By Andrew Hoog | January 24, 2018
HOWTO decrypt iOS 10+ backups with irestore
This is the second installment in our series HOWTO decrypt iOS 10 backups with open source tools that explores open source tools capable of decrypting iOS 10+ backups with a step-by-step HOWTO approach.
In this post, we’ll examine irestore, a tool written in golang in 2016 by Steve Dunham.
Please check out the other posts in this series:
- HOWTO decrypt iOS 10+ backups with irestore [this post]
- HOWTO decrypt iOS 10+ backups with iphone-dataprotection
These tools were set up and run on macOS, but they should work on Linux with minor modifications.
Note: you must know the backup password; these tools do not implement password cracking techniques.
I was intrigued by irestore, as it was written in golang, seemed well structured, and provided additional details that I, as a forensic researcher, found very useful. Below are the directions for how I installed irestore.
```shell
mkdir ~/git
cd ~/git
git clone git@github.com:dunhamsteve/ios.git
```
If you don’t have git installed with SSH keys, you can also just download the repo over HTTPS and then unzip it into ~/git with the following commands (which assume downloads are saved in ~/Downloads):
```shell
mv ~/Downloads/ios-master.zip ~/Downloads/ios.zip
unzip ~/Downloads/ios.zip -d ~/git
# the zip extracts to ~/git/ios-master; rename it so the later cd ~/git/ios works
mv ~/git/ios-master ~/git/ios
```
Install and configure Go
These steps were snagged from the macOS Setup Guide by Sourabh which I refer to when I rebuild a Mac. This assumes you have Homebrew installed so if not please do this first. You can find directions on the Homebrew website or the Homebrew chapter in the macOS Setup Guide.
```shell
brew update
brew install golang
```
Then edit your shell startup script (in this case I’m using zsh, but you may be using Bash). Also, feel free to use the editor of your choice (vim, emacs, vi, nano, etc.):
```shell
vim ~/.zshrc
```
and add the following lines to it:
```shell
export GOPATH=$HOME/go-workspace
export GOROOT=/usr/local/opt/go/libexec
export PATH=$HOME/bin:/usr/local/bin:$GOPATH/bin:$GOROOT/bin:$PATH
```
Finally let’s add those paths we just referenced:
```shell
mkdir -p $GOPATH $GOPATH/src $GOPATH/pkg $GOPATH/bin
```
From here, you should exit your shell and start a new one so the config file changes take effect.
Finally, you can test to make sure Go is set up and working as follows:
```shell
hiro@metaverse:~|⇒ go version
go version go1.9.2 darwin/amd64
```
Install dependent go packages
Next, you need to install the various go tools that irestore depends on. If you are new to go, I’d suggest you just execute these commands one at a time and make sure they run properly and don’t encounter any errors:
```shell
go get -u github.com/dunhamsteve/ios/backup
go get -u github.com/dunhamsteve/ios/crypto/aeswrap
go get -u github.com/dunhamsteve/ios/crypto/gcm
go get -u github.com/dunhamsteve/ios/encoding/asn1
go get -u github.com/dunhamsteve/plist
go get -u golang.org/x/crypto/ssh/terminal
```
Alternatively, you can take care of all of the above with this single command:
```shell
go get -u github.com/dunhamsteve/ios/...
```
OK, we’re finally ready to run irestore. In case you’ve changed directories, we’ll change back into the irestore source directory and run it:
```shell
cd ~/git/ios
go run cmd/irestore/irestore.go
```
Provided you have backed up at least one iOS device to your computer, you’ll get something like the following:
```shell
$ cd ~/git/ios
$ go run cmd/irestore/irestore.go
iphone1 <udid1>
iphone2 <udid2>
```
There are four commands you can now run:
```
Usage:
  ls [domain]
  restore domain dest
  dumpkeys [outputfile]
  apps
```
All four work on backups with or without a backup password. If there is a password, you have to enter it at the prompt. Here’s an example of the (truncated) output of the ls command on a password-protected iOS 10 backup:
```shell
$ go run cmd/irestore/irestore.go iphone1 ls
Selected iphone1 <udid>
Backup Password:
key derivation took 10.501394168s
use the password <redacted> to skip load
Got manifest key [redacted]
AppDomain-com.apple.AccountAuthenticationDialog
AppDomain-com.apple.AppStore
AppDomain-com.apple.CloudKit.ShareBear
<snip>
```
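The ten-second "key derivation" in that transcript is the step that turns the backup password into the key that unwraps the keybag's class keys. As an added example (my own code, not irestore's or the post's), here is a minimal parser for the BackupKeyBag TLV blob from Manifest.plist and the two-stage PBKDF2 that iOS 10.2+ uses; the function names and the sample keybag are constructed, and the iteration counts are shrunk so it runs instantly, whereas a real keybag's DPIC of about 10,000,000 SHA-256 iterations is exactly what makes each password guess cost seconds.

```python
import hashlib
import struct
# Function names and the sample keybag are constructed; the TLV layout and the
# two-stage PBKDF2 are the iOS 10.2+ backup keybag scheme that irestore implements.

def parse_keybag(blob):
    """Return the BackupKeyBag blob as an ordered list of (tag, value) pairs."""
    entries, off = [], 0
    while off + 8 <= len(blob):
        tag, length = blob[off:off + 4], struct.unpack(">I", blob[off + 4:off + 8])[0]
        value = blob[off + 8:off + 8 + length]
        if len(value) != length:
            raise ValueError("truncated keybag entry %r" % tag)
        entries.append((tag, value))
        off += 8 + length
    if off != len(blob):
        raise ValueError("trailing bytes after last keybag entry")
    return entries

def keybag_header(entries):
    """Attributes before the second UUID; each later UUID opens a class-key group."""
    hdr = {}
    for tag, value in entries:
        if tag == b"UUID" and b"UUID" in hdr:
            break
        hdr[tag] = value
    return hdr

def derive_backup_key(password, hdr):
    """Backup password -> key that unwraps the class keys (WPKY entries). iOS 10.2+
    keybags add DPSL/DPIC: PBKDF2-HMAC-SHA256 with DPIC (about 10,000,000) iterations
    feeds the older PBKDF2-HMAC-SHA1 pass over SALT/ITER; that is the slow step."""
    pw = password.encode("utf-8")
    if b"DPSL" in hdr and b"DPIC" in hdr:
        dpic = struct.unpack(">I", hdr[b"DPIC"])[0]
        pw = hashlib.pbkdf2_hmac("sha256", pw, hdr[b"DPSL"], dpic, 32)
    iters = struct.unpack(">I", hdr[b"ITER"])[0]
    return hashlib.pbkdf2_hmac("sha1", pw, hdr[b"SALT"], iters, 32)

def _tlv(tag, v):
    v = struct.pack(">I", v) if isinstance(v, int) else v
    return struct.pack(">4sI", tag, len(v)) + v

# Constructed sample with tiny iteration counts so it runs instantly (real DPIC ~1e7).
SAMPLE_KEYBAG = b"".join([
    _tlv(b"UUID", b"\x00" * 16), _tlv(b"WRAP", 1), _tlv(b"SALT", bytes(range(20))),
    _tlv(b"ITER", 10000), _tlv(b"DPIC", 1000), _tlv(b"DPSL", bytes(range(100, 120))),
    _tlv(b"UUID", b"\x01" * 16), _tlv(b"CLAS", 1), _tlv(b"WRAP", 2), _tlv(b"WPKY", b"\x02" * 40),
    _tlv(b"UUID", b"\x03" * 16), _tlv(b"CLAS", 2), _tlv(b"WRAP", 2), _tlv(b"WPKY", b"\x04" * 40),
])
```

Unwrapping the WPKY values with the derived key (RFC 3394 AES key wrap) and then decrypting Manifest.db is what irestore does next; this block stops at the derivation so it needs only the standard library.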