# iphone-backup-decrypt
Decrypt an encrypted, local (i.e. non-iCloud), iPhone backup created from iOS13 or newer.
This code is mainly a [wrapper for this StackOverflow answer](https://stackoverflow.com/a/13793043),
itself based on the [iphone-dataprotection](https://code.google.com/p/iphone-dataprotection/) code.
## Install
Requires [Python 3.8](https://www.python.org/) or higher.
The backup decryption keys are protected using 10 million rounds of PBKDF2 with SHA256, then 10 thousand further iterations of PBKDF2 with SHA-1.
To speed up decryption, `fastpbkdf2` is desirable; otherwise the code will fall back to using `pycryptodome`'s implementation.
The fallback is ~50% slower at the initial backup decryption step, but does not require the complicated build and install of `fastpbkdf2`.
Install via `pip`:
```shell script
pip install iphone_backup_decrypt
# Optionally:
pip install fastpbkdf2
```
Or if you have Docker, an alternative is to use the pre-built image: `ghcr.io/jsharkey13/iphone_backup_decrypt`. A Command Prompt example might look like:
```shell
docker run --rm -it ^
-v "%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]":/backup:ro ^
-v "%cd%/output":/output ^
ghcr.io/jsharkey13/iphone_backup_decrypt
```
## Usage
This code decrypts the backup using the passphrase chosen when encrypted backups were enabled in iTunes.
The `relativePath` of the file(s) to be decrypted also needs to be known.
Very common files, like those for the call history or text message databases, can be found in the `RelativePath` class: e.g. use `RelativePath.CALL_HISTORY` instead of the full `Library/CallHistoryDB/CallHistory.storedata`.
More complex matching, particularly for non-unique filenames, may require specifying the `domain` of the files. The `DomainLike` and `MatchFiles` classes contain common domains and domain-path pairings.
If the relative path is not known, you can manually open the `Manifest.db` SQLite database and explore the `Files` table to find those of interest.
After creating the class, use the `EncryptedBackup.save_manifest_file(...)` method to store a decrypted version.
A minimal example to decrypt and extract some files might look like:
```python
from iphone_backup_decrypt import EncryptedBackup, RelativePath, MatchFiles
passphrase = "..." # Or load passphrase more securely from stdin, or a file, etc.
backup_path = "%AppData%\\Apple Computer\\MobileSync\\Backup\\[device-specific-hash]"
backup = EncryptedBackup(backup_directory=backup_path, passphrase=passphrase)
# Extract the call history SQLite database:
backup.extract_file(relative_path=RelativePath.CALL_HISTORY,
output_filename="./output/call_history.sqlite")
# Extract the camera roll, using MatchFiles for combined path and domain matching:
backup.extract_files(**MatchFiles.CAMERA_ROLL, output_folder="./output/camera_roll")
# Extract WhatsApp SQLite database and attachments:
backup.extract_file(relative_path=RelativePath.WHATSAPP_MESSAGES,
output_filename="./output/whatsapp.sqlite")
backup.extract_files(**MatchFiles.WHATSAPP_ATTACHMENTS,
output_folder="./output/whatsapp", preserve_folders=False)
# Extract Strava workouts:
backup.extract_files(**MatchFiles.STRAVA_WORKOUTS, output_folder="./output/strava")
```
## Alternatives
This library aims to be minimal, providing only what is necessary to extract encrypted files. There are alternatives which claim to offer similar or more advanced functionality:
- [KnugiHK/iphone_backup_decrypt](https://github.com/KnugiHK/iphone_backup_decrypt/tree/master), a fork of this library and part of [Whatsapp-Chat-Exporter](https://github.com/KnugiHK/Whatsapp-Chat-Exporter).
- [jfarley248/iTunes_Backup_Reader](https://github.com/jfarley248/iTunes_Backup_Reader), which uses an older version of this library.
- [datatags/mount-ios-backup](https://github.com/datatags/mount-ios-backup), which uses an older version of this library.
- [avibrazil/iOSbackup](https://github.com/avibrazil/iOSbackup) a similar Python library with a friendlier interface for exploring a backup.
- [MaxiHuHe04/iTunes-Backup-Explorer](https://github.com/MaxiHuHe04/iTunes-Backup-Explorer), a Java based alternative with a GUI.
Raw data
{
"_id": null,
"home_page": "",
"name": "iphone-backup-decrypt",
"maintainer": "",
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": "",
"keywords": "iPhone,backup,forensics,iOS,WhatsApp,decryption,iOS backup,iTunes Backup",
"author": "James Sharkey",
"author_email": "",
"download_url": "https://files.pythonhosted.org/packages/00/3a/6a2db781c07069d594d4815f19833094c916cd3cf6f8c046f0e41cd47286/iphone_backup_decrypt-0.6.0.tar.gz",
"platform": null,
"description": "# iphone-backup-decrypt\r\n\r\nDecrypt an encrypted, local (i.e. non-iCloud), iPhone backup created from iOS13 or newer.\r\nThis code is mainly a [wrapper for this StackOverflow answer](https://stackoverflow.com/a/13793043),\r\nitself based on the [iphone-dataprotection](https://code.google.com/p/iphone-dataprotection/) code.\r\n\r\n## Install\r\n\r\nRequires [Python 3.8](https://www.python.org/) or higher.\r\n\r\nThe backup decryption keys are protected using 10 million rounds of PBKDF2 with SHA256, then 10 thousand further iterations of PBKDF2 with SHA-1.\r\nTo speed up decryption, `fastpbkdf2` is desirable; otherwise the code will fall back to using `pycryptodome`'s implementation.\r\nThe fallback is ~50% slower at the initial backup decryption step, but does not require the complicated build and install of `fastpbkdf2`.\r\n\r\nInstall via `pip`:\r\n```shell script\r\npip install iphone_backup_decrypt\r\n# Optionally:\r\npip install fastpbkdf2\r\n```\r\n\r\nOr if you have Docker, an alternative is to use the pre-built image: `ghcr.io/jsharkey13/iphone_backup_decrypt`. A Command Prompt example might look like: \r\n```shell\r\ndocker run --rm -it ^\r\n -v \"%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]\":/backup:ro ^\r\n -v \"%cd%/output\":/output ^\r\n ghcr.io/jsharkey13/iphone_backup_decrypt\r\n```\r\n\r\n## Usage\r\n\r\nThis code decrypts the backup using the passphrase chosen when encrypted backups were enabled in iTunes.\r\n\r\nThe `relativePath` of the file(s) to be decrypted also needs to be known.\r\nVery common files, like those for the call history or text message databases, can be found in the `RelativePath` class: e.g. use `RelativePath.CALL_HISTORY` instead of the full `Library/CallHistoryDB/CallHistory.storedata`.\r\n\r\nMore complex matching, particularly for non-unique filenames, may require specifying the `domain` of the files. The `DomainLike` and `MatchFiles` classes contain common domains and domain-path pairings. \r\n\r\nIf the relative path is not known, you can manually open the `Manifest.db` SQLite database and explore the `Files` table to find those of interest.\r\nAfter creating the class, use the `EncryptedBackup.save_manifest_file(...)` method to store a decrypted version.\r\n\r\nA minimal example to decrypt and extract some files might look like:\r\n```python\r\nfrom iphone_backup_decrypt import EncryptedBackup, RelativePath, MatchFiles\r\n\r\npassphrase = \"...\" # Or load passphrase more securely from stdin, or a file, etc.\r\nbackup_path = \"%AppData%\\\\Apple Computer\\\\MobileSync\\\\Backup\\\\[device-specific-hash]\"\r\n\r\nbackup = EncryptedBackup(backup_directory=backup_path, passphrase=passphrase)\r\n\r\n# Extract the call history SQLite database:\r\nbackup.extract_file(relative_path=RelativePath.CALL_HISTORY, \r\n output_filename=\"./output/call_history.sqlite\")\r\n\r\n# Extract the camera roll, using MatchFiles for combined path and domain matching:\r\nbackup.extract_files(**MatchFiles.CAMERA_ROLL, output_folder=\"./output/camera_roll\")\r\n\r\n# Extract WhatsApp SQLite database and attachments:\r\nbackup.extract_file(relative_path=RelativePath.WHATSAPP_MESSAGES,\r\n output_filename=\"./output/whatsapp.sqlite\")\r\nbackup.extract_files(**MatchFiles.WHATSAPP_ATTACHMENTS,\r\n output_folder=\"./output/whatsapp\", preserve_folders=False)\r\n\r\n# Extract Strava workouts:\r\nbackup.extract_files(**MatchFiles.STRAVA_WORKOUTS, output_folder=\"./output/strava\")\r\n```\r\n\r\n## Alternatives\r\n\r\nThis library aims to be minimal, providing only what is necessary to extract encrypted files. There are alternatives which claim to offer similar or more advanced functionality:\r\n\r\n - [KnugiHK/iphone_backup_decrypt](https://github.com/KnugiHK/iphone_backup_decrypt/tree/master), a fork of this library and part of [Whatsapp-Chat-Exporter](https://github.com/KnugiHK/Whatsapp-Chat-Exporter).\r\n - [jfarley248/iTunes_Backup_Reader](https://github.com/jfarley248/iTunes_Backup_Reader), which uses an older version of this library.\r\n - [datatags/mount-ios-backup](https://github.com/datatags/mount-ios-backup), which uses an older version of this library.\r\n - [avibrazil/iOSbackup](https://github.com/avibrazil/iOSbackup) a similar Python library with a friendlier interface for exploring a backup.\r\n - [MaxiHuHe04/iTunes-Backup-Explorer](https://github.com/MaxiHuHe04/iTunes-Backup-Explorer), a Java based alternative with a GUI.\r\n",
"bugtrack_url": null,
"license": "",
"summary": "Decrypt and extract files from an iOS13+ encrypted local backup.",
"version": "0.6.0",
"project_urls": {
"Homepage": "https://github.com/jsharkey13/iphone_backup_decrypt"
},
"split_keywords": [
"iphone",
"backup",
"forensics",
"ios",
"whatsapp",
"decryption",
"ios backup",
"itunes backup"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "17b0768b34bd491955af8c18d5a1a1e058cb8c3fbcbe6cb382d9d0b05fe93537",
"md5": "55cf397a2bb83f25129ae79e8731f4d9",
"sha256": "07baf6c2df44f262d14b0ce1faa2ee562f7283ec73948392bb2418198a96e701"
},
"downloads": -1,
"filename": "iphone_backup_decrypt-0.6.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "55cf397a2bb83f25129ae79e8731f4d9",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 13293,
"upload_time": "2024-02-10T11:47:39",
"upload_time_iso_8601": "2024-02-10T11:47:39.297211Z",
"url": "https://files.pythonhosted.org/packages/17/b0/768b34bd491955af8c18d5a1a1e058cb8c3fbcbe6cb382d9d0b05fe93537/iphone_backup_decrypt-0.6.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "003a6a2db781c07069d594d4815f19833094c916cd3cf6f8c046f0e41cd47286",
"md5": "933f78dfeded700b49a47b0d35d7b2c5",
"sha256": "f4f14594ec963fc5ec39e246de8046d46e66c83ce742edc77b14a95d77df3ee5"
},
"downloads": -1,
"filename": "iphone_backup_decrypt-0.6.0.tar.gz",
"has_sig": false,
"md5_digest": "933f78dfeded700b49a47b0d35d7b2c5",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 13851,
"upload_time": "2024-02-10T11:47:41",
"upload_time_iso_8601": "2024-02-10T11:47:41.236994Z",
"url": "https://files.pythonhosted.org/packages/00/3a/6a2db781c07069d594d4815f19833094c916cd3cf6f8c046f0e41cd47286/iphone_backup_decrypt-0.6.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-02-10 11:47:41",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "jsharkey13",
"github_project": "iphone_backup_decrypt",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "iphone-backup-decrypt"
}