iOS 11 may be the end for digital forensics as we know it.
Apple has been making many advancements, all in the name of its users’ privacy. This made big headlines when the FBI and Apple became involved in a legal battle over an FBI request to force Apple to unlock / decrypt an iPhone. Although the matter was never settled in court, because the FBI found a third party to assist in unlocking the device, the battle is still silently being waged by Apple.
Sean Morrissey, CEO of Katana Forensics, has seen the beta versions of iOS 11, and now that the GM is available, his concerns for the digital forensics community have hit red alert status. His cause for the alert? In the soon-to-be-released version of iOS, extracting data via the standard Apple Backup Service (aka ‘logically’) is no longer possible without the user’s passcode, whether it is numeric or alphanumeric. He states that this is obviously a huge challenge for law enforcement and others conducting digital investigations that sometimes involve iOS devices. It will result in delays and, in some cases, the loss of data in an investigation if the data cannot be secured quickly.
In the case of US Customs, this may not be a large issue. As people arrive at the border, fast triage-type extractions could become the norm. Customs officials may require individuals to supply the passcode for a quick data dump, or those individuals could be significantly delayed or denied entry into the US. Will it slow the process down? Maybe. They already search some devices at the border as a security precaution.
It is not yet clear whether there are any changes to the techniques law enforcement utilizes with iCloud, but after tomorrow’s announcement of the new hardware and software, things may become clearer.
A few versions ago, Apple added the notorious “Trust this Device?” prompt to help educate users about the security of their ‘pairing record’, which led to fewer trust certificates being left on local machines. This update makes all previous changes seem like minor inconveniences for investigators. Sure, we all understand the need for secure data in today’s world of stolen identities and corporate IP theft, but what about the need to examine the contents of a missing child’s messages for clues to their location, to discover details of a terror plot that could save thousands, or to solve countless crimes where time is of the essence?
Another little “feature” of the new iOS is being called “S.O.S. Mode”. This allows someone to tap the home button five times in order to access a dial pad to call emergency services. It also brings up a user’s medical information, should they have put it in their phone. This is always a good idea for those with special medical conditions. What it does in the background, however, is a bit more interesting. Once the mode is activated, iOS silently deactivates Touch ID. This means the only way to unlock the phone is to enter the user’s passcode, which in some cases could be a longer alphanumeric phrase.
There has been a lot of speculation about Apple’s Facial Recognition and how it relates to the security of the device. I know we will be glued to Apple’s announcement to learn the latest, and we will be watching any upcoming litigation from governments to obtain data that may be critical in an investigation.