Nowadays more and more people use encryption to protect the backups of their iPhone, iPad, or iPod touch in iTunes. That’s why this is one of the typical problems of modern digital forensics. As you know, iTunes backups can be found in the following locations:

Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/

Windows 7, 8 or 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\

Of course, if the backup you found is protected with a weak password, you can use some cracking tools, like our favorite Elcomsoft Phone Breaker.

Figure 1. Elcomsoft Phone Breaker’s Password Recovery Wizard window

But what if the backup is protected with a strong password? Let’s imagine a situation: you are examining an image from a Mac OS X system and find an encrypted iTunes backup with an unknown password. What should you do if the password is strong enough that your cracking tools fail?

The answer is the user’s keychain! Of course, you must know the user’s login password, but if you do, you can get the password for the iTunes backup you found.

There is a tool that can help you: Simon Key’s dumpkeychain. It is freely available from EnCase App Central.

Before running the tool, you need to extract the user’s keychain file from the image. It is located at:

/Users/(username)/Library/Keychains/login.keychain

Now you have the keychain file and are ready to run the tool. Open a command prompt and type the following command:

dumpkeychain.exe -u <user_keychain> <password> <output_file>

Where:

<user_keychain> – the keychain file you’ve just extracted from the image

<password> – the user’s login password

<output_file> – a file, where the output will be saved

Figure 2. Decrypting user’s keychain with dumpkeychain.exe

Now you have a text file with all the passwords stored in the user’s keychain. Open it with your favorite text editor and find the “iPhone Backup” value. Here it is! You’ve found the password and can now decrypt the backup!
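To make these steps repeatable on many cases, here is an added PowerShell wrapper (not part of the original article or of the dumpkeychain tool) that runs the same command and then searches the dump for the “iPhone Backup” item. It assumes dumpkeychain.exe sits in the current directory and that the text output carries the item label within a few lines of the password; the exact output layout is not shown in this article, so that part is an assumption.

```powershell
# Added example, not from the original article or the dumpkeychain project.
# Usage: .\Get-BackupPassword.ps1 -KeychainPath .\login.keychain -UserPassword '<login password>'
param(
    [Parameter(Mandatory)] [string] $KeychainPath,   # login.keychain copied out of the image
    [Parameter(Mandatory)] [string] $UserPassword,   # the user's Mac OS X login password
    [string] $OutputFile = "$PWD\keychain_dump.txt", # where dumpkeychain writes its text output
    [string] $Tool = ".\dumpkeychain.exe"            # assumption: tool is in the current directory
)

if (-not (Test-Path -LiteralPath $KeychainPath)) {
    throw "Keychain file not found: $KeychainPath"
}
if (-not (Test-Path -LiteralPath $Tool)) {
    throw "dumpkeychain.exe not found at $Tool"
}

# Same invocation as in the article: dumpkeychain.exe -u <user_keychain> <password> <output_file>
& $Tool -u $KeychainPath $UserPassword $OutputFile
if ($LASTEXITCODE -ne 0) {
    throw "dumpkeychain.exe exited with code $LASTEXITCODE (wrong login password or unreadable keychain?)"
}
if (-not (Test-Path -LiteralPath $OutputFile)) {
    throw "dumpkeychain.exe finished but produced no output file at $OutputFile"
}

# Look for the iTunes backup item. -Context 0,3 also prints the three lines after
# each match, since the secret may sit on a following line (assumed layout).
$hits = Select-String -LiteralPath $OutputFile -Pattern 'iPhone Backup' -Context 0,3
if (-not $hits) {
    Write-Warning "No 'iPhone Backup' item in $OutputFile; the backup password was not saved to this keychain."
} else {
    foreach ($hit in $hits) {
        $hit.Line
        $hit.Context.PostContext
    }
}
```

If the script prints no match, the user did not let iTunes store the backup password in the login keychain, and the keychain route will not help for that backup.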

Authors:

Igor Mikhaylov & Oleg Skulkin


2 Comments

  1. Lazza

    March 1, 2017 at 11:10 pm

    It’s a bit weird that you blurred the password (P3VC3ofH3VRT) on the top but not the same one printed later on. 😉

    Reply

    • Admin

      March 2, 2017 at 5:17 pm

      It’s not a real password, so not a problem 🙂

      Reply
