HOWTO decrypt iOS 10+ backups with irestore | Hack42 Labs - Expert Forensics Research

HOWTO decrypt iOS 10+ backups with irestore

By Andrew Hoog | January 24, 2018

HOWTO decrypt iOS 10+ backups with irestore

This is the second installment in our series HOWTO decrypt iOS 10 backups with open source tools that explores open source tools capable of decrypting iOS 10+ backups with a step-by-step HOWTO approach.

In this post, we’ll examine irestore, a tool written in golang in 2016 by Steve Dunham.

Please checked out other posts in this series:

  1. Introduction
  2. HOWTO decrypt iOS 10+ backups with irestore [this post]
  3. HOWTO decrypt iOS 10+ backups with iphone-dataprotection

These tools were setup and run on macOS however should work on Linux with minor modifications.

Note: you must know the backup password…these tools do not implement password cracking techniques


I was intrigued with the irestore as it was written in golang, seemed well structured and provided additional details that as a forensic researcher I found very useful. Below are the directions for how I installed irestore.

mkdir ~/git
cd ~/git
git clone

If you don’t have git install with ssh keys, you can also just download the repo over https and then unzip it to ~/git with the following command (which assumes downloads are saved in ~/Downloads):

mv ~/Downloads/ ~/Downloads/
unzip ~/Downloads/ -d ~/git

Install and configure Go

These steps were snagged from the macOS Setup Guide by Sourabh which I refer to when I rebuild a Mac. This assumes you have Homebrew installed so if not please do this first. You can find directions on the Homebrew website or the Homebrew chapter in the macOS Setup Guide.

brew update
brew install golang

Then edit you shell startup script (in this case I’m using zsh but you may be using Bash). Also, feel free to use the editor of your choice (vim, emac, vi, nano, etc.):

vim ~/.zshrc
    export GOPATH=$HOME/go-workspace
    export GOROOT=/usr/local/opt/go/libexec
    export PATH=$HOME/bin:/usr/local/bin:$GOPATH/bin:$GOROOT/bin:$PATH

Finally let’s add those paths we just referenced:

mkdir -p $GOPATH $GOPATH/src $GOPATH/pkg $GOPATH/bin

From here, you should exit your shell and start a new one so the confi file changes take effect.

Finally you can test to make sure go is setup and working as follows:

hiro@metaverse:~|⇒  go version
go version go1.9.2 darwin/amd64

Install dependent go packages

Next, you need to install the various go tools that irestore depends on. If you are new to go, I’d suggest you just execute these commands one at a time and make sure they run properly and don’t encounter any errors:

go get -u
go get -u
go get -u
go get -u
go get -u
go get -u
go get -u

Alternatively, you can take care of all of the above with this single command:

go get -u

Run irestore

OK, we’re funally ready to run irestore. In case you’ve changed directories, we’ll change back into the irestore source direction and run it:

cd ~/git/ios
go run cmd/irestore/irestore.go

and provided you have backup up at least one iOS device to your computer, you’ll get something like the following:

$ cd ~/git/ios
$ go run cmd/irestore/irestore.go
iphone1    <udid1>
iphone2    <udid2>

There are four commands you can now run:

    ls [domain]
    restore domain dest
    dumpkeys [outputfile]

which will work on backups with or without a backup password. If there is a password, you have to enter it at the prompt. Here’s an example of the output (truncated) for the ls command on a password protected iOS 10 backup:

$ go run cmd/irestore/irestore.go iphone1 ls
Selected iphone1 <udid>
Backup Password:
key derivation took 10.501394168s use the password <redacted> to skip load
Got manifest key [redacted]