ZdziarskiDFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.
Apple . Forensics . Politics . Security

Shoot First, Ask Siri Later

On February 26, 2016 by Jonathan Zdziarski

You know the old saying, “shoot first, ask questions later”. It refers to the notion that careless law enforcement officers can often be short-sighted in solving the problem at hand. It’s impossible to ask a dead person questions, and if you need answers, that makes it very hard for you if you’ve just shot them. They’ve blown their only chance of questioning the suspect by failing to take their training and good judgment into account. The same scenario applies to digital evidence. Many law enforcement agencies do not know how to properly handle digital evidence, and end up making mistakes that effectively kill their one shot at getting the answers they need.

In the case involving Farook’s iPhone, two things went wrong that could have resulted in evidence being lifted off the device.

First, changing the iCloud password prevented the device from being able to push an iCloud backup. As Apple’s engineers were walking FBI through the process of getting the device to start sending data again, it became apparent that the password had been changed (suggesting they may have even seen the device try to authorize on iCloud). If the backup had succeeded, there would be very little, if anything, that could have been gotten off the phone that wouldn’t be in the iCloud backup.

Secondly, and equally damaging to the evidence, the device was apparently either shut down or allowed to drain after it was seized. Shutting the device down is a common – but outdated – practice in field operations. Modern device seizure not only requires that the device be kept powered up, but also that all of the protocols leading up to the search and seizure be tuned so that it’s done quickly enough to prevent the battery from draining before you even arrive on scene. Letting the device power down effectively shot the suspect dead by removing any chance of doing the following:

  • Talking directly to Siri, and asking her to display call records, contacts, email, and other information.
  • Capturing the network traffic traveling between the device and any providers of third party applications on the device, which could have not only yielded valuable data, but also information about which providers Farook’s phone stored data on (for subpoena).
  • As Farook’s laptop is being reconstructed, should a pair record be recovered, it could have been used to unlock the phone or download the data on it through a backup.
  • If the iOS version was 9.0.1 or lower, a known lock screen bypass bug would have potentially allowed them access to a significant amount of data on the device (data that is unlocked “after first user authentication”).
  • Dozens of known vulnerabilities exist for older firmware that may have been able to penetrate the device with a PoC, that otherwise couldn’t be used if the encryption is locked. Simply reading Apple’s release notes would have provided contact information for a number of researchers and universities who likely had PoC exploit code they would have loaned to FBI.

Just as good tactical training prevents law enforcement from unnecessarily shooting and killing suspects, poor device seizure practices are like an “accidental discharge” against a device. Apple shouldn’t be forced to undo this mess, just as you wouldn’t expect a doctor to be able to raise someone from the dead after you’ve shot and killed them.

What law enforcement needs more of is training; specifically, training in digital evidence collection and seizure. Best practices have changed with iOS 8, and devices are best left charged and in a faraday bag so that the encryption remains unlocked and mechanisms such as background refresh and Siri remain active. Seizure protocol should also include any desktop machines that may contain pair records, dusting the device for latent prints, and even collecting or compelling a usable fingerprint before the fingerprint timer runs out. If a subject is shot dead at the scene, there may even be a chance of authenticating the device with their own finger (as morbid as that sounds), but only if the field agents have been trained with and are following such protocols. Even response time and a streamlined warrant process are critical when battery life is at stake. These and other important protocols need to be implemented in agencies, and I don’t see evidence that any of today’s modern best practices were used here.
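The paragraph above says a seizure protocol should cover any desktop machine that may hold pair records. As an added example (not code from the original post, and not an Apple or FBI tool), the script below inventories iOS lockdown pairing records on a host so an examiner can see, before the device battery dies, which UDIDs that computer has ever paired with and whether each record carries an escrow bag. It assumes the stock record directories (`/var/db/lockdown` on macOS, `%ProgramData%\Apple\Lockdown` on Windows) and the well-known plist keys `HostID`, `SystemBUID`, `WiFiMACAddress`, `DeviceCertificate` and `EscrowBag`; the sample record it builds is constructed, not a real device’s data.

```python
#!/usr/bin/env python3
"""Inventory iOS lockdown pairing records on a (possibly seized) host.

Hypothetical helper, not part of the original post. Assumes the standard
pairing-record locations and the well-known pair-record plist keys.
"""
import os
import plistlib
import tempfile
from datetime import datetime, timezone

# Assumption: stock pairing-record directories on macOS and Windows.
DEFAULT_DIRS = [
    "/var/db/lockdown",
    os.path.join(os.environ.get("PROGRAMDATA", r"C:\ProgramData"), "Apple", "Lockdown"),
]


def parse_pair_record(path):
    """Summarise one pairing-record plist; return None if the file is not a pair record."""
    try:
        with open(path, "rb") as fh:
            rec = plistlib.load(fh)
    except (plistlib.InvalidFileException, OSError, ValueError):
        return None
    # SystemConfiguration.plist and other non-pair files share this directory.
    if not isinstance(rec, dict) or "HostID" not in rec or "DeviceCertificate" not in rec:
        return None
    st = os.stat(path)
    return {
        # Pair records are named <device UDID>.plist.
        "udid": os.path.splitext(os.path.basename(path))[0],
        "host_id": rec.get("HostID"),
        "system_buid": rec.get("SystemBUID"),
        "wifi_mac": rec.get("WiFiMACAddress"),
        # An escrow bag is what lets a trusted host talk to the locked device,
        # so its presence matters for the examiner's planning.
        "has_escrow_bag": "EscrowBag" in rec,
        "modified_utc": datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat(),
    }


def inventory(dirs=DEFAULT_DIRS):
    """Walk each directory that exists and collect every valid pair record."""
    results = []
    for d in dirs:
        if not os.path.isdir(d):
            continue  # absent on hosts that never ran iTunes / usbmuxd
        for name in sorted(os.listdir(d)):
            if name.endswith(".plist"):
                summary = parse_pair_record(os.path.join(d, name))
                if summary:
                    results.append(summary)
    return results


def build_sample_dir():
    """Constructed sample directory: one pair record plus one non-pair plist."""
    d = tempfile.mkdtemp(prefix="lockdown_sample_")
    record = {  # all values below are constructed placeholders
        "HostID": "00000000-0000-0000-0000-000000000001",
        "SystemBUID": "00000000-0000-0000-0000-0000000000AA",
        "WiFiMACAddress": "00:11:22:33:44:55",
        "DeviceCertificate": b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n",
        "EscrowBag": b"\x00" * 16,
    }
    with open(os.path.join(d, "0123456789abcdef0123456789abcdef01234567.plist"), "wb") as fh:
        plistlib.dump(record, fh)
    with open(os.path.join(d, "SystemConfiguration.plist"), "wb") as fh:
        plistlib.dump({"SystemBUID": "constructed-placeholder"}, fh)
    return d


if __name__ == "__main__":
    for entry in inventory(DEFAULT_DIRS + [build_sample_dir()]):
        print(entry)
```

Run it on the examiner’s forensic image mount rather than the live system where possible; the modification time of each record is a useful pointer to when the host last re-paired with that device.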

Many have suggested that Apple locking their devices down will compromise national security. Quite the contrary: other agencies, such as the NSA, aren’t concerned about this case at all. Ex-NSA Chief Gen. Michael Hayden has recently supported encryption as “good for America”. The NSA isn’t worried about this case because they’re used to compromising targets before someone goes in and shoots the witness. They plan ops so that they can extract the data they need while devices are still accessible and authenticated; the smart way to do it. The elusive exploits, such as the one needed here, are saved for those one-off cases when that’s not possible; they’re certainly not going to burn their exploits on a case that’s been turned into a media circus, where their capabilities on this phone (and likely newer ones) would become known.

The “necessity” prong of the AWA should clearly not apply when an agency has demonstrated that the capability to obtain the needed data was possible, but was not acquired beforehand through training, hiring, or procurement. That’s at least part of what seems to be happening here. FBI could have had these capabilities, and it would not have exceeded their mandate, but they chose not to invest in them. Maybe this is why they have just slated another $85 million in funding for cyber this week.

All Content Copyright (c) 2000-2023 by Jonathan Zdziarski, All Rights Reserved