Updates (last updated 06/11/2018)

Examination of Apple iOS Devices

The Virginia Department of Forensic Science’s (DFS) Digital & Multimedia Evidence Section is now able to provide security measure bypass and enhanced data extraction services for the following Apple devices and iOS versions:

Device Support
  • iPhone 5
  • iPhone 5c
  • iPhone 5s
  • iPhone 6 & 6 Plus
  • iPhone SE
  • iPhone 6s & 6s Plus
  • iPhone 7 & 7 Plus
  • iPhone 8 & 8 Plus
  • iPhone X
  • iPad Air & Air 2
  • iPad mini 2, 3, 4
  • iPad (2017)
  • iPad Pro (1st & 2nd gen)
  • iPod Touch (5th & 6th gen)

iOS Support
  • 9.x
  • 10.x
  • 11.x

Additional Information
  • Supports before and after first unlock state
  • Supports disabled iOS devices
  • Supports 4-digit, 6-digit, and complex passcodes
  • Complete file system extraction
  • Extracts data (e.g. e-mail communications) not accessible in traditional iTunes backups
To expedite these services for our user agencies, we will use the following tiered examination approach.
For user agencies with mobile device data analysis capabilities we will:
  1. Identify the passcode on the device;
  2. Provide a full file system, memory (when available), and keychain extraction of the device.
For user agencies with limited or no mobile device data analysis capabilities, or where the analysis is deemed necessary (e.g. beyond the capabilities of the submitting agency), we will additionally:
  3. Analyze the acquired data for requested information.
If it is determined that the passcode identification process will take an exceedingly long time, the process may be terminated by DFS and the device returned to the submitting agency in its secured state.  However, any data (e.g. location information, notifications, multimedia, etc.) that is accessible while the device is secured will be provided.
Secured Apple devices running iOS version 10.3.2 and above require specific handling in order to maximize the speed of passcode identification. The following evidence handling guidelines should be followed:
  1. Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO REBOOT;
  2. Shield the device from communication networks by putting the device into Airplane Mode, removing the SIM card, and placing it in a shielded enclosure;
  3. Submit the device to the Central laboratory as soon as possible.

JTAG and Chip-Off Data Acquisition Services

The DME Section is now offering JTAG and Chip-Off data acquisition services for candidate devices (Apple devices are not supported) that have limited support using more common hardware/software solutions.

  •  JTAG (Joint Test Action Group) is a non-destructive process that involves connecting to a specific combination of Test Access Ports (TAPs) on a device’s circuit board and instructing the processor to transfer the raw data stored on connected memory chips.
  •  Chip-Off is a destructive process that involves physically removing the memory chip(s) from a device’s circuit board and reading it on an external reader.

For both options, the memory dump that is obtained can then be analyzed to identify any areas of interest. Examples of where JTAG or Chip-Off may be applied include:

  •  Non-bypassable security measures, such as a PIN code, password, passphrase, or pattern lock
  •  Non-functional (e.g. damaged, etc.) devices that cannot be repaired
  •  Prepaid (“burner”) cellular phones with vendor-disabled data ports