dissect.target.loaders.itunes#

Module Contents#

Classes#

ITunesLoader

A base class for loading a specific path and coupling it to a Target.

ITunesBackup

Parse a directory as an iTunes backup directory.

FileInfo

Utility class that represents a file in a iTunes backup.

KeyBag

Parse and implements a simple key bag.

ClassKey

Represent a class key that is stored in a key bag.

Functions#

translate_file_path

Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device.

parse_key_bag

Parse the BackupKeyBag buffer. Simple TLV format.

aes_decrypt

Helper function to easily decrypt some data with a default IV.

aes_unwrap_key

AES key unwrapping algorithm.

Attributes#

dissect.target.loaders.itunes.HAS_PYSTANDALONE = True#
dissect.target.loaders.itunes.HAS_PYCRYPTODOME = True#
dissect.target.loaders.itunes.DOMAIN_TRANSLATION#
class dissect.target.loaders.itunes.ITunesLoader(path, **kwargs)#

Bases: dissect.target.loader.Loader

A base class for loading a specific path and coupling it to a Target.

Implementors of this class are responsible for mapping any type of source data to a Target. Whether that’s to map all VMDK files from a VMX or mapping the contents of a zip file to a virtual filesystem, if it’s something that can be translated to a “disk”, “volume” or “filesystem”, you can write a loader that maps it into a target.

You can do anything you want to manipulate the Target object in your map function, but generally you do one of the following:

  • open a Container and add it to target.disks.

  • open a Volume and add it to target.volumes.

  • open a VirtualFilesystem, add your files into it and add it to target.filesystems.

You don’t need to manually parse volumes or filesystems in your loader, just add the highest level object you have (e.g. a Container of a VMDK file) to the target. However, sometimes you need to get creative. Take a look at the ITunesLoader and TarLoader for some creative examples.

Parameters:

path – The target path to load.

static detect(path)#

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target)#

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.

class dissect.target.loaders.itunes.ITunesBackup(root)#

Parse a directory as an iTunes backup directory.

property identifier#
open(password=None, kek=None)#

Open the backup.

Opens the Manifest.db file. Requires a password if the backup is encrypted.

derive_key(password)#

Derive the key bag encryption key from a given password.

files()#

Iterate all the files in this backup.

class dissect.target.loaders.itunes.FileInfo(backup, file_id, domain, relative_path, flags, metadata)#

Utility class that represents a file in a iTunes backup.

property mode#
property size#
property encryption_key#
__repr__()#

Return repr(self).

get()#

Return a Path object to the underlying file.

create_cipher()#

Return a new AES cipher for this file.

class dissect.target.loaders.itunes.KeyBag(buf)#

Parse and implements a simple key bag.

unlock_with_passcode_key(key: bytes)#

Attempt to unlock the passcode protected keys in this key bag with the given decryption key.

unwrap(key)#

Unwrap a given key.

Wrapped keys are prefixed with a 32bit protection class.

class dissect.target.loaders.itunes.ClassKey(uuid, protection_class, wrap_type, key_type, wrapped_key, public_key=None)#

Represent a class key that is stored in a key bag.

property unwrapped#

Return whether this key is already unwrapped.

WRAP_PASSCODE = 2#
classmethod from_bag_dict(data)#
unwrap(kek)#

Attempt to unwrap this key.

dissect.target.loaders.itunes.translate_file_path(domain, relative_path)#

Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device.

dissect.target.loaders.itunes.parse_key_bag(buf: bytes)#

Parse the BackupKeyBag buffer. Simple TLV format.

dissect.target.loaders.itunes.aes_decrypt(data, key, iv=b'\x00' * 16)#

Helper function to easily decrypt some data with a default IV.

dissect.target.loaders.itunes.aes_unwrap_key(kek, wrapped, iv=12008468691120727718)#

AES key unwrapping algorithm.

Derived from https://github.com/kurtbrose/aes_keywrap/blob/master/aes_keywrap.py