Elcomsoft shared an article on how Apple’s Stolen Device Protection (SDP) is creating new challenges for digital forensic examiners. Designed to protect users from device theft and account compromise, SDP places Face ID or Touch ID authentication in front of critical actions, including the “Trust This Computer” pairing process used by many forensic acquisition tools. As a result, investigators may no longer be able to establish a new forensic pairing with an iPhone even when the device passcode is known.

The article explains that SDP can prevent advanced logical acquisitions, block the creation of new pairing records, and introduce security delays that require biometric authentication. While existing, valid pairing records may still provide a path for acquisition, new pairings on previously unknown forensic workstations can be effectively blocked without access to the device owner’s biometrics.

Key Takeaways

  • Stolen Device Protection adds further security controls to modern iPhones.
  • Face ID or Touch ID may be required before certain forensic acquisition methods can proceed.
  • Knowing the device passcode may no longer be sufficient to establish a new trusted computer relationship.
  • Existing pairing records may become significantly more valuable during investigations.
  • New forensic workstations may be unable to create trusted pairings without biometric authentication.
  • Advanced logical acquisition workflows may be affected.
  • Investigators may need to adjust collection procedures for devices protected by SDP.
  • Law enforcement and forensic laboratories should review current iPhone acquisition processes and training.
  • The feature highlights Apple’s continued focus on protecting user data, even when a device passcode is known.
  • Proper evidence preservation and early acquisition efforts are becoming increasingly important.

For forensic laboratories, law enforcement agencies, and incident response teams, Apple’s Stolen Device Protection represents one of the most significant changes to iPhone acquisition workflows in recent years. Understanding how SDP affects evidence collection can help investigators adapt their procedures and maximize the likelihood of successful acquisitions from modern iOS devices.

Learn more about this topic at Elcomsoft