Recently, I've been working on a tool to extract data from iOS backups, and one of the files that a backup have is the Manifest.mbdb (or mbdx for old versions).
The Manifest.mbdb is a binary file that contains records for the hashed files that the backup includes, the hashed files can be anything that a certain application requires or saved, from a image thumbnail to a sqlite3 database file.
Reading the file can be tricky, since the record itself have a variable length, so you can just split the file based on a delimiter, you need to read it byte to byte. I'm going to expose here the data structures this file contains:
|uint16||Lenght||Length of the string||0x0000|
|ASCII data||Data||Actual string of (length) size. Don't need to read this if length is null.||nothing|
|string||Key||Key of the property|
|Type||Field name||Description||Null value|
|string||Path||Path to file||0x0000|
|string||Hash||SHA-1 hash of the file||0xFFFF|
|string||Encription key||Encryption key -if any-||0xFFFF|
|uint32||Last modified time||EPOCH|
|uint32||Last accesed time||EPOCH|
|uint8||Flag||0x1 to 0xB|
|uint8||Properties number||Number of properties to follow with this record||0x00|
|property[0...n]||Property objects||Each property object -if any-||nothing|
|--||File name||SHA1(domain + path)|