Too many ‘ifs’ to crack Pistorius iPhone: expert

Investigators will need a lot of technical boxes to be ticked before they can get any information off Oscar Pistorius’ locked iPhone, a security expert has said.

This follows reports that investigators are having a tough time gaining access to the murder-accused paralympian’s phone for crucial evidence – with the much-publicised trial date drawing nearer.

Pistorius stands accused of murdering his model girlfriend, Reeva Steenkamp, on 14 February 2013.

Pistorius claimed that he believed Steenkamp was an intruder at the time the incident took place, and opened fire on her behind a closed door. The state is pursuing murder charges.

Two iPhones and a BlackBerry were taken as evidence in the case – though Pistorius reportedly could not remember the four-digit PIN code needed to unlock the phone at the time.

Pistorius’ legal representative, Brian Webber, has handed over Pistorius’ Apple ID and password to authorities. Investigators claim that the details are not correct.

On Thursday, 13 February, news outlet eNCA claimed to have gained access to Pistorius’ iTunes account using the Apple ID and password provided by Webber, without any issues.

“All it appears to reveal is that Oscar Pistorius likes legal TV dramas, cello concertos and dance music,” the news group said.

Investigators, however, are looking for more than download and app information: they are seeking access to iMessage history and other data in the paralympian’s traceable digital footprint.

Content such as text messages and communication through message applications is not held by network operators (which only track “to” and “from” cellphone numbers), meaning RICA would not help with any content insight in this case.

Is the content even accessible?

According to an iPhone security expert, gaining access to data on a locked iPhone using an Apple ID and password alone is unlikely.

“With an iPhone 4S and above, no, there isn’t a way to unlock the device without the PIN – you can’t do it with the Apple ID only,” the expert said.

“With the Apple ID you can wipe and restore the phone, but it requires that you have access to either on-computer or iCloud backups of the device.”

Previous versions of Apple’s iOS software allowed users to bypass the PIN lock-screen using an emergency call exploit, while the iPhone tracking app, Find My iPhone, allowed a remote PIN reset.

Both of these work-arounds have since been removed by Apple.

If the incorrect PIN is entered a number of times, the device locks up temporarily. There are options available to erase data from the device if the incorrect PIN is entered 10 times.

For iPhone users who “forgot” their passwords or blocked their devices, gaining access to their devices requires a system restore through iTunes (from on-computer or iCloud backups), or a complete system reset.

This process, again, has a few prerequisites which, if not met, mean all data on the device will be lost.

To successfully bypass a locked device and restore its data:

  • The correct Apple ID and password associated with the required Apple account are needed.
  • The specific Apple account needs to be linked to the device in question.
  • The device needs to have been backed up to iCloud – or physically backed up to a computer.
  • The right data (iMessage and app data) needs to be backed up.
  • The account, device and passwords must not have been remotely tampered with.

“That’s quite a few ‘ifs’ – there’s a lot of hypothesis here,” the expert said.

Regarding the Pistorius case and the problems investigators have been facing, the security expert said it is possible that the Apple ID provided isn’t the one used for the iCloud backups – if any exist.

A number of forensic tools exist that can extract data from iCloud; however, proper processes need to be followed for any evidence to stand up in court.

Further, there’s no way to tell whether Pistorius nuked his iMessage or WhatsApp history before handing the phone over to police, or remotely restored his data to another device.

“He could maybe have closed his account remotely, and linked a new phone to a new account.”

Pistorius’s murder trial is set to start on 3 March 2014.
