iPhone 6 A1586 and UFED

(@almrasl)
Posts: 10
Active Member
Topic starter
 

Hello guys, I got 2 unlocked iPhones with no security codes and took a backup with UFED TOUCH; however, Physical Analyzer could not parse the image and asks for an encryption password, while I have not set any password.

I tried to take a backup using iTunes too; it can only take encrypted backups, I cannot untick the option.

Both iPhone 6 are running 10.2.1

Any thoughts?

 
Posted : 20/03/2017 10:06 am
(@dandaman_24)
Posts: 172
Estimable Member
 

Try 1234

 
Posted : 20/03/2017 12:47 pm
(@almrasl)
Posts: 10
Active Member
Topic starter
 

I contacted Cellebrite and they told me the same; unfortunately it did not work.

This is interesting.

 
Posted : 20/03/2017 1:57 pm
SamBrown
(@sambrown)
Posts: 97
Trusted Member
 

The user enabled iTunes backup encryption; this is independent from the passcode.
1234 is the default password which is set by Physical Analyzer if no password has been set by the user and you tick the "encrypt backup" box during the extraction process. So in this case this will not work of course.

As far as I know you have these options

a) Jailbreak it (if possible) and extract data with method 3 in Physical Analyzer. It will not be encrypted.

b) Use Elcomsoft Phone Breaker and try brute forcing the password. Or you can create a list of passwords and throw it in Physical Analyzer if asked for a password.
This probably won't work because Apple changed the password hashing algorithm with iOS 10. Brute forcing is now very very very slow. So basically this is not really working anymore.

c) Ask the owner of the phone for the password

 
Posted : 20/03/2017 5:16 pm
CopyRight
(@copyright)
Posts: 184
Estimable Member
 

Very informative.

 
Posted : 21/03/2017 8:22 am
OxygenForensics
(@oxygenforensics)
Posts: 143
Estimable Member
 

Oxygen Forensic Detective can also help you to find the password to the encrypted iTunes backup. The built-in Passware module uses the latest algorithms and technologies including distributed processing and GPU acceleration with ATI and NVIDIA boards. The software offers various attacks such as brute-force, dictionary, Xieve, etc.

 
Posted : 22/03/2017 11:38 am
Bolo
(@bolo)
Posts: 97
Trusted Member
 

iPhone uses PBKDF/HMAC2-SHA256 (+10 million iterations) and you can BF it with free HashCat - https://hashcat.net/forum/thread-6351.html

 
Posted : 23/03/2017 1:42 am
CopyRight
(@copyright)
Posts: 184
Estimable Member
 

That's really good, I've never used hashcat to break iTunes backup before, do you have commands or a guide so I can try and explore?

Thanks.

 
Posted : 23/03/2017 10:37 am
(@giuseppem)
Posts: 24
Eminent Member
 

> That's really good, I've never used hashcat to break iTunes backup before, do you have commands or a guide so I can try and explore?
>
> Thanks.

@Bolo I'm interested too, and I think I'm not the only one.

 
Posted : 30/03/2017 10:14 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

It doesn't seem that complex to use, after having extracted the hash
https://hashcat.net/forum/thread-6047-post-33257.html#pid33257
https://github.com/philsmd/itunes_backup2hashcat/

jaclaz

 
Posted : 30/03/2017 10:52 pm
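
A triage check for the situation in this thread, added here as an example and not posted by any participant: it reads a backup's Manifest.plist, reports whether `IsEncrypted` is set, and pulls the `ITER` and `DPIC` iteration counts from the `BackupKeyBag` header. The TLV keybag layout and key names come from public descriptions of the backup format, not from the thread; the sample keybag and the helper name `tlv` are constructed for the example.

```python
import plistlib
import struct

def parse_keybag_header(blob: bytes) -> dict:
    """Read keybag TLV records (4-byte tag, 4-byte big-endian length, value)
    up to the first per-class key entry and return the header fields."""
    fields, offset = {}, 0
    while offset + 8 <= len(blob):
        tag = blob[offset:offset + 4].decode("ascii", "replace")
        (length,) = struct.unpack(">I", blob[offset + 4:offset + 8])
        value = blob[offset + 8:offset + 8 + length]
        if len(value) != length:
            raise ValueError(f"truncated {tag} record at offset {offset}")
        if tag == "UUID" and "UUID" in fields:
            break  # a second UUID opens the class-key list; the header is done
        fields[tag] = int.from_bytes(value, "big") if length == 4 else value
        offset += 8 + length
    return fields

def triage_manifest(manifest_bytes: bytes) -> dict:
    """Report whether a backup is encrypted and which KDF work factors it uses."""
    manifest = plistlib.loads(manifest_bytes)  # accepts XML and binary plists
    report = {"encrypted": bool(manifest.get("IsEncrypted", False)),
              "ios_version": manifest.get("Lockdown", {}).get("ProductVersion"),
              "ITER": None, "DPIC": None}  # DPIC stays None if the record is absent
    keybag = manifest.get("BackupKeyBag")
    if report["encrypted"] and keybag:
        header = parse_keybag_header(bytes(keybag))
        report["ITER"], report["DPIC"] = header.get("ITER"), header.get("DPIC")
    return report

def tlv(tag: bytes, value: bytes) -> bytes:
    return tag + struct.pack(">I", len(value)) + value

# Constructed sample (zeroed UUIDs and salts, no real key material). DPIC uses
# the 10 million figure quoted in the thread; VERS and ITER are assumed values.
SAMPLE_KEYBAG = (
    tlv(b"VERS", (4).to_bytes(4, "big")) + tlv(b"TYPE", (1).to_bytes(4, "big"))
    + tlv(b"UUID", bytes(16)) + tlv(b"SALT", bytes(20))
    + tlv(b"ITER", (10_000).to_bytes(4, "big"))
    + tlv(b"DPIC", (10_000_000).to_bytes(4, "big")) + tlv(b"DPSL", bytes(20))
    + tlv(b"UUID", bytes(16)) + tlv(b"CLAS", (1).to_bytes(4, "big"))
)
SAMPLE_MANIFEST = plistlib.dumps({"IsEncrypted": True, "BackupKeyBag": SAMPLE_KEYBAG,
                                  "Lockdown": {"ProductVersion": "10.2.1"}})

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

An `encrypted: True` result on a device with no passcode matches the explanation above that backup encryption is set independently of the passcode.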