are protected with a set of class keys from the Backup keybag. The class keys in the
Backup keybag are protected with a key derived from the password set in iTunes through
10,000 iterations of PBKDF2 (Password-Based Key Derivation Function 2). Both open
source and commercial tools support parsing an encrypted backup file if the
password is known. Some tools won't even prompt for a password, which makes them
useless in a forensic investigation. iPhone Data Protection Tools is capable of extracting
data from encrypted backup files if the password is known.
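The derivation step described above, as an added Python 3 example (not code from iPhone Data Protection Tools). It assumes the keybag is a stream of 4-byte tag / 4-byte big-endian length records carrying SALT and ITER entries, and that the PBKDF2 PRF is HMAC-SHA1 with a 32-byte output; the helper names and the sample keybag are constructed for illustration.

```python
import hashlib
import struct

def parse_tlv(blob):
    """Yield (tag, value) pairs from tag(4) + length(4, big-endian) + value records."""
    offset = 0
    while offset + 8 <= len(blob):
        tag = blob[offset:offset + 4]
        (length,) = struct.unpack(">L", blob[offset + 4:offset + 8])
        value = blob[offset + 8:offset + 8 + length]
        if len(value) != length:
            raise ValueError("truncated value for tag %r" % tag)
        yield tag.decode("ascii"), value
        offset += 8 + length

def keybag_kdf_params(blob):
    """Return (salt, iterations) from the keybag header (assumed SALT/ITER tags)."""
    salt = iterations = None
    for tag, value in parse_tlv(blob):
        if tag == "SALT" and salt is None:
            salt = value
        elif tag == "ITER" and iterations is None:
            (iterations,) = struct.unpack(">L", value)
    if salt is None or iterations is None:
        raise ValueError("keybag has no SALT/ITER entries")
    return salt, iterations

def derive_passcode_key(password, blob):
    """Derive the key that protects the class keys from the backup password."""
    salt, iterations = keybag_kdf_params(blob)
    # Assumption: PRF is HMAC-SHA1, password is UTF-8, output is 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt, iterations, dklen=32)

def tlv(tag, value):
    """Build one record; used only to construct the sample below."""
    return tag.encode("ascii") + struct.pack(">L", len(value)) + value

# Constructed sample keybag header (not taken from a real backup).
SAMPLE_KEYBAG = (
    tlv("VERS", struct.pack(">L", 3))
    + tlv("TYPE", struct.pack(">L", 1))
    + tlv("SALT", bytes(range(20)))
    + tlv("ITER", struct.pack(">L", 10000))
)

if __name__ == "__main__":
    print(derive_passcode_key("12345", SAMPLE_KEYBAG).hex())
```

The iteration count is read from the keybag rather than hard-coded, so the same code follows whatever work factor the backup actually records.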
iPhone Data Protection Tools
iPhone Data Protection Tools contains Python scripts to decrypt the backup when the
backup password is available. To decrypt and acquire data from the encrypted backup, in a
terminal window, run the backup_tool.py script on your backup directory and enter
the backup password when prompted, as shown in the following commands:
$ cd iphone-dataprotection
$ cd python_scripts
$ sudo python backup_tool.py ~/Library/Application\ Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898/
Device Name : Satishb3
Display Name : Satishb3
Last Backup Date : 2014-01-15 16:34:13
IMEI : 012856001945212
Serial Number : 85137505EDG
Product Type : iPhone2,1
Product Version : 6.1
iTunes Version : 11.1.3
Extract backup to /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract ? (y/n)
Type the letter y and hit Enter. The script displays a number of messages indicating the
file currently being processed, as follows:
Backup is encrypted
Enter backup password:
12345
Writing /Users/satishb3/Library/Application Support/MobileSync/Backup/6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/HomeDomain/