Note: This thread is constantly updated (until I die). Please scroll down to the very bottom for the latest news and tips.
This setup was tested with:
Modern iPhone that is no more than 2 years old
iOS 18✅
Windows 11
External USB✅
iMazing✅
- Use iCloud. You may dislike the cloud for privacy reasons, but it will come in handy later (for the backup you need before supervising the device, and for keeping data off the handset). Their cheapest plan is $2.99 for 200GB.
- Enable Advanced Data Protection. With it on, most iCloud data is end-to-end encrypted, so a subpoena or search warrant served on Apple yields little beyond the categories that stay under standard protection: Contacts, Mail, Calendar and generic account/device metadata. Without it, a forensic examiner with legal process can quickly obtain all of your valuable iCloud data. If you're a US citizen, the Fourth Amendment offers little practical protection here: law enforcement routinely relies on the "good faith" exception in court when caught doing questionable things with search and seizure or drafting overly broad warrants. Read more about standard vs advanced data protection here.
- (Optional) Delete any trace of your recovery key. When you enabled Advanced Data Protection you were prompted for a recovery method. A recovery contact is obviously the weaker choice, so the recovery key is the better option. But if there is even a 0.01% chance of the photo or note holding that key being obtained, don't take the risk. If we lose the data, we lose it. Oh well...
- Turn off Access iCloud Data on the Web. There is no good reason to have this on; it only exposes you to additional extraction paths such as an iCloud extractor working from a web session. To turn it off, navigate to Settings > [your name] > iCloud and scroll to the bottom of that page.
- Use a third-party password manager instead of Keychain/the Passwords app. This limits what a "keychain extraction" yields, because your logins are not all sitting in the one store such tools target.
- Turn off USB accessories (Settings > Face ID & Passcode > Allow Access When Locked > Accessories). This matters less once Lockdown Mode is on, but set it anyway.
- Use a long alphanumeric passcode. Assume a brute force is always possible and never use a short numeric PIN. Forget about "convenience"; Face ID handles the day-to-day unlocks.
- Disable Control Center access from the lock screen. This removes certain attack vectors in the AFU (after first unlock) state. We will later enforce this with a profile.
- Don't show previews in push notifications. Less visible data during a "take pictures of the device" extraction.
- Frequently clear in-app caches where the app offers the setting. This removes unwanted traces of activity.
- Follow up by deleting the app after clearing the cache. Apps store data in multiple locations on iOS, so this may or may not complete the cleanup. Make sure iCloud isn't backing up that app's data as well; you may have to check this each time you reinstall it.
- Turn on Stolen Device Protection. This feature is a forensic nightmare. When enabled, none of the following can be done without biometric authentication (and several of them, such as changing the passcode or turning Stolen Device Protection off, also require the security delay):
  - Use passwords or passkeys saved in Keychain
  - Use payment methods saved in Safari (AutoFill)
  - Turn off Lost Mode
  - Erase all content and settings
  - Apply for a new Apple Card
  - View your Apple Card or Apple Cash virtual card number
  - Take certain Apple Cash and Savings actions in Wallet (for example, Apple Cash or Savings transfers)
  - Use your iPhone to set up a new device (for example, Quick Start)
  - Change your Apple Account password
  - Sign out of your Apple Account
  - Update Apple Account security settings (such as adding or removing a trusted device, Recovery Key, or Recovery Contact)
  - Add or remove Face ID or Touch ID
  - Change your iPhone passcode
  - Reset All Settings
  - Enroll in Mobile Device Management
  - Turn off Stolen Device Protection
- Turn off Significant Locations. It gives forensic examiners that lovely, detailed map of everywhere you've been. There are several other sources of location data too; it's best to turn off Location Services, Bluetooth, Wi-Fi, Find My, etc. when they aren't needed. It all depends on what you're willing to expose.
- Killswitch: a Shortcut (cool lil button) to quickly put your device into the BFU (before first unlock) state.
- Lock all sensitive apps with Face ID. This prevents snooping through your apps without biometric authentication. Do not use the Hide App option: you don't want certain apps to stand out from the rest if an extraction succeeds.
- Do not allow your Apple Watch to unlock your iPhone. It opens another attack vector for no good reason.
- If you use SMS/iMessage, make sure Messages in iCloud is on. Set Keep Messages to 30 Days so that only the most recent messages remain on the device, and what remains in iCloud is covered by Advanced Data Protection. Note that with Messages in iCloud enabled this retention applies to iCloud as well, so messages older than 30 days are removed everywhere rather than being kept in the cloud. I have a theory that even when your device is seized, if this setting is on it will still delete the messages off your device once 30 days have passed, regardless of internet connectivity or power state, but I may be wrong. This may apply to Recently Deleted photos as well.
- Delete your Google account if you haven't already. Self-explanatory.
- Supervise your iOS device(s). Supervision unlocks important anti-forensics restrictions that cannot be bypassed if set up correctly; you can even see Cellebrite complain about it in this PDF. I recommend Apple Configurator on macOS or iMazing on Windows. Supervising a device wipes it, so back up to iCloud before proceeding.
- Create a configuration profile with the following restriction settings (keys of the com.apple.applicationaccess payload):
  allowEnterpriseAppTrust = false
  allowAppInstallation = false (IMPORTANT)
  allowESIMModification = false
  allowHostPairing = false (IMPORTANT)
  allowiTunesFileSharing = false
  allowLockScreenControlCenter = false
  allowUIConfigurationProfileInstallation = false
  forceAuthenticationBeforeAutoFill = true
  forceEncryptedBackup = true (IMPORTANT)
  forceITunesStorePasswordEntry = true
  forcePreserveESIMOnErase = true
  forceWiFiPowerOn = true
  allowScreenShot = false
  allowFilesUSBDriveAccess = false
- allowAppInstallation = false and allowHostPairing = false are the most important: they block a forensic agent from being installed on the device if the examiner somehow gets past the USB restrictions. Remove the profile temporarily when you need to install or update apps. forceWiFiPowerOn prevents the examiner from disabling Wi-Fi (expect them to reach for a Faraday bag instead). I don't think anything will be "forensically sound" with that setting on lol. Be sure to sign the profile with a certificate before installing it on your device(s).
- Since this is a locally installed profile rather than an Apple Business Manager MDM enrollment, it can be removed by resetting the device (which wipes all data) or with the device passcode. To block passcode removal, configure a profile removal password. I'd recommend some random 90-character gibberish that you will forget about: as long as you still have the computer that supervised the device, you can remove the profile from there over a USB connection.
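The profile above and the removal password from this step are just an XML plist, so they can be generated and checked rather than clicked together by hand. The following Python script is an added example and is not from the thread or from Apple Configurator/iMazing; the reverse-DNS prefix example.local, the payload display names and the check_profile sanity function are my own assumptions, and signing is left to the openssl command in the closing comment, which assumes you already hold a signing certificate and key in PEM form.

```python
#!/usr/bin/env python3
"""Build a supervised-device restrictions profile (.mobileconfig) carrying
the restriction keys from the list above plus a profile removal password,
then re-parse the file to confirm the critical keys really ended up in it.
Added example, not code from the thread."""
import plistlib
import secrets
import string
import uuid

# Restriction keys from the thread; all live in the
# com.apple.applicationaccess (Restrictions) payload.
RESTRICTIONS = {
    "allowEnterpriseAppTrust": False,
    "allowAppInstallation": False,   # blocks sideloading a forensic agent
    "allowESIMModification": False,
    "allowHostPairing": False,       # blocks pairing with a new USB host
    "allowiTunesFileSharing": False,
    "allowLockScreenControlCenter": False,
    "allowUIConfigurationProfileInstallation": False,
    "forceAuthenticationBeforeAutoFill": True,
    "forceEncryptedBackup": True,    # local backups must be password-protected
    "forceITunesStorePasswordEntry": True,
    "forcePreserveESIMOnErase": True,
    "forceWiFiPowerOn": True,
    "allowScreenShot": False,
    "allowFilesUSBDriveAccess": False,
}

ORG = "example.local"  # assumed reverse-DNS prefix for payload identifiers


def generate_removal_password(length=90):
    """Random gibberish of the length the thread suggests; you are not
    meant to remember it, the supervising computer removes the profile."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def _payload(payload_type, name, settings):
    """Common envelope every payload dictionary needs."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
    }
    payload.update(settings)
    return payload


def build_profile(removal_password, restrictions=RESTRICTIONS):
    """Top-level profile with two payloads: the restrictions, and the
    removal password that replaces device-passcode removal."""
    if len(removal_password) < 32:
        raise ValueError("removal password should be long random gibberish")
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG}.antiforensics",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Anti-forensics restrictions",
        "PayloadContent": [
            _payload("com.apple.applicationaccess", "restrictions", restrictions),
            _payload("com.apple.profileRemovalPassword", "removal-password",
                     {"RemovalPassword": removal_password}),
        ],
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist that Configurator/iMazing install."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def check_profile(data):
    """Parse a .mobileconfig back and list anything that would leave the
    device exposed: an IMPORTANT key not false, backups not forced
    encrypted, or no removal password. An empty list means it looks right."""
    profile = plistlib.loads(data)
    by_type = {p["PayloadType"]: p for p in profile.get("PayloadContent", [])}
    restrictions = by_type.get("com.apple.applicationaccess", {})
    problems = []
    for key in ("allowAppInstallation", "allowHostPairing"):
        if restrictions.get(key, True) is not False:   # missing == allowed
            problems.append(f"{key} is not false")
    if restrictions.get("forceEncryptedBackup") is not True:
        problems.append("forceEncryptedBackup is not true")
    removal = by_type.get("com.apple.profileRemovalPassword", {})
    if not removal.get("RemovalPassword"):
        problems.append("no removal password payload")
    return problems


if __name__ == "__main__":
    password = generate_removal_password()
    data = to_mobileconfig(build_profile(password))
    with open("restrictions.mobileconfig", "wb") as fh:
        fh.write(data)
    print("problems:", check_profile(data) or "none")
    # Sign before installing (assumes cert.pem and key.pem exist):
    #   openssl smime -sign -nodetach -outform der \
    #     -signer cert.pem -inkey key.pem \
    #     -in restrictions.mobileconfig -out restrictions-signed.mobileconfig
```

Run it once on the supervising computer, sign the output, and install the signed file with Configurator or iMazing; re-run check_profile on any profile you later edit by hand, since a single missing key silently falls back to "allowed".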
- Turn on encrypted backups and Stolen Device Protection. The backup password can be set with iMazing, iTunes/Finder, etc. When forensic examiners hit an encrypted local backup password, they usually use Reset All Settings to clear it so tools like Cellebrite can set their own backup password. With Stolen Device Protection on, that action requires Face ID plus the security delay. Face ID can also lock apps, which counters the photograph-everything-visible-on-the-device method. Configure Stolen Device Protection with the security delay set to Always.
- Turn on Lockdown Mode. It restricts the USB port promptly instead of relying on Apple's non-configurable one-hour USB Restricted Mode window: once you lock the device, wired connections are blocked within about 10 seconds and stay blocked until you unlock again. No need for the press-the-side-button-five-times trick.
- Secure the PC that manages the profile. Because this is a local setup, your security depends on how safe that computer is. On Windows use BitLocker with TPM + PIN + startup key protectors for maximum protection. Extra brownie points if you buy 10 pen-shaped USB sticks and put a fake startup key on 9 of them lol. Without the real startup key there is nothing to brute-force, because the PIN prompt never appears until the key is inserted. You should also delete and disable the BitLocker recovery key for extra lulz, accepting that if the TPM measurements ever change (for example after a firmware update) the volume becomes unrecoverable. On a MacBook use FileVault and avoid using the same iCloud account as your phone.
This tutorial will be updated as new things are discovered. Please let me know if you have any suggestions or if I am wrong about a feature. Enjoy!