HOWTO decrypt iOS 10 backups with iphone-dataprotection | Hack42 Labs - Expert Forensics Research

HOWTO decrypt iOS 10 backups with iphone-dataprotection

By Andrew Hoog | June 19, 2018

HOWTO decrypt iOS 10+ backups with iphone-dataprotection

This is the third installment in our series, HOWTO decrypt iOS 10 backups with open source tools, which explores open source tools capable of decrypting iOS 10+ backups in a step-by-step HOWTO format.

In this post, we’ll examine the venerable iphone-dataprotection toolset that was developed by Jean-Baptiste Bedrune and Jean Sigwald of Sogeti / ESEC in 2011, the early days of the “iOS Crypto Wars”.

Please check out the other posts in this series:

  1. Introduction
  2. HOWTO decrypt iOS 10+ backups with irestore
  3. HOWTO decrypt iOS 10+ backups with iphone-dataprotection [this post]

These tools were set up and run on macOS; they should work on Linux with minor modifications.

Note: you must know the backup password. These tools do not implement any password cracking techniques.


iphone-dataprotection

At Hack In The Box Amsterdam 2011 (HITB), researchers Jean-Baptiste Bedrune and Jean Sigwald presented their excellent research on iPhone data protection in a talk entitled “iPhone Data Protection in Depth”, which included accompanying tools and source code.

The tools were updated through 2014 (adding support for the iPhone 5), but the original project has not received additional updates since then.

The great thing about open source tools, though, is that the community can pitch in and keep a project going. A number of folks made copies of the code (moving it from Google Code to GitHub), and at least one of those repos (from DinoSec) has received updates enabling the decryption of backups from iOS 10 devices.

Fetch source code

First, let’s clone the updated source code repo from DinoSec:

$ cd git
$ git clone git@github.com:dinosec/iphone-dataprotection.git
Cloning into 'iphone-dataprotection'...
remote: Counting objects: 294, done.
remote: Total 294 (delta 0), reused 0 (delta 0), pack-reused 294
Receiving objects: 100% (294/294), 3.38 MiB | 5.22 MiB/s, done.
Resolving deltas: 100% (68/68), done.

Install dependencies

Next we’ll use virtualenv to isolate our Python dependencies (the scripts are Python 2.7 code):

$ cd iphone-dataprotection
$ python -m virtualenv --python=`which python2.7` env
Running virtualenv with interpreter /usr/bin/python2.7
New python executable in /Users/hiro/Downloads/iphone-dataprotection/env/bin/python
Installing setuptools, pip, wheel...done.

Then activate the virtualenv and install the tool’s dependencies:

$ source env/bin/activate
$ pip install pycrypto
$ pip install construct

Run backup_tool.py

Now we’re ready to try it out. The script takes a backup path and an optional output path:

$ python python_scripts/backup_tool.py
Usage: python_scripts/backup_tool.py <backup path> [output path]

So, to try it out on an iOS 10.3.3 encrypted backup, I ran the following:

$ python python_scripts/backup_tool.py ~/Library/Application\ Support/MobileSync/Backup/<UDID> /tmp
Device Name : iphone-me
Display Name : iphone-me
Last Backup Date : 2018-03-12 07:03:57
IMEI : NNNNNNNNNNNNNNN
Serial Number : FFAABBCCDDEE 
Product Type : iPhone7,2
Product Version : 10.3.3
iTunes Version : 12.7.3.46
Extract backup to /tmp ? (y/n)

The decrypted files were all extracted directly into /tmp/, so consider creating a dedicated directory for the output and passing that as the output path.
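Before pointing backup_tool.py at a backup, it is worth confirming that the folder really is an encrypted backup from an iOS 10+ device, since the tool needs the backup password and only the DinoSec fork handles the iOS 10 format. The following pre-flight script is an added example (not part of iphone-dataprotection or the DinoSec repo). It parses the two metadata plists that every backup folder carries unencrypted, Info.plist (the device fields backup_tool.py prints) and Manifest.plist (the IsEncrypted flag and backup format version). The plist contents embedded below are constructed samples modelled on the output shown above; pass a real backup directory as the first argument to read the actual files. Python 3 is assumed for this script, unlike the Python 2.7 tool itself.

```python
"""Pre-flight check for an iOS backup before running backup_tool.py.

Added example, not part of iphone-dataprotection: reads Info.plist and
Manifest.plist from a backup folder and reports device details, whether
the backup is encrypted (password required) and the backup format version.
"""
import os
import plistlib

# Constructed sample Info.plist, modelled on the fields backup_tool.py prints.
SAMPLE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Device Name</key><string>iphone-me</string>
  <key>Display Name</key><string>iphone-me</string>
  <key>Last Backup Date</key><date>2018-03-12T07:03:57Z</date>
  <key>IMEI</key><string>NNNNNNNNNNNNNNN</string>
  <key>Serial Number</key><string>FFAABBCCDDEE</string>
  <key>Product Type</key><string>iPhone7,2</string>
  <key>Product Version</key><string>10.3.3</string>
  <key>iTunes Version</key><string>12.7.3.46</string>
</dict>
</plist>
"""

# Constructed sample Manifest.plist for an encrypted backup. A real one also
# carries the BackupKeyBag blob; only the flag and version matter here.
SAMPLE_MANIFEST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>IsEncrypted</key><true/>
  <key>Version</key><string>10.0</string>
</dict>
</plist>
"""

DEVICE_FIELDS = [
    "Device Name", "Display Name", "Last Backup Date", "IMEI",
    "Serial Number", "Product Type", "Product Version", "iTunes Version",
]


def parse_backup_metadata(info_bytes, manifest_bytes):
    """Return a dict of device fields plus encryption/format information."""
    info = plistlib.loads(info_bytes)
    manifest = plistlib.loads(manifest_bytes)
    report = {name: info.get(name) for name in DEVICE_FIELDS}
    report["IsEncrypted"] = bool(manifest.get("IsEncrypted", False))
    report["Backup Format Version"] = manifest.get("Version")
    # "Product Version" is the iOS version string, e.g. "10.3.3".
    product_version = str(report.get("Product Version") or "0")
    report["iOS Major"] = int(product_version.split(".")[0])
    return report


def needs_backup_password(report):
    """True when the backup is encrypted, i.e. backup_tool.py will need the password."""
    return report["IsEncrypted"]


def format_report(report):
    """Render the report in the same 'Key : value' style backup_tool.py uses."""
    lines = []
    for name in DEVICE_FIELDS:
        value = report[name]
        if hasattr(value, "strftime"):  # plistlib returns <date> as datetime
            value = value.strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%s : %s" % (name, value))
    lines.append("Encrypted : %s" % ("yes" if report["IsEncrypted"] else "no"))
    lines.append("Backup Format Version : %s" % report["Backup Format Version"])
    return "\n".join(lines)


def preflight_backup_dir(backup_dir):
    """Read the real plists from a backup folder such as
    ~/Library/Application Support/MobileSync/Backup/<UDID>."""
    with open(os.path.join(backup_dir, "Info.plist"), "rb") as f:
        info_bytes = f.read()
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as f:
        manifest_bytes = f.read()
    return parse_backup_metadata(info_bytes, manifest_bytes)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        report = preflight_backup_dir(sys.argv[1])
    else:
        report = parse_backup_metadata(SAMPLE_INFO_PLIST, SAMPLE_MANIFEST_PLIST)
    print(format_report(report))
    if needs_backup_password(report):
        print("Backup is encrypted: have the backup password ready for backup_tool.py")
```

Run it with no arguments to see the constructed sample, or with the backup directory path to inspect a real backup. Because both plists are stored in the clear even for encrypted backups, this check needs no password and tells you, before any decryption attempt, whether you are dealing with an encrypted iOS 10+ backup that the DinoSec fork can handle.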