
Have you ever accidentally wiped data from a device?

(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

This question is directed more at those working in a law enforcement environment, but equally applies to all.

Many phones and tablets in recent years have come with an easily enabled wipe mode after 10 failed passcode attempts. Many people have this feature enabled and there is often no way of knowing if indeed the feature is enabled or not. All iPhones, iPads and Blackberrys for the last 5 years are just one example. (I know some people may be picky and say it doesn't actually wipe the data but rather destroys the encryption keys, but either way the effect is the same.)

Has anyone themselves, or anyone working in a department, accidentally wiped data in this way, for example by attempting a brute force on such a device? Is it a common and necessary risk people working in this sector take, or is it something to be avoided at all costs?

What are the consequences both forensically and legally if you do cause the data to be wiped? Does it open you to civil claims for loss of people's valuable data? Does it potentially ruin the whole case against the suspect?

 
Posted : 20/01/2016 8:47 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

What are the consequences both forensically and legally if you do cause the data to be wiped?

http://www.imdb.com/title/tt0079470/quotes?item=qt0471984

jaclaz

 
Posted : 20/01/2016 4:05 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

What are the consequences both forensically and legally if you do cause the data to be wiped?

http://www.imdb.com/title/tt0079470/quotes?item=qt0471984

jaclaz

jaclaz, I appreciate that you always try to make a post in every thread. Sometimes your posts have been highly informative and I'm grateful for some of your comments.

In this case I'm asking a serious question that is becoming an increasing reality in technology today.

What is most commonly the standard operating procedure? Would you avoid attempting to brute force or hack into something if there's a possibility it could be wiped, or do you try anything and everything until failure and if data is lost then that's collateral damage?

 
Posted : 25/01/2016 5:46 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

In this case I'm asking a serious question that is becoming an increasing reality in technology today.

I know, and I posted a non-serious (and hopefully funny) reply, my bad, and sorry if you didn't appreciate it. Sometimes I find it allowable to have a quick laugh together, but of course not everyone likes my attempts at humour.

Seriously, the question is a long-standing one, but it is a very "vast" one. I believe that there will be several different takes on the matter, depending on the specific circumstances of the investigation, the scope of it, who (meaning private/LE/Government) is carrying it on, the relevance of timing, etc., etc.

jaclaz

 
Posted : 25/01/2016 11:09 pm
(@cotem)
Posts: 14
Active Member
 

I did erase an iPhone after using the IP-Box to brute force the code.

Nothing came of it yet regarding claims.

I think that you better try something to get the data. If you do nothing, you will get nothing.
It's a risk that I'm aware of and ready to take.

Same thing with chip-off. You essentially break the whole thing by tampering with its flash memory. The device can't be used again afterwards. You could find nothing in the phone but it's broken anyway. The chip-off may not even work!

You have a warrant signed by the judge to get the data, you have the authority to do anything to do it. I always compare computer forensics cases to something people are more used to seeing.

Ex: You have a safe containing potential papers. You need to get into it and have a warrant to do so.
You tried all reasonable means but everything failed. You resort to breaking the whole thing open to see inside.
There is nothing in there.
You broke it because you had to and had the right to.

That's my 2cents.

 
Posted : 26/01/2016 12:42 am
(@thepm)
Posts: 253
Reputable Member
 

Cotem, I have to respectfully disagree with some of your comments.

I don't think the "try to get the data at any cost" is the right approach. It's not because you can't access it today that, because of technological improvements, you won't be able to access it in a couple of weeks/months. Also, while we may have a warrant to get the data, this warrant also makes us the guardian of the data. So, we must be extra careful when using tools or techniques that may destroy the data we are responsible for.

Another thing to consider is that while we may not have access to the phone or device that is locked, the suspect/defense probably has the lock code. They could then use the content of the phone for their defense if it has disculpatory evidence. If the phone content is wiped while in your possession, the defense could argue that they don't have access to their disculpatory evidence anymore, and argue that you did willingly put the data in danger.

About the chip-off comparison, I think the risks of using the IP-Box are greater than using a chip-off technique. You are right about the fact that with a chip-off, the phone is all broken up and won't ever work again. But, the data will still be on the chip! In comparison, with the IP-Box, if a wipe is initiated, the data is gone for good. Same thing with your safe containing paper analogy. Unless you try breaking the safe with explosives that will destroy the papers inside of it, breaking the safe should not compromise the data inside the safe.

In my view, breaking the container is one thing. Risking breaking or destroying the content requires a much deeper evaluation.

As you said, it's a risk and you must decide if you are ready to take it.

 
Posted : 26/01/2016 8:55 am
 dega
(@dega)
Posts: 261
Reputable Member
 

As PM_SQ said, we are also guardians of the data. Usually when I need to do brute force, rooting, jailbreak, working both for LE or private, I ask for a written authorization for the operation.

 
Posted : 26/01/2016 2:03 pm
(@cotem)
Posts: 14
Active Member
 

The only way I brute force into a device is an iOS 7. Which we almost don't see anymore.
If the device is something that UFED could potentially support (i.e. Samsung), I wait because a lot of updates come and solve the problems!

 
Posted : 26/01/2016 5:27 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

cotem - in what jurisdiction do you operate and are you in a law enforcement or private sector capacity?

Your approach does seem a bit heavy handed. But I thought the IP Box was not 'forensically sound'?

I'm wondering how people handle devices that they cannot access? Are these things kept under review periodically to check if technology has moved to enable it being unlocked or is the case usually moved on by then?

 
Posted : 26/01/2016 8:51 pm
(@cotem)
Posts: 14
Active Member
 

cotem - in what jurisdiction do you operate and are you in a law enforcement or private sector capacity?

Your approach does seem a bit heavy handed. But I thought the IP Box was not 'forensically sound'?

I'm wondering how people handle devices that they cannot access? Are these things kept under review periodically to check if technology has moved to enable it being unlocked or is the case usually moved on by then?

Law enforcement Canada.

I handle devices that I cannot access by checking later and if the case is done, well it's gone.

The IP-Box is not forensically sound but it's the only way, if you don't have the suspect's computer, to get into the phone. Just have to document everything that you do!

 
Posted : 26/01/2016 8:55 pm