In digital forensics why is knowing the passcode of an iPhone device so important? The simple answer is the passcode will likely make or break an analyst's access to the iPhone data. To fully explore this concept, let's briefly explore how an iPhone's security works and a short history of the iPhone's security features.
An iPhone has two basic partitions or data storage areas. The system partition contains the operating system (iOS) and the installed applications. The user data partition stores the user and application data. When an iPhone updates or upgrades the operating system, only the system partition is affected. The data partition remains intact or unchanged during a system update.
One of the key security features of an iPhone is that when the phone is turned off or locked, both the system and user data partitions are encrypted. Thus, unlocking the phone is synonymous with decrypting the data on the phone.
The on/off status of the phone determines how the user can access/decrypt the phone. If the phone is turned off, the passcode is required to unlock/decrypt the phone data when the phone is turned on. Neither Touch ID nor Face ID (if enabled by the owner/user) can unlock a powered off device. There are also other circumstances in which the passcode, and not Touch ID or Face ID, must be used to unlock the device. If the device has not been unlocked for 48 hours, the passcode is required for unlocking. If the passcode has not been used to unlock the phone in the last 6 to 7 days, the passcode is required. If Face ID or Touch ID has not been used to unlock the device in the past 4 hours, the passcode is required. So, even users who use alternative unlock methods are still sometimes required to use the passcode to unlock the device.
Another very important security feature of an iPhone is the implementation of a limit on the number of unsuccessful passcode logon attempts. Going back to the iPhone version 4, there was no limit on the number of unsuccessful passcode logon attempts. A forensic analyst could use specialized software to perform a brute-force attack on an iPhone 4 passcode. An iPhone 4 accepted only a 4-digit numeric passcode. The brute-force passcode attack would begin by trying the passcode '0000' to identify the device passcode. The software would then sequentially try '0001'; then '0002'; then '0003' and so on until the correct passcode was identified. During my previous employment as an FBI digital analyst, I was able to successfully access several iPhone 4 devices using this brute-force passcode attack method. The process could take less than a minute or as much as an hour, but eventually the passcode was obtained.
Beginning with iPhone version 5 and continuing to today's latest versions, failed passcode logon attempts can result in the lockout of the phone. On the 6th consecutive failed passcode attempt, the phone will be locked for 1 minute - the user must wait 1 minute before attempting a 7th passcode attempt. For the 7th consecutive failed attempt, the phone is locked for 5 minutes. For the 8th consecutive failed attempt, the phone is locked for 15 minutes, and for the 9th consecutive failed attempt, the phone is locked for 1 hour. On the 10th consecutive failed passcode logon attempt, the phone data is erased and a restore/reset of the phone is required. As the reader can see, the implementation of the limit on the number of unsuccessful passcode logon attempts has made the brute-force method of unlocking a modern iPhone unavailable to forensic analysts.
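To make the two policies above concrete (the passcode fallback rules for Touch ID / Face ID and the escalating lockout schedule), here is an added example that is not from the original post: a small model of the lockout schedule and of the conditions under which biometrics are refused. The 6.5-day value standing in for the post's "6 to 7 days" window is an assumption.

```python
from dataclasses import dataclass
from typing import List, Optional
# Lockout schedule as the post describes it: failures 1-5 carry no delay,
# the 6th locks the phone for 1 minute, 7th for 5, 8th for 15, 9th for 60,
# and the 10th consecutive failure erases the user data.
LOCKOUT_MINUTES = {6: 1, 7: 5, 8: 15, 9: 60}
WIPE_ON_FAILURE = 10

def lockout_after_failure(consecutive_failures: int) -> Optional[int]:
    """Minutes the phone stays locked after the n-th consecutive failed passcode.
    Returns None when the device is erased instead of locked."""
    if consecutive_failures < 1:
        raise ValueError("failure count must be at least 1")
    if consecutive_failures >= WIPE_ON_FAILURE:
        return None
    return LOCKOUT_MINUTES.get(consecutive_failures, 0)

def guesses_before_wipe(passcode_space: int = 10_000) -> float:
    """Fraction of a 4-digit passcode space reachable before the wipe: 9 of 10,000."""
    return (WIPE_ON_FAILURE - 1) / passcode_space

# Windows after which Touch ID / Face ID fall back to the passcode, in hours.
# The post says "6 to 7 days" for passcode age; 6.5 days is an assumption here.
NO_UNLOCK_LIMIT_H = 48.0
PASSCODE_AGE_LIMIT_H = 6.5 * 24
BIOMETRIC_IDLE_LIMIT_H = 4.0

@dataclass
class DeviceState:
    powered_on: bool
    hours_since_any_unlock: Optional[float]        # None = never unlocked
    hours_since_passcode_unlock: Optional[float]
    hours_since_biometric_unlock: Optional[float]

def _expired(hours: Optional[float], limit: float) -> bool:
    return hours is None or hours > limit

def passcode_required_reasons(state: DeviceState) -> List[str]:
    """Why biometrics cannot unlock the phone now; an empty list means they can."""
    reasons = []
    if not state.powered_on:
        reasons.append("device was powered off")
    if _expired(state.hours_since_any_unlock, NO_UNLOCK_LIMIT_H):
        reasons.append("not unlocked in 48 hours")
    if _expired(state.hours_since_passcode_unlock, PASSCODE_AGE_LIMIT_H):
        reasons.append("passcode not used in 6 to 7 days")
    if _expired(state.hours_since_biometric_unlock, BIOMETRIC_IDLE_LIMIT_H):
        reasons.append("biometrics not used in 4 hours")
    return reasons
```

The model shows why the analyst's position in the post follows from the policy: at most nine guesses are possible before the wipe, and a phone that arrives powered off always needs the passcode regardless of biometrics.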
While there are a limited number of commercial applications which have been successful in bypassing the iPhone passcode logon, those tools work on a limited number of iPhone models and are quite expensive (~$5,000 and up). Some of those commercial tools are only available to law enforcement and government agencies making them unavailable to private forensic analysts.
While attempts have been made to force Apple to assist in unlocking devices, Apple has continually objected to those attempts. Apple's objection is due to its company policy that Apple will never undermine the security features of its products. In 2016, the FBI sued Apple in federal court requesting that the Court require Apple to create new software which would enable the FBI to access an iPhone recovered from one of the shooters in the 2015 terrorist attack in San Bernardino, California, which killed 14 people. Apple objected, and prior to the Court resolving the dispute, the FBI found a third party who was able to unlock the phone. The suit was dismissed without a resolution by the Court. To this date, Apple continues to maintain it cannot access a locked iPhone.
The bottom line, especially for private forensic analysts like myself, is that a known passcode is the best, and likely only, method to access the data on an iPhone. Luckily, I am almost always retained by an attorney/client who knows the passcode and is voluntarily granting access to a device. But, I have been approached to unlock an iPhone owned by a deceased family member where the surviving family did not know the passcode. Unfortunately, I was unable to assist these clients where the iPhone passcode was not known.
Hopefully you found this post to be informative. If so, check back for future posts on simplifying digital forensics.