March 7, 2016
Apple vs. the F.B.I: Some Forensic Implications
Never one to let a good legal-tech story opportunity go to waste, I started ruminating over the multitude of implications in the Apple vs. FBI matter. There are certainly many factors which will inevitably lead to a decision. These include legal, technical, ethical, moral and philosophical factors, many of which have been (correctly or incorrectly) expounded upon by pundits, politicians and bloggers. One of the main considerations, however, deals with the practice of mobile forensics and how any evidence gained from the hacked iPhone may affect future legal proceedings.
The Problem with the Request
Most mobile forensic practitioners will tell you that mobile forensics is not true forensics. This is because data on the device is always changing and cannot be proverbially frozen in a state when it is seized due to near-constant network connectivity and instant, minor changes being made to the device. Further, in order to obtain the data off the device, we generally have to alter a minimal amount of data to allow the acquisition computer to “handshake” the device and get the data extraction. Without boring any readers with the technical aspects of what goes on in this process, suffice it to say, this is the case in virtually every single mobile forensic data extraction performed.
The problem with the FBI’s court order to Apple is that it forces Apple to alter data even more than the normal procedure calls for. The request calls for several changes to be made to the iOS operating system on the device in question to allow 1) unlimited attempts at a brute-force unlock (i.e., hack) of the device without the threat of a 10-tries-and-out data wipe and 2) successive attempts at the brute-force unlock without the hassle of the time-out feature in between attempts, which works its way up to 1 hour. Simply put, the FBI doesn’t want to have to potentially wait up to 10,000 hours or so to unlock the device. None of these alterations of the operating system has ever been performed on any other evidence device, which opens the floodgates to many questions with regard to exactly what data is being altered if and when Apple performs this procedure on the device in question.
The Daubert Standard
In 1993, forensic science in the courtroom got a proverbial slap in the face through what is now known as the Daubert Standard (see Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579). The case involved forensic expert procedures and testimony from a witness and dictated how forensic expert work and testimony should be judged from that point forward. The standards and issues are as follows:
- What is the basic theory and has it been tested?
- Are there standards controlling the technique?
- Has the theory or technique been subjected to peer review and publication?
- What is the known or potential error rate?
- Is there general acceptance of the theory?
- Has the expert adequately accounted for alternative explanations?
- Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?
I propose that most (or all) of the above-listed questions cannot be answered in the case of Apple vs. the FBI. The theory has not been tested (at least not that we know of). There are no standards controlling the technique because the technique has, in theory, never been attempted. Because it’s never been tested, it has not been subjected to peer review and publication. We have no idea of the error rate (because it’s never been attempted). Acceptance of the theory is very much up for debate and is one big reason why the case has garnered so much attention. Whether or not the actual person performing this procedure would have to come to court in any subsequent proceeding would answer the last two points, but again, the procedure has never been done before, so how do we defend against any conclusions that are drawn as a result of the procedure?
Further, the results of the procedure need to be validated, repeatable and defensible. If the evidence the FBI gains from the phone leads to criminal charges and that criminal defendant hires an independent digital forensic analyst to perform a data extraction, analysis & reporting, how is he or she supposed to facilitate that? How is this procedure repeatable to an independent expert?
Short answer, it isn’t… At least not under current circumstances.
The End is a Good Place to Start
A common theme in this blog is one coined by Stephen Covey: Begin with the end in mind. In this particular case, the FBI has a professional and ethical responsibility to begin with the end in mind and answer the questions: What do you hope to learn? What is your objective? What will you ultimately do with this data, should it present evidence of a crime?
The rules are in place for a reason. Innocent people get mixed up in investigations just like guilty people do. Everyone deserves a fair shake in the court system and the heart of forensic science is to find the truth based upon the evidence, no matter where that leads. So before we, as a society, choose sides with regard to who is the “good guy” and who is the “bad guy” in this case, perhaps we should ask the critical questions about the end-goal. Oftentimes, that will direct you where you need to go with regard to proper procedure.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.