For years, mobile devices have introduced a slew of new challenges into e-discovery and digital forensics investigations, from data encryption and proliferating hardware to rapidly changing third-party applications. Debates continue between law enforcement agencies and technology companies about mobile device encryption and whether criminal investigators should be given back-door access to suspects’ phones. Just last week the U.S. Deputy Attorney General spoke out against Apple on this very issue, saying law enforcement should have access to investigate the communications of the shooter in the recent tragic Texas shooting.
Cracking or obtaining the numeric passcode to unlock a device is only one of multiple issues digital forensics investigators face when collecting data from iPhones. When an iPhone is backed-up to a computer through iTunes, the user is given the option to encrypt the back-up and protect it with a passcode, and because this is set using the computer’s full keyboard, it may be more complex than the device’s numeric-only unlock passcode. For years, this lesser-known passcode has been a major challenge for digital forensics investigators looking to copy data from an iPhone for an investigation or legal matter. As time has passed, Apple has implemented various other alternatives to unlocking the device including fingerprint and facial recognition.
In most of our clients’ matters, we are working with cooperative custodians who provide their phone’s unlock passcode or corporate IT that has mobile device management software allowing them to reset the device passcode and giving us access to see everything on the device. However, we often find that these phones have been previously backed-up to a computer, and assigned an encryption passcode, making it difficult for us to obtain any readable data from the device. As most people do not regularly use their encryption passcode – it isn’t needed unless a user is restoring the backed-up data or removing the encryption setting – they often forget it and even when cooperative, are unable to provide access to the legal team and investigators. This function offers no passcode recovery option without restoring the device to factory settings and fully removing all existing data. While there are tools capable of performing brute-force decryption of these backups, complex passwords often require a prohibitive amount of time to succeed (i.e. months or years). Our team is involved in a handful of active cases where these encryption passcodes have been showstoppers and hindered the ability to take key information viewed on a device and transfer it for use as evidence.
But before pulling the trigger, it is important to understand the potential risks involved, including if spoliation is a possible result of taking this step. We can copy the data once a phone is updated, but that data might not look the same as the back-up on the older operating system. Counsel must know what might be lost, and changes to the data that may occur when a device is updated. To better understand the possible implications of taking this approach, our team has conducted some preliminary testing to compare information collected from iOS 10 and older against information collected once the same devices were upgraded to iOS 11.
The testing revealed that there is a marked difference between the datasets from older and the new versions of iOS. In our testing, some information was either lost, categorized differently, or moved to a place where the forensic software was no longer able to detect it. The lost or missing information included some historical call logs, the iPhone recent log, which is a cache of some communications information, and some Wi-Fi logs and location data. We also noticed differences in how contacts were categorized and counted, so while contacts generally appeared to be similar, the different iOS versions handled contact duplication and contacts extracted from other sources, such as emails, differently.
Ultimately, without removing the passcode in iOS 11, there are limited options to extract a readable copy of a phone’s encrypted data, which may be critical to an investigation. While some loss of data may occur, most of the information that would be used as evidence remains intact, and this approach allows investigators to gain access to that information without damaging the device. Understanding the possible risks, counsel can obtain consent to do the upgrade from all parties involved, remove the encryption passcode and move an investigation or litigation forward to fair resolution.
While Apple has alleviated one major e-discovery challenge with this change, it could easily reverse it under pressure from consumers and watchdogs concerned about security. And more challenges are always emerging. Many third-party applications such as WhatsApp and Facebook Messenger are bolstering their security and encryption features and storing less data locally on devices, making it increasingly difficult to access information from them for e-discovery. The growing variety of devices that are independent of mobile phones will also further complicate data collection. As this space continues to evolve, our team will remain dedicated to understanding the challenges and possible solutions, and the implications of various new approaches for dealing with mobile device investigations.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.