iPhone X only - we ...
 
Notifications
Clear all

iPhone X only - we are lost

9 Posts
5 Users
0 Likes
899 Views
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

We got a case in-lab of an iPhone X (A1865) only. No PC with iTunes backup, no iCloud of the suspect. Apple only confirmed the AppleID was used until end of Jan18 but the device last was in use confirmed Feb 2nd 18 UTC+1 0425h.

How can we after 5-times SOS button and FaceID downgrading to PassCode (Apple says 6-digit was used - I cannot believe this info) fastest unlock the iPhone X except by running Passware?

First Apple iOS stores the PassCode in the Secure Enclave. How can they say the PassCode is a 6-digit? This I hear the first time and cannot believe, I all the time thought all the PassCode info is never submitted to Apple servers, right?

Please help. Thank you.

 
Posted : 16/02/2018 3:41 pm
(@wotsits)
Posts: 253
Reputable Member
 

I'm not sure I follow some of your points.

You should be able to clearly see it is a 6 digit passcode when it requests passcode, right?

Why was the point about SOS necessary? If the device powered off, or more than 48 hours passed since being seized, then it would already be requiring the passcode.

I understand you've said no iTunes and no iCloud, but are you suggesting a brute force for this model/ios is feasible? Not that I know of.

 
Posted : 18/02/2018 1:07 pm
(@shahartal)
Posts: 27
Eminent Member
 

Rolf,
Not all is lost… your agency may submit the device (with the warrant) to Cellebrite's Advanced Services, this is what the service is for - helping Law Enforcement access evidence in very challenging cases.

The passcode type (4 digit, 6 digit, complex numeric, complex alphanumeric) is available without any special Secure Enclave access.
As was mentioned here, you can just power on and watch the screen…

 
Posted : 18/02/2018 5:43 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Thank you and Toda raba. I may was unclear in explaination. The iPhone X failbacks to PassCode by default as you mentioned. For my understanding the only surprising was that Apple told us that it is a 6-digit PassCode and I assumed that the PassCode itself never leaves the device to iCloud or iTunes backup. If, it would be possible to bruteforce outside the iPhone X - or just ask Apple to get it by warrant.

The fact is we cannot open. Under no life-threatening conditions we would send it to Petah Tikva for CAS. In this case a missing child is involved and its the device of the mother.

All too slow.

 
Posted : 19/02/2018 3:00 am
(@shahartal)
Posts: 27
Eminent Member
 

Rolf,
I'm sorry to hear about the missing child case, we try to get such phones processed as quickly as possible. Note there are other Cellebrite lab locations all over the world now (US, Canada, Germany, UK, Singapore, Japan…).

To the matter, Apple has no knowledge of the passcode itself and cannot bruteforce it, it was cryptographically designed to prevent that.

 
Posted : 19/02/2018 9:54 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

Thank you, Shahartal.

 
Posted : 19/02/2018 11:14 am
(@cellebrite_help)
Posts: 5
Active Member
 

For law enforcement issues we are 24/7 in Munich ready to serve. Just email to contact@cellebrite.com.

 
Posted : 19/02/2018 11:24 am
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
Topic starter
 

@Shahartal, we got informed that the device may runs iOS 11.3 beta 2 (15E5178f) out of the dev channel. Is Cellebrite already ready since Feb 6th 2018 release date of this beta?

I cannot find info about security changes since iOS 11 release except of the Meltdown/Spectre issue.

Does anybody has the email address of Zdziarsky at Apple?

 
Posted : 19/02/2018 11:47 am
(@dandaman_24)
Posts: 172
Estimable Member
 

Does anybody has the email address of Zdziarsky at Apple?

Try jonathan.zdziarsky@apple.com

 
Posted : 19/02/2018 8:10 pm
Share: