There have been some interesting developments regarding iPhones and forensics since our first post along these lines that impact attorneys and e-discovery professionals. There are also plenty of items of importance that have remained constant. Here we will cover a healthy mix of both as they relate to access to, and preservation of, iOS data once you find it. The below has a number of legal implications – knowing when data is and is not recoverable may impact issues regarding litigation holds, spoliation, and even the ability (or lack thereof) to comply with court orders compelling production of certain information. Understanding the roadblocks now may prevent accidental deletion/irreversible encryption of data, or over-promising to a court or opposing party as to what can be produced.
Issue 1 for the Client: Which iOS Device Model Do They Have?
For forensic purposes, an iPhone 4 or older, or a first-generation iPad, is much easier to process than its newer, sleeker siblings. On those devices the examiner can usually recover the passcode and perform a “physical” extraction (a bit-for-bit image of the device’s storage, the best result possible forensically). The reason is the chip rather than the software: the A4 and earlier processors have a boot ROM flaw (the one the limera1n jailbreak used) that lets a forensic tool boot its own ramdisk, brute-force the passcode on the device and copy the file system out. Beginning with the iPhone 4S (the first phone with “Siri”) and the second-generation iPad, and on every model since, that hole is closed and Apple’s encryption and security features do what they were designed to do. Generally, only the less data-rich “logical” extraction (a backup-style copy of what the operating system is willing to hand over) can be performed on these devices.
It isn’t all bad, however. Even with the more restrictive extractions on the newer devices, recovery of deleted data is fairly routine, at least for SMS and MMS messages, Notes, call records and calendar entries, according to this author’s testing. The reason those particular items come back is that iOS keeps them in SQLite database files, and SQLite does not scrub a deleted row: its bytes stay inside the database file until that space is reused or the file is rebuilt, so a backup-style extraction carries them out along with the live data. The caveat is that “routine” is not “guaranteed”: the longer the device stays in use after the deletion, the more likely that space has been overwritten, so the device should be set aside and not used further as soon as it is identified as relevant. On the older devices where a more expansive extraction is possible, you may be able to recover a richer set of deleted data, because unallocated space on the device itself is within reach.
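As an added illustration (not code from the original post or from any forensic tool), the following Python script recreates the mechanism with a constructed stand-in for a database such as sms.db: it inserts two messages, deletes one, and shows that a plain byte search of the file still finds the deleted text until the database is vacuumed, and that SQLite’s secure_delete setting (zeroing freed bytes at deletion time) removes the remnant outright. The table layout, the phone number and the message text are made up for the example.

```python
"""Why deleted texts, notes and call records so often come back from a
backup-style extraction: iOS keeps them in SQLite database files, and
SQLite leaves a deleted row's bytes sitting inside the file until the
space is reused, the file is rebuilt with VACUUM, or secure_delete is on.

Added example written for this post, not the author's code. The table is
a constructed stand-in for a database such as sms.db, not Apple's real
schema, and both messages are made up."""
import os
import shutil
import sqlite3
import tempfile

DELETED_TEXT = "meet me at the pier at nine"   # constructed sample message
KEPT_TEXT = "running ten minutes late"        # constructed sample message


def build_db(path, secure_delete):
    """Create a toy message store, insert two rows, delete one, and commit.

    secure_delete maps to SQLite's PRAGMA of that name: when ON, SQLite
    zeroes the freed bytes at delete time instead of leaving them behind.
    """
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("PRAGMA journal_mode = DELETE")  # classic rollback journal: data lives in the main file
    con.execute("CREATE TABLE message (id INTEGER PRIMARY KEY, handle TEXT, text TEXT, date INTEGER)")
    con.executemany(
        "INSERT INTO message (handle, text, date) VALUES (?, ?, ?)",
        [("+15555550100", DELETED_TEXT, 410000000), ("+15555550100", KEPT_TEXT, 410000060)],
    )
    con.commit()
    con.execute("DELETE FROM message WHERE text = ?", (DELETED_TEXT,))
    con.commit()
    con.close()


def live_rows(path):
    """What a normal query (or the phone's Messages app) still shows."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT text FROM message ORDER BY id")]
    con.close()
    return rows


def raw_contains(path, text):
    """Search the raw file bytes for a UTF-8 string, the way a simple carving
    pass over an extracted database would, ignoring SQLite's structure."""
    with open(path, "rb") as f:
        return text.encode("utf-8") in f.read()


def vacuum(path):
    """Rebuild the file from live rows only (SQLite VACUUM)."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def demo():
    """Run the three stages and return what each one shows."""
    tmp = tempfile.mkdtemp()
    try:
        normal = os.path.join(tmp, "sms_normal.db")
        build_db(normal, secure_delete=False)
        results = {
            # 1. The row is gone from queries...
            "query_sees_deleted": DELETED_TEXT in live_rows(normal),
            # ...but its bytes are still in the file, so carving recovers it.
            "file_still_holds_deleted": raw_contains(normal, DELETED_TEXT),
        }
        # 2. A VACUUM (or enough later activity) destroys the remnant.
        vacuum(normal)
        results["after_vacuum"] = raw_contains(normal, DELETED_TEXT)
        # 3. With secure_delete ON the bytes are zeroed at deletion, so there is
        #    nothing to carve, while the surviving row is of course still present.
        secure = os.path.join(tmp, "sms_secure.db")
        build_db(secure, secure_delete=True)
        results["secure_delete_remnant"] = raw_contains(secure, DELETED_TEXT)
        results["kept_row_present"] = raw_contains(secure, KEPT_TEXT)
        return results
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for stage, found in demo().items():
        print("%-26s %s" % (stage, found))
```

The practical point for a litigation hold: a deleted message is recoverable only while nobody has touched the database since, so the value of the evidence depends on how quickly the device is taken out of use. Apple’s own databases are larger and busier than this toy, which makes overwriting more likely, not less.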
Issue 2 For the Client: Do You Have All of Their Passcodes/Passwords?
In our last post, we discussed the different places that data may reside (or hide) when dealing with a legal matter involving iOS devices. We didn’t really address the hurdles that come with accessing that data once you find it, however. First and foremost, even a skilled forensic investigator will need the passcode to an iPhone 4S or above when performing a forensic examination of that device (unless it is jailbroken; see below, with disclaimers). If the client does not have the passcode and you are involved in a civil proceeding or investigation, you are more or less stuck, at least as far as existing technology goes. One thing worth checking before reaching that conclusion, as a general point rather than an endorsement of any tool: a computer the phone has been synced with keeps a pairing record (Apple calls it a lockdown record) that the phone already trusts, and some forensic tools can use that record to obtain a backup-style extraction without the passcode being entered. If you are law enforcement, you may have some recourse with Apple to unlock the phone, but I don’t address the legal procedures here, only the forensic processes. This very issue is currently playing out in the highly publicized legal proceedings surrounding South African sprinter Oscar Pistorius in his upcoming trial for the alleged murder of his girlfriend Reeva Steenkamp.
Issue 2A: Is the Client’s Device “Jailbroken”?
Before giving up hope, ask the client one last thing, as noted above: whether their iPhone has been jailbroken. (I do not recommend or endorse jailbreaking an iPhone. It is a lot like cutting the seatbelt out of your car: it removes many of the security features Apple has worked hard to put in place, and there are other potential problems, including Apple possibly declining to support the device.) If a phone is jailbroken, however, there are forensic tools that may assist in extracting the passcode (we make no specific endorsement on this blog), which in turn allows an investigator to examine the device.
The above refers solely to the passcode on the phone itself (again, the four-digit unlock code most of us know and love). There may be a second password issue lurking in the background, however. Most forensic extraction methods pull what is called a “backup” from the phone, more or less the same set of files that iTunes stores if you back up your iPhone to a computer, and they obtain it the same way iTunes does, by asking the phone for it. Problem: if the iPhone has been set to create encrypted backups in iTunes, the phone encrypts whatever it hands out, so the forensic extraction is encrypted too, and the setting cannot simply be switched off because iTunes demands the existing password before it will disable it. If you don’t realize your iPhone is backing up to your computer, it’s a pretty good bet you don’t know the password that unlocks the encrypted backup either, and the locked file set is of little use without it. Users do find the option switched on with a password they don’t recall setting, for instance where a company’s device-management profile requires encrypted backups; forgetting or never knowing this password is such a common problem that Apple has devoted a help page specifically to it. The password is run through a deliberately slow key derivation before it becomes the decryption key, so brute force only succeeds against short or guessable passwords. Again, if you don’t have it (and you’re not law enforcement), good luck having your forensic investigator crack the encryption on the resulting backup.
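As an added example, not the author’s or Apple’s code, here is a small Python triage script that reads a backup’s Manifest.plist (the index file at the top of every iTunes-style backup) and reports the things worth knowing before anyone promises production: whether the backup is encrypted and therefore needs the backup password, which device model produced it (the iPhone 4/first iPad class versus the 4S/iPad 2 and later), and the iOS version. The key names it reads (IsEncrypted, WasPasscodeSet, and ProductType/ProductVersion inside the Lockdown dictionary) are the ones found in real manifests; the sample manifest it builds for a dry run is constructed here, not captured from a device, and the A4-or-earlier cutoffs are Apple’s model identifiers as I know them (iPhone4,1 is the 4S, iPad2,x the iPad 2 and first iPad mini, iPod5,1 the fifth-generation touch).

```python
"""Triage an iTunes-style backup before anyone promises to produce it.

Added example for this post; not the author's or Apple's code. It reads
the backup's Manifest.plist with plistlib and answers the questions raised
above: is the backup encrypted (so a backup password is needed), which
device made it (iPhone 4/iPad 1 class or 4S/iPad 2 and later), and which
iOS version it ran. The key names used (IsEncrypted, WasPasscodeSet,
Lockdown/ProductType/ProductVersion) are the ones found in real backup
manifests; the sample manifest built by make_sample_manifest() is
constructed for this example, not captured from a device."""
import os
import plistlib
import re
from datetime import datetime

# Highest model number per family whose application processor is A4 or
# earlier: iPhone3,x is the iPhone 4, iPad1,1 the original iPad, iPod4,1 the
# 4th-generation iPod touch. The next number up (iPhone4,1 = 4S, iPad2,x,
# iPod5,1) is where the boot-ROM-based extraction stops working.
_A4_OR_OLDER = {"iPhone": 3, "iPad": 1, "iPod": 4}


def physical_extraction_likely(product_type):
    """True for the generation the post calls easier to process, False for
    the iPhone 4S / iPad 2 and everything later."""
    m = re.match(r"(iPhone|iPad|iPod)(\d+),(\d+)$", product_type)
    if not m:
        raise ValueError("unrecognised ProductType: %r" % product_type)
    family, major = m.group(1), int(m.group(2))
    return major <= _A4_OR_OLDER[family]


def triage_manifest(manifest_bytes):
    """Parse Manifest.plist bytes and return the facts counsel needs up front."""
    plist = plistlib.loads(manifest_bytes)
    lockdown = plist.get("Lockdown", {})
    product = lockdown.get("ProductType", "")
    encrypted = bool(plist.get("IsEncrypted", False))
    return {
        "encrypted": encrypted,
        "needs_backup_password": encrypted,
        "device_passcode_was_set": bool(plist.get("WasPasscodeSet", False)),
        "product_type": product,
        "ios_version": lockdown.get("ProductVersion", "unknown"),
        "backup_date": plist.get("Date"),
        "physical_extraction_likely": physical_extraction_likely(product) if product else None,
    }


def triage_backup_dir(path):
    """Convenience wrapper for a real backup folder: <path>/Manifest.plist."""
    with open(os.path.join(path, "Manifest.plist"), "rb") as f:
        return triage_manifest(f.read())


def make_sample_manifest(encrypted, product_type, ios_version):
    """Build a minimal binary Manifest.plist. Constructed sample, not real data."""
    manifest = {
        "Version": "9.1",
        "Date": datetime(2014, 3, 1, 12, 0, 0),
        "IsEncrypted": encrypted,
        "WasPasscodeSet": True,
        "Lockdown": {
            "ProductType": product_type,
            "ProductVersion": ios_version,
            "UniqueDeviceID": "0" * 40,  # placeholder, not a real UDID
        },
    }
    return plistlib.dumps(manifest, fmt=plistlib.FMT_BINARY)


if __name__ == "__main__":
    # Dry run on two constructed manifests: an encrypted 4S backup and an
    # unencrypted iPhone 4 backup.
    for enc, model, ver in [(True, "iPhone4,1", "7.0.4"), (False, "iPhone3,1", "6.1.3")]:
        print(triage_manifest(make_sample_manifest(enc, model, ver)))
```

Run `triage_backup_dir` against a backup folder copied from a client’s computer (the folder names are hexadecimal device identifiers) before making any representation about what can be produced; an `encrypted` result of True means the conversation about the backup password has to happen first.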
Did Someone Say Encryption?
Encryption is actually one of the most robust security features on the iPhone 4S and above and the newer iPads. It is on by default: the file system is encrypted with a key fused into the device’s hardware, so the storage cannot be read by removing the flash chip and imaging it elsewhere. The passcode is mixed into that hardware key to protect the most sensitive files, which is why passcode guessing has to happen on the phone itself, at a rate Apple controls. Deleted data gets the same treatment: each file has its own encryption key, which is discarded when the file is deleted, so the leftovers in “unallocated” space are unreadable ciphertext. Short of running code on the device before it boots, which the 4S and later do not allow, no one but Apple seems to get past it. A great security feature if you are the end user, but perhaps frustrating from a discovery/investigations perspective.
This dynamic creates the passcode issues noted above for the newer iOS devices, but it also creates another interesting issue: the rise of “factory wiping” as a way to deny access to forensically valuable iOS information. As noted in the linked article, a factory “wipe” does not actually overwrite the data on the newer devices. It does not need to: because the data was encrypted from the start, “Erase All Content and Settings” simply destroys the key that unlocks the file system, and the ciphertext left on the flash is useless to anyone without it. So any slim chance of a forensic investigator ever clawing back the data appears to be erased along with the key (contrast this with the ability, sometimes, to recover forensically valuable data from factory-wiped iPhone 4s and below, as well as various Android and other mobile devices). With certain types of mobile devices there may be evidentiary value in a “wiped” device, but for the iPhone 4S and above and the newer iPads, not so much (save perhaps for establishing the date the device was last wiped).
As always, feel free to contact the author with any questions at firstname.lastname@example.org. Until next time, CW