For encrypted backups, the backup files are encrypted using the Advanced Encryption Standard-256 (AES-256) algorithm in the Cipher Block Chaining (CBC) mode, with a unique key and a null initialization vector (IV). The unique file keys are protected with a set of class keys from Backup keybag. The class keys in Backup keybag are protected with a key derived from the password set in iTunes through 10,000 iterations of the Password-Based Key Derivation Function 2 (PBKDF2). In iOS 10.2 this mechanism was upgraded, so now, there are 10,000,000 iterations.

Many free and commercial tools provide support for encrypted backup file parsing if the password is known. Unfortunately, it's not always true, so sometimes forensic examiners have to crack such passwords. The next section will walk you through this process, with Elcomsoft Phone Breaker.