
Mobile forensics company assisting FBI effectively argues that forcing Apple to create ‘GovtOS’ wouldn’t stand up in court


Cellebrite, the mobile forensics company reportedly assisting the FBI to extract data from the iPhone in the San Bernardino case, has written a white paper noting that extracting the data is only part of the challenge. If law enforcement agencies are to be able to obtain convictions on the basis of that data, there are a lot of questions that have to be answered.

Just as with physical evidence, the admissibility of digital evidence depends on good handling procedures throughout the entire chain of custody. Each link in the chain is responsible for the preservation, collection, and documentation practices that demonstrate the evidence is as close as possible to its original state.

When evaluating whether a tool is forensically sound – whether its use can certify that evidence remains unchanged and that the resulting report is a true and accurate representation of what exists on the evidence device – here are four questions to ask:

  1. Is it a tested theory or tool?
  2. Has it been independently peer reviewed?
  3. Will its use support both fact and expert witness trial testimony?
  4. Is it generally accepted within the forensic community?

At face value, any compromised version of iOS that Apple was forced to create for the FBI would fail at least three of the four tests: a bespoke build written for a single device would be neither tested, nor independently peer reviewed, nor generally accepted within the forensic community.

The company lists on its website a far longer list of questions defence attorneys are likely to ask when they cross-examine state witnesses presenting findings from hacked devices. One example given is whether it can be proven that the tool used to extract data is unable to write data to the device – another test GovtOS would seem bound to fail, since the entire approach would require loading modified firmware onto the iPhone in question.
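The bookkeeping behind two of the questions above – can the examiner show the evidence is unchanged since seizure, and can it be shown that the extraction tool did not write to the device – comes down to cryptographic hashes recorded in a tamper-evident custody log. The following is an added illustration, not code from Cellebrite, the FBI or this article. The device image, the two stand-in "tools" and the log layout are constructed for the example; a real examiner hashes a physical acquisition and relies on a write blocker or a documented read-only acquisition mode rather than a Python callable.

```python
"""Evidence-integrity checks behind the forensic-soundness questions.

Added illustration (not Cellebrite's or 9to5Mac's code). The device image,
both 'tools' and the log layout are constructed; stdlib only.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an evidence image or extracted artefact."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Hash-chained chain-of-custody log.

    Each entry commits to the evidence hash, the action, the actor and the
    previous entry's hash, so editing or dropping any entry breaks every
    later link and verify() returns False.
    """

    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    @staticmethod
    def _hash_entry(entry: Dict) -> str:
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        # Canonical JSON so the same entry always hashes identically.
        return sha256_hex(json.dumps(body, sort_keys=True).encode())

    def record(self, action: str, actor: str, evidence_hash: str,
               when: Optional[str] = None) -> Dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "seq": len(self.entries),
            "time": when or datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "evidence_sha256": evidence_hash,
            "prev_entry_hash": prev,
        }
        entry["entry_hash"] = self._hash_entry(entry)
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute every link; False if any entry was altered or removed."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev_entry_hash"] != prev:
                return False
            if self._hash_entry(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def evidence_unchanged(log: CustodyLog, image_now: bytes) -> bool:
    """Does the image still hash to the value recorded at seizure (entry 0)?"""
    if not log.entries:
        return False
    return sha256_hex(image_now) == log.entries[0]["evidence_sha256"]


def extraction_was_read_only(image: bytes,
                             tool: Callable[[bytes], Tuple[bytes, bytes]]
                             ) -> Tuple[bool, bytes]:
    """Run a tool (returns (report, image_after)); pass only if the source
    hashes identically afterwards. Any difference is a write the defence
    can point to."""
    report, image_after = tool(image)
    return sha256_hex(image) == sha256_hex(image_after), report


# Constructed stand-ins: a tiny 'device image' and two extraction tools.
DEVICE_IMAGE = b"iOS9-userdata:sms.db|notes.sqlite|photos/IMG_0001.jpg"


def read_only_tool(image: bytes) -> Tuple[bytes, bytes]:
    """Parses the image and leaves it untouched."""
    return b"artefacts:" + image.split(b":", 1)[1], bytes(image)


def writing_tool(image: bytes) -> Tuple[bytes, bytes]:
    """Stand-in for an approach that modifies what is on the device."""
    return b"artefacts:" + image.split(b":", 1)[1], image + b"|firmware-patch"


def demo() -> Dict[str, bool]:
    log = CustodyLog()
    log.record("seized", "Examiner A", sha256_hex(DEVICE_IMAGE))
    ro_ok, _ = extraction_was_read_only(DEVICE_IMAGE, read_only_tool)
    log.record("extracted (read-only tool)", "Examiner B", sha256_hex(DEVICE_IMAGE))
    rw_ok, _ = extraction_was_read_only(DEVICE_IMAGE, writing_tool)
    results = {
        "chain_intact": log.verify(),
        "image_unchanged": evidence_unchanged(log, DEVICE_IMAGE),
        "read_only_tool_passes": ro_ok,
        "writing_tool_passes": rw_ok,
    }
    log.entries[0]["actor"] = "Someone else"  # tampering with the log...
    results["chain_intact_after_tamper"] = log.verify()  # ...is detected
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The read-only tool passes the before/after hash comparison and the writing tool fails it, which is the point a cross-examiner would press on: a method that necessarily alters the device cannot produce matching acquisition hashes, however faithful its report. The chained log also shows why the custody record itself must be tamper-evident; the article's chain-of-custody point is only as strong as the documentation behind it.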

The fact that Cellebrite is asking these tough questions does, though, suggest a great deal of confidence in the integrity and robustness of its own methods.

It’s not known at this stage how long we may have to wait to find out whether Cellebrite is able to extract the desired data from the iPhone held by the FBI, though some have suggested that weeks or months may be more likely than days. It may well be some considerable time before any court hearings resume.


You’re reading 9to5Mac.

Comments

  1. viciosodiego - 8 years ago

    Israel, a US government puppet.
    I’m not surprised.

  2. iSRS - 8 years ago

    What is also missed in this route the FBI is going is a very key part.

    This method (assuming they have it) requires physical access to the device. This is now being treated as the safe, door lock, etc scenarios out there. Physical Access, and the change being made to physically getting what you are looking for.

    Not some piece of code that could, in theory, get into the wild and maliciously used.

    For govtOS to work, it is possible my iPhone in my pocket could get infected somehow and become vulnerable by someone wishing to get information off of it. With this rumored method, it requires physical access, meaning my iPhone in my pocket isn’t at risk because they don’t have it.

  3. thedingohasmybaby - 8 years ago

    Without dwelling upon some of the more egregious examples, it’s fairly clear that the government sometimes prefers routes that obtain it some information — no matter how questionable the veracity or means — rather than none. It also has the power indefinitely to detain based on mere suspicion, without the suspect having any recourse.

    Therefore something that could stand up in court may be better than something that couldn’t, but it’s optional.

  4. quitesharp - 8 years ago

    Wouldn’t it be funny if the passcode was “0000” and no one dared try it? Or try one of the other five most common passcodes: “1234”, “2580”, “1111” and “5555”. If all those five fail, you still have five more to go before risking erasing the content.

    • I was thinking about that today. It would be funnier if there’s nothing on the phone but selfies of him smiling at the camera. Like a giant f you.

      • John Smith - 8 years ago

        Yes, really funny – you should tell it to the families of the 14 dead people, I’m sure they would have a big laugh.

      • Obviously, my humor was in bad taste. I apologize.

      • Doug Aalseth - 8 years ago

        The FBI and the iPhone has nothing to do with the 14. It’s an excuse for a power play by the FBI. They are the ones doing and saying unconscionable things. There was nothing wrong with the original joke.

    • Robert Wilson - 8 years ago

      I’ve noticed something interesting messing with my phone. I don’t have the self destruct turned on but your device will still lock up for a short time if you enter the wrong passcode too many times. Well, for laughs, keep hitting 0000 or any other digit such as 1111, 2222, 3333 and so on – it doesn’t trigger the event. I just hit it plenty of times and it didn’t do the time out.

      Yes, time out works – I tried some random codes and it locked me out for a minute.

  5. //jason (@CyberWingman) - 8 years ago

    If the FBI succeeds, are they required to inform Apple of the flaw or method they used?

    • ag80911 - 8 years ago

      Unlikely – the feds are going to claim they obtained the data and drop their case against Apple – otherwise, they will drag this 3rd party firm into this mess.

    • 89p13 - 8 years ago

      IMO – IF the FBI succeeds – they are going to find nothing on this device and will slink away, back to their burrow and await the “next” terrorist event and then trot their whole straw man argument out again!

      Nothing guarantees success more than learning from your past failures . . . . Unless you’re a Government Agency!

      YMMV

    • John Smith - 8 years ago

      Normally the principle of ‘responsible disclosure’ would mean that if someone finds a security weakness they should inform the company first, then make it public second – ‘responsible’

      In the case of Apple, the FBI are no longer dealing with a ‘responsible’ company, they are dealing with a company which deliberately obstructs law enforcement, thereby assisting terrorists and criminals. In this case the FBI needs to look at it in the same way as if they find some new way to catch bank robbers and obviously don’t tell the bank robbers.

      Apple is now part of the problem, not part of the solution and has to be treated on that basis.

      • vpndev - 8 years ago

        Sorry, John. Your statement is not correct. Apple is NOT deliberately obstructing law enforcement, it’s just declining to break its own products. There is a world of difference. As has been pointed out time and again, encryption is here to stay. The genie is not going to be stuffed back into the bottle.

        The FBI and police already have the call records etc for the phone – they know who he talked to. And likewise for the personal phones the pair had (and destroyed).

        By way of contrast, I believe that Apple’s refusal to break its own products is completely responsible – for the millions and millions of people who own them and rely upon their security. You disagree – fair enough. I believe you’re wrong.

      • Doug Aalseth - 8 years ago

        On the contrary, the FBI is the problem. If they succeed, it will do nothing to stop the bad guys but will harm the industry, activists, and freedom loving people the world over. Apple is fighting the good fight.

  6. John Smith - 8 years ago

    As with a guy who posted on here, this analysis misses a key point.

    Exploiting a seized device in a terrorism case isn’t just about evidence for a court conviction – this guy is dead so they aren’t going to be prosecuting HIM.

    Information recovered is also used to locate other terrorists, increase knowledge of networks and methods and mainly to prevent future incidents. For many years MI5/GCHQ in the UK have commonly held back intercept and surveillance material and NOT used it as court evidence, specifically because using it in evidence tells the terrorists how they are being caught and they avoid making the same mistake a second time. The cops use the sensitive information to find the terrorists and then hunt out other evidence to use in court.

    • transamken - 8 years ago

      They used burner phones, this was his work phone, you really think this “terrorist” used his work phone to conduct criminal activity when they had all those burner phones on them? I don’t think so. Not to mention the FBI has been trying to get a backdoor into the iPhone since 2013 all of which you can research yourself.

  7. James Gray - 8 years ago

    San Bernardino — Surveillance Video
    Does the video Match the FBI’s story??

    IT Department, SB Regional Center

Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!
