HOWTO decrypt iOS 10+ backups with irestore | Hack42 Labs - Expert Forensics Research


By Andrew Hoog | January 24, 2018


This is the second installment in our series, HOWTO decrypt iOS 10 backups with open source tools, which walks step by step through open source tools capable of decrypting iOS 10+ backups.

In this post, we’ll examine irestore, a tool written in golang in 2016 by Steve Dunham.

Please check out the other posts in this series:

  1. Introduction
  2. HOWTO decrypt iOS 10+ backups with irestore [this post]
  3. HOWTO decrypt iOS 10+ backups with iphone-dataprotection

These tools were set up and run on macOS; however, they should work on Linux with minor modifications.

Note: you must know the backup password; these tools do not implement password cracking.


irestore

I was intrigued by irestore as it was written in golang, seemed well structured and provided additional details that, as a forensic researcher, I found very useful. Below are the directions for how I installed irestore.

mkdir ~/git
cd ~/git
git clone git@github.com:dunhamsteve/ios.git

If you don’t have git installed with SSH keys, you can instead download the repo over HTTPS and unzip it into ~/git with the following commands (which assume downloads are saved in ~/Downloads):

mv ~/Downloads/ios-master.zip ~/Downloads/ios.zip
unzip ~/Downloads/ios.zip -d ~/git

Install and configure Go

These steps were snagged from the macOS Setup Guide by Sourabh, which I refer to when I rebuild a Mac. This assumes you have Homebrew installed, so if not, please do this first. You can find directions on the Homebrew website or in the Homebrew chapter of the macOS Setup Guide.

brew update
brew install golang

Then edit your shell startup script (in this case I’m using zsh, but you may be using Bash). Also, feel free to use the editor of your choice (vim, emacs, vi, nano, etc.):

vim ~/.zshrc
    export GOPATH=$HOME/go-workspace
    export GOROOT=/usr/local/opt/go/libexec
    export PATH=$HOME/bin:/usr/local/bin:$GOPATH/bin:$GOROOT/bin:$PATH

Finally, let’s create the directories those paths refer to:

mkdir -p $GOPATH $GOPATH/src $GOPATH/pkg $GOPATH/bin

From here, you should exit your shell and start a new one so the config file changes take effect.

Finally, you can test that Go is set up and working as follows:

hiro@metaverse:~|⇒  go version
go version go1.9.2 darwin/amd64

Install dependent go packages

Next, you need to install the Go packages that irestore depends on. If you are new to Go, I’d suggest executing these commands one at a time and confirming that each completes without errors:

go get -u github.com/dunhamsteve/ios/backup
go get -u github.com/dunhamsteve/ios/crypto/aeswrap
go get -u github.com/dunhamsteve/ios/crypto/gcm
go get -u github.com/dunhamsteve/ios/encoding/asn1
go get -u github.com/dunhamsteve/plist
go get -u golang.org/x/crypto/ssh/terminal

Alternatively, you can take care of all of the above with this single command:

go get -u github.com/dunhamsteve/ios/...

Run irestore

OK, we’re finally ready to run irestore. In case you’ve changed directories, we’ll change back into the irestore source directory and run it:

cd ~/git/ios
go run cmd/irestore/irestore.go

and provided you have backed up at least one iOS device to your computer, you’ll get something like the following:

$ cd ~/git/ios
$ go run cmd/irestore/irestore.go
iphone1    <udid1>
iphone2    <udid2>

There are four commands you can now run:

Usage:
    ls [domain]
    restore domain dest
    dumpkeys [outputfile]
    apps

which work on backups with or without a backup password. If there is a password, you have to enter it at the prompt. Here’s an example of the output (truncated) for the ls command on a password-protected iOS 10 backup:

$ go run cmd/irestore/irestore.go iphone1 ls
Selected iphone1 <udid>
Backup Password:
key derivation took 10.501394168s use the password <redacted> to skip load
Got manifest key [redacted]
AppDomain-com.apple.AccountAuthenticationDialog
AppDomain-com.apple.AppStore
AppDomain-com.apple.CloudKit.ShareBear
<snip>
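To make the irestore run above repeatable for casework, here is an added wrapper script (my own example, not part of the irestore project) that drives the four commands against one device, captures every output into a timestamped evidence directory, and writes a SHA-256 manifest of the results. It assumes Go is on your PATH, the repo is checked out at ~/git/ios (override with IOS_SRC), and that irestore prompts for the backup password on the terminal, so it must be run interactively; the parsing helpers work on the `name<whitespace>udid` listing format shown above.

```shell
#!/bin/sh
# Added example, not irestore project code. Assumes: go on PATH, repo at
# $IOS_SRC (default ~/git/ios), and an interactive terminal for the
# "Backup Password:" prompt that irestore shows for each invocation.
set -eu

IOS_SRC="${IOS_SRC:-$HOME/git/ios}"

# Parse irestore's device listing ("name<whitespace>udid" per line) and
# print one device name per line. Pure text function, testable offline.
parse_devices() {
    awk 'NF >= 2 { print $1 }'
}

# Print the udid of a named device from the listing, or nothing if absent.
device_udid() {
    awk -v want="$1" 'NF >= 2 && $1 == want { print $2 }'
}

# Run one irestore invocation from the source checkout, as in the post.
run_irestore() {
    (cd "$IOS_SRC" && go run cmd/irestore/irestore.go "$@")
}

# Collect the device list, domain list, dumped keys and one restored domain
# into a fresh evidence directory, then hash everything for later verification.
# tee keeps the password prompt and status lines visible on the terminal while
# the same stream is preserved in the evidence file.
collect() {
    dev="$1"; domain="$2"
    out="evidence-$dev-$(date +%Y%m%dT%H%M%S)"
    mkdir -p "$out"
    run_irestore | tee "$out/devices.txt"
    run_irestore "$dev" ls | tee "$out/domains.txt"
    run_irestore "$dev" dumpkeys "$out/keys.txt"
    run_irestore "$dev" restore "$domain" "$out/restore"
    # macOS ships shasum rather than sha256sum; use whichever exists.
    sumcmd=$(command -v sha256sum || echo "shasum -a 256")
    (cd "$out" && find . -type f ! -name manifest.sha256 -exec $sumcmd {} + > manifest.sha256)
    echo "$out"
}

# Usage: ./collect_backup.sh iphone1 AppDomain-com.apple.AppStore
if [ "$#" -ge 2 ]; then
    collect "$1" "$2"
fi
```

Each irestore invocation repeats the key derivation and prompts for the password again, so expect the roughly ten-second wait shown above four times per run.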