dissect.target.loaders.itunes
#
Module Contents#
Classes#
Load iTunes backup files. |
|
Parse a directory as an iTunes backup directory. |
|
Utility class that represents a file in a iTunes backup. |
|
Parse and implements a simple key bag. |
|
Represent a class key that is stored in a key bag. |
Functions#
Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device. |
|
Parse the BackupKeyBag buffer. Simple TLV format. |
|
Helper function to easily decrypt some data with a default IV. |
|
AES key unwrapping algorithm. |
Attributes#
- dissect.target.loaders.itunes.HAS_PYSTANDALONE = True#
- dissect.target.loaders.itunes.HAS_PYCRYPTODOME = True#
- dissect.target.loaders.itunes.DOMAIN_TRANSLATION#
- class dissect.target.loaders.itunes.ITunesLoader(path: pathlib.Path, **kwargs)#
Bases:
dissect.target.loader.Loader
Load iTunes backup files.
References
- static detect(path: pathlib.Path) bool #
Detects wether this
Loader
class can load this specificpath
.- Parameters:
path – The target path to check.
- Returns:
True
if thepath
can be loaded by aLoader
instance.False
otherwise.
- map(target: dissect.target.target.Target) None #
Maps the loaded path into a
Target
.- Parameters:
target – The target that we’re mapping into.
- class dissect.target.loaders.itunes.ITunesBackup(root: pathlib.Path)#
Parse a directory as an iTunes backup directory.
- property identifier: str#
- open(password: str | None = None, kek: bytes | None = None) None #
Open the backup.
Opens the Manifest.db file. Requires a password if the backup is encrypted.
- Parameters:
password – Optional backup password if the backup is encrypted.
kek – Optional kek if the password is unknown, but the derived key is known.
- class dissect.target.loaders.itunes.FileInfo(backup: ITunesBackup, file_id: str, domain: str, relative_path: str, flags: int, metadata: bytes)#
Utility class that represents a file in a iTunes backup.
- property mode: int#
- property size: int#
- property encryption_key: str | None#
- __repr__() str #
Return repr(self).
- get() pathlib.Path #
Return a Path object to the underlying file.
- create_cipher()#
Return a new AES cipher for this file.
- class dissect.target.loaders.itunes.KeyBag(buf: bytes)#
Parse and implements a simple key bag.
- class dissect.target.loaders.itunes.ClassKey(uuid: bytes, protection_class: int, wrap_type: int, key_type: int, wrapped_key: bytes, public_key: bytes | None = None)#
Represent a class key that is stored in a key bag.
- property unwrapped: bool#
Return whether this key is already unwrapped.
- WRAP_PASSCODE = 2#
- dissect.target.loaders.itunes.translate_file_path(domain: str, relative_path: str) str #
Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device.
- dissect.target.loaders.itunes.parse_key_bag(buf: bytes) tuple[dict[str, bytes, int], dict[str, ClassKey]] #
Parse the BackupKeyBag buffer. Simple TLV format.
- dissect.target.loaders.itunes.aes_decrypt(data: bytes, key: bytes, iv: bytes = b'\x00' * 16) bytes #
Helper function to easily decrypt some data with a default IV.
- dissect.target.loaders.itunes.aes_unwrap_key(kek: bytes, wrapped: bytes, iv: int = 12008468691120727718) bytes #
AES key unwrapping algorithm.
Derived from https://github.com/kurtbrose/aes_keywrap/blob/master/aes_keywrap.py