Examination of Apple iOS Devices

The Virginia Department of Forensic Science’s (DFS) Digital & Multimedia Evidence Section is able to provide security measure bypass and enhanced data extraction services for several Apple devices and iOS versions.

In order to be able to expedite these services for our user agencies, we will be utilizing the following tiered examination approach.

For user agencies with mobile device data analysis capabilities we will:

  1. Identify the passcode on the device (when available);
  2. Provide a full or partial file system, memory (when available), and keychain extractions of the device.

For user agencies with limited or no mobile device data analysis capabilities, or the analysis is deemed necessary (e.g. beyond the capabilities of the submitting agency), we will additionally:

  1. Analyze the acquired data for requested information.

If it is determined that the passcode identification process will take an exceedingly long time, the process may be terminated by DFS and the device returned to the submitting agency in its secured state. However, any data (i.e. partial file system extraction) that is accessible while the device is secured will be provided.

Secured Apple devices with an unknown passcode require specific handling in order maximize the amount of data available for extraction and the speed of passcode identification. The following evidence handling guidelines should be followed:

  1. Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO POWER OFF OR REBOOT;
  2. Shield the device from communication networks by putting the device into Airplane Mode and placing it in a shielded enclosure;
    1. If neither options are available, remove* the Universal Integrated Circuit Card (UICC) (aka Subscriber Identity Module [SIM] card) from the device;
      *Removing the UICC from a device that is powered on may result in the device being placed into a more secure state;
  1. Submit the device to the Central laboratory as soon as possible.

JTAG, ISP and Chip-Off Data Acquisition Services 

The DME Section offers JTAG, ISP and Chip-Off data acquisition services for candidate devices (Apple devices are not supported) that have limited support using more common hardware/software solutions.

  •  JTAG (Joint Test Action Group) is a non-destructive process that involves connecting to a specific combination of Test Access Ports (TAPs) on a device’s circuit board and instructing the processor to transfer the raw data stored on connected memory chips
  • In-System Programming (ISP) is a non-destructive process that involves connecting to specific points on a device, bypassing the device’s processor, to directly read the device’s memory
  • Chip-Off is a destructive process that involves physically removing the memory chip(s) from a device’s circuit board and reading it on an external reader

For both options, the memory dump that is obtained can then be analyzed to identify any areas of interest. Examples of where JTAG, ISP or Chip-Off may be applied include:

  • Non-bypassable security measures, such as a PIN code, password, passphrase, or pattern lock
  • Non-functional (e.g. damaged, etc.) devices that cannot be repaired
  • Prepaid (“burner”) cellular phones with vendor-disabled data ports