I've been reading lots of interesting information about iTunes and IOS, so I thought I would investigate, just what is in an iTunes backup. Typically, on OS X, you can find your iTunes backup here, under the appropriate OS X user profile:
/Library/Application Support/MobileSync/Backup
When you look at the backup, it's a giant list of 40 character hexadecimal file names. After doing some quick reading on theiphonewiki.com, those file names are SHA-1 hashes. Each of the files, is a backed-up file from the iPhone. The problem of restoring the file system then is that we need to find the original file names from the hashes.
Luckily, Apple provides an index. There is a file called "Manifest.mbdb" which is a binary index of all the SHA-1 files. There is a pretty good description of the format of that file here. After reading the Manifest.mbdb into memory, we have enough information to generate all the SHA-1 hashes. From there, we can match the generated hashes to the filenames on the file system, and we have enough information to regenerate the backed-up filesystem.
Once we have the file system, it's interesting to look around and find out what information was actually backed-up. Here's some highlights:
- SMS messages: "Library/SMS/sms.db". This is a sqlite database.
- Address Book: "Library/AddressBook/AddressBook.sqlitedb". sqlite database.
- Notes: "Library/notes/notes.sqlite". sqlite database.
- Call History: "Library/CallHistory/call_history.db". sqlite database.
- Photos: "Media/DCIM/". File systems of JPG files.
- SMS photos: "Library/SMS/Attachments". File system of JPG files.
- Safari bookmarks: "Library/Safari/Bookmarks.db". sqlite database.
I have working proof of concept code, however, in the interest of being a good guy, I'm keeping it private.