Encrypted Backup Password and PIN Code – Not the Same Thing
Here’s a common misconception that can lead to some frustration in iPhone and iPad investigations: What is a device’s “encrypted backup password”? Is that simply another name for the PIN code?
In fact, for iOS devices, the encrypted backup password is a completely separate thing from the user’s PIN code on the device.
What Is an Encrypted Backup Password?
The encrypted backup password is a password that a user sets in iTunes when backing up his or her device to a computer. If the user checks the Encrypt iPhone backup checkbox, this sets a flag on the device that tells it to encrypt all future backups with a password. Once this is done, the user doesn’t have to enter the password again (except if and when restoring a backup or disabling the checkbox), so it is easy to forget this password.
When the user first checks the checkbox, the user is prompted to create a password.
Once this setting is enabled, all future backups will be encrypted with this password.
Part of the logical acquisition process in BlackLight and Mobilyze uses Apple’s backup function to create an iTunes backup from the device. If encrypted backups are enabled, BlackLight or Mobilyze will prompt the user for the encrypted backup password in order to acquire and decrypt the backup. The backup function collects the majority of the core data (SMS, call history, contacts, etc.). Without the backup password, only ancillary data will be available for collection: media and some third-party application data.
To acquire data without the backup, start the acquisition in BlackLight or Mobilyze and select Skip when prompted for the encrypted backup password. BlackLight or Mobilyze will acquire everything it can outside of the backup, which, as of iOS 8, isn’t much. (The ancillary data functions no longer have access to much of the file system. For a more in-depth explanation, see the archived blog entry iOS 8 and Its Impact on Investigations.)
On rare occasions (according to Apple’s community forums), this password can accidentally be set by the user during a major firmware upgrade through iTunes.
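The separation between the two settings is visible in an existing iTunes backup folder on the computer, because Manifest.plist records the backup encryption flag and the passcode state as independent values. The following is an added example, not code from the original post or from BlackLight or Mobilyze; the key names IsEncrypted, WasPasscodeSet and Lockdown/DeviceName come from the iTunes backup format rather than from this article, and the folder names and sample values are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def triage_backup(backup_dir):
    """Read the encryption and passcode flags recorded in one backup folder."""
    backup_dir = Path(backup_dir)
    try:
        with (backup_dir / "Manifest.plist").open("rb") as fh:
            manifest = plistlib.load(fh)  # accepts XML and binary plists
    except (OSError, ValueError, ExpatError) as exc:
        # Missing or damaged manifest: report it instead of guessing a state.
        return {"backup": backup_dir.name, "error": type(exc).__name__}
    lockdown = manifest.get("Lockdown", {})
    return {
        "backup": backup_dir.name,
        "device": lockdown.get("DeviceName"),
        # None means the key is absent, which is not the same as False.
        "encrypted": manifest.get("IsEncrypted"),
        "passcode_set": manifest.get("WasPasscodeSet"),
    }

def triage_backup_root(root):
    """Triage every backup folder under a MobileSync-style backup root."""
    return [triage_backup(p) for p in sorted(Path(root).iterdir()) if p.is_dir()]

def make_constructed_backups(root):
    """Write constructed sample backups (not real evidence) for the demo."""
    samples = {
        "aaaa-constructed": {"IsEncrypted": True, "WasPasscodeSet": False,
                             "Lockdown": {"DeviceName": "Sample iPad"}},
        "bbbb-constructed": {"IsEncrypted": False, "WasPasscodeSet": True,
                             "Lockdown": {"DeviceName": "Sample iPhone"}},
    }
    for name, manifest in samples.items():
        folder = Path(root) / name
        folder.mkdir()
        with (folder / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh, fmt=plistlib.FMT_BINARY)
    damaged = Path(root) / "cccc-constructed"
    damaged.mkdir()
    (damaged / "Manifest.plist").write_bytes(b"truncated")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        make_constructed_backups(tmp)
        for report in triage_backup_root(tmp):
            print(report)
```

In the constructed data, the first backup is encrypted although no passcode was set on the device, and the second is unencrypted although a passcode was set.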
For more information about encrypted backups, see Apple’s knowledge base article on the subject:
If the password is unknown to an examiner, there are multiple tools on the market that may be able to assist.