Authors: Sunbum Song, Hongseok Yang, Eunji Lee, Sangeun Lee, Gibum Kim
DFRWS APAC 2025
Abstract
To acquire data stored on damaged devices, forensic analysts have conventionally removed the flash memory from the device and directly extracted the data from it. This process, often called ‘chip- off’ technique, has faced difficulties in application as data encryption technologies are being widely adopted. Except for rare instances where highly advanced chip transplantation is necessary, analysts generally attempt to repair the damaged modules as much as possible. When critical modules in an iPhone are damaged, the device experiences a phenomenon known as panic-full, in which the device repeatedly reboots, preventing analysts from acquiring data within. This research reviews the previously disclosed causes and analysis methods of panic-full through experiments. Furthermore, for cases where module replacement does not resolve the panic-full status, this paper provides diagnosis methods to detect damages to logic boards and as well as jumper point information. Lastly, based on above findings, an improved physical recovery process for iPhones in panic-full status is suggested. This study has been conducted on limited models of iPhone models, yet with Apple’s unified hardware ecosystem, the findings and methodologies suggested in this paper can be easily extended to other models.