Posts Tagged ‘trust relationship’

iOS 11.3 Adds Expiry Date to Lockdown (Pairing) Records

Thursday, January 25th, 2018

Lockdown files, otherwise known as pairing records, are well known to the forensic crowd for their usefulness for the purpose of logical extraction. A pairing file created on one computer (the user’s) can be used by the expert to pull information from the iOS device – that, without knowing the PIN code or pressing the user’s finger to unlock the device. Lockdown records do carry their fair share of limitations. For example, their use is severely restricted if the device has just rebooted or powered on and was not unlocked with a passcode afterwards.

Despite that, pairing records have been immensely handy for mobile forensic specialists as they allowed accessing the data in the device without unlocking it with a passcode, fingerprint or trusted face. Specifically, until very recently, lockdown records had never expired. One could use a year-old lockdown file to access the content of an iPhone without a trouble.

Good things seem to end. In iOS 11.3 (beta) Release Notes, Apple mentioned they’re adding an expiry date to lockdown records.

To improve security, for a locked iOS device to communicate with USB accessories you must either connect an accessory via lightning connector to the device while unlocked or enter your device passcode while connected, at least once a week.

If you use iAP USB accessories over the Lightning connector (including assistive devices and wired CarPlay) or connect to a Mac/PC, you may therefore need to periodically enter your passcode if you have a passcode set on your iPhone, iPad, or iPod Touch.

As a result, mobile forensic experts can no longer expect lockdown records to survive for periods longer than one week. In order to clearly understand the consequences of this seemingly minor change, let us first look at the pairing records themselves.

Pairing in iOS

In order to enable communications (e.g. file transfers) between the user’s iOS device (iPhone, iPad) and their computer, a trust relationship (or pairing) must be first established. Once a pairing relationship is initially established (by unlocking the iOS device with Touch ID or passcode and confirming the “Trust this computer?” prompt), the two devices exchange cryptographic keys, and the computer is granted trusted access to the iPhone even if the iPhone’s screen is locked.

(more…)

Can You Unlock That iPhone?

Monday, October 30th, 2017

“Can you unlock that iPhone?” is one of the most common questions we hear on various events and from our customers. There is no simple answer, but more often than not some options are available.

Just a few years back, the most common question was “can you crack that password?” We are still being asked that every other day, but locked iPhones are now more abundant than unknown passwords. There is a simple explanation for that: the iPhone is an ultimate source of evidence. That, before we even mention the many urgent cases when the phone needs to be unlocked.

Cover all possible scenarios in one short article would not be possible; for (much) more details you are welcome to read our Smartphone forensics book that explores the topic in depth. Keep reading to see what can be done in some cases.

(more…)