FBI mishandled evidence again
Here's the deal,
1) Confiscate the telephone while it's still powered on and the PIN code has been used at least once. When this happens, all data is able to be decrypted through the normal operating system read and write commands. Also, simply dropping or tossing the phone should leave the phone in a still stable state for reading this data.
2) Attach an external charger to the phone immediately and leave it powered up the entire time until it has reached the forensics lab for data extraction.
3) Open the phone carefully avoiding removing the power cable and battery cables at the same time.
4) Ensure the power cord is securely inserted.
5) Remove the iPhone battery and the main screws supporting the system board. It is ok to remove the screen as well. This won't impact the phone operating.
6) Reattach the battery (better yet, attach a battery that you're 100000% sure is charged). Hot glue the battery connector in place to make sure it doesn't come loose.
7) Disconnect the power cord from the base of the phone.
8) Lift the system board from the phone (gently of course).
9) Depending on the model, there are a minimum of 5 individual exposed vias or test points for each of the 4 relevant JTAG pins on the Apple CPUs.
10) Using the ARM ICE debuggers, connect to the CPU and switch to single step mode.
11) Door is open... from here you can
a) Extract the hash for the PIN code to unlock the device properly. Run the hash through John the Ripper to identify a 4 digit collision.
b) Extract the fingerprint points used for user verification so they can be fed into the device electronically to unlock sensitive data including bank accounts.
c) Image the flash after it's been decrypted by calling block access functions on the flash through the OS and therefore decoding the data in the process to get an unencrypted copy (will take as much as 3-4 days due to JTAG performance limitations)
d) Upload a new program to perform the same copy but bypassing app restrictions and perform it over wireless... takes about an hour.
e) Call system file I/O functions to read individual files... surprisingly difficult given the object oriented nature of the iOS file store.
There are endless methods for extracting data from an iPhone.
Alternative for powered-off devices:
1) Image the flash via flash JTAG pins (unfortunately slow but effective).
2) Remove and copy all nvram (haven't done this yet... so would test on disposable test devices first)
3) Solder an FPGA in place of the NVRAM devices and use Altera/Xilinx logic probe functions to capture and decode write operations to the NVRAM
4) Follow similar steps to hijacking the kernel via ARM debugger, call the phone PIN code unlock functions and brute force, reset the phone after 3 tries.
5) Recopy the flash and compare the input (original and changed) as well as the NVRAM changes. Change the modified blocks back to the original values.
6) Repeat step 4 and reset only changed blocks after 3 tries. Brute force the 4 digit PIN.
I can probably come up with 20 other ways if I needed to. The first crack on iPhone 6S Plus I did took 23 hours and 5 Red Bulls. I wasn't really even trying very hard... probably spent 2/3 of the time reading and watching TV shows.
I really just can't see why this is such a big deal. If the phone can decrypt the data to begin with, it's going to be relatively simple to get it back. It doesn't even require someone particularly educated, I'm pretty sure more than half the guys I went to electronics class in high school with back in 1989 could do this.
Maybe the FBI (and others) should spend less time screwing around with court orders, quit listening to idiots in suits and instead, swing by a local maker space and look for a guy with Asperger's who really likes puzzles.