In recent versions of iOS, successful acquisition of a locked device is no longer a given. Multiple protection layers and Apple’s new policy on handling government requests make forensic experts look elsewhere when investigating Apple smartphones.
In this publication, we’ll discuss acquisition approach to an iOS device under these specific circumstances:
1. Runs iOS 8.x through 10.x
2. When seized, the device was powered on but locked with a passcode and/or Touch ID
3. Device was never powered off or rebooted since it was seized
4. Does not have a jailbreak installed and may not allow installing a jailbreak
5. Investigators have access to one or more computers to which the iOS device was synced (iTunes) or trusted (by confirming the “Trust this PC” pop-up on the device) in the past
