Forensic Implications of iOS Lockdown (Pairing) Records

November 25th, 2016 by Oleg Afonin
Category: «General», «Security»

In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.

In this publication, we’ll discuss an acquisition approach for an iOS device under these specific circumstances:

  1. Runs iOS 8.x through 10.x
  2. When seized, the device was powered on but locked with a passcode and/or Touch ID
  3. Device was never powered off or rebooted since it was seized
  4. Does not have a jailbreak installed and may not allow installing a jailbreak
  5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past

While this list may appear extensive and overly detailed, in real life it simply means an iPhone that was seized in a screen-locked state and stored properly in its current state (i.e. not allowed to power down or reboot). If this is the case, we might be able to access information in the device by using a so-called lockdown file, or pairing record. This record may be available on the suspect’s home or work PC that was either used to sync the iOS device with iTunes or simply used for charging if the suspect ever tapped “OK” on the “Trust this PC” pop-up.

About Pairing Relationships

In terms of iOS forensics, a pairing is a trusted relationship between the iOS device and a computer (Mac or PC). Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this PC” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

Once established, pairing relationships are maintained through reboots. However, the iPhone must be unlocked with a passcode at least once after the reboot. Pairing relationships survive passcode changes; however, since iOS 8 all existing pairing relationships will be lost upon factory reset.

iOS 7 and older: Once established, a pairing relationship will never expire. In iOS 7 and older, established trust would survive through reboots and factory resets. Moreover, if the device is running iOS 7 or earlier, it can be unlocked with a pairing record immediately after it’s turned on (unlocking with passcode not required). This is why it was possible for Apple to extract information from locked iPhones sent in by the government. The company would use a pre-established trust relationship to produce a backup of the locked device. In iOS 8, all existing pairing relationships were invalidated; established trust does not survive through a factory reset, and accessing device data with a pairing record now requires a passcode unlock after a reboot.

About Lockdown Records (Pairing Records)

Lockdown records, or pairing records, are files stored on the computer with which the iOS device syncs. These files are created the first time the user connects their iOS device to a PC that has iTunes installed. Lockdown records are used to re-establish a pairing relationship between the computer and the iOS device, allowing the user to conveniently sync their iPhone by simply connecting it to their computer, without having to manually unlock the device every time.

Forensic specialists routinely use lockdown records to produce a full device backup of the connected phone. A lockdown file can be extracted from the original computer and used on a different Mac or PC to re-establish the pairing relationship, all without unlocking the iPhone with a passcode or Touch ID.

Where Lockdown Records Are Stored

Lockdown records are saved in the following locations:

Windows Vista, 7, 8, 8.1, Windows 10:

%ProgramData%\Apple\Lockdown

Windows XP:

%AllUsersProfile%\Application Data\Apple\Lockdown

macOS:

/var/db/lockdown
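An inventory of the pairing records found in these locations, as an added example that is not code from the original article: it reports each record's device identifier, file age in days, and which fields are present, without returning key material. The `<UDID>.plist` file naming, the `SystemConfiguration.plist` host file, and the key names are assumptions not stated in the article; the sample record writer produces constructed data.

```python
import os
import plistlib
import time
from pathlib import Path

# Locations listed in the article; environment variables are expanded at run time.
CANDIDATE_DIRS = [
    r"%ProgramData%\Apple\Lockdown",                       # Windows Vista and later
    r"%AllUsersProfile%\Application Data\Apple\Lockdown",  # Windows XP
    "/var/db/lockdown",                                    # macOS
]

# Assumption: key names as commonly seen in pairing records, not taken from the article.
KEYS_OF_INTEREST = ("HostID", "SystemBUID", "HostCertificate", "HostPrivateKey", "EscrowBag")


def inventory(directory, now=None):
    """Return one dict per <UDID>.plist in directory; key material is never returned."""
    now = time.time() if now is None else now
    rows = []
    for path in sorted(Path(directory).glob("*.plist")):
        if path.name == "SystemConfiguration.plist":  # host config, not a device record
            continue
        row = {"udid": path.stem, "age_days": int((now - path.stat().st_mtime) // 86400)}
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
            row["keys_present"] = [k for k in KEYS_OF_INTEREST if k in record]
            row["host_id"] = record.get("HostID")
        except Exception as exc:  # damaged or unreadable file: report it and keep going
            row["error"] = type(exc).__name__
        rows.append(row)
    return rows


def write_constructed_record(directory, udid, mtime):
    """Write a constructed (fake) pairing record with a chosen modification time."""
    path = Path(directory) / f"{udid}.plist"
    with path.open("wb") as fh:
        plistlib.dump({"HostID": "CONSTRUCTED-HOST-ID", "EscrowBag": b"\x00" * 8}, fh)
    os.utime(path, (mtime, mtime))


if __name__ == "__main__":
    for d in map(os.path.expandvars, CANDIDATE_DIRS):
        if os.path.isdir(d):
            for row in inventory(d):
                print(d, row)
```

The file modification time is only a proxy for when the pairing was created or last refreshed; on macOS, reading /var/db/lockdown typically requires elevated privileges.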

Do Lockdown Records Expire?

There is no definite information on the expiry of lockdown records. Since Apple has full control over iOS, it may introduce various expiration rules similar to Touch ID expiry. Officially, pairing relationships last until revoked.

“Trusted computers can sync with your iOS device, create backups, and access your device’s photos, videos, contacts, and other content. These computers remain trusted unless you change which computers you trust or erase your iOS device.” https://support.apple.com/en-us/HT202778

The user can revoke the trusted relationship with any given PC by performing the following procedure:

“If you don’t want to trust a computer or other device anymore, change the privacy settings on your iPhone, iPad, or iPod touch: In iOS 8 or later, tap Settings > General > Reset > Reset Location & Privacy. Now when you connect to formerly trusted computers, the Trust alert will ask you whether you trust that computer.” https://support.apple.com/en-us/HT202778

Pairing relationships established with devices running iOS 7 or earlier never expire and survive reboots and factory resets. Once such devices get updated to iOS 8 or newer, all existing trust relationships are revoked and must be re-established under new rules.

Since iOS 8, all pairing relationships remain unavailable after the device restarts or powers on until the device is unlocked (at least once) with a passcode.

The ultimate question, of course, is “how much time exactly do I have to use a lockdown record before it expires?” While there is no definite answer to this question, various publications refer to wildly different timeframes. We were able to check some of those claims.

Do lockdown records expire in 48 hours since last unlock?

No. We tested with multiple devices running all major versions of iOS since 8.1 all the way through 10.2 beta, and found that we were able to use lockdown records to obtain backups way past the 48 hours. In fact, we repeated the test (on iOS 10.1 only), this time waiting for 5 days since last unlock, and we were still able to obtain the backup by using a lockdown file.

Do lockdown records expire in 30, 60 or 90 days?

We cannot support this claim, but we can’t reject it either. The oldest pairing record we have is nearly 4 months old, and it can still be used to produce a backup. However, this single pairing record comes from an iOS 8.1 device; we did not have old enough pairing records for our other devices. As Apple has full control over iOS, it can introduce various expiration rules at any time.

At this time, we believe it’s safe to assume that existing lockdown records would not expire based on their age alone. However, they may or may not be usable to unlock an iOS device if the device was passively stored for more than 30 days.