In the Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools, including iOS Forensic Toolkit, automatically apply a temporary backup password before creating a backup. If the temporary password is not removed after the extraction, subsequent extraction attempts, especially those made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.
Password-protected iOS backups
An iTunes-style backup is a major part of the logical extraction process. In iOS and iPadOS, local backups may be protected and securely encrypted with a password. If a backup is protected with a password, some information (such as the keychain) is encrypted with the same password as the rest of the backup. If, however, the backup is not protected with a password, iOS still encrypts the keychain using encryption keys specific to a particular device. This means that the keychain from an unencrypted backup can only be restored onto exactly the physical device the backup was captured from, while password-protected backups can be restored onto the same or different hardware. In addition, certain sensitive information (such as Health, Safari history, etc.) is not included in unencrypted backups at all.
Since password-protected backups offer more available information than unencrypted backups, we recommend setting a temporary backup password (e.g., ‘123’) when performing logical acquisition. The password must be created before creating a backup and removed after the backup is captured. iOS Forensic Toolkit attempts to automatically apply a temporary password before the extraction, and remove it once the process is finished. The process, however, requires some manual intervention as iOS prompts for a manual entry of the screen lock passcode on the device when setting or removing the backup password. The prompt is only displayed for a limited time. If the prompt expires without user input, the operation will continue without changing or removing the backup password.
The screen lock passcode must be manually entered on the iOS device when assigning and removing the backup password. The procedure is identical regardless of the tool; the same prompt will be displayed if you attempt to change or remove the backup password from iTunes or Finder. The prompt will be displayed on the iPhone for a limited time. If the expert skips the prompt before the extraction, the backup will be created without a password. If, however, the expert skips the prompt displayed after the extraction, the temporary backup password will be left on the device. For this reason, we strongly recommend checking the state of the backup password before and after the extraction, and removing the temporary backup password if one is accidentally left on the device.
Depending on the amount of data, making a local backup may take a while, which makes it possible for the expert to miss the end of the process and correspondingly miss the limited-time prompt on the device. If this happens, the temporary backup password cannot be removed from the device.
If the device you are extracting was previously extracted with a third-party forensic tool, it may have a ‘leftover’ backup password on it.
What can you do with an unknown backup password?
There are generally three approaches to unknown backup passwords.
Try one of the passwords that are commonly set by the different forensic tools.
Try attacking the password with Elcomsoft Phone Breaker. Note that the speed of the attack will be extremely slow (several passwords a minute) due to increased backup security in iOS 10.2.
Consider resetting the backup password. This should be only considered as the last resort due to multiple implications.
Leftover passwords set by forensic tools
iOS Forensic Toolkit as well as other forensic tools may automatically set a temporary password before the extraction. If a temporary password is not removed afterwards, try one of the following passwords:
Elcomsoft iOS Forensic Toolkit: 123
Cellebrite UFED: 1234
MSAB XRY: 1234
Belkasoft Evidence Center: 12345
Oxygen Forensic Detective: 123456 (or oxygen for older versions)
Magnet AXIOM: mag123
MOBILedit Forensic: 123
Recovering the backup password
If none of the passwords match, you may attempt to attack the backup password using Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery. For this, produce a password-protected backup first, then open it in the tool of your choice. Since iOS 10.2, Apple has hardened the security of password-protected backups following the vulnerability discovered in iOS 10.0. A GPU-assisted attack performed on a single computer delivers a speed of up to a hundred passwords per second (depending on the GPU), while a CPU-only attack can only try a handful of passwords per minute. For this reason, we can only realistically recommend attacks based on very short, targeted dictionaries.
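The check recommended earlier (confirm whether the backup actually came out password-protected) and the iOS 10.2 hardening just described can both be read off the backup's Manifest.plist. The following is an added example, not part of the original post and not ElcomSoft code: it reports the IsEncrypted flag and parses the BackupKeyBag TLV stream to show whether the two-stage key derivation introduced in iOS 10.2 (recorded as DPIC/DPSL entries) is in use. The tag names follow the publicly documented keybag layout; the sample manifests are constructed inline and their values are assumptions, not data from a real device.

```python
import plistlib
import struct

# Keybag tags whose value is a 4-byte big-endian integer (publicly documented layout).
INT_TAGS = {"VERS", "TYPE", "ITER", "DPIC", "DPWT", "CLAS", "WRAP", "KTYP"}

def parse_keybag(blob):
    """Walk the BackupKeyBag TLV stream (4-byte tag, 4-byte length, value).
    Header entries come first; every UUID after the first opens a class-key record."""
    header, classes, pos = {}, [], 0
    while pos + 8 <= len(blob):
        tag = blob[pos:pos + 4].decode("ascii")
        length = struct.unpack(">I", blob[pos + 4:pos + 8])[0]
        value = blob[pos + 8:pos + 8 + length]
        pos += 8 + length
        if tag in INT_TAGS:
            value = struct.unpack(">I", value)[0]
        if tag == "UUID" and "UUID" in header:
            classes.append({})  # second and later UUIDs start a wrapped class key
        (classes[-1] if classes else header)[tag] = value
    return header, classes

def describe_backup(manifest_bytes):
    """Report the backup-password state recorded in a Manifest.plist."""
    manifest = plistlib.loads(manifest_bytes)
    info = {"encrypted": bool(manifest.get("IsEncrypted", False))}
    if not info["encrypted"]:
        return info  # no backup password: keychain stays device-bound, Health etc. absent
    header, classes = parse_keybag(manifest["BackupKeyBag"])
    info["iterations"] = header.get("ITER")   # PBKDF2-SHA1 iterations (final round)
    info["dpic"] = header.get("DPIC")         # PBKDF2-SHA256 iterations added in iOS 10.2
    info["hardened"] = "DPIC" in header and "DPSL" in header
    info["class_keys"] = len(classes)
    return info

def _tlv(tag, value):
    value = struct.pack(">I", value) if isinstance(value, int) else value
    return tag.encode() + struct.pack(">I", len(value)) + value

# Constructed sample keybag (assumed values): iOS 10.2+ header plus two class keys.
SAMPLE_KEYBAG = b"".join([
    _tlv("VERS", 3), _tlv("TYPE", 1), _tlv("UUID", bytes(16)), _tlv("WRAP", 1),
    _tlv("SALT", bytes(20)), _tlv("ITER", 10000), _tlv("DPIC", 10000000), _tlv("DPSL", bytes(20)),
    _tlv("UUID", bytes(16)), _tlv("CLAS", 1), _tlv("WRAP", 3), _tlv("WPKY", bytes(40)),
    _tlv("UUID", bytes(16)), _tlv("CLAS", 2), _tlv("WRAP", 3), _tlv("WPKY", bytes(40)),
])
ENCRYPTED_MANIFEST = plistlib.dumps({"IsEncrypted": True, "BackupKeyBag": SAMPLE_KEYBAG})
PLAIN_MANIFEST = plistlib.dumps({"IsEncrypted": False})
```

To check a real extraction, pass the bytes of the Manifest.plist found in the backup folder to describe_backup(); an "encrypted": False result after a run means the temporary password prompt was missed before the extraction.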
Resetting the backup password: the last resort
If you were unable to guess or recover the backup password, we recommend saving a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).
Since iOS 11, Apple makes it possible to reset the backup password on the iPhone by using the following steps.
Unlock the iPhone with Touch ID, Face ID or passcode.
Open the Settings app and navigate to General.
Scroll all the way down and tap Reset.
Tap and confirm Reset All Settings.
Enter the iPhone passcode if one is enabled.
The “Reset All Settings” command will erase the following settings:
Display brightness
Whether or not to display battery percentage
All Wi-Fi passwords (but not any other passwords or tokens stored in the Keychain)
apple.wifi.plist
iTunes backup password
The passcode
Please note that the device’s screen lock passcode is also removed when you use the “Reset All Settings” command. Removing the screen lock passcode has multiple important implications: it disables certain iCloud-related features (such as end-to-end encryption and the synchronization of end-to-end encrypted data) and erases certain types of data (such as Apple Pay transactions, Exchange downloaded mail and accounts, and more). For this reason, resetting the backup password should only be considered as a last resort.
By Oleg Afonin, 2022-11-10 13:13:07. Source: ElcomSoft blog.