SecurityLearn

When iPhone is connected to a computer for the first time, iTunes automatically creates a subfolder with device UDID as the folder name and takes a backup of everything available on the iPhone. UDID stands for unique device identifier which is unique for every iPhone and computed from iPhone hardware attributes like MAC, ECID, Bluetooth address, etc…  iTunes backup locations are shown in the Table-1. Once the subfolder is created, then each time the device is connected to the computer, iTunes will only updates the files in the existing subfolder. iTunes also provides a way for the users to store the device backup in a secure way by setting a backup password. When a user sets a backup password, all files in the backup gets encrypted.

iTunes backup everything on the device along with the device details like serial number, UDID, SIM hardware number and phone number. Backup folder contains a list of files which are not in a readable format as shown in the Figure 1. Filename consists of 40 digits alphanumeric hex value.

Most of these files are property list files and SQLite database files. Below listed free tools can be used to convert the gibberish backup files into a readable format as shown in Figure 2.

MAC OS X – iPhone Backup Extractor – http://supercrazyawesome.com/
Windows – iPhone Backup Browser – http://code.google.com/p/iphonebackupbrowser/

Most of the files in the backup are encrypted with a key derived from the iPhone hardware key. To view content of these files we have to decrypt them. I am going to cover the decryption process in my next post.

Apple is changing the iTunes backup mechanism with every release of iOS. So it is always challenging to design tools to read the latest iOS backups.

[Update: 03-May-2012]
Instructions to decrypt the backup keychain are available at – Decrypting the iPhone Keychain from backups