
Apple Unlocking iPhones vs US Government

84 Posts
18 Users
0 Reactions
11.5 K Views
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Lavabit resurfaced and commented on the subject also ..

Yep ) , and as a side note at the time the delivery of the 11 printed pages in a four-point font was one of the nicest ideas I can remember.
http://www.thewire.com/technology/2013/10/lavabit-used-unreadable-fonts-delay-order-access-snowdens-email/70137/

jaclaz


   
kacos
(@kacos)
Trusted Member
Joined: 10 years ago
Posts: 93
 

Yep ) , and as a side note at the time the delivery of the 11 printed pages in a four-point font was one of the nicest ideas I can remember.
http://www.thewire.com/technology/2013/10/lavabit-used-unreadable-fonts-delay-order-access-snowdens-email/70137/

jaclaz

hahaha lol very clever! (I missed that part with the fonts)


   
jhup
(@jhup)
Noble Member
Joined: 16 years ago
Posts: 1442
 

Actually, no, it is not a "big joke".

However forensic software is written, there are legal consequences for making forensic software. Most commercial forensic tool vendors have an expert on standby to appear in court to attest to the tool's functionality. (Do you remember John Dennis Bradley?)

Many forensic tools are tested, and many investigative organizations do not use tools unless they are tested by a sufficiently weighty organization (like NIST).

In court, if the other side detects some tool weaknesses, misuse, or version issues or similar - in my experience they will be on it like flies. (Remember Casey Anthony case again?)

The Federal Rules of Evidence has requirements both for the expert and the tools used.

So, yes, there are magic validation procedures, hunting bugs, and similar.

As a pet peeve, indeed this facet has been slighted in my opinion when it comes to commercial tools. I have published bugs that in my opinion are significant, but both the commercial vendor and CERT thought I was wrong. I am planning to release a new finding that takes advantage of my previous findings and can pwn (I always wanted to use that) the forensic workstation…

In a follow-up e-mail, Zdziarski added "This reads as an amicus designed to mislead the courts into acting irrationally in an attempt to manipulate a decision in the FBI's favor…

I can also add that Zdziarski did write a blog post and did sign an amicus curiae brief apparently designed to mislead the court too. He tries to convince the public and the court that forensic software is developed in a more pedantic way than any other software, that there are some magic validation procedures to hunt bugs in forensic software, and that these magic procedures work, and then he concludes that Apple developers can't write forensic tools. Is this a big joke?


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Apart from - to backdoor/not to backdoor; who can create software/who can't create software; etc.

What should also be interesting to read and might come out of all of this debacle is any amendments to "EXAMINATION PROCEDURES IN EMERGENCY CASES".

Apple says the FBI screwed up its investigation and now it can’t access the shooter’s iPhone

The fact that the password was reset means that Apple was unable to retrieve info from the iPhone's unencrypted iCloud backup like it has for past investigations, according to reporters Apple spoke with. If the password hadn't somehow been reset while in law enforcement custody, the FBI likely wouldn't need Apple to create a tool that lets it brute force hack the iPhone's lock screen passcode and gain access to the device's encrypted contents.

http://www.techinsider.io/apple-the-fbi-screwed-up-san-bernardino-investigation-2016-2


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

Apple says the FBI screwed up its investigation and now it can’t access the shooter’s iPhone

The fact that the password was reset means that Apple was unable to retrieve info from the iPhone's unencrypted iCloud backup like it has for past investigations, according to reporters Apple spoke with. If the password hadn't somehow been reset while in law enforcement custody, the FBI likely wouldn't need Apple to create a tool that lets it brute force hack the iPhone's lock screen passcode and gain access to the device's encrypted contents.

http://www.techinsider.io/apple-the-fbi-screwed-up-san-bernardino-investigation-2016-2

Not exactly-exactly.

The Apple guys say three things:
1) IF the iCloud backup password had not been changed the device would sync to iCloud
AND
2) then it would have been possible to retrieve all the data from the iCloud backup
AND
3) no more info can be extracted from the physical phone than what can be retrieved from the iCloud backup.

In other words, Apple says (correctly) that the FBI-initiated change of password for the iCloud inhibited the automatic sync and thus blocked the "easy way" to get all the information.

The FBI contends that anyway the info on the phone is not exactly the same as what is included in the backup (on the phone there is according to them more information available).

jaclaz


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

Apple says the FBI screwed up its investigation and now it can’t access the shooter’s iPhone

The fact that the password was reset means that Apple was unable to retrieve info from the iPhone's unencrypted iCloud backup like it has for past investigations, according to reporters Apple spoke with. If the password hadn't somehow been reset while in law enforcement custody, the FBI likely wouldn't need Apple to create a tool that lets it brute force hack the iPhone's lock screen passcode and gain access to the device's encrypted contents.

http://www.techinsider.io/apple-the-fbi-screwed-up-san-bernardino-investigation-2016-2

Not exactly-exactly.

The Apple guys say three things:
1) IF the iCloud backup password had not been changed the device would sync to iCloud
AND
2) then it would have been possible to retrieve all the data from the iCloud backup
AND
3) no more info can be extracted from the physical phone than what can be retrieved from the iCloud backup.

In other words, Apple says (correctly) that the FBI-initiated change of password for the iCloud inhibited the automatic sync and thus blocked the "easy way" to get all the information.

The FBI contends that anyway the info on the phone is not exactly the same as what is included in the backup (on the phone there is according to them more information available).

jaclaz

Jaclaz, you pre-empted my next post, as there have been numerous posts about this matter and dissecting those comments against the facts was going to be my next reply. But thanks for raising it. The focus is on "EXAMINATION PROCEDURES IN EMERGENCY CASES" and whether those procedures need to be updated for all cases.


   
(@thefuf)
Reputable Member
Joined: 17 years ago
Posts: 262
 

Many forensic tools are tested, and many investigative organizations do not use tools unless they are tested by a sufficiently weighty organization (like NIST).

In court, if the other side detects some tool weaknesses, misuse, or version issues or similar - in my experience they will be on it like flies. (Remember Casey Anthony case again?)

NIST tests miss important issues. As I already wrote several times on this forum, NIST tested SMART Linux and SUMURI PALADIN, and didn't find many automatic data alteration and arbitrary code execution issues.

So, yes, there are magic validation procedures, hunting bugs, and similar.

No, there aren't. Current procedures aren't magic, as they obviously don't work properly. Or, in fact, they are magic, as magic doesn't work either -)

There are many examples where a person or an organization used yet another black box approach in testing a forensic tool, and failed. Black box testing is therefore a big no-no. For example, one vendor did include a software write blocker in his product, and this write blocker passed all my tests; but after I looked at the disassembled code, I found that memory card readers, as well as some storage controllers, were not write blocked.

As a pet peeve, indeed this facet has been slighted in my opinion when it comes to commercial tools. I have published bugs that in my opinion are significant, but both the commercial vendor and CERT thought I was wrong. I am planning to release a new finding that takes advantage of my previous findings and can pwn (I always wanted to use that) the forensic workstation…

I released information about automatic arbitrary code execution issues in forensic Live CDs in 2009, and even today many forensic Live CDs still have these issues. And I have more examples to tell.


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

The focus is on "EXAMINATION PROCEDURES IN EMERGENCY CASES" and whether those procedures need to be updated for all cases.

I beg your pardon, but the focus of what exactly? ?

jaclaz


   
(@trewmte)
Noble Member
Joined: 19 years ago
Posts: 1877
 

I beg your pardon, but the focus of what exactly? ?
jaclaz

"EXAMINATION PROCEDURES IN EMERGENCY CASES"


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I beg your pardon, but the focus of what exactly? ?
jaclaz

"EXAMINATION PROCEDURES IN EMERGENCY CASES"

We can continue on this ad libitum.

You are very welcome to avoid providing a few lines to let other people understand what you mean and simply repost, over and over

"EXAMINATION PROCEDURES IN EMERGENCY CASES"

of course, but the conversation will be somewhat stale.

Anyway, just to create a nice, symmetrical situation, the focus was earlier on

"DECRYPTION METHODS AND DATA COLLECTION IN POST-EMERGENCY CASES"

jaclaz


   
Page 5 / 9