Report on analysis of Jeff Bezos' iPhone  

jaclaz
(@jaclaz)
Community Legend

Maybe interesting, maybe not

https://assets.documentcloud.org/documents/6668313/FTI-Report-into-Jeff-Bezos-Phone-Hack.pdf

From what I can understand, once you remove the totally irrelevant trivia (I am pretty sure that normally no forensic report includes stills from the security cams of the investigators' room 😯, nor, as a means of proving *anything*, a comparison graph with usage from 5 random iPhones' traffic histories) and some technical mumbo-jumbo, the results are far from conclusive, and the "evidence" provided is fairly "thin".

The "woman resembling" seems to me like pure bullshit.

The second text message does seem a bit too targeted to be a coincidence, still it is far from resembling a smoking gun.

jaclaz

Posted : 26/01/2020 4:08 pm
the_Grinch
(@the_grinch)
Active Member

Pretty clear this firm doesn't normally do mobile forensics. Had to purchase UFED4PC and Physical Analyzer for this case and used UFED4PC to extract an iPhone.

Posted : 26/01/2020 7:14 pm
jaclaz
(@jaclaz)
Community Legend

Pretty clear this firm doesn't normally do mobile forensics. Had to purchase UFED4PC and Physical Analyzer for this case and used UFED4PC to extract an iPhone.

Yep, though it is to be understood whether by "acquired" (the verb used in the report for those and other hardware) they meant "bought" (as in "gone shopping for") or "procured" (as in "taken from the lab warehouse"), and of course if it is the first case, a lot of questions come from that:

1) maybe Jeff Bezos and his cyberintelligence team couldn't find (or could not afford, or couldn't trust 😯) specialized mobile forensics investigators (possibly people sub-specialized in iPhones) already in possession of the appropriate tools[1] and already expert in their usage?

2) if these guys here actually bought UFED4PC and Physical Analyzer for this specific case, which kind of previous experience did they have in the digital forensics field related to phones and namely to iPhones?

3) or - seen from another angle - if they managed to learn how to use the above tools properly in a short time, how difficult can it be to become a professional digital forensic investigator?

jaclaz

[1] Which might not be UFED4PC and Physical Analyzer

Posted : 26/01/2020 7:47 pm
keydet89
(@keydet89)
Community Legend

One of the numerous things I found interesting about the report was the statement regarding the "second text" at the top of page 6.

In the early '00s, I worked in an FTE position at a telecommunications company, and there were some pretty big lay-offs on the horizon. HR staff in the building came to the security team and said that their computers had been "hacked", because word of the lay-offs was getting to the targeted staff *before* anything official was announced. The HR staff swore up and down that someone had hacked their computers.

We found out that what had *really* happened is that one of the HR staff had printed the lists, and left them sitting on the printer before they went to lunch. Apparently, someone found the printed documents, copied them, and put the originals back in the pile.

Just because Bezos didn't say anything to anyone doesn't mean that it was "non-public". After all

https://www.cnn.com/2020/01/24/tech/jeff-bezos-lauren-sanchez-text-messages/index.html

"US prosecutors have obtained evidence indicating that Jeff Bezos' girlfriend, Lauren Sanchez, sent her brother text messages that were later published in the National Enquirer in its story about their affair, according to the Wall Street Journal."

Michael Sanchez denies leaking the pictures, but still, Bezos's sharing of intimate pictures with his girlfriend didn't stay just between them.

Posted : 26/01/2020 9:01 pm
the_Grinch
(@the_grinch)
Active Member

My only thought is that this particular firm might be skilled when it comes to exploitation. So they don't do or know mobile forensics, but they do know how nation states go about exploiting devices/networks. All that said, I have to agree with keydet, the likely scenario is his girlfriend is at the center of it. Whether she knowingly or unknowingly provided the texts in question is what it comes down to. Easy enough for her to talk about seeing Bezos to her brother and him getting the texts from her device without her knowing.

Posted : 27/01/2020 12:03 am
BytesDigger
(@bytesdigger)
New Member

Page 16

FTI assesses with medium to high confidence that Bezos's iPhone X was compromised via a WhatsApp video attachment that was sent from an account utilized by Saudi Crown Prince Mohamed bin Salman (MBS)

This is a bold statement, considering that the evidence is merely circumstantial (if that). Also, a Surface laptop would probably be my last choice for a forensic station. Sounds like they bought the 1st shiny thing out of a store that runs Windows and decided to call that a forensic station.

Posted : 27/01/2020 2:31 am
armresl
(@armresl)
Senior Member

LOL ya think.

I've been preaching since I joined the site that no one is an expert in everything, yet people hang their shingle as such and until they are checked will continue to do so.

My only thought is that this particular firm might be skilled when it comes to exploitation. So they don't do or know mobile forensics, but they do know how nation states go about exploiting devices/networks. All that said, I have to agree with keydet, the likely scenario is his girlfriend is at the center of it. Whether she knowingly or unknowingly provided the texts in question is what it comes down to. Easy enough for her to talk about seeing Bezos to her brother and him getting the texts from her device without her knowing.

Posted : 27/01/2020 3:49 am
randomaccess
(@randomaccess)
Active Member

Based on the wording and paragraph 5 it appears that they just bought everything new. Not that they didn't have access to them previously, just that the billionaire was happy to drop like $30k on equipment without blinking.

Also, re: acquisition with UFED 4PC, doesn't Cellebrite say you should get the same data as in an advanced logical?

Posted : 27/01/2020 11:11 am
jaclaz
(@jaclaz)
Community Legend

Based on the wording and paragraph 5 it appears that they just bought everything new. Not that they didn't have access to them previously, just that the billionaire was happy to drop like $30k on equipment without blinking.

Well, besides personally being cheap, I would have preferred to use something that was already tested and proved working on more than a few cases.

How could they validate the tools if new and not previously used and tested?

Hey, wait, idea: we found the first ever case where compulsory ISO 17025 doesn't sound like the bad idea it is.

jaclaz

Posted : 27/01/2020 11:59 am
randomaccess
(@randomaccess)
Active Member

Well, they had various other iPhones, so they easily could have validated it against one of those before they performed the extraction on Bezos' phone.
The report doesn't cover it, so it's just speculation either way.

30k for a guy that has 115.5 billion is a drop in the bucket.
I'm more interested in whether he stopped using the phone as soon as he suspected something dodgy or kept using it. Considering they only had access to it for 2 days whilst they acquired it, I'm guessing it was still in use (but hard to know).
Based on that, they probably wouldn't have been able to get a FFS acquisition because the JB required didn't come out until July, I think.

I'd be interested to know if they recommended it to LE and what the response to that was.

Posted : 27/01/2020 6:51 pm
the_Grinch
(@the_grinch)
Active Member

They didn't say if they referred it to law enforcement, but I'd suspect they'd do as others had and, when the time came, turn the image(s) over to law enforcement.

I agree they have an uphill battle if they truly are saying Saudi Arabia did this. Nothing in this report would have me confident enough to say that. Also, I definitely wouldn't continue to utilize the device.

Posted : 27/01/2020 9:40 pm
keydet89
(@keydet89)
Community Legend

While I agree that the owner should not continue to utilize the device for normal usage, I'd recommend having someone in the lab use the phone, just so that they could determine what data was leaving the phone (i.e., the uptick in data leaving the phone after the video was received).

Posted : 27/01/2020 10:54 pm
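The monitoring keydet89 suggests comes down to establishing a per-device egress baseline and flagging days that depart from it, which is also the kind of "uptick in data leaving the phone" argument the thread discusses. The script below is an added example, not code from the thread, the FTI report or any tool named here: the per-day byte counts are constructed, the split point between baseline and observation window is chosen by hand, and the thresholds (k MADs above the median, plus a minimum ratio) are assumptions for illustration. It uses a median/MAD baseline rather than mean/standard deviation so that one enormous day cannot inflate the baseline and hide itself.

```python
"""Egress baseline check: flag days whose outbound volume departs sharply
from a device's prior baseline.  Added example with constructed data; the
byte counts and thresholds are illustrative assumptions, not report values."""
from statistics import median

# Constructed sample: (day label, bytes sent that day).  Days 1-7 are the
# quiet baseline; the assumed "video received" event falls on day 8, and
# day 11 is a quiet day added to show that normal traffic is not flagged.
SAMPLE_EGRESS = [
    ("day01", 410_000), ("day02", 455_000), ("day03", 398_000), ("day04", 472_000),
    ("day05", 430_000), ("day06", 415_000), ("day07", 440_000),
    ("day08", 126_000_000), ("day09", 98_000_000), ("day10", 31_000_000),
    ("day11", 460_000),
]


def robust_baseline(values):
    """Return (median, median absolute deviation) of the baseline window.
    Median and MAD are resistant to a single outlier, unlike mean/stdev."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def flag_egress_anomalies(records, baseline_days, k=10.0, min_ratio=5.0):
    """Return [(day, bytes_sent, ratio_to_median)] for every day after the
    baseline window whose egress exceeds median + k*MAD AND is at least
    min_ratio times the median.  Requiring both keeps a near-flat baseline
    (tiny MAD) from flagging trivial wobbles.  k and min_ratio are assumed
    tuning values for this example."""
    base = [sent for _, sent in records[:baseline_days]]
    med, mad = robust_baseline(base)
    threshold = med + k * mad
    flagged = []
    for day, sent in records[baseline_days:]:
        ratio = sent / med if med else float("inf")
        if sent > threshold and ratio >= min_ratio:
            flagged.append((day, sent, round(ratio, 1)))
    return flagged


if __name__ == "__main__":
    med, mad = robust_baseline([s for _, s in SAMPLE_EGRESS[:7]])
    print(f"baseline median={med} bytes/day, MAD={mad}")
    for day, sent, ratio in flag_egress_anomalies(SAMPLE_EGRESS, baseline_days=7):
        print(f"{day}: {sent} bytes sent, {ratio}x the baseline median")
```

On the constructed data the baseline median is 430,000 bytes/day with a MAD of 20,000, so days 8 to 10 are flagged (day 8 at roughly 293 times the median) while day 11 is not. In practice the per-day counts would come from whatever egress record the lab captures while the device is in use (a gateway or proxy log, or a packet capture summarised per day), and the baseline window should predate the suspected event.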
jaclaz
(@jaclaz)
Community Legend

An interesting supplement on the (missing) decryption of the WhatsApp video

https://blog.erratasec.com/2020/01/how-to-decrypt-whatsapp-end-to-end.html

Particularly worthy of note (IMHO) is the conclusion:

Conclusion

The report from FTI doesn't find evidence. Instead, it finds the unknown. It can't decrypt the .enc file from WhatsApp. It therefore concludes that it must contain some sort of evil malware hidden in that encryption – encryption which they can't break.

But this is nonsense. They can easily decrypt the file, and prove conclusively whether it contains malware or exploits.

They are reluctant to do this because then their entire report would fall apart. Their conclusion is based upon Bezos's phone acting strange after receiving that video. If that video is decrypted and shown not to contain a hack of some sort, then the rest of the reasoning is invalid. Even if they find other evidence that Bezos's phone was hacked, there would no longer be anything linking it to the Saudis.

jaclaz

Posted : 03/02/2020 11:03 am