Part 1: This video covers a detailed analysis of iOS backups, which helps during iPhone forensics. It focuses on iPhone backups and explains the technical procedure for extracting data from the backup files. Forensic techniques on iTunes backups are useful in cases where we get physical access to the suspect's computer instead of the iPhone. With iOS 5, iPhone data can be backed up to a computer with iTunes or to cloud storage with iCloud. The video provides a deep analysis of iTunes backups.

For the video I am using a Mac OS X VM running on a Windows 7 host. Demos are captured on iTunes 10.6. Connect the iPhone to the Mac VM using a USB cable and open iTunes. It will display the connected iPhone in the left frame. When the iPhone is synced with iTunes, iTunes copies all the iPhone contents to a folder. The path to this folder is found by navigating to Users, then your user, then the Library directory. The Library directory is protected and cannot be opened by double clicking on it. To open it, press Ctrl+Shift+G, type the Application Support path (/users/user/Library/Application Support/) and press Enter. This takes you inside the Library folder. Now you can navigate to the MobileSync folder to open the Backup folder. The folder is currently empty because we haven't performed any backup yet. To initiate a backup from iTunes, right click on the device and select Back Up. iTunes displays the backup status at the top of the toolbar. Backup time depends on the amount of information stored on the device; 16 GB of data will take at least 10 minutes to back up. Once the backup is complete, iTunes creates a folder in the Backup directory named with the device's Unique Device Identifier (UDID). An iTunes backup makes a copy of everything on the device: contacts, photos, configuration files, keychain, cookies, application data and so on. It also backs up device details such as the serial number, SIM number and phone number.
The Backup folder contains a list of files in an unreadable format. It consists of uniquely named files, each named with a 40-character hexadecimal value and no file extension. The whole backup is maintained by 4 meta files, and we will look inside each of them.

Status.plist is a property list file that contains details about the backup. It includes the backup state and a flag that identifies a full backup (IsFullBackup). On the initial sync of an iPhone, iTunes performs a full backup; from then on it only backs up the files that were modified on the device.

Info.plist is a property list file that contains device details such as the device name, build version, IMEI, phone number, last backup date, product version, product type, serial number, sync settings and a list of the application names installed on the device.

Manifest.plist is a property list file that contains the Backup Keybag, which stores all the backup encryption keys, a flag to identify passcode-protected devices (WasPasscodeSet), a flag to identify an encrypted backup (IsEncrypted), and application bundle details.

Manifest.mbdb is a binary file that contains information about all the other files in the backup, along with their sizes and the file system structure. The binary file can be viewed using a hex editor. For a better look and feel I have opened the same mbdb file using a hex editor on a Windows machine. The first 6 bytes of the file act as a magic number that identifies an mbdb file; the rest of the file contains the information about the backup files. For example, search for the word "keychain" to find the entry for the backed-up keychain. In the iTunes backup, the iPhone keychain database is stored as a property list file under the KeychainDomain domain. On the iPhone, the domain name is decided by the content of the file. The 40-character hex file name in the backup folder is derived from the SHA1 hash of the file path appended to its domain name with a hyphen.
I am using an online hash calculator to show how iTunes creates the file names. For example, to locate the iPhone keychain among the backup files, compute the SHA1 hash of KeychainDomain-keychain-backup.plist. Here KeychainDomain is the domain name and keychain-backup.plist is the file name. The SHA1 hash of KeychainDomain-keychain-backup.plist is 51a46... Now you can search the backup folder for that hash value; the matching file contains the keychain data. To see what type of file it is, open it with a hex editor: the first few bytes indicate that it is a plist file. To view the contents, add a .plist extension to the file; it can then be opened with a plist editor. You will notice that the plist displays table names such as genp and inet and a number of keychain items, but the keychain items are encrypted, so we cannot see the actual values inside the keychain. During the backup, iTunes encrypts the keychain items with a key computed by the iPhone hardware. In the next part of the video we will see how to decrypt the keychain contents.

Let us see another example of how a backup file name is calculated for a third party application like Skype. On the iPhone, data stored by third party applications is categorized under AppDomain. To find the Skype property list file in the backup, prefix the Skype property list file path with its AppDomain and compute the SHA1 hash of the result. The SHA1 hash value for the Skype plist is bc0e... Now search the backup folder for that hash value. Once the file is identified, drag it into a hex editor to find out the file type; the first few bytes indicate that it is a property list file. To view the contents, add a .plist extension and open the file with a plist editor (Xcode comes with a default plist editor). The Skype property list file displays its actual content because it is not encrypted.
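The two pieces of Part 1 above (the Manifest.mbdb record layout and the SHA1("<domain>-<path>") naming rule) can be exercised together. The following is an added example, not code from the video or from the iphone-dataprotection project: it parses an mbdb record stream, derives each record's 40-character backup file name, and maps a name back to its original domain and path. The record layout is the well-known mbdb format; the sample records, the inode/uid/timestamp values and the com.example.app bundle identifier are constructed for the demo.

```python
# Added example (not from the video or the iphone-dataprotection project):
# parse a Manifest.mbdb record stream and derive backup file names the way
# iTunes does, i.e. SHA1("<domain>-<path>") rendered as 40 hex characters.
# Sample records and the com.example.app bundle id are constructed for the demo.
import hashlib
import struct

MBDB_MAGIC = b"mbdb\x05\x00"  # 6-byte magic at the start of Manifest.mbdb
# Fixed-size tail of every record, big-endian:
# mode(u16) inode(u64) uid(u32) gid(u32) mtime/atime/ctime(u32 each)
# length(u64) flag(u8) numprops(u8)
_FIXED = ">HQIIIIIQBB"
_FIXED_LEN = struct.calcsize(_FIXED)  # 40 bytes


def backup_file_name(domain, path):
    """Backup file name = SHA1 of '<domain>-<path>' (the rule shown in the video)."""
    return hashlib.sha1((domain + "-" + path).encode("utf-8")).hexdigest()


def _get_string(data, offset):
    """Read a 2-byte big-endian length-prefixed string; 0xFFFF means absent."""
    (length,) = struct.unpack(">H", data[offset:offset + 2])
    offset += 2
    if length == 0xFFFF:
        return None, offset
    return data[offset:offset + length].decode("utf-8", "replace"), offset + length


def parse_mbdb(data):
    """Return a list of record dicts, each tagged with its derived backup name."""
    if data[:len(MBDB_MAGIC)] != MBDB_MAGIC:
        raise ValueError("not a Manifest.mbdb file (bad magic)")
    offset, records = len(MBDB_MAGIC), []
    while offset < len(data):
        rec = {}
        for field in ("domain", "path", "link_target", "data_hash", "enc_key"):
            rec[field], offset = _get_string(data, offset)
        (rec["mode"], rec["inode"], rec["uid"], rec["gid"], rec["mtime"],
         rec["atime"], rec["ctime"], rec["length"], rec["flag"],
         numprops) = struct.unpack(_FIXED, data[offset:offset + _FIXED_LEN])
        offset += _FIXED_LEN
        rec["properties"] = {}
        for _ in range(numprops):
            name, offset = _get_string(data, offset)
            value, offset = _get_string(data, offset)
            rec["properties"][name] = value
        # Every record gets the derived name; only regular files actually have
        # a data file of that name in the backup folder.
        rec["backup_name"] = backup_file_name(rec["domain"], rec["path"])
        records.append(rec)
    return records


def resolve(records, backup_name):
    """Map a 40-hex-character backup file name back to (domain, path)."""
    for rec in records:
        if rec["backup_name"] == backup_name:
            return rec["domain"], rec["path"]
    return None


# --- constructed sample Manifest.mbdb with two records ----------------------
def _put_string(s):
    if s is None:
        return b"\xff\xff"
    raw = s.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _record(domain, path, length, props=None):
    props = props or {}
    body = _put_string(domain) + _put_string(path) + _put_string(None) * 3
    body += struct.pack(_FIXED, 0o100644, 0x1234, 501, 501,
                        1333000000, 1333000000, 1333000000, length, 0, len(props))
    for name, value in props.items():
        body += _put_string(name) + _put_string(value)
    return body


SAMPLE_MBDB = (MBDB_MAGIC
               + _record("KeychainDomain", "keychain-backup.plist", 2048)
               + _record("AppDomain-com.example.app",  # hypothetical bundle id
                         "Library/Preferences/com.example.app.plist", 512,
                         {"com.apple.MobileBackup.hash": "x"}))

if __name__ == "__main__":
    for rec in parse_mbdb(SAMPLE_MBDB):
        print(rec["backup_name"], rec["domain"], rec["path"], rec["length"])
```

Running the block prints the keychain record's name starting with 51a46, the same prefix the online hash calculator gives in the video; `resolve()` is the reverse lookup an extractor performs when it rebuilds the original file structure from the flat backup folder.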
This shows that not all the files in the backup are encrypted. Instead of computing the hash values and reading each and every file ourselves, we can use free tools like iPhone Backup Extractor to read the backups. Before reading the backups, remove the .plist extension that we added to the keychain and Skype files in the backup. The Read Backups button in Backup Extractor lists all the available backups in the backup folder. Choose a backup, and the tool reads the Info.plist meta file and lists all the application identifiers. To extract the application files from the backup, select all the values in the list; here I am going to extract only the iOS files. Once you select the values, the tool prompts for a folder in which to store the extracted files. Specify the extraction path; the tool parses the information stored in the mbdb file and recreates the file structure. It converts the unreadable backup files into a readable form and stores them in the supplied directory.

The extracted backup contains several plist files, the keychain, photos and SQLite database files. Plist files can be opened with a plist editor. The SQLite database files stored in the extracted backup can be viewed with an SQLite client. To view the calendar SQLite database, open Terminal and pass the calendar database path to the sqlite3 command. The .tables command lists the tables. As the file is not encrypted, you can view the values stored in the tables with a SELECT statement. Most of the property list files and SQLite database files stored in the backup are not encrypted.

Now we will take a look at keychain-backup.plist. Opening the plist file displays the table structure, but the keychain items are displayed encrypted. Jean Sigwald, a researcher at Sogeti ESEC Labs, has released an open source forensic toolkit that can be used to decrypt the backup keychain file. You can find their research in the Google Code project named iphone-dataprotection.
The forensic toolkit is developed in Python and requires the installation of a few Python modules. Download and install the pycrypto, M2Crypto, construct and progressbar Python modules by following the README file. It will take a couple of minutes to install the modules. Download the Mercurial software to check out the source code from the Google repository. I am going to cancel the download because I have already installed it. Now you can check out the source code using the hg command. After running this command, it creates a new directory called iphone-dataprotection in the current directory. You will notice that it has downloaded around 121 files. Navigate to the iphone-dataprotection folder; it lists all the downloaded files. Most of them are Python scripts and shell scripts.

We are going to use the backup_tool Python script, which is similar to iPhone Backup Extractor. The script reads the backup and stores the extracted backup files in the output directory. If no output path is given, it creates a new folder inside the iTunes backup folder. I did not mention the output path here, so it created the <device UDID>_extract folder in the iTunes backup directory. You will notice that the script has extracted all the files from the backup, but the keychain backup file is still encrypted. The keychain items are encrypted with the keychain data protection class keys, which are stored in the Backup Keybag. The Backup Keybag is protected by an encryption key computed on the iPhone hardware. So in order to obtain the protection class keys, first we have to obtain key 835, which is computed from the iPhone hardware key. The iPhone hardware key is not accessible to user-land processes. This restriction can be bypassed by patching a kernel service. Jean Sigwald wrote the code to patch the kernel and read the encryption keys from the device. I have compiled the code and prepared executable files which can be used directly on the device.
I made them available for download on my 4shared account; links to the downloads are available in my blog. To load the executables onto the device, jailbreak the iPhone and install OpenSSH from Cydia. Connect the iPhone and the workstation to the same Wi-Fi network. On OS X, run Cyberduck and connect to the iPhone by typing the iPhone's IP address, root as the username and alpine as the password. Drag the downloaded kernel_patcher and device_infos executables into Cyberduck; it copies the files from the workstation to the iPhone. Now, from Terminal, connect to the phone as root over SSH. Grant execute permission to the uploaded files using the chmod command. Run kernel_patcher; it patches the IOAESAccelerator kernel service and gives access to the hardware key. The kernel_patcher executable works only for iOS 5 devices. Now run device_infos; it computes all the encryption keys and stores them in a property list file. View the property list file using the plutil command and note down the key 835 value. Key 835 is used to decrypt the Backup Keybag and extract the data protection class keys.

To decrypt the backup keychain file, run the keychain_tool Python script, supplying the keychain backup plist and the backup Manifest file. The script prompts you to enter the key 835 value. Upon entering the right key, it decrypts the keychain and displays the decrypted keychain values on the screen. I am not showing the passwords here because it would reveal all my passwords. The keychain_tool script also comes with several other flags with which you can store the output in CSV files.

The method of managing the backups has changed with every major release of iTunes; however, the method of converting path names to file names remains the same. On the iPhone, key 0x835 is computed by the IOAESAccelerator kernel service at iOS boot by encrypting a static value with a hardware encryption key embedded in the iPhone application processor, and it is unique for each device.
iOS running on the iPhone cannot read the hardware key, but it uses the key to compute key 0x835 in kernel mode. The hardware key is not accessible to user-land processes.

Part 2: This part of the video covers the complete analysis of encrypted iOS 5 backups. Connect the iPhone to the Mac VM using a USB cable and open iTunes. In the iTunes Summary tab, check the "Encrypt local backup" option. iTunes immediately prompts the user to enter a password. iTunes does not impose any password rules here, so short passwords can be used too. Encrypted backups are designed for data migration between different iOS devices. Data migration is achieved by encrypting the backup with the password supplied to iTunes instead of the key generated on the iPhone hardware. Once the backup process is complete, iTunes creates a folder in the Backup directory located in the MobileSync folder. Press Ctrl+Shift+G, type the Application Support path (/users/user/Library/Application Support/) and press Enter; this takes you inside the Library folder. Now navigate to the MobileSync folder to open the Backup folder. The Backup folder contains a list of files in an unreadable format: uniquely named files with a 40-character hexadecimal name and no file extension. Every file in the backup is encrypted with a unique file key, and the file keys are stored in the Backup Keybag. Encrypted backups are managed by the same 4 meta files, and the meta files are not encrypted. The Manifest.plist file contains a flag that indicates whether the backup is encrypted; in this case, it shows the IsEncrypted flag as Yes, which indicates the backup is encrypted. Now we will take a look at the files stored in the backup. For a better understanding I am going to view the Skype property list file in the backup. In order to locate the Skype plist file in the backup, first we have to compute its SHA1 value. This is computed by prefixing the Skype property list file path with its AppDomain.
Once the hash value is computed, search the backup folder for that file. In the first part of the video we identified that this file is a plist file using a hex editor, so I am adding a .plist extension to the file to open it with a plist editor. Double click on the file and you will notice a "file is corrupted" message. The file is not really corrupted; it is encrypted, so the OS cannot read the file headers and reports it as corrupted. Tools like iPhone Backup Extractor can still be used to read encrypted backups, but the tool can only read the file names, not the contents. Before reading the backup, remove the .plist extension that we added to the Skype property list file. The Read Backups button in Backup Extractor lists all the available backups in the backup folder. Choose a backup; the tool reads the unencrypted meta files and lists all the application identifiers. Here I am going to extract only the iOS files. Once you select the values, the tool prompts for a folder in which to store the extracted files. I am creating a new folder named enc-backupextract and extracting the encrypted backup into it. The tool parses the information stored in the mbdb file and recreates the file structure. It converts the unreadable backup files into a readable layout and stores them in the supplied directory. The extracted backup contains several plist files, the keychain, photos and SQLite database files. When we try to open a file, it displays the "file is corrupted" message because the file is encrypted. The keychain backup file is also encrypted.

Jean Sigwald has released an open source forensic toolkit that can be used to decrypt encrypted iOS backup files; watch the first part of the video to download the toolkit. We are going to use the backup_tool Python script, which is similar to iPhone Backup Extractor but also supports encrypted iTunes backups. The script reads the backup and stores the extracted backup files in the output directory.
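The "file is corrupted" message above is worth checking programmatically before concluding anything about a backup: a file from an unencrypted backup starts with a header the hex editor recognises (binary or XML plist, SQLite), while a file from an encrypted backup has no header and looks like random bytes. The following is an added example, not code from the video or from Backup Extractor: it classifies a file by its leading bytes and, when no header matches, uses byte entropy to distinguish "likely encrypted" from merely unknown. The sample byte strings are constructed for the demo; no real backup is read.

```python
# Added example (not from the video or Backup Extractor): tell an encrypted
# backup file apart from a genuinely corrupt one. Sample data is constructed.
import hashlib
import math

# (header bytes, label): the headers the video identifies with a hex editor
SIGNATURES = [
    (b"bplist00", "binary plist"),
    (b"<?xml", "XML plist"),
    (b"SQLite format 3\x00", "sqlite database"),
    (b"\xff\xd8\xff", "jpeg image"),
]
HIGH_ENTROPY = 7.5  # bits per byte; ciphertext sits close to the 8.0 maximum


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data):
    """Return (kind, entropy): a header label, 'likely encrypted' for
    high-entropy data with no known header, or 'unknown' otherwise."""
    ent = shannon_entropy(data)
    for magic, label in SIGNATURES:
        if data.startswith(magic):
            return label, ent
    if ent >= HIGH_ENTROPY:
        return "likely encrypted", ent
    return "unknown", ent


def _pseudo_random(n, seed=b"constructed"):
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the demo is
    reproducible offline; real encrypted backup files look statistically alike."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out.extend(block)
    return bytes(out[:n])


# Constructed samples: a binary plist header, an SQLite header, and
# "ciphertext" such as a file from an encrypted backup would present.
SAMPLE_PLIST = b"bplist00" + b"\x00" * 56
SAMPLE_SQLITE = b"SQLite format 3\x00" + b"\x00" * 84
SAMPLE_ENCRYPTED = _pseudo_random(4096)

if __name__ == "__main__":
    for name, blob in (("plist", SAMPLE_PLIST), ("sqlite", SAMPLE_SQLITE),
                       ("encrypted", SAMPLE_ENCRYPTED)):
        kind, ent = classify(blob)
        print(f"{name:10s} -> {kind:18s} entropy={ent:.2f}")
```

On a real backup folder you would read the first few kilobytes of each 40-character file and run `classify()` over it; a folder where every non-meta file comes back "likely encrypted" confirms what the IsEncrypted flag in Manifest.plist says, without renaming files or relying on Finder's error message.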
If no output directory path is given, it creates a new folder inside the iTunes backup folder. The script prompts the user to enter the iTunes password. If the password is unknown, we can write a brute-force script and attach it here. Once the correct backup password is supplied, the script extracts and decrypts all the files in the encrypted backup and stores them in the output path. I've specified the output directory as backupextract. From Finder, navigate to the backupextract folder, which is located in the user directory. Here you can see all the extracted files. Now if we click on a plist file, it opens in a plist editor. The keychain file is also decrypted, but the keychain items are still encrypted with the data protection class keys. The keychain data protection class keys stored in the Backup Keybag are protected by the password used for backup encryption. In order to decrypt the keychain items, first we have to read the data protection class keys. This can be done with the help of the keychain_tool Python script. Run keychain_tool by supplying the keychain backup plist and the backup Manifest file. The script prompts you to enter the key 835 value. Keychain data protection class keys are classified into migratable and "this device only" keys. Key 835 is computed on the iPhone hardware and is required to decrypt the keychain items tied to the device with the "this device only" protection classes. Here I am going to decrypt only the migratable keychain items, so I am not supplying key 835. The Backup Keybag is already decrypted after running the backup_tool script, so keychain_tool automatically reads the migratable protection class keys from the Keybag and displays the decrypted keychain items on the screen. I am not showing the passwords here because it would reveal all my own passwords. The keychain_tool script also comes with several other flags with which you can store the output in CSV files.
The techniques illustrated in the article show that forensic investigation is possible on the latest version of iPhone backups. However, the information recoverable from the backup alone, without physical access to the device, is limited. Apple is also changing the backup mechanism with every major release of iTunes, so it is always challenging to design scripts to decrypt iTunes backups.