Joanna Ward, digital forensics consultant, Kroll Ontrack Legal Technologies

Years of exposure to police shows can give the general public the impression that computer forensics is both all-powerful and an incredibly quick method of gathering evidence. Hollywood would have you believe that all it takes is one nerd savant extraordinaire and a few lines of code to access almost any digital information. As a result, the general public expressed surprise when an enforcement behemoth such as the FBI took Apple to court following the tech giant's refusal to decrypt phones thought to contain evidence for both a drugs case[1] and for the investigation into the terrorist attack at San Bernardino[2].

Why did the FBI need help? 

iPhones require a passcode to gain entry to the data. Although the FBI can use brute-force techniques to crack a password, iPhones have an inbuilt mechanism to lock the phone if an incorrect password is entered too many times. As brute-force cracking involves a computer programme running through thousands of combinations, it is likely that the phone would become locked before entry is gained.
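To make the point concrete, here is a small added simulation (not code from the article or from Apple) of the lockout mechanism described above. The attempt budget, PIN lengths and the lock's behaviour are assumed, illustrative values, not the real device's parameters; the aim is to show why an exhaustive guess runs out of attempts long before it runs out of PIN space.

```python
# Added illustration: a toy passcode lock that refuses all further guesses
# once too many failures have been counted. Parameters are assumed, not Apple's.

class PasscodeLock:
    """Counts failed guesses; after max_failures the lock wipes and never opens."""

    def __init__(self, passcode, max_failures=10):
        self.passcode = passcode
        self.max_failures = max_failures
        self.failures = 0
        self.wiped = False

    def try_unlock(self, guess):
        if self.wiped:              # a wiped device rejects even the right code
            return False
        if guess == self.passcode:
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.wiped = True
        return False


def exhaustive_guess(lock, digits):
    """Try every numeric PIN in order until the lock opens or wipes.

    Returns (opened, attempts_made). Stops as soon as the lock is wiped,
    which is what makes the attempt budget, not the PIN space, the limit.
    """
    attempts = 0
    for n in range(10 ** digits):
        if lock.wiped:
            break
        attempts += 1
        if lock.try_unlock(f"{n:0{digits}d}"):
            return True, attempts
    return False, attempts


def success_probability(digits, max_failures):
    """Chance that a uniformly random PIN falls inside the attempt budget."""
    return min(1.0, max_failures / 10 ** digits)


if __name__ == "__main__":
    lock = PasscodeLock("7391", max_failures=10)   # constructed sample PIN
    print(exhaustive_guess(lock, 4))               # (False, 10): wiped after 10
    print(success_probability(4, 10))              # 0.001 for a 4-digit PIN
```

With a ten-attempt budget the guesser covers 10 of 10,000 four-digit PINs (one in a thousand) before the device locks, and a six-digit PIN drops that to one in a hundred thousand.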

Setting a new legal precedent?

Many commentators have been sceptical that the FBI needed to take Apple to court. In particular, the evidence thought to exist on the phone in the San Bernardino case was not essential to the case, as the culprits had already been caught. Indeed, privacy advocacy groups believe that San Bernardino was chosen as a means of establishing a legal precedent for wider access and surveillance.

The FBI calls in reinforcements

During the San Bernardino case, the FBI requested that Apple allow access by building a 'backdoor' that would enable unlimited password guesses[3]. 'Backdoors' are unpopular and in cases like this, the stakes are high. Essentially, Apple believes that being legally compelled to breach the security of its own software is akin to hacking its own customers and will cause far-reaching security consequences.

When Apple refused, the FBI eventually dropped its case against Apple and instead turned to an anonymous third party who, for an undisclosed sum of money, provided the FBI with a tool that exploits a security flaw to allow access to the phone.

Using a third party has caused waves throughout the tech world. Although the tool only works for the iPhone 5C, Apple and other providers fear that the third party's methods may be leaked and cause widespread security issues. As a result, there has been mounting pressure from both Apple and privacy campaigners to disclose the technique so that the flaw can be rectified. However, the FBI has stated that it cannot reveal the methods. Amy Hess, executive assistant director for Science and Technology, confirmed the bureau would not do this because it could not:

“Currently we do not have enough technical information about any vulnerability that would permit any meaningful review.”[4]

Tech providers respond 

Other providers have started to make moves to improve privacy for their customers. Shortly after the FBI opted to use a third party, messaging service WhatsApp introduced end-to-end encryption for its billion-plus users. Because the data is encrypted end to end, even WhatsApp staff will be unable to access messages sent via the app. Furthermore, should the FBI turn its attention to WhatsApp, the company will not be able to comply with a court order demanding access to data transmitted via its service. It is likely that other providers will follow suit, both to protect customer privacy and to avoid the need for expensive security fixes should surveillance techniques be leaked.

Computer forensics providers enter the fray

As the FBI and messaging providers battle, another force is mustering on the sidelines in the form of computer forensics providers. At the time of writing, Cellebrite have released an update to decrypt WhatsApp messages, which in turn will likely result in WhatsApp countering with another encryption update. This essentially results in a Mexican standoff between messaging providers, the FBI and forensics companies as they continually fight to stay ahead of one another. Whenever one acts, another will retaliate.

Is there another way to get data from an iPhone that does not involve backdoors or hacking?

As the battle rages, thinking outside the box could lead the way to the evidence. In particular, as devices become more connected, it might be possible to obtain the same data from another source. For example, if an iPhone owner has backed up their phone onto a laptop, investigators could recover this data using forensic methods to search within the backup. This approach can often result in high-quality evidence such as emails, photographs and notes.

Investigators could also look to the iPhone owner's personal and professional networks. By sifting through the communications of a recipient rather than the original sender, it may be possible to find the required evidence. This may seem like an arduous and convoluted method, but ediscovery search technology is a long-established way of quickly and accurately sifting through huge sets of unstructured data such as emails and unencrypted instant messages. Predictive coding can also be used to review documents automatically, meaning what could be a very time-consuming exercise can be completed more efficiently.

Who will win the war?

At the moment, there is no clear winner between enforcement agencies and technology companies. The FBI was able to get what it wanted, but in a way that has caused retaliation in the form of increased encryption. Apple and others have been able to maintain their commitment to privacy, but as more evidence is held on devices, it is likely that the FBI and other enforcement agencies will continue to fight.

Contributed by Joanna Ward, digital forensics consultant, Kroll Ontrack Legal Technologies