Sean Morrissey, CEO of Katana Forensics, has seen the beta versions of iOS 11, and now that the GM is available, his concerns for the digital forensics community have hit red alert status. His cause for the alert? In the soon-to-be-released version of iOS, extracting data via the standard Apple Backup Service (aka ‘logically’) is no longer possible without the user’s passcode, whether it is made up of digits or is alphanumeric. He states that this is obviously a huge challenge for law enforcement and others conducting digital investigations that sometimes involve iOS devices. It will result in delays and, in some cases, the loss of data in an investigation if the device cannot be secured quickly.
In the case of US Customs, this may not be a large issue. As people arrive at the border, fast triage-type extractions could become the norm. Customs officials may require individuals to supply the passcode for a quick data dump, or those individuals could be significantly delayed or denied entry into the US. Will it slow the process down? Maybe. They already search some devices at the border as a security precaution.
It is not yet clear whether there are any changes to the techniques law enforcement uses with iCloud, but after tomorrow’s announcement of the new hardware and software, things may become clearer.
A few versions ago, Apple added the notorious “Trust this Device?” prompt to help educate its users about the security of their ‘pairing record’, which led to fewer trust certificates being left on local machines. This update makes all previous changes seem like minor inconveniences for investigators. Sure, we all understand the need for secure data in today’s world of stolen identities and corporate IP theft, but what about the need to examine the contents of a missing child’s messages for clues to their location, to discover details of a terror plot, which could save thousands, or to solve countless crimes where time is of the essence?
Another little “feature” of the new iOS device is being called “S.O.S. Mode”. This allows someone to tap the home button five times in order to access a dial pad to call emergency services. It also brings up the user’s medical information, should they have put it on their phone, which is always a good idea for those with special medical conditions. What it does in the background, however, is a bit more interesting. Once the mode is activated, iOS silently deactivates Touch ID. This means the only way to unlock the phone is to enter the user’s passcode, which in some cases could be a longer alphanumeric phrase.
There has been a lot of speculation about Apple’s Facial Recognition and how it relates to the security of the device. I know we will be glued to Apple’s announcement to learn the latest, and we will be watching any upcoming litigation from governments to obtain data that may be critical in an investigation.