Implications of iOS 10 on Mobile Forensics
Last week one of our forensic analysts, Bruce Hunter, described the impact of iOS 10 on mobile forensics. In case you missed it, here is a quick recap, or you can view a recording of the webinar.
Since the release of iOS 10 on September 13th, 2016, almost 75% of all iOS devices are running iOS 10. This is the fastest adoption rate of any iOS operating system. This means iOS 10 will be highly prevalent amongst seized devices.
In order to examine an iOS 10 device, the latest version of iTunes (12.5.1 or above) must be installed. The biggest change affecting forensics is that iTunes now protects private/var/db/lockdown. This may cause the forensic tool to view the device as locked, even if the device is unlocked on a Mac.
Previously, file acquisition was possible via Apple File Conduit (AFC), which is a package that allows access to the filesystem through a USB connection. iOS 10 has shut this off, which can affect files found in many different paths.
When iTunes is set to encrypt iPhone backups, the iPhone itself makes the encrypted backups. If the password for an encrypted backup is not known, the data cannot be parsed. On a positive note, examiners are finding that encrypted backups back up additional files compared with backups made without encryption.
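As an added example (not from the webinar or any forensic tool), the Python sketch below triages a folder of iTunes backups before parsing, flagging which ones are encrypted and will need a password. It assumes each backup folder holds a Manifest.plist with the IsEncrypted, WasPasscodeSet and Lockdown/ProductVersion keys; the function names and the sample folders are constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

def triage_backup(backup_dir):
    """Summarise one backup folder from its Manifest.plist (key names are assumptions)."""
    result = {"path": str(backup_dir), "status": "ok", "encrypted": None,
              "ios_version": None, "passcode_set": None}
    try:
        with (Path(backup_dir) / "Manifest.plist").open("rb") as fh:
            data = plistlib.load(fh)
    except FileNotFoundError:
        result["status"] = "no Manifest.plist"
        return result
    except (ValueError, ExpatError, OSError):
        result["status"] = "unreadable Manifest.plist"
        return result
    if not isinstance(data, dict):
        result["status"] = "unreadable Manifest.plist"
        return result
    result["encrypted"] = bool(data.get("IsEncrypted", False))
    result["passcode_set"] = data.get("WasPasscodeSet")
    result["ios_version"] = data.get("Lockdown", {}).get("ProductVersion")
    return result

def needs_password(entry):
    """True when the backup parsed cleanly and is flagged as encrypted."""
    return bool(entry["status"] == "ok" and entry["encrypted"])

def triage_all(root):
    """Triage every sub-folder of root, in name order."""
    return [triage_backup(d) for d in sorted(Path(root).iterdir()) if d.is_dir()]

def build_sample_root():
    """Constructed sample data: two readable manifests and one corrupt one."""
    root = Path(tempfile.mkdtemp(prefix="backups_"))
    samples = {
        "a_encrypted": {"IsEncrypted": True, "WasPasscodeSet": True,
                        "Lockdown": {"ProductVersion": "10.0.2"}},
        "b_plain": {"IsEncrypted": False, "WasPasscodeSet": False,
                    "Lockdown": {"ProductVersion": "9.3.5"}},
    }
    for name, manifest in samples.items():
        (root / name).mkdir()
        with (root / name / "Manifest.plist").open("wb") as fh:
            plistlib.dump(manifest, fh)
    (root / "c_broken").mkdir()
    (root / "c_broken" / "Manifest.plist").write_bytes(b"not a plist")
    return root

if __name__ == "__main__":
    for entry in triage_all(build_sample_root()):
        print(entry["path"], entry["status"], "password needed:", needs_password(entry))
```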
Mobile Device Management
iOS 10 has made it easier for IT departments to manage company phones. This means more internal policies may be in effect, putting even more restrictions on the phone, such as forcing encrypted backups or turning off applications such as the camera. This can lead to even more restrictions on file acquisition.