How to Acquire an iOS 11 Device Without the PIN/Passcode
As you may be aware, iOS 11 changed the way the user authenticates a trust relationship between an iOS device and the computer used to create a backup, or the forensic tool used to create an acquisition. When a forensic examiner goes to create an iOS backup, either with a forensic tool or with iTunes, they will now be prompted not only to trust the computer, but also for the device passcode to enable that trust. This can be a problem when the examiner was relying on a fingerprint for device access, which at times can be easier to compel than the passcode for the device.
So What Can We Do?
With iOS 11, you can still do a cloud backup without needing the PIN code for the device. Many users of iOS 11 will enable two-factor authentication (2FA) because the operating system strongly encourages it. When doing a cloud acquisition with a commercial tool, like AXIOM Cloud, if 2FA is enabled, the user will be required to access the device to finish the authentication.
The great thing is, to obtain the Apple ID Verification Code, you can use Touch ID or facial recognition, as dictated by the iPhone model, to get to the verification code! Enter the verification code, and you will be able to obtain the backup. This does require the iTunes account email and password, but oftentimes these can be recovered from other devices, as users often reuse account IDs and passwords. The Gmail account and password recovered from the computer may be the same credentials necessary to recover data from the cloud.
It is important to keep in mind that there is a time limitation on using fingerprint and facial recognition to unlock before the passcode is required, which is based on the last time the device was unlocked.
In summary, the fear of not being able to obtain forensic images of iOS devices because a passcode is now required can be overcome by using a cloud acquisition, provided you have access to the username and password for the iTunes account, access to the backup network (to force a fresh cloud backup), plus the device and the fingerprint or facial recognition if 2FA is being utilized.
Jessica Hyde
Director, Forensics