dissect.target.loaders.itunes
#
Module Contents#
Classes#
A base class for loading a specific path and coupling it to a |
|
Parse a directory as an iTunes backup directory. |
|
Utility class that represents a file in a iTunes backup. |
|
Parse and implements a simple key bag. |
|
Represent a class key that is stored in a key bag. |
Functions#
Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device. |
|
Parse the BackupKeyBag buffer. Simple TLV format. |
|
Helper function to easily decrypt some data with a default IV. |
|
AES key unwrapping algorithm. |
Attributes#
- dissect.target.loaders.itunes.HAS_PYSTANDALONE = True#
- dissect.target.loaders.itunes.HAS_PYCRYPTODOME = True#
- dissect.target.loaders.itunes.DOMAIN_TRANSLATION#
- class dissect.target.loaders.itunes.ITunesLoader(path, **kwargs)#
Bases:
dissect.target.loader.Loader
A base class for loading a specific path and coupling it to a
Target
.Implementors of this class are responsible for mapping any type of source data to a
Target
. Whether that’s to map all VMDK files from a VMX or mapping the contents of a zip file to a virtual filesystem, if it’s something that can be translated to a “disk”, “volume” or “filesystem”, you can write a loader that maps it into a target.You can do anything you want to manipulate the
Target
object in yourmap
function, but generally you do one of the following:open a
Container
and add it totarget.disks
.open a
Volume
and add it totarget.volumes
.open a
VirtualFilesystem
, add your files into it and add it totarget.filesystems
.
You don’t need to manually parse volumes or filesystems in your loader, just add the highest level object you have (e.g. a
Container
of a VMDK file) to the target. However, sometimes you need to get creative. Take a look at theITunesLoader
andTarLoader
for some creative examples.- Parameters:
path – The target path to load.
- static detect(path)#
Detects wether this
Loader
class can load this specificpath
.- Parameters:
path – The target path to check.
- Returns:
True
if thepath
can be loaded by aLoader
instance.False
otherwise.
- map(target)#
Maps the loaded path into a
Target
.- Parameters:
target – The target that we’re mapping into.
- class dissect.target.loaders.itunes.ITunesBackup(root)#
Parse a directory as an iTunes backup directory.
- property identifier#
- open(password=None, kek=None)#
Open the backup.
Opens the Manifest.db file. Requires a password if the backup is encrypted.
- derive_key(password)#
Derive the key bag encryption key from a given password.
- files()#
Iterate all the files in this backup.
- class dissect.target.loaders.itunes.FileInfo(backup, file_id, domain, relative_path, flags, metadata)#
Utility class that represents a file in a iTunes backup.
- property mode#
- property size#
- property encryption_key#
- __repr__()#
Return repr(self).
- get()#
Return a Path object to the underlying file.
- create_cipher()#
Return a new AES cipher for this file.
- class dissect.target.loaders.itunes.KeyBag(buf)#
Parse and implements a simple key bag.
- unlock_with_passcode_key(key: bytes)#
Attempt to unlock the passcode protected keys in this key bag with the given decryption key.
- unwrap(key)#
Unwrap a given key.
Wrapped keys are prefixed with a 32bit protection class.
- class dissect.target.loaders.itunes.ClassKey(uuid, protection_class, wrap_type, key_type, wrapped_key, public_key=None)#
Represent a class key that is stored in a key bag.
- property unwrapped#
Return whether this key is already unwrapped.
- WRAP_PASSCODE = 2#
- classmethod from_bag_dict(data)#
- unwrap(kek)#
Attempt to unwrap this key.
- dissect.target.loaders.itunes.translate_file_path(domain, relative_path)#
Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device.
- dissect.target.loaders.itunes.parse_key_bag(buf: bytes)#
Parse the BackupKeyBag buffer. Simple TLV format.
- dissect.target.loaders.itunes.aes_decrypt(data, key, iv=b'\x00' * 16)#
Helper function to easily decrypt some data with a default IV.
- dissect.target.loaders.itunes.aes_unwrap_key(kek, wrapped, iv=12008468691120727718)#
AES key unwrapping algorithm.
Derived from https://github.com/kurtbrose/aes_keywrap/blob/master/aes_keywrap.py