On September 17, Apple released iOS 8, one of the most secure operating systems available on any platform. Specific features of iOS 8 allow for greater security for the end user, and enhanced security within the iCloud service gives customers more peace of mind. Whenever technology changes, investigators and analysts have to pause and rethink methods with which they have previously found success. For iOS 8 and the latest iteration of iCloud, we have noted areas of concern. Some of these concerns are also relevant for previous iOS versions, but are included here for completeness and/or to demonstrate change.
Protection of an iOS 8 Device
As with any device, an iOS 8 device must be protected immediately upon seizure, because it can be remotely altered or erased through external sources such as iCloud.com and the Find My iPhone app. To protect the device, one should attempt to perform all four of the following steps:
- Ensure the device stays powered on and sufficiently charged
- Place the device into Airplane Mode
- Remove the SIM card from the device
- Secure the device in a Faraday bag or cage
Obtain the PIN Code or Passphrase, or the Pairing Certificate
It is imperative to have either the code used to secure the device or the pairing certificate from a "trusted" computer. Without at least one pairing certificate, no communication with a locked device can take place. A pairing certificate may be located on any computer the iOS device was connected to while in an unlocked state and for which the user selected the "Trust" option on the device; this includes computers owned by the device owner as well as any other computer that was trusted in this way.
It is critical to remember that with iOS 8, the device must stay powered on, and not allowed to reboot, in order to use the pairing certificate for a logical acquisition.
Restart of an iOS 8 Device
As is true with previous versions of iOS, if a device is allowed to power down and reboot (or is forced to reboot), it enters a locked state that requires the passphrase. At this point, iOS 8 will not allow access to any file content on the device until the device is unlocked for the first time after the reboot. This is the Data Protection class Apple refers to as "Protect Until First User Authentication." Upon seizing any iOS device, it is therefore imperative that the analyst keep the device powered on and prevent it from restarting, so as to maximize the chance of a successful acquisition.
iOS 8 Devices Continue to Back Up
iOS 8 does not change the fact that iOS devices perform backups either to iCloud or to a local computer. The user's backups continue to be useful for analysis. A backup may be locally encrypted on the computer, requiring additional work before analysis can commence.
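As an added example (not from the original article, and not one of Apple's or BlackBag's tools), the following Python triage script locates the pairing records described under "Obtain the PIN Code or Passphrase, or the Pairing Certificate" and the local iTunes backups described here, and reports what each record reveals to the examiner. The lockdown and MobileSync folder paths are the usual defaults and are an assumption for the host under examination; the two sample records are constructed with placeholder identifiers.

```python
"""Triage of a suspected "trusted" computer: find iOS pairing records (lockdown folder) and
iTunes backups and report what each tells the examiner.  Paths are the usual defaults."""
import plistlib
from pathlib import Path

# Pairing records are stored as <UDID>.plist in the lockdown folder (assumed default paths).
LOCKDOWN_DIRS = ["/var/db/lockdown",                # macOS
                 r"C:\ProgramData\Apple\Lockdown",   # Windows
                 "/var/lib/lockdown"]                # libimobiledevice hosts
# iTunes backups are stored as <UDID>/Manifest.plist under MobileSync/Backup.
BACKUP_DIRS = [Path.home() / "Library/Application Support/MobileSync/Backup",     # macOS
               Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup"]  # Windows

def summarize_pairing_record(data: bytes) -> dict:
    """Identify the computer a pairing record belongs to and what it lets that host do."""
    rec = plistlib.loads(data)
    return {"host_id": rec.get("HostID"),           # UUID of the trusting computer
            "system_buid": rec.get("SystemBUID"),   # that computer's usbmuxd identity
            "wifi_mac": rec.get("WiFiMACAddress"),  # device Wi-Fi MAC, when recorded
            # Escrow keybag: lets this host talk to the passcode-locked device, but only
            # once the device has been unlocked since it last booted (so never let it reboot).
            "has_escrow_bag": "EscrowBag" in rec}

def summarize_backup_manifest(data: bytes) -> dict:
    """Read Manifest.plist: is the backup encrypted, and which device and iOS made it?"""
    m = plistlib.loads(data)
    ld = m.get("Lockdown", {})
    return {"encrypted": bool(m.get("IsEncrypted", False)),  # True: backup password needed
            "ios_version": ld.get("ProductVersion"),
            "udid": ld.get("UniqueDeviceID")}

def triage(lockdown_dirs=LOCKDOWN_DIRS, backup_dirs=BACKUP_DIRS) -> dict:
    """Walk whichever default folders exist on this host; results are keyed by UDID."""
    out = {"pairing_records": {}, "backups": {}}
    for d in map(Path, lockdown_dirs):
        # SystemConfiguration.plist holds the host's own SystemBUID, not a device record.
        for p in (d.glob("*.plist") if d.is_dir() else []):
            if p.stem != "SystemConfiguration":
                out["pairing_records"][p.stem] = summarize_pairing_record(p.read_bytes())
    for d in map(Path, backup_dirs):
        for mf in (d.glob("*/Manifest.plist") if d.is_dir() else []):
            out["backups"][mf.parent.name] = summarize_backup_manifest(mf.read_bytes())
    return out

# Constructed sample records (placeholder identifiers) to exercise the summarisers offline.
SAMPLE_PAIRING_RECORD = plistlib.dumps({
    "HostID": "11111111-2222-3333-4444-555555555555", "WiFiMACAddress": "00:11:22:33:44:55",
    "SystemBUID": "AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE", "EscrowBag": b"\x00" * 16})
SAMPLE_MANIFEST = plistlib.dumps({"IsEncrypted": True, "Version": "9.1",
                                  "Lockdown": {"ProductVersion": "8.0", "UniqueDeviceID": "0" * 40}})
```

Run `triage()` on the examined host to see which device UDIDs it has trusted and which backups it holds; an encrypted manifest means the backup password must be obtained before analysis.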
Retrieval of Data from the iOS 8 Device
Communication between an iOS device and a computer is performed via establishment of a "trust." iOS 7 and earlier allowed for several methods of communication once a trust had been established. iOS 8 has disabled file relay, a device service that enabled unique data and metadata to be gathered. With iOS 8, the primary services for acquisition are iTunes backups and Apple File Conduit (AFC). The backup includes voicemail, voice memos, call history, SMS and iMessages, photos and videos taken on the device, and third-party app data. AFC has access to music, all pictures and videos, and third-party app data.
In the recent past, iCloud backups have been obtainable via legal documentation to Apple. They have also been obtainable through third-party applications that communicate with iCloud.com in the same manner as an iOS device. However, Apple has enhanced iCloud to include both two-factor authentication for obtaining information directly from iCloud, as well as notifying the end user whenever data is being accessed. Due to such notifications, an iOS device owner now knows when anyone is running a third-party application to obtain the owner's iCloud data. The device owner can then react by erasing data. iCloud backups, iTunes purchase history, iCloud sync data, email, and communication metadata continue to be available from Apple in cases when the appropriate legal paperwork is served.
Apple and Physical Device Data Extraction
As of the release of iOS 8, Apple has publicly notified law enforcement that the company is not technically capable of obtaining any information from an iOS 8 device. Apple will not accept an iOS 8 device for any reason. However, any iOS 7 and earlier device can still be sent to Apple for data extraction.
External Data Locations
iOS 8 has enhanced the user experience with new controls and user integration. HomeKit and HealthKit are two areas that will likely expand greatly in the coming months. HomeKit is the framework for home automation; it opens the possibility that many other devices within a home will hold data or metadata about user interactions. HealthKit is a framework for monitoring a user's health. Health-related data is well protected on the device, but may exist outside the bounds of the device on wearable technology or with a connected healthcare provider. Lastly, Apple has announced Apple Pay, to be available this month in over 220,000 locations. Apple Pay will allow a person to make payments via the iOS device itself. The payment interaction will lead to records on the device, possibly including relevant locations. This technology will require further research before analysts learn all the information that could potentially be gained from a user's Apple Pay transactions.
The release of iOS 8 has greatly increased security for the end user. This enhanced security means the field of digital forensics must adapt to the set of rules that are now in place. Just as in years past, it is imperative that forensic professionals know how to best secure devices, what data may be available for specific versions of the operating system, and where external data and metadata exist. While Apple has presented some unique challenges for law enforcement, it is important to remember that a user needs access to his or her data. Therefore, there is also a method for law enforcement to access that same data when necessary.
The following resources may be consulted for further information.
From Apple:
- Apple's Legal Process Guidelines
- Set up and use iCloud Tabs (Safari tabs available on all devices, part of syncing)
From The Apple Examiner:
- Lockdown Folder Locations (pairing certificates)