by John Burchfield
Thanks to well-publicized breaches of data security, mobile operating system updates are enhancing user privacy. While this may ease users’ minds about their data security, it presents new challenges in criminal and civil litigation.
For example, before the latest update of Apple’s iOS operating system, we could access data like text messages, emails and location data without having the device’s password. However, after the update, this kind of data is stored in an encrypted area, no longer in the readily accessible non-encrypted area. As a result, only photos, media, third-party apps and other things users want to access without unlocking their device are available.
The next option is to bypass the passwords, which we could do fairly easily before the recent iOS update. For example, we could use a file from a computer connected to the device to unlock it. Or, we could try many password possibilities until we were in, which was doable within a reasonable period of time, as most passwords were only four digits. There were only so many combinations to try. Now, Apple has added encryption to make that more secure as well. The backup passwords are often long strings of characters that include lower case letters, upper case letters, numbers and symbols. With that many possibilities, it is much harder to bypass the password.
The good news is that in 75 percent of our cases, we have the device’s password because the collection is done with permission from both sides. These changes to the operating system have been a much bigger problem for law enforcement in criminal cases, where the password is usually not available.
Developers of collection software are currently trying to find backdoors to get around these new privacy controls, but in the meantime, we are forced to just collect what we can get from devices if we do not have a password. We are also making sure we know what type of device (including operating system) we are dealing with ahead of time. If we know that we are going to need to collect from a new iPhone, we can contact someone to get the password – or at least a hint. With a few keywords like kids’ names or pets’ names, we can use a program to guess a likely password much faster than if we had no clues. Usually, this speeds up the process from three weeks to just one or two days. Since we very rarely have three weeks to complete collection, these clues are critical to success.
The other new collection challenge is with solid state hard drives. Solid state drives function differently than traditional spinning hard drives, but we have done analysis on them before with no issues. Recently, we had a case where a setting was enabled to prevent the drive from writing to the same area of the chip every time, which extends the hard drive’s lifespan. To do this, the drive removes data from one area by electronic flash and shoots it to a new area (this is where the term flash memory comes from). The flash clears everything that was in the old area.
When this setting is disabled on solid state drives (and on all traditional hard drives), we can easily access old data on the drive, including remnants of old files and deleted files. When this feature is enabled, though, the drive does not have any of those remnants, so we can only access the documents on the drive at that moment. There is no way to combat this, meaning if a document was deleted by the user with this setting enabled, it is truly wiped from the drive.
Almost all computers, especially laptops, have solid state drives now. We expect to encounter this more often because, as noted above, the setting does increase the lifespan of the hard drive.
We also expect the other mobile device makers to follow Apple’s lead with their new operating systems. Google has announced that privacy will be a key part of their new operating system, and Microsoft will likely follow suit. No doubt the collection and digital forensic software producers are hard at work to overcome these new settings. We’ll let you know if they are successful.