More and more iPhone, iPad and iPod touch owners encrypt the backups that iTunes makes of their devices, so an encrypted backup with an unknown password is now a routine problem in digital forensics. As you know, iTunes backups live in the following locations:
Mac OS X: /Users/(username)/Library/Application Support/MobileSync/Backup/
Windows 7, 8 or 10: \Users\(username)\AppData\Roaming\Apple Computer\MobileSync\Backup\ (the Microsoft Store build of iTunes uses \Users\(username)\Apple\MobileSync\Backup\ instead)
Of course, if the backup you found is protected with a weak password, you can recover it with a cracking tool such as our favorite, Elcomsoft Phone Breaker.
Figure 1. Elcomsoft Phone Breaker’s Password Recovery Wizard window
But what if the backup is protected with a strong password? Let’s imagine a situation: you are examining an image of a Mac OS X system and find an encrypted iTunes backup with an unknown password. What do you do when the password is strong enough that your cracking tools fail?
The answer is the user’s keychain. You do need to know the user’s login password, but if you do, you can pull the password for the iTunes backup out of the keychain.
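Whether cracking is worth attempting at all is decided by the key-derivation parameters stored in the backup itself: the BackupKeyBag inside Manifest.plist holds the salts and iteration counts that turn the password into the key wrapping the backup's class keys, and on iOS 10.2 and later the first PBKDF2 pass alone runs 10,000,000 rounds of SHA-256. The following added example (not from the original post, and not Elcomsoft's code) parses a Manifest.plist, reports those parameters and derives the wrapping key from a candidate password, using only the Python standard library. The Manifest.plist it runs on is constructed inline with tiny iteration counts and dummy salts; the final confirmation step (AES key-unwrapping the WPKY values with the derived key) needs an AES implementation and is left out, so the function derives the key and reports the cost rather than proving a password correct.

```python
# Added example (not from the original post): inspect an encrypted iTunes
# backup's Manifest.plist and derive the key-wrapping key from a candidate
# password, standard library only.  The Manifest.plist used here is a
# constructed sample with deliberately tiny iteration counts.
import hashlib
import plistlib
import struct

# Keybag records whose value is a 4-byte big-endian integer.
INT_TAGS = {"VERS", "TYPE", "WRAP", "ITER", "DPIC", "CLAS", "KTYP"}


def parse_keybag(blob: bytes):
    """Parse the BackupKeyBag TLV blob (4-byte tag, 4-byte big-endian length,
    value).  Header records come first; every UUID after the keybag's own
    UUID starts a new protection-class record."""
    header, classes, current, off = {}, [], None, 0
    while off + 8 <= len(blob):
        tag = blob[off:off + 4].decode("ascii")
        (length,) = struct.unpack(">I", blob[off + 4:off + 8])
        value = blob[off + 8:off + 8 + length]
        off += 8 + length
        if tag == "UUID" and "UUID" in header:
            current = {}
            classes.append(current)
        if tag in INT_TAGS:
            (value,) = struct.unpack(">I", value)
        (header if current is None else current)[tag] = value
    return header, classes


def derive_wrapping_key(password: str, header: dict) -> bytes:
    """Derive the key that unwraps the class keys (WPKY) in the keybag.
    iOS 10.2+ backups add a PBKDF2-HMAC-SHA256 pass (DPSL salt, DPIC rounds,
    10,000,000 on real backups) before the classic PBKDF2-HMAC-SHA1 pass
    (SALT, ITER); older backups have only the SHA-1 pass."""
    key = password.encode("utf-8")
    if "DPSL" in header:
        key = hashlib.pbkdf2_hmac("sha256", key, header["DPSL"], header["DPIC"], 32)
    return hashlib.pbkdf2_hmac("sha1", key, header["SALT"], header["ITER"], 32)


def inspect_manifest(plist_bytes: bytes) -> dict:
    """Summarise what Manifest.plist tells you before choosing an attack."""
    manifest = plistlib.loads(plist_bytes)
    info = {"encrypted": bool(manifest.get("IsEncrypted")),
            "version": manifest.get("Version")}
    if info["encrypted"]:
        header, classes = parse_keybag(manifest["BackupKeyBag"])
        info["sha256_rounds"] = header.get("DPIC", 0)
        info["sha1_rounds"] = header["ITER"]
        # WRAP bit 1 (value 2) marks class keys wrapped with the password key.
        info["wrapped_classes"] = [c["CLAS"] for c in classes if c["WRAP"] & 2]
        info["header"] = header
    return info


def _tlv(tag: str, value) -> bytes:
    """Encode one keybag record; integers are stored as 4-byte big-endian."""
    if isinstance(value, int):
        value = struct.pack(">I", value)
    return tag.encode("ascii") + struct.pack(">I", len(value)) + value


def build_sample_manifest() -> bytes:
    """Constructed sample: the record layout of a real iOS 10.2+ BackupKeyBag,
    but with throwaway salts, a dummy wrapped key and tiny iteration counts."""
    keybag = b"".join([
        _tlv("VERS", 3), _tlv("TYPE", 1), _tlv("UUID", b"K" * 16),
        _tlv("HMCK", b"\x00" * 40), _tlv("WRAP", 1),
        _tlv("SALT", b"S" * 20), _tlv("ITER", 10),
        _tlv("DPWT", 0), _tlv("DPIC", 20), _tlv("DPSL", b"D" * 20),
        # one protection-class record: class 1, wrapped with the password key
        _tlv("UUID", b"C" * 16), _tlv("CLAS", 1), _tlv("WRAP", 2),
        _tlv("KTYP", 0), _tlv("WPKY", b"W" * 40),
    ])
    return plistlib.dumps({"IsEncrypted": True, "Version": "10.0",
                           "BackupKeyBag": keybag})


if __name__ == "__main__":
    info = inspect_manifest(build_sample_manifest())
    print("encrypted:", info["encrypted"], "version:", info["version"])
    print("PBKDF2 rounds: sha256 =", info["sha256_rounds"],
          "sha1 =", info["sha1_rounds"])
    print("classes wrapped with the password key:", info["wrapped_classes"])
    print("wrapping key:", derive_wrapping_key("correct horse", info["header"]).hex())
```

On a real backup, replace build_sample_manifest() with the bytes of Manifest.plist read from the backup folder; a DPIC of 10,000,000 is what makes a strong password infeasible to brute-force and the keychain route worth taking.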
There is a tool that can help: Simon Key’s dumpkeychain, freely available from EnCase App Central.
Before running the tool, you need to extract the user’s keychain file from the image. It is located at:
Now that you have the keychain file, you are ready to run the tool. Open a command prompt and type the following command:
dumpkeychain.exe -u <user_keychain> <password> <output_file>
<user_keychain> – the keychain file you’ve just extracted from the image
<password> – the user’s login password (the login keychain is encrypted with it by default)
<output_file> – the file the decrypted output will be saved to
Figure 2. Decrypting user’s keychain with dumpkeychain.exe
Now you have a text file with all the passwords stored in the user’s keychain. Open it with your favorite text editor and search for the entry named “iPhone Backup”. Here it is! That is the backup password, and you can now decrypt the backup. Note that this entry only exists if the user ticked “Remember this password in my keychain” when iTunes asked for the backup password; if they did not, the keychain will not help and you are back to cracking.