In Apple ecosystem, logical acquisition is the most convenient and the most compatible extraction method, with local backups being a major contributor. Password-protected backups contain significantly more information than unencrypted backups, which is why many forensic tools including iOS Forensic Toolkit automatically apply a temporary backup password before creating a backup. If a temporary password is not removed after the extraction, subsequent extraction attempts, especially made with a different tool, will produce encrypted backups protected with an effectively unknown password. In this article we’ll talk about why this happens and how to deal with it.
An iTunes-style backup is a major part of the logical extraction process. In iOS and iPadOS, local backups may be protected and securely encrypted with a password. If a backup is protected with a password, some information (such as the keychain) is encrypted with the same password as the rest of the backup. If, however, the backup is not protected with a password, iOS still encrypts the keychain using encryption keys specific to a particular device. This means that the keychain from the unencrypted backup can be only restored onto exactly the particular physical device the backup was captured from, while password-protected backups can be restored onto a the same or different hardware. In addition, certain sensitive information (such as Health, Safari history, etc.) is not included in unencrypted backups at all.
More information: About encrypted backups on your iPhone, iPad, or iPod touch – Apple Support
Since password-protected backups offer more available information than unencrypted backups, we recommend setting a temporary backup password (e.g., ‘123’) when performing logical acquisition. The password must be created before creating a backup and removed after the backup is captured. iOS Forensic Toolkit attempts to automatically apply a temporary password before the extraction, and remove it once the process is finished. The process, however, requires some manual intervention as iOS prompts for a manual entry of the screen lock passcode on the device when setting or removing the backup password. The prompt is only displayed for a limited time. If the prompt expires without user input, the operation will continue without changing or removing the backup password.
The screen lock passcode must be manually entered on the iOS device when assigning and removing the backup password. The procedure is identical regardless of the tool; the same prompt will be displayed if you attempt to change or remove the backup password from iTunes or Finder. The prompt will be displayed on the iPhone for a limited time. If the expert skips the prompt before the extraction, the backup will be created without a password. If, however, the expert skips the prompt displayed after the extraction, the temporary backup password will be left on the device. For this reason, we strongly recommend checking the state of the backup password before and after the extraction, and removing the temporary backup password if one is accidentally left on the device.
Depending on the amount of data, making a local backup may take a while, which makes it possible for the expert to miss the end of the process and correspondingly miss the limited-time prompt on the device. If this happens, the temporary backup password cannot be removed from the device.
If the device you are extracting was previously extracted with a third-party forensic tool, it may have a ‘leftover’ backup password on it.
There are generally three approaches to unknown backup passwords.
iOS Forensic Toolkit as well as other forensic tools may automatically set a temporary password before the extraction. If a temporary password is not removed afterwards, try one of the following passwords:
If none of the passwords match, you may attempt to attack the backup password using Elcomsoft Phone Breaker or Elcomsoft Distributed Password Recovery. For this, produce a password-protected backup first, then open it in the tool of your choice. Since iOS 10.2, Apple hardened security of password-protected backups following the vulnerability discovered in iOS 10.0. A GPU-assisted attack performed on a single computer delivers the speed of up to hundred passwords per second (depending on the GPU), while a CPU-only attack can only try a handful of passwords per minute. For this reason, we can only realistically recommend attacks based on very short, targeted dictionaries.
If you were unable to guess or recover the backup password, we recommend saving a password-protected backup nevertheless. After that, consider resetting the backup password with “Reset All Settings” (not to be confused with “Erase content and settings”, which factory-resets the device).
Since iOS 11, Apple makes it possible to reset the backup password on the iPhone by using the following steps.
The “Reset All Settings” command will erase the following settings:
Please note that the device’s screen lock passcode is also removed when you use the “Reset All Settings” command. Removing the screen lock passcode has multiple important implications as it disables certain iCloud-related features (such as end-to-end encryption and the synchronization of end-to-end encrypted data), erases certain types of data (such as Apple Pay transactions, Exchange downloaded mail and accounts, and more). For this reason, resetting the backup password should be only considered as a last resort.
Build high-performance clusters for breaking passwords faster. Elcomsoft Distributed Password Recovery offers zero-overhead scalability and supports GPU acceleration for faster recovery. Serving forensic experts and government agencies, data recovery services and corporations, Elcomsoft Distributed Password Recovery is here to break the most complex passwords and strong encryption keys within realistic timeframes.
Elcomsoft Distributed Password Recovery official web page & downloads »
Extract critical evidence from Apple iOS devices in real time. Gain access to phone secrets including passwords and encryption keys, and decrypt the file system image with or without the original passcode. Physical and logical acquisition options for all 64-bit devices running all versions of iOS.
Elcomsoft iOS Forensic Toolkit official web page & downloads »
Gain full access to information stored in FileVault 2 containers, iOS, Apple iCloud and Windows Phone devices! Download device backups from Apple iCloud and Microsoft OneDrive servers. Use Apple ID and password or extract binary authentication tokens from computers, hard drives and forensic disk images to download iCloud data without a password. Decrypt iOS backups with GPU-accelerated password recovery.