The government, your computer and the iPhone
COMPUTER FORENSICS: THE MYTH SURROUNDING GOVERNMENTAL INTRUSION INTO OUR COMPUTERS AND THE NOW INFAMOUS CASE OF THE APPLE PHONE
I knew the Government had obtained the contents of the now infamous “Apple Phone” before the ink had dried on the Government’s first pleading. I didn’t know it because of intelligent intuition (the subject of our first blog post), but because, as the lead lawyer in United States v. Jeffrey Feldman (www.wired.com/2013/08/feds-crack-encrypted-drives), I was the first to discover that the United States Department of Justice employed contractors who created programs that violate the Fourth Amendment – so they didn’t have to. http://forensics.umass.edu/
The Government hires organizations to cheat and violate the Fourth Amendment so they can claim technological ignorance. Government contractors have written as early as 2011 that “[t]he exact extent to which investigators can exploit a network protocol to gather information remotely is unsettled law.” forensics.umass.edu/pubs/Walls.hotsec.2011.pdf
Assuming the San Bernardino hijackers had Amazon or any other network on, their phone would have allowed the Government to access the iPhone by using another network to obtain registry information on the subject’s iPhone. Contained in the registry file are the passwords necessary to get into the phone.
Inferring the Source of Encrypted HTTP Connections. Marc Liberatore and Brian Neil Levine. In Proc. ACM Conference on Computer and Communications Security (CCS), pages 255–263, October 2006.
Knowing one government contractor cheated, I went in search of others and found www.sans.org and, sure enough, they too have a specialty section where I located a section called penetration testing, which is aptly named though it sounds more than a bit sexual. While litigating the Feldman case I never quite figured out how they decrypted his computer, as that information was not provided in discovery and the case concluded before the pertinent matters were fully litigated. However, the data of related articles culled from countless early morning searches remained stored in a string of mysteries which have yet to be solved.
After Apple Phone litigation hit the wires, I was engaged in one of these many early morning searches and visited www.sans.org. Through entering a series of intuitive search terms I came upon the following citation: Decryption and Forensic System for Encrypted iPhone Backup Files Based on Parallel Random Search. Were I a computer forensic scientist and not a lawyer, I would know (a) what those purple words meant and (b) why breaking the magic code often involves layers of searching through the ever ubiquitous section of any educational/informational website. The section I have come to know and love called: Related articles.
The San Bernardino iPhone central to this discussion contains the A6 chip (found in the iPhone 5, iPhone 5C) and based on court documentation from the case, some version of iOS 9 is installed on the device. For this particular device, we would still need the passcode and jailbreak software to get a physical dump or just the passcode to get a logical extraction or forensic backup of the file system.
These “it depends” scenarios get complicated, and sometimes a great reference document is needed to keep track of it all. Devon Ackerman, Special Agent/Forensic Examiner, provided the great spreadsheet shown in the images below to us, and has given us permission to share it.
[Spreadsheet images: iOS Device and Current Known Forensics Capabilities]
I don’t know if anyone gave www.theshellowgroup.com permission to share it, but maybe next time Apple will call me. I am available 24 hours a day and, whether one’s name is Apple or Clinton, I will fly off–like a bride’s dress on her wedding night–to all parts of the globe to help. 414-263-4488. Remember to use 011 if calling from EU countries.
Read more about encryption on my Truth pages.