5 Easy Mistakes to Make in iOs Forensics

iphone being held

When it comes to mobile forensics, more so iPhones, many things can go wrong in data recovery. You can either lose the data permanently, or make it harder to retrieve the data. This is why it is crucial to learn the most common mistakes regarding iOs forensics and how to avoid them. Here are the five most common iOs forensics mistakes to avoid…

1. Power Off

When it comes to iOS forensics, it is important to ensure that the device content does not change, discharge, or get remotely wiped, according to cyber security experts, Computer Forensics Lab. While a powered-off device won’t make any connection or self-discharge, the device is not forensic friendly – it switches from AFU to BFU mode resulting in the following:

  • Encryption keys are deleted from the RAM
  • Passcode recovery attack becomes difficult
  • Biometric authentication is impractical
  • Logical acquisition becomes impossible 
  • Limited BFU extraction 

2. Ejecting Sim Card

Removing the Sim card is the next big mistake when it comes to iOs forensics. You remove a sim card to ensure no accidental connection to any mobile network. But once you disconnect the sim card on any iPhone device running on iOS 11, 12, or 13, the following will happen:

  • The device locks instantly.
  • Biometric unlocking is disabled – unless you have the passcode.
  • USB mode is restricted

3. Be Careful Holding the Device

Depending on how you hold a modern iPhone, there are chances you will waste one attempt to unlock the phone by pointing it towards the owner (suspect). Therefore, if the device comes with a Touch ID, do not touch the fingerprint reader. Otherwise, you will lose one of the five attempts to unlock the device.

4. Resetting Backup Password

Unless the phone can be jailbroken, the iTunes backup is the primary source of data. However, iPhone backups are unique in many ways. For instance, if the backup is password encrypted, that’s a big problem. From iOS 10.1 onwards, brute-force password recovery is impractical unless you have special software. But again, iOS 11 makes logical acquisition inconsequential – it allows the resetting of the iTunes backup password.

In Apple devices, all passwords are connected, and therefore if you try to reset the backup password, the device passcode also resets. This has terrible consequences. First, you lose all Wi-Fi saved passcodes, transaction history on Apple Pay, and other vital data. Secondly, you lose everything that you could do with the passcode. In a nutshell, resetting a backup password is a grave mistake.

5. iOS Logical Acquisition

Contrary to popular opinion, many things can go wrong with iOS logical acquisition (definition). For instance, when creating a backup with iTunes, you should never forget to disable iTunes sync before connecting the device to the PC; otherwise, the phone’s data may change. There is also more to the logical acquisition, including how to handle a backup without a password – not as easy as it may sound. Many things can go wrong, including not getting health data, Keychain, and browsing history.  

The above are some common mistakes made by forensic experts. Therefore, to avoid such errors, it is crucial to follow the right workflow, document all steps, and ensure that every step is repeatable and verifiable. In addition, cross-matching results and reporting are essential. Most importantly, using a ‘tool’ is not always right, as the tool’s effectiveness depends on many factors, including the device’s environment and technology.