Skip to content

sideffectt/ios-forensics

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
cli.py
cli.py
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

iOS Forensics Toolkit

Modular Python toolkit for parsing iOS device artifacts. Extracts data from SQLite databases and Property List files commonly found in iOS backups and file system extractions.

Supported Artifacts

Parser Database Description
SMSParser sms.db SMS and iMessage data
WhatsAppParser ChatStorage.sqlite WhatsApp messages and media
SafariParser History.db Browser history
CallHistoryParser CallHistory.storedata Call records
KnowledgeCParser knowledgeC.db System activity and app usage
ContactsParser AddressBook.sqlitedb Contact information
PlistParser *.plist Configuration files

Installation

git clone https://github.com/sideffectt/ios-forensics.git
cd ios-forensics
pip install -e .

Usage

Command Line

# Parse SMS database
python cli.py sms.db -o messages.json

# Parse with limit
python cli.py ChatStorage.sqlite -t whatsapp -l 100 -o output.csv -f csv

# List database tables
python cli.py sms.db --tables

# Show table schema
python cli.py sms.db --schema message

# Get call statistics
python cli.py CallHistory.storedata -t calls --stats

Python API

from src import SMSParser, WhatsAppParser, PlistParser

# Parse SMS
with SMSParser('sms.db') as parser:
    messages = parser.parse(limit=100)
    conversations = parser.conversations()
    parser.export_json('sms.json')

# Parse WhatsApp
with WhatsAppParser('ChatStorage.sqlite') as parser:
    messages = parser.parse()
    chats = parser.chats()

# Parse plist
plist = PlistParser('Info.plist')
data = plist.parse()
bundle_id = plist.get('CFBundleIdentifier')
plist.print_structure()

Timestamp Conversion

from src import cocoa_to_datetime, auto_convert

# Cocoa timestamp (since 2001-01-01)
dt = cocoa_to_datetime(700000000)

# Auto-detect format
dt = auto_convert(some_timestamp)

Project Structure

ios-forensics/
├── src/
│   ├── parsers/
│   │   ├── base.py         # Base parser class
│   │   ├── sms.py          # SMS/iMessage parser
│   │   ├── whatsapp.py     # WhatsApp parser
│   │   ├── safari.py       # Safari history parser
│   │   ├── calls.py        # Call history parser
│   │   ├── knowledgec.py   # System activity parser
│   │   ├── contacts.py     # Contacts parser
│   │   └── plist.py        # Property list parser
│   └── utils/
│       ├── timestamp.py    # Timestamp converters
│       └── export.py       # Export functions
├── cli.py                  # Command-line interface
├── setup.py
└── README.md

iOS Artifact Locations

Artifact Path
SMS /private/var/mobile/Library/SMS/sms.db
WhatsApp /private/var/mobile/Containers/Data/Application/[UUID]/Documents/ChatStorage.sqlite
Safari /private/var/mobile/Library/Safari/History.db
Calls /private/var/mobile/Library/CallHistoryDB/CallHistory.storedata
KnowledgeC /private/var/mobile/Library/CoreDuet/Knowledge/knowledgeC.db
Contacts /private/var/mobile/Library/AddressBook/AddressBook.sqlitedb

Apple Timestamp Formats

Format Epoch Used In
Cocoa/CoreData 2001-01-01 Most iOS databases
Unix 1970-01-01 General purpose
WebKit 1601-01-01 Safari (microseconds)
Nanoseconds 2001-01-01 SMS database

Export Formats

  • JSON (default)
  • CSV
  • HTML

Requirements

  • Python 3.7+
  • No external dependencies (standard library only)

License

MIT

About

iOS forensics toolkit for parsing WhatsApp, SMS, Safari, and system databases

Topics

python ios sqlite safari forensics dfir cybersecurity whatsapp plist digital-forensics forensic-analysis sms-parser mobile-forensics

Resources

Readme

License

MIT license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages