ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
Apple iPhone, iPad Forensics Advancing Slowly
Law Technology News
When mobile forensic investigators and e-discovery experts work with the latest generation of Apple Inc. mobile devices, they remain stumped about how to view password-protected emails.
In many cases, passwords and pass-phrases are handed over during discovery proceedings to unlock encrypted content. But when passwords aren't available, investigators can only see encrypted data instead of email contents. That's true on the iPhone 5, iPad 4, and iPad Mini. Even the most common forensic products, such as Cellebrite Mobile Synchronization's Universal Forensic Extraction Device (UFED) system and Micro Systemation's XRY, cannot cross that chasm. Progress has been slow.
"We continue to monitor that very closely. I wish I could tell you that the industry as a whole is going to crack this nut very soon," Cellebrite USA CEO James Grady said. Glen Rock, N.J.-based Cellebrite officials explained that their products access data on other phones and on older i-devices by intervening in the device's memory before it reaches the booting stage, but that technique doesn't help on the newer iOS 6 devices running on Apple's A5X and A6 chipsets such as the iPhone 5 and iPad 4 devices. "It's an ongoing piece of research for us though. We're not giving up by any means," Grady said.
Micro Systemation also acknowledges the challenge. "I would say it's an obstacle for all the companies," said CEO Joel Bollö noted, in Stockholm, Sweden. Both companies' products are used by the majority of cellular carriers and by myriad law enforcement agencies and militaries.
Security researchers are making slight progress toward viewing i-device emails. The process is advancing slowly because Apple focuses on protecting data, and legitimate forensic techniques often have technical similarities to malicious attacks.
A special class of computer hackers known as "jailbreakers" are developing software that forensic companies can use as foundations to make e-discovery products capable of extracting unencrypted email messages from iOS 6 devices. Jailbreaking is slang, referring to programs that circumvent manufacturer restrictions on the device's file system. The software is meant for consumers and, despite its name, is not ominous. Jailbreaking one's phone has useful implications for ordinary users, such as being able to install software from any source rather than just from Apple's App Store. American law, as of Oct. 28, 2012, allows jailbreaking on smartphones but not on tablets. Laws in other countries vary.
Progress arrived on Feb. 4 when a hacker community called "evad3rs" -- pronounced "evaders" -- released what's believed to be the first jailbreak for the current-generation of Apple mobile devices. The software, " evasi0n", successfully lets users install third-party software. By having that capability, companies that make forensic software have a new arrow in their quiver for developing forensics software, because a jailbreak is often the first step toward accessing protected or encrypted data.
Apple and groups such as evad3rs compete in the cat-and-mouse game of jailbreaks vs. iOS updates designed to thwart them. "Jailbreaks can be the only mechanism to get access to that physical image," said Guidance Software Inc.'s Ken Mizota, product manager for EnCase products. "But we also see jailbreaks as an inherently risky exercise… any jailbreak introduces a risk to the device itself. While that risk may be minute, if performed inexpertly, it can have an unintended consequence of the loss of evidence," Mizota observed.
"Our main approach as a product company is that jailbreaking is temporary. For the cases where you can't get any evidence at all, like where you have a password that you can't break, then it's a valuable means," Mizota said. Pasadena, Calif-based Guidance has an update to its EnCase software for iOS devices due this spring, but that won't include any major advancements toward viewing protected messages, he said.
Other approaches to accessing protected iOS messages passwords including using brute-force methods, independent password applications, or memory alteration techniques. Each method has limited usefulness. Brute-force methods can take days, weeks, or even years to work, depending on a password's complexity. Companies such as Passware Inc. have modest iOS functions, such as recovering passwords for backup files. For actual device passwords, "We understand the importance of mobile forensics and plan to add this feature in the future," spokeswoman Nataly Koukoushkina said, without elaborating. Memory alteration, similar to Cellebrite's method, puts user-controlled software into a device's memory ahead of the standard boot sequence. It worked as a password circumvention method on iOS 5 and older devices but doesn't apply to iOS 6.
Messages also can't be accessed by exploiting a recently discovered iOS 6.1 design bug. The bug, which Apple pledged to fix, lets users perform an obscure sequence of device actions to view phone numbers and pictures. Apple has not released a patch as of Wednesday.
Forensic companies are much farther along with Google Android devices. Android is built on the open-source Linux operating system, for which there are many documented ways to take control of device memory. Conversely, with Research In Motion's BlackBerry devices, security can be even tougher to crack than on the iPhone, experts have said.
This article originally appeared in Law Technology News.