Thursday, January 19, 2012

Whose iPod?

iPods, iPods, everywhere...

...Which means they are frequently lost or stolen.  ...Which means they end up in my office with a request attached stating, "Can you please try to figure out who owns this?"

Device Name

iTunes, the principal means for managing iPod content, allows users to name their device.  Usually, owner's put their names, like 'John Doe,' so the the device is reported in iTunes as 'John Doe's iPod.'  In a fat32 formatted device, like an iPod Nano, the device name is recorded as the volume label. 

When it comes to linking the device to owners, though, the device name is seldom enough.  'John Doe' might be too common a name, not listed in the phone book or in your records management system.  Worse, the device name might be 'Wookie'.  What then?

What Apple Doesn't Tell You

The Apple Store, commonly known as the iTunes store, sells media for playback on the device.  Music and Video are popular purchases, and are sold in the MPEG-4 format with file extensions of .m4p (music) and .m4v (video).

The purchaser of this content has to create and use an Apple Store account.  For quite some time, the account name is the user's email address.  Users provide there real names as part of the creation process, which is necessary for credit card transactions.  Very standard business practices, nothing nefarious here.

The slight of hand comes on download (well, it would have to occur before download for you precise-types).  The Apple Store account name and the purchaser's real name are embedded in the media file!  MPEG-4 files contain metadata (data about data) such as the Artist, Title, Album, even album cover art.  The metadata takes the form of key:value pairs, often referred to as 'atoms.'

Where to look

The atoms 'name' and 'apID' contain the purchasers real name and account name (email address) respectively.  However, no tools I am aware of automatically display this content.  The excellent exiftool by Phil Harvey will display the account name (apID atom, i.e., email address) but not the purchasers real name. 

While Harvey's tool is excellent, it just doesn't do to run exiftool against every media file on an iPod.  First, not every media file is an MPEG-4 with Apple Store metadata.  iTunes allows users to convert their existing mp3 and CD collections to MPEG-4, for example.  These media files take on the .m4a file extension and do not contain purchaser information.  Nor do .mp3s, for that matter.

When I'm in a hurry, which is most of the time, I resort to a straight forward, compound command:

$ find /media/iPod/iPod_Control/Music -type f -name "*.m4[pv]" | while read i; do strings -f "$i"|grep -E -m1 'name.+'; strings -f "$i"| grep -E -m1 -A2 'apID'; done

Am I out of my flipping mind?  No.  That really works, works well, and works really, really fast.  Should I explain it?  No, not unless you really want me to.  The output looks like this:

/media/iPod/iPod_Control/Music/F49/PFLT.m4v: nameJohn Doe
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: 8apID
/media/iPod/iPod_Control/Music/F49/PFLT.m4v: 0data

/media/iPod/iPod_Control/Music/F49/QQDN.m4p: nameJohn Doe
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: 8apID
/media/iPod/iPod_Control/Music/F49/QQDN.m4p: 0data

Pretty?  Maybe not.  Does it answer the question of what is the real name and email address of the media purchaser?  Yes.  And did I mention, really, really fast?

I'm aware that some people might like or need nicer output for a report of some kind.  I wrote a bash script , called iphone_music that works with exiftool to produce nice output:

======== /media/iPod/iPod_Control/Music/F49/PFLT.m4v
File Type                       : M4V
Apple Store Account             :
Apple Store Account Type        : iTunes
Apple Store Real Name           :
John Doe
======== /media/iPod/iPod_Control/Music/F49/QQDN.m4p
File Type                       : M4P
Apple Store Account             :
Apple Store Account Type        : iTunes
Apple Store Real Name           : John Doe

Iphone_music is also quite fast and uses the same basic methodology as the find command first demonstrated.  Additionally, it can tell you the names, artists, albums, etc. of other media on the device for instances where the owner has no purchased media on the device but can describe the media on board (e.g., .mp3, .m4a).  You may have noticed from the paths of the media files demonstrated, iTunes does not name the files after their content.

Iphone_music can be vastly improved, such as sorting by artist, email, owner name, etc, and I'll likely rewrite the tool in python to facilitate implementing these features.

Final Note (pun intended)

The methods detailed here work on mounted file systems and allocated files.  It is possible to find the real name and email address on devices where the media files have been deleted by the iPod thief / finder.  I won't detail the process here, but it involves using the Sleuthkit to pipe unallocated space to strings and grep for the name and apID atoms.  Another method, though slower, would be to use photorec or another file carving tool to recover MPEG-4 files an then use the methods above to search the recovered files.


  1. awesome post. can you explain the compound command? Shafik

  2. Certainly (comments follow each line of the command):

    find /media/iPod/iPod_Control/Music -type f -name "*.m4[pv]" | #find in the music folder files (-type f) that with file extension .m4p or .m4v and pipe to the next step

    while read i; do #start a loop where in each pass the 'i' variable is assigned a file passed from the find operation

    strings -f "$i"|grep -E -m1 'name.+'; #extract ascii strings from file $i and prepend the file name (-f), grep the strings for name followed by any character sequence of at least one character, stop searching the file once you find it (-m1)

    strings -f "$i"| grep -E -m1 -A2 'apID'; #extract the ascii again from file $i prepending the file name (-f), grep the strings for 'apID' and print the two following lines (-A2) to capture the account name, stop searching the file once you find it (-m1).

    done #the loop is finish, rinse and repeat until find is out of files.

    You may have noted that the file is searched twice for one string at a time, rather than searched once for two strings. This is on purpose, keeping the output clean and results from a knowledge of the file structute: the meta data is at the front, so the performance hit is minimal since the whole file is not grepped (remember -m1?). Practicality beats purity!

  3. So cool I am loving playing with the files from my phone. Thanks for the detailed explanation of the commands. Just wanted to let you know you are teaching someone who is grateful.

  4. Also because i used ifuse to mount as root (I have a rooted phone) and because i was using an iPhone my directory was /media/iPhone/private/var/mobile/Media/iTunes_Control/Music
    and I used the following command to find the Music folder while in the root directory of my phone.
    find -type d | grep Music


Time Perspective

Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...