Apple iPhone 5 & 6 Encrypted Backup

 PB10
(@pb10)
Active Member
Joined: 12 years ago
Posts: 19
Topic starter  

Hey all,

I have an Apple iPhone 5 and 6 which both require an encrypted backup password. I have the passcodes for the device, but not the backup password. As forensic software is unable to recover calls, SMS, social networking messaging data etc., I was wondering if anyone has attempted to jailbreak these devices in the past in order to recover these files?

Would you be able to bypass the backup encryption by jailbreaking the device? Or even be able to recover the backup password from a jailbroken device?

The devices have no iCloud accounts, therefore, 'find my iPhone' is off, making jailbreaking a possibility.

Any thoughts???


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

What are your exact device models? What iOS runs on them?


   
 PB10
(@pb10)
Active Member
Joined: 12 years ago
Posts: 19
Topic starter  


The models and iOS versions are:

iPhone 5 (A1429) - iOS 9.3.2
iPhone 6s (A1688) - iOS 9.3.3


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

PB10,

If you are referring to an iTunes' encryption password that is in place on the iPhones, then here are some options:

1) Elcomsoft Phone Breaker Forensic Edition (https://www.elcomsoft.com/eppb.html) US $799.00

2) Compelson MobilEdit Forensic Express (http://www.mobiledit.com/online-store/forensic-express) US $1,200.00

OPTION 1: Elcomsoft Phone Breaker ("EPB") can be used to crack the iTunes encryption password of mobile backups of the iPhones. So, you could use EPB to download iCloud stored mobile backups of both phones (assuming you have the AppleIDs and Passwords for the phones) and then use EPB to crack the iTunes encryption password.

OPTION 2: Alternatively, you could use the latest version of iTunes to make a mobile backup of each iPhone which would be found here: C:\Users\*USER ACCOUNT NAME*\AppData\Roaming\Apple Computer\MobileSync\Backup\………

Then once you have mobile backups created, you could use EPB to crack the iTunes password. You will need to test option 2 as iTunes might prevent the creation of a mobile backup without inputting the iTunes encryption password.

OPTION 3: Compelson MobilEdit Forensic Express can be used to crack the iTunes password of the iPhones directly (not the mobile backups of the phones).

Other items to look at:

If you have the MacBook or Windows computer of the phone owner, use a tool such as Passmark's OSForensics to create an index and "dictionary" file of the computer itself. The "dictionary" file can then be fed into Elcomsoft's Phone Breaker to aid in cracking the iTunes encryption password.


   
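Before any tool is pointed at a backup made as in OPTION 2, it helps to record what state each backup folder is in. The following is an added example, not part of the original post: it reads the Manifest.plist of each backup folder read-only and reports whether the backup is encrypted and which device and iOS version it came from. The key names (IsEncrypted, WasPasscodeSet, BackupKeyBag, Lockdown) are the ones iTunes writes to that file; the folder names and sample values are constructed.

```python
import plistlib
import tempfile
from pathlib import Path

def triage_backup(backup_dir):
    """Summarise one backup folder from its Manifest.plist (read-only)."""
    manifest_path = Path(backup_dir) / "Manifest.plist"
    if not manifest_path.is_file():
        raise FileNotFoundError(f"no Manifest.plist in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # accepts XML and binary plists
    lockdown = manifest.get("Lockdown", {})
    return {
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "passcode_was_set": manifest.get("WasPasscodeSet"),
        "has_keybag": "BackupKeyBag" in manifest,
        "product_type": lockdown.get("ProductType"),
        "ios_version": lockdown.get("ProductVersion"),
    }

def triage_all(backup_root):
    """Triage every sub-folder of a MobileSync Backup directory."""
    results = {}
    for entry in sorted(p for p in Path(backup_root).iterdir() if p.is_dir()):
        try:
            results[entry.name] = triage_backup(entry)
        except (FileNotFoundError, plistlib.InvalidFileException) as exc:
            results[entry.name] = {"error": str(exc)}
    return results

def build_sample_root():
    """Constructed stand-in for a Backup directory; all values are made up."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "CONSTRUCTED-UDID-A": {"IsEncrypted": True, "WasPasscodeSet": True,
                               "BackupKeyBag": b"\x00",
                               "Lockdown": {"ProductType": "iPhone8,1", "ProductVersion": "9.3.3"}},
        "CONSTRUCTED-UDID-B": {"IsEncrypted": False, "WasPasscodeSet": True,
                               "Lockdown": {"ProductType": "iPhone5,2", "ProductVersion": "9.3.2"}},
    }
    for name, manifest in samples.items():
        (root / name).mkdir()
        with (root / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh)
    (root / "CONSTRUCTED-INCOMPLETE").mkdir()  # folder with no manifest
    return root

if __name__ == "__main__":
    for name, info in triage_all(build_sample_root()).items():
        print(name, info)
```

Run `triage_all` against a working copy of the Backup folder rather than the original, and keep its output with the case notes.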
(@randy_randerson)
Eminent Member
Joined: 9 years ago
Posts: 24
 

Have you tried entering the passcode when prompted? I've had huge success getting into devices when prompted by Cellebrite to enter the password when it's processing the file system dump.


   
UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

RR -

I believe the root cause problem the OP is facing is the lack of the iTunes encryption password, not the AppleID password.


   
passcodeunlock
(@passcodeunlock)
Prominent Member
Joined: 9 years ago
Posts: 792
 

Create dumps using UFED advanced logical backup method one and set an encryption password, the default is 1234.


   
 PB10
(@pb10)
Active Member
Joined: 12 years ago
Posts: 19
Topic starter  

Yes, it is the iTunes encryption password. I have attempted Elcomsoft for any 'weak' passcodes, 4-6 digits, alphanumeric. Obviously, the longer the password, the longer the brute force attempt will take.

Unfortunately there are only mobile phones involved, no computers (to create a dictionary file).

Hopefully the owner will cough up the password; in the meantime I was looking at different avenues (such as jailbreaking the device). Would this give me direct access to the database files as the device would no longer be 'locked' down?


   
(@wotsits)
Reputable Member
Joined: 10 years ago
Posts: 253
 

I assume you are not in LE? Jailbreaking a phone would make your evidence highly questionable.


   
(@armresl)
Noble Member
Joined: 21 years ago
Posts: 1011
 

Your evidence is only questionable if you have no idea why or what happened. If you can articulate what you did, the changes made, and the results or lack thereof on mission critical data, then you have no issues.


   