Forensic Implications of iOS 11 Security Measures

iOS 11 implements a number of new security measures, some of which are not advertised and not widely known to the forensic crowd. We researched the new OS and discovered a number of things carrying important forensic implications for our users. The new release complicates logical acquisition, removes notifications from backups, yet leaves existing pairing records untouched.

iOS 11 comes with several enhancements to its security model.

Establishing trust with a new computer is now a two-step process: in addition to confirming the “Trust This Computer?” prompt, the user must enter the device passcode. Pairing the iOS device with a computer is required for logical acquisition; without a pairing, experts cannot make a local backup of the device, which leaves iCloud as the only remaining acquisition option. Note that existing pairing relationships appear unaffected by the upgrade: pairing (lockdown) records extracted from the user’s Mac or PC (/var/db/lockdown on macOS, %ProgramData%\Apple\Lockdown on Windows) can still be used to establish a trusted relationship. When a pairing record is used to pull a backup with Elcomsoft iOS Forensic Toolkit, the passcode requirement is lifted. We believe this change carries significant consequences from the legal standpoint. While in certain cases the user may be compelled to unlock their device with a fingerprint, obtaining the passcode from the user may be challenging and, in many jurisdictions, not legally possible.
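Before relying on a pairing record pulled from the suspect's computer, an examiner wants to know which records exist on that machine and whether each one is complete. The script below, an added example that is not part of the original article or of Elcomsoft's toolkit, inventories the lockdown directory and reports, for every <UDID>.plist, the HostID, the SystemBUID of the host, and whether the record carries the keys needed to re-open a trusted session. The directory paths and the record keys it checks (HostID, HostCertificate, HostPrivateKey, DeviceCertificate, RootCertificate, EscrowBag, SystemBUID, WiFiMACAddress) are the well-known lockdown record layout; the sample records written by write_sample_record() are constructed for this demo and contain dummy key material.

```python
"""Inventory iOS lockdown (pairing) records on an examiner's workstation.

Added example, not part of the original article or of Elcomsoft's toolkit.
It assumes the standard lockdown record locations and the well-known keys of
a pairing plist; the sample records written by write_sample_record() are
constructed for this demo and contain dummy key material.
"""
import os
import plistlib
import sys
import tempfile
from typing import Dict, List, Sequence

# Where iTunes / usbmuxd keep pairing records; each record is <UDID>.plist.
LOCKDOWN_DIRS = {
    "darwin": "/var/db/lockdown",
    "win32": os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"),
                          "Apple", "Lockdown"),
    "linux": "/var/lib/lockdown",  # libimobiledevice default
}

# Keys the host needs to re-open a trusted session without a new "Trust"
# prompt. EscrowBag is what lets the host reach protected data while the
# device is powered on and has been unlocked at least once since boot.
REQUIRED_KEYS: Sequence[str] = ("HostID", "HostCertificate", "HostPrivateKey",
                                "DeviceCertificate", "RootCertificate")


def summarize_record(path: str) -> Dict[str, object]:
    """Parse one pairing record and report whether it looks usable."""
    with open(path, "rb") as fh:
        rec = plistlib.load(fh)
    missing = [k for k in REQUIRED_KEYS if k not in rec]
    escrow = rec.get("EscrowBag")
    return {
        "udid": os.path.splitext(os.path.basename(path))[0],
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        "has_escrow_bag": isinstance(escrow, bytes) and len(escrow) > 0,
        "missing": missing,
        "usable": not missing,
    }


def scan_lockdown_dir(directory: str) -> List[Dict[str, object]]:
    """Summarize every <UDID>.plist in a lockdown directory, sorted by name."""
    results = []
    for name in sorted(os.listdir(directory)):
        # SystemConfiguration.plist holds the host's SystemBUID, not a pairing.
        if not name.endswith(".plist") or name == "SystemConfiguration.plist":
            continue
        results.append(summarize_record(os.path.join(directory, name)))
    return results


def write_sample_record(directory: str, udid: str, *, with_escrow: bool = True,
                        drop: Sequence[str] = ()) -> str:
    """Write a constructed pairing record with dummy values (demo only)."""
    pem_cert = b"-----BEGIN CERTIFICATE-----\nDUMMY\n-----END CERTIFICATE-----\n"
    rec = {
        "HostID": "6B5C8F2A-1D3E-4F5A-9B7C-0123456789AB",        # dummy UUID
        "SystemBUID": "A1B2C3D4-E5F6-4A7B-8C9D-0E1F2A3B4C5D",    # dummy UUID
        "WiFiMACAddress": "00:11:22:33:44:55",
        "HostCertificate": pem_cert,
        "HostPrivateKey": b"-----BEGIN RSA PRIVATE KEY-----\nDUMMY\n-----END RSA PRIVATE KEY-----\n",
        "DeviceCertificate": pem_cert,
        "RootCertificate": pem_cert,
    }
    if with_escrow:
        rec["EscrowBag"] = b"\x00" * 32  # real bags are opaque keybag blobs
    for key in drop:
        rec.pop(key, None)
    path = os.path.join(directory, udid + ".plist")
    with open(path, "wb") as fh:
        plistlib.dump(rec, fh)
    return path


def demo() -> List[Dict[str, object]]:
    """Build two constructed records in a temp dir and scan them."""
    with tempfile.TemporaryDirectory() as tmp:
        write_sample_record(tmp, "00008020-000A1B2C3D4E5F60")
        write_sample_record(tmp, "d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0",
                            with_escrow=False, drop=("HostPrivateKey",))
        return scan_lockdown_dir(tmp)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else LOCKDOWN_DIRS.get(sys.platform, "/var/db/lockdown")
    try:
        records = scan_lockdown_dir(target)
    except (FileNotFoundError, PermissionError) as err:
        print(f"cannot read {target}: {err} (on macOS the directory is root-only); using demo records")
        records = demo()
    for r in records:
        print(f"{r['udid']}: usable={r['usable']} escrow={r['has_escrow_bag']} missing={r['missing']}")
```

Run it with the path of a lockdown directory copied from the suspect's machine as the first argument; without one it scans the local default and falls back to the constructed demo records if that directory is unreadable. A record reported as not usable (a required key is missing) will not establish trust no matter how the device is prepared, and even a complete record is of no use once the device has rebooted and has not yet been unlocked.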

The new SOS mode lets iPhone users quickly disable Touch ID by pressing the sleep/wake button five times in rapid succession. Fingerprint unlock then becomes impossible, and the passcode is required to unlock the device. The feature can be used to discreetly disable Touch ID in situations where the user might be compelled to unlock their phone with a fingerprint. Once Touch ID is disabled, the only remaining ways to get at the device’s data are the passcode or an existing pairing record. Using SOS mode does not automatically invalidate existing pairing records. For a pairing record to be usable, however, it is essential that the iPhone in question remains powered on and is not allowed to shut down or reboot before acquisition is attempted; once the device reboots, the record is of no use until the passcode has been entered on the device.

Yet another change in the iOS 11 security model concerns notifications. In previous versions of iOS, notifications originating from all apps and services were stored in both local and cloud backups. Because only 7 days’ worth of notifications were accessible through the user interface, older undismissed notifications were carried over in backups indefinitely without the user knowing they existed. iOS 11 removes this: undismissed notifications are no longer part of local or cloud backups, leaving experts with one less piece of information extractable from iOS backups.

We made additional discoveries about the enhanced security model of iOS 11; the full article is available on our official blog.

See also