Mobile Phone Forensics
Security researcher Bernd Marienfeldt recently published his findings on the general state of iPhone security and has exposed a rather significant vulnerability present in the current iterations of the iPhone. It appears that even when the iPhone is set to require a PIN (plus encryption, in the case of the 3GS), that Ubuntu 10.04 (and probably any similarly configured Linux variant) will automount the flash storage on the iPhone, even when in a “protected state.” Marienfeldt states:
I uncovered a data protection vulnerability , which I could reproduce on 3 other non jail broken 3GS iPhones (MC 131B, MC132B) with different iPhone OS versions installed (3.1.3-7E18 modem firmware 05.12.01 and version 3.1.2 -7D11, modem 05.11.07) , all passcode (4 digits) protected which means the vulnerability bypasses authentication for various data where people most likely rely on data protection through encryption and do not expect that authentication is not in place.
Apple has been made aware of the vulnerability and has been able to reproduce it; however, they have not given any guidance as to when a fix should be expected.
Aside from the possible malicious consequences of this vulnerability, from a forensics standpoint, the vulnerability (while it lasts), could provide a duly authorized forensics examiner the ability to possibly access stored data on a seized iPhone, even when protected by a PIN and hardware encryption (in the case of the iPhone 3GS). Remember to remove the SIM card immediately upon seizure as an iPhone can be remotely wiped (given an active data connection), which will eliminate the possibility of data recovery.