Does iCloud Mobile Backup Creation Remove iTunes Encryption?
I am a bit confused, but happy with the results of the following
* On 06/15/2018, I used Cellebrite PA v.22.214.171.124 to create Method 1 & Method 2 extractions of an iPhone 7 running iOS 11.0.3
* When the PA extractions completed, Physical Analyzer stated that there is an iTunes encryption password in place (which my client could not recall).
* I attempted to open the "iPhoneBackup.tar" file using MOBILedit Forensic Express and received the same message "please enter the iTunes encryption password."
* Today, 06/25/2018, I used Elcomsoft Phone Breaker Forensic v8.22.24547 to download three iCloud stored mobile backups of the iPhone 7 (created 06/20/2018, 06/22/2018 and 06/24/2018).
* I then used Cellebrite PA v.126.96.36.199 to process the Elcomsoft Phone Breaker Forensic downloaded mobile backups; there was NO iTunes encryption password in place and thus Cellebrite PA was able to completely process the EPBF downloaded mobil backups and recover deleted text messages, deleted call logs, etc.
😯 😯 😯
So, I am trying to figure out why the EPBF downloaded mobile backups were not encrypted by the same iTunes password which encrypted the first Cellebrite extraction of the iPhone 7.
* Does the creation of an iCloud mobile backup remove iTunes encryption???
Between the 06/15 first Cellebrite extraction, and the 06/20 iCloud mobile backup creation, it is possible the iPhone owner somehow removed the iTunes encryption password, but I have not been informed as such; the iPhone 7 owner is not technical so I doubt this occurred.
Two separate backups, one on a local computer and one in the cloud, which exist independent of one another. The iCloud backup is always protected by the iCloud user name and password, but not stored encrypted. The iTunes backup can either be encrypted or not encrypted on a local computer, based upon a user setting. That user setting is stored on the iPhone and will affect all future local backups, including Cellebrite. There is a workaround in iOS11 for removing the setting from the iPhone, so your Cellebrite backup is not encrypted.
Not trying to teach anyone to suck eggs
Did you just click through the options on PA method 1 and 2
It asks if you want to encrypt the extractions / backup and default password it uses is 1234
Just a thought
and again Please don't think I'm trying to preach
Ive done it a few times when distracted and accept the pop ups.
I spent a good few hours trying to get the iTunes backup password when the owner had not set one oops
As Mark points out, these are two distinct backups - one is encrypted and stored locally on a device (computer) and the other is stored in the cloud.