Updates (last updated 04/21/2020)
Examination of Apple iOS Devices
The Virginia Department of Forensic Science’s (DFS) Digital & Multimedia Evidence Section is able to provide security measure bypass and enhanced data extraction services for the following Apple devices and iOS versions:
- iPhone 4S
- iPhone 5
- iPhone 5c
- iPhone 5s
- iPhone 6 & 6 Plus
- iPhone SE
- iPhone 6s & 6s Plus
- iPhone 7 & 7 Plus
- iPhone 8 & 8 Plus
- iPhone X
- iPhone XR, XRS & XS Max
- iPhone 11
- iPad Air & Air 2
- iPad mini 2, 3, 4
- iPad (2017)
- iPad Pro (1st & 2nd gen)
- iPod Touch (5th & 6th gen)
- Supports before and after first unlock state
- Supports disabled iOS devices
- Supports USB Restricted devices
- Supports 4-digit, 6-digit, and complex passcodes
- Complete file system extraction
- Extracts data (e.g. e-mail communications) not accessible in traditional iTunes backups
In order to be able to expedite these services for our user agencies, we will be utilizing the following tiered examination approach.
For user agencies with mobile device data analysis capabilities we will:
- Identify the passcode on the device (when available);
- Provide a full or partial file system, memory (when available), and keychain extractions of the device.
For user agencies with limited or no mobile device data analysis capabilities, or the analysis is deemed necessary (e.g. beyond the capabilities of the submitting agency), we will additionally:
- Analyze the acquired data for requested information.
If it is determined that the passcode identification process will take an exceedingly long time, the process may be terminated by DFS and the device returned to the submitting agency in its secured state. However, any data (i.e. partial file system extraction) that is accessible while the device is secured will be provided.
Secured Apple devices running version 10.3.2 and above of iOS require specific handling in order maximize the amount of data available for extraction and the speed of passcode identification. The following evidence handling guidelines should be followed:
- Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO REBOOT;
- Shield the device from communication networks by putting the device into Airplane Mode, removing the SIM card, and placing it in a shielded enclosure;
- Submit the device to the Central laboratory as soon as possible.
JTAG, ISP and Chip-Off Data Acquisition Services
The DME Section offers JTAG, ISP and Chip-Off data acquisition services for candidate devices (Apple devices are not supported) that have limited support using more common hardware/software solutions.
- JTAG (Joint Test Action Group) is a non-destructive process that involves connecting to a specific combination of Test Access Ports (TAPs) on a device’s circuit board and instructing the processor to transfer the raw data stored on connected memory chips
- In-System Programming (ISP) is a non-destructive process that involves connecting to specific points on a device, bypassing the device’s processor, to directly read the device’s memory
- Chip-Off is a destructive process that involves physically removing the memory chip(s) from a device’s circuit board and reading it on an external reader
For both options, the memory dump that is obtained can then be analyzed to identify any areas of interest. Examples of where JTAG, ISP or Chip-Off may be applied include:
- Non-bypassable security measures, such as a PIN code, password, passphrase, or pattern lock
- Non-functional (e.g. damaged, etc.) devices that cannot be repaired
- Prepaid (“burner”) cellular phones with vendor-disabled data ports