As you’ve discovered, multiple security features have been released as part of Apple’s biometric authentication system and Stolen Device Protection – most being very restrictive to performing evidence acquisitions. Many of these were released starting with iOS 17.3 and have only become more robust with successive releases. Until this feature is turned off, you will likely not be able to perform a traditional acquisition. However, DATAPILOT has multiple workaround methods to help law enforcement complete a forensic acquisition.
Stolen Device Protection can include the following:
1. Location – if the iPhone is away from a designated trusted location (home, work, etc.) and the passcode is known, this will prevent someone who has stolen the device and knows the passcode from making critical changes to the device. One option to try is to go to the suspect’s residence (or other trusted location) and disable Stolen Device Protection. Special attention should be given to finding a trusted wi-fi network.
2. Biometric authentication – Face ID or Touch ID is typically required to change settings on the device or turn off this feature
3. Security Delay – prevents immediate changes – ie: Apple Account password – 60 minutes
To turn off Stolen Device Protection if not activated: Settings > Face ID & Passcodes > likely biometric Face ID and enter passcode – might have to wait for security delay (typically 60 minutes) if not in a trusted location.
To turn off Face ID for specific tasks: Settings > Face ID & Passcodes > enter passcode (might request Facial ID) – turn off options you want to disable
To turn off Face ID completely: Settings > Face ID & Passcode > enter passcode > tap Reset Face ID
With these new security features in newer iOS versions, might need to check / add the above instructions to iPhone acquisition SOP and check that they are disabled while you are still with the suspect or witness / victim. Sometimes a suspect will hand over their phone, be released and then report it as “stolen” to enable the security features.
Bypass:
DATAPILOT’s unique HDMI capturing capability allows our DP10, DPX, and DP Desktop to acquire evidence by screen-mirroring the target device. This unique method bypasses Apple’s “trust” requirement, allowing you to easily preserve evidence from the phone, as long as it is unlocked.
