RSS
 

Reading iPhone Backups

31 Mar

When iPhone is connected to a computer for the first time, iTunes automatically creates a subfolder with device UDID as the folder name and takes a backup of everything available on the iPhone. UDID stands for unique device identifier which is unique for every iPhone and computed from iPhone hardware attributes like MAC, ECID, Bluetooth address, etc…  iTunes backup locations are shown in the Table-1. Once the subfolder is created, then each time the device is connected to the computer, iTunes will only updates the files in the existing subfolder. iTunes also provides a way for the users to store the device backup in a secure way by setting a backup password. When a user sets a backup password, all files in the backup gets encrypted.

iPhone backup path in windows & Mac OS x

iTunes backup everything on the device along with the device details like serial number, UDID, SIM hardware number and phone number. Backup folder contains a list of files which are not in a readable format as shown in the Figure 1. Filename consists of 40 digits alphanumeric hex value.

 

iPhone backups - before decryption

Most of these files are property list files and SQLite database files. Below listed free tools can be used to convert the gibberish backup files into a readable format as shown in Figure 2.

MAC OS X – iPhone Backup Extractor – http://supercrazyawesome.com/
Windows – iPhone Backup Browser – http://code.google.com/p/iphonebackupbrowser/

 Reading iPhone backups

Most of the files in the backup are encrypted with a key derived from the iPhone hardware key. To view content of these files we have to decrypt them. I am going to cover the decryption process in my next post.

Apple is changing the iTunes backup mechanism with every release of iOS. So it is always challenging to design tools to read the latest iOS backups.

[Update: 03-May-2012]
Instructions to decrypt the backup keychain are available at – Decrypting the iPhone Keychain from backups

 
4 Comments

Posted in iPhone

 

Tags: , , , ,

Leave a Reply

 

 
  1. Week 13 in Review – 2012 | Infosec Events

    April 2, 2012 at 4:29 pm

    [...] Reading iPhone Backups – securitylearn.wordpress.com [...]

     
  2. Scoopz Blog » How to hack Facebook, Dropbox, LinkedIn and other iOS apps using a plist extracted from iOS backups

    April 11, 2012 at 7:21 am

    [...] Thanks to  Gareth Wright for finding the plist vulnerabilities and Satish B for his guide outlining how to extract files from iTunes iOS backups. [...]

     
  3. Kelly

    April 15, 2013 at 11:23 pm

    I’m not sure when the last time the two linked programs were updated, so I’d also like to point out some more software to assist in reading iPhone backup data. Decipher Backup Browser (http://deciphertools.com) also translate the hashed (gibberish) backup file names into a readable structure, as well as translate some of the frequently-requested data (contacts, notes, voice memos) into a nicely viewable format.

    I hope this helps someone!

     
  4. AlinaAgnes

    March 5, 2014 at 9:12 am

    This iTunes data recovery software also works great. See here for more:
    download.cnet.com/MyJad-iTunes-Backup-Extractor/3000-2094_4-75925898.html