Digital forensics

iPhone Forensics – Analysis of iOS 5 backups : Part 2

May 29, 2012 by Satish B.

[highlight color=”blue”]Interested in formal iPhone forensics training? Check out our 3 day iPhone and iOS forensics course now available. [/highlight]

In the first part of this article, we discussed the techniques to read iTunes backups. The following article discloses the procedure to extract protection class keys from the Backup Keybag and covers the techniques & the tools to decrypt the protected backup files and the encrypted backups.

Data protection mechanism introduced in iOS 4 protects the sensitive data in files on the file system and items in the keychain by adding another layer of encryption. Data protection uses the user’s passcode key and the device specific hardware encryption keys to generate a set of class keys which protect the designated data. Developers use the data protection API to add protection class flag to the files and the keychain items. On the iPhone, protection class keys are stored in the System Keybag. During the backup, iTunes generates a new set of protection class keys and stores them in the Backup Keybag. Class keys stored in the System Keybag are different from the keys in the Backup Keybag. Protected files and data in the backup are encrypted using the class keys that are stored in the Backup Keybag. In normal backups Backup Keybag is protected with a key generated from the iPhone hardware (Key 0x835) and in encrypted backups it is protected with the iTunes password.

Data protection for files can be enabled by setting a value for the NSFileProtection attribute using the NSFileManager class setAttributes:ofItemAtPath:error method. List of protection classes available for the files are shown in Table 1.

Key id Protection class Description
1 NSProtectionComplete File is accessible only after the device is unlocked
2 NSFileProtectionCompleteUnlessOpen
  • File is accessible after the device is unlocked (or)
  • File is accessible if the file handle remains open before locking the device
3 NSFileProtectionCompleteUntilFirstUserAuthentication File is accessible after the first unlock of the device to till reboot
4 NSProtectionNone File is accessible even the device is locked
5 NSFileProtectionRecovery  Undocumented

(Table 1)

Data protection for keychain items can be enabled by setting a protection class value inSecItemAdd or SecItemUpdate methods. Keychain class keys also define whether a keychain item can be migrated to other device or not. List of protection classes available for the keychain items are shown in Table 2.

Key id Protection class Description
6 kSecAttrAccessibleWhenUnlocked Keychain item is accessible only after the device is unlocked
7 kSecAttrAccessibleAfterFirstUnlock Keychain item is accessible only after the first unlock of the device to till reboot
8 kSecAttrAccessibleAlways Keychain item is accessible even the device is locked
9 kSecAttrAccessibleWhenUnlockedThisDeviceOnly Keychain item is accessible only after the device is unlocked and the item cannot be migrated between devices
10 kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly Keychain item is accessible after the first unlock of the device and the item cannot be migrated
11 kSecAttrAccessibleAlwaysThisDeviceOnly Keychain item is accessible even the device is locked and the item cannot be migrated

(Table 2)

Jean Sigwald, a researcher at Sogeti ESEC labs has released open source forensic tool kit that can be used to decrypt the protected backup files from normal backups and encrypted backups. Below details outline their research and gives an overview on usage of the tools.

Setup:

On Mac OS X, download & install the required python modules (pycrypto, M2crypto, construct and progressbar).

[code]
> sudo ARCHFLAGS=’-arch i386 -arch x86_64′ easy_install pycrypto
> sudo easy_install M2crypto construct progressbar
[/code]

Download and install Mercurial (http://mercurial.selenic.com/) to check out the source code from the iphone-dataprotection Google code repository.

[code]
> hg clone https://code.google.com/p/iphone-dataprotection/
> cd iphone-dataprotection
[/code]

Decrypting Normal backups:

In case of normal backups, the data protection class keys stored in the Backup Keybag are protected by a hardware generated key (Key 0x835). In order to grab the protection class keys from the Backup Keybag Key 0x835 is required and the key is computed only on the device. So decryption of protected files in the normal backup is not possible without having access to the actual device. In forensic investigations the information recovered from the normal backups is less if physical access to the device is not available.

Steps below explain the procedure to decrypt the protected files stored in the normal backup in case physical access to device is obtained. On the iPhone, Key 0x835 is computed by the IOAESAccelerator kernel service at iOS boot by encrypting a static value 01010101010101010101010101010101 with UID. UID is a hardware encryption key embedded in the iPhone application processor AES engine and it is unique for each device. iOS running on the iPhone cannot read the hardware key (UID) but it uses the key to compute Key 0x835 in kernel mode. UID is not accessible to user land process. This restriction can be bypassed by patching the IOAESAccelerator kernel service.

Steps to extract Key 0x835 from the iPhone:

1. Jailbreak your iPhone. If you don’t like to Jailbreak the phone, follow the steps explained in the iPhone Forensics article.
2. On the iPhone, install OpenSSH from Cydia. OpenSSH allows connecting to the device over SSH.
3. On Mac OS X workstation, download device_infos, kernel_patcher and Cyberduck tools.
4. Connect the iPhone and workstation to the same Wi-Fi network.
5. On OS X run Cyberduck and connect to the iPhone by typing iPhone IP address, root as username and alpine as password.
6. Copy device_infos and kernel_patcher executables to the iPhone root directory.
7. Run Mac terminal and SSH to the iPhone by typing iPhone IP, root as username and alpine as password.

[code]
> ssh root@iPhone-IP
Password: alpine
[/code]

8. On SSH terminal, run the below commands to change the execution permissions of kernel_patcher and device_infos.

[code]
> chmod 777 kernel_patcher
> chmod 777 device_infos
[/code]

9. Patch IOAESAccelerator kernel service to use the hardware encryption key (UID) from user land process. Kernel_patcher script modifies the kernel and applies the required patches to IOAESAccelerator.

[code]
> ./kernel_patcher
[/code]

* If the kernel is already patched, the above script displays kernel patching failed message.

10. Run device_infos script and supply key835 as a parameter. The script computes the Key 0x835 and displays on the screen. If key835 parameter is not supplied, the script computes all the encryption keys and stores them in a Plist file.

[code]
> ./device_infos key835
[/code]

Once Key 0x835 is grabbed, it is possible to decrypt the Backup Keybag and obtain the data protection class keys. Later these class keys are used to decrypt the protected files in the backup.

11. On Mac OS X terminal, navigate to iphone-dataprotection directory. Run the backup_tool.py script by supplying the iTunes backup directory path.

[code]
> python python_scripts/backup_tool.py /Users/User/Library/Application
Support/MobileSync/Backup/[iPhone UDID]/ [output_path]
[/code]

If output_path is not mentioned, the script creates [iPhone UDID]_extract directory in the backup folder and extracts the backup files into it.

On the backup, the iPhone keychain sqlite database is stored as a Plist file (Keychain-backup.plist). The Plist file contents are encrypted with the keychain data protection class keys. Items in the keychain can only be viewed after decrypting it with the keychain protection class keys.

Run keychain_tool.py and supply Key 0x835. The script decrypts the Backup Keybag, grabs the protection class keys from 6 to 11 (listed in Table 2) and decrypts the keychain items.

[code]
> python python_scripts/keychain_tool.py –d /Users/User/Library/Application
Support/MobileSync/Backup/[iPhone UDID_extract]/keychain-backup.plist
/Users/User/Library/Application
Support/MobileSync/Backup/[iPhone UDID_extract]/Manifest.plist

[/code]

The above script dumps the generic passwords, internet passwords, certificates and private keys from the keychain backup file.

Decrypting Encrypted backups

In cases of encrypted backups, migratable data protection class keys (6 to 8 listed in Table 2) stored in the Backup Keybag are protected by iTunes password and ThisDeviceOnly class keys (9 to 11 listed in Table 2) stored in the Backup Keybag are protected by Key 0x835 along with the iTunes password. Most of the data stored in the encrypted backups is migratable as the data is encrypted with the iTunes password and it is not tied to a specific device. Files in the backup are encrypted with a unique key for each file using AES 256 in CBC mode. Encryption keys are stored in the Backup Keybag and protected by iTunes password. In order to decrypt the Backup Keybag, grab the protection class keys and decrypt backup files iTunes password is required. So decryption of files in the encrypted backup is not possible without the iTunes password. In forensic investigations the information recovered from the backups is less if the iTunes password is not available. As iTunes does not impose any password strength rules on encrypted backups, it is easy to perform a brute force attack on it. Encrypted backups add a significant difficulty in data recovering and it may be impossible with a complex password in use.

During the backup iTunes stores the encrypted backup password on the iPhone keychain. So if the backup password is unknown and physical access to the device is available, the backup password can be retrieved by viewing the iPhone keychain items. On a JailBroken iPhone, all the keychain items can be viewed using keychain_dumper tool.

Tools like iPhone Backup Extractor & iPhone Backup Browser does not work on encrypted backups. They can only read & parse the Manifest.mbdb file and prepares a file structure. However the file cannot be opened as the content is encrypted.

Steps below explain the procedure to decrypt the files stored in the encrypted backup with a known iTunes password.

Run backup_tool.py and supply iTunes password to it. In case if the password is unknown, modify the backup_tool.py script and attach a brute force script to it. Backup_tool.py script takes the user entered password, decrypts the Backup Keybag, grabs all the encryption keys and decrypts the files in the backup.

[code]
> python python_scripts/backup_tool.py /Users/User/Library/Application Support/MobileSync/Backup/[iPhone UDID]/ [output_path]
[/code]

If output_path is not mentioned, the script creates [iPhone UDID]_extract directory in the backup folder and extracts the backup files into it.

On the encrypted backup, the iPhone keychain sqlite database is stored as a Plist file (Keychain-backup.plist). The Plist file contents are encrypted with the migratable and ThisDeviceOnly keychain data protection class keys.

To view migratable keychain items run keychain_tool.py and supply iTunes password.
To view ThisDeviceOnly keychain items run keychain_tool.py and supply Key 0x835.

[code]
> python python_scripts/keychain_tool.py –d /Users/User/Library/Application
Support/MobileSync/Backup/[iPhone UDID_extract]/keychain-backup.plist
/Users/User/Library/Application
Support/MobileSync/Backup/[iPhone UDID_extract]/Manifest.plist

[/code]

The above script dumps the generic passwords, internet passwords, certificates and private keys from the keychain backup file.

Conclusion:

Techniques illustrated in the article shows that forensics investigation is possible on the latest version of iPhone backups. However the information recovered from the backup alone without physical access to the device is less. Apple is also changing the backup mechanism with every major release of iTunes. So it is always challenging to design the scripts to decrypt the iTunes backups.

References

  1. iPhone data protection in depth by Jean-Baptiste Bédrune, Jean Sigwald
    http://esec-lab.sogeti.com/dotclear/public/publications/11-hitbamsterdam-iphonedataprotection.pdf
  2. iPhone data protection tools

    http://code.google.com/p/iphone-dataprotection/

  3. iPhone wiki

    http://theiphonewiki.com

Posted: May 29, 2012
Author
Satish B.
View Profile

Satish B (@satishb3) is an Information Security Professional with 6 years of experience in penetration testing of web applications and mobile applications. He is currently a security researcher at Infosec Institute. Satish's blog is located at - http://www.securitylearn.net Email: satishb3@securitylearn.net

8 responses to “iPhone Forensics – Analysis of iOS 5 backups : Part 2”

  1. Andre Gironda says:

    tried this on my iPad 2 running 4.3.3. kernel_patcher failed

    (gdb) bt
    #0 0x2fe0ec40 in __dyld_stub_binding_helper_interface ()
    #1 0x00002e3c in main ()
    (gdb) step
    Single stepping until exit from function __dyld_stub_binding_helper_interface,
    which has no line number information.
    0x33c92eac in vm_read ()
    (gdb) bt
    #0 0x33c92eac in vm_read ()
    #1 0x00002e3c in main ()
    (gdb) step
    Single stepping until exit from function vm_read,
    which has no line number information.

    Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
    0x33c92ee0 in vm_read ()
    (gdb) bt
    #0 0x33c92ee0 in vm_read ()
    #1 0x00002e3c in main ()
    (gdb) info threads
    * 2 “com.apple.main-thread” 0x33c92ee0 in vm_read ()
    (gdb) disass
    Dump of assembler code for function vm_read:
    0x33c92eac : push {r4, r5, r6, r7, lr}
    0x33c92eae : add r7, sp, #12
    0x33c92eb0 : stmdb sp!, {r8, r10}
    0x33c92eb4 : sub sp, #72
    0x33c92eb6 : mov r4, r1
    0x33c92eb8 : ldr r1, [pc, #256] (0x33c92fbc )
    0x33c92eba : mov r6, r0
    0x33c92ebc : mov r5, r2
    0x33c92ebe : add r1, pc
    0x33c92ec0 : movs r2, #8
    0x33c92ec2 : ldr.w r8, [r1]
    0x33c92ec6 : add r0, sp, #36
    0x33c92ec8 : mov r10, r3
    0x33c92eca : mov r1, r8
    0x33c92ecc : bl 0x33c858b4
    0x33c92ed0 : movw r3, #5395 ; 0x1513
    0x33c92ed4 : str r4, [sp, #44]
    0x33c92ed6 : str r3, [sp, #12]
    0x33c92ed8 : str r5, [sp, #48]
    0x33c92eda : str r6, [sp, #20]
    0x33c92edc : bl 0x33c94e38
    0x33c92ee0 : movw r3, #4804 ; 0x12c4
    0x33c92ee4 : str r3, [sp, #32]
    0x33c92ee6 : movs r3, #0
    0x33c92ee8 : movs r1, #3
    0x33c92eea : str r3, [sp, #4]
    0x33c92eec : str r3, [sp, #8]
    0x33c92eee : movs r2, #40
    0x33c92ef0 : adds r3, #60
    0x33c92ef2 : str r0, [sp, #24]
    0x33c92ef4 : str r0, [sp, #0]
    0x33c92ef6 : add r0, sp, #12
    0x33c92ef8 : bl 0x33c9472c
    0x33c92efc : mov r4, r0
    0x33c92efe : cbz r0, 0x33c92f26
    0x33c92f00 : add.w r3, r0, #4026531840 ; 0xf0000000
    0x33c92f04 : subs r3, #2
    0x33c92f06 : cmp r3, #14
    0x33c92f08 : bhi.n 0x33c92f1e
    0x33c92f0a : movs r2, #1
    0x33c92f0c : lsls r2, r3
    0x33c92f0e : movw r3, #16387 ; 0x4003
    0x33c92f12 : tst r2, r3
    0x33c92f14 : beq.n 0x33c92f1e
    0x33c92f16 : ldr r0, [sp, #24]
    0x33c92f18 : bl 0x33c94de8
    0x33c92f1c : b.n 0x33c92fb0
    0x33c92f1e : ldr r0, [sp, #24]
    0x33c92f20 : bl 0x33c94dec
    0x33c92f24 : b.n 0x33c92fb0
    0x33c92f26 : ldr r3, [sp, #32]
    0x33c92f28 : movw r2, #4904 ; 0x1328
    0x33c92f2c : cmp r3, r2
    0x33c92f2e : beq.n 0x33c92f3c
    0x33c92f30 : cmp r3, #71
    0x33c92f32 : ldr r3, [pc, #140] (0x33c92fc0 )
    0x33c92f34 : it ne
    0x33c92f36 : mvnne.w r3, #300 ; 0x12c
    0x33c92f3a : b.n 0x33c92f9a
    0x33c92f3c : ldr r3, [sp, #12]
    0x33c92f3e : ldr r2, [sp, #16]
    0x33c92f40 : cmp r3, #0
    0x33c92f42 : bge.n 0x33c92f5c
    0x33c92f44 : ldr r3, [sp, #36]
    0x33c92f46 : subs r2, #52
    0x33c92f48 : it ne
    0x33c92f4a : movne r2, #1
    0x33c92f4c : cmp r3, #1
    0x33c92f4e : ite eq
    0x33c92f50 : moveq r3, r2
    0x33c92f52 : orrne.w r3, r2, #1 ; 0x1
    0x33c92f56 : cmp r3, #0
    0x33c92f58 : bne.n 0x33c92fac
    0x33c92f5a : b.n 0x33c92f7a
    0x33c92f5c : cmp r2, #36
    0x33c92f5e : bne.n 0x33c92fac
    0x33c92f60 : ldr r3, [sp, #44]
    0x33c92f62 : cbz r3, 0x33c92fac
    0x33c92f64 : ldrb.w r2, [sp, #40]
    0x33c92f68 : ldrb.w r1, [r8, #4]
    0x33c92f6c : cmp r2, r1
    0x33c92f6e : beq.n 0x33c92f9a
    0x33c92f70 : ldr r3, [sp, #44]
    0x33c92f72 : rev r3, r3
    0x33c92f74 : str r3, [sp, #44]
    0x33c92f76 : cbz r3, 0x33c92f9e
    0x33c92f78 : b.n 0x33c92f9a
    0x33c92f7a : ldrb.w r3, [sp, #51]
    0x33c92f7e : cmp r3, #1
    0x33c92f80 : bne.n 0x33c92fac
    0x33c92f82 : ldr r3, [pc, #64] (0x33c92fc4 )
    0x33c92f84 : ldrb.w r2, [sp, #56]
    0x33c92f88 : add r3, pc
    0x33c92f8a : ldr r3, [r3, #0]
    0x33c92f8c : ldrb r3, [r3, #4]
    0x33c92f8e : cmp r2, r3
    0x33c92f90 : beq.n 0x33c92f9e
    0x33c92f92 : ldr r3, [sp, #60]
    0x33c92f94 : rev r3, r3
    0x33c92f96 : str r3, [sp, #60]
    0x33c92f98 : b.n 0x33c92f9e
    0x33c92f9a : mov r4, r3
    0x33c92f9c : b.n 0x33c92fb0
    0x33c92f9e : ldr r3, [sp, #40]
    0x33c92fa0 : ldr r2, [sp, #100]
    0x33c92fa2 : str.w r3, [r10]
    0x33c92fa6 : ldr r3, [sp, #60]
    0x33c92fa8 : str r3, [r2, #0]
    0x33c92faa : b.n 0x33c92fb0
    0x33c92fac : ldr r3, [pc, #24] (0x33c92fc8 )
    0x33c92fae : b.n 0x33c92f9a
    0x33c92fb0 : mov r0, r4
    0x33c92fb2 : sub.w sp, r7, #20 ; 0x14
    0x33c92fb6 : ldmia.w sp!, {r8, r10}
    0x33c92fba : pop {r4, r5, r6, r7, pc}
    0x33c92fbc : bne.n 0x33c93044
    0x33c92fbe : lsrs r2, r4, #11
    0x33c92fc0 : mcr2 15, 6, pc, cr12, cr15, {7}
    0x33c92fc4 : beq.n 0x33c930b8
    0x33c92fc6 : lsrs r2, r4, #11
    0x33c92fc8 : mrc2 15, 6, pc, cr4, cr15, {7}
    End of assembler dump.

  2. satish b says:

    Currently the Kernel patcher code only works for iOS 5.

  3. Nick says:

    Hi. I have all backup files for my broken iPhone 4, I’m trying to see firstly what I have backed up that I can save (mainly messages) and I can’t remember if I encrypted or not. Have got to the stage where iPhone backup browser will see my phones description but will not open files. I have a PC and not a Mac computer, can you give me an idea of my next step?

    This is the warning backup browser gives me.

    – Unable to load DLL “bplist.dll” The specified procedure could not be found.

    Please bear in mind I am a ‘hacking’ novice, I know only so far what I have read in your fantastic forensic posts.

    Thanks.

  4. satish b says:

    Open backup location and edit Manifest.plist using a plist editor. Search for ‘IsEncrypted’ value. If it is ‘true’ then the backup is encrypted.

    For bplist.dll problem – look at requirement section in – http://code.google.com/p/iphonebackupbrowser/

  5. Alex says:

    Hello Satish,

    Many thanks for interesting article.
    I just wanted to inform you that the download links of the tools named as “device_infos, kernel_patcher” are not valid!

    Can you provide new links.

    Regards,
    Alex

  6. milka says:

    Hello,
    and thank you for your article. I have my keychain-backup.plist that I want to decrypt. The tool you’re suggesting only works on Mac or Linux.

    Do you know how one could do this in Windows?

    Many thanks.

  7. satish b says:

    To decrypt the keychain from backups on Windows, visit – http://www.securitylearn.net/2012/05/03/decrypting-the-iphone-keychain-from-backups/

  8. Stumpy says:

    If you have a decrypted iTunes backup you want to analyse, I have some Linux based scripts to help.
    The scripts will restore the logical file system i.e recreate the original directory structure and restore the files to their original locations and file names. The scripts will also recover chat/email/message data from a number of sources. You can get the scripts here:
    http://code.google.com/p/itune-unbackup/

Leave a Reply

Your email address will not be published.