Information Technology Reference
In-Depth Information
through an escrow file to decrypt the locked device. For this to work, the examiner would
need to have access to both the iOS device and the host computer to which the device is
backed up.
Should the host computer not be available, as mentioned, the
demo_bruteforce.py
Python script included in iPhone Data Protection Tools can perform brute force attack and
guess any four-digit passcode within 18 minutes. Brute force on the device is slow, and
the time required to brute force a passcode depends on the device's capability. The follow-
ing table lists the time required to brute force passcodes of various lengths and complexity
requirements on the iPhone 4:
Passcode length
Complexity
Time
4
Numeric
18 minutes
4
Alphanumeric
19 days
6
Alphanumeric
196 days
8
Alphanumeric
755 thousand years
8
Alphanumeric, complex 27 million years
On Mac OS X, open a new terminal and run the following command. The brute force
script uses the
1999
port opened with
tcprelay.py
to communicate with the ramdisk
tools on the device. The script brute forces the passcode, decrypts the System keybag,
dumps the data protection keys, and places them into a directory named with the
Unique
Device Identifier
(
UDID
) of the target device in a
.plist
format.
$sudo python python_scripts/demo_bruteforce.py
Connecting to device :
b716de79051ef093a98fc3ff1c46ca5e36faabc3Keybag UUID :
5b14620bd1e74013bfa66325b6946773
Enter passcode or leave blank for bruteforce:
Hit
Enter
on the keyboard to start the brute force process:
Trying all 4-digits passcodes...
0 of 10000 ETA: --:--:--
