iTunes backup (Extraction)
MOBILedit Forensic uses iTunes backup for extracting data from iOS devices.
To extract as much data as possible, it is necessary to create an encrypted iTunes backup by setting a password/PIN if the device user has not already set one.
If a password is not entered, the backup will be unencrypted and contain less data.
If the user of the device has already configured the iTunes backup to be encrypted, by previously setting a password, it is necessary to know the user's password. MOBILedit Forensic Pro will prompt you to enter the iTunes backup password if known.
If you do not know the user password, you can use the Password toolbox to make a brute force attack and identify the correct password. This feature is only available in the MOBILedit Forensic ULTRA edition of our software.
However, many users do not set this password; if they do set one, it may be the same as the PIN if you are lucky.
If no password has been set, MOBILedit Forensic will ask you to set the iTunes password temporarily to “123”.
The reason is that encrypted iTunes backup contain more data.
From iOS 16.1. the iTunes backup may need to be confirmed on the device by entering the device’s lock screen PIN/password.
After the extraction, the password setting is removed.
If the extraction is cancelled for any reason or, if the iTunes backup password is not removed, there will be a button to remove the password on the connection page below the device.
For iOS 16.1 and above, removing the backup password will also have to be confirmed by entering the lock screen PIN/password on the device.
