Information Technology Reference
In-Depth Information
Encrypted backup
iTunes provides an option for the users to encrypt their backups using a password. Forensic
examiners may elect to create an encrypted backup to protect the evidence. It is pertinent
that the examiner documents the password should this method be used.
To create an encrypted backup, perform the following steps:
1. Connect the iPhone to the forensic workstation using a USB cable.
2. On the forensic workstation, launch iTunes.
3. Click on the iPhone icon displayed in the upper-right corner of the iTunes inter-
face. It displays the iPhone summary page.
4. In the iPhone summary page, select the
This computer
checkbox and select the
Encrypt iPhone backup
option. Selecting the option prompts you to enter a pass-
word, as shown in the following screenshot.
5. Set a password and click on the
Back Up Now
button. It creates an encrypted
backup.
iTunes—encrypted backup
If a backup is password protected, the password is set on the device itself and stored in the
keychain file. Also, whenever the device is connected to iTunes, it automatically chooses
the
Encrypt iPhone backup
option regardless whether the users own a copy of iTunes be-
ing used on their computer or someone else's. So, even if you have access to the suspect's
iPhone, you cannot produce an unencrypted backup unless you know the backup password.
Extracting encrypted backups
For encrypted backups, the backup files are encrypted using the
AES256
algorithm in the
CBC mode, with a unique key and a null
IV
(
initialization vector
). The unique file keys