https://github.com/jsharkey13/iphone_backup_decrypt

Decrypt an encrypted iOS backup created by iTunes on Windows or MacOS
https://github.com/jsharkey13/iphone_backup_decrypt

backup decryption forensics ios ios-backup iphone itunes python whatsapp

Last synced: 2 days ago
JSON representation

Decrypt an encrypted iOS backup created by iTunes on Windows or MacOS

• Host: GitHub
• URL: https://github.com/jsharkey13/iphone_backup_decrypt
• Owner: jsharkey13
• License: other
• Created: 2019-11-10T11:20:24.000Z (about 5 years ago)
• Default Branch: master
• Last Pushed: 2024-09-18T15:45:49.000Z (about 2 months ago)
• Last Synced: 2024-11-03T00:06:23.459Z (8 days ago)
• Topics: backup, decryption, forensics, ios, ios-backup, iphone, itunes, python, whatsapp
• Language: Python
• Homepage:
• Size: 69.3 KB
• Stars: 258
• Watchers: 11
• Forks: 43
• Open Issues: 0
• Metadata Files:
  • Readme: README.md
  • License: LICENSE.txt

Awesome Lists containing this project

• awesome-rainmana - jsharkey13/iphone_backup_decrypt - Decrypt an encrypted iOS backup created by iTunes on Windows or MacOS (Python)

README

        
# iphone-backup-decrypt

Decrypt an encrypted, local iPhone backup created from iOS13 or newer.

This code [was based on this StackOverflow answer](https://stackoverflow.com/a/13793043),

itself based on the [iphone-dataprotection](https://code.google.com/p/iphone-dataprotection/) code.

## Install

[![PyPI - Version](https://img.shields.io/pypi/v/iphone-backup-decrypt)](https://pypi.org/project/iphone-backup-decrypt/)

Requires [Python 3.8](https://www.python.org/) or higher.

The backup decryption keys are protected using 10 million rounds of PBKDF2 with SHA256, then 10 thousand further iterations of PBKDF2 with SHA-1.

To speed up decryption, `fastpbkdf2` is desirable; otherwise the code will fall back to using `pycryptodome`'s implementation.

The fallback is ~50% slower at the initial backup decryption step, but does not require the complicated build and install of `fastpbkdf2`.

Install via `pip`:

```shell script

pip install iphone_backup_decrypt

# Optionally:

pip install fastpbkdf2

```

Or if you have Docker, an alternative is to use the pre-built image: `ghcr.io/jsharkey13/iphone_backup_decrypt`. A Command Prompt example might look like: 

```shell

docker run --rm -it ^

    -v "%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]":/backup:ro ^

    -v "%cd%/output":/output ^

    ghcr.io/jsharkey13/iphone_backup_decrypt

```

## Usage

This code decrypts the backup using the passphrase chosen when encrypted backups were enabled in iTunes.

The `relativePath` of the file(s) to be decrypted also needs to be known.

Very common files, like those for the call history or text message databases, can be found in the `RelativePath` class: e.g. use `RelativePath.CALL_HISTORY` instead of the full `Library/CallHistoryDB/CallHistory.storedata`.

More complex matching, particularly for non-unique filenames, may require specifying the `domain` of the files. The `DomainLike` and `MatchFiles` classes contain common domains and domain-path pairings. 

If the relative path is not known, you can manually open the `Manifest.db` SQLite database and explore the `Files` table to find those of interest.

After creating the class, use the `EncryptedBackup.save_manifest_file(...)` method to store a decrypted version.

A minimal example to decrypt and extract some files might look like:

```python

from iphone_backup_decrypt import EncryptedBackup, RelativePath, MatchFiles

passphrase = "..."  # Or load passphrase more securely from stdin, or a file, etc.

backup_path = "%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]"

# Or MacOS: "/Users/[user]/Library/Application Support/MobileSync/Backup/[device-hash]"

backup = EncryptedBackup(backup_directory=backup_path, passphrase=passphrase)

# Extract the call history SQLite database:

backup.extract_file(relative_path=RelativePath.CALL_HISTORY, 

                    output_filename="./output/call_history.sqlite")

# Extract the camera roll, using MatchFiles for combined path and domain matching:

backup.extract_files(**MatchFiles.CAMERA_ROLL, output_folder="./output/camera_roll")

# Extract any iCloud camera roll images on the device (may include thumbnails for some

# but not all images offloaded to the cloud, and have duplicates from the camera roll):

backup.extract_files(**MatchFiles.ICLOUD_PHOTOS, output_folder="./output/icloud_photos")

# Extract WhatsApp SQLite database and attachments:

backup.extract_file(relative_path=RelativePath.WHATSAPP_MESSAGES,

                    output_filename="./output/whatsapp.sqlite")

backup.extract_files(**MatchFiles.WHATSAPP_ATTACHMENTS,

                     output_folder="./output/whatsapp", preserve_folders=False)

# Extract Strava workouts:

backup.extract_files(**MatchFiles.STRAVA_WORKOUTS, output_folder="./output/strava")

```

## Alternatives

This library aims to be minimal, providing only what is necessary to extract encrypted files. There are alternatives which claim to offer similar or more advanced functionality:

 - [KnugiHK/iphone_backup_decrypt](https://github.com/KnugiHK/iphone_backup_decrypt/tree/master), a fork of this library and part of [Whatsapp-Chat-Exporter](https://github.com/KnugiHK/Whatsapp-Chat-Exporter).

 - [jfarley248/iTunes_Backup_Reader](https://github.com/jfarley248/iTunes_Backup_Reader), which uses an older version of this library.

 - [datatags/mount-ios-backup](https://github.com/datatags/mount-ios-backup), which uses an older version of this library.

 - [PeterUpfold/dump-iphone-backup](https://github.com/PeterUpfold/dump-iphone-backup), a wrapper for this library to decrypt a whole backup on the command-line.

 - [avibrazil/iOSbackup](https://github.com/avibrazil/iOSbackup) a similar Python library with a friendlier interface for exploring a backup.

 - [MaxiHuHe04/iTunes-Backup-Explorer](https://github.com/MaxiHuHe04/iTunes-Backup-Explorer), a Java based alternative with a GUI.