Apple iPhones have always posed a significant challenge for law enforcement investigations and digital forensics. When a device’s passcode is unknown and forensic tools are unable to break in, the solution has been to collect the suspect’s data from the cloud. Apple’s Advanced Data Protection ends this investigative technique.
iCloud encryption and data security
Apple protects user information with encryption and requires two-factor authentication for newly created Apple IDs. To understand how encryption affects law enforcement investigations, let's look at how encryption and data protection work within the Apple ecosystem.
All user data stored in iCloud is encrypted. However, two types of encryption are used to secure it: standard encryption and end-to-end encryption.
Standard encryption: Files secured with standard encryption are accessible to Apple, because Apple holds a copy of the key. Files such as device backups and photos have traditionally used standard encryption.
End-to-end encryption: End-to-end encrypted data can be decrypted only on trusted devices the user has signed into with their Apple ID. The encryption keys are generated on that trusted hardware and never leave the user's devices. When end-to-end encryption is used, not even Apple can read the data, because Apple does not hold a copy of the key.
What evidence can be read when collected with a search warrant depends entirely on the level of data protection that the user selects.
iCloud Standard Data Protection
All iCloud accounts come with Standard Data Protection as the default configuration. The bulk of a user's data is secured with standard encryption and can be decrypted by Apple using its copy of the key. If you have worked with iCloud search warrant productions, every category of data you are used to seeing in them was secured with standard encryption.
Standard Data Protection uses end-to-end encryption for 15 data categories, including passwords stored in iCloud Keychain.
iCloud Advanced Data Protection
Apple released Advanced Data Protection (ADP) as an optional level of security in December 2022. ADP raises the number of data categories that use end-to-end encryption to 25. If a user has enabled ADP, an iCloud search warrant will still produce iCloud Mail, Contacts and Calendars. The remainder of the production is encrypted: the folder structure of the production is the same as ever, but each folder contains encrypted blob files along with a Chunkdetails.csv listing hexadecimal checksum values.
The table below shows which iCloud evidence items use standard or end-to-end encryption under each level of protection, and who holds the encryption keys.
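A triage pass over a production folder, written for this page as an added example (it is not the author's tooling and not an Apple or forensic-vendor script): it walks each category folder, labels files by magic bytes, UTF-8 decodability or byte entropy, pulls anything that looks like a hex checksum out of Chunkdetails.csv without assuming its column layout, and reports which categories came back readable and which came back as opaque blobs. The mock production it builds for the demo (folder names, file names, the CSV columns) is constructed for illustration and is not a real Apple production layout.

```python
import csv
import hashlib
import math
import re
import tempfile
from collections import Counter
from pathlib import Path

# Manifest that accompanies the encrypted blobs in an ADP production.
CHUNK_DETAILS = "Chunkdetails.csv"

# Magic bytes for formats seen in a readable production. A file that starts
# with one of these is plaintext to the examiner, not ciphertext.
KNOWN_MAGIC = {
    b"%PDF": "pdf",
    b"\x89PNG": "png",
    b"\xff\xd8\xff": "jpeg",
    b"PK\x03\x04": "zip",
    b"SQLite format 3\x00": "sqlite",
    b"bplist00": "bplist",
}

# Any cell that is a long hex string is treated as a checksum; the column
# layout of Chunkdetails.csv is deliberately NOT assumed (it is not documented here).
HEX_CHECKSUM = re.compile(r"[0-9a-fA-F]{32,128}")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext, typically 4 to 6 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_file(path: Path, sample_size: int = 4096) -> str:
    """Label a file from its first sample_size bytes: known format, text, opaque blob or other binary."""
    head = path.read_bytes()[:sample_size]
    for magic, label in KNOWN_MAGIC.items():
        if head.startswith(magic):
            return label
    try:
        text = head.decode("utf-8")
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return "text"
    except UnicodeDecodeError:
        pass
    return "opaque-blob" if shannon_entropy(head) > 7.5 else "binary"


def checksums_in_csv(csv_path: Path) -> list[str]:
    """Return every checksum-looking hex cell in the manifest, whatever the columns are called."""
    with csv_path.open(newline="") as f:
        return [cell for row in csv.reader(f) for cell in row if HEX_CHECKSUM.fullmatch(cell)]


def triage_production(root: Path) -> dict[str, dict]:
    """One entry per top-level category folder: verdict, file count, labels, manifest checksums."""
    report = {}
    for category in sorted(p for p in root.iterdir() if p.is_dir()):
        manifest = category / CHUNK_DETAILS
        files = [p for p in category.rglob("*") if p.is_file() and p.name != CHUNK_DETAILS]
        labels = Counter(classify_file(p) for p in files)
        checksums = checksums_in_csv(manifest) if manifest.exists() else []
        if not files:
            verdict = "empty"
        elif set(labels) == {"opaque-blob"}:
            verdict = "encrypted"  # nothing decodable: what an ADP category looks like
        else:
            verdict = "readable"
        report[category.name] = {
            "verdict": verdict,
            "files": len(files),
            "labels": dict(labels),
            "has_manifest": manifest.exists(),
            "checksums_in_csv": len(checksums),
        }
    return report


def _pseudo_random(seed: bytes, size: int) -> bytes:
    """Deterministic high-entropy filler standing in for ciphertext (constructed test data)."""
    out = b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(size // 32 + 1))
    return out[:size]


def build_demo_production(root: Path) -> None:
    """Write a constructed mock production: two readable categories and one ADP-encrypted one."""
    (root / "Mail").mkdir()
    (root / "Mail" / "message1.eml").write_text("From: a@example.com\r\nTo: b@example.com\r\nSubject: hi\r\n\r\nbody\r\n")
    (root / "Contacts").mkdir()
    (root / "Contacts" / "card.vcf").write_text("BEGIN:VCARD\nVERSION:3.0\nFN:Example Person\nEND:VCARD\n")
    drive = root / "iCloud Drive"
    drive.mkdir()
    rows = []
    for i in range(2):
        blob = _pseudo_random(f"blob{i}".encode(), 4096)
        (drive / f"chunk{i}.bin").write_bytes(blob)
        rows.append([f"chunk{i}.bin", hashlib.sha256(blob).hexdigest()])
    with (drive / CHUNK_DETAILS).open("w", newline="") as f:
        csv.writer(f).writerows([["file", "checksum"], *rows])  # invented layout, demo only


def run_demo() -> dict[str, dict]:
    """Build the mock production in a temp dir and triage it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_demo_production(root)
        return triage_production(root)


if __name__ == "__main__":
    for name, info in run_demo().items():
        print(f"{name:14} {info['verdict']:10} files={info['files']} checksums={info['checksums_in_csv']}")
```

Point `triage_production` at the root of a real production to get the same per-category summary; the verdict rests on the file contents, and the manifest presence and checksum count are reported alongside so an examiner can see which folders shipped with Chunkdetails.csv.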
Evidence item | Standard Data Protection: encryption | Standard Data Protection: keys held by | Advanced Data Protection: encryption | Advanced Data Protection: keys held by
Apple Card transactions | End-to-end | Trusted devices only | End-to-end | Trusted devices only
Calendars | Standard | Apple | Standard | Apple
Contacts | Standard | Apple | Standard | Apple
Freeform | Standard | Apple | End-to-end | Trusted devices only
Health data | End-to-end | Trusted devices only | End-to-end | Trusted devices only
Home data | End-to-end | Trusted devices only | End-to-end | Trusted devices only
iCloud Backup | Standard | Apple | End-to-end | Trusted devices only
iCloud Drive | Standard | Apple | End-to-end | Trusted devices only
iCloud Mail | Standard | Apple | Standard | Apple
Journal data | End-to-end | Trusted devices only | End-to-end | Trusted devices only
Keyboard learned vocabulary | End-to-end | Trusted devices only | End-to-end | Trusted devices only
Maps | End-to-end | Trusted devices only | End-to-end | Trusted devices only
Memoji | End-to-end | Trusted devices only | End-to-end | Trusted devices only
Messages in iCloud | End-to-end | Trusted devices, but a copy of the key is kept in iCloud Backup while Backup is on | End-to-end | Trusted devices only
Notes | Standard | Apple | End-to-end | Trusted devices only