- What is the basic theory and has it been tested?
- Are there standards controlling the technique?
- Has the theory or technique been subjected to peer review and publication?
- What is the known or potential error rate?
- Is there general acceptance of the theory?
- Has the expert adequately accounted for alternative explanations?
- Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?
Monday, March 7, 2016
Apple vs. the F.B.I: Some Forensic Implications
March 7, 2016
Apple vs. the F.B.I: Some Forensic Implications
Never one to let a good legal-tech story opportunity go to waste, I started ruminating over the multitude of implications in the Apple vs. FBI matter. There are certainly many factors which will inevitably lead to a decision. These include legal, technical, ethical, moral and philosophical factors, many of which have been (correctly or incorrectly) espoused upon by pundits, politicians and bloggers. One of the main considerations, however, deals with the practice of mobile forensics and how any evidence gained from the hacked iPhone may affect future legal proceedings.
The Problem with the Request
Most mobile forensic practitioners will tell you that mobile forensics is not true forensics. This is because data on the device is always changing and cannot be proverbially frozen in a state when it is seized due to near-constant network connectivity and instant, minor changes being made to the device. Further, in order to obtain the data off the device, we generally have to alter a minimal amount of data to allow the acquisition computer to “handshake” the device and get the data extraction. Without boring any readers with the technical aspects of what goes on in this process, suffice it to say, this is the case in virtually every single mobile forensic data extraction performed.
The problem with the FBI’s court order to Apple is it is forcing them to alter data even more than the normal procedure calls for. The request calls for several changes to be made to the iOS operating system on the device in question to allow 1) unlimited attempts at a brute-force unlock (i.e., hack) of the device without the threat of a 10-tries-and-out data wipe and 2) to alter the iOS operating system to allow successive attempts at the brute-force unlock without the hassle of the time-out feature in between attempts, which works its way up to 1 hour. Simply put, the FBI doesn’t want to have to potentially wait up to 10,000 hours or so to unlock the device. None of these alterations of the operating system have ever been performed on any other evidence device, which opens the flood-gates to many questions with regard to exactly what data is being altered if and when Apple performs this procedure on the device in question.
The Daubert Standard
In 1993, forensic science in the courtroom got a proverbial slap in the face through what is now known as the Daubert Standard (See Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579). The case involved forensic expert procedures and testimony from a witness and dictated how forensic expert work and testimony should be judged from that point forward. The standards and issues are as follows:
I propose that most (or all) of the above-listed questions cannot be answered in the case of Apple vs. the FBI. The theory has not been tested (at least not that we know of). There are no standards controlling the technique because the technique has, in theory, never been attempted. Because it’s never been tested, it has not been subjected to peer review and publication. We have no idea the error rate (because it’s never been attempted). Acceptance of the theory is very much up for debate and is one big reason why the case has garnered so much attention. Whether or not the actual person performing this procedure would have to come to court in any subsequent proceeding would answer the last two points, but again, the procedure has never been done before, so how do we defend against any conclusions that are drawn as a result of the procedure?
Further, the results of the procedure need to be validated, repeatable and defensible. If the evidence the FBI gains from the phone leads to criminal charges and that criminal defendant hires an independent digital forensic analyst to perform a data extraction, analysis & reporting, how is he or she supposed to facilitate that? How is this procedure repeatable to an independent expert? Short answer, it isn’t… At least not under current circumstances.
The End is a Good Place to Start
A common theme in this blog is one coined by Stephen Covey: Begin with the end in mind. In this particular case, the FBI has a professional and ethical responsibility to begin with the end in mind and answer the questions, what do you hope to learn? What is your objective? What will you ultimately do with this data, should it present evidence of a crime?
The rules are in place for a reason. Innocent people get mixed up in investigations just like guilty people do. Everyone deserves a fair shake in the court system and the heart of forensic science is to find the truth based upon the evidence, no matter where that leads. So before we, as a society, choose sides with regard to who is the “good guy” and who is the “bad guy” in this case, perhaps we should ask the critical questions about the end-goal. Often times, that will direct you where you need to go with regard to proper procedure.
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
We Find the Truth for a Living!