RE: iOS8 Mobile Operating System Encryption Issues
Android users can lock a phone with a pattern or PIN code as well. Biometric: a biometric-locked phone is one in which the user unlocks the phone with a fingerprint, retinal scan or facial recognition.
Potential Ways to access a locked iPhone:
There are a couple of workarounds to the new Apple encryption policy, depending on how the iDevice itself was locked: biometric or passcode.
Use of a court order to compel biometrics:
First, if your suspect's phone is locked with biometrics, we can obtain a court order which would compel the user to, for example, place his or her thumb/finger on the device to unlock it. The Fifth Amendment's guarantee that no person be compelled in any criminal case to be a witness against himself may not apply when it comes to biometric-based fingerprints (things that reflect who we are) as opposed to memory-based passwords and PINs (things we need to know and remember). It appears that authentication systems based upon physical tokens or biometrics would be considered non-testimonial evidence and therefore not protected by the Fifth Amendment. The compulsory production of a finger to unlock a cellular device would be akin to the compulsory production of blood, urine, fingerprints, voice samples, and handwriting exemplars currently ordered by the courts. (See People v. Clark (1993) 5 Cal.4th 950, 1003-1004.) Furthermore, the defendant has no right to refuse to obey such an order, and any refusal is admissible evidence of the defendant's consciousness of guilt.
Unlike biometrics, compelling a defendant to divulge his password is much more likely to implicate the Fifth Amendment's protections.
Recently, in U.S. v. Doe (11th Cir. 2012) 670 F.3d 1335, the Court held that compelling an encryption password would require the defendant to render testimonial evidence against himself. The Court explained that "[t]he touchstone of whether an act of production is testimonial is whether the government compels the individual to use the contents of his own mind to explicitly or implicitly communicate some statement of fact." (Id. at 1345 [quoting Curcio v. United States (1957) 354 U.S. 118, 128].) The Court then concluded that decryption and production of the hard drives at issue would require the use of the contents of Doe's mind and could not be fairly characterized as a physical act that would be non-testimonial in nature. (Id. at 1346.)
Use of iCloud Backup:
First steps:
Inspect the outside of the device for an IMEI[2] number. This number is one of the possible keys to finding an associated iCloud account. If the phone you have seized has the IMEI printed on the back of the device, document that (iPhone 6s and some 5s have the IMEI on the back, the older models do not). However, if the IMEI number on the back is not readily visible, for example because the phone is in a case or cover, removing the protective case would likely constitute a search.
If you think you know the phone number of the phone, dial that number, see if it rings, and document your efforts. The phone number itself is one of the possible keys to finding an associated iCloud account. Using the phone to dial 911 would likely constitute a search.
***DO NOT TURN THE DEVICE OFF*** This is because the phone will require the passcode when the phone is restarted. Secure the phone in a Faraday bag and plug it into a power source. Leave the phone on until you're able to secure a court order to compel the suspect to place his/her fingerprints on the device. Then do forensics immediately.
Question the owner of the phone. Can you get consent to search? In writing is best. Ask: What is your passcode? What is your AppleID[3]? What is your iCloud email address? What is your AppleID passcode? What is your phone number? Do you sync your iPhone to the cloud or a computer? What name, address, and DOB were used to activate cellphone service?
Second Steps:
If you did not learn the IMEI and/or phone number during the initial seizure of the phone, you will need to write a search warrant to further inspect for the IMEI number, either by examining the SIM tray (which has the IMEI etched on it) or by removing the case. A search warrant is also needed to call a 911 dispatcher from the cellphone to learn its number.
Third Steps:
Preservation letter: As soon as you determine the IMEI/AppleID/phone number of the phone, send a preservation letter to Apple. The IMEI/AppleID/phone number will allow Apple to identify and preserve the correct iCloud account and iCloud backup. Apple's fax number for preservation requests is
Search Warrant for AppleID: Once the preservation letter has been submitted, you should write a warrant to Apple to obtain the email address of the iCloud account associated with the phone number and/or IMEI you obtained from the device. This Apple ID is the email address used to activate the phone and maintain the iCloud account.
Search Warrant to reset iCloud account: A follow-up search warrant should then be sought ordering Apple to reset the password for the iCloud account associated with your suspect's phone. Once Apple has reset the password, we would be able to sync the iCloud account the suspect uses to a phone that the DA's Office or your agency purchases, and hopefully obtain the data you need for your case. We would then be able to view the data from the phone on our device. Keep in mind that the Apple data will be from the last time the iCloud account was synced. If your suspect hasn't synced the phone to the Cloud in days or weeks, then you may not get current data.
Note: Apple is still implementing this resetting methodology as of 9/30/14. The reset password is generally resent to the original email address only, which of course law enforcement does not control. Apple is aware of this issue and will develop a policy to get the new passcode to the submitting agency. In the meantime you can contact , Legal Compliance Manager at . A good suggestion: once you have typed out the warrant for Apple to reset the iCloud password, send Apple a soft copy of it for their review. Send only the warrant, not the Affidavit or Statement of Probable Cause. You can email them to . Be patient with them.
Use of iTunes Backup:
An iTunes backup can be used in place of or in addition to an iCloud backup. If the suspect admits to syncing his or her phone to a computer, we can examine that computer forensically and possibly obtain the unlock code to the phone, located in a .plist file. Seize the computer and contact a forensic examiner. Prepare to preserve the iCloud account as above and additionally write a search warrant for the computer.
Sample Search Warrant language could include:
If you secure a warrant for Apple to reset the password, your warrant should also include language that authorizes you to then review the data that Apple sends you, and what specifically you're looking for in those records. If you want the text messages only, you may not have authority to search the emails. Apple will send you the complete iCloud backup, not just certain portions. It will be incumbent on the investigator to look only in those places where the evidence would likely be found.
"Upon receipt of the records, the government is authorized to search through the produced records and to copy those files that are particularly described within the warrant."
With that data on the law enforcement phone, we could perform forensics to extract that data. Your warrant should include this information as well, and perhaps a search procedure for this step. Such language could include:
"In the forensic review of any device or image under this warrant the government will take reasonable efforts to use methods and procedures that will locate and expose those categories of files, documents, or other electronically-stored information that are identified with particularity in the warrant, while minimizing exposure or examination of irrelevant, privileged, or confidential files, to the extent reasonably practicable."
Apple does not have any language at this point, so be very specific in your wish list wording when asking for the password to be reset. Apple legal compliance is aware of these issues and they will be setting up language and policies to deal with this issue soon.
Apple Guidelines:
Here is a copy of the most recent law enforcement guidelines published by Apple: http://images.apple.com/privacy/docs/legalprocess-guidelines-us.pdf
About the Author:
is the Senior Inspector for the Contra Costa County District Attorney's Office. He can be reached at
[2] IMEI: (International Mobile Equipment Identity) number, which is a 15 or 17 digit code
[3] An Apple ID is available free of charge and can be obtained by signing up at the My Apple ID webpage. An Apple ID must be a valid email address, for example username@example.com, protected by a password that is an alphanumeric string of at least 8 characters, and case sensitive.
www.policetechnical.com