Skip to main content
Skip table of contents

iOS

Since the release of iOS 18.2, Stolen Device Protection adds an extra layer of security by blocking critical actions such as changing device passcode, Apple ID password, or approving a “Trust This Computer” prompt, unless the user verifies their identity using Face ID or Touch ID. Importantly, there is no option to use a passcode as a fallback.

If Stolen Device Protection is set to Away from Familiar Locations and the device is not at a recognized place like “home or work” or if it’s set to Always, a Security Delay will be required before you can disable this feature.

We recommend checking the Stolen Device Protection settings immediately if you acquire a phone from the suspect, and disabling it if possible.

The following article will explain everything you need to know to connect an iPhone with MOBILedit Forensic. iPhone can be connected either by cable or via Wi-Fi. All iOS versions are supported.

With the advances in iOS security, it is becoming commonplace that you need to know the PIN code to extract data successfully from iOS devices. The Lockdown method can bypass the screen lock with some iOS versions if the PIN code is unknown.

For successful extraction from iPhone is required to know the iTunes backup password. Without the iTunes backup password, the final result will not show much data, such as data from WhatsApp, Contacts, Photos, etc.

With iOS 15.7.6 and 16.1 or later, you must enter your phone passcode when creating an iTunes backup. This is not required in iOS 16.0 and below (excluding iOS 15.7.6).

If you are not able to obtain the iTunes backup password and don't need to analyze data from the old iTunes backup, with iOS 11 or later, you can make a new encrypted backup of your device by resetting the password.

  1. On your device, go to Settings > General > Transfer or Reset [Device] > Reset.

  2. Tap Reset Network Settings and enter your device passcode.

  3. Follow the steps to reset your settings. This won't affect your user data or passwords, but it will reset settings like display brightness, Home Screen layout, and wallpaper. It also removes your encrypted backup password.

However, this operation:

  • requires to enter the passcode

  • deletes some evidence. For example; Bluetooth-connected devices, WiFi connections and passwords. It is a trade-off as to whether or not to reset settings to get other evidence.

The advantage of MOBILedit Forensic is that it can extract data from the iPhone from a computer with iTunes for Windows installed or without, which are very different ways of communication.

iTunes for Windows not installed

It is not always necessary for the iTunes Windows application to be installed to use MOBILedit, which is usually required by other mobile forensic solutions. MOBILedit can communicate directly with iPhones or iPads using our direct Apple device driver, which can be downloaded from our website. But please remember, iTunes needs to be installed if you wish to communicate with an Apple Watch or a jailbroken iOS or iPadOS device.

Connection steps:

  1. Install the correct Apple drivers.

  2. Connect the device to a USB

  3. Enable device communication

    1. If you know the passcode
      I. Unlock the device screen.
      II. Disable the “Auto-Lock” option.
      III. Confirm the trust message on the device screen.

    2. If you don’t know the passcode, use the Lockdown method

If you want to use the checkra1n Jailbreak, the installation of iTunes is still required, since the communication requires Apple mobile device service rather than our direct driver.

iTunes for Windows installed

If the iTunes Windows application is installed, MOBILedit will communicate with the iPhone using the Apple Mobile Device Service, which is already part of the iTunes installation.

You can follow the same connection step procedures above, starting from point 2.

Do not turn off the Apple Mobile Device Service while the iOS device is connected to MOBILedit Forensic. If the service is stopped it will disconnect the device and communication with MOBILedit Forensic. MOBILedit Forensic will repeatedly try to regain communication yet will be unable to.

Jailbroken iPhone and Full file system extraction

If the iPhone is jailbroken, MOBILedit can extract all files, including application sandboxes or system files. To achieve this, MOBILedit needs iTunes installed, so please follow the above instructions. You can jailbreak iPhones using the USB drive in the MOBILedit Connection Kit. It is a small Linux live distribution that contains the Bootra1n software used to deploy Checkra1n.

Even with jailbreak, device encryption is still working, e.g., if the device was not unlocked after reboot, a limited set of data is available for extraction. Also, some applications protect files, when the phone is locked, so for full filesystem extraction, you still need to unlock the phone.

Here is a handy decision-making chart to guide you through iOS extraction and analysis:

iOS decision making.png

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close