Decrypting KeywordIndex.plist
Decrypting Manifest.sqlitedb
Decrypting express.psa
Decrypted 50518 files
The script modifies the disk image directly and the files are now decrypted and readable.
To verify this, you can mount the disk image and examine AddressBook.sqlitedb,
which was previously unreadable, with the following command:
$ hdiutil attach -readonly data_20131209-1956.dmg
/dev/disk3 /Volumes/Data
$ cd /Volumes/Data/
$ hexdump -C mobile/Library/AddressBook/AddressBook.sqlitedb | head
The output is as shown in the following screenshot:
The decrypted AddressBook file
Now, you should be able to fully examine the artifacts on the data partition, which will be
covered in detail in Chapter 5, iOS Data Analysis and Recovery.
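The same header check can be scripted across the whole mounted volume instead of eyeballing one hexdump. The following is an added example, not code from the book or from the decryption script; the function names and the suffix list are assumptions, and the sample files are constructed.

```python
import os
import struct

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file

def sqlite_header_info(path):
    """Return page size and page count if `path` starts with a sane SQLite
    header, or None if it does not (for example, it is still encrypted)."""
    with open(path, "rb") as fh:
        header = fh.read(100)            # the SQLite header is 100 bytes
    if len(header) < 100 or not header.startswith(SQLITE_MAGIC):
        return None
    (page_size,) = struct.unpack(">H", header[16:18])
    if page_size == 1:                   # the value 1 encodes 65536
        page_size = 65536
    # Page size must be a power of two between 512 and 65536.
    if page_size < 512 or page_size & (page_size - 1):
        return None
    (page_count,) = struct.unpack(">I", header[28:32])
    return {"page_size": page_size, "page_count": page_count}

def find_unreadable_databases(root, suffixes=(".sqlitedb", ".sqlite", ".db")):
    """Walk `root` and list non-empty database files without a valid header."""
    suspect = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if not name.lower().endswith(suffixes) or os.path.islink(full):
                continue
            try:
                if os.path.getsize(full) and sqlite_header_info(full) is None:
                    suspect.append(full)
            except OSError:
                suspect.append(full)     # unreadable files need a manual look
    return sorted(suspect)

if __name__ == "__main__":
    import sqlite3, tempfile
    # Constructed sample tree standing in for /Volumes/Data.
    with tempfile.TemporaryDirectory() as root:
        good = os.path.join(root, "AddressBook.sqlitedb")
        con = sqlite3.connect(good)
        con.execute("CREATE TABLE t (x)")
        con.commit()
        con.close()
        bad = os.path.join(root, "still_encrypted.sqlitedb")
        with open(bad, "wb") as fh:
            fh.write(os.urandom(4096))   # random bytes mimic ciphertext
        print(sqlite_header_info(good))
        print(find_unreadable_databases(root))
```

Against the real image, call find_unreadable_databases("/Volumes/Data") on the read-only mount; any path it returns is a database that does not begin with the SQLite header and deserves a closer look.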