January 30, 2015
Read This Before You Use the IP Box
As a loyal and proud member of the International Association of Computer Investigative Specialists (IACIS), I am fortunate enough to have a virtual plethora of digital forensic professionals who offer advice, tips and tricks and explore current trends in digital forensics via the IACIS listserv. A hot topic going around the listserv the past few months has been the use of the IP Box to bypass a passcode-locked i-device (iPhone, iPod touch, iPad, etc.). It occurred to me (and perhaps to others) today that there are some serious considerations to take into account when employing this device. We'll explore them here:
Background
In the latter part of 2014, Apple announced that, with the release of iOS 8 and the iPhone 6 family, it would no longer be able to assist law enforcement agencies who send devices to them for bypass of a passcode or thumbprint lock to obtain data from the device, even with appropriate legal service (search warrant, etc.). This understandably caused quite a negative reaction from those in law enforcement who had previously relied upon this option as a last resort to access data on iOS devices.
Enter the IP Box. Very shortly thereafter, the IP Box became a possible alternative option for law enforcement to get past passcode-locked iOS devices. The IP Box is a no-frills Chinese tool with leads which physically attach to the exterior of the iOS device and electronically attempt every possible code from 0000 to 9999 to gain access to the user portion of the device. It's a brute-force bypass tool. If you search on YouTube, you'll find any number of (mostly foreign) videos demonstrating how this tool works – and it does work… sort of.
Concerns With the Use of the IP Box
There are several concerns with the use of the IP Box for digital forensic practitioners. Many of these have been voiced on the IACIS listserv and other online forums, but I fear one has not. The more technical issues stem from the fact that the IP Box is not a forensic tool; it's a hacker tool. In digital forensics, we need to be able to articulate, validate and replicate all of our steps; otherwise they are not scientifically valid. Hacker tools by their very nature do not fall anywhere close to these categories, but the IP Box is a simple tool, so it may be a slight exception to this rule. That is up for debate.
The second concern with the IP Box is that an iOS user has the option to set their device to automatically wipe the data after 10 unsuccessful attempts at the passcode. This is an obvious problem because you may have no clue what your subject used for a passcode, and now you only have 10 chances to figure it out or POOF! Your data is gone. This leads us right into what is probably the larger, and certainly less articulated, concern with the potential use of the IP Box, one that is especially poignant for digital forensic professionals in the law enforcement community…
If you seize an i-device with a passcode lock and your subject/suspect refuses to turn over the passcode, your options are now limited to attempting to use the IP Box. However, the subject may have turned on the 10-and-out wipe option on the device and may or may not tell you if he/she did. So in your attempt to get the data, you hook up the evidence to the IP Box and try 10 times and POOF! The device auto-wipes after your 10 unsuccessful attempts.
Guess what you just did?
Destroyed evidence.
Commentary
Having been in law enforcement for 15 years and still clinging very closely to many of the ideals that drove my career for that time, I understand the need to want to "get the data" at all costs. You may be working a child abduction or exploitation case or a homicide or rape, and that data is vital to your investigation. However, now having been in private practice, I also have the fortunate ability to step back a bit from the law enforcement world and take a look at some practices and audit them with a somewhat dispassionate view. Toward that end, I submit that the use of the IP Box by anyone in law enforcement charged with the collection, preservation and analysis of evidence is not only ill-advised, but woefully negligent.
Think about it – you know what could potentially happen to your seized data if you use the IP Box, up to and including destruction of that evidence. What possible justification can you place on that? The bottom line is, there is evidence on that device. The fact that you can't access it doesn't mean it's not there. And that evidence may have value to someone else besides you, like the defense. Perhaps there's exculpatory evidence on that device and you just wiped it. I submit that the use of the IP Box is in direct violation of our charge as responsible handlers of evidence. I further submit, as one who caters to both government and private clients, that there is potential liability in law enforcement's use of the IP Box – both civilly and criminally. Destruction of evidence, especially when you are fully aware that the potential destruction may occur AND you continue to take actions in furtherance of that potential destruction, is criminal – whether you're in law enforcement or not.
Finally, and given these facts, I can unequivocally say that if I were in law enforcement and were on the witness stand in a major trial and a savvy defense attorney was cross-examining me about the steps I took, I would have a hard time explaining my use of this device, especially given the fact that I know it could erase all the data.
The ends do not justify the means.
Conclusion
There's no doubt that in virtually every case the potential for solid evidence to exist on a mobile device is real. However, when we start to sacrifice our responsibility to protect that evidence in order to "get the data" at all costs, we start to devalue the forensic methodologies and best practices that we have dedicated ourselves to as digital forensic professionals.
Look at it as the digital forensic equivalent of the Hippocratic Oath – Above all, do no harm… and protect the evidence.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Twitter: @ProDigital4n6
Det. Cindy Murphy of the Madison, WI Police Department performed some tests on the IP Box and published a white paper with results. It may be found here:
http://www.teeltech.com/wp-content/uploads/2014/11/IP-Box-documentation-rev2-1-16-2015.pdf