Overview
When an iPhone, iPad, or iPod touch is backed up to a Mac via Finder (or iTunes on older macOS versions), the backup is stored in the MobileSync directory. Each backup contains device metadata (device name, IMEI, serial number, iOS version), a manifest database cataloguing all backed-up files, and the actual backup data (which may be encrypted). Even when backups are encrypted, the metadata files remain readable and provide significant forensic value.
Forensic Significance
| Evidence Type | Forensic Value |
|---|---|
| Device identification | Device name, serial number, IMEI, phone number |
| iOS version | Software version at time of backup |
| Backup timestamps | When backups were created (indicates device connection) |
| Backup encryption state | Whether backup data is protected |
| File manifest | Complete list of backed-up files and their domains |
| Application list | Apps installed on the iOS device |
File Locations
| Artifact | Path | Format |
|---|---|---|
| Backup root | ~/Library/Application Support/MobileSync/Backup/ | Directory |
| Device info | .../Backup/<UDID>/Info.plist | Plist |
| Manifest | .../Backup/<UDID>/Manifest.db | SQLite |
| Manifest plist | .../Backup/<UDID>/Manifest.plist | Plist |
| Status | .../Backup/<UDID>/Status.plist | Plist |
Each backup is stored in a directory named with the device's UDID (Unique Device Identifier).
Info.plist
| Key | Description |
|---|---|
| Device Name | User-configured device name |
| Display Name | Display name |
| IMEI | Device IMEI number |
| Serial Number | Device serial number |
| Phone Number | Phone number (if applicable) |
| Product Type | Device model identifier (e.g., iPhone14,2) |
| Product Version | iOS version |
| Build Version | iOS build number |
| Last Backup Date | Timestamp of this backup |
| iTunes Version | Version of iTunes/Finder that created the backup |
Manifest.db
SQLite database with a Files table:
| Column | Type | Description |
|---|---|---|
| fileID | TEXT | SHA-1 hash filename |
| domain | TEXT | Backup domain (e.g., HomeDomain, AppDomain-com.example) |
| relativePath | TEXT | Original file path on the iOS device |
| flags | INTEGER | File type flags |
| file | BLOB | Binary plist with file metadata (size, dates, permissions) |
Status.plist
| Key | Description |
|---|---|
| IsFullBackup | Whether this is a complete backup |
| Date | Backup timestamp |
| SnapshotState | Backup state (finished, in progress) |
Key Fields for Analysis
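```bash
# Read device info for every backup
plutil -p ~/Library/Application\ Support/MobileSync/Backup/*/Info.plist

# Query each Manifest.db separately: sqlite3 takes a single database file, so a
# glob that matches several backups would be misread as database plus SQL.
# -readonly keeps the query from modifying the evidence file.
for db in ~/Library/Application\ Support/MobileSync/Backup/*/Manifest.db; do
  echo "== $db"
  # List backed-up file domains
  sqlite3 -readonly "$db" "SELECT DISTINCT domain FROM Files ORDER BY domain;"
  # Count files per domain
  sqlite3 -readonly "$db" "SELECT domain, COUNT(*) AS count FROM Files GROUP BY domain ORDER BY count DESC LIMIT 20;"
done
```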
Analysis Notes
- Device attribution: The Info.plist provides enough information (IMEI, serial number, phone number) to uniquely identify the iOS device and its owner.
- Connection evidence: The existence of a backup proves the iOS device was physically connected to (or on the same network as) the Mac. The backup date provides the connection timestamp.
- Encrypted backups: If Manifest.plist contains IsEncrypted = true, the backup data files are encrypted with a user-set password. The metadata files (Info.plist, Status.plist) remain readable regardless.
- Multiple backups: Multiple UDID directories indicate multiple iOS devices have been backed up to this Mac.
- App inventory: The domain column in Manifest.db reveals all apps installed on the iOS device (each app creates an AppDomain-<bundle.id> domain).
- Stale backups: Old backups from previously owned devices may remain on disk, providing historical device connection evidence.
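
The checks in the notes above, combined into one read-only triage pass over every `<UDID>` directory. This is an added example, not code from the original page or from any tool it lists; the function names and the constructed sample backup are assumptions for illustration, and a Manifest.db that cannot be opened as SQLite is reported as `apps: None` instead of aborting the run.

```python
import plistlib, sqlite3
from contextlib import closing
from pathlib import Path

def load_plist(path):
    """Parse a plist; return {} when it is missing, damaged, or not a dictionary."""
    try:
        data = plistlib.loads(Path(path).read_bytes())
        return data if isinstance(data, dict) else {}
    except Exception:  # keep triaging past unreadable files
        return {}

def app_bundle_ids(manifest_db):
    """Bundle IDs from AppDomain-<bundle.id> domains; None if Manifest.db is unreadable."""
    uri = Path(manifest_db).resolve().as_uri() + "?mode=ro"  # read-only open of evidence
    try:
        with closing(sqlite3.connect(uri, uri=True)) as con:
            rows = con.execute("SELECT DISTINCT domain FROM Files WHERE domain LIKE 'AppDomain-%'").fetchall()
    except sqlite3.Error:
        return None
    return sorted(domain[len("AppDomain-"):] for (domain,) in rows)

def triage(backup_root):
    """One summary dict per <UDID> directory under the MobileSync Backup root."""
    results = []
    for d in sorted(p for p in Path(backup_root).iterdir() if p.is_dir()):
        info, status, manifest = (load_plist(d / n) for n in
                                  ("Info.plist", "Status.plist", "Manifest.plist"))
        results.append({
            "udid": d.name, "device_name": info.get("Device Name"),
            "serial": info.get("Serial Number"), "imei": info.get("IMEI"),
            "ios_version": info.get("Product Version"), "last_backup": info.get("Last Backup Date"),
            "is_full": status.get("IsFullBackup"), "state": status.get("SnapshotState"),
            "encrypted": manifest.get("IsEncrypted"), "apps": app_bundle_ids(d / "Manifest.db"),
        })
    return results

def build_constructed_backup(root, udid, info, encrypted, domains=None):
    """Write a CONSTRUCTED sample backup; domains=None leaves a Manifest.db that is not SQLite."""
    d = Path(root) / udid
    d.mkdir(parents=True)
    for name, body in (("Info.plist", info), ("Manifest.plist", {"IsEncrypted": encrypted}),
                       ("Status.plist", {"IsFullBackup": True, "SnapshotState": "finished"})):
        (d / name).write_bytes(plistlib.dumps(body))
    if domains is None:
        (d / "Manifest.db").write_bytes(b"\xa5" * 4096)
    else:
        with closing(sqlite3.connect(d / "Manifest.db")) as con, con:
            con.execute("CREATE TABLE Files (fileID TEXT, domain TEXT, relativePath TEXT, flags INTEGER, file BLOB)")
            con.executemany("INSERT INTO Files (domain) VALUES (?)", [(x,) for x in domains])
```

To run it against real evidence, pass the Backup root from the File Locations table to `triage()`, preferably on a working copy of the directory.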
| Tool | Support |
|---|---|
| macfor | Not yet implemented (planned) |
| plutil / sqlite3 (macOS built-in) | Read metadata and manifest |
| iMazing | Commercial iOS backup browser |
| iPhone Backup Extractor | Commercial backup extraction |
| libimobiledevice | Open-source iOS backup tools |