With the release of iOS 17.3, Apple introduced a new security feature called “Stolen Device Protection.” This functionality is designed to prevent unauthorized access to sensitive data in cases where a thief has gained knowledge of an iPhone’s passcode. While this feature significantly enhances security for end users, it simultaneously creates substantial obstacles for digital forensic experts, complicating lawful data extraction.

A Roadblock to Logical Extraction

Gaining access to data on Apple devices has historically been most feasible through standard mechanisms leveraged by many forensic tools, including iOS Forensic Toolkit, as part of an advanced logical extraction process. Alternative methods, such as low-level extraction, are either limited to older devices and iOS versions (currently, iOS 16.6.1 is the latest iOS build supported by iOS Forensic Toolkit) or legacy devices. Cloud-based analysis also presents challenges, as it requires full user credentials, and the device passcode is required on top of that to access end-to-end encrypted data.

For logical extraction to work, an iPhone must first establish a trusted pairing relationship with a computer. This process requires the user to manually confirm “trust”, and enter their screen lock passcode on the device. During pairing, the phone generates a key pair, with one key stored on the computer and another kept on the device. Without these keys, data exchange between the phone and the computer is impossible. Before logical data extraction can proceed, this pairing step must be completed. However, with “Stolen Device Protection” enabled, biometric authentication is now required at this stage.

If the device owner is absent or unable to provide biometric authentication, logical extraction becomes virtually impossible.

When Did It Start?

Prior to iOS 17.3 (specifically, its Developer Preview version, where the feature was first introduced), pairing an iPhone with a computer and establishing trust required only the device’s screen passcode. With “Stolen Device Protection” enabled, an additional layer of security is introduced. With this feature enabled, for pairing with a new computer or performing various other security-sensitive actions (detailed in Apple’s documentation), merely entering the passcode is no longer sufficient. Instead, biometric authentication via Face ID or Touch ID is required in addition to the passcode.

Interestingly, Apple’s official description of “Stolen Device Protection” does not explicitly mention the biometric authentication requirement for computer pairing. Nevertheless, forensic experts have observed that the protection is indeed enforced.

Alternative Forensic Access Methods

We’ve always said that logical extraction was the most straightforward and broadly compatible forensic extraction method. With this new security measure in place, this extraction technique becomes limited, but other, low-level extraction methods, may not be available at all.

Low-level extraction faces significant compatibility issues. As of now, the most recent iOS version supported by iOS Forensic Toolkit utilizing the low-level extraction agent is iOS 16.6.1, which predates “Stolen Device Protection.”

Cloud analysis has its own limitations. Accessing the bulk of user data requires full account credentials, while decrypting end-to-end encrypted content also requires the device screen lock passcode.

For devices protected by the new feature, manual review may be the only viable forensic method. This process involves visually inspecting the device’s contents while documenting findings through photos, videos, or screenshots.

Manual inspection may involve browsing through the device and sharing selected data via AirDrop or cloud services, and capturing screen content through screenshots, photos, and video recordings.

Advantages:

• Quick and simple.
• Compatible with any unlocked device.

Disadvantages:

• Not forensically sound (and often not legally admissible).
• Alters the data on the device.
• The integrity of digital evidence collected this way is questionable, necessitating thorough documentation of every step taken.
• Only a limited subset of data is accessible. Sensitive information, such as saved passwords, remains protected by “Stolen Device Protection” unless accessed in a “Familiar Location.”

Manual inspection should only be used as a last resort when other methods are unavailable. Even then, legal and procedural constraints must be carefully considered.

Disabling Stolen Device Protection

While disabling the feature is possible, there are still several challenges to overcome. Obviously, the feature itself is protected with biometric authentication; to disable “Stolen Device Protection” biometric authentication is mandatory. Even worse, iOS will invoke an additional one-hour time delay if the device is not in a “Familiar Location”. The delay means that the user must authenticate twice- once to initiate the deactivation and again after the delay period ends. Finally, if the user enables the strict setting (more on that in the following chapter), this additional delay will be also enforced even if the device is in a “Familiar Location”.

The Role of “Familiar Locations”

Apple allows users to configure security settings so that certain protections, including the one-hour delay, only apply when the device is outside “Familiar Locations.” By default, “Stolen Device Protection” applies these additional safeguards only when the iPhone is away from locations it recognizes, such as home or work. Apple has not disclosed the precise mechanisms used to determine these locations. Users can manually override this default behavior, thus enabling the one-hour delay regardless of whether or not the device is in a “Familiar Location”.

Backups and Device Transfers

According to Apple’s documentation, “When you restore from iCloud Backup or transfer directly from a previous iPhone to a new one, your device settings — including Stolen Device Protection — are also restored. After a short delay to sync familiar locations from iCloud, the Stolen Device Protection security measures automatically resume on your new device.”

In addition, initiating the direct transfer from an old iPhone to a new one also requires biometric authentication.

Conclusion

Five years ago, we talked about Apple’s reliance on a single security factor: the screen locl passcode. At the time, knowing this passcode was often sufficient to gain full access to the device and even reset iCloud credentials. With “Stolen Device Protection,” Apple has taken a step toward diversifying security layers by requiring biometric authentication for critical operations.

While this feature improves user security by preventing unauthorized access to stolen devices, it significantly complicates forensic investigations. Digital forensic specialists facing additional security barriers must now overcome new challenges in data extraction.