iOS Stolen Device Protection: A Game-Changer for Users and a Challenge for Law Enforcement
iOS Stolen Device Protection: Navigating new iOS security in your mobile device investigations
Apple’s Stolen Device Protection, introduced with iOS 17.3 and enhanced in subsequent updates, is a robust security feature designed to safeguard iPhone users’ data if their device is stolen, even if the thief knows the passcode. This feature adds critical layers of protection, particularly when the device is away from familiar locations like home or work. However, while it strengthens user privacy, it presents significant challenges for law enforcement investigators conducting iOS investigations.
Stolen Device Protection requires biometric authentication—Face ID or Touch ID—for sensitive actions like accessing stored passwords, credit cards, or changing Apple Account settings. If the iPhone is not in a familiar location, a one-hour security delay is enforced for critical changes, followed by a second biometric check. This ensures that thieves cannot quickly alter account settings or access sensitive data, giving victims time to activate Lost Mode via Find My, which locks the device remotely. For users, this feature significantly reduces the risk of financial theft or data loss, as seen in cases where thieves have exploited passcodes to drain bank accounts or lock owners out of their Apple IDs.
For law enforcement investigators, however, Stolen Device Protection complicates digital investigations.
When you work with an iOS device away from the user's familiar locations, biometric authentication is still required after the passcode is entered, even in consensual situations where the passcode to the device is known.
Workarounds, such as disabling Stolen Device Protection via Settings (which requires biometrics and a delay if the device is not in a familiar location), are not always feasible. We need to anticipate that any iPhone we encounter will have SDP enabled, and we must act, with the consensual party, to turn off SDP while in a familiar location. If you are not in a familiar location, the consensual party will have to stay long enough to complete the second biometric authentication after the hour has passed. Knowing this lets you determine whether traveling to a familiar location would be quicker than waiting out the hour, and move to that location if so.
No additional steps are required when you are in a familiar location; the user can use the device passcode as usual. What is a familiar location? Familiar locations typically include your home, work, and certain other locations where you regularly use your iPhone. While no list of familiar locations is available to you in Settings, you can look at Settings → Privacy & Security → Location Services → System Services → Significant Locations, which may show a recent location close to your current location, other than home or work. This allows you to adapt and overcome if time is of the essence.