Operating system    Location
Mac OS X            /private/var/db/lockdown/
Pairing records on the computer contain the device certificate, Escrow keybag, root certificate, host certificate, host private key, and root certificate and private key. For example, the content shown in the following screenshot was located in a pairing record on one particular computer with a file named 6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898.plist.
Pairing record on a computer
The Escrow keybag stored on the computer allows iTunes to back up and sync with the device even in a locked state. The Escrow keybag is a copy of the System keybag and contains a collection of data protection class keys that are used for encryption on the iPhone. Commercial tools that claim to be able to crack a locked iPhone without brute force require access to the host computer and, thus, the Escrow keybag. The keybag improves the user experience during device synchronization and gives access to all classes of data on the device without entering the passcode.
The Escrow keybag is protected with a newly generated key computed from the key 0x835 and stored in an escrow record on the device. The escrow record is a property list file stored in the /private/var/root/Library/Lockdown/escrow_records/ directory with a filename that represents the computer's unique identifier. Starting with iOS 5, escrow records are protected with the UntilFirstUserAuthentication data protection class, which ties the encryption to the user's passcode. So, the device passcode must be entered before backing up with iTunes for the first time.
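
As an added example (not part of the original text), the following Python code inventories the pairing records in a lockdown directory and reports which ones hold an Escrow keybag or private keys, without printing any key material. The plist key names (EscrowBag, HostPrivateKey and so on) are assumed from commonly observed pairing records, since the text above lists the contents but not the key names, and the sample record is constructed.

```python
import os
import plistlib
import tempfile

# Key names as commonly seen in lockdown pairing records (assumption: the
# text lists the record's contents but not the plist key names).
SENSITIVE_KEYS = ("EscrowBag", "HostPrivateKey", "RootPrivateKey")
CERT_KEYS = ("DeviceCertificate", "HostCertificate", "RootCertificate")


def audit_pairing_record(path):
    """Summarise one pairing record; sizes only, never the key bytes."""
    with open(path, "rb") as fh:
        record = plistlib.load(fh)  # handles XML and binary plists
    return {
        "device_id": os.path.splitext(os.path.basename(path))[0],
        "secrets": {k: len(record[k]) for k in SENSITIVE_KEYS if k in record},
        "certificates": [k for k in CERT_KEYS if k in record],
        # An Escrow keybag lets this host reach the device while it is locked.
        "unlocks_locked_device": "EscrowBag" in record,
        "readable_by_others": bool(os.stat(path).st_mode & 0o044),
    }


def audit_lockdown_dir(directory):
    """Audit every *.plist file in a lockdown directory."""
    reports = []
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            try:
                reports.append(audit_pairing_record(os.path.join(directory, name)))
            except Exception:  # corrupt or non-dictionary plist
                reports.append({"device_id": name, "error": "unreadable"})
    return reports


def build_sample_dir():
    """Constructed sample: one fake record filled with placeholder bytes."""
    directory = tempfile.mkdtemp()
    record = {k: b"\x00" * 16 for k in SENSITIVE_KEYS + CERT_KEYS}
    path = os.path.join(directory, "0" * 40 + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(record, fh)
    os.chmod(path, 0o644)  # deliberately too permissive for the demo
    return directory


if __name__ == "__main__":
    print(audit_lockdown_dir(build_sample_dir()))
```

Any record reported with unlocks_locked_device set marks a host whose compromise exposes the paired device's data, so those files are the ones to restrict, back up under encryption, or delete when the pairing is no longer needed.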