LAPD cracks iPhone 5S in murder case, but it probably wasn't encrypted
An iPhone 5S being held as evidence in the investigation of a 2014 murder has reportedly been unlocked by the Los Angeles Police Department, though the timing of the crime suggests that the phone in question may not have been protected by encryption.
Detectives seized the phone shortly after the murder of April Jace, late wife of actor Michael Jace, according to court records reviewed by the Los Angeles Times. While the phone has been in the LAPD's possession since 2014, they were only recently able to access its contents.
Standing in their way was the phone's passcode, making for a circumstance similar to the now-infamous San Bernardino case.
However, the iPhone 5S used by the victim has been in police possession since before iOS 8 -- with stronger encryption enabled by default -- was released. This means the device in question was running iOS 7, which did not ship with strong, system-wide encryption enabled and left many portions of the system open to recovery.
As a result, it's likely that the phone was not protected by anything more substantial than the passcode lock.
The LAPD notes in its court filings only that it contracted a "forensic cellphone expert" who could "override the locked iPhone function." The warrant was issued without going into further detail, though a number of methods for bypassing the passcode lock on various iOS devices -- many revolving around the iPhone's power circuitry -- have been detailed in recent years.
Detectives seized the phone shortly after the murder of April Jace, late wife of actor Michael Jace, according to court records reviewed by the Los Angeles Times. While the phone has been in the LAPD's possession since 2014, they were only recently able to access its contents.
Standing in their way was the phone's passcode, making for a circumstance similar to the now-infamous San Bernardino case.
However, the iPhone 5S used by the victim has been in police possession since before iOS 8 -- with stronger encryption enabled by default -- was released. This means the device in question was running iOS 7, which did not ship with strong, system-wide encryption enabled and left many portions of the system open to recovery.
As a result, it's likely that the phone was not protected by anything more substantial than the passcode lock.
The LAPD notes in its court filings only that it contracted a "forensic cellphone expert" who could "override the locked iPhone function." The warrant was issued without going into further detail, though a number of methods for bypassing the passcode lock on various iOS devices -- many revolving around the iPhone's power circuitry -- have been detailed in recent years.
Comments
They may have used whatever unpacted exploits to brute force the passcode though, though even that would not have worked if someone had touchID (to make more likely to use a long passcode) and actually used a 8 alpha character passcode.
This "double encryption" is used so users can easily change the passcode without having to re-encrypt all user data. It's also so employers that provide iPhones to employees can use MDM to get a backdoor decryption token without needing to know the user's passcode.
FileVault2 on Mac OS X also uses this double encryption method to support multiple users and recovery keys.
I assume the LA police had the body in the morgue ... if the iPhone used TouchID ...
However, you don't need access to the device to get any of that data. Photos are available by subpoenaing Apple for iCloud data (Photostream). Contacts are available via either iCloud or the cell phone carrier. Messages can be retrieved via cell carrier (SMS). And sending a subpoena to Apple can tell LEOs of all users a person contacted with iMessage (even if it won't contain the text) due to the nature of public key cryptography.
And for Contacts and Photos, numerous lock screen bypasses existed in iOS 7 and 8 that permitted access to both.
As for contacts, photos, etc, is not very relevant to this case, but I would say that your assumptions would prove false in many situations, since not everyone uses iCloud that way nor contacts are just phone numbers
when iOS 8 came out the dcim folder feature was disabled. Now if you are running Windows and you see a dcim folder in explorer. it's only three because you have iTunes installed. On an iPhone running iOS 8 and a Windows computer without iTunes installed , all the photos stay on the iPhone because you can't browse it with explorer.
But it still didn't permit access to the most important data, third party app data, as it was encrypted with a passcode derived key.
In iOS 8, Apple Signed software can no longer bypass the "Trust this computer" dialog.