CN102750495A - System for cracking and restoring iPhone encrypted backup files - Google Patents

Info

Publication number
CN102750495A
Authority
CN
China
Legal status
Pending
Application number
CN2012101874051A
Other languages
Chinese (zh)
Inventor
金星
曹雪芬
孙波
Current Assignee
Beijing Ruian Technology Co Ltd
Original Assignee
Beijing Ruian Technology Co Ltd
Application filed by Beijing Ruian Technology Co Ltd
Priority to CN2012101874051A
Publication of CN102750495A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a system for cracking and restoring iPhone encrypted backup files. The system comprises a graphical user interface (GUI) module, a password cracking module, a backup file restoring module and a keychain checking module. The GUI module handles interaction between the user and the device; the password cracking module is connected to the GUI module and cracks the encrypted files to obtain the cracked password; the backup file restoring module receives the cracked password and restores the encrypted backup files; and the keychain checking module receives the cracked password and examines the data stored in the keychain. The system restores iPhone encrypted backup files directly using the cracked password and thereby obtains the data in the iPhone. It can be integrated into existing mobile phone forensic systems and facilitates evidence collection and case solving by public authorities.

Description

System for cracking and restoring iPhone encrypted backup files
Technical field
The invention belongs to the field of mobile device information security and forensic technology. It relates to a file decryption and restoring system, and in particular to a system that cracks and restores iPhone encrypted backup files. It can remedy the shortcomings of existing mobile phone forensic technology and facilitates evidence collection and case solving by public authorities.
Background technology
With the rapid development of communication technology at home and abroad, mobile devices such as mobile phones are constantly being replaced by newer models; their variety keeps growing, their functions are becoming more powerful, and people depend on them more and more. The mobile phone is the most prominent example and is gradually becoming a personal data management device. However, while mobile phones make life more convenient, the number of cases involving information held on mobile phones keeps rising. For investigators, the data in a suspect's mobile phone may well provide important leads, and many mobile phone forensic devices and systems have been produced as a result.
However, because the iPhone can encrypt the backup of the data on the phone, current mobile phone forensic equipment cannot extract the data of an iPhone normally. The iPhone backup file is encrypted on a computer using the iTunes software, and the encrypted backup file is stored on the computer under a unique path. Once an encrypted backup has been made of an iPhone, the mobile phone forensic system cannot extract the data in the phone, because the files have been converted to an encrypted format that the forensic system cannot process or parse.
Summary of the invention
The object of the invention is to address the above problem in existing mobile phone forensic technology by providing a system for cracking and restoring iPhone encrypted backup files. The system restores the encrypted backup files directly using the cracked password and thereby obtains the data in the phone, remedying the shortcomings of existing mobile phone forensic technology.
To achieve this object, the invention adopts the following technical solution:
A system for cracking and restoring iPhone encrypted backup files, comprising a GUI module, a password cracking module, a backup file restoring module and a keychain checking module;
The GUI module is a graphical user interface used for interaction between the user and the device;
The password cracking module is connected to the GUI module and is used to crack the encrypted file and obtain the cracked password;
The backup file restoring module receives the cracked password from the password cracking module, restores the encrypted backup file and outputs it to the restore path preset by the user;
The keychain checking module receives the cracked password from the password cracking module, examines the data stored in the keychain and feeds it back to the GUI module.
Further, the interaction between the user and the device realized through the GUI module comprises:
Providing the password cracking module with the storage path of the encrypted backup file; setting the restore path of the encrypted backup file; and receiving and displaying data from the password cracking module, the backup file restoring module and the keychain checking module.
Further, the password cracking module uses a brute-force technique to crack the encrypted files of the iPhone.
Further, the backup file restoring module computes the SHA1 of each original file name in the manifest.mbdb file in the backup folder and compares the computed name with the file names in the encrypted format; when a matching file is found, its encrypted-format file name is changed to the original file name.
Further, the password cracking module cracks the password by brute force, as follows: one record in the cracking dictionary is denoted Passcode; the Passcode is passed through the PBKDF2 algorithm to obtain the Passcode key; the Passcode key and the class key ciphertext are passed through the AES Unwrap decryption algorithm to obtain the plaintext class key; an integrity check is performed during AES Unwrap decryption, and if the check succeeds, the Passcode is the cracked password.
Further, the backup file restoring module decrypts the file content as follows: first, the password Passcode obtained by the password cracking module is passed through the PBKDF2 algorithm to obtain the Passcode key; the class key is then obtained through the AES Unwrap decryption algorithm; the AES key ciphertext in the manifest.mbdb file is then decrypted with the AES Unwrap decryption algorithm to obtain the plaintext AES key; finally, the original content of the file is obtained using the plaintext AES key.
Further, the data in the keychain comprises passwords, private keys, digital certificates and encrypted notes.
The object of the invention is to address the above problem in existing mobile phone forensic technology by providing a system for cracking and restoring iPhone encrypted backup files. The system restores the encrypted backup files directly using the cracked password and thereby obtains the data in the phone. It can be integrated into an existing mobile phone forensic system as a subsystem and facilitates evidence collection and case solving by public authorities.
Description of the drawings
Fig. 1 is a schematic diagram of the structure of the system for cracking and restoring iPhone encrypted backup files according to an embodiment of the invention.
Fig. 2 is a flow chart of cracking and restoring an iPhone encrypted backup file in the embodiment of the invention.
Fig. 3 is a schematic diagram of the working principle of the backup file restoring module in Fig. 1.
Embodiment
The invention is described in detail below through a specific embodiment and with reference to the drawings.
The iPhone backup file is encrypted on a computer using the iTunes software, and the encrypted backup file is stored on the computer under a unique path. Once an encrypted backup has been made of an iPhone, the mobile phone forensic system cannot extract the data in the phone, because the files have been converted to an encrypted format that the forensic system cannot process or parse.
Fig. 1 is a schematic diagram of the structure of the system for cracking and restoring iPhone encrypted backup files in this embodiment. As shown in the figure, the system comprises: a GUI module, used for interaction between the computer, the user and the modules; a password cracking module, used to obtain the password of the encrypted backup file; a backup file restoring module, used to restore the original files; and a keychain checking module, used to display the data held in the iPhone's password manager. Of the four modules, the password cracking module, the backup file restoring module and the keychain checking module are each associated with (connected to) the GUI module; in addition, the backup file restoring module and the keychain checking module are each associated with (connected to) the password cracking module.
Fig. 2 is a flow chart of cracking and restoring an iPhone encrypted backup file using the system shown in Fig. 1. The steps are as follows:
1) After entering the system, the user selects, through the GUI module, the path on the computer where the backup file is stored. A single storage path can be provided.
2) The password cracking module is run, and the system attacks the encrypted file in order to crack it.
This module uses a brute-force technique to obtain the password of the iPhone encrypted backup file automatically and quickly. It can crack only iPhone encrypted backup files and not the encrypted files of other mobile devices, because it uses the cracking method specially designed for this invention, as follows:
First, one record in the cracking dictionary (called the Passcode) is passed through the PBKDF2 algorithm (RFC 2898; see www.ietf.org/rfc/rfc2898.txt), whose required parameters are stored in the manifest.plist file of the backup, to obtain the Passcode key. The Passcode key and the class key ciphertext (stored in the manifest.plist file) are then passed through the AES Unwrap decryption algorithm (RFC 3394; see www.ietf.org/rfc/rfc3394.txt) to obtain the plaintext class key. An integrity check is performed during AES Unwrap decryption; if the check succeeds (the criterion for success is given in www.ietf.org/rfc/rfc3394.txt), the Passcode is the final password. If the check fails, the same operation is repeated with the next record, until the check succeeds and the cracked password is obtained.
The password cracking module passes the resulting password to the GUI module, so that it is shown directly to the user, and also passes it to the backup file restoring module.
3) The backup file restoring module receives the password produced by the password cracking module, restores the encrypted-format files to their original file format and generates the backup files under the specified path.
Through this module, multimedia files on the phone such as pictures, video and audio can be browsed directly. The restore path can also be set through the GUI module.
Fig. 3 is a schematic diagram of the working principle of the backup file restoring module in the system. The precondition for restoring the backup file is that the original password of the backup has been obtained (that is, the password obtained with the password cracking module). Restoration involves two operations: changing the file names and decrypting the file content.
On the one hand, once the backup file restoring module is run, it automatically computes the SHA1 (see www.ietf.org/rfc/rfc3174.txt) of each original file name in the manifest.mbdb file in the backup folder and compares the computed name with the file names in the encrypted format; when a matching file is found, its encrypted-format file name is changed to the original file name. On the other hand, the module decrypts the content of the encrypted-format files to obtain the content of the original files. Together, these two operations recover the complete original files.
The file content is decrypted as follows:
First, the password Passcode obtained by the password cracking module is passed through the PBKDF2 algorithm (RFC 2898; see www.ietf.org/rfc/rfc2898.txt) to obtain the Passcode key. The Passcode key is then used with the AES Unwrap decryption algorithm (RFC 3394; see www.ietf.org/rfc/rfc3394.txt) to obtain the class key (plaintext). Finally, the class key is used with the AES Unwrap (RFC 3394) decryption algorithm to decrypt the AES key ciphertext in the manifest.mbdb file, giving the plaintext AES key. This AES key is the final key.
The content of each backup file is the ciphertext obtained by encrypting the original content with the AES key; on restoration, decrypting the ciphertext with the AES key yields the original content of the file.
It must be noted that decrypting the file content is different from the password cracking performed by the password cracking module. The password cracking module uses the entries in the dictionary to decrypt the keybag in the manifest.plist file of the backup; if decryption succeeds, password cracking is complete. This is a different process from the decryption of file content described above.
4) After the backup files have been generated, the keychain checking module displays the various private data held in the keychain, the iPhone's password management system, and feeds it back to the GUI module to be shown to the user.
Keychain is the password management system in Apple's Mac OS. A keychain can contain many types of data: passwords (for websites, SSH accounts, network shares, wireless networks, group mail, encrypted disk images and so on), private keys, digital certificates, encrypted notes and so on. The keychain therefore holds a great deal of account information, and the keychain checking function is provided so that the user can obtain more of the phone's internal data.
The keychain checking module implements the parsing of the keychain file. In the file restoring module, the keychain file (keychain-backup.plist) has already been decrypted from an encrypted file into a normal file (although some of the data in it is still encrypted a second time); on that basis, this module parses out the encrypted private user data stored in the file.
The restoration of the keychain file follows the file restoring module. The parsing process is as follows: the class key obtained by the password cracking module and the encrypted AES key in the keychain-backup.plist file are passed through the AES Unwrap algorithm (RFC 3394) to compute the plaintext AES key; the encrypted data in keychain-backup.plist is then decrypted with the AES key, using AES CBC as the decryption algorithm. This yields the keychain.
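The password check in step 2), the file-key recovery in step 3) and the keychain parsing in step 4) all rest on the RFC 3394 unwrap and its integrity check. The following Go code is an added example, not code from the patent: it implements the unwrap and runs it on the RFC 3394 section 4.1 test vector with the correct key-encryption key and with one bit of that key flipped. The names Unwrap, ErrIntegrity and mustHex are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// rfc3394IV is the default initial value defined by RFC 3394.
// Getting it back after unwrapping is the integrity check.
var rfc3394IV = []byte{0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6, 0xA6}

// ErrIntegrity means the key-encryption key was wrong or the wrapped key was modified.
var ErrIntegrity = errors.New("aes key unwrap: integrity check failed")

// Unwrap performs the RFC 3394 key unwrap (index-based form).
// kek is the key-encryption key (16, 24 or 32 bytes); wrapped is the
// ciphertext, which is 8 bytes longer than the key it protects.
func Unwrap(kek, wrapped []byte) ([]byte, error) {
	if len(wrapped) < 24 || len(wrapped)%8 != 0 {
		return nil, errors.New("aes key unwrap: invalid ciphertext length")
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	n := len(wrapped)/8 - 1                   // number of 64-bit key blocks
	a := binary.BigEndian.Uint64(wrapped[:8]) // register A = C[0]
	r := append([]byte(nil), wrapped[8:]...)  // R[1..n] = C[1..n]
	buf := make([]byte, aes.BlockSize)
	for j := 5; j >= 0; j-- {
		for i := n; i >= 1; i-- {
			t := uint64(n*j + i)
			binary.BigEndian.PutUint64(buf[:8], a^t)
			copy(buf[8:], r[8*(i-1):8*i])
			block.Decrypt(buf, buf) // B = AES^-1(K, (A xor t) | R[i])
			a = binary.BigEndian.Uint64(buf[:8])
			copy(r[8*(i-1):8*i], buf[8:])
		}
	}
	var got [8]byte
	binary.BigEndian.PutUint64(got[:], a)
	if subtle.ConstantTimeCompare(got[:], rfc3394IV) != 1 {
		return nil, ErrIntegrity
	}
	return r, nil
}

// mustHex decodes a hex literal used for the sample data below.
func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

func main() {
	// Sample data: the RFC 3394 section 4.1 test vector (128-bit KEK, 128-bit key).
	kek := mustHex("000102030405060708090a0b0c0d0e0f")
	wrapped := mustHex("1fa68b0a8112b447aef34bd8fb5a7b829d3e862371d2cfe5")

	key, err := Unwrap(kek, wrapped)
	fmt.Printf("correct KEK: key=%x err=%v\n", key, err)

	wrongKEK := append([]byte(nil), kek...)
	wrongKEK[15] ^= 0x01 // one flipped bit in the key-encryption key
	_, err = Unwrap(wrongKEK, wrapped)
	fmt.Printf("wrong KEK:   err=%v\n", err)
}
```

Because the check needs only the wrapped key, a candidate key can be tested without the phone, so the protection of an encrypted backup rests on the strength of its password and on the PBKDF2 parameters.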
The above embodiment is intended only to illustrate the technical solution of the invention, not to limit it. A person of ordinary skill in the art may modify the technical solution of the invention or replace it with equivalents without departing from its spirit and scope; the scope of protection of the invention is defined by the claims.
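The file-name half of the restoration performed by the backup file restoring module (SHA1 of each original name matched against the hashed names in the backup folder) can be shown in a few lines of Go. This is an added example, not code from the patent. It assumes the names are hashed as UTF-8 strings, it copies into the restore path instead of renaming inside the backup folder, and it rejects names that would land outside the restore path; HashedName, Restore, safeTarget and the sample file names are constructed for illustration.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// HashedName returns the name a file carries inside the backup folder:
// the lowercase hex SHA-1 of its original name (assumption: UTF-8 bytes).
func HashedName(original string) string {
	sum := sha1.Sum([]byte(original))
	return hex.EncodeToString(sum[:])
}

// safeTarget maps an original name to a path below root and rejects names
// that would land outside it. The names come from the manifest, which is
// untrusted input.
func safeTarget(root, original string) (string, error) {
	dst := filepath.Join(root, filepath.FromSlash(original))
	rel, err := filepath.Rel(root, dst)
	if err != nil || rel == "." || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("unsafe original name %q", original)
	}
	return dst, nil
}

// Restore copies each backup file whose name is the SHA-1 of an entry in
// originals into restoreDir under the original name. The backup folder is
// only read. It returns hashed name -> restored path, plus the original
// names that were skipped (unsafe, or not present in the backup).
func Restore(backupDir, restoreDir string, originals []string) (map[string]string, []string, error) {
	restored := make(map[string]string)
	var skipped []string
	for _, name := range originals {
		dst, err := safeTarget(restoreDir, name)
		if err != nil {
			skipped = append(skipped, name)
			continue
		}
		hashed := HashedName(name)
		data, err := os.ReadFile(filepath.Join(backupDir, hashed))
		if errors.Is(err, os.ErrNotExist) {
			skipped = append(skipped, name)
			continue
		}
		if err != nil {
			return nil, nil, err
		}
		if err := os.MkdirAll(filepath.Dir(dst), 0o700); err != nil {
			return nil, nil, err
		}
		if err := os.WriteFile(dst, data, 0o600); err != nil {
			return nil, nil, err
		}
		restored[hashed] = dst
	}
	return restored, skipped, nil
}

func main() {
	// Constructed sample: a throwaway backup folder holding two hashed files.
	tmp, err := os.MkdirTemp("", "backup-demo")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(tmp)
	backup, out := filepath.Join(tmp, "backup"), filepath.Join(tmp, "restored")
	os.MkdirAll(backup, 0o700)
	names := []string{"Library/SMS/sms.db", "../escape.txt", "Media/missing.jpg"}
	for _, n := range names[:2] {
		os.WriteFile(filepath.Join(backup, HashedName(n)), []byte("sample"), 0o600)
	}
	restored, skipped, err := Restore(backup, out, names)
	fmt.Println(restored, skipped, err)
}
```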

Claims (8)

1. A system for cracking and restoring iPhone encrypted backup files, comprising a GUI module, a password cracking module, a backup file restoring module and a keychain checking module;
The GUI module is a graphical user interface used for interaction between the user and the device;
The password cracking module is connected to the GUI module and is used to crack the encrypted backup file and obtain the cracked password;
The backup file restoring module receives the cracked password, restores the encrypted backup file and outputs it to the restore path preset by the user;
The keychain checking module receives the cracked password, examines the data stored in the keychain and feeds it back to the GUI module.
2. The system of claim 1, characterized in that the GUI module provides the password cracking module with the storage path of the encrypted backup file.
3. The system of claim 1, characterized in that the GUI module provides the backup file restoring module with the restore path of the encrypted backup file.
4. The system of claim 1, characterized in that the GUI module receives and displays data from the password cracking module, the backup file restoring module and the keychain checking module.
5. The system of claim 1, characterized in that the password cracking module cracks the password by brute force, as follows:
One record in the cracking dictionary is denoted Passcode; the Passcode is passed through the PBKDF2 algorithm to obtain the Passcode key; the Passcode key and the class key ciphertext are passed through the AES Unwrap decryption algorithm to obtain the plaintext class key; an integrity check is performed during AES Unwrap decryption, and if the check succeeds, the Passcode is the cracked password.
6. The system of claim 1, characterized in that the backup file restoring module computes the SHA1 of each original file name in the manifest.mbdb file in the backup folder and compares the computed name with the file names in the encrypted format; when a matching file is found, its encrypted-format file name is changed to the original file name.
7. The system of claim 1, characterized in that the backup file restoring module decrypts the file content as follows:
First, the password Passcode obtained by the password cracking module is passed through the PBKDF2 algorithm to obtain the Passcode key; the class key is then obtained through the AES Unwrap decryption algorithm; the AES key ciphertext in the manifest.mbdb file is then decrypted with the AES Unwrap decryption algorithm to obtain the plaintext AES key; finally, the original content of the file is obtained using the plaintext AES key.
8. The system of claim 1, characterized in that the data in the keychain comprises passwords, private keys, digital certificates and encrypted notes.
Application CN2012101874051A (priority date 2012-06-07, filing date 2012-06-07): System for cracking and restoring iPhone encrypted backup files; status Pending; publication CN102750495A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20121024