Examination of Apple iOS and Android Devices

The Virginia Department of Forensic Science’s (DFS) Digital & Multimedia Evidence Section is able to provide security measure identification / bypass and enhanced data extraction services for several Apple devices and iOS versions, and Android devices, operating system versions, and security mechanisms.

In order to be able to expedite these services for our user agencies, we will be utilizing a tiered examination approach.

For user agencies with mobile device data analysis capabilities we will:

  1. Identify the passcode on the device (when available);
  2. Provide physical, full or partial file system, memory (when applicable/available), and keychain (when applicable/available) extractions of the device.

For user agencies with limited or no mobile device data analysis capabilities, or where analysis is deemed necessary (e.g. beyond the capabilities of the submitting agency), we will additionally:

  1. Analyze the acquired data for requested information.

If it is determined that the passcode identification process will take more than three (3) months, the process may be terminated by DFS and the device returned to the submitting agency in its secured state. However, any data (i.e. partial file system extraction) that is accessible while the device is secured will be provided.

Secured Apple and Android devices with an unknown passcode require specific handling in order to maximize the amount of data available for extraction and the speed of passcode identification. The following evidence handling guidelines should be followed:

  1. If the device is seized powered on:
    1. Ensure the device stays powered on and is sufficiently charged – DO NOT ALLOW THE DEVICE TO POWER OFF OR REBOOT;
    2. Shield the device from communication networks by putting the device into Airplane Mode and placing it in a shielded enclosure;
      1. If neither option is available, remove* the Universal Integrated Circuit Card (UICC) (aka Subscriber Identity Module [SIM] card) from the device;
         *Removing the UICC from a device that is powered on may result in the device being placed into a more secure state;
    3. Submit the device to the Central Laboratory as soon as possible.
  2. If the device is seized powered off:
    1. If applicable, remove its battery and UICC;
      1. For applicable mobile devices, it is important to determine if the device (handset) contains a UICC or flash memory card such as a micro Secure Digital (microSD) card;
        1. Either card can be located internally, typically under the battery, or externally along the side of the device;
        2. These storage devices should be indicated on the RFLE as additional items of evidence, typically as sub-items to the handset;
        3. Also, if the device is reliant on a UICC to authenticate the device to a service provider’s network(s), removal may be an additional shielding measure.

JTAG, ISP and Chip-Off Data Acquisition Services

The DME Section offers JTAG, ISP and Chip-Off data acquisition services for candidate devices (Apple devices are not supported) that have limited support using more common hardware/software solutions.

  • JTAG (Joint Test Action Group) is a non-destructive process that involves connecting to a specific combination of Test Access Ports (TAPs) on a device’s circuit board and instructing the processor to transfer the raw data stored on connected memory chips;
  • In-System Programming (ISP) is a non-destructive process that involves connecting to specific points on a device, bypassing the device’s processor, to directly read the device’s memory;
  • Chip-Off is a destructive process that involves physically removing the memory chip(s) from a device’s circuit board and reading them on an external reader.

In each case, the memory dump that is obtained can then be analyzed to identify any areas of interest. Examples of where JTAG, ISP or Chip-Off may be applied include:

  • Non-bypassable security measures, such as a PIN code, password, passphrase, or pattern lock;
  • Non-functional (e.g. damaged) devices that cannot be repaired;
  • Prepaid (“burner”) cellular phones with vendor-disabled data ports.