±Forensic Focus Partners

Become an advertising partner

±Your Account


Username
Password

Forgotten password/username?

Site Members:

New Today: 2 Overall: 35745
New Yesterday: 5 Visitors: 151

±Follow Forensic Focus

Forensic Focus Facebook PageForensic Focus on TwitterForensic Focus LinkedIn GroupForensic Focus YouTube Channel

RSS feeds: News Forums Articles

±Latest Articles

±Latest Videos

±Latest Jobs

Does iCloud Mobile Backup Creation Remove iTunes Encryption?

Discussion of forensic issues related to all types of mobile phones and underlying technologies (GSM, GPRS, UMTS/3G, HSDPA, LTE, Bluetooth etc.)
Subforums: Mobile Telephone Case Law
Reply to topicReply to topic Printer Friendly Page
Forum FAQSearchView unanswered posts
 
  

UnallocatedClusters
Senior Member
 

Does iCloud Mobile Backup Creation Remove iTunes Encryption?

Post Posted: Jun 25, 18 21:59

Colleagues,

I am a bit confused, but happy with the results of the following:

* On 06/15/2018, I used Cellebrite PA v.7.6.0.83 to create Method 1 & Method 2 extractions of an iPhone 7 running iOS 11.0.3

* When the PA extractions completed, Physical Analyzer stated that there is an iTunes encryption password in place (which my client could not recall).

* I attempted to open the "iPhoneBackup.tar" file using MOBILedit Forensic Express and received the same message "please enter the iTunes encryption password."

* Today, 06/25/2018, I used Elcomsoft Phone Breaker Forensic v8.22.24547 to download three iCloud stored mobile backups of the iPhone 7 (created 06/20/2018, 06/22/2018 and 06/24/2018).

* I then used Cellebrite PA v.7.6.0.83 to process the Elcomsoft Phone Breaker Forensic downloaded mobile backups; there was NO iTunes encryption password in place and thus Cellebrite PA was able to completely process the EPBF downloaded mobil backups and recover deleted text messages, deleted call logs, etc.

Shocked Shocked Shocked

So, I am trying to figure out why the EPBF downloaded mobile backups were not encrypted by the same iTunes password which encrypted the first Cellebrite extraction of the iPhone 7.

* Does the creation of an iCloud mobile backup remove iTunes encryption???

Between the 06/15 first Cellebrite extraction, and the 06/20 iCloud mobile backup creation, it is possible the iPhone owner somehow removed the iTunes encryption password, but I have not been informed as such; the iPhone 7 owner is not technical so I doubt this occurred.  
 
  

Mark_Eskridge
Member
 

Re: Does iCloud Mobile Backup Creation Remove iTunes Encrypt

Post Posted: Jun 26, 18 01:19

Two separate backups, one on a local computer and one in the cloud, which exist independent of one another. The iCloud backup is always protected by the iCloud user name and password, but not stored encrypted. The iTunes backup can either be encrypted or not encrypted on a local computer, based upon a user setting. That user setting is stored on the iPhone and will affect all future local backups, including Cellebrite. There is a workaround in iOS11 for removing the setting from the iPhone, so your Cellebrite backup is not encrypted.  
 
  

pcook8198
Member
 

Re: Does iCloud Mobile Backup Creation Remove iTunes Encrypt

Post Posted: Jun 27, 18 09:46

Not trying to teach anyone to suck eggs

Did you just click through the options on PA method 1 and 2

It asks if you want to encrypt the extractions / backup and default password it uses is 1234

Just a thought

and again Please don't think I'm trying to preach

Ive done it a few times when distracted and accept the pop ups.

I spent a good few hours trying to get the iTunes backup password when the owner had not set one Embarassed  
 
  

hsiF_cisneroF
Newbie
 

Re: Does iCloud Mobile Backup Creation Remove iTunes Encrypt

Post Posted: Jun 27, 18 15:29

As Mark points out, these are two distinct backups - one is encrypted and stored locally on a device (computer) and the other is stored in the cloud.  
 

Page 1 of 1