iPhone Backup is Password Protected

  

tfink26
Newbie
 

iPhone Backup is Password Protected

Post Posted: Oct 16, 12 19:49

I am currently working with an iPhone 4s from a homicide investigation. The phone is not password protected but Cellebrite Physical and Oxygen Standard are unable to process it. Each tool gives me a message stating that the iTunes Backup Files are password protected.

I do have access to the device owner's iMac.

Has anyone had any luck working around this issue? Any ideas?

Thanks.  
 
  

crashed
Member
 

Re: iPhone Backup is Password Protected

Post Posted: Oct 16, 12 21:41

Using Elcomsoft's phone password breaker you could try and bruteforce attack the Manifest.plist file which is contained within the backup. There is also the option to wordlist attack the file as well.
Unfortunately if you are searching for more than 5 characters in your password you may have a long wait!

crashed  
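An added example, not part of the post above or of any tool named in this thread: a read-only triage of a backup's Manifest.plist that reports whether the backup is encrypted and reads the key-derivation iteration count from its keybag, plus the arithmetic behind the "long wait" for longer passwords. The key names (`IsEncrypted`, `BackupKeyBag`, `Lockdown`) and the tag/length/value keybag layout follow public descriptions of the iTunes backup format and are assumptions here, as are the constructed sample data and the 1000 guesses/s rate.

```python
import plistlib
import struct

def parse_keybag_header(blob):
    """Return header fields (before the first class key); 4-byte values become ints."""
    fields, pos, uuid_seen = {}, 0, False
    while pos + 8 <= len(blob):
        tag = blob[pos:pos + 4].decode("ascii", "replace")
        (length,) = struct.unpack(">I", blob[pos + 4:pos + 8])
        value = blob[pos + 8:pos + 8 + length]
        if len(value) != length:
            raise ValueError(f"truncated {tag} record at offset {pos}")
        if tag == "UUID" and uuid_seen:
            break  # a second UUID starts the per-class keys
        uuid_seen = uuid_seen or tag == "UUID"
        fields[tag] = int.from_bytes(value, "big") if length == 4 else value
        pos += 8 + length
    return fields

def triage_manifest(plist_bytes):
    """Summarise what an examiner needs to know before loading the backup."""
    manifest = plistlib.loads(plist_bytes)  # accepts XML and binary plists
    report = {"encrypted": bool(manifest.get("IsEncrypted", False)),
              "ios_version": manifest.get("Lockdown", {}).get("ProductVersion")}
    if report["encrypted"]:
        header = parse_keybag_header(manifest.get("BackupKeyBag", b""))
        report["kdf_iterations"] = header.get("ITER")
    return report

def worst_case_days(alphabet_size, max_len, guesses_per_second):
    """Days to exhaust every password of length 1..max_len at a given rate."""
    keyspace = sum(alphabet_size ** n for n in range(1, max_len + 1))
    return keyspace / guesses_per_second / 86400

def _tlv(tag, value):
    return tag + struct.pack(">I", len(value)) + value

# Constructed sample, not data from a real device.
SAMPLE_KEYBAG = b"".join([
    _tlv(b"VERS", struct.pack(">I", 3)), _tlv(b"UUID", bytes(16)),
    _tlv(b"SALT", bytes(20)), _tlv(b"ITER", struct.pack(">I", 10000)),
    _tlv(b"UUID", bytes(16)), _tlv(b"CLAS", struct.pack(">I", 1))])
SAMPLE_MANIFEST = plistlib.dumps({"IsEncrypted": True,
    "BackupKeyBag": SAMPLE_KEYBAG, "Lockdown": {"ProductVersion": "5.1.1"}})

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
    for n in (5, 6, 8):  # 62 = a-z, A-Z, 0-9; 1000 guesses/s is an assumed rate
        print(n, "chars:", round(worst_case_days(62, n, 1000), 1), "days")
```

Each extra character multiplies the search space by the alphabet size, so at the assumed rate the estimate goes from days at five characters to years at six.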
 
  

isth
Senior Member
 

Re: iPhone Backup is Password Protected

Post Posted: Oct 16, 12 23:30

I'm not sure if it's the same thing, but I had a weird issue where Oxygen password protected the iTunes backup I made along with any subsequent backups I attempted to make. I then attempted to crack the backup with Elcomsoft's password breaker and it was successful! The password it came up with was "oxygen" - obviously not created by the user. I'm not really sure why this happened but there you go. In doing some research I saw that others had had similar issues where it would randomly assign a password on the backup.  
 
  

satishb3
Newbie
 

Re: iPhone Backup is Password Protected

Post Posted: Dec 26, 12 09:39

iPhone backup password is stored in the iPhone keychain. So if you have access to the iPhone, jailbreak and use keychain dumper to dump the keychain items.  
 
  

randomaccess
Senior Member
 

Re: iPhone Backup is Password Protected

Post Posted: Dec 26, 12 10:31

I wouldn't jailbreak to get the keychain password unless you have to

Law enforcement can use Zdziarski's tools, which will dump the keychain if I remember correctly for supported devices
otherwise, UFED Physical Analyzer or maybe Katana Forensics tool will do it for you

Either way, if it's a 4S or above you're out of luck examining the phone anyways if it's locked  
 
  

Jonathan
Senior Member
 

Re: iPhone Backup is Password Protected

Post Posted: Dec 26, 12 16:31

- randomaccess


Law enforcement can use Zdziarski's tools..


I just Googled Jonathan Zdziarski. Pity I'll never get to use his iOS tools, but see that he's got a rather interesting blog: "The Case for Assault Weapons", "Pawns in a Political Country", "A Few Words on God" are a few recent topics.
_________________
Forensic Control
twitter.com/ForensicControl
St Bride Foundation, 14 Bride Lane, London, EC4Y 8EQ 
 
  

Robbo747
Member
 

Re: iPhone Backup is Password Protected

Post Posted: Dec 26, 12 18:56

- tfink26
I am currently working with an iPhone 4s from a homicide investigation. The phone is not password protected but Cellebrite Physical and Oxygen Standard are unable to process it. Each tool gives me a message stating that the iTunes Backup Files are password protected.


Cellebrite Physical acquisition on an iPhone 4S is not possible, only a Logical or File System extraction can be made on this handset model.

- randomaccess
I wouldn't jailbreak to get the keychain password unless you have to

Even if you were to obtain the keychain by the jailbreaking method, wouldn't the keychain be impossible to crack with the Python "decrypto" module, as Apple changed the AES encryption algorithm when it went to iPhone 4S?

iPhone 4S shipped with iOS 5, so all attributes are now encrypted. On the encryption side, AES-GCM is used instead of AES-CBC. (AES-GCM is included in NSA Cryptography.) Any partition on the phone can be encrypted and there are new protection classes - NSFileProtectionComplete.

I've found XRY will read in an iPhone 4S that is running in encrypted mode, where it will read in the iTunes backup data first, note it's encrypted & carry on to read the rest of the data on the phone. After an XRY dump, the latest version has modules added in that can decrypt certain data that has been read in - SMS, MMS, Pictures, etc. Cellebrite & presumably Oxygen can't overcome this first step during the "Read Phone Info" stage.

What about syncing the exhibit to a virtual image of the computer, fire up iTunes, de-select the option to encrypt backup, re-sync the phone to iTunes with the encryption de-selected & see how this goes?  
 
