# iphone-backup-decrypt
Decrypt an encrypted, local iPhone backup created from iOS13 or newer.
This code [was based on this StackOverflow answer](https://stackoverflow.com/a/13793043),
itself based on the [iphone-dataprotection](https://code.google.com/p/iphone-dataprotection/) code.
## Install
[](https://pypi.org/project/iphone-backup-decrypt/)
Requires [Python 3.8](https://www.python.org/) or higher.
The backup decryption keys are protected using 10 million rounds of PBKDF2 with SHA256, then 10 thousand further iterations of PBKDF2 with SHA-1.
To speed up decryption, `fastpbkdf2` is desirable; otherwise the code will fall back to using `pycryptodome`'s implementation.
The fallback is ~50% slower at the initial backup decryption step, but does not require the complicated build and install of `fastpbkdf2`.
Install via `pip`:
```shell script
pip install iphone_backup_decrypt
# Optionally:
pip install fastpbkdf2
```
Or if you have Docker, an alternative is to use the pre-built image: `ghcr.io/jsharkey13/iphone_backup_decrypt`. A Command Prompt example might look like:
```shell
docker run --rm -it ^
-v "%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]":/backup:ro ^
-v "%cd%/output":/output ^
ghcr.io/jsharkey13/iphone_backup_decrypt
```
## Usage
This code decrypts the backup using the passphrase chosen when encrypted backups were enabled in iTunes.
The `relativePath` of the file(s) to be decrypted also needs to be known.
Very common files, like those for the call history or text message databases, can be found in the `RelativePath` class: e.g. use `RelativePath.CALL_HISTORY` instead of the full `Library/CallHistoryDB/CallHistory.storedata`.
More complex matching, particularly for non-unique filenames, may require specifying the `domain` of the files. The `DomainLike` and `MatchFiles` classes contain common domains and domain-path pairings.
If the relative path is not known, you can manually open the `Manifest.db` SQLite database and explore the `Files` table to find those of interest.
After creating the class, use the `EncryptedBackup.save_manifest_file(...)` method to store a decrypted version.
A minimal example to decrypt and extract some files might look like:
```python
from iphone_backup_decrypt import EncryptedBackup, RelativePath, MatchFiles
passphrase = "..." # Or load passphrase more securely from stdin, or a file, etc.
backup_path = "%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]"
# Or MacOS: "/Users/[user]/Library/Application Support/MobileSync/Backup/[device-hash]"
backup = EncryptedBackup(backup_directory=backup_path, passphrase=passphrase)
# Extract the call history SQLite database:
backup.extract_file(relative_path=RelativePath.CALL_HISTORY,
output_filename="./output/call_history.sqlite")
# Extract the camera roll, using MatchFiles for combined path and domain matching:
backup.extract_files(**MatchFiles.CAMERA_ROLL, output_folder="./output/camera_roll")
# Extract any iCloud camera roll images on the device (may include thumbnails for some
# but not all images offloaded to the cloud, and have duplicates from the camera roll):
backup.extract_files(**MatchFiles.ICLOUD_PHOTOS, output_folder="./output/icloud_photos")
# Extract WhatsApp SQLite database and attachments:
backup.extract_file(relative_path=RelativePath.WHATSAPP_MESSAGES,
output_filename="./output/whatsapp.sqlite")
backup.extract_files(**MatchFiles.WHATSAPP_ATTACHMENTS,
output_folder="./output/whatsapp", preserve_folders=False)
# Extract Strava workouts:
backup.extract_files(**MatchFiles.STRAVA_WORKOUTS, output_folder="./output/strava")
```
## Alternatives
This library aims to be minimal, providing only what is necessary to extract encrypted files. There are alternatives which claim to offer similar or more advanced functionality:
- [KnugiHK/iphone_backup_decrypt](https://github.com/KnugiHK/iphone_backup_decrypt/tree/master), a fork of this library and part of [Whatsapp-Chat-Exporter](https://github.com/KnugiHK/Whatsapp-Chat-Exporter).
- [jfarley248/iTunes_Backup_Reader](https://github.com/jfarley248/iTunes_Backup_Reader), which uses an older version of this library.
- [datatags/mount-ios-backup](https://github.com/datatags/mount-ios-backup), which uses an older version of this library.
- [PeterUpfold/dump-iphone-backup](https://github.com/PeterUpfold/dump-iphone-backup), a wrapper for this library to decrypt a whole backup on the command-line.
- [avibrazil/iOSbackup](https://github.com/avibrazil/iOSbackup) a similar Python library with a friendlier interface for exploring a backup.
- [MaxiHuHe04/iTunes-Backup-Explorer](https://github.com/MaxiHuHe04/iTunes-Backup-Explorer), a Java based alternative with a GUI.
Raw data
{
"_id": null,
"home_page": null,
"name": "iphone-backup-decrypt",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.8",
"maintainer_email": null,
"keywords": "iPhone, backup, forensics, iOS, WhatsApp, decryption, iOS backup, iTunes Backup",
"author": "James Sharkey",
"author_email": null,
"download_url": "https://files.pythonhosted.org/packages/6f/e7/bcdacdec21d628122ba240e7f742ab2175149e58672be63af55ff37a0f28/iphone_backup_decrypt-0.9.0.tar.gz",
"platform": null,
"description": "# iphone-backup-decrypt\r\n\r\nDecrypt an encrypted, local iPhone backup created from iOS13 or newer.\r\nThis code [was based on this StackOverflow answer](https://stackoverflow.com/a/13793043),\r\nitself based on the [iphone-dataprotection](https://code.google.com/p/iphone-dataprotection/) code.\r\n\r\n## Install\r\n\r\n[](https://pypi.org/project/iphone-backup-decrypt/)\r\n\r\nRequires [Python 3.8](https://www.python.org/) or higher.\r\n\r\nThe backup decryption keys are protected using 10 million rounds of PBKDF2 with SHA256, then 10 thousand further iterations of PBKDF2 with SHA-1.\r\nTo speed up decryption, `fastpbkdf2` is desirable; otherwise the code will fall back to using `pycryptodome`'s implementation.\r\nThe fallback is ~50% slower at the initial backup decryption step, but does not require the complicated build and install of `fastpbkdf2`.\r\n\r\nInstall via `pip`:\r\n```shell script\r\npip install iphone_backup_decrypt\r\n# Optionally:\r\npip install fastpbkdf2\r\n```\r\n\r\nOr if you have Docker, an alternative is to use the pre-built image: `ghcr.io/jsharkey13/iphone_backup_decrypt`. A Command Prompt example might look like: \r\n```shell\r\ndocker run --rm -it ^\r\n -v \"%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]\":/backup:ro ^\r\n -v \"%cd%/output\":/output ^\r\n ghcr.io/jsharkey13/iphone_backup_decrypt\r\n```\r\n\r\n## Usage\r\n\r\nThis code decrypts the backup using the passphrase chosen when encrypted backups were enabled in iTunes.\r\n\r\nThe `relativePath` of the file(s) to be decrypted also needs to be known.\r\nVery common files, like those for the call history or text message databases, can be found in the `RelativePath` class: e.g. use `RelativePath.CALL_HISTORY` instead of the full `Library/CallHistoryDB/CallHistory.storedata`.\r\n\r\nMore complex matching, particularly for non-unique filenames, may require specifying the `domain` of the files. The `DomainLike` and `MatchFiles` classes contain common domains and domain-path pairings. \r\n\r\nIf the relative path is not known, you can manually open the `Manifest.db` SQLite database and explore the `Files` table to find those of interest.\r\nAfter creating the class, use the `EncryptedBackup.save_manifest_file(...)` method to store a decrypted version.\r\n\r\nA minimal example to decrypt and extract some files might look like:\r\n```python\r\nfrom iphone_backup_decrypt import EncryptedBackup, RelativePath, MatchFiles\r\n\r\npassphrase = \"...\" # Or load passphrase more securely from stdin, or a file, etc.\r\nbackup_path = \"%AppData%/Apple Computer/MobileSync/Backup/[device-specific-hash]\"\r\n# Or MacOS: \"/Users/[user]/Library/Application Support/MobileSync/Backup/[device-hash]\"\r\n\r\nbackup = EncryptedBackup(backup_directory=backup_path, passphrase=passphrase)\r\n\r\n# Extract the call history SQLite database:\r\nbackup.extract_file(relative_path=RelativePath.CALL_HISTORY, \r\n output_filename=\"./output/call_history.sqlite\")\r\n\r\n# Extract the camera roll, using MatchFiles for combined path and domain matching:\r\nbackup.extract_files(**MatchFiles.CAMERA_ROLL, output_folder=\"./output/camera_roll\")\r\n\r\n# Extract any iCloud camera roll images on the device (may include thumbnails for some\r\n# but not all images offloaded to the cloud, and have duplicates from the camera roll):\r\nbackup.extract_files(**MatchFiles.ICLOUD_PHOTOS, output_folder=\"./output/icloud_photos\")\r\n\r\n# Extract WhatsApp SQLite database and attachments:\r\nbackup.extract_file(relative_path=RelativePath.WHATSAPP_MESSAGES,\r\n output_filename=\"./output/whatsapp.sqlite\")\r\nbackup.extract_files(**MatchFiles.WHATSAPP_ATTACHMENTS,\r\n output_folder=\"./output/whatsapp\", preserve_folders=False)\r\n\r\n# Extract Strava workouts:\r\nbackup.extract_files(**MatchFiles.STRAVA_WORKOUTS, output_folder=\"./output/strava\")\r\n```\r\n\r\n## Alternatives\r\n\r\nThis library aims to be minimal, providing only what is necessary to extract encrypted files. There are alternatives which claim to offer similar or more advanced functionality:\r\n\r\n - [KnugiHK/iphone_backup_decrypt](https://github.com/KnugiHK/iphone_backup_decrypt/tree/master), a fork of this library and part of [Whatsapp-Chat-Exporter](https://github.com/KnugiHK/Whatsapp-Chat-Exporter).\r\n - [jfarley248/iTunes_Backup_Reader](https://github.com/jfarley248/iTunes_Backup_Reader), which uses an older version of this library.\r\n - [datatags/mount-ios-backup](https://github.com/datatags/mount-ios-backup), which uses an older version of this library.\r\n - [PeterUpfold/dump-iphone-backup](https://github.com/PeterUpfold/dump-iphone-backup), a wrapper for this library to decrypt a whole backup on the command-line.\r\n - [avibrazil/iOSbackup](https://github.com/avibrazil/iOSbackup) a similar Python library with a friendlier interface for exploring a backup.\r\n - [MaxiHuHe04/iTunes-Backup-Explorer](https://github.com/MaxiHuHe04/iTunes-Backup-Explorer), a Java based alternative with a GUI.\r\n",
"bugtrack_url": null,
"license": null,
"summary": "Decrypt and extract files from an iOS13+ encrypted local backup.",
"version": "0.9.0",
"project_urls": {
"Homepage": "https://github.com/jsharkey13/iphone_backup_decrypt"
},
"split_keywords": [
"iphone",
" backup",
" forensics",
" ios",
" whatsapp",
" decryption",
" ios backup",
" itunes backup"
],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "b89464a31be93f72e0a254bde68e4cf7d24aef37a0a985754a197fa1b028a665",
"md5": "d83f2836fc04ceca930ddd9051c74644",
"sha256": "55b5adfafac757f58aa6444b83a4cc2c20cdd699c6ff1d2f4b549936a5dad92c"
},
"downloads": -1,
"filename": "iphone_backup_decrypt-0.9.0-py3-none-any.whl",
"has_sig": false,
"md5_digest": "d83f2836fc04ceca930ddd9051c74644",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.8",
"size": 15767,
"upload_time": "2024-09-18T15:50:10",
"upload_time_iso_8601": "2024-09-18T15:50:10.537139Z",
"url": "https://files.pythonhosted.org/packages/b8/94/64a31be93f72e0a254bde68e4cf7d24aef37a0a985754a197fa1b028a665/iphone_backup_decrypt-0.9.0-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "6fe7bcdacdec21d628122ba240e7f742ab2175149e58672be63af55ff37a0f28",
"md5": "8804c65429b9034f25c3c3555c459e6f",
"sha256": "13b18fef3c8e3af627914f8c1a429bbc5555dfb0505239ba49efe99984cc0c96"
},
"downloads": -1,
"filename": "iphone_backup_decrypt-0.9.0.tar.gz",
"has_sig": false,
"md5_digest": "8804c65429b9034f25c3c3555c459e6f",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.8",
"size": 16125,
"upload_time": "2024-09-18T15:50:12",
"upload_time_iso_8601": "2024-09-18T15:50:12.179472Z",
"url": "https://files.pythonhosted.org/packages/6f/e7/bcdacdec21d628122ba240e7f742ab2175149e58672be63af55ff37a0f28/iphone_backup_decrypt-0.9.0.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-09-18 15:50:12",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "jsharkey13",
"github_project": "iphone_backup_decrypt",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"lcname": "iphone-backup-decrypt"
}
JSON
