Difficult Times for iOS Investigations

Ken Mizota

A recent CNet story, “Apple deluged by police demands to decrypt iPhones”, was picked up by slashdot.org. The original article is a good read on one of the pain points in today’s iOS investigations, but the comments on the Slashdot.org post are downright illuminating. A veteran digital investigator probably already knows: the passcode and encryption on the iPhone 4S, iPhone 5 and iPad 2 and later have been virtually impossible to bypass. Even built-for-purpose mobile device forensic companies plainly admit that iOS forensics has been advancing slowly.

While it may be convenient to point the finger squarely at Apple and cry “foul!” over the pace at which they work the backlog of law enforcement requests, I think the situation is quite a bit more complex.

First, for those who think Apple maintains a “back door” into their iOS software and can simply bypass their own encryption, the evidence shows that this is simply not the case. Like it or not, Apple has built a relatively secure computing platform that, in theory, can only be compromised under very specific circumstances. An astute member of the slashdot.org community provides an overview of the intricacies of the security mechanisms in play:

“A suitably advanced attacker could probably also obtain the SoC keys by decapping the chip, dying it, and looking at the fuses with a scanning electron microscope, but I generally don't worry about an attacker with those sorts of resources; they would probably just beat my PIN out of me...” (http://slashdot.org/~blaster)

Essentially, the reasonable speculation boils down to this: Apple, as owner of the iOS source code and hardware design, has sufficient skills to perform reasonable brute force attacks on PIN codes. Practically speaking, they are the only organization on the planet with this combination of skills and access, at least for now.

Second, even if the technical challenge were not complex, the matter of maintaining the chain of custody would still take time and effort. How does Apple maintain evidentiary integrity? How does Apple confirm a valid request versus someone impersonating law enforcement? These things take time and resources. While one could argue that Apple, being one of the largest corporations in the world, could easily expend the legal, administrative and technology resources to crack this nut, can we assume they are not already doing so? All of this work comes PRIOR to the actual technical challenge of unlocking the phone. While a 4-digit PIN code might be brute forced in seconds, what if a password is set? The complexity just got a LOT worse. It would be interesting to see the length of the backlog that constitutes a 4-month delay. My guess is that it represents a fairly lengthy line of suspect devices.

Now what?

At best, this view of the state of iOS forensics is troubling for digital investigators. Time passes in forensics a lot like dog years: one year in reality is equivalent to multiple years in forensics. The iPhone 4S has been in the wild since 2011: a virtual eternity. Knowing all of this, what does the digital investigations community do?

I think there are a few vectors that need to be pursued and promoted. Apple, and other tech titans, should be persuaded to act, with appropriate business cases to call them to action. Large organizations don’t turn on a dime, no matter how technically savvy they are. How do we do this?

As law enforcement: Contribute to Apple’s backlog. Law enforcement agencies should, whenever remotely possible, submit iPhones and iPads to Apple. A 4-month backlog may seem long today, but what about when the backlog is one year? More than a year? That might cause a PR problem for Apple, which in turn might divert some of the really smart people at Apple to solve this difficult problem.

As a corporate digital investigator: Stay current and familiar with the architecture of iOS security mechanisms. At a minimum, when exploits or tools are made available for modern iOS devices, investigators will be well versed in the costs and limitations.

As a technology provider: Guidance Software and our technology partners will continue to lobby on behalf of the digital investigation community. The driving forces of the digital investigation market inform the actions of Guidance Software and mobile device manufacturers. Unfortunately, general mobile device market forces inform the actions of Apple and other device manufacturers, and those forces have not been aligned with the needs of digital investigators. Nonetheless, in this case the tide isn’t likely to turn without continued vigilance and investment from technology providers.
