Cellebrite, the mobile forensics company reportedly assisting the FBI to extract data from the iPhone in the San Bernardino case, has written a white paper noting that extracting the data is only part of the challenge. If law enforcement agencies are to be able to obtain convictions on the basis of that data, there are a lot of questions that have to be answered.
Just as it is for physical evidence, the admissibility of digital evidence depends on good handling procedures throughout the entire chain of custody. Each link on the chain is responsible for the proper preservation, collection, and documentation practices that demonstrate the evidence is as close as possible to its original state.
When evaluating whether a tool is forensically sound – whether its use can certify that evidence remains unchanged and that the resulting report is a true and accurate representation of what exists on the evidence device – here are four questions to ask:
- Is it a tested theory or tool?
- Has it been independently peer reviewed?
- Will its use support both fact and expert witness trial testimony?
- Is it generally accepted within the forensic community?
At face value, it would seem that any compromised version of iOS that Apple was forced to create for the FBI would fail at least three of the four tests …
The company lists on its website a far longer list of questions defence attorneys are likely to ask when they cross-examine state witnesses presenting the findings from hacked devices. One example given is whether it can be proven that the tool used to extract data is unable to write data to the device – another test that GovtOS would seem bound to fail since the entire approach would require uploading compromised firmware to the iPhone in question.
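The two properties the article keeps returning to, that the source device is unchanged by the extraction and that the report faithfully represents what is on it, are both checked in practice the same way: hash the source before and after acquisition, hash the resulting image, and record every digest in the custody log. The following is an added illustration of that check, not code from Cellebrite or from the article; the device contents, the examiner name and both acquisition tools are constructed stand-ins, and the "writing" tool is a hypothetical defective one included to show what the check catches.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Constructed sample "device contents": a small byte string standing in for the
# raw storage an acquisition tool would read. Not real device data.
SAMPLE_DEVICE = bytearray(b"contacts.db\x00messages.db\x00photos/IMG_0001.jpg\x00" * 8)


def sha256_hex(data: bytes) -> str:
    """Digest used to fingerprint the source and the image at each custody step."""
    return hashlib.sha256(bytes(data)).hexdigest()


@dataclass
class CustodyEntry:
    actor: str
    action: str
    digest: str
    timestamp: str


@dataclass
class CustodyLog:
    """Each link in the chain records who did what and the digest observed."""
    entries: List[CustodyEntry] = field(default_factory=list)

    def record(self, actor: str, action: str, data: bytes) -> str:
        digest = sha256_hex(data)
        stamp = datetime.now(timezone.utc).isoformat()
        self.entries.append(CustodyEntry(actor, action, digest, stamp))
        return digest

    def digests_match(self) -> bool:
        # True only if every recorded digest (source before, source after,
        # image) is identical, i.e. nothing changed anywhere along the chain.
        return len({e.digest for e in self.entries}) == 1


# Two hypothetical acquisition tools. Each receives the device buffer and
# returns an image (a copy). A forensically sound tool must not touch its input.
def read_only_tool(device: bytearray) -> bytes:
    return bytes(device)


def writing_tool(device: bytearray) -> bytes:
    # Assumed defective tool: it leaves a marker on the device before imaging,
    # which is exactly the "can it write to the device?" failure in the text.
    device[:4] = b"TOOL"
    return bytes(device)


def acquire_with_verification(
    device: bytearray, tool: Callable[[bytearray], bytes], examiner: str
) -> Dict[str, object]:
    """Image the device with `tool` and report whether the result is sound."""
    log = CustodyLog()
    before = log.record(examiner, "hash source before acquisition", device)
    image = tool(device)
    after = log.record(examiner, "hash source after acquisition", device)
    image_digest = log.record(examiner, "hash acquired image", image)
    return {
        "source_unchanged": before == after,
        "image_matches_source": image_digest == before,
        "forensically_sound": before == after == image_digest,
        "log": log,
    }


if __name__ == "__main__":
    for name, tool in (("read-only tool", read_only_tool), ("writing tool", writing_tool)):
        result = acquire_with_verification(bytearray(SAMPLE_DEVICE), tool, "examiner-1")
        print(f"{name}: forensically sound = {result['forensically_sound']}")
        for entry in result["log"].entries:
            print(f"  {entry.timestamp} {entry.actor}: {entry.action} -> {entry.digest[:16]}...")
```

The point of hashing the source twice rather than once is that a matching image hash alone proves nothing about the device: the writing tool above produces an image whose digest matches the device as it is after acquisition, and only the before/after comparison exposes that the device was altered.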
The fact that Cellebrite is asking these tough questions does, though, suggest a great deal of confidence in the integrity and robustness of its own methods.
It’s not known at this stage how long we may have to wait to find out whether Cellebrite is able to extract the desired data from the iPhone held by the FBI, though some have suggested that weeks or months may be more likely than days. It may well be some considerable time before any court hearings resume.