Friday, January 2, 2015

Problem vs. Solution: Digital Forensics and the New Mobile Privacy Policies

Original Post Date:  October 15, 2014

There’s been quite a bit of chatter in the media lately about the implications of the new privacy policies of both Apple and Google, following announcements that neither company will be able to assist law enforcement with data retrieval from locked devices.  So what potential impact does this have on digital forensic capabilities?

Before we dive into this question, it bears mentioning that for several years now (since the introduction of the iPhone 4S and iPad 2), law enforcement has been unable to brute-force the passcodes on locked Apple devices with market-available mobile forensic tools.  In high-priority cases, this meant agencies had to send the devices directly to Apple, with a valid search warrant, to obtain data to help prove or disprove a case.  This is not only time consuming, but logistically difficult for agencies not located in Northern California.  Now, both Apple and Google are saying that even with a valid search warrant or court order, they cannot retrieve user data from a locked mobile device, because on iOS 8 (and on the newer Android devices and software being sent out onto the market) the user’s data is encrypted with keys that depend on the passcode, which the vendor does not hold.

Various law enforcement leaders have been denouncing this change as “free rein for pedophiles and predators,” and indeed it does present a stumbling block when it comes to retrieval of potentially vital data.  But what other potential impacts does this have on digital forensics?   The answer is, it depends.  For private practitioners (such as Pro Digital Consulting), it may not have much of an impact at all.  Most of the time, the mobile devices we see come from willing parties, from corporations with control over the device(s), or from the defense of a criminal case, which means we have full access to what the parties involved know (i.e., the passcodes).  For law enforcement, it means they may have to buckle down and get back to the basics of police work:  effective investigation, establishing rapport with suspects and plain ole hard work.  But the options don’t end there, no matter who you work for.
Routinely, users will sync and/or back up their mobile devices on a desktop or laptop computer.  The files transferred to and newly resident on the computer are a treasure trove of information.  Recently, we worked a case where a client wanted to recover deleted iMessages from an iPhone 5s.  While the phone was not locked, the user had recently upgraded the operating system to iOS 8, which effectively overwrote much of the deleted data being sought.  To add a level of difficulty, the iMessages in question were from roughly six months in the past.  However, when we inquired as to whether the iPhone was backed up on a computer, we were presented with an iTunes backup from five months earlier, which revealed dozens of deleted iMessages and helped give a clearer picture of what may have been going on during the time period in question. 
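The recovery just described, as an added example that is not the post’s own code or tooling: given the folder of an unencrypted iTunes backup, it locates sms.db by the naming scheme iTunes uses for backed-up files (the SHA-1 of the domain plus the path on the device), lists the live messages inside a date window, and then carves deleted message text out of the SQLite page slack (the unallocated gap and the freeblocks of each table-leaf page), which is where the bytes of a deleted row linger until the space is reused.  Assumptions: the backup is not encrypted (an encrypted backup needs the backup password before any file in it is readable); the message table here is a reduced stand-in that keeps only the real table’s text, date, handle_id and is_from_me columns; dates are the seconds-since-2001 values of that era (later iOS versions store nanoseconds); and the sample backup folder, its handle and its three messages are constructed in a temporary directory for the demonstration.

```python
# Added example, not the post's own code: pull sms.db out of an unencrypted iTunes backup,
# list live messages in a date window, then carve text SQLite left in page slack after a delete.
import hashlib
import os
import re
import sqlite3
import struct
import tempfile
from datetime import datetime, timedelta, timezone

SMS_DB_DOMAIN_PATH = "HomeDomain-Library/SMS/sms.db"     # backup files are named SHA-1("<domain>-<path>")
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)  # sms.db of that era stores seconds since this

def backup_file_name(domain_path):
    return hashlib.sha1(domain_path.encode("utf-8")).hexdigest()

def locate_in_backup(backup_dir, domain_path=SMS_DB_DOMAIN_PATH):
    """Flat folder (2014-era iTunes) or the two-character subfolders later iTunes versions use."""
    name = backup_file_name(domain_path)
    for candidate in (os.path.join(backup_dir, name), os.path.join(backup_dir, name[:2], name)):
        if os.path.isfile(candidate):
            return candidate
    raise FileNotFoundError("%s not present in backup %s" % (domain_path, backup_dir))

def apple_time(dt):
    return int((dt - APPLE_EPOCH).total_seconds())

def live_messages(db_path, start, end):
    """Rows still in the message table with start <= date < end, opened read-only."""
    con = sqlite3.connect("file:%s?mode=ro" % db_path, uri=True)
    try:
        rows = con.execute(
            "SELECT m.date, h.id, m.is_from_me, m.text FROM message m "
            "LEFT JOIN handle h ON h.ROWID = m.handle_id "
            "WHERE m.date >= ? AND m.date < ? ORDER BY m.date",
            (apple_time(start), apple_time(end))).fetchall()
    finally:
        con.close()
    return [(APPLE_EPOCH + timedelta(seconds=d), who, bool(mine), text) for d, who, mine, text in rows]

def page_slack(raw):
    """Yield the unallocated gap and every freeblock of each table-leaf page: a deleted row's
    cell lands in one of them and, with secure_delete off, keeps its bytes until reused."""
    declared = struct.unpack(">H", raw[16:18])[0]
    page_size = 65536 if declared == 1 else declared
    usable = page_size - raw[20]                         # byte 20: reserved bytes per page
    for pno in range(len(raw) // page_size):
        page = raw[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0                     # page 1 starts with the 100-byte file header
        if page[hdr] != 0x0D:                            # 0x0D = table b-tree leaf
            continue
        first_free, ncells, content = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        yield page[hdr + 8 + 2 * ncells:content or 65536]   # gap between cell pointers and cells
        off = first_free
        while 0 < off < usable:
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            yield page[off + 4:off + size]               # freeblock body after its 4-byte header
            if nxt <= off:                               # chain must ascend; stop on corruption
                break
            off = nxt

def carve_deleted_text(db_path, min_len=8):
    """Printable runs found only in slack: candidate deleted text (edges may carry a stray byte)."""
    with open(db_path, "rb") as f:
        raw = f.read()
    found = set()
    for chunk in page_slack(raw):
        for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, chunk):
            found.add(m.group().decode("ascii"))
    return sorted(found)

def build_sample_backup(root):
    """Constructed stand-in for a backup folder holding a reduced sms.db (not a real device's)."""
    db_path = os.path.join(root, backup_file_name(SMS_DB_DOMAIN_PATH))
    con = sqlite3.connect(db_path)
    con.execute("PRAGMA secure_delete=OFF")   # stock SQLite's default; pinned so the demo is build-independent
    con.executescript("""
        CREATE TABLE handle(ROWID INTEGER PRIMARY KEY, id TEXT);
        CREATE TABLE message(ROWID INTEGER PRIMARY KEY, handle_id INTEGER,
                             date INTEGER, is_from_me INTEGER, text TEXT);
        INSERT INTO handle VALUES (1, '+15555550123');""")
    t0 = datetime(2014, 4, 10, 14, 0, tzinfo=timezone.utc)
    con.executemany("INSERT INTO message VALUES (?,?,?,?,?)", [   # constructed messages
        (1, 1, apple_time(t0), 0, "are we still meeting at the warehouse tonight?"),
        (2, 1, apple_time(t0 + timedelta(minutes=3)), 1, "yes, bring the second phone."),
        (3, 1, apple_time(t0 + timedelta(days=40)), 0, "unrelated message from six weeks later")])
    con.commit()
    con.execute("DELETE FROM message WHERE ROWID = 2")   # the user deleted this one before backing up
    con.commit()
    con.close()
    return db_path

def run_sample():
    root = tempfile.mkdtemp()
    built = build_sample_backup(root)
    db_path = locate_in_backup(root)                     # an examiner starts from the domain path only
    window = (datetime(2014, 4, 1, tzinfo=timezone.utc), datetime(2014, 5, 1, tzinfo=timezone.utc))
    return {"located": db_path == built, "live": live_messages(db_path, *window),
            "carved": carve_deleted_text(db_path)}
```

run_sample() builds the constructed folder, locates the database by its hashed name, and returns the live April 2014 rows alongside the carved strings; on a real case you would point locate_in_backup at a copy of the device’s backup folder.  Two caveats worth remembering there: a database whose owner ran with secure_delete on, or that was vacuumed, will have had its slack zeroed or rewritten, and a page that was freed as a whole goes onto the database’s freelist rather than into a leaf page’s freeblocks, so a thorough carve also walks the freelist trunk pages, which this example does not do.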

Skills such as these go beyond the “point, click, go” nature of mobile forensic tools and cross over into skilled computer data recovery.  It’s quite possible that the advent of the newer encryption methods on mobile devices may signal a partial rebirth of traditional computer forensics.  To be sure, the mobile market has dominated for several years, signaling a transition from traditional “dead-box” computer forensics to mobile forensics and data recovery.  Several companies have keenly observed this trend and invested millions of dollars in the development of mobile forensic tools at the expense of traditional computer forensic development.  But a competent investigator knows that there’s always more to the breadcrumb trail than is readily apparent. 

With the advent of these new challenges to data recovery, the question of backup files and sync certificates (pairing records) on a computer, which may previously have been a secondary (or later) consideration, now becomes a primary one.  Ask questions like:  How long has the user owned the device?  What other devices have they owned previously that may contain valuable data?  Were any of the devices synced and/or backed up on a computer and, if so, when and how often?  With analysis of potentially multiple backup files, we may not only have a clearer picture of what’s been going on; multiple backups taken over a period of time may even corroborate one another as accurate data.
Are cloud-based backups a consideration?  Yes.  But again, the breadcrumbs and clues left on a computer can point to a cloud backup as a potential consideration and may even help us recover it (with the appropriate consent or legal authority), since those same “breadcrumbs” may come in the form of user logins and/or recoverable passwords. 

To our friends in law enforcement, all is not lost.  Any veteran investigator will tell you that real investigations take time… sometimes A LOT of time!  Perhaps part of the digital evidence “easy button” has been removed with the software and hardware updates on mobile devices, but that doesn’t mean the data can’t be retrieved in another form.  So go buy the geek in the basement office a cup of coffee and see if he’s interested in putting down the smartphone and helping out with the retrieval of some good ole computer files… He’ll probably be happy to put all that “old” training to good use again!

Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally