A Closer Look at iPhone Forensics & Security

When building a legal case, it is not uncommon for a private investigator to need to perform digital forensics on an iPhone. As so many people rely upon these devices not only for communication, but also for saving and sharing important information, there may often be pertinent data within the backup files, or saved on the device itself. The ultimate goal of the investigator is to extract the necessary data without modifying or damaging any files or information.

Apple has its own unique operating system, which is noticeably different from the Android operating system. To understand how investigators overcome the obstacles associated with accessing iPhone data, it is first necessary to distinguish between the barriers we face. There are two different safeguards that can be used for protection: a passcode for the handset and an iOS backup password. Let’s take a closer look at each.

Getting Around a Passcode on the iPhone Device

Many users will opt to place a passcode on their actual handset. When this is the case, an individual would need to enter a passcode in order to get past the locked screen on the phone. This is why devices with these codes in place are often referred to as locked handsets. An individual may put one of these passcodes in place if they are worried about others using the device without permission. The phone will never leave the initial lock screen without the correct passcode entered.

There are three different types of codes that can be used in this situation. The most commonly used version is the simple passcode, which is more like a PIN. This is the default passcode setting, and it requires the user to enter four numbers before the phone will be unlocked.

By visiting the settings application within the device, the user can opt to make the passcode more sophisticated. This type of passcode can be either numerical only or it can be even more complex and contain numbers, letters, and spaces. If the user has chosen the most complex version of the passcode, or passphrase, a full keyboard will appear on the lock screen instead of a numeric pad.

Fortunately, we now have the forensic technology available to recover these handset passcodes. Innovative third-party software products are used to retrieve the codes. The amount of time needed to recover a passcode varies with the complexity of the code.

Extracting Information When iOS Backup Passwords Are Used

iOS backup passwords protect the iPhone information that has been stored using the iTunes application. The data is encrypted and stored on a synced computer instead of on the handset. The user must opt to have the backup information encrypted; this is not the default iTunes setting. Users may also have backup encryption software enabled in addition to the services provided by iTunes.

In order for a private investigator to extract the necessary files safely and accurately, they will first need to know or retrieve the backup password or passphrase. If the passphrase is not already known, a third-party recovery tool may be used to retrieve it. A great example of this type of innovative recovery software is Elcomsoft’s Phone Password Breaker.

Once the password has been discovered and entered, all of the encrypted folders should then be accessible. The private investigation firm can import all folders and files that are relevant to the case and the information can be analyzed.
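The following is an added example, not part of the original article or of any tool it names. It shows one way an examiner can support the goal of not modifying evidence: check whether an iTunes backup folder is encrypted and record a SHA-256 baseline of every file before analysis, then compare afterwards. It relies on the IsEncrypted key that iTunes writes to the backup's Manifest.plist; the function names and the sample backup folder are constructed for illustration.

```python
import hashlib
import plistlib
import tempfile
from pathlib import Path


def is_encrypted(backup_dir: Path) -> bool:
    """Read the IsEncrypted flag from the backup's Manifest.plist."""
    with open(backup_dir / "Manifest.plist", "rb") as fh:
        return bool(plistlib.load(fh).get("IsEncrypted", False))


def hash_tree(backup_dir: Path) -> dict:
    """Map each file's relative path to its SHA-256, opening files read-only."""
    digests = {}
    for path in sorted(p for p in backup_dir.rglob("*") if p.is_file()):
        h = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
        digests[path.relative_to(backup_dir).as_posix()] = h.hexdigest()
    return digests


def diff_trees(before: dict, after: dict) -> dict:
    """Report files added, removed or altered between two hash baselines."""
    common = before.keys() & after.keys()
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(k for k in common if before[k] != after[k]),
    }


def make_sample_backup(root: Path, encrypted: bool) -> Path:
    """Build a constructed, minimal backup folder (sample data, not a real backup)."""
    backup = root / "constructed-backup"
    (backup / "ab").mkdir(parents=True)
    with open(backup / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)
    (backup / "ab" / "ab12cd").write_bytes(b"constructed record")
    return backup


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        backup = make_sample_backup(Path(tmp), encrypted=True)
        baseline = hash_tree(backup)  # taken before any analysis begins
        print("encrypted:", is_encrypted(backup))
        print("changes after analysis:", diff_trees(baseline, hash_tree(backup)))
```

In practice the baseline would be stored with the case notes and the analysis performed on a working copy rather than on the original backup folder.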