Zdziarski: DFIR, security, reverse engineering, photography, theology, funky bass guitar. All opinions are my own.
Apple . Forensics . Politics . Security

Dumpster Diving in Forensic Science

On February 22, 2016 by Jonathan Zdziarski

There has been recent speculation about a plan to unlock Farook’s iPhone simply so that investigators can walk through the evidence right on the device, rather than forensically image the device, which would provide no information beyond what is already in an iCloud backup. Going through the applications by hand on an iPhone is at the dumpster level of forensic science, and let me explain why.

The device in question appears to have been powered down already, which has frozen the crypto as well as a number of processes on the device. While in this state, the data is inaccessible – but at least it’s in suspended animation. At the moment, the device is incapable of connecting to a WiFi network, running background tasks, or giving third-party applications access to their own data for housekeeping. This all changes once the device is unlocked. When a PIN code is brute forced, the task is actually running from a separate copy of the operating system booted into memory. This creates a sterile environment in which the tasks on the device itself don’t start, but which allows a platform to break into the device. This is how my own forensics tools used to work on the iPhone, as well as some commercial solutions that later followed my design. The device can be safely brute forced without putting data at risk. Using the phone is a different story.

After the device’s PIN is deduced, if the agency were to boot the device and use that PIN, several things will unlock on it along with the encryption. The most forensically risky of these is that background tasks in applications will start. In iOS 9, applications can run in the background for various tasks, such as background refresh, VoIP, or even basic housekeeping. The mere act of unlocking the device could cause some of the third-party applications on the device to run and potentially clean themselves up, destroying old cached data, and even downloading new data. The simplest example would be a social networking application that might refresh its feed, but also remove older feed content that it doesn’t think it needs anymore. This could be disastrous for any evidence sitting on the device.

If an agency walks through the applications on the screen, they run an even stronger risk of completely destroying the evidence contained within these apps. For example, the Wickr and Telegram applications (along with many others) support self-destructing messages. The self-destruct mechanism can kick in by simply launching the app, which would result in the data being wiped from its internal database. This is not only possible, but likely, on any good secure messaging application – which would be the exact kinds of applications you would be interested in.

It is much more forensically sound to create a file system image of the device once it has been unlocked, while the operating system is still dark. This is why I hypothesized in another blog post that the FBI would eventually get a court order to force Apple to do this. There is presently no forensic tool on the market capable of imaging the file system of an iOS 8 or 9 device; therefore all anyone would get if they imaged it themselves would be the same data they already have access to via an iCloud backup.

An agency would have to really crawl into the dumpster to think that using the device’s user interface is a viable solution to analyze evidence. Not only does it run the strong risk of destroying the only copy of evidence they might have, but any smart judge would throw out any case using such sloppy techniques.

Sadly, I would not put it past certain arms of law enforcement to do just this. For a year, we tolerated the use of crappy Chinese hardware, such as IP-BOX, which has zero forensic credibility and is literally a black box, to brute force the PINs on iOS 8 devices. In spite of the best practices I teach in my forensics training classes, many departments still practice unsafe methods for seizing iOS devices that include trying a bunch of PINs, shutting down the device, or even worse – leaving the device on without proper shielding. Some years ago, I listened to an FBI agent publicly discuss how they allowed a suspect to make a phone call, and watched the remote wipe kick in on the evidence as they were holding it in their hand.

Terrorism cases are serious business, but at some point it seems that forensic science has decided to go dumpster diving to solve cases that could otherwise be solved with a little more patience and better methodology. That is part of what is going on here, given the number of wrong turns this case has already seen.

All Content Copyright (c) 2000-2022 by Jonathan Zdziarski, All Rights Reserved