希望访问中文页面? 请点此(简体中文版)  

Posted on: March 11, 2016

in Blog

eDiscovery Update: FBI vs. Apple – Thinking Outside the Phone

This post was originally published on The Daily Record.

This post explains the privacy controversy between Apple and the FBI and explains Apple’s encryption software and alternative methods to retrieve ESI.

Unless you have been living under a rock for the past few weeks you’ve likely heard about the privacy bout of the millennia, Apple vs. FBI. If not, here is a really short recap - The FBI wants Apple to modify its iPhone operating system so it can review the contents of the phone used by the San Bernardino terrorist. The FBI thinks Apple should comply and help fight the war on terror. The federal government is appealing to populous sentiment by suggesting that the phone’s contents may aid in finding other plotters or thwart future attacks. Hard to argue with that?! Apple on the other hand isn’t caving and instead is taking the righteous position of protecting the privacy of its customers. Apple has stated that creating a backdoor for this one situation could potentially jeopardize the security and privacy for all of Apple’s customers. Good for Apple?! Regardless of whose side you are on, this is a relevant debate and one that has impassioned many pundits, technologists and business leaders to step forward and opine on the topic. 

Learn how to handle the hurdles for different mobile device operating systems when responding to a data preservation trigger.

Personally, this is a matter near and dear to me since I live and breathe digital forensics and electronic discovery each day. Every day we are extracting data from phones for recovery or discovery purposes. Even if we don’t have the proper credentials we sometimes are able to “crack” phones. However, the success of that endeavor is dependent on the device and its operating system. Protections on older iPhones (iOs 8 and earlier) can be bypassed using current technology but the current iOs has a security feature that will wipe the phone rendering the data unreadable, if more than ten incorrect attempts are made to enter a pin code. This security feature is great for consumers, but the FBI obviously doesn’t like it.

Cracking Apple's Security Feature

From what I know and have read, my company uses the same technology that the police and investigating organizations use to conduct investigations on mobile devices. This is why the answer has been a resounding “NO” when my colleagues and friends have asked me if my company or I could get crack the phone in question and bypass Apple’s new security feature. However, my answer is a decisive “YES” when asked if there are any other measures we could take in an attempt to view data stored on the phone.

OK, let’s forget about a brute force attack on the iPhone. It won’t work. What are these other methods? I read an article where a proposed method called “decapping” was put forth as a possibility to “crack” the phone. Decapping is apparently an intricate process that involves shooting a laser at one component after completely disassembling the phone. Hmmmm, sounds suspect to me and risky. 

What else can we do? 

Let’s think outside the box or rather, outside the phone. 

Let’s start with the premise that all people are lazy. Yes, you are lazy too (lazy about passwords that is) and where do we use our passwords? We use the same passwords for multiple sites and systems. Trying to manage different passwords for every system and site would be maddening. There are password management systems that one could use, but remember, we are lazy. 

iPhones are typically backed up to the cloud (iCloud). iCloud doesn’t require a pin code; it uses a password. For anyone who has changed iPhones for whatever reason they know that a full restore from the magical iCloud is a wonderful thing! 

So how would we find that password? Assuming one existed, I would examine the laptop or desktop used by the individual in question. The examination would include an attempt to identify cached or stored passwords in Internet browsers or other applications. This is common practice in most digital forensic examinations and you would be surprised to see what is stored on computers, or maybe you wouldn’t. Remember, we are lazy and when a website asks us if we want to store a password we say, YES! 

Once found, one could try the passwords on the iCloud account in an attempt to gain access. If successful and depending on the iCloud settings, one could review contacts, emails, pictures and other information. Additionally, if the proper password is found one could setup a new iPhone using the iCloud account. Voila! Problem solved. But would this actually work and solve the problem? 

I spoke with another digital forensic expert, Ryan Duquette, partner at Hexigent Consulting, about my plan. Duquette, who formerly worked in law enforcement as a digital forensic examiner outside of Toronto, agrees that my proposed method could be used and one he has used successfully in past criminal investigations. We also both agree that a full restore of the phone may not get all the information, specifically potentially telling deleted ESI. However, that doesn’t mean it is a futile or useless exercise. He stated that “a full restore of an iPhone may retrieve emails, text messages, contacts and recent phone calls. Information that I am sure an investigator would find useful.”

Duquette goes on to mention, “There might be an iTunes backup on the computer as well, which if unencrypted can be accessed and be used to glean relevant information.” This is yet another potential gem sitting in plain sight and outside the phone.

I trust that investigators in this matter have taken all of the aforementioned steps in an attempt to gather information, but the point of this article goes beyond this case. As an attorney or corporate investigator, you may encounter password protected files or encrypted devices when gathering or attempting to access ESI for discovery or investigations. If this is the case and it is critical to gain access to the information, and you have the legal authority to do so, then you may want to seek outside assistance from a digital forensic expert to help you think outside the phone. I foresee this as only the beginning of encryption and data protection issues as they relate to electronic discovery, regardless if it’s in civil or criminal proceedings. 

Which side are you on? Do you feel that Apple should be forced to provide a mechanism to access the data on the phone? If there is not a legal obligation, do they have a moral one?

Discover More:



Discover More Categories

D4 Weekly eDiscovery Outlook

Power your eDiscovery intellect with our weekly newsletter.