
iPhone Forensics – Analysis of iOS 5 backups : Part2

May 30

In the first part of this article, we discussed the techniques to read iTunes backups. This second part describes the procedure to extract the protection class keys from the Backup Keybag and covers the techniques and tools to decrypt the protected backup files and the encrypted backups.

The data protection mechanism introduced in iOS 4 protects sensitive data in files on the file system and items in the keychain by adding another layer of encryption. Data protection uses the user’s passcode key and the device-specific hardware encryption keys to generate a set of class keys that protect the designated data. Developers use the data protection API to add a protection class flag to files and keychain items. On the iPhone, the protection class keys are stored in the System Keybag. During a backup, iTunes generates a new set of protection class keys and stores them in the Backup Keybag; the class keys in the System Keybag are different from the keys in the Backup Keybag. Protected files and data in the backup are encrypted using the class keys stored in the Backup Keybag. In normal backups the Backup Keybag is protected with a key generated from the iPhone hardware (Key 0x835), and in encrypted backups it is protected with the iTunes password.

Data protection for files can be enabled by setting a value for the NSFileProtection attribute using the NSFileManager class setAttributes:ofItemAtPath:error: method. The protection classes available for files are listed in Table 1.

 

Table 1 (image): iPhone data protection for files

Data protection for keychain items can be enabled by setting a protection class value in the SecItemAdd or SecItemUpdate methods. Keychain class keys also define whether a keychain item can be migrated to another device or not. The protection classes available for keychain items are listed in Table 2.

 

Table 2 (image): iPhone keychain data protection

Jean Sigwald, a researcher at Sogeti ESEC labs, has released an open source forensic toolkit that can decrypt the protected backup files from both normal backups and encrypted backups. The details below outline their research and give an overview of how the tools are used.

Setup:

On Mac OS X, download & install the required python modules (pycrypto, M2crypto, construct and progressbar).

sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
sudo easy_install M2crypto construct progressbar

Download and install Mercurial (http://mercurial.selenic.com/) to check out the source code from the iphone-dataprotection Google code repository.

hg clone https://code.google.com/p/iphone-dataprotection/
cd iphone-dataprotection

Decrypting Normal backups:

In the case of normal backups, the data protection class keys stored in the Backup Keybag are protected by a hardware-generated key (Key 0x835). Key 0x835 is required to grab the protection class keys from the Backup Keybag, and the key can only be computed on the device. So decrypting the protected files in a normal backup is not possible without access to the actual device. In forensic investigations, less information can be recovered from a normal backup if physical access to the device is not available.

The steps below explain how to decrypt the protected files stored in a normal backup when physical access to the device is available. On the iPhone, Key 0x835 is computed by the IOAESAccelerator kernel service at iOS boot by encrypting the static value 01010101010101010101010101010101 with the UID. The UID is a hardware encryption key embedded in the AES engine of the iPhone application processor and is unique to each device. iOS running on the iPhone cannot read the hardware key (UID) directly, but it uses the key in kernel mode to compute Key 0x835; the UID is not accessible to user-land processes. This restriction can be bypassed by patching the IOAESAccelerator kernel service.

Steps to extract Key 0x835 from the iPhone:

1. Jailbreak your iPhone. If you don’t want to jailbreak the phone, follow the steps explained in the iPhone Forensics article.
2. On the iPhone, install OpenSSH from Cydia. OpenSSH allows connecting to the device over SSH.
3. On the Mac OS X workstation, download the device_infos, kernel_patcher and Cyberduck tools.
4. Connect the iPhone and the workstation to the same Wi-Fi network.
5. On OS X, run Cyberduck and connect to the iPhone by entering the iPhone IP address, root as the username and alpine as the password.
6. Copy the device_infos and kernel_patcher executables to the iPhone root directory.
7. Open a Mac terminal and SSH to the iPhone using the iPhone IP address, root as the username and alpine as the password.

ssh root@iPhone-IP
Password: alpine

8. In the SSH session, run the commands below to make kernel_patcher and device_infos executable.

chmod 777 kernel_patcher
chmod 777 device_infos

9. Patch the IOAESAccelerator kernel service so that the hardware encryption key (UID) can be used from a user-land process. The kernel_patcher script modifies the kernel and applies the required patches to IOAESAccelerator.

./kernel_patcher

* If the kernel is already patched, the script above displays a “kernel patching failed” message.

10. Run the device_infos script with key835 as a parameter. The script computes Key 0x835 and displays it on screen. If the key835 parameter is not supplied, the script computes all the encryption keys and stores them in a Plist file.

./device_infos key835

(Screenshot: extracting the encryption keys on the iPhone)

Once Key 0x835 is obtained, the Backup Keybag can be decrypted to obtain the data protection class keys. These class keys are then used to decrypt the protected files in the backup.

11. In the Mac OS X terminal, navigate to the iphone-dataprotection directory and run the backup_tool.py script, supplying the iTunes backup directory path.

python python_scripts/backup_tool.py "/Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]/" [output_path]

If output_path is not given, the script creates an [iPhone UDID]_extract directory in the backup folder and extracts the backup files into it.

In the backup, the iPhone keychain SQLite database is stored as a Plist file (keychain-backup.plist). The Plist contents are encrypted with the keychain data protection class keys, so the keychain items can only be viewed after decrypting the file with those class keys.

Run keychain_tool.py and supply Key 0x835. The script decrypts the Backup Keybag, grabs protection class keys 6 to 11 (listed in Table 2) and decrypts the keychain items.

python python_scripts/keychain_tool.py -d "/Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]_extract/keychain-backup.plist" "/Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]_extract/Manifest.plist"

The above script dumps the generic passwords, internet passwords, certificates and private keys from the keychain backup file.

Decrypting Encrypted backups:

In the case of encrypted backups, the migratable data protection class keys (6 to 8 in Table 2) stored in the Backup Keybag are protected by the iTunes password, and the ThisDeviceOnly class keys (9 to 11 in Table 2) are protected by Key 0x835 along with the iTunes password. Most of the data stored in an encrypted backup is migratable, as it is encrypted with the iTunes password and is not tied to a specific device. Files in the backup are encrypted with a unique per-file key using AES-256 in CBC mode. These encryption keys are stored in the Backup Keybag and protected by the iTunes password. The iTunes password is therefore required to decrypt the Backup Keybag, grab the protection class keys and decrypt the backup files; without it, decrypting the files in an encrypted backup is not possible. In forensic investigations, less information can be recovered from the backup if the iTunes password is not available. As iTunes does not impose any password strength rules on encrypted backups, it is easy to perform a brute force attack on the password. Encrypted backups add significant difficulty to data recovery, and recovery may be impossible when a complex password is in use.
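The Backup Keybag layout described above (and in the data protection overview at the start of the article) can be seen directly by parsing one: each class key record carries WRAP flags saying whether it is wrapped with the iTunes password key, with Key 0x835, or with both. The following is an added example, not code from the iphone-dataprotection project: it parses the keybag’s TLV records (4-byte ASCII tag, 4-byte big-endian length, value), reports which secret each class key needs, and derives the password key with PBKDF2-HMAC-SHA1 over the keybag’s SALT and ITER fields as the iOS 5-era tooling does. The keybag bytes are constructed here with dummy key material, and the AES key-unwrap of the wrapped class keys (WPKY) is not shown.

```python
import hashlib
import struct

BACKUP_KEYBAG = 1   # TYPE of a Backup Keybag (0 = system, 2 = escrow, 3 = OTA)
WRAP_DEVICE = 1     # class key wrapped with Key 0x835 (ThisDeviceOnly classes)
WRAP_PASSCODE = 2   # class key wrapped with the key derived from the iTunes password

def iter_tlv(blob):
    """Yield (tag, value) records: 4-byte ASCII tag, 4-byte big-endian length, value."""
    off = 0
    while off + 8 <= len(blob):
        tag, length = struct.unpack(">4sI", blob[off:off + 8])
        value = blob[off + 8:off + 8 + length]
        if len(value) != length:
            raise ValueError("truncated keybag record %r" % tag)
        yield tag.decode("ascii"), value
        off += 8 + length

def parse_backup_keybag(blob):
    """Return header fields plus kb["classes"][class_id] = {"UUID", "WRAP", "WPKY", ...}."""
    kb, records = {}, []
    for tag, value in iter_tlv(blob):
        if len(value) == 4:                  # 4-byte fields are big-endian integers
            value = struct.unpack(">I", value)[0]
        if tag == "UUID" and "UUID" in kb:   # each UUID after the first opens a class-key record
            records.append({"UUID": value})
        elif records and tag in ("CLAS", "WRAP", "KTYP", "WPKY"):
            records[-1][tag] = value
        else:
            kb[tag] = value                  # VERS, TYPE, UUID, HMCK, WRAP, SALT, ITER
    if kb.get("TYPE") != BACKUP_KEYBAG:
        raise ValueError("not a backup keybag (TYPE=%r)" % kb.get("TYPE"))
    kb["classes"] = {r["CLAS"]: r for r in records}
    return kb

def required_secrets(kb, class_id):  # which secrets unwrap this class key, from its WRAP flags
    wrap = kb["classes"][class_id]["WRAP"]
    names = ((WRAP_PASSCODE, "itunes-password"), (WRAP_DEVICE, "key835"))
    return [name for flag, name in names if wrap & flag]

def passcode_key(kb, password):
    """PBKDF2-HMAC-SHA1 over SALT/ITER gives the 32-byte key that AES-unwraps WRAP_PASSCODE class keys."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), kb["SALT"], kb["ITER"], 32)

def tlv(tag, value):  # encode one record; ints are written as 4-byte big-endian values
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value

def build_sample_keybag():
    """Constructed encrypted-backup-style keybag: classes 6-8 password-only, 9-11 password + 0x835."""
    blob = tlv("VERS", 3) + tlv("TYPE", BACKUP_KEYBAG) + tlv("UUID", b"\x00" * 16)
    blob += tlv("HMCK", b"\x00" * 40) + tlv("SALT", b"\x11" * 20) + tlv("ITER", 10000)
    for cls in range(6, 12):
        wrap = WRAP_PASSCODE if cls <= 8 else WRAP_PASSCODE | WRAP_DEVICE
        blob += tlv("UUID", bytes([cls]) * 16) + tlv("CLAS", cls) + tlv("WRAP", wrap)
        blob += tlv("KTYP", 0) + tlv("WPKY", b"\x22" * 40)   # 40 bytes = AES-wrapped 32-byte key
    return blob
```

On a real backup the same parser is fed the BackupKeyBag data from Manifest.plist; a keybag whose TYPE is not 1 is rejected the way the original tool reports “not a backup keybag”.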

During the backup, iTunes stores the encrypted backup password in the iPhone keychain. So if the backup password is unknown but physical access to the device is available, the backup password can be retrieved by viewing the iPhone keychain items. On a jailbroken iPhone, all the keychain items can be viewed using the keychain_dumper tool.

Tools like iPhone Backup Extractor and iPhone Backup Browser do not work on encrypted backups. They can only read and parse the Manifest.mbdb file and prepare a file structure; the files themselves cannot be opened, as their content is encrypted.

The steps below explain how to decrypt the files stored in an encrypted backup when the iTunes password is known.

Run backup_tool.py and supply the iTunes password to it. If the password is unknown, the backup_tool.py script can be modified to attach a brute force script to it. The backup_tool.py script takes the user-entered password, decrypts the Backup Keybag, grabs all the encryption keys and decrypts the files in the backup.

python python_scripts/backup_tool.py "/Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]/" [output_path]

If output_path is not given, the script creates an [iPhone UDID]_extract directory in the backup folder and extracts the backup files into it.

In the encrypted backup, the iPhone keychain SQLite database is stored as a Plist file (keychain-backup.plist). The Plist contents are encrypted with the migratable and ThisDeviceOnly keychain data protection class keys.

To view the migratable keychain items, run keychain_tool.py and supply the iTunes password.
To view the ThisDeviceOnly keychain items, run keychain_tool.py and supply Key 0x835.

python python_scripts/keychain_tool.py -d "/Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]_extract/keychain-backup.plist" "/Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]_extract/Manifest.plist"

The above script dumps the generic passwords, internet passwords, certificates and private keys from the keychain backup file.

During an iPhone backup, iTunes only stores the files that currently exist on the device. So files deleted on the iPhone cannot be recovered from backups.

Conclusion:

The techniques illustrated in this article show that forensic investigation is possible on the latest version of iPhone backups. However, less information can be recovered from the backup alone without physical access to the device. Apple also changes the backup mechanism with every major release of iTunes, so designing scripts to decrypt iTunes backups is always challenging.

References:

  1. iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald
     http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
  2. iPhone data protection tools
     http://code.google.com/p/iphone-dataprotection/
  3. iPhone wiki
     http://theiphonewiki.com

Part 3 of this article will demonstrate the techniques in a video.

I wrote this article for InfoSec Institute. Take a look at the web application security course offered by InfoSec Institute.

 

Posted on May 30, 2012 in iPhone



19 responses to “iPhone Forensics – Analysis of iOS 5 backups : Part2”

  1. Jan

    June 22, 2012 at 3:50 pm

    Hi,
    when decrypting the iTunes password encrypted backup, I get the following error:

    Enter backup password :
    123456
    WARNING: File 0309c543d9e9ce5b05a12250c37e55b62e405e19 (Library/Preferences/com.apple.PeoplePicker.plist) has not been found
    Traceback (most recent call last):
    File “./python_scripts/backup_tool.py”, line 78, in
    main()
    File “./python_scripts/backup_tool.py”, line 75, in main
    extract_backup(backup_path, output_path)
    File “./python_scripts/backup_tool.py”, line 46, in extract_backup
    mbdb.extract_backup(output_path)
    File “/Users/jan/Documents/iOSTools/iphone-dataprotection/python_scripts/backups/backup4.py”, line 127, in extract_backup
    self.extract_file(filename, record, output_path)
    File “/Users/jan/Documents/iOSTools/iphone-dataprotection/python_scripts/backups/backup4.py”, line 136, in extract_file
    file_data = self.read_file(filename, record)
    File “/Users/jan/Documents/iOSTools/iphone-dataprotection/python_scripts/backups/backup4.py”, line 159, in read_file
    c = AES.new(key, AES.MODE_CBC)
    File “build/bdist.macosx-10.7-intel/egg/Crypto/Cipher/AES.py”, line 95, in new
    File “build/bdist.macosx-10.7-intel/egg/Crypto/Cipher/AES.py”, line 59, in __init__
    File “build/bdist.macosx-10.7-intel/egg/Crypto/Cipher/blockalgo.py”, line 141, in __init__
    ValueError: IV must be 16 bytes long

    In the “_extract” directory, I am missing the keychain-backup.plist file.

    Any ideas?
    regards,
    Jan

     
    • Kelly

      December 22, 2012 at 2:53 am

      I got this same error also. It comes from this line in backup4.py:

      c = AES.new(key, AES.MODE_CBC)

      I read in some forums about the error that pycrypto used to put in an all 0 bytestring if you left off the IV argument to the constructor, so I tried:

      c = AES.new(key, AES.MODE_CBC, b'0000000000000000')

      The program ran then, but all of the decrypted files are garbage. I will trudge on, but guidance would be appreciated if anyone knows the error!

       
      • satishb3

        December 22, 2012 at 6:25 am

        Which version of iOS?

         
        • treats

          July 31, 2015 at 6:48 pm

          All I want to do is backup pictures from text messages… I’m in deep.

          I’m getting the same thing as Jan. Initial error is “ValueError: IV must be 16 bytes long”

          I haven’t found a workaround, but the ‘fix’ that Kelly suggests does move the script further, but the script still fails and the files that have been decrypted are corrupt and not readable…

          I think I’m at a dead end considering my iOS version is 8.2.

           
  2. Jan

    June 22, 2012 at 4:16 pm

    If I try to use an unencrypted backup I get the keychain-backup.plist but cannot decrypt it:

    ./python_scripts/keychain_tool.py /Users/jan/Library/Application Support/MobileSync/Backup/[UUID]_extract/keychain-backup.plist /Users/jac/Library/Application Support/MobileSync/Backup/[UUID]_extract/Manifest.plist
    from: can’t read /var/mail/optparse
    from: can’t read /var/mail/keystore.keybag
    from: can’t read /var/mail/keychain
    from: can’t read /var/mail/keychain.managedconfiguration
    from: can’t read /var/mail/util
    from: can’t read /var/mail/keychain.keychain4

    What did I miss?

     
  3. Jan

    June 22, 2012 at 4:25 pm

    ... sorry, I was running keychain_tool.py as a bash script (“./keychain_tool.py”) instead of “python keychain_tool.py” 🙂

     
  4. Aferman

    August 26, 2012 at 2:57 am

    Has anyone managed to recover a corrupt encrypted iPhone backup using Python on Windows? If so, could you provide some guidance?

     
  5. Jose Corbacho

    November 17, 2012 at 6:40 pm

    Hi,

    I have been trying to execute backup_tool.py with an iTunes backup of an iPad 2 running iOS 6.0.1, but it does not work.

    This is the output with a non-encrypted backup:
    Device Name : IPad Jose Corbacho
    Display Name : IPad Jose Corbacho
    Last Backup Date : 2012-11-17 08:31:20
    IMEI : missing
    Serial Number : DYTHGJHDDJ8T
    Product Type : iPad3,1
    Product Version : 6.0.1
    iTunes Version : 10.7
    Extract backup to /Users/User/ios_forensics/backup_itunes_hardware_key_password_extract ? (y/n)
    y
    Backup is not encrypted
    FAIL: keybag type > 3 : 1073741825
    unlockBackupKeybagWithPasscode: not a backup keybag
    Cannot decrypt backup keybag. Wrong password ?

    This is the output with an encrypted backup:

    Device Name : IPad Jose Corbacho
    Display Name : IPad Jose Corbacho
    Last Backup Date : 2012-09-10 14:05:54
    IMEI : missing
    Serial Number : DYTHGJHDDJ8T
    Product Type : iPad3,1
    Product Version : 5.1.1
    iTunes Version : 10.6.3
    Extract backup to /Users/User/ios_forensics/backup_itunes_user_password_extract ? (y/n)
    y
    Backup is encrypted
    Enter backup password :
    my_itunes_password_for_backups
    FAIL: keybag type > 3 : 1073741825
    unlockBackupKeybagWithPasscode: not a backup keybag
    Cannot decrypt backup keybag. Wrong password ?

    Do you know if backup_tool.py works with iOS 6.0.1?
    Thanks,
    Jose Corbacho

     
    • satishb3

      November 18, 2012 at 8:47 pm

      It is not working with 6.0.1 backups.

       
  6. Geoff

    March 12, 2013 at 6:36 pm

    If your backup is corrupt / incomplete, there is no Manifest file, but there are a large number of encrypted files, and you still have a functioning iPhone, is it possible to decrypt individual files in a backup folder and carry out a manual data recovery?

    Thanks

     
    • satishb3

      March 13, 2013 at 6:16 am

      No, it is not possible to decrypt individual files. All encryption keys are stored in the Manifest file, so if the Manifest is missing there is no way to decrypt the other files.

       
      • Geoff

        March 14, 2013 at 3:12 pm

        OK – that’s bad news. Are the encryption keys stored in the Keybag in the Manifest file randomly seeded / selected for each backup – there’s no chance that the same sequence of keys is generated for each backup for a given device?

        Thanks

         
        • satishb3

          March 14, 2013 at 5:33 pm

          They are unique for each backup.

           
  7. Jef

    August 5, 2014 at 2:54 am

    Hi,
    I have forgotten my iTunes password and I would like to decrypt my backup. I’m on iTunes 11.2.2, my iPhone is the 4S on iOS 7.1.2.
    Is it possible? If it is, what do I have to do?
    I have tried
    python python_scripts/backup_tool.py /Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]/ [output_path]
    but I get the error
    /Users/j-e/Downloads/iphone-dataprotection-83b5dc3ae9a5/python_scripts/crypto/PBKDF2.py:85: DeprecationWarning: the sha module is deprecated; use the hashlib module instead
    import sha as SHA1
    Traceback (most recent call last):
    File “python_scripts/backup_tool.py”, line 2, in
    from backups.backup3 import decrypt_backup3
    File “/Users/j-e/Downloads/iphone-dataprotection-83b5dc3ae9a5/python_scripts/backups/backup3.py”, line 2, in
    from crypto.aes import AESdecryptCBC
    File “/Users/j-e/Downloads/iphone-dataprotection-83b5dc3ae9a5/python_scripts/crypto/aes.py”, line 1, in
    from Crypto.Cipher import AES
    ImportError: No module named Crypto.Cipher

    Thanks
    I apologise, I’m French and I don’t understand exactly what I have to do.

     
    • satishb3

      August 5, 2014 at 7:15 pm

      Seems the pycrypto Python module is not installed on your machine.

      If you forgot your password, the only way to decrypt the backup is by brute-forcing the password.
      The other way is: the backup password is stored on the iPhone. You can jailbreak the phone and use keychain_dumper – http://www.securitylearn.net/2012/03/27/keychain-dumper-usage-explained/

       
      • Jef

        August 5, 2014 at 10:51 pm

        Thanks for the answer.
        I’ve installed pycrypto now.
        So I have to brute-force the password because my iPhone is in the Atlantic Ocean :(. How can I do the brute-forcing? Is there a script to do it?

         
        • satishb3

          August 5, 2014 at 11:17 pm

          Elcomsoft Password Breaker is the only option (it’s a paid tool). It is pretty fast and can use the GPU to crack the password.

           
