Investigating Windows iTunes Desktop Application
18/11/2022 Friday
Windows iTunes desktop application is a media management app developed by Apple. It is used for creating and customizing digital media library by allowing the user to download, play, organize, and manage audio and video files. It is also extremely useful when trying to set up an Apple device or manage its media content via a Windows computer.
Digital Forensics Value of iTunes
Apple devices are one of the widest selling portable digital devices on the market. It is also known for its encryption methods which are strong enough to thwart most of digital forensics’ efforts. Thanks to iTunes synchronization feature, there is an opportunity to get access to the backed-up data and extract information from it without being forced to break Apple’s encryption methods.
Location and Structure of iTunes Artifacts
The default location of the Artifacts left behind by iTunes:
C:\Users\%user%\AppData\Local\Apple Computer
C:\Users\%user%\AppData\Roaming\Apple Computer
Analyzing iTunes Artifacts with ArtiFast
This section will discuss how to use ArtiFast to extract Windows iTunes artifacts from Windows machines and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase, you can select iTunes artifacts:
Once ArtiFast parser plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of Windows itunes artifacts in ArtiFast.
iTunes Cookies Artifact
- Name - Name of the cookie.
- Path - Path of the cookie value.
- URL - The domain of the cookie.
- Value - The content of the cookie.
- Expiration Date - The date and time when the cookie expires.
- Creation Date - The date and time when the cookie was created.
- Is secure - Indicates whether the cookie is secure.
- Is httponly - Indicates whether the cookie is using httponly.
iTunes Devices Information Artifact
- Unique Identifier - A Unique identifier for each device.
- Date - The last time when this device was connected to iTunes SW.
- Device Class - The type of the connected device: iphone, ipod, ..etc.
- Family ID - The family ID of the connected device.
- Product Type - The type of the connected device.
- Serial Number - The serial mumber of the connected device.
- Use Count - The number of times the user connected that device to iTunes.
- IMEI - A unique, 15-digit number that identifies the device on a cellular network.
- Product Name - Product name of the connected device.
- Phone Number - Phone number of the connected device.
- Device Name - Device name chosen by the user.
iTunes Applications Information Artifact
- Icon - The Bytes of the installed App icon.
- App Name - The name of the App installed on the user device.
- Publisher Name - The name of the developer of the App.
- Apple ID - The Apple ID of the app purchaser.
- Date - The date the app was purchased.
- Version - The app version.
iTunes Backed Up Images Artifact
- Created Date/Time - The created date/time of the image in the phone.
- Last Modified Date/Time - The last modified date/time of the image in the phone.
- Saved Date/Time - The saved date/time of the image to that computer.
- Size - The size of the image in bytes.
- Folder Name - The folder name on the computer in which the image is saved to.
- File Name - The file name on the computer in which the image is saved to.
- Image Path -The image path in the phone device.
- Unique Identifier - TThe unique identifier for each phone created by iTunes.
iTunes Voice Memos Artifact
- Size - The size of the voice memo in bytes.
- Name - The folder name on the computer in which the voice memo is saved to.
- Date - The file name on the computer in which the voice memo is saved to.
- Is Recorded on Device - The voice memo path in the phone device.
For more information or suggestions please contact: kalthoum.karkazan@forensafe.com
