jfarley248 / iTunes_Backup_Reader

Python 3 Script to parse out iTunes backups
MIT License
172 stars 41 forks source link
backups dfir forensics ios itunes itunes-backups kape mobile

iTunes_Backup_Reader

Python 3 Script to read iTunes Backups

(Due to a bug in biplist, the script will not work on Python 3.9, please use a lower version of Python or one of the frozen exe's)

Download binary from the Releases section: https://github.com/jfarley248/iTunes_Backup_Analyzer/releases

Current Version: 4.0.1

Usage:

usage: iTunes_Backup_Reader.py [-h] -i INPUTDIR -o OUTPUTDIR -t OUT_TYPE [-v]
                               [-b] [--ir] [-r] [-d] [-p PASSWORD]

Utility to Read iTunes Backups

optional arguments:
  -h, --help            show this help message and exit
  -i INPUTDIR, --inputDir INPUTDIR
                        Path to iTunes Backup Folder
  -o OUTPUTDIR, --outputDir OUTPUTDIR
                        Directory to store results
  -t OUT_TYPE, --type OUT_TYPE
                        Output type. txt csv or db
  -v, --verbose         increase output verbosity
  -b, --bulk            Bulk parse. Point at folder containing backup folders
  --ir                  Incident Response Mode. Will automatically check user
                        folders for backups. Requires admin rights. Point at
                        root of drive
  -r, --recreate        Tries to recreate folder structure for unencrypted
                        backups
  -d, --decrypt         Just decrypts the backup into an unecrypted, unparsed
                        format
  -p PASSWORD           Password for encrypted backups

Backups located in C:\Users{user}\AppData\Roaming\Apple Computer\MobileSync\Backup{GUID}

Artifacts Parsed:

Updates in Version 3

Version 3.1

Version 3.0

Big thanks to Tony Knutson @bigt252002 for helping me test and providing ideas and feedback on new features!

Updates in version 2.1

Updates in version 2.0

Future Updates

Known Issues