dissect.target.loaders.itunes

Module Contents

Classes

ITunesLoader	Load iTunes backup files.
ITunesBackup	Parse a directory as an iTunes backup directory.
FileInfo	Utility class that represents a file in a iTunes backup.
KeyBag	Parse and implements a simple key bag.
ClassKey	Represent a class key that is stored in a key bag.

Functions

translate_file_path	Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device.
parse_key_bag	Parse the BackupKeyBag buffer. Simple TLV format.
aes_decrypt	Helper function to easily decrypt some data with a default IV.
aes_unwrap_key	AES key unwrapping algorithm.

Attributes

HAS_PYSTANDALONE
HAS_PYCRYPTODOME
DOMAIN_TRANSLATION

dissect.target.loaders.itunes.HAS_PYSTANDALONE = True

dissect.target.loaders.itunes.HAS_PYCRYPTODOME = True

dissect.target.loaders.itunes.DOMAIN_TRANSLATION

class dissect.target.loaders.itunes.ITunesLoader(path: pathlib.Path, **kwargs)

Bases: dissect.target.loader.Loader

Load iTunes backup files.

References

• https://support.apple.com/en-us/HT204215

static detect(path: pathlib.Path) → bool

Detects wether this Loader class can load this specific path.

Parameters:

path – The target path to check.

Returns:

True if the path can be loaded by a Loader instance. False otherwise.

map(target: dissect.target.target.Target) → None

Maps the loaded path into a Target.

Parameters:

target – The target that we’re mapping into.

class dissect.target.loaders.itunes.ITunesBackup(root: pathlib.Path)

Parse a directory as an iTunes backup directory.

property identifier: str

open(password: str | None = None, kek: bytes | None = None) → None

Open the backup.

Opens the Manifest.db file. Requires a password if the backup is encrypted.

Parameters:

• password – Optional backup password if the backup is encrypted.

• kek – Optional kek if the password is unknown, but the derived key is known.

derive_key(password: str) → bytes

Derive the key bag encryption key from a given password.

files() → Iterator[FileInfo]

Iterate all the files in this backup.

class dissect.target.loaders.itunes.FileInfo(backup: ITunesBackup, file_id: str, domain: str, relative_path: str, flags: int, metadata: bytes)

Utility class that represents a file in a iTunes backup.

property mode: int

property size: int

property encryption_key: str | None

__repr__() → str

Return repr(self).

get() → pathlib.Path

Return a Path object to the underlying file.

create_cipher()

Return a new AES cipher for this file.

class dissect.target.loaders.itunes.KeyBag(buf: bytes)

Parse and implements a simple key bag.

unlock_with_passcode_key(key: bytes) → None

Attempt to unlock the passcode protected keys in this key bag with the given decryption key.

unwrap(key: bytes) → bytes

Unwrap a given key.

Wrapped keys are prefixed with a 32bit protection class.

class dissect.target.loaders.itunes.ClassKey(uuid: bytes, protection_class: int, wrap_type: int, key_type: int, wrapped_key: bytes, public_key: bytes | None = None)

Represent a class key that is stored in a key bag.

property unwrapped: bool

Return whether this key is already unwrapped.

WRAP_PASSCODE = 2

classmethod from_bag_dict(data: dict[str, bytes | int]) → ClassKey

unwrap(kek: bytes) → None

Attempt to unwrap this key.

dissect.target.loaders.itunes.translate_file_path(domain: str, relative_path: str) → str

Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device.

dissect.target.loaders.itunes.parse_key_bag(buf: bytes) → tuple[dict[str, bytes, int], dict[str, ClassKey]]

Parse the BackupKeyBag buffer. Simple TLV format.

dissect.target.loaders.itunes.aes_decrypt(data: bytes, key: bytes, iv: bytes = b'\x00' * 16) → bytes

Helper function to easily decrypt some data with a default IV.

dissect.target.loaders.itunes.aes_unwrap_key(kek: bytes, wrapped: bytes, iv: int = 12008468691120727718) → bytes

AES key unwrapping algorithm.

Derived from https://github.com/kurtbrose/aes_keywrap/blob/master/aes_keywrap.py