├── README
├── gist406824
├── .DS_Store
├── calculatePiFunction.R
├── mapper.R
├── parseEMRout.R
└── reducer.R
├── gist764370
└── aBillionPi.R
└── iPhone-iTunes-Backup-Spy-Python-Program
├── harvestEmailAddressMultiLevels.py
├── harvestEmailAddresses.py
├── iPhone_SMS_spy.py
├── linkPageHarvestEmail.py
├── mobileSiteEmailHarvester.py
└── simpleEmailHarvester.py
/README:
--------------------------------------------------------------------------------
1 | Python menu program to extract iPhone data from unencrypted iTunes backups (backups created with iTunes backup encryption turned on are not readable by these scripts). What can you spy?
2 | Call logs, SMS Messages, Contacts, Email, Calendar,
3 | Pictures, Web History, Google Maps, GPS Tracking
4 | Info, Passwords, Facebook data
5 |
6 |
7 | iTunes backups of the iPhone are stored in the following directories:
8 | Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
9 | Windows Vista: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
10 | Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/
11 |
12 |
13 |
14 | Contents OS Real filename Backup filename Type
15 | SMS / Text messages 1-4 sms.db 3d0d7e5fb2ce288813306e4d4636395e047a3d28 SQLite 3
16 | Contacts / address book 1 AddressBook.sqlitedb adb8c77534444e97c31ff15924d50f3ed1fbd3b1 SQLite 3
17 | Contacts / address book 2-4 AddressBook.sqlitedb 31bb7ba8914766d4ba40d6dfb6113c8b614be442 SQLite 3
18 | Calendar 1 Calendar.sqlitedb 14ee8cdc3e6e0220399ff210246e1c92b7df89a0 SQLite 3
19 | Calendar 2-4 Calendar.sqlitedb 2041457d5fe04d39d0ab481178355df6781e6858 SQLite 3
20 | Notes 1-3 notes.db 740b7eaf93d6ea5d305e88bb349c8e9643f48c3b SQLite 3
21 | Notes 4 notes.sqlite ca3bc056d4da0bbf88b5fb3be254f3b7147e639c SQLite 3
22 | Call history 1 call_history.db a49bfab36504be1bf563c1d1813b05efd6076717 SQLite 3
23 | Call history 2-3 call_history.db ff1324e6b949111b2fb449ecddb50c89c3699a78 SQLite 3
24 | Call history 4 call_history.db 2b2b0084a1bc3a5ac8c27afdf14afb42c61a19ca SQLite 3
25 | Locations 4 consolidated.db 4096c9ec676f2847dc283405900e284a7c815836 SQLite 3
26 | Facebook Data 4 friends.db 6639cb6a02f32e0203851f25465ffb89ca8ae3fa SQLite 3
27 |
28 | plist files Content
29 | com.apple.accountsettings.plist Email accounts configured on Apple Mail application
30 | Directions.plist Directions to remote locations
31 | History.plist Log of searched locations
32 | com.apple.Maps.plist Last viewed latitude and longitude
33 | com.apple.mobilephone.speeddial.plist Speed dial contacts saved in the Favorites list
34 | com.apple.mobilephone.plist Last phone numbers dialed
35 | Bookmarks.plist Bookmarked URLs
36 | History.plist Browsing history
37 | Cookies.plist Information about cookies
38 | com.apple.preferences.datetime.plist Local Date and time zone
39 | com.apple.network.identification.plist Wireless network settings
40 | com.apple.wifi.plist com.apple.preferences.network.plist Status of wifi and Bluetooth networks
41 | com.apple.MobileBluetooth.devices.plist com.apple.MobileBluetooth.services.plist Log of Bluetooth devices paired with the iPhone
42 | History of Bluetooth pairings
43 | com.apple.commcenter.plist ICCID and IMSI unique identifiers
44 | Info.plist Device information including device name, unique identifier, phone number, serial number, etc.
45 |
46 | This program is free software: you can redistribute it and/or
47 | modify it under the terms of the GNU Lesser General Public
48 | License as published by the Free Software Foundation, either
49 | version 3 of the License, or (at your option) any later version.
50 |
51 | This program is distributed in the hope that it will be useful,
52 | but WITHOUT ANY WARRANTY; without even the implied warranty of
53 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
54 | Lesser General Public License for more details.
55 |
56 | You should have received a copy of the GNU Lesser General Public
57 | License along with this library.
58 | If not, see or
59 | .
--------------------------------------------------------------------------------
/gist406824/.DS_Store:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/dgleebits/iPhone-iTunes-Backup-Spy-Python-Program/84bf4f5ea84c1d8386d87b58875326a28b855174/gist406824/.DS_Store
--------------------------------------------------------------------------------
/gist406824/calculatePiFunction.R:
--------------------------------------------------------------------------------
#' Monte Carlo estimate of pi.
#'
#' Draws `numDraws` points uniformly from the square [-r, r] x [-r, r]
#' (r = 0.5) and returns four times the share of points whose distance
#' from the origin is strictly less than r.
#'
#' @param numDraws Number of random points to draw.
#' @return The estimate of pi as a single numeric value.
estimatePi <- function(numDraws) {
  radius <- 0.5 # radius... in case the unit circle is too boring
  # All x values are drawn before any y value; the draw order decides which
  # RNG outputs each coordinate receives, so it must stay this way for a
  # given seed to keep producing the same estimate.
  xs <- runif(numDraws, min = -radius, max = radius)
  ys <- runif(numDraws, min = -radius, max = radius)
  distance <- (xs^2 + ys^2)^0.5
  hits <- as.numeric(distance < radius)
  sum(hits) / length(hits) * 4
}
--------------------------------------------------------------------------------
/gist406824/mapper.R:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env Rscript
2 |
# Remove leading and trailing runs of the space character from each element
# of `line`. Only " " is stripped; tabs and other whitespace stay in place.
trimWhiteSpace <- function(line) {
  gsub(pattern = "(^ +)|( +$)", replacement = "", x = line)
}
# Split `line` on runs of whitespace and return all pieces as one flat
# character vector.
splitIntoWords <- function(line) {
  pieces <- strsplit(line, split = "[[:space:]]+")
  unlist(pieces)
}
5 |
6 | ## **** could do with a single readLines or in blocks
# Streaming mapper: read stdin one line at a time, strip surrounding spaces,
# and write the line's numeric value followed by a tab and a newline.
# A line that is not a number is written as "NA" (as.numeric() yields NA).
con <- file("stdin", open = "r")
repeat {
  line <- readLines(con, n = 1, warn = FALSE)
  if (length(line) == 0) {
    break # end of input
  }
  line <- trimWhiteSpace(line)
  cat(as.numeric(line), "\t", "\n", sep = "")
}

close(con)
--------------------------------------------------------------------------------
/gist406824/parseEMRout.R:
--------------------------------------------------------------------------------
1 | ############## this starts the job assuming you have your credentials.json set up properly
2 | ############## it also assumes the mapper.R/reducer.R/calculatePiFunction.R are all in a bucket called emrexample
3 | ############## Output goes to emrout on S3 which must NOT exist before this is run
4 | ############## the file numberList.txt is not in this gist because it is 10,000 lines long: each line is simply an integer from 1:10000
5 | ############## numberList.txt needs to be created and placed in your S3 emrexample bucket
6 | ############## you will also need the Amazon EMR command line tools: http://docs.amazonwebservices.com/ElasticMapReduce/latest/DeveloperGuide/DownloadingtheCLI.html
7 | ############## and S3CMD: http://s3tools.org/s3cmd
8 |
# Launch the streaming job through the elastic-mapreduce CLI.
# mapper.R, reducer.R and calculatePiFunction.R are fetched from the
# emrexample bucket and executed on every node, so whoever can write to that
# bucket decides what code the cluster runs. S3 bucket names are global:
# substitute a bucket you own for emrexample and emrout before running.
system(paste(
  c(
    "elastic-mapreduce",
    "--create",
    "--stream",
    "--input s3n://emrexample/numberList.txt",
    "--mapper s3n://emrexample/mapper.R",
    "--reducer s3n://emrexample/reducer.R",
    "--output s3n://emrout/",
    "--name EMRexample",
    "--num-instances 50",
    "--cache s3n://emrexample/calculatePiFunction.R#calculatePiFunction.R"
  ),
  collapse = " "
))
10 |
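########### Don't run the rest of this until the job is done ########################
# Copy the results back; s3cmd must be installed for this to work.
# NOTE(review): the job is started with --output s3n://emrout/ but this
# fetches s3://emrexample/out/ - confirm which location holds the results.
system("s3cmd get s3://emrexample/out/* .")

# library() stops here if Hmisc is missing; require() would only return
# FALSE and let the script fail later at substring.location().
library(Hmisc) # for the substring.location() function

# be sure and change this path...
basePath <- "/home/jal/Documents/R/EMR Example/output/"

fileList <- list.files(path = basePath)
if (length(fileList) == 0) {
  stop("no output files found in ", basePath, call. = FALSE)
}

fileResults <- vector("list", length(fileList))

for (fi in seq_along(fileList)) {
  fname <- paste0(basePath, fileList[fi])
  tst <- readChar(fname, file.info(fname)$size)

  # The reducer ends every record with "|", so the piece after the last "|"
  # is not a record and is dropped. seq_len() keeps this safe when the file
  # holds no "|" at all (1:(n - 1) would count down to 0 instead).
  records <- strsplit(tst, "|", fixed = TRUE)[[1]]
  records <- records[seq_len(max(length(records) - 1L, 0L))]

  singleFileResults <- vector("list", length(records))

  for (i in seq_along(records)) {
    # The serialized payload starts at the "A" that follows the key's tab.
    payloadStart <- substring.location(records[i], "\tA")$first + 1
    spt2 <- substr(records[i], payloadStart, nchar(records[i]))

    # SECURITY: unserialize() rebuilds whatever R object the bytes describe,
    # so the downloaded files are trusted input. Only parse output from a
    # bucket and job you control. The check below is a sanity check on the
    # result, not a defence against a hostile stream; having the reducer
    # emit the number as plain text and reading it with as.numeric() would
    # avoid deserialization altogether.
    results <- unserialize(charToRaw(spt2))
    if (!is.numeric(results) || length(results) != 1L) {
      stop(
        "unexpected object in ", fname, ", record ", i,
        ": expected a single number",
        call. = FALSE
      )
    }
    singleFileResults[[i]] <- results
  }

  fileResults[[fi]] <- singleFileResults
}

f <- unlist(fileResults)

cat("estimate of pi is: ", mean(f), "\n")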
45 |
46 |
--------------------------------------------------------------------------------
/gist406824/reducer.R:
--------------------------------------------------------------------------------
1 | #! /usr/bin/env Rscript
2 |
# Streaming reducer: for every input line, seed the RNG with the line's
# numeric value, estimate pi from 1e5 draws, and write the original line,
# the ASCII serialization of the estimate, and a "|" record terminator.
# The consumer (parseEMRout.R) has to unserialize() each record.

options(warn = -1) # suppress warnings for the rest of the script

# Remove leading and trailing runs of the space character (not tabs).
trimWhiteSpace <- function(line) {
  gsub(pattern = "(^ +)|( +$)", replacement = "", x = line)
}

con <- file("stdin", open = "r")
# estimatePi() comes from this file, which must sit in the working directory.
source("./calculatePiFunction.R")
repeat {
  line <- readLines(con, n = 1, warn = FALSE)
  if (length(line) == 0) {
    break # end of input
  }
  x <- as.numeric(trimWhiteSpace(line))
  # Seeding with the input value makes each line's estimate reproducible.
  set.seed(x)
  myOutput <- estimatePi(1e5)
  cat(
    line,
    rawToChar(serialize(myOutput, connection = NULL, ascii = TRUE)),
    "|\n",
    sep = ""
  )
}

close(con)
16 |
17 |
--------------------------------------------------------------------------------
/gist764370/aBillionPi.R:
--------------------------------------------------------------------------------
#' Seeded Monte Carlo estimate of pi from one million draws.
#'
#' Seeds the RNG with `seed`, draws 1e6 points uniformly from the square
#' [-r, r] x [-r, r] (r = 0.5) and returns four times the share of points
#' whose distance from the origin is strictly less than r.
#'
#' @param seed Value passed to `set.seed()`.
#' @return The estimate of pi as a single numeric value.
estimatePi <- function(seed) {
  set.seed(seed)
  draws <- 1e6
  radius <- 0.5 # radius... in case the unit circle is too boring
  # All x values are drawn before any y value, which fixes the mapping from
  # RNG output to coordinates for a given seed.
  xs <- runif(draws, min = -radius, max = radius)
  ys <- runif(draws, min = -radius, max = radius)
  distance <- (xs^2 + ys^2)^0.5
  hits <- as.numeric(distance < radius)
  sum(hits) / length(hits) * 4
}
10 |
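# One seed per task: 1000 tasks of 1e6 draws each.
seedList <- as.list(1:1e3)

# library() stops immediately if segue is missing; require() would only
# return FALSE and let createCluster() fail with a less clear error.
library(segue)
myCluster <- createCluster(20)
# stopCluster() sits in `finally` so the cluster is shut down even when
# emrlapply() fails; otherwise a failed run leaves it running.
myEstimates <- tryCatch(
  emrlapply(myCluster, seedList, estimatePi),
  finally = stopCluster(myCluster)
)

# Average of the per-seed estimates.
myPi <- Reduce(sum, myEstimates) / length(myEstimates)

format(myPi, digits = 10)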
21 |
22 |
23 |
--------------------------------------------------------------------------------
/iPhone-iTunes-Backup-Spy-Python-Program/harvestEmailAddressMultiLevels.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | ''' This webscraper hits http://app.example.com/qf_net/Default.aspx and http://app.example.com/QFOrgChart_net/default.aspx?id=1056
3 | and http://app.example.com/QFOrgChart_net/orgchart.html and parses http://app.example.com/Qf_Net/DirectoryDetail.aspx?ID=14753&name=Sheila
4 | from webpage. Email address harvester. '''
5 |
6 | def main():
7 | ''' This main function loops thru GET's '''
8 | IDLimit = 20
9 | myCounter = 14
10 | myCounter2 = 0
11 | myList = {}
12 | defaultTargetURL = 'http://app.example.com/QFOrgChart_net/default.aspx?id='
13 | search_value = 'default.aspx?id='
14 | searchTerm = 'DirectoryDetail.aspx?ID='
15 | splitItem = '"'
16 | beginTAG = 'mailto:'
17 | beginTAGvalue = len(beginTAG)
18 | endTAG = '@example.com'
19 | endTAGvalue = len(endTAG)
20 |
21 | while myCounter 0:
31 | stuff = webPage.split(splitItem)
32 | while myCounter2 < entryOnPage:
33 | for myLink in stuff:
34 | if searchTerm in myLink:
35 | myList[myCounter2] = myLink
36 | myCounter2 = myCounter2+1
37 | for k, v in myList.iteritems():
38 | valueLink = "http://app.example.com"+v
39 | try:
40 | f2 = urllib2.urlopen(valueLink)
41 | webPageSecondLevel = f2.read()
42 | extractEmail(webPageSecondLevel)
43 | except urllib2.HTTPError, error:
44 | contents = error.read()
45 |
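def parse(myList):
    ''' Return the first double-quote-delimited piece of the page text that
    contains 'DirectoryDetail.aspx?ID=', or None when no piece does.

    myList -- the page content as one string (despite the name, not a list).
    '''
    # The original also set six locals (tag strings and their lengths) that
    # were never read; they are dropped here.
    searchTerm = 'DirectoryDetail.aspx?ID='
    for fragment in myList.split('"'):
        if searchTerm in fragment:
            return fragment
    return None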
59 |
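def extractEmail(line):
    ''' Print the slice of line that runs from just after 'mailto:' to the
    end of '@example.com', when that slice is longer than the domain tag.

    str.find() returns -1 for a missing tag, so the slice bounds are only
    meaningful when both tags are present in line.
    '''
    # The original also set three locals (splitItem, searchTerm,
    # search_value) that were never read; they are dropped here.
    beginTAG = 'mailto:'
    endTAG = '@example.com'
    start = line.find(beginTAG) + len(beginTAG)
    stop = line.find(endTAG) + len(endTAG)
    lSS = line[start:stop]
    if len(lSS) > len(endTAG):
        print(lSS)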
72 |
73 | if __name__ == "__main__":
74 | import urllib2
75 | main()
76 |
77 |
78 |
79 |
--------------------------------------------------------------------------------
/iPhone-iTunes-Backup-Spy-Python-Program/harvestEmailAddresses.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/python
2 | '''This program enumerates the website based phonebook and harvests email addresses'''
3 |
4 | import urllib2
5 | targetURL = "http://somewebaddress"
6 | alphabet = "abcdefghijklmnopqrstuvwxyz"
7 | beginTAG = "mailto:"
8 | beginTAGvalue = len(beginTAG)
9 | endTAG = "@someDomain.whatever"
10 | endTAGvalue = len(endTAG)
11 |
def main():
    """Request targetURL + letter for each letter a-z and hand every line of
    each response, except the first, to extractEmail().

    On the server side this shows up as 26 consecutive GET requests, one per
    letter, sent with urllib2's default request headers.
    """
    for letter in alphabet:
        print("Here are the email addresses for %s" % letter)
        print("*" * 100)
        response = urllib2.urlopen(targetURL + letter)
        response.readline()  # the first line of each response is skipped
        for line in response:
            extractEmail(line)
21 |
def extractEmail(line):
    ''' Print the slice of line that runs from just after beginTAG to the
    end of endTAG, when that slice is longer than endTAG itself.

    Reads the module-level beginTAG/endTAG and their precomputed lengths.
    str.find() returns -1 for a missing tag, so the bounds are only
    meaningful when both tags are present in line.
    '''
    start = line.find(beginTAG) + beginTAGvalue
    stop = line.find(endTAG) + endTAGvalue
    lSS = line[start:stop]
    if len(lSS) > endTAGvalue:
        print(lSS)
27 |
28 | if __name__ == "__main__":
29 | main()
--------------------------------------------------------------------------------
/iPhone-iTunes-Backup-Spy-Python-Program/iPhone_SMS_spy.py:
--------------------------------------------------------------------------------
1 | #!/usr/bin/env python
2 | # encoding: utf-8
3 |
4 | import sqlite3
5 | import time
6 | import sys
7 | import os
8 | import codecs
9 |
10 | """
11 | iphone_sms_spy.py
12 |
13 | Decodes iphone sms database, hidden in itunes backup data files, into human readable form
14 |
15 | *** Use program with COPY of the original data***
16 | *** Use at own risk ***
17 | *** Be good ***
18 |
19 | Created by: Dan G
20 | Create Date: Friday 5th August 2011
21 | Contact: dangleebits@hotmail.ca
22 | Version: 0.1
23 |
24 | Windows XP: C:\Documents and Settings\(username)\Application Data\Apple Computer\MobileSync\Backup\
25 | Windows Vista: C:\Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\
26 | Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/
27 |
28 | Thanks to iphone backup decoder and arrdino and viaforensics and andy for their work
29 | """
30 |
31 | DEBUG = True #Set True for copy of output to file
32 | output = """%s - %s - %s
33 | %s
34 |
35 | """
36 |
def usage():
    """Print the program banner and its command-line usage to stdout."""
    banner = (
        "iPhone SMS Spy Decoder\n",
        "Usage: " + sys.argv[0] + " (Path to 3d0d7e5fb2ce288813306e4d4636395e047a3d28 file to SMS SPY) \n",
        "Coded by Dan G",
        "Version 0.1",
    )
    for text in banner:
        print(text)
42 |
43 | #conversion of the epoch to human
def convertDate(epoch):
    """Format an epoch timestamp as 'Day, DD Mon YYYY HH:MM:SS'.

    The conversion uses time.localtime(), i.e. the time zone of the machine
    running the script, not the time zone of the phone the backup came from.
    """
    local_parts = time.localtime(epoch)
    return time.strftime("%a, %d %b %Y %H:%M:%S", local_parts)
46 |
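def main(dbfile, outputfile):
    """Dump every row of the SMS `message` table in readable form.

    dbfile     -- path to a COPY of the backup's SMS SQLite file
    outputfile -- path of the UTF-8 text file that receives the dump

    Each message is printed to stdout; when DEBUG is set it is also written
    to outputfile. A "Date Range" line built from the first and last rows
    read closes the output file.

    Changes from the original:
    * dbfile is actually used (the original ignored it and opened a
      hard-coded path);
    * a missing dbfile raises IOError, because sqlite3.connect() would
      otherwise create an empty database at that path;
    * a flags value other than 0, 2 or 3 is labelled as unknown; the original
      reused the previous row's direction for it (or raised NameError on the
      first row), which mislabels messages in the report;
    * address is converted with unicode() so a non-ASCII sender does not
      abort the run;
    * each message is printed once instead of twice;
    * the connection and the output file are closed even when a row fails.
    """
    if not os.path.isfile(dbfile):
        raise IOError("SMS database not found: %s" % dbfile)

    # flags values this script knows how to label
    directions = {2: "Received", 3: "Sent", 0: ""}

    count = 0
    firstDate = ""
    lastDate = ""
    outFile = codecs.open(outputfile, encoding='utf-8', mode='w')
    try:
        connection = sqlite3.connect(dbfile)
        try:
            cursor = connection.cursor()
            cursor.execute("select flags, address, date, text from message")

            for row in cursor:
                flags = row[0]
                direction = directions.get(flags, "Unknown (flags=%s)" % flags)
                address = unicode(row[1])
                date = convertDate(row[2])
                text = unicode(row[3])

                # printing each SMS message to stdout
                outData = output % (address, direction, date, text)
                print(outData)

                # copy to the output file
                if DEBUG:
                    outFile.write(outData)

                # remember the dates of the first and the latest row read
                if count == 0:
                    firstDate = date
                lastDate = date
                count += 1
        finally:
            connection.close()

        # date of the first SMS read and of the last SMS read
        outData = "Date Range: %s - %s" % (firstDate, lastDate)
        if DEBUG:
            print(outData)
        outFile.write(outData)
    finally:
        # good citizen
        outFile.close()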
95 |
if __name__ == "__main__":
    # Raw string: the backslashes in the Windows path are literal characters.
    # Point this at a copy of the backup's SMS file, never the original.
    dbfile = r"c:\Documents and Settings\(username)\Desktop\sms.db"
    outFile = "SMS_Spy.txt"
    main(dbfile, outFile)
--------------------------------------------------------------------------------
/iPhone-iTunes-Backup-Spy-Python-Program/linkPageHarvestEmail.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/python
2 | '''This program will snarf email addresses from Online Staff Directory'''
3 |
4 | import urllib2
5 |
6 | my_dict = {}
7 | my_emailAddresses = {}
8 | data = []
9 | my_counter = 0
10 | my_target = 'http://m.directory.xxx/index.cfm/person/search#'
11 | search_string = ' endTAGvalue:
40 | print emailAddress
41 |
42 | if __name__ == "__main__":
43 | main()
44 |
--------------------------------------------------------------------------------
/iPhone-iTunes-Backup-Spy-Python-Program/mobileSiteEmailHarvester.py:
--------------------------------------------------------------------------------
1 | import mechanize
2 |
3 | alphabet = 'abcdefghijklmnopqrstuvwxyz'
4 | # Fill it out an 'a'
5 | for letter in alphabet:
6 | b = mechanize.Browser()
7 | # Disable loading robots.txt
8 | b.set_handle_robots(False)
9 | b.addheaders = [('User-agent','Mozilla/4.0 (compatible; MSIE 5.0; Windows 98;)')]
10 | # Navigate
11 | b.open('http://m.directory.example.ca/index.cfm/person/searchform')
12 | # Choose a form
13 | b.select_form(nr=0)
14 | b['search'] = letter
15 | # Submit put into fh file handler contstant
16 | fh = b.submit()
17 | # read instance of fh into data constant
18 | data = fh.readlines()
19 | for line in data:
20 | if '_id=' in line:
21 | dataList.append(line[line.find('''_id=''')+4:line.find('''" data-ajax="false"''')])
22 | for item in range(len(mylist)):
23 | response = mechanize.urlopen('http://m.directory.example.ca/index.cfm/person/get?person_id=' + (mylist[item]))
24 | dump = response.readlines()
25 | for line in dump:
26 | if 'mailto:' in line:
27 | print line
--------------------------------------------------------------------------------
/iPhone-iTunes-Backup-Spy-Python-Program/simpleEmailHarvester.py:
--------------------------------------------------------------------------------
1 | #! /usr/bin/python
2 | '''
3 | This program will snarf email addresses from Online Staff Directory
4 | '''
5 |
6 | import urllib2
7 |
8 | mylist = []
9 | emailAddressList = []
10 | data = []
11 | my_target = 'http://ccapps.example.ca/phonebook/phonebook.serv?search=a'
12 |
13 | file_handler = urllib2.urlopen(my_target)
14 | data = file_handler.readlines()
15 |
16 | for line in data:
17 | if 'mailto:' in line:
18 | emailAddressString = line
19 | emailAddress = emailAddressString[emailAddressString.find('mailto:')+7:emailAddressString.find('@example.ca')+10]
20 | emailAddressList.append(emailAddress)
21 | mylist = emailAddressList[:]
22 |
23 | if mylist:
24 | mylist.sort()
25 | last = mylist[-1]
26 | for i in range(len(mylist)-2, -1, -1):
27 | if last == mylist[i]:
28 | del mylist[i]
29 | else:
30 | last = mylist[i]
31 |
32 | print mylist
--------------------------------------------------------------------------------