Data Security and Computer Forensics: Part 2

compute forensics accountants

By Daniel Hains 

 forensic accounting firm brisbane

For the past decade, data security and online privacy has been a topic of much debate and scrutiny and the discussion will continue for the foreseeable future.  The use and misuse of our electronically stored information has arisen time and again.

In Part 1 of our Data Security and Computer Forensics Series we looked at the mechanism for ensuring the security of our electronically stored information (“ESI”), known as Encryption.  

In Part 2 we take a look at a case study and it’s implications, alternative sources of information and defending the security of your data… 

FBI – Apple encryption case

In 2015 and 2016, Apple Inc. has received and objected to a multitude of orders issued by United States district courts under the All Writs Act of 1789.  Most of these seek to compel Apple to cooperate with courts to provide access to encrypted data  stored on its devices, such as; contacts, photos, SMS and messages and call logs in order to assist in criminal investigations and prosecutions.

A few requests, however, involve devices with more extensive security protections, which Apple purports to have no current ability to break.  These orders would compel Apple to write new software that would let the government bypass these devices’ security and unlock the devices[1].

The most well-known instance of the latter category was a February 2016 court case in the United States District Court for the Central District of California.  The case is commonly known as FBI v Apple and is a good example of the issues presented by increasing privacy security.

In this case, a shooter in San Bernardino killed 14 people and injured 22 others.  The attacker, with his accomplice, later died in a shootout with police, having first destroyed their personal phones.  A work phone, an Apple 5C, was recovered intact but was locked with a four-digit password and was set to eliminate all its data after ten failed password attempts.

Local law enforcement needed to access information stored on the suspect’s iPhone and enlisted the help of the FBI, who in turn attempted to compel Apple to create a mechanism that bypasses the iPhones built-in security measures, whereby too many unsuccessful pin code attempts would disable the phone and render the stored data irretrievable.

The FBI successfully obtained a subpoena issued under the All Writs Act of 1789[2].  The use of the All Writs Act to compel Apple to write new software was unprecedented and, according to legal experts, it was likely to prompt “an epic fight pitting privacy against national security.”  It was also pointed out that the implications of the legal precedent that would be established by the success of this action against Apple would go far beyond issues of privacy.

The court order specified that Apple provide assistance to accomplish the following:

  • “it will bypass or disable the auto-erase function whether or not it has been enabled” (this user-configurable feature of iOS 8 automatically deletes keys needed to read encrypted data after ten consecutive incorrect attempts;
  • “it will enable the FBI to submit passcodes to the SUBJECT DEVICE for testing electronically via the physical device port, Bluetooth, Wi-Fi, or other protocol available;”
  • “it will ensure that when the FBI submits passcodes to the SUBJECT DEVICE, software running on the device will not purposefully introduce any additional delay between passcode attempts beyond what is incurred by Apple hardware”.

The order also specifies that Apple’s assistance may include providing software to the FBI that “will be coded by Apple with a unique identifier of the phone so that the [software] would only load and execute on the subject device.

Apple refused, citing the precedent it would set if they were to start removing the protections that they had built in to their products that their customers relied upon.[3]

However, a day before the hearing was supposed to happen, the government obtained a delay, saying they had found a third party able to assist in unlocking the iPhone and, on March 28, it announced that the FBI had unlocked the iPhone and withdrew its request.

Ultimately, it emerged that the FBI were able to gain access to the iPhone without Apple’s help, however the exact method was not disclosed.  Rumours suggest an Israel-based firm, Cellebrite, was able provide access to the phone, given that the request was withdrawn, however this has never been officially confirmed and other sources claim that hackers exploited hitherto unknown means to gain access.

Implications

For the average user, if you forget the PIN to unlock your phone, you have, by default, a limited number of attempts to ‘guess’ the correct one before your phone is disabled and the data stored within is lost forever.[4]  For law enforcement agencies, depending on the model of the phone being examined, it may be able to be unlocked by paying a large fee to a third-party unlocking service, or it may mean being unable to access the contents of the device at all without invoking the incoming legislation, should it be successful.

 Alternative Sources of Information

Returning to the scepticism of cloud storage mentioned in the introduction, such technology is now increasingly becoming accepted.  In fact, iPhones can back up their data to the cloud and such a feature is commonly implemented.  This means that even if you’ve forgotten your PIN, you may still have a backup of your information in iCloud that you can restore back to your phone.

Equally, law enforcement and forensic practitioners can access this information if they have access to the iCloud login details.  It is also reasonably common to take backups of an iPhone, or other branded device for that matter, using a computer.

Defending the security of your data

Now that some of the ways that your data can be compromised has been discussed, it would be prudent to consider how to reduce the risk of compromise, even if it the risk cannot be eliminated entirely.

  • If you have data you wish to protect on your mobile phone, add a PIN code or other alternative authentication method such as a fingerprint. Industry guidance suggests that passwords will soon be (or are already) obsolete to be replaced by fingerprint, voice print or biometric scan (including retina, breath and or blood sample).
  • Ransomware is often delivered through malicious email attachments or emails with links to infected websites. Do not open any email that you are not 100% certain of the source, no matter how legitimate the email may seem.  Even then, consider whether the website link or attachment itself could still be compromised.  At a minimum, keep operating systems and antivirus software patched and up to date.
  • Use complex, nonsensical passwords. Better still, don’t use the same password for more than one application or website.  In the event that one of your passwords has been compromised, that password won’t be able to be used to breach any other applications you use.
  • Best practice, use a password manager application to generate and store your passwords for you. These can typically be set up to generate a complex, lengthy password and store that along with your username so that any time you visit a site, the details can be retrieved and entered for you by the application.  It goes without saying that the password used to secure the password manager needs to be equally complex, but this is only one password you will have to remember yourself.
  • Take advantage of applications and providers that offer two-factor authentication. This works by sending you an SMS, or generating a code on your phone, with a second unique password that only works for a short time for that particular instance.  This way, even if your password was compromised, access would still be impossible without the second authentication token.

Note that an encrypted folder (or container) can often contain multiple further encrypted folders to further secure files.  This means that the top level (or parent) folder may be uncovered through analysis or even voluntarily given up by the User and, accordingly, compliance with orders is satisfied for all intents and purposes.  However, the next level files or folder(s) may be undetectable and so remain hidden until such time as they are required.

References

[1] https://theintercept.com/2016/02/23/new-court-filing-reveals-apple-faces-12-other-requests-to-break-into-locked-iphones/

[2] Titled In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203, was filed in the United States District Court for the Central District of California.

[3] https://digital-forensics.sans.org/blog/2016/02/23/iphone-forensics-separating-the-facts-from-fiction-a-technical-autopsy-of-the-apple-fbi-debate

[4] https://support.apple.com/en-gb/HT204306

Want to know more?

If you would like to know more about data security and computer forensics, please contact Forensic Services Director Dan Hains.

An Important Message

While every effort has been made to provide valuable, useful information in this publication, this firm and any related suppliers or associated companies accept no responsibility or any form of liability from reliance upon or use of its contents.  Any suggestions should be considered carefully within your own particular circumstances, as they are intended as general information only.

 

 

Related Posts
identity theft accounting firmcrowd sourced funding