When a user creates a backup of their device in iTunes, there is an option for them to make the backup encrypted and password protected.
Once this option has been set, from what I have seen when you go on to make an acquisition (logical) of the device whether you use Cellebrite or Magnet or whatever else, it appears that all acquisitions are encrypted also and unless you know the encryption password set by the user any acquisition you're able to make is effectively useless.
Is this correct? If so, that is perhaps Apple's biggest anti-forensics obstacle yet. Of course you could try to brute force as there doesn't appear to be a limitation on the number of attempts, but this is very hit and miss.
Are there any other ways around this?
Are there any other ways around this?
Yes, ask the owner for the password / passcode lol lol
There's not a lot of way around it …
Are there any other ways around this?
Yes, ask the owner for the password / passcode lol lol
Funny thing, an incredible number of people 'forget' their password after it gets seized roll
I struggle to understand how this works.
Let me repeat in this scenario I am saying that there is access to the device bypassing the phone passcode lock screen.
Is it simply a case that once a person creates an encrypted backup of their i device, that sets it so any future acquisitions or backups made of that device anywhere will be encrypted with the same password?
So in this scenario, unless you know the password the only option is 'thumb' forensics?
Wotsits, there is no bypass for iTunes backup password but you can still try to find it.
In Oxygen Forensic Detective we have a Passware module that finds passwords to encrypted iTunes backups. You may choose any supported attack you need, including brute force, and accelerate password recovery with multiple computers and NVIDIA & AMD GPUs. But unfortunately nobody will guarantee that you will find the password in all cases. Sometimes it may take months and even more.
That is correct, once a password is set, all future backups are encrypted with that password.
Interesting thing though, I had an iPhone 4 which had a backup password set, but the physical dump wasn't encrypted.
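An added example, not part of any post in this thread: before processing an acquisition, an examiner can check whether a backup folder is flagged as encrypted by reading its `Manifest.plist`. It assumes the usual iTunes/Finder backup layout and the `IsEncrypted`, `WasPasscodeSet` and `Lockdown` keys; the sample manifest and device values are constructed for the demonstration.

```python
import plistlib
from pathlib import Path
from xml.parsers.expat import ExpatError


def triage_manifest(raw: bytes) -> dict:
    """Summarise one Manifest.plist (XML or binary plist format)."""
    m = plistlib.loads(raw)
    if not isinstance(m, dict):
        raise ValueError("top-level plist object is not a dictionary")
    lockdown = m.get("Lockdown") or {}
    return {
        # True once the user has enabled "Encrypt local backup" on the device
        "encrypted": bool(m.get("IsEncrypted", False)),
        "passcode_set": m.get("WasPasscodeSet"),
        "device": lockdown.get("DeviceName"),
        "ios": lockdown.get("ProductVersion"),
    }


def triage_tree(root) -> dict:
    """Triage every backup folder under root, keyed by folder name."""
    results = {}
    for manifest in sorted(Path(root).rglob("Manifest.plist")):
        name = manifest.parent.name
        try:
            results[name] = triage_manifest(manifest.read_bytes())
        except (ValueError, ExpatError, OSError) as exc:
            # Damaged or truncated manifest: record it, keep scanning
            results[name] = {"error": type(exc).__name__}
    return results


def make_sample(encrypted: bool) -> bytes:
    """Constructed sample manifest (not taken from a real device)."""
    return plistlib.dumps({
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Lockdown": {"DeviceName": "Sample iPhone", "ProductVersion": "12.4"},
    })


if __name__ == "__main__":
    for flag in (True, False):
        print(triage_manifest(make_sample(flag)))
```
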
Hi,
Things changed massively from the iPhone 4s onwards with regards to encryption.
Certainly in relation to your question the previous answer is quite right in saying that once the user sets the device to create encrypted backups you as an examiner will end up with encrypted reads from UFED, Oxygen etc.
As you have the PIN code you can manually examine the device though and the password might be saved on there in a note. Users have been known to do that before.
With regard to breaking the iTunes password, if you are LE then there will probably be some form of support available to you at national/federal level.
Steve
Thank you all for your replies.
Wotsits, there is no bypass for iTunes backup password but you can still try to find it.
In Oxygen Forensic Detective we have a Passware module that finds passwords to encrypted iTunes backups. You may choose any supported attack you need, including brute force, and accelerate password recovery with multiple computers and NVIDIA & AMD GPUs. But unfortunately nobody will guarantee that you will find the password in all cases. Sometimes it may take months and even more.
Is this simply a brute force attack? Or does it have some special ability to find where the password is stored?
Wotsits,
I used Elcomsoft's Phone Breaker (https://
The owner of the phone was deceased (I was working for the fiancé of the deceased) so no one alive knew the iTunes password.
Fortunately, the password turned out to be "1234" which is why I am sure it cracked so quickly.
Here are some password cracking best practices I have been taught (perhaps others can add theirs)
1) Create an index of a relevant laptop / desktop / email account in order to create a custom "dictionary file". This custom dictionary file can be fed into most password cracking software in order to enhance the cracking process.
The theory is that people commonly use, amongst other words, personal names, pet names, nick names, company names, school names, family names, sports team names, sports mascot names, etc. plus a combination of numbers and characters for their own passwords.
So, if one can create a dictionary file of words unique to the target's computers/accounts/devices, then it is possible that words in that dictionary file will be part of the password one is trying to ascertain.
2) If possible, use password recovery tools on the target's workstation to extract the target's commonly used passwords; for example, a password used to log in to Gmail might be duplicative of the iTunes password one is trying to crack, so simply using a password extraction tool to extract saved Chrome passwords, for example, might reveal the desired iTunes password.
I use Passmark's OSForensics to extract passwords in this manner as well as NirSofer's tools. Also Win-UFO (http://win-ufo.org/) has a bunch of free password extraction tools built in. Win-UFO (DART) can also be found on the Deft Forensics Live USB drives one can purchase cheaply at osdisc.com.
Regards,
Larry
Thank you all for your replies.
Wotsits, there is no bypass for iTunes backup password but you can still try to find it.
In Oxygen Forensic Detective we have a Passware module that finds passwords to encrypted iTunes backups. You may choose any supported attack you need, including brute force, and accelerate password recovery with multiple computers and NVIDIA & AMD GPUs. But unfortunately nobody will guarantee that you will find the password in all cases. Sometimes it may take months and even more.
Is this simply a brute force attack? Or does it have some special ability to find where the password is stored?
Yes, this is a brute force attack only, or any other supported attack you choose from the list, like Xieve, Dictionary, etc.