Password protection and potential bypasses

We want to start with the bad news: if you are examining an iPhone that runs iOS 8 or newer, and especially if it's a newer device, for example, the iPhone 6s, your chances of unlocking it are not good at all.

Of course, there are some hardware-based solutions, such as IP-BOX 3, but all of them work only occasionally, and using one of them can even result in bricking the device. With iOS 11, this problem becomes even more severe – even if the device under examination is not passcode protected, you will need the passcode anyway as it must be entered to confirm the trust between the device and your workstation.

So, what should a mobile forensic examiner do? Use the lockdown files! The lockdown files, which are stored as plist files on trusted computers, allow you to trick the device into believing it's unlocked or trusted on the forensic workstation.

The lockdown files are stored in the following locations:

  • /var/db/lockdown on macOS
  • C:\ProgramData\Apple\Lockdown on Windows 7 and later releases

You must be aware that unlocking with a lockdown file only works if the device was unlocked with a passcode at least once after the last reboot.
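Before relying on a lockdown file, it helps to know which pairing records a seized computer actually holds and whether each one parses. The following Python sketch is an added example, not code from the book; it assumes each record is named `<UDID>.plist`, that a host-wide `SystemConfiguration.plist` may sit in the same directory, and that the listed key names are the ones normally present (none of these details are stated on this page). The sample records are constructed.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Keys commonly present in a pairing record (assumed; the page does not list them).
KEYS = ("HostID", "SystemBUID", "HostCertificate", "HostPrivateKey",
        "RootCertificate", "DeviceCertificate", "EscrowBag")

def inventory_lockdown(directory):
    """Summarise each <UDID>.plist pairing record without printing key material."""
    results = []
    for path in sorted(Path(directory).glob("*.plist")):
        if path.name == "SystemConfiguration.plist":
            continue  # host-wide file, not a per-device pairing record
        entry = {"udid": path.stem, "valid": False}
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)  # accepts XML and binary plists
        except (ValueError, ExpatError, OSError) as exc:
            entry["error"] = type(exc).__name__
        else:
            if isinstance(record, dict):
                entry.update(valid=True,
                             host_id=record.get("HostID"),
                             present=[k for k in KEYS if k in record],
                             missing=[k for k in KEYS if k not in record])
            else:
                entry["error"] = "NotADictionary"
        results.append(entry)
    return results

def build_sample_dir():
    """Write constructed (fake) records to a temp directory for the demo."""
    root = Path(tempfile.mkdtemp())
    full = {k: b"constructed" for k in KEYS}
    full["HostID"] = "CONSTRUCTED-HOST-ID"
    full["SystemBUID"] = "CONSTRUCTED-BUID"
    (root / ("a" * 40 + ".plist")).write_bytes(plistlib.dumps(full, fmt=plistlib.FMT_BINARY))
    partial = {"HostID": "CONSTRUCTED-HOST-ID", "DeviceCertificate": b"constructed"}
    (root / ("b" * 40 + ".plist")).write_bytes(plistlib.dumps(partial))
    (root / ("c" * 40 + ".plist")).write_bytes(b"not a plist")
    (root / "SystemConfiguration.plist").write_bytes(plistlib.dumps({"SystemBUID": "X"}))
    return root

if __name__ == "__main__":
    for row in inventory_lockdown(build_sample_dir()):
        print(row)
```

Run it against a working copy of the lockdown directory taken from the forensic image, not against the original evidence.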

There are also some advanced techniques. These include fingerprint molds to trick Touch ID, masks to trick Face ID, and NAND mirroring to bypass passcode entry limits.

The first technique was first demonstrated by Jason Chaikin, who showed how to bypass Touch ID by lifting another person's fingerprint with common molding materials, such as dental mold and Play-Doh.

The second technique was demonstrated as a proof of concept by the Vietnamese cybersecurity firm Bkav. They created a mask that can be used to trick the Face ID feature using a combination of three-dimensional printing, makeup, and two-dimensional images.

The last technique was demonstrated by Sergei Skorobogatov, a senior research associate at the Cambridge Computer Laboratory's Security Group. This technique allows you to bypass passcode entry limits by desoldering the iPhone's flash memory chip and cloning it. It should work on any iOS device up to iPhone 6s Plus.
