Forensic Implications of iOS Lockdown (Pairing) Records
In this publication, we discuss an acquisition approach for an iOS device under the following specific circumstances:
1. Runs iOS 8.x through 10.x
2. When seized, the device was powered on but locked with a passcode and/or Touch ID
3. Device was never powered off or rebooted since it was seized
4. Does not have a jailbreak installed and may not allow installing a jailbreak
5. Investigators have access to one or more computers with which the iOS device was synced (via iTunes) or which it trusted in the past (by confirming the “Trust this PC” prompt on the device)
At first sight this list may look restrictive, but in practice it describes a common situation: if the iPhone was seized with its screen locked and has been kept in that state, it may still be possible to access the information on the device by using so-called lockdown files (pairing records) taken from a trusted computer.
First, let’s talk about pairing relationships. In iOS forensics, a pairing is a trusted relationship between the iOS device and a computer (Mac or PC). The relationship is established once, when the user unlocks the iOS device with Touch ID or the passcode and confirms the “Trust this PC” prompt; at that point the two sides exchange cryptographic keys and certificates, and from then on the computer is granted trusted access to the iPhone even while the iPhone’s screen is locked. A forensic examiner can reuse such a pre-established trust relationship to produce a backup of a device that is still locked.
Lockdown records are the files that hold the computer’s side of this relationship. They are stored on the computer with which the iOS device was synced or which it trusted, and are created the first time the user connects the iOS device to a computer running iTunes and confirms the trust prompt. On macOS they are kept in /var/db/lockdown/, on Windows in %ProgramData%\Apple\Lockdown\, one <UDID>.plist per device; a record is only valid for the device whose UDID it is named after. Copied into the same directory on the examiner’s workstation, the record lets that workstation pair with the seized device, and forensic specialists routinely use lockdown records in this way to produce a full backup of the connected phone.
A quick guide on how to use lockdown records to obtain the backup and retrieve files from it is available here.
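As an added example (not part of the original post, and not any vendor’s tool), the script below inventories the lockdown records present on an examiner’s workstation, checks that each one carries the fields a pairing needs, and assembles the libimobiledevice command lines for the backup step. The directory paths and field names (HostID, SystemBUID, HostCertificate, HostPrivateKey, RootCertificate, RootPrivateKey, DeviceCertificate, EscrowBag, WiFiMACAddress) follow the record format written by iTunes and usbmuxd; the two sample records are constructed for the demo and contain no real key material. The UDIDs and values in them are made up.

```python
"""Inventory and sanity-check iOS lockdown (pairing) records.

Added example, not from the original post. Standard library only.
"""
import os
import plistlib
import sys
import tempfile

# Default lockdown directories used by iTunes (macOS/Windows) and usbmuxd (Linux).
LOCKDOWN_DIRS = {
    "darwin": "/var/db/lockdown",
    "win32": os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"),
                          "Apple", "Lockdown"),
    "linux": "/var/lib/lockdown",
}

# Without these the host cannot complete the TLS handshake with a locked device.
REQUIRED_FIELDS = ("HostID", "SystemBUID", "HostCertificate", "HostPrivateKey",
                   "RootCertificate", "RootPrivateKey", "DeviceCertificate")


def default_lockdown_dir(platform=sys.platform):
    """Map a sys.platform string to the lockdown directory for that OS."""
    for prefix, path in LOCKDOWN_DIRS.items():
        if platform.startswith(prefix):
            return path
    return None


def list_lockdown_records(directory):
    """Return {UDID: path} for each per-device record in the directory.

    SystemConfiguration.plist (host-wide settings on macOS) is not a pairing record.
    """
    records = {}
    for name in sorted(os.listdir(directory)):
        stem, ext = os.path.splitext(name)
        if ext.lower() == ".plist" and stem != "SystemConfiguration":
            records[stem] = os.path.join(directory, name)
    return records


def inspect_record(path):
    """Parse one record and report whether it is complete enough to pair with."""
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)
    missing = [k for k in REQUIRED_FIELDS if k not in rec]
    return {
        "udid": os.path.splitext(os.path.basename(path))[0],
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_escrow_bag": "EscrowBag" in rec,   # needed for backups of a locked device
        "missing": missing,
        "usable": not missing,
    }


def acquisition_commands(udid, outdir):
    """libimobiledevice steps once the record is in place; -u selects the device."""
    return [
        ["idevicepair", "-u", udid, "validate"],
        ["idevicebackup2", "-u", udid, "backup", "--full", outdir],
    ]


def write_constructed_samples(directory):
    """Write two constructed records (no real keys) plus a SystemConfiguration.plist."""
    complete = {k: b"-----BEGIN CONSTRUCTED-----" for k in REQUIRED_FIELDS[2:]}
    complete.update({"HostID": "7F0C3B4E-1111-2222-3333-444455556666",
                     "SystemBUID": "A1B2C3D4-0000-1111-2222-333344445555",
                     "WiFiMACAddress": "00:11:22:33:44:55",
                     "EscrowBag": b"constructed-escrow-bag"})
    truncated = {k: v for k, v in complete.items()
                 if k not in ("HostPrivateKey", "EscrowBag")}  # damaged record
    samples = {"00008030-000A11112222333E": complete,
               "0123456789abcdef0123456789abcdef01234567": truncated}
    for udid, rec in samples.items():
        with open(os.path.join(directory, udid + ".plist"), "wb") as fh:
            plistlib.dump(rec, fh)
    with open(os.path.join(directory, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": complete["SystemBUID"]}, fh)


def run_demo():
    """Inventory the constructed directory; returns {UDID: inspection result}."""
    workdir = tempfile.mkdtemp(prefix="lockdown-demo-")
    write_constructed_samples(workdir)
    return {udid: inspect_record(p) for udid, p in list_lockdown_records(workdir).items()}


if __name__ == "__main__":
    directory = sys.argv[1] if len(sys.argv) > 1 else default_lockdown_dir()
    results = run_demo() if directory is None else {
        u: inspect_record(p) for u, p in list_lockdown_records(directory).items()}
    for udid, info in results.items():
        status = "usable" if info["usable"] else "missing " + ", ".join(info["missing"])
        print(f"{udid}: {status}; HostID={info['host_id']} WiFi={info['wifi_mac']}")
        if info["usable"]:
            for cmd in acquisition_commands(udid, os.path.join("backups", udid)):
                print("   ", " ".join(cmd))
```

Run it with the examiner’s lockdown directory as the argument (or with no argument on a platform it knows) to see which seized-device UDIDs the workstation already holds complete records for; a record flagged as missing HostPrivateKey or EscrowBag will not get you a backup of a locked device and should be sourced from another trusted computer instead.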
Multiple forensic tools exist for viewing and analyzing mobile backups once one has been obtained.
In conclusion, it may be possible to acquire iOS devices that are found locked but powered on. Lockdown files may exist on the user’s Mac or PC, and those files can be used to obtain a backup from the iOS device, provided that the device was never allowed to power off or reboot after the seizure. Following established guidelines on seizing and storing mobile devices is therefore a must for successful acquisition.