Skip to main content

Apple iPhone encryption making it easy for criminals, tough for forensic scientists

Forensic security experts are at the end of their tether with Apple after it was revealed the firm’s iPhone 5S could easily be wiped clean by criminals looking to remove all trace of illicit activities on the device.

The decision by Apple to encrypt data on the newest version of the iPhone is behind the problem that means a factory reset is all that thieves need to do in order to wipe the entire handset clean including the decryption key, Jason Solomon, a forensic investigator with Klein and Co, told The Register.

"This means we can't get a full physical image of the phone," Solomon said. "The whole phone is encrypted and the keys are stored on the device, so when you erase the phone you erase the key and [forensics] can't decrypt it."

Related: A closer look at activation lock, Apple’s iOS 7 iPhone theft prevention system

Some of the instances that have already come to light, according to Solomon, have seen the device wiped of all traces of data before the commencement of investigations. It leaves forensic investigators in a quandary and evidence can only be gathered in the form of a time and data stamp of when the factory reset has been performed on the device.

One of the only other ways that forensic experts have been able to recover data is to jailbreak the iPhone, which is something that Apple has always made extremely difficult and the 5S is one that cannot currently be jailbroken.

"Even if we can't do forensics today, as soon as a jailbreak drops, the game changes completely," said Chris Coutis, an Australian based forensics professional.

Related: Why we may never see a jailbreak for iOS 7 on the iPhone and iPad

Jailbreaking an iPhone allows the experts to gain access to the bootloader and the opportunity to take a critical sector-level image. The method used by forensics experts to jailbreak the iPhones creates a RAM disk from where probing software can then be loaded.