Hi all,
We have an iPhone 6S which had been left on on after seizure and, sometime during chain of custody was remotely erased and locked to the username/password of the registered owner.
The device itself is locked in a boot loop, simply displaying the Apple logo and vibrating every 5 secs. On connecting to the forensic workstation, iTunes advises that the device has been remotely erased and locked, requiring the user login credentials to unlock.
We have previously had success with obtaining timestamps from remotely wiped iOS devices, however as this one has locked and is stuck in a boot loop, we are unable to get anything from it using Oxygen, Cellebrite or XRY.
Does anyone have any non-destructive methods as to how we can 'free' the device from it's boot loop which could potentially enable us to take a basic extraction and gather some timestamp information from the data, to indicate when the wipe occurred?
DFU mode does not affect this boot loop.
Thanks in advance!
I've not had the need to check for this information previously, but let's say the phone is locked and you're just out of luck.
Could you not serve legal process on Apple and receive an IP log for the iCloud account and possibly obtain information on when the wipe code was sent?
I'm just thinking if you can't get it from the phone there may be an alternative.
There are theories, but from my experience, in reality you can't do nothing with the device in this state.
Try finding the Apple account used on the device and focus on the iCloud, not the device itself, maybe you find something there. Good luck!