iPhone 4S to be unlocked - next move?  

Page 1 / 2
pnares
(@pnares)
New Member

After a year of legal wrangling, an iPhone 4S in my custody will be unlocked per Court Order. The defendant will enter the passcode into the phone, but the State will not be allowed to see the passcode being entered, so I will have one shot to download the contents. Given those circumstances, my idea is to immediately modify the settings to allow for USB debugging and to Stay Awake. At that point I would connect it to Cellebrite iOS Device Extraction.

Are there any other techniques you would employ to increase my chances for a successful download, knowing that any problem that would require re-entering the password would leave me FUBAR?

Thanks from Tucson, AZ

Posted : 06/11/2013 9:11 pm
sgreene2991
(@sgreene2991)
Member

First off, Debugging and Stay Awake are Android features. So long as you know how to operate your software you should be fine.

As a side note, which firm are you with? We are in Phoenix.

Posted : 06/11/2013 9:55 pm
pnares
(@pnares)
New Member

Oops. Juggling too many phones. On this iPhone, I have to disable the Auto-Lock feature after it gets logged in. I just wanted to make sure I wasn't missing a setting that could lock the phone. I've done the Advanced Logical extractions, leaving me with quite a few plists and dbs to look through, but little else.

I'm the digital forensic analyst at the Pima County Attorney's Office.

Posted : 07/11/2013 1:43 am
sgreene2991
(@sgreene2991)
Member

Gotcha. Once the phone is unlocked it should remain unlocked so long as there is activity (moving around between screens is a good way). I would avoid changing any settings if possible, but shouldn't be a problem if you do. Good luck!

Posted : 07/11/2013 4:29 am
Adam10541
(@adam10541)
Senior Member

> Oops. Juggling too many phones. On this iPhone, I have to disable the Auto-Lock feature after it gets logged in.

You could also go in and disable the handset lock altogether, but that would require entering the code a second time, and from the sounds of it that may cause you difficulties. But that at least would cover you in case for some unplanned reason you need to power down the phone.

Posted : 07/11/2013 5:42 am
Bulldawg
(@bulldawg)
Active Member

Since this is a one-shot deal, I strongly recommend you head over to eBay and buy an iPhone 4S to practice on. I think what you need to do is possible with Cellebrite UFED, but some tools ask you to reboot the phone, and rebooting means it will be locked again.

Try all the different scenarios you can think of with how the phone is locked and the auto-lock timeout set. Also make sure to consider what might happen when the phone is powered on. Do you have it isolated from the network?

Posted : 07/11/2013 7:56 pm
pnares
(@pnares)
New Member

> Gotcha. Once the phone is unlocked it should remain unlocked so long as there is activity (moving around between screens is a good way). I would avoid changing any settings if possible, but shouldn't be a problem if you do. Good luck!

Thanks! According to Cellebrite (my only option, except for freebies and trials), I only need to disable the Auto-Lock. I would assume that is to prevent lockouts if something goes wrong during the download. [[fingers crossed]]

Posted : 07/11/2013 9:03 pm
pnares
(@pnares)
New Member

> > Oops. Juggling too many phones. On this iPhone, I have to disable the Auto-Lock feature after it gets logged in.
>
> You could also go in and disable the handset lock altogether, but that would require entering the code a second time, and from the sounds of it that may cause you difficulties. But that at least would cover you in case for some unplanned reason you need to power down the phone.

Unfortunately, I won't be allowed to know the passcode. The defendant will arrive in my office, secretly put in the passcode, and that will be my opportunity to get what I can get.

Which brings me to another question – is there a way to find the passcode on the iPhone 4S after it has been opened? That would solve a lot of worries.

Posted : 07/11/2013 9:08 pm
pnares
(@pnares)
New Member

> Since this is a one-shot deal, I strongly recommend you head over to eBay and buy an iPhone 4S to practice on. I think what you need to do is possible with Cellebrite UFED, but some tools ask you to reboot the phone, and rebooting means it will be locked again.
>
> Try all the different scenarios you can think of with how the phone is locked and the auto-lock timeout set. Also make sure to consider what might happen when the phone is powered on. Do you have it isolated from the network?

I would love to be able to do that BUT since I work for county law enforcement, everything I need to buy must be approved and purchased by the county, which could easily take months, which is usually time that I don't have. Cellebrite only asks to have the Auto-Lock disabled and then it launches into the download without reboot (according to the dry-run I tried after connecting the locked iPhone).

After charging the phone (it was dead), once I turned it on to see what I had, I could see that there was not any network service (the phone had been in our local PD evidence storage for a year). To be safe, once I have the passcode entered, I will place it in my Ramsey box and go from there.

Posted : 07/11/2013 10:06 pm
MadRhetoric
(@madrhetoric)
New Member

Has it been decided whether the Defendant will stay in your office until the examination is complete? Are you being provided with a minimum amount of time with the device?

I ask because I'm wondering if it's possible to inform the court that due to the methods by which you will be obtaining the data, it may become necessary to enter the passcode more than once. If the court is already assuming you'll need a few hours with the phone and the Defendant will be present at your office during that time, I don't think they'd have a problem ordering him to enter it two or three times instead of once. As long as the time frame is reasonable (so it doesn't appear you're wasting the Defendant's time) and it's addressed beforehand, I think this should be a fair middle ground.

Posted : 07/11/2013 11:52 pm
pnares
(@pnares)
New Member

> Has it been decided whether the Defendant will stay in your office until the examination is complete? Are you being provided with a minimum amount of time with the device?
>
> I ask because I'm wondering if it's possible to inform the court that due to the methods by which you will be obtaining the data, it may become necessary to enter the passcode more than once. If the court is already assuming you'll need a few hours with the phone and the Defendant will be present at your office during that time, I don't think they'd have a problem ordering him to enter it two or three times instead of once. As long as the time frame is reasonable (so it doesn't appear you're wasting the Defendant's time) and it's addressed beforehand, I think this should be a fair middle ground.

I have talked with the prosecuting attorney, and she understands the court order to be a one-time unlock of the phone by the defendant. I have asked the first question you posed about the defendant remaining in my office for the duration of the download, and because I can't quantify how much time it will require, she says no. I have not been saddled with a time constraint, however.

I wish "fair" was admissible as an argument for a judge to rule on here, but the defense usually gets most of the breaks.

Posted : 08/11/2013 2:25 am
ludlowboy
(@ludlowboy)
Member

Try and put a hidden camera in the area that the phone is going to be unlocked and make sure you thoroughly clean the screen before giving it to the defendant.
If the phone does lock, a bit of fingerprint powder combined with the output from the camera will give you a good chance of working out the password.

Posted : 08/11/2013 2:44 am
sgreene2991
(@sgreene2991)
Member

> Try and put a hidden camera in the area that the phone is going to be unlocked and make sure you thoroughly clean the screen before giving it to the defendant.
> If the phone does lock, a bit of fingerprint powder combined with the output from the camera will give you a good chance of working out the password.

Somehow I doubt that would go over well with any of the parties…

Posted : 08/11/2013 2:57 am
DCS1094
(@dcs1094)
Active Member

> Try and put a hidden camera in the area that the phone is going to be unlocked and make sure you thoroughly clean the screen before giving it to the defendant.
> If the phone does lock, a bit of fingerprint powder combined with the output from the camera will give you a good chance of working out the password.

Best idea yet! lol

In all seriousness… take auto lock off straight away, complete your extraction on Cellebrite PA and if it were me, I'd dual tool this one to maximize the data obtained. No harm in using a 2nd tool!

…Still I do quite like ludlowboy's suggestion!! 8)

Posted : 08/11/2013 4:32 am
Adam10541
(@adam10541)
Senior Member

UFED PA can only do advanced logical on iPhone 4S so once the phone is unlocked you will not need to reboot it to do the download. As long as you disable autolock straight away you will be fine.

And as DCS1094 suggested run another tool across it as well while it's unlocked.

Oh and if it were me I'd put it straight in Airplane mode before anything else, just in case your bad guy has his iPad in the car out the front planning to log straight in to 'find my iphone' and initiate a remote wipe.

Posted : 08/11/2013 5:43 am