iFind Analyzer
DiscontinuedA desktop utility designed to audit local iOS backups created by iTunes. It utilized advanced parsing algorithms to read the `Manifest.plist` and decrypt the iOS Keychain, exposing vulnerabilities in how early iOS versions stored credentials locally.
Technical Capabilities
Backup Manifest Parsing
The tool could read and interpret the `Manifest.plist` and `Info.plist` files generated by iTunes. This involved reverse-engineering the binary property list format (bplist) to map obfuscated filenames to their original paths and file types.
Keychain Analysis
By exploiting vulnerabilities in local backup encryption (prior to iOS 8/9 hardening), the tool attempted to decrypt the `keychain-2.db` SQLite database. This allowed for the extraction of stored Wi-Fi passwords and application tokens.
iCloud Extraction
The primary function was to identify the primary iCloud email address associated with the device backup. It scanned the account configuration databases to retrieve the user's Apple ID for forensic identification purposes.
SQLite Forensics
iFind included a built-in SQLite viewer capable of querying the thousands of database files inside an iPhone backup. It allowed for the structured export of SMS messages, call logs, and contacts without restoring the device.