
iPhone 4S to be unlocked - next move?

(@lasvegascop)
Trusted Member
Joined: 12 years ago
Posts: 98
 

FARADAY that phone BEFORE you turn it on. Then, while it is in a Faraday bag, or preferably a Stronghold Box, put it in airplane mode. If the suspect activated the wipe feature before he visits your office you are hosed. The iPhone 4s only takes 1 second to start the wiping process as all it has to do is wipe the encryption key and all data is gone forever. Also, all that you will get is logical data off the 4s. Lantern is probably the best tool for that but if you have a UFED that will work too.


(@pnares)
Active Member
Joined: 17 years ago
Posts: 14
Topic starter  

FARADAY that phone BEFORE you turn it on. Then, while it is in a Faraday bag, or preferably a Stronghold Box, put it in airplane mode. If the suspect activated the wipe feature before he visits your office you are hosed. The iPhone 4s only takes 1 second to start the wiping process as all it has to do is wipe the encryption key and all data is gone forever. Also, all that you will get is logical data off the 4s. Lantern is probably the best tool for that but if you have a UFED that will work too.

I am hoping that our local LE took precautions when they seized the phone. That was over a year ago, so I could be holding a wiped phone and not know it.

Do you consider Lantern better than Cellebrite for iPhones or just in general?


(@sgreene2991)
Trusted Member
Joined: 14 years ago
Posts: 77
 

FARADAY that phone BEFORE you turn it on. Then, while it is in a Faraday bag, or preferably a Stronghold Box, put it in airplane mode. If the suspect activated the wipe feature before he visits your office you are hosed. The iPhone 4s only takes 1 second to start the wiping process as all it has to do is wipe the encryption key and all data is gone forever. Also, all that you will get is logical data off the 4s. Lantern is probably the best tool for that but if you have a UFED that will work too.

I am hoping that our local LE took precautions when they seized the phone. That was over a year ago, so I could be holding a wiped phone and not know it.

They generally don't, but I've been surprised on many occasions.


(@jryll1)
New Member
Joined: 20 years ago
Posts: 1
 

Hopefully it's not too late to post this for you. Your best option, taking into account you do not have the pass code and it will only be entered once, is to do a logical extraction with XRY or Cellebrite or whatever tool you are using. Any tool that reboots the phone will kill any chance you have of getting anything.

Turning off the requirement for a pass code requires you to enter the pass code a second time.
Doing a physical extraction with Cellebrite requires the phone to be rebooted, thus needing the pass code again.

You really should practice your exact scenario a couple of times because this does sound like a one shot deal and is such a bizarre scenario that previous experience won't address the particular issues.


(@dizi357)
Active Member
Joined: 14 years ago
Posts: 11
 

Not sure if it's too late for this, but an easy way to tell if the phone has been wiped already is if there is no pass code. Unless the user has been able to interact with the phone after a wipe (or possibly if it was synced with iCloud - not sure on that one), it should require no pass code. Since it's prompting you for one, there should be at least *some* data on it.
Did one of these two months or so back, Advanced Logical will get you a good amount of evidence and does not require a reboot. Just be sure to turn off that auto lock as mentioned.

