Original Post Date: October 15, 2014
Problem vs. Solution: Digital Forensics and the New Mobile Privacy Policies
There’s been quite a bit of chatter in the media lately about the implications of the new privacy policies of both Apple and Google, following announcements that they will no longer be able to assist law enforcement with data retrieval on locked devices. So what potential impact does this have on digital forensic capabilities?
Before we dive into this question, it bears mentioning that for several years now (since the introduction of the iPhone 4s and iPad 2), law enforcement has been unable to get past (brute-force) passcodes on locked Apple devices with market-available mobile forensic tools. In high-priority cases, this would require these agencies to send the devices directly to Apple, with a valid search warrant, to obtain data to help prove or disprove a case. This is not only time consuming, but logistically difficult for agencies not located in Northern California. Now, both Apple and Google are saying that even with a valid search warrant or court order, they cannot retrieve user data on mobile devices due to the level of encryption in iOS 8 and newer devices and in the software being sent out onto the Android market.
Various law enforcement leaders have been denouncing this change as “free rein for pedophiles and predators,” and indeed it does present a stumbling block when it comes to retrieval of potentially vital data. But what other potential impacts does this have on digital forensics? The answer is, it depends. For private practitioners (such as Pro Digital Consulting), it may not have much of an impact at all. Most of the time, the mobile devices we see are either from willing parties, from corporations with domain over the device(s), or in the defense of a criminal case, which means we have full access to what the party or parties involved know (i.e., passcodes). For law enforcement, it means they may have to buckle down and get back to the basics of police work: effective investigation, establishing rapport with suspects and plain ole hard work. But the options don’t end there, no matter who you work for.
Routinely, users will sync and/or back up their mobile devices on a desktop or laptop computer. The files transferred and newly resident on the computer are a treasure trove of information. Recently, we worked a case where a client wanted to recover deleted iMessages from an iPhone 5s. While the phone was not locked, the user had recently upgraded the operating system to iOS 8, which effectively overwrote much of the deleted data that was being sought. To add a level of difficulty, the iMessages in question were from roughly 6 months in the past. However, when we inquired as to whether the iPhone was backed up on a computer, we were presented with an iTunes backup file from 5 months previous, which revealed dozens of deleted iMessages and helped get a clearer picture of what may have been going on during the time period in question.
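The kind of recovery described above rests on two facts: the iTunes backup folder holds the phone’s message store (an SQLite file, stored in the 2014-era backup layout under the SHA-1 of the string HomeDomain-Library/SMS/sms.db), and SQLite, by default, does not wipe the bytes of a deleted row; it only marks the space free. The following added example (not code from the original post or from Pro Digital Consulting) builds a constructed stand-in for sms.db with a simplified schema, deletes two messages, and then carves them back out of the page’s free space by walking the SQLite page header rather than querying the database.

```python
import os, re, sqlite3, tempfile

def build_sample_db(path: str) -> None:
    """Constructed stand-in for sms.db (not Apple's real schema): three messages, two then deleted."""
    con = sqlite3.connect(path)
    con.execute("PRAGMA secure_delete=OFF")  # SQLite's usual default: freed cells keep their bytes
    con.execute("CREATE TABLE message (ROWID INTEGER PRIMARY KEY, text TEXT, date INTEGER)")
    con.executemany("INSERT INTO message(text, date) VALUES (?, ?)", [
        ("meet you at the usual place", 419000000),       # dates: seconds since 2001, as sms.db used
        ("DELETED_MSG: please get rid of the files", 419000100),
        ("DELETED_MSG: running late, sorry", 419000200)])
    con.commit()
    con.execute("DELETE FROM message WHERE ROWID IN (2, 3)")
    con.commit()
    con.close()

def page_slack(raw: bytes, root: int) -> bytes:
    """Bytes on a table's root leaf page that no live cell owns: the unallocated gap
    behind the cell-pointer array plus the freeblock chain (SQLite file format)."""
    u16 = lambda o: int.from_bytes(raw[o:o + 2], "big")  # big-endian 2-byte field
    page_size = 65536 if u16(16) == 1 else u16(16)
    base = (root - 1) * page_size
    hdr = base + (100 if root == 1 else 0)               # page 1 also holds the 100-byte file header
    assert raw[hdr] == 0x0D, "expected a table b-tree leaf page"
    ncells, content = u16(hdr + 3), u16(hdr + 5) or 65536
    chunks = [raw[hdr + 8 + 2 * ncells:base + content]]  # unallocated space
    off = u16(hdr + 1)                                    # first freeblock, 0 = none
    while off:                                            # freeblock: 2-byte next, 2-byte size, data
        nxt, size = u16(base + off), u16(base + off + 2)
        chunks.append(raw[base + off + 4:base + off + size])
        off = nxt
    return b"".join(chunks)

def carve_deleted(path: str, table: str = "message", min_len: int = 8) -> list:
    """Printable runs in the slack that no live row contains: the deleted messages."""
    con = sqlite3.connect(path)
    root = con.execute("SELECT rootpage FROM sqlite_master WHERE name=?", (table,)).fetchone()[0]
    live = [r[0] for r in con.execute(f"SELECT text FROM {table}")]
    con.close()
    with open(path, "rb") as f:
        raw = f.read()
    runs = {m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, page_slack(raw, root))}
    return sorted(s for s in runs if not any(s in t for t in live))

def demo() -> list:
    """Build the constructed sample in a temporary directory, then carve it."""
    path = os.path.join(tempfile.mkdtemp(), "sms.db")
    build_sample_db(path)
    return carve_deleted(path)
```

A real sms.db is larger than one page and has many tables, so the same page walk has to be repeated over every leaf page of the message table, and the carved text should always be checked against the live rows, as done here, before it is reported as deleted.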
Skills such as these go beyond the “point, click, go” nature of mobile forensic tools and cross over into skilled computer data recovery. It’s quite possible that the advent of the newer encryption methods on mobile devices may signal a partial rebirth of traditional computer forensics. To be sure, the mobile market has dominated for several years, signaling a transition from traditional “dead-box” computer forensics to mobile forensics and data recovery. Several companies have keenly observed this trend and invested millions of dollars in the development of mobile forensic tools at the expense of traditional computer forensic development. But a competent investigator knows that there’s always more to the breadcrumb trail than is readily apparent.
With the advent of these new challenges to data recovery, the question of backup files and sync certificates on a computer, which may previously have been a secondary (or later) consideration, now becomes a primary one. Questions like: How long has the user owned the device? What other devices have they owned previously that may contain valuable data? Were any of the devices synced and/or backed up on a computer and, if so, when and how often? With analysis of potentially multiple backup files, we may not only have a clearer picture of what’s been going on, but multiple backup files over a period of time may even serve to validate one another as accurate data.
Are cloud-based backups a consideration? Yes. But again, the breadcrumbs and clues that may be left on a computer can help identify cloud storage as a potential consideration and may even help us recover the cloud-based backup files, as those same “breadcrumbs” may come in the form of user logins and/or recoverable passwords.
To our friends in law enforcement, all is not lost. Any veteran investigator will tell you that real investigations take time… sometimes A LOT of time! Perhaps part of the digital evidence “easy button” has been removed with the software and hardware updates on mobile devices, but that doesn’t mean the data can’t be retrieved in another form. So go buy the geek in the basement office a cup of coffee and see if he’s interested in putting down the smartphone and helping out with some retrieval of some good ole computer files… He’ll probably be happy to put all that “old” training to good use again!
Author: Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally