Hey all,
I've got an iPad2 exhibit which is disabled. It has the iPad is disabled red graphic on it and says to wait 22million minutes to retry the passcode. This would be about 41 years, which is typically longer than an examination should take.
As far as I can see I have three options.
1) wait 41 years
2) wait slightly less than 41 years for one of the vendors to bring out a product that will perform a physical extraction on an iPad2
3) Go through the computers that were seized alongside this phone and restore this phone using a virtual machine using iTunes.
If option 3 merely unlocks the device using the certificates stored in the synced backup and doesn't change any data on the device then I would go for that, but I don't have an iPad2 to test that on. Can anyone enlighten me on what data would change if the device was unlocked with a synced iTunes account?
An update
It turns out that this iPad2 may have locked itself because the battery has run totally flat and the SIM card has been removed. This means that the time and date reset to factory default and it cannot communicate with the Apple Time servers to get the accurate time, meaning that there are 41 years between when it thinks now and when it thinks you can next enter your passcode.
This means that there are two more options
Put the SIM card back in and hope that the owner has not set it to remotely wipe
Put in a non-data-enabled SIM, although where you'd find a non-data-enabled microSIM I do not know.
That's where you want to use a Faraday bag/box, no?
That's where you want to use a Faraday bag/box, no?
Well the point of putting a SIM back in it would be for it to reconnect to the Apple servers to update the time, so a Faraday bag wouldn't be of much use
Right. It's option 3 in your original post then. Do you have the iPad's pass code?
Not clean, and touches original data. Same with almost all mobile device data extractions. I don't know what data such extractions touch, but is that important in this particular case? It certainly won't add any pictures, messages, documents that weren't already there and it won't modify jpg exif data, SMS service centre time stamps, document content, etc. which should be enough for court admissibility.