With each new release by a Mobile OS developer comes changes that affect the way the data is obtained from these devices, with the release of iOS 16 by Apple, there were some major changes.
ADF Solutions has been at the forefront of collecting this data in early case assessments, digital forensic triage, consent searches (victim, witness) and logical acquisitions with parsing of data. One of the changes Apple made was to add Developer Mode, which is not easily turned on by someone who is not a developer.
Apple Developer Mode and Apple ID
Developer mode was introduced in iOS 16 and watchOS 9 with the purpose of protecting users from inadvertently installing harmful applications on their devices. The connection between ADF Mobile forensic tools and the iOS device requires a Developer/User relationship in order to properly document the screenshots from that device.
Since ADF digital forensic tools are used in situations where access to the device is necessary, you will also now need the user to provide the AppleID in order to invoke developer mode. While this can present an issue with some mobile device owners, we recognize that users of Mobile Device Investigator and Digital Evidence Investigator PRO are investigators first and if it wasn't for their investigative skills the digital evidence would most likely walk away. The Apple ID is only required if screenshots are necessary, you will still be able to obtain logical acquisitions and preview without developer mode turned on.
Digital Forensic Screenshots on iOS Devices
ADF Mobile tools will walk you through the process when you choose to obtain screenshots from an iOS 16 device that has a Face, Touch or Passcode assigned. Once the passcode is turned off (with the Apple ID) the phone will reboot and Developer Mode will be turned on, now allowing screenshots to be taken from the device. No data will be lost or removed when removing the passcode, security items will just need to be enabled again.
When complete, developer mode is easily turned off in Privacy & Security settings. If the user was using Wallet or Apple Pay, they will need to be enabled again in settings as well. Secure banking apps may need to be signed into again as well. When working with victims and witnesses, or any consent type collection, this simplified process will ensure your data and evidence is documented properly while maintaining a chain of custody. Victims and witnesses will be more apt to share when they know you are working with them and only collecting the data that is relevant.
