Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness in logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device, and to do so without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.
Despite that, pairing records have been immensely handy for mobile forensic specialists, as they allowed accessing the data in the device without unlocking it with a passcode, fingerprint or trusted face. Specifically, until very recently, lockdown records never expired. One could use a year-old lockdown file to access the content of an iPhone without any trouble.
Good things seem to end. In the iOS 11.3 (beta) Release Notes, Apple mentioned they’re adding an expiry date to lockdown records.
To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.
If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.
As a result, mobile forensic experts can no longer expect lockdown records to survive for periods longer than one week. In order to clearly understand the consequences of this seemingly minor change, let us first look at the pairing records themselves.
In order to enable communications (e.g. file transfers) between the user’s iOS device (iPhone, iPad) and their computer, a trust relationship (or pairing) must first be established. Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this computer?” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.
With its initial release, iOS 11 made establishing a trust relationship even more secure (and more time-consuming for the user) by requiring the user to enter their device passcode after confirming the “Trust this computer?” prompt.
Requiring the user to re-establish trust relationships every time they connect their iPhone or iPad to their computer would hamper usability, so Apple implemented a lockdown mechanism for caching pairing credentials.
Once the iPhone/iPad and the computer are paired, a pair of cryptographic keys is created. One key is stored in the iOS device, and another on the user’s computer. The part that is stored on the user’s computer is called “pairing record” or “lockdown record”. Technically, this record is a file stored on the user’s computer. This file can be used to re-establish a pairing relationship between the computer and iOS device without having to manually unlock the device every time.
If the lockdown file is transferred to another computer, that other computer would also be considered “trusted”. As a result, the expert could extract pairing records from suspects’ computers and use them to establish connectivity with their iPhone/iPad devices, and then extract information from those devices by making a local backup.
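Since a copied pairing record carries the trust relationship with it, a workstation's stored records are worth inventorying like any other credential. The following is an added example, not code from the original article: it lists the records in a directory, notes which hold key material, whether other local users can read them, and whether the file was written inside the one-week window from the release notes. Assumptions: the directory argument, the plist key names (HostID, HostPrivateKey, RootPrivateKey, EscrowBag) and the constructed sample files are not from the article, and file modification time only shows when the record was written, not when the device was last unlocked.

```python
import os
import plistlib
import tempfile
import time
from pathlib import Path

WINDOW_DAYS = 7  # one-week window quoted from the iOS 11.3 beta release notes
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")  # assumed names

def audit_pairing_records(directory, now=None):
    """One finding per *.plist record; mtime is write time, not last unlock."""
    now = time.time() if now is None else now
    findings = []
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
            if not isinstance(record, dict):
                raise ValueError("top-level object is not a dictionary")
        except Exception:  # truncated, corrupt or non-plist file
            findings.append({"file": path.name, "error": "unparseable"})
            continue
        st = path.stat()
        age_days = (now - st.st_mtime) / 86400
        findings.append({
            "file": path.name,
            "host_id": record.get("HostID"),
            "secrets": [k for k in SECRET_KEYS if k in record],
            "age_days": round(age_days, 1),
            "written_within_window": age_days <= WINDOW_DAYS,
            "readable_by_others": bool(st.st_mode & 0o044),
        })
    return findings

def build_sample(directory, now):
    """Write constructed records (dummy bytes, no real key material)."""
    for name, age, mode in (("fresh-constructed.plist", 2, 0o600),
                            ("stale-constructed.plist", 30, 0o644)):
        path = Path(directory) / name
        with path.open("wb") as fh:
            plistlib.dump({"HostID": "CONSTRUCTED-HOST-ID", "EscrowBag": b"dummy",
                           "HostPrivateKey": b"dummy"}, fh)
        os.chmod(path, mode)
        os.utime(path, (now - age * 86400, now - age * 86400))
    (Path(directory) / "broken.plist").write_bytes(b"not a plist")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, time.time())
        print(*audit_pairing_records(tmp), sep="\n")
```

A record written more than a week ago is not necessarily expired, and the audit cannot tell; it only separates records known to be recent from those whose status is unknown.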
Prior to iOS 11.3, pairing records would survive through reboots, and would not expire.
Prior to iOS 8, pairing records were unique per device. Once created, the pairing record would even survive a factory reset. Apple used to obtain pairing records at the factory from each iPhone they sold. Once Apple was sent an iPhone accompanied by a law enforcement order, they would simply use their stored pairing record to make a local backup. All pairing records created between a given iOS device and *any* computer were identical; they would remain identical and usable even after a factory reset.
In iOS 8, this mechanism changed; this was reflected in Apple’s updated privacy policy. Citing technical limitations, the company would no longer provide extraction services for devices running iOS 8 and newer, not even with a court order. Pairing records were now dynamic; a unique pair of cryptographic keys was created when pairing the iOS device to a new computer. While pairing records would still survive through reboots, a factory reset (or the “Reset Network Settings” option in iOS) would invalidate all existing pairing records.
More information: Forensic implications of lockdown records
This pairing mechanism was carried over unchanged to iOS 9 and iOS 10.
iOS 11 added another protection mechanism, now requiring a passcode to establish trust. Previous versions of iOS allowed establishing a trusted relationship by simply confirming the “Trust this computer?” prompt on the device screen, which enabled experts to extract data from devices that were unlocked with a fingerprint.
Pressing the suspect’s finger against the Touch ID sensor could present a lesser legal challenge for law enforcement compared to making the suspect disclose their passcode.
In iOS 11, Apple addressed this exact vulnerability by demanding a passcode in order to establish a new trust relationship. Forensic experts are now required to know the passcode; Touch ID alone can no longer be used to unlock the device and perform logical acquisition.
Notably, lockdown records would *still* survive through reboots and *still* not carry a defined expiry date. Forensic experts could *still* pull a lockdown file from the user’s computer, and successfully use that file to extract the content of a locked iOS device without knowing the passcode or unlocking the device with the user’s fingerprint.
More information: New Security Measures in iOS 11 and Their Forensic Implications
Finally, back to the point. In iOS 11.3 (beta), Apple made the pairing mechanism even more secure. According to the iOS 11.3 Release Notes, Apple is adding an expiry date of one week to lockdown records.
To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.
If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.
Once iOS 11.3 rolls out, forensic specialists will have to adapt to Apple’s new policy. If they want access to suspects’ lockdown records, they’ll have to act fast. Even one week is never guaranteed, as they may never know the time the user last connected their iOS device to the computer.