Several of you reached out with similar questions after watching our webinar titled “Fact or Fiction: What do you really know about iOS 13?”. To best answer them and make sure we’re all on the same page, I decided to write this short blog post. The questions are listed below with a brief description to clarify any confusion.

I. Does iOS 13 require the user to encrypt their backup?

Just to be clear, the backup must be encrypted to collect the most information from any iOS 13 device. It does not matter who, or what enables encryption. Below, you can see a few screenshots from Cellebrite Physical Analyzer below. In Figure 1., Cellebrite Physical Analyzer is alerting us that the backup is not encrypted. This is where you, the examiner, must make the right choice.

Figure 1.

The next screen (Figure 2.) will prompt you to check the box to enable temporary backup encryption. Checking this box ensures that the most amount of data is collected from the iOS device.

Figure 2.

If the device was previously encrypted by its user, the screenshot below will be shown. This means that the device currently has an iTunes encryption password tied to the device. Cellebrite Physical Analyzer will not prompt you to check the box because it’s not needed.

Figure 3.

Something worth noting is that all iOS backup collections should be encrypted (not just iOS 13), as we can collect much more when encryption is enabled. If Cellebrite UFED is used to perform the collection on the iOS device, similar messages will be conveyed. If the backup currently has an iTunes backup password associated with it, the screenshot below will be shown.

Figure 4.

If the device has not been encrypted with iTunes, the screenshot below will be shown.

Figure 5.

Just as we saw in Cellebrite Physical Analyzer, you will be prompted to check the box and enable a temporary password to collect the encrypted backup.

Figure 6.

Cellebrite Physical Analyzer will not prompt for the iTunes password unless something went wrong during the collection process. Should that occur, follow the steps shown in the next Q&A.

II. Can “disable iTunes encryption password” in the Cellebrite UFED settings under device tools remove the user-created iTunes password?

The feature built into Cellebrite UFED to Disable iTunes encryption password is designed to remove the “1234” that could be left behind by Cellebrite Physical Analyzer or Cellebrite UFED during a failed collection.

Figure 7.

When you select Disable iTunes encryption password it will only work when Cellebrite UFED or Cellebrite Physical Analyzer assigned the iTunes backup password when the examiner checked the box.

Figure 8.

Figure 9.

If the user set the iTunes encryption for the iOS device, this method will not work to remove that passcode.

III. What if I do not encrypt the backup?

If you do not encrypt the backup on iOS 13, you will not be able to collect Call logs, Safari artifacts, Apple Maps, Health, Wallet, and Keychain. A good example is shown below.

Figure 10.

Remember, for iOS 13 backup encryption is needed if you want to collect the most data from the device. Here at Cellebrite, we aim to provide you with the best solutions to support your Digital Intelligence needs. We want you to know that our methods of collection and parsing are built to guide you in the right direction and take the guesswork out of it. Any time you see an option to encrypt the backup for iOS 13 devices, you need to check that box.

Share this post