With iOS 11.4.1 (released July, 2018) comes a new feature call “USB Restricted Mode.” With this update, this mode is enabled by default, even though it appears off (see picture). It locks down the lightning port after one hour of no password being entered on the device. That means if you have not entered the password in the last hour, no data can be sent or received through the lightning port (charging port) on the computer.

This could have an impact on mobile forensics. Mobile forensic tools such as Cellebrite work by connecting to the device through that lightning port. The tools then download the data over that connection. If the port is locked down, the tool will be unable to download any data.

Many in the media believe this update is designed to lock out a new forensics tool called Graykey. Graykey was capable of unlocking iPhones by obtaining their passwords, without the user’s permission. While not a lot is known about how Graykey works, it connects to the phone through the phone’s lightning port. If the lightning port is disabled, Graykey may not function.

Outside of Graykey, this update has little impact on digital forensic. Prior to the release of Graykey a few months ago, examiners needed the phone’s password/passcode to access the device. When the device connects to a tool such as Cellebrite (or even when it connects to a computer the user can back it up to iTunes), it prompts the user to enter the password to pair the phone with the device. If a forensic examiner did not have the password, they would not be able to download the data.

In the end, this update will have little impact on the day-to-day operations of digital forensic examiners. It is just the latest in the continuing cat-and-mouse game of vendors adding better security and digital forensic examiners’ need to find ways around the security to access the data on the device.