Unless you’re using GrayShift or Cellebrite services for iPhone extraction, jailbreaking is a required pre-requisite for physical acquisition. Physical access offers numerous benefits over other types of extraction; as a result, jailbreaking is in demand among experts and forensic specialists.
We live in the era of mobile devices with full-disk encryption, dedicated security co-processors and multiple layers of security designed to prevent device exploitation. The recent generations of Apple mobile devices running iOS 10 and 11 are especially secure, effectively resisting experts’ efforts to extract evidence. Yet, several solutions are known to counter Apple’s security measures even in iOS 11 and even for the last-generation devices. It is not surprising that Apple comes up with counter measures to restrict the effectiveness and usability of such methods, particularly by disabling USB data connection in iOS 11.4 after prolonged inactivity periods (well, in fact it is still in question whether this feature will be available in new iOS version or not; it seems it is not ready yet, and may be delayed till iOS 12).
In the world of mobile forensics, physical acquisition is still the way to go. Providing significantly more information compared to logical extraction, physical acquisition can return sandboxed app data (even for apps that disabled backups), downloaded mail, Web browser cache, chat histories, comprehensive location history, system logs and much more.
iOS forensics is always a lot of fun. Say, you’ve got an iPhone of a recent generation. It’s locked, you are blank about the passcode, and the worst part is it’s more than just the four proverbial digits (the last iOS defaults to six). And you don’t have their computer, and there is not an iCloud account either. A horror story where no one, even us, can do anything about it.
In today’s world, everything is stored in the cloud. Your backups can be stored in the cloud. The “big brother” knows where you had lunch yesterday and how long you’ve been there. Your photos can back up to the cloud, as well as your calls and messages. Finally, your passwords are also stored online – at least if you don’t disable iCloud Keychain. Let’s follow the history of Apple iCloud, its most known hacks and our own forensic efforts.