
Decrypting the iPhone keychain from backups

03 May

In an iTunes backup, the iPhone Keychain SQLite database is stored as a plist file. The Keychain file is stored in the iTunes backup folder under the file name 51a4616e576dd33cd2abadfea874eb8ff246bf0e.

Keychain data stored in the backup is encrypted using a hardware-generated key, key 0x835. As a result, renaming the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist and opening it in a plist editor works, but the editor does not display the data in it.

Steps to decrypt the backup Keychain (Mac OS X):
1. Go to the iTunes backup folder. The default location is ~/Library/Application Support/MobileSync/Backup/
2. Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.
3. Extract key 0x835 by following my previous blog post, Extracting AES keys from iPhone.
4. Download and install Mercurial. Researchers at Sogeti developed tools to decrypt the keychain files. Grab the tools by running the command below in the Mac OS X terminal.

hg clone https://code.google.com/p/iphone-dataprotection/

5. Install the Python dependencies.

sudo easy_install M2crypto construct progressbar setuptools
sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto

6. Navigate to the iphone-dataprotection folder and run keychain_tool.py, supplying the keychain-backup.plist path and the path to Manifest.plist in the backup folder. The backup path contains a space, so it is escaped here.

cd iphone-dataprotection
python python_scripts/keychain_tool.py ~/Library/Application\ Support/MobileSync/Backup/[UDID]/keychain-backup.plist ~/Library/Application\ Support/MobileSync/Backup/[UDID]/Manifest.plist

7. The script prompts for key 0x835. Enter the value obtained in step 3. keychain_tool.py then decrypts the backup keychain content and displays it on the terminal.


Steps to decrypt the backup Keychain (Windows 7):
1. Go to the iTunes backup folder. The default location is C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\
2. Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.
3. Extract key 0x835 by following my previous blog post, Extracting AES keys from iPhone.
4. Download and install Mercurial. Researchers at Sogeti developed tools to decrypt the keychain files. Grab the tools by running the command below from the Windows command prompt. It creates the iphone-dataprotection folder in the current directory.

hg clone https://code.google.com/p/iphone-dataprotection/

5. Download and install Python 2.6 in the C:\Python26 folder.
6. Add C:\Python26 to the system PATH environment variable.
7. Install OpenSSL for Windows.
8. Install the Python dependencies: setuptools, M2Crypto, pycrypto & pyqt.
9. Download progressbar-2.3.rar and extract it to c:\ drive. From command prompt navigate to c:\progressbar-2.3 and type the below command.

cd progressbar-2.3
python setup.py install

10. Download construct-2.06.rar and extract it to c:\ drive. From command prompt navigate to c:\construct-2.06 folder and type the below command.

cd construct-2.06
python setup.py install

11. From the command prompt, navigate to the iphone-dataprotection folder and run keychain_tool.py, supplying the keychain-backup.plist path and the path to Manifest.plist in the backup folder. The paths contain spaces, so they are quoted here.

cd iphone-dataprotection
python python_scripts/keychain_tool.py "C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[UDID]\keychain-backup.plist" "C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[UDID]\Manifest.plist"

* In the above command replace [user name] & [UDID] with appropriate values.

12. The script prompts for key 0x835. Enter the value obtained in step 3. keychain_tool.py then decrypts the backup keychain content and displays it on the command prompt.

Note: the keychain in an encrypted iTunes backup is stored encrypted with the iTunes backup password. So when decrypting the keychain from an encrypted iTunes backup, enter the backup password instead of key 0x835.
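Steps 1 and 2 and the note above can be scripted so that the keychain is copied out of the backup rather than renamed in place, and so that it is clear beforehand which secret the tool will ask for. This Python 3 code is an added example, not part of the original post or of the Sogeti tools; `stage_keychain` and `make_sample_backup` are hypothetical names, the sample backup is constructed, and the check assumes the `IsEncrypted` flag that iTunes writes to Manifest.plist.

```python
import hashlib
import plistlib
import shutil
import tempfile
from pathlib import Path

# Backup file name of the keychain, as given in the post.
KEYCHAIN_ID = "51a4616e576dd33cd2abadfea874eb8ff246bf0e"

def sha256_of(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()

def stage_keychain(backup_dir, work_dir):
    """Copy the keychain and Manifest.plist out of one backup ([UDID] folder)
    and report which secret keychain_tool.py will need."""
    backup_dir, work_dir = Path(backup_dir), Path(work_dir)
    src, manifest = backup_dir / KEYCHAIN_ID, backup_dir / "Manifest.plist"
    for required in (src, manifest):
        if not required.is_file():
            raise FileNotFoundError("missing from backup: %s" % required)
    with manifest.open("rb") as fp:
        encrypted = bool(plistlib.load(fp).get("IsEncrypted", False))
    work_dir.mkdir(parents=True, exist_ok=True)
    dst = work_dir / "keychain-backup.plist"
    shutil.copy2(src, dst)  # copy, so the backup itself is never modified
    shutil.copy2(manifest, work_dir / "Manifest.plist")
    if sha256_of(src) != sha256_of(dst):
        raise IOError("copy of keychain does not match the original")
    return {
        "keychain": dst,
        "manifest": work_dir / "Manifest.plist",
        "sha256": sha256_of(dst),
        "encrypted": encrypted,
        "secret": "iTunes backup password" if encrypted else "key 0x835",
    }

def make_sample_backup(root, encrypted):
    """Constructed stand-in for a [UDID] folder; not real backup data."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / KEYCHAIN_ID).write_bytes(b"constructed placeholder keychain")
    with (root / "Manifest.plist").open("wb") as fp:
        plistlib.dump({"IsEncrypted": encrypted}, fp)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup = make_sample_backup(Path(tmp) / "backup", encrypted=True)
        print(stage_keychain(backup, Path(tmp) / "work"))
```

The two staged paths in the returned dictionary are the arguments to pass to keychain_tool.py in the final step of either procedure.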

A more detailed video demonstration is available: iPhone forensics - Analysis of iOS 5 backups (video).