Decrypt iOS Keychain


mshibo
Member
 

Decrypt iOS Keychain

Post Posted: Jun 23, 18 12:41

Well, I've been using Elcomsoft to deal with iOS encrypted backups but lately, it doesn't do good work as it can't get even 80% of the passwords and they are still shown encrypted.
So, my question is, what other tool or way to decrypt those passwords?  
 
  

hsiF_cisneroF
Newbie
 

Re: Decrypt iOS Keychain

Post Posted: Jun 27, 18 15:24

Just to confirm, are you talking about decrypting encrypted iTunes backups on a computer or are you talking about decrypting a keychain recorded from an acquisition of a mobile device? How are you using Elcomsoft? What data are you using to decrypt the files? How are you generating the wordlists?

If talking about encrypted iTunes backups, I come across these quite often at work and I have only failed to decrypt one (I've managed to decrypt the other 100+) by finding passwords on the source device (the laptop). Some suggestions to identify passwords:-

- Firefox Profile - I've had quite a lot of success with using passwords from here to decrypt an iTunes backup
- If the source device is a Macbook, have a look at the login.keychain. EnCase7 allows you to decrypt the data of this or there is a great free CLI tool called 'dumpkeychain' which will process the login.keychain.
- Data breach dumps freely available online - you can search these for an email address for the owner of the device and then try the passwords against this
- Use Magnet Forensics' free tool, Wordlist Generator. You do need to have AXIOM to use this though. This will create a dictionary that you can then import into Elcomsoft
 
  

v.katalov
Member
 

Re: Decrypt iOS Keychain

Post Posted: Feb 18, 19 08:15

> mshibo wrote:
> Well, I've been using Elcomsoft to deal with iOS encrypted backups but lately, it doesn't do good work as it can't get even 80% of the passwords and they are still shown encrypted.
> So, my question is, what other tool or way to decrypt those passwords?

The problem is that keychain items may have different security attributes. Some of them are encrypted using backup password only -- and we get them all (and there is no other software that can get more, it is simply not technically possible). The other records use stronger encryption, based on the unique hardware key that is *not* available in backup and can be obtained only from the device itself (though there are many problems here, too).

We recently published the article describing all the methods of keychain extraction and decryption.

blog.elcomsoft.com/201...-keychain/  
 
  

hommy0
Senior Member
 

Re: Decrypt iOS Keychain

Post Posted: Feb 18, 19 10:08

> hsiF_cisneroF wrote:
> - If the source device is a Macbook, have a look at the login.keychain. EnCase7 allows you to decrypt the data of this or there is a great free CLI tool called 'dumpkeychain' which will process the login.keychain.

As well as having dumpkeychain, depending on the version of EnCase 7 you are using, both EnCase 7 and EnCase 8 can decrypt the login keychain. This is actioned by treating it as a compound file (Right Click -> Entries -> View File Structure) and supplying the user's login password (or other password they have used to protect the login keychain).

The contents can then be viewed by clicking on the entry.  
 
