
RE: iOS8 Mobile Operating System Encryption Issues

Android users can lock a phone with a pattern
or PIN code as well.
Biometric: a biometric locked phone is one in
which the user unlocks the phone with a
fingerprint, retinal scan or facial recognition.

Potential Ways to access a locked iPhone:


There are a couple of workarounds to the new
Apple encryption policy depending on how the
iDevice itself was locked: biometric, or
passcode.
Use of a court order to compel biometrics:
First, if your suspect's phone is locked with
biometrics, we can obtain a court order which
would compel the user to, for example, place his
or her thumb/finger on the device to unlock it.
The Fifth Amendment's guarantee that no
person be compelled in any criminal case to be
a witness against himself may not apply when
it comes to biometric-based fingerprints (things
that reflect who we are) as opposed to
memory-based passwords and PINs (things we
need to know and remember).
It appears that authentication systems based
upon physical tokens or biometrics would be
considered non-testimonial evidence and
therefore not protected by the Fifth
Amendment. The compulsory production of a
finger to unlock a cellular device would be akin
to the similar compulsory production of blood,
urine, fingerprints, voice samples, and
handwriting exemplars currently ordered by the
courts. (See People v. Clark (1993) 5 Cal.4th
950, 1003-1004.) Furthermore, the defendant
has no right to refuse to obey such an order and
any refusal is admissible evidence of the
defendant's consciousness of guilt.
Unlike biometrics, compelling a defendant to
divulge his password is much more likely to
implicate the Fifth Amendment's protections.

Recently, in U.S. v. Doe (11th Cir. 2012) 670 F.3d
1335, the Court held that compelling an
encryption password would require defendant
to render testimonial evidence against himself.
The Court explained that "[t]he touchstone of
whether an act of production is testimonial is
whether the government compels the individual
to use the contents of his own mind to
explicitly or implicitly communicate some
statement of fact." (Id. at 1345 [quoting Curcio
v. United States (1957) 354 U.S. 118, 128].) The
Court then concluded that decryption and
production of the hard drives at issue would
require the use of the contents of Doe's mind
and could not be fairly characterized as a
physical act that would be non-testimonial in
nature. (Id. at 1346.)

Use of iCloud Backup:


First steps: Inspect the outside of the device for
an IMEI [2] number. This number is one of the
possible keys to finding an associated iCloud
account. If the phone you have seized has the
IMEI printed on the back of the device,
document that (iPhone 6s and some 5s have
the IMEI on the back, the older models do not).
However, if the IMEI number on the back is not
readily visible, for example because of a case or
cover, removing the protective case would likely
constitute a search.
If you think you know the phone number of the
phone, dial that number and see if it rings and
document your efforts. The phone number
itself is one of the possible keys to finding an
associated iCloud account. Using the phone to
dial 911 would likely constitute a search.
***DO NOT TURN THE DEVICE OFF***
This is because the phone will require the
passcode when the phone is restarted. Secure
the phone in a Faraday bag and plug it into a
power source. Leave the phone on until you're
able to secure a court order to compel the
suspect to place his/her fingerprints on the
device. Then do forensics immediately.

[2] IMEI (International Mobile Equipment Identity) number,
which is a 15 or 17 digit code.

Question the owner of the phone. Can you get
consent to search (in writing is best)? Ask: What
is your pass code? What is your AppleID [3]?
What is your iCloud email address? What is
your AppleID passcode? What is your phone
number? Do you sync your iPhone to the
cloud or a computer? What name, address, and
DOB were used to activate cellphone service?
Second Steps: If you did not learn the IMEI
and/or phone number during the initial seizure
of the phone, you will need to write a search
warrant to further inspect for the IMEI
number, either by examining the SIM tray (which
has the IMEI etched on it) or by removing the case.
A search warrant is also needed to call a 911
dispatcher from the cellphone to learn its
number.
Third Steps:
Preservation letter: As soon as you determine
the IMEI/AppleID/Phone Number of the phone,
send a preservation letter to Apple. The
IMEI/AppleID/Phone number will allow Apple
to identify and preserve the correct iCloud
account and iCloud backup. Apple's fax number
for preservation requests is
Search Warrant for AppleID: Once the
preservation letter has been submitted, you
should write a warrant to Apple to obtain the
email address of the iCloud account associated
with the phone number and/or IMEI you
obtained from the device. This Apple ID number
is the email address used to activate the phone
and maintain the iCloud account.
Search Warrant to reset iCloud account: A
follow up search warrant should then be sought
ordering Apple to reset the password for the
iCloud account associated with your suspect's
phone. Once Apple has reset the password, we
would be able to sync the iCloud account the
suspect uses to a phone the DA's Office or your
agency purchases, and hopefully obtain the
data you need for your case. We would then be
able to view the data from the phone on our
device. Keep in mind that the Apple data will be
from the last time the iCloud account was
synced. If your suspect hasn't synced the phone
to the Cloud in days or weeks, then you may not
get current data.

[3] An Apple ID is available free of charge and can be
obtained by signing up at the My Apple ID webpage. An
Apple ID must be a valid email address, for example
username@example.com, protected by a password that
is an alphanumeric string of at least 8 characters, and case
sensitive.

Note: Apple is still implementing this resetting
methodology as of 9/30/14. The reset
password is generally resent to the original
email address only, which of course law
enforcement does not control. Apple is aware
of this issue and will develop a policy to get the
new passcode to the submitting agency. In the
meantime you can contact
, Legal
Compliance Manager at
. A
good suggestion is, once you have typed
out the warrant for Apple to reset the iCloud
password, to send Apple a soft copy of it for
their review: not the Affidavit or Statement of
Probable Cause, just the warrant. You can email
them to
Be patient with them.
Use of iTunes Backup: An iTunes backup can be
used in place of or in addition to an iCloud
backup. If the suspect admits to syncing his or
her phone to a computer, we can examine that
computer forensically and possibly obtain the
unlock code, located in a .plist file, to the
phone. Seize the computer and contact a
forensic examiner. Prepare to preserve the
iCloud account as above and additionally write
a search warrant for the computer.
Sample Search Warrant language could
include: If you secure a warrant for Apple to
reset the password, your warrant should also
include language that authorizes you to then
review the data that Apple sends you, and what
specifically you're looking for in those records.
If you want the text messages only, you may not
have authority to search the emails. Apple will
send you the complete iCloud backup, not just
certain portions. It will be incumbent on the
investigator to look only in those places that the
evidence would be likely found.

"Upon receipt of the records, the government is
authorized to search through the produced
records and to copy those files that are
particularly described within the warrant."
With that data on the law enforcement phone,
we could perform forensics to extract that data.
Your warrant should include this information as
well, and perhaps a search procedure for this
step. Such language could include:
"In the forensic review of any device or image
under this warrant the government will take
reasonable efforts to use methods and
procedures that will locate and expose those
categories of files, documents, or other
electronically-stored information that are
identified with particularity in the warrant,
while minimizing exposure or examination of
irrelevant, privileged, or confidential files, to the
extent reasonably practicable."
Apple does not have any language at this point,
so be very specific in your wish list wording
when asking for the password to be reset.
Apple legal compliance is aware of these issues
and they will be setting up language and
policies to deal with this issue soon.
Apple Guidelines: Here is a copy of the most
recent law enforcement guidelines published by
Apple.
http://images.apple.com/privacy/docs/legalprocess-guidelines-us.pdf

About the Author:
is the Senior Inspector for the
Contra Costa County District Attorney's Office.
He can be reached at

www.policetechnical.com
