After a year of legal wrangling, an iPhone 4S in my custody will be unlocked per Court Order. The defendant will enter the passcode into the phone, but the State will not be allowed to see the passcode being entered, so I will have one shot to download the contents. Given those circumstances, my idea is to immediately modify the settings to allow for USB debugging and to Stay Awake. At that point I would connect it to Cellebrite iOS Device Extraction.
Are there any other techniques you would employ to increase my chances for a successful download, knowing that any problem that would require re-entering the password would leave me FUBAR?
Thanks from Tucson, AZ
First off, Debugging and Stay Awake are Android features. So long as you know how to operate your software, you should be fine.
As a side note, which firm are you with? We are in Phoenix.
Oops. Juggling too many phones. On this iPhone, I have to disable the Auto-Lock feature after it gets logged in. I just wanted to make sure I wasn't missing a setting that could lock the phone. I've done the Advanced Logical extractions, leaving me with quite a few plists and dbs to look through, but little else.
I'm the digital forensic analyst at the Pima County Attorney's Office.
Gotcha. Once the phone is unlocked it should remain unlocked so long as there is activity (moving around between screens is a good way). I would avoid changing any settings if possible, but shouldn't be a problem if you do. Good luck!
Oops. Juggling too many phones. On this iPhone, I have to disable the Auto-Lock feature after it gets logged in.
You could also go in and disable the handset lock altogether, but that would require entering the code a second time, and from the sounds of it that may cause you difficulties. But that at least would cover you in case for some unplanned reason you need to power down the phone.
Since this is a one-shot deal, I strongly recommend you head over to eBay and buy an iPhone 4S to practice on. I think what you need to do is possible with Cellebrite UFED, but some tools ask you to reboot the phone, and rebooting means it will be locked again.
Try all the different scenarios you can think of with how the phone is locked and the auto-lock timeout set. Also make sure to consider what might happen when the phone is powered on. Do you have it isolated from the network?
Gotcha. Once the phone is unlocked it should remain unlocked so long as there is activity (moving around between screens is a good way). I would avoid changing any settings if possible, but shouldn't be a problem if you do. Good luck!
Thanks! According to Cellebrite (my only option, except for freebies and trials), I only need to disable the Auto-Lock. I would assume that is to prevent lockouts if something goes wrong during the download. [[fingers crossed]]
Oops. Juggling too many phones. On this iPhone, I have to disable the Auto-Lock feature after it gets logged in.
You could also go in and disable the handset lock altogether, but that would require entering the code a second time, and from the sounds of it that may cause you difficulties. But that at least would cover you in case for some unplanned reason you need to power down the phone.
Unfortunately, I won't be allowed to know the passcode. The defendant will arrive in my office, secretly put in the passcode, and that will be my opportunity to get what I can get.
Which brings me to another question – is there a way to find the passcode on the iPhone 4S after it has been opened? That would solve a lot of worries.
Since this is a one-shot deal, I strongly recommend you head over to eBay and buy an iPhone 4S to practice on. I think what you need to do is possible with Cellebrite UFED, but some tools ask you to reboot the phone, and rebooting means it will be locked again.
Try all the different scenarios you can think of with how the phone is locked and the auto-lock timeout set. Also make sure to consider what might happen when the phone is powered on. Do you have it isolated from the network?
I would love to be able to do that BUT since I work for county law enforcement, everything I need to buy must be approved and purchased by the county, which could easily take months, which is usually time that I don't have. Cellebrite only asks to have the Auto-Lock disabled and then it launches into the download without reboot (according to the dry-run I tried after connecting the locked iPhone).
After charging the phone (it was dead), once I turned it on to see what I had, I could see that there was not any network service (the phone had been in our local PD evidence storage for a year). To be safe, once I have the passcode entered, I will place it in my Ramsey box and go from there.
Has it been decided whether the Defendant will stay in your office until the examination is complete? Are you being provided with a minimum amount of time with the device?
I ask because I'm wondering if it's possible to inform the court that due to the methods by which you will be obtaining the data, it may become necessary to enter the passcode more than once. If the court is already assuming you'll need a few hours with the phone and the Defendant will be present at your office during that time, I don't think they'd have a problem ordering him to enter it two or three times instead of once. As long as the time frame is reasonable (so it doesn't appear you're wasting the Defendant's time) and it's addressed beforehand, I think this should be a fair middle ground.