Pieces0310

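Forensics must let the evidence speak; never presume to settle a case on your own inner conviction. Never shoot the arrow first and draw the target afterwards, searching only for what you want to find. The foundation of forensics rests on experience and judgment: the richer your experience across the fields of IT, the better you can spot the clues. Forensics should make good use of tools without over-relying on them. Tools can only help you narrow the range of possibilities; they cannot tell you the answer, and a person still has to analyze and judge.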


We used to be able to take advantage of the plist to bypass the Trust Relationship and extract data from an iDevice. In iOS 10 that has become an impossible mission.

As you can see, the iOS version is iOS 10.0.2.

Now my workstation trusts this iDevice, and the plist in the Lockdown folder is right there.

Let me show you what happens in iOS 10. I power off this iDevice and power it on. Of course it's locked. You have to enter the passcode or use Touch ID.

Let's take a look at iTunes on my workstation. iTunes cannot see anything on that iDevice... But the plist is still right there. What's the matter with this iDevice?

The answer is that the life cycle of the plist in Lockdown changes in iOS 10. That means that if you seize an iDevice that is powered off, the plist on the suspect's PC/Laptop/Mac has no effect on that iDevice. You still need the passcode or Touch ID in order to get the data inside this iDevice.

I'm not sure why Apple is doing this. The life cycle of the plist in Lockdown changes dramatically in iOS 10, which is a bad influence on mobile forensics. iOS forensics is going dark in the very near future.
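An added example, not from the original post: a Python routine that inventories the plists in a Lockdown folder so an examiner can document which devices a workstation holds a record for, without printing any key material. The key names, the `SystemConfiguration.plist` exclusion and the UDID-as-filename convention are assumptions about the record layout, and the sample folder is constructed.

```python
import plistlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Sensitive keys commonly found in a pairing record (assumption, not from the post).
SECRET_KEYS = ("HostPrivateKey", "RootPrivateKey", "EscrowBag")


def inventory_lockdown(folder):
    """Summarise each pairing record in a Lockdown folder without exposing secrets."""
    rows = []
    for path in sorted(Path(folder).glob("*.plist")):
        if path.name == "SystemConfiguration.plist":
            continue  # host-wide settings file, not a per-device record (assumption)
        try:
            with path.open("rb") as fh:
                record = plistlib.load(fh)
        except Exception as exc:  # corrupt or truncated file: report it, keep going
            rows.append({"udid": path.stem, "error": type(exc).__name__})
            continue
        rows.append({
            "udid": path.stem,  # assumption: the file is named after the device UDID
            "host_id": record.get("HostID"),
            "secrets_present": [k for k in SECRET_KEYS if k in record],
            "modified_utc": datetime.fromtimestamp(
                path.stat().st_mtime, timezone.utc).isoformat(),
        })
    return rows


def demo():
    """Build a constructed Lockdown folder in a temp directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        good = {"HostID": "CONSTRUCTED-HOST-ID", "SystemBUID": "CONSTRUCTED-BUID",
                "HostPrivateKey": b"placeholder", "EscrowBag": b"placeholder"}
        (Path(tmp) / "0000constructedudid0000.plist").write_bytes(plistlib.dumps(good))
        (Path(tmp) / "1111constructedudid1111.plist").write_bytes(b"not a plist")
        (Path(tmp) / "SystemConfiguration.plist").write_bytes(plistlib.dumps({}))
        return inventory_lockdown(tmp)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Per the post, on iOS 10 a record listed this way does not by itself open a device that was seized powered off; the passcode or Touch ID is still needed.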


posted on 2016-09-26 15:08  Pieces0310