Leaked documents show phones that well-known mobile forensics companies can and cannot unlock

According to law enforcement documents obtained, officers warned other officials and forensic experts that devices securely stored for forensic examination would inexplicably restart, returning to a state that was more difficult to unlock.

The specific reason for the restarts is unclear, but the document's authors, who appear to be law enforcement officials from Detroit, Michigan, speculate that Apple may have introduced a new security feature in the .

This feature would tell nearby devices to restart after they have been disconnected from the cellular network for a period of time.

After a reboot, a device is generally more secure and can defend against tools designed to crack phone passwords and steal phone data.

The document states:

The purpose of this notice is to raise awareness of a situation where devices may restart shortly after losing cellular network connection (the observation period may be within a few hours).

Apple has not responded to whether such updates were rolled out in a timely manner.

In any case, the reported reboot incident highlights the ongoing cat-and-mouse game between law enforcement and forensic experts on one side, and smartphone manufacturers Apple and Google on the other.

The file was obtained from a mobile forensics source.

A second mobile forensics source subsequently confirmed the document, saying they had seen the same document and sending a segment of it for verification.

The sources were allowed to remain anonymous so that they could discuss sensitive industry developments.

The document states that multiple devices are in the "() after first unlock" state in a digital forensics laboratory.

This means that since the last boot, someone (usually the device owner) has unlocked the device at least once using a password or something similar.

Typically, law enforcement agencies can more easily access devices that are in a state using specialized tools.

According to the previously released document listing the unlocking features, this includes tools such as.

The document states:

Due to the inhalation of air, the devices experienced a restart for some reason, causing them to lose their state.

This includes those in flight mode, and even those placed in Faraday boxes.

A Faraday cage will block electronic signals from reaching the device, such as erase commands, and prevent it from communicating with cellular networks.

The document states that after rebooting, the device enters the "() before first unlock" state.

This makes unlocking significantly more difficult, and according to the document, the devices cannot be cracked using existing tools.

The document states that on the day of the month, three running . (the latest major version of the Apple operating system) were brought into the lab.

The assumption of law enforcement officials is that "if conditions permit, the device brought into the laboratory with . would communicate with other devices already powered on in the vault."

After a long period of inactivity or disconnection, this communication sends a restart signal to the device.

They believe that this could apply not only to devices used as evidence input, but also to personal devices of forensic examiners.

This is truly bizarre, astonishing, and the law enforcement officials' assumption is "highly suspicious."

The idea of regularly restarting a phone after prolonged periods without network is quite clever. I'd be surprised if Apple really did this on purpose.

The document concludes with a series of recommendations for those attempting to extract information from it.

If the laboratory equipment has not been exposed to the equipment, please take immediate action to isolate these devices.

One suggestion reads: "The lab should conduct a current inventory of its equipment and determine if any of the equipment has been restarted and lost its state."

The document concludes that:

This issue needs to be widely disseminated in the forensic and investigative fields to raise awareness and spread the message.

Author: Emma

An experienced news writer, focusing on in-depth reporting and analysis in the fields of economics, military, technology, and warfare. With over 20 years of rich experience in news reporting and editing, he has set foot in various global hotspots and witnessed many major events firsthand. His works have been widely acclaimed and have won numerous awards.
