Making complex data simple and compelling
From digital device to digital evidence
Unlock your vehicle's digital evidence potential
Forensic Analysis and Enhancement
Investigating and analyzing financial records
Gain access to the online accounts of deceased loved ones
Clear, precise evidence for a messy world
Expert reports to suit your specific needs
We can locate people anywhere
Stop worrying and learn the truth
Prevent, Detect, Respond To Cyberattacks
First response is crucial. Every minute counts.
The first response is critical to reduce liability
Detection & Removing Spyware Services
Reduce your electronic risk from digital transmittals
Find out who you are really talking to
Experienced, Confidential Services
Swift, professional incident response
Complicated cases require compelling digital facts
Find, recover and document digital evidence
Bring solid evidence before a judge
Cases can be investigated using Social Media
In this publication, we’ll discuss acquisition approach to an iOS device under these specific circumstances:
1. Runs iOS 8.x through 10.x
2. When seized, the device was powered on but locked with a passcode and/or Touch ID
3. Device was never powered off or rebooted since it was seized
4. Does not have a jailbreak installed and may not allow installing a jailbreak
5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past
At first sight this list may seem detailed, but in fact if the iPhone was captured in the state of the screen locked and kept in its current state, it is possible to gain access to the information in the device using a so-called lock files or pairing record. First, let’s talk about the pairing relationships. In terms of iOS forensics, a pairing is a trusted relationship between the iOS device and a computer (Mac or PC). Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this PC” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked. The company would use a pre-established trust relationship to produce a backup of the locked device.
Talking about Personal Lockdown Records, they are files that are stored on the computer to which the device is synchronized with the IOS. These files are created the first time the user connects their IOS device to a computer that is running ITunes. Forensic specialists routinely use lockdown records to produce a full device backup of the connected phone. Quick Guide: How to Use Lockdown records to get the backup and retrieve files can be explored here.
Multiple forensic tools exist allowing to view and analyze mobile backups. Following established guidelines on seizing and storing mobile devices is a must for successful acquisition.
In conclusion, we want to say that It may be possible to perform acquisition of iOS devices found locked but powered-on. Lockdown files may exist on the user’s Mac or PC. Those files can be used to obtain backup from an iOS device provided that the device was never allowed to power off or reboot after the seizure. Following established guidelines on seizing and storing mobile devices is a must for successful acquisition.
Speak to a Specialist Now
Get Help Now