Information Technology Reference
In-Depth Information
Library/Preferences/com.apple.voiceservices.plist
Writing /Users/satishb3/Library/Application Support/
MobileSync/Backup/
6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/
CameraRollDomain/Media/DCIM/100APPLE/IMG_0038.JPG
Writing /Users/satishb3/Library/Application Support/
MobileSync/Backup/
6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/
SystemPreferencesDomain/SystemConfiguration/
preferences.plist
[...]
Writing /Users/satishb3/Library/Application Support/
MobileSync/Backup/
6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/HomeDomain/
Library/Preferences/com.apple.springboard.plist
You can decrypt the keychain using the following command:
python keychain_tool.py -d "/Users/satishb3/Library/
Application Support/MobileSync/Backup/
6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/
KeychainDomain/keychain-backup.plist" "/Users/satishb3/
Library/Application Support/MobileSync/Backup/
6c1b7aca59e2eba6f4635cfe7c4b2de1bd812898_extract/
Manifest.plist"
The script creates the
6c1b7aca59e2eba6f4635cfe7c4b2de1b-
d812898_extract
folder in the backup directory location, then decrypts and extracts
the backup files into a number of domain directories by restoring the original filenames.
Decrypting the keychain
Encrypted backup files can be cracked using brute force attacks in both the command line
and GUI tools. For encrypted backups, the keychain items protected with the
ThisDeviceOnly
data protection class are encrypted using a set of class keys that are
protected with the key
0x835
. All other keychain items are encrypted using a set of class
keys that are protected with a password set in iTunes. If you want to extract the
ThisDeviceOnly
protected items, you need to extract a key
0x835
from the device
from iOS Devices
.
