The Future of iOS Forensics: What’s Really In Store for the Mobile Device Forensic Examiners?

Sean Morrissey, CEO Katana Forensics

Apple is still charging full ahead with protecting the privacy of its users, but what is the cost of not being able to access that data in the case of a terrorist threat, missing child, or other serious crime? The largest issue investigators will find with iOS 11 is the inability to extract a “logical” (iTunes) backup from the devices without a passcode. Yes, you heard me. When an investigator plugs in an iOS 11 driven device, the device will ask for the passcode of the device prior to backing up. No passcode… No Data.

This brings new life to the pairing record extraction. Hello 3 years ago, but hey, it works. You can indeed extract from the device if an active pairing record can be used, but there is the trick… gaining access to an active pairing record is a challenge, as a lot of people do not plug their devices in to a computer system anymore.

Not exactly a great position for forensic examiners.

And now Apple has also released the embedded SIM for Apple Watch (the iPhones still have removable SIMs), which was originally a Steve Jobs idea. This means no SIM to remove and extract data from for analysis. Oh, get this… The Apple Watch doesn’t need an iPhone to pair with anymore... ouch. In the past, the watch was synced with the iPhone, but now that Apple is eliminating the need for a device all the time, it is a “wait and see” to determine how the technology will function (I am researching as this article is being prepped for publishing). Apple mentioned in its Keynote that the Apple Watch and the iPhone will have the same number, so it gave some indication that maybe an iPhone is still required, but not required to be in close proximity to the Apple Watch. Katana Forensics will keep you posted with the latest research on this topic.

For years, law enforcement has relied on tracking capabilities built into mobile phones. While this same tracking technology is included in the new Apple Watches, it’s throwing a wrench in certain aspects of forensic work and, of course, creating new challenges for the investigative community.

For starters, it’s no longer possible, at least at the moment, for investigators to distinguish which device was used to make a call; both the Apple Watch and iPhone use the same phone number. It’s unclear at the moment if call history databases have flags for which device made a call. Will carriers log these calls the same as those from a phone?

Right now, there are still many unanswered questions – ones that law enforcement and private investigators are anxiously awaiting the answers to.

But waiting isn’t something they’re interested in, especially considering Apple’s reputation for user privacy. Many people are hoping that Apple will be forced to change the way it protects its users, especially in criminal cases, but it’s not looking like any decision against Apple is in the near future, much to the dismay of prosecutors who see Apple as impeding criminal investigations.

But, much in line with the company’s persona, Apple has its eye on entirely different questions, working to answer the call for Augmented Reality and establishing FaceID in lieu of TouchID. This facial recognition provides quality 3D modeling of a user’s face and, while not new technology, does seem much more advanced than the Android version. Apple claims high quality masks or images will not unlock the device. Only the user’s “engaged” face will open it, meaning the user must be looking at the camera. This could make it easier for an examiner to open a phone with an in-custody suspect. What is the expectation of privacy on a person’s face?

The question is, then, when will the next FBI legal challenge to Apple be filed? And will it have the agility to maneuver around the many obstacles that are in its future?

Time will tell, but we think we know the answer.

To keep up to date with this issue, join our mailing list at Katana Forensics.
