:py:mod:`dissect.target.loaders.itunes` ======================================= .. py:module:: dissect.target.loaders.itunes Module Contents --------------- Classes ~~~~~~~ .. autoapisummary:: dissect.target.loaders.itunes.ITunesLoader dissect.target.loaders.itunes.ITunesBackup dissect.target.loaders.itunes.FileInfo dissect.target.loaders.itunes.KeyBag dissect.target.loaders.itunes.ClassKey Functions ~~~~~~~~~ .. autoapisummary:: :nosignatures: dissect.target.loaders.itunes.translate_file_path dissect.target.loaders.itunes.parse_key_bag dissect.target.loaders.itunes.aes_decrypt dissect.target.loaders.itunes.aes_unwrap_key Attributes ~~~~~~~~~~ .. autoapisummary:: dissect.target.loaders.itunes.HAS_PYSTANDALONE dissect.target.loaders.itunes.HAS_CRYPTO dissect.target.loaders.itunes.DOMAIN_TRANSLATION .. py:data:: HAS_PYSTANDALONE :value: True .. py:data:: HAS_CRYPTO :value: True .. py:data:: DOMAIN_TRANSLATION .. py:class:: ITunesLoader(path: pathlib.Path, **kwargs) Bases: :py:obj:`dissect.target.loader.Loader` Load iTunes backup files. .. rubric:: References - https://support.apple.com/en-us/HT204215 .. py:method:: detect(path: pathlib.Path) -> bool :staticmethod: Detects wether this ``Loader`` class can load this specific ``path``. :param path: The target path to check. :returns: ``True`` if the ``path`` can be loaded by a ``Loader`` instance. ``False`` otherwise. .. py:method:: map(target: dissect.target.target.Target) -> None Maps the loaded path into a ``Target``. :param target: The target that we're mapping into. .. py:class:: ITunesBackup(root: pathlib.Path) Parse a directory as an iTunes backup directory. .. py:property:: identifier :type: str .. py:method:: open(password: Optional[str] = None, kek: Optional[bytes] = None) -> None Open the backup. Opens the Manifest.db file. Requires a password if the backup is encrypted. :param password: Optional backup password if the backup is encrypted. :param kek: Optional kek if the password is unknown, but the derived key is known. .. py:method:: derive_key(password: str) -> bytes Derive the key bag encryption key from a given password. .. py:method:: files() -> Iterator[FileInfo] Iterate all the files in this backup. .. py:class:: FileInfo(backup: ITunesBackup, file_id: str, domain: str, relative_path: str, flags: int, metadata: bytes) Utility class that represents a file in a iTunes backup. .. py:property:: mode :type: int .. py:property:: size :type: int .. py:property:: encryption_key :type: Optional[str] .. py:method:: __repr__() -> str Return repr(self). .. py:method:: get() -> pathlib.Path Return a Path object to the underlying file. .. py:method:: create_cipher() Return a new AES cipher for this file. .. py:class:: KeyBag(buf: bytes) Parse and implements a simple key bag. .. py:method:: unlock_with_passcode_key(key: bytes) -> None Attempt to unlock the passcode protected keys in this key bag with the given decryption key. .. py:method:: unwrap(key: bytes) -> bytes Unwrap a given key. Wrapped keys are prefixed with a 32bit protection class. .. py:class:: ClassKey(uuid: bytes, protection_class: int, wrap_type: int, key_type: int, wrapped_key: bytes, public_key: Optional[bytes] = None) Represent a class key that is stored in a key bag. .. py:property:: unwrapped :type: bool Return whether this key is already unwrapped. .. py:attribute:: WRAP_PASSCODE :value: 2 .. py:method:: from_bag_dict(data: dict[str, Union[bytes, int]]) -> ClassKey :classmethod: .. py:method:: unwrap(kek: bytes) -> None Attempt to unwrap this key. .. py:function:: translate_file_path(domain: str, relative_path: str) -> str Translate a domain and relative path (as stored in iTunes backups) to an absolute path on an iOS device. .. py:function:: parse_key_bag(buf: bytes) -> tuple[dict[str, bytes, int], dict[str, ClassKey]] Parse the BackupKeyBag buffer. Simple TLV format. .. py:function:: aes_decrypt(data: bytes, key: bytes, iv: bytes = b'\x00' * 16) -> bytes Helper function to easily decrypt some data with a default IV. .. py:function:: aes_unwrap_key(kek: bytes, wrapped: bytes, iv: int = 12008468691120727718) -> bytes AES key unwrapping algorithm. Derived from https://github.com/kurtbrose/aes_keywrap/blob/master/aes_keywrap.py