“Can you unlock that iPhone?” is one of the most common questions we hear on various events and from our customers. There is no simple answer, but more often than not some options are available.

Just a few years back, the most common question was “can you crack that password?” We are still being asked that every other day, but locked iPhones are now more abundant than unknown passwords. There is a simple explanation for that: the iPhone is an ultimate source of evidence. That, before we even mention the many urgent cases when the phone needs to be unlocked.

Cover all possible scenarios in one short article would not be possible; for (much) more details you are welcome to read our Smartphone forensics book that explores the topic in depth. Keep reading to see what can be done in some cases.

So can we, or can we not unlock that iPhone? I hate to disappoint, but in most cases you cannot, especially if the iPhone in question runs iOS 8 or newer and especially if you are targeting a fairly recent model (such as the iPhone 6S, which is two years old by now). A software unlock does not exist for these models and versions of iOS.

You cannot even rely on hardware-based solutions such as the IP-BOX. We have the V3 box that should be able to unlock the iPhone 7 with iOS 10, and it only works occasionally. There is a good chance to brick the device with all its data gone forever. It is also worth mentioning that checking just one passcode takes anywhere from 5 to 15 minutes, which turns into at least 10 years of trying to recover the default 6-digit code. Still, this could be the hardware that’s used internally by a few big-name forensic firms to provide iPhone unlock services to the law enforcement. (Tip: you can do the same with those Chinese boxes at a fraction of the price, even if it’s risky).

Surprisingly, the best and safest alternative to those devices is good old logical acquisition, which may also work for locked devices.

The trick here is making use of lockdown files, or iTunes pairing records. We wrote about them in the past:

• Dealing with a Locked iPhone
• iOS Logical Acquisition: The Last Hope For Passcode-Locked Devices?
• Forensic Implications of iOS Lockdown (Pairing) Records
• How Can I Break Into a Locked iOS 10 iPhone?
• New Security Measures in iOS 11 and Their Forensic Implications

If you are not familiar with that method and don’t have the time to read a long article, I will explain briefly. In a nutshell, once a locked iPhone is connected to a PC or Mac for the first time, you will be prompted to confirm whether you trust that computer or not. You might have seen it even on airplane entertainment systems; this means that there is a computer behind the USB port, yet for your own safety don’t try any exploits out there.

For faster charging, tap ‘Trust this device’

So what happens if you press the “Trust” button? First, in order to tap that button, you’ll have to unlock the phone. Before iOS 11, you could use the Touch ID for that, but iOS 11 now requires a passcode in order to confirm the “Trust”; read (link) for details. Second, the iPhone creates a pair or keys required to exchange data between the iPhone and this particular desktop, without the need to unlock the iPhone every time you connect it to the PC. In practice, this simplifies the syncing the data (or making backups) as you will not have to unlock the iPhone every time.

For us, that means that we can use the pairing record (a small XML file saved on the computer) to do the same on any desktop – even if you don’t know the passcode.

There is one problem though: starting with iOS 8, almost all data on the iPhone is encrypted. The encryption is based on a combination of a hardware-specific key and user’s passcode. When you unlock the iPhone for the first time (after you switch it on or reboot), the data is decrypted, and the backup service is started (waiting for commands). Only then can we make a backup (which could be password-protected, but that’s another story).

Again, we can use a pairing record to perform logical acquisition of a passcode-locked iPhone only if was unlocked at least once (but is currently in the locked state).

It is also important to know that the lockdown record remains valid even if the passcode is changed.

If you ever used our iOS Forensic Toolkit, you noted that includes the logical acquisition option that works better that iTunes itself. First, iOS Forensic Toolkit prevents the device from automatically syncing with the PC; and second, it automatically sets a known backup password in order to get access to the keychain.

However, logical acquisition options in iOS Forensic Toolkit are not limited to making a backup. There is also the (I)nfo option. That option works even for locked devices and even if you do not have a lockdown record.  Here is what you get (data from a real device, just with some sensitive data reducted):

<key>BuildVersion</key>
<string>15A432</string>
<key>DeviceClass</key>
<string>iPhone</string>
<key>DeviceColor</key>
<string>1</string>
<key>DeviceName</key>
<string>Vladimir's iPhone 7</string>
<key>HardwareModel</key>
<string>D101AP</string>
<key>HasSiDP</key>
<key>ProductType</key>
<string>iPhone9,3</string>
<key>ProductVersion</key>
<string>11.0.3</string>
<key>UniqueChipID</key>
<integer>NNNNNNNNNNNNNNNN</integer>
<key>UniqueDeviceID</key>
<string>xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx</string>
<key>WiFiAddress</key>
<string>XX:XX:XX:XX:XX:XX</string>

What did we learn about the device? We’ve got the device name (in most cases, this includes the owner’s name), device color, exact device model (not a generic “iPhone 7”), iOS version and build number, chip ID (might help identify device origin), unique device ID, and the MAC address of the phone’s Wi-Fi adapter.

This isn’t much, but it might be helpful – including the last item (you may use the MAC address to search for this device in Wi-Fi connection logs).

But what if we do have a lockdown record? In this case, we’ll obtain a bit more data. The additional bits include: MAC address of the device Bluetooth adapter; ICCI/IMEI/IMSI, phone number (even if the SIM card is removed) and device time zone.

And now, a little surprise. The above data is available even if the device has not been unlocked after a reboot (but the lockdown record itself is still needed).

Now about something really new. We somehow missed the ability to query some other services running on the iPhone, but in the new version of EIFT to be released shortly, this is what you’ll get in addition to what we already mentioned:

Whether cloud backups are enabled or not

• Whether iTunes backup password is set
• Date/time when the last local backup was created
• Date/time when the last iCloud backup was created
• Total space and free space on the device
• iOS interface language and current locale
• The list of accounts where the address book, notes, calendars and bookmarks are being synced between the device and the cloud. Microsoft Exchange only shows the name of the account, but for Google, we have the user’s email address.

Not bad, right? Again, the lockdown record should be in place,

There are some other bits such as:

ChinaBrick: false
GoogleMail: false
NTSC: false
NoVOIP: false
NoWiFi: false

That looks like the list of restrictions for this specific device, maybe specific to China and some countries in the Middle East.

And just for fun: while examining the output of the service that returns the data volume, we discovered the following:

CalculateDiskUsage: OkilyDokily

Looks like Apple employs at least one Simpson’s fan 🙂 In fact there is much more of this in leftover settings.

Conclusion

If you are examining an iPhone device, always examine the user’s desktop computer(s) as well. If you manage to discover one or more lockdown records, you might be able to extract more than you initially thought. There might be more steps required such as finding local backups, locating and decrypting iCloud tokens, and so on, and so forth. If you need help, we’re always here.