Decrypting the iPhone keychain from backups

In an iTunes backup, the iPhone Keychain sqlite database is stored as a Plist file. The Keychain file is stored under the file name 51a4616e576dd33cd2abadfea874eb8ff246bf0e in the iTunes backup folder.

Keychain data stored in the backup is encrypted using a hardware-generated key – key 0x835. So renaming the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist and opening it with a plist editor works, but the data in it is not displayed.

Steps to decrypt the backup Keychain (Mac OS X):

1. Go to the iTunes backup folder. The default location is ~/Library/Application Support/MobileSync/Backup/

2. Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.

3. Extract key 0x835 by following my previous blog post – Extracting AES keys from iPhone.

4. Download & install Mercurial. Researchers at Sogeti developed tools to decrypt the keychain files. Grab the tools by running the command below in the Mac OS X terminal.

hg clone https://code.google.com/p/iphone-dataprotection/

5. Install Python dependencies.

sudo easy_install M2crypto construct progressbar setuptools
sudo ARCHFLAGS='-arch i386 -arch x86_64' easy_install pycrypto

6. Navigate to the iphone-dataprotection folder and run keychain_tool.py, supplying the keychain-backup.plist path and the Manifest.plist path from the backup folder.

cd iphone-dataprotection
python python_scripts/keychain_tool.py ~/Library/Application\ Support/MobileSync/Backup/[UDID]/keychain-backup.plist ~/Library/Application\ Support/MobileSync/Backup/[UDID]/Manifest.plist

7. The script prompts for key 0x835. Key in the value obtained in step 2. keychain_tool.py automatically decrypts the backup keychain content and displays it on the terminal.



Steps to decrypt the backup Keychain (Windows 7):

1. Go to the iTunes backup folder. The default location is – C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\

2. Rename the file 51a4616e576dd33cd2abadfea874eb8ff246bf0e to keychain-backup.plist.

3. Extract key 0x835 by following my previous blog post – Extracting AES keys from iPhone.

4. Download & install Mercurial. Researchers at Sogeti developed tools to decrypt the keychain files. Grab the tools by running the command below from the Windows command prompt. It creates the iphone-dataprotection folder in the current directory.

hg clone https://code.google.com/p/iphone-dataprotection/

5. Download and install Python 2.6 in the C:\Python26 folder.

6. Add C:\Python26 to the system PATH environment variable.

7. Install OpenSSL for Windows.

8. Install Python dependencies – setuptools, M2Crypto, pycrypto & pyqt

9. Download progressbar-2.3.rar and extract it to the c:\ drive. From the command prompt, navigate to c:\progressbar-2.3 and type the command below.

cd progressbar-2.3
python setup.py install

10. Download construct-2.06.rar and extract it to the c:\ drive. From the command prompt, navigate to the c:\construct-2.06 folder and type the command below.

cd construct-2.06
python setup.py install

11. From the command prompt, navigate to the iphone-dataprotection folder and run keychain_tool.py, supplying the keychain-backup.plist path and the Manifest.plist path from the backup folder.

cd iphone-dataprotection
python python_scripts/keychain_tool.py "C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[UDID]\keychain-backup.plist" "C:\Users\[user name]\AppData\Roaming\Apple Computer\MobileSync\Backup\[UDID]\Manifest.plist"

* In the above command replace [user name] & [UDID] with appropriate values.

12. The script prompts for key 0x835. Key in the value obtained in step 2. keychain_tool.py automatically decrypts the backup keychain content and displays it on the command prompt.

Note: the keychain in an encrypted iTunes backup is stored encrypted with the iTunes backup password. So while decrypting the keychain from encrypted iTunes backups, enter the backup password instead of key 0x835.
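Steps 1 and 2 and the note above, as an added Python 3 helper (not part of the original post or of the iphone-dataprotection tools): it copies the keychain file to a working folder instead of renaming it inside the backup, and reads the IsEncrypted flag from Manifest.plist to report whether keychain_tool.py will need key 0x835 or the backup password. The function name stage_keychain and the working folder are assumptions made for this example.

```python
import plistlib
import shutil
import tempfile
from pathlib import Path

# File name of the backup keychain, as given in this post.
KEYCHAIN_ID = "51a4616e576dd33cd2abadfea874eb8ff246bf0e"


def stage_keychain(backup_dir, work_dir):
    """Copy the keychain out of one backup and report which secret is needed.

    stage_keychain is a hypothetical helper name; backup_dir is the [UDID] folder.
    """
    backup_dir, work_dir = Path(backup_dir), Path(work_dir)
    src = backup_dir / KEYCHAIN_ID
    manifest = backup_dir / "Manifest.plist"
    for required in (src, manifest):
        if not required.is_file():
            raise FileNotFoundError("missing from backup: %s" % required)

    # plistlib.load reads both XML and binary property lists.
    with manifest.open("rb") as fh:
        encrypted = bool(plistlib.load(fh).get("IsEncrypted", False))

    # Copy rather than rename so the original backup stays unmodified.
    work_dir.mkdir(parents=True, exist_ok=True)
    dst = work_dir / "keychain-backup.plist"
    shutil.copy2(src, dst)
    return {
        "keychain": dst,
        "manifest": manifest,
        "secret": "backup password" if encrypted else "key 0x835",
    }


if __name__ == "__main__":
    # Constructed sample backup so the example runs offline.
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "UDID-placeholder"
        backup.mkdir()
        (backup / KEYCHAIN_ID).write_bytes(b"constructed sample, not a real keychain")
        with (backup / "Manifest.plist").open("wb") as fh:
            plistlib.dump({"IsEncrypted": False}, fh)
        result = stage_keychain(backup, Path(tmp) / "work")
        print("keychain_tool.py will prompt for:", result["secret"])
```

Pass the returned keychain and manifest paths to keychain_tool.py in place of the renamed file.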

A more detailed video demonstration is available at – iPhone forensics – Analysis of iOS 5 backups (video).

For iOS 7, apply this patch – https://code.google.com/p/iphone-dataprotection/issues/detail?id=115