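A password-protected backup made with iTunes includes the keychain file, which can be decrypted if the password is known. Commercial tools such as UFED and Oxygen can parse it; on the open-source side, iphone-dataprotection can do the job. That code base can parse encrypted iTunes backup files as well as the keychain file.
References: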
http://code.google.com/p/iphone-dataprotection/
http://www.securitylearn.net/2012/05/03/decrypting-the-iphone-keychain-from-backups
Steps to decrypt the backup Keychain (Mac OS X):
1. Go to the iTunes backup folder. The default location is ~/Library/Application Support/MobileSync/Backup/
2. Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.
3. Extract key 0x835 by following my previous blog post – Extracting AES keys from iPhone.
4. Download & install Mercurial. Researchers at Sogeti developed tools to decrypt the keychain files. Grab the tools by running the below command in the Mac OS X terminal. (Install it with sudo easy_install mercurial. Mercurial is a fairly popular distributed version control tool; repositories are synced with the hg command.)
Run hg clone https://code.google.com/p/iphone-dataprotection/
5. Install python dependencies.
sudo easy_install M2crypto construct progressbar setuptools
sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto
M2Crypto is a Python wrapper for OpenSSL. It supports RSA, DSA, DH, HMACs, message digests, symmetric ciphers such as AES, and client-side and server-side SSL. Xcode (gcc), swig and pcre must be installed before installing it.
6. Navigate to the iphone-dataprotection folder and run keychain_tool.py by supplying the keychain-backup.plist path and the backup folder path.
cd iphone-dataprotection
python python_scripts/keychain_tool.py ~/Library/Application\ Support/MobileSync/Backup/[UDID]/keychain-backup.plist ~/Library/Application\ Support/MobileSync/Backup/[UDID]/Manifest.plist
7. The script prompts for key 0x835. Key in the value obtained in step 2. keychain_tool.py automatically decrypts the backup keychain content and displays it on the terminal.
In an iTunes backup, the iPhone Keychain sqlite database is stored as a Plist file. The Keychain file is stored in the iTunes backup folder under the file name 51a4616e576dd33cd2abadfea874eb8ff246bf0e.
Keychain data stored in the backup is encrypted using a hardware-generated key – key 0x835. So renaming the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist and editing it with a plist editor opens the file but does not display the data in it.
Steps to decrypt the backup Keychain (Windows 7):
1. Go to the iTunes backup folder. The default location is C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\
2. Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.
3. Extract key 0x835 by following my previous blog post - Extracting AES keys from iPhone.
4. Download & install Mercurial. Researchers at Sogeti developed tools to decrypt the keychain files. Grab the tools by running the below command from the Windows command prompt. It creates an iphone-dataprotection folder in the current directory.
hg clone https://code.google.com/p/iphone-dataprotection/
5. Download and install Python 2.6 in C:\Python26 folder.
6. Add C:\Python26 to system PATH environment variable.
7. Install OpenSSL for Windows.
8. Install python dependencies - setuptools, M2Crypto, pycrypto & pyqt
9. Download progressbar-2.3.rar and extract it to c:\ drive. From command prompt navigate to c:\progressbar-2.3 and type the below command.
cd progressbar-2.3
python setup.py install
10. Download construct-2.06.rar and extract it to c:\ drive. From command prompt navigate to c:\construct-2.06 folder and type the below command.
cd construct-2.06
python setup.py install
11. From the command prompt, navigate to the iphone-dataprotection folder and run keychain_tool.py by supplying the keychain-backup.plist path and the backup folder path.
cd iphone-dataprotection
python python_scripts/keychain_tool.py "C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[UDID]\keychain-backup.plist" "C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[UDID]\Manifest.plist"
* In the above command, replace [user name] & [UDID] with appropriate values.
12. The script prompts for key 0x835. Key in the value obtained in step 2. keychain_tool.py automatically decrypts the backup keychain content and displays it on the command prompt.
Note: the keychain in an iTunes encrypted backup is stored encrypted with the iTunes password. So when decrypting the keychain from iTunes encrypted backups, enter the backup password instead of key 0x835.
A more detailed video demonstration is available at – iPhone forensics – Analysis of iOS 5 backups: video.
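The rename step and the note on encrypted backups, as an added example that is not part of the original post or of iphone-dataprotection: a stand-alone Python 3 helper that copies the keychain file out of a backup folder instead of renaming it in place, and reads the IsEncrypted flag in Manifest.plist to tell whether keychain_tool.py should be given the backup password or key 0x835. The function names and the sample backup folders are constructed for illustration.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

# File name of the keychain inside an iTunes backup folder (value from the page).
KEYCHAIN_BACKUP_ID = "51a4616e576dd33cd2abadfea874eb8ff246bf0e"


def stage_keychain(backup_dir, work_dir):
    """Copy the backup keychain into work_dir as keychain-backup.plist and
    report which secret is needed; the original backup is left untouched."""
    backup_dir, work_dir = Path(backup_dir), Path(work_dir)
    manifest_path = backup_dir / "Manifest.plist"
    keychain_src = backup_dir / KEYCHAIN_BACKUP_ID
    for required in (manifest_path, keychain_src):
        if not required.is_file():
            raise FileNotFoundError(f"{required.name} not found in {backup_dir}")
    with manifest_path.open("rb") as fh:
        manifest = plistlib.load(fh)  # handles XML and binary plists
    # Password-protected backups set IsEncrypted to true in Manifest.plist.
    encrypted = bool(manifest.get("IsEncrypted", False))
    work_dir.mkdir(parents=True, exist_ok=True)
    staged = work_dir / "keychain-backup.plist"
    shutil.copy2(keychain_src, staged)
    return {
        "keychain": staged,
        "manifest": manifest_path,
        "secret": "backup password" if encrypted else "key 0x835",
    }


def make_constructed_backup(root, name, encrypted):
    """Build a fake backup folder (constructed sample data, not a real backup)."""
    backup = Path(root) / name
    backup.mkdir(parents=True)
    with (backup / "Manifest.plist").open("wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)
    (backup / KEYCHAIN_BACKUP_ID).write_bytes(b"constructed placeholder")
    return backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, enc in (("UDID-A", False), ("UDID-B", True)):
            backup = make_constructed_backup(tmp, name, enc)
            info = stage_keychain(backup, Path(tmp) / "work" / name)
            print(name, "->", info["keychain"].name, "needs", info["secret"])
```

Working on a copy keeps the backup folder intact, so the same backup can still be restored or re-examined with other tools.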