Apple privacy restrictions

by Mark Rowe

In late 2015, Apple was in the headlines for its privacy policies, writes Joanna Ward, Computer Forensics Consultant at the data recovery, data destruction and document review company Kroll Ontrack.

As part of a recent court case in the United States, a federal judge in New York had requested that the company step in to decrypt a phone containing evidence required by the Department of Justice. However, during proceedings, lawyers representing Apple told the federal judge that it is “impossible” for the company to help unlock an iOS 8 iPhone.

Ken Dreifach, one of the lawyers involved in the case, stated: “As a general matter, however, certain user-generated active files on an iOS device that are contained in Apple’s native apps can be extracted. Apple cannot, however, extract e-mail, calendar entries, or any third-party app data.”

Little else is known about the case, but this is not the first time Apple has stood its ground in matters of privacy, whether in individual criminal cases or in opposing surveillance by intelligence agencies and other law enforcement agencies. Whilst this is undoubtedly a popular stance with privacy-concerned customers, this latest refusal or inability to cooperate with the authorities’ requests will be disappointing to law enforcers, lawyers and at times their clients.

Many civil and criminal cases hinge upon data stored on Apple devices, and for lawyers and their clients Apple’s stance can be frustrating. However, although this is inconvenient, expert computer forensics investigators still have many alternatives for tracking down the required data. These solutions are not perfect and do require imagination, as well as technical expertise.

Time to play data detective

The approach needed to work around Apple’s restrictions is akin to solving a jigsaw puzzle with a key piece missing; you can still make out the bigger picture but it would be more satisfying and convenient to have every piece. Below are a few of the methods and techniques used by investigators to side-step the need to extract data from iPhones:

Think beyond the phone

When faced with the challenge of accessing an iPhone, digital forensics investigators will think beyond the phone itself. The first step in many digital investigations is therefore to collect other electronic devices owned by the custodian, such as laptops, desktop computers and external hard disks. As devices become more connected, it can be possible to access the required data from another device. In many cases, the owner of the iPhone in question will have plugged their phone into one of these devices to charge it and either deliberately or inadvertently backed up their phone, meaning evidence from the original phone will have transferred to the second device.

Investigators are then able to recover this data using forensics methods to search within the backup. This approach can often yield the following data types:

• Emails
• Photographs
• Chat transcripts from apps such as WhatsApp
• Notes
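
As an added illustration (not part of the original article and not Kroll Ontrack's tooling), the sketch below shows how an examiner might inventory iPhone backups found on a collected computer before searching them. It assumes the standard iTunes/Finder MobileSync backup layout, with Info.plist and Manifest.plist in each backup folder; the function names and the sample backup are constructed for the example.

```python
import plistlib
from datetime import datetime
from pathlib import Path

# Assumption: default iTunes/Finder backup locations (macOS, then Windows).
DEFAULT_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",
]

def load_plist(path):
    """Open a plist read-only; return {} if it is absent or damaged."""
    try:
        with open(path, "rb") as fh:
            data = plistlib.load(fh)
    except Exception:  # triage must survive corrupt or partial files
        return {}
    return data if isinstance(data, dict) else {}

def triage_backups(root):
    """Summarise every backup folder under root without modifying it."""
    findings = []
    dirs = Path(root).iterdir() if Path(root).is_dir() else []
    for folder in sorted(p for p in dirs if p.is_dir()):
        info = load_plist(folder / "Info.plist")
        manifest = load_plist(folder / "Manifest.plist")
        if not info and not manifest:
            continue  # no readable metadata: not a usable device backup
        findings.append({
            "folder": folder.name,
            "device": info.get("Device Name"),
            "ios": info.get("Product Version"),
            "last_backup": info.get("Last Backup Date"),
            "encrypted": bool(manifest.get("IsEncrypted", False)),
        })
    return findings

def make_sample_backup(root, name="constructed-udid-0001", encrypted=False):
    """Write a constructed backup folder (sample data, not a real device)."""
    folder = Path(root) / name
    folder.mkdir(parents=True)
    with open(folder / "Info.plist", "wb") as fh:
        plistlib.dump({"Device Name": "Sample iPhone", "Product Version": "8.4",
                       "Last Backup Date": datetime(2015, 10, 1, 9, 30)}, fh)
    with open(folder / "Manifest.plist", "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted}, fh)

if __name__ == "__main__":
    print({str(r): triage_backups(r) for r in DEFAULT_ROOTS})
```

In practice this would be run against a mounted forensic image rather than the live machine, and a backup flagged as encrypted needs its backup password before its contents can be searched.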

Look to the cloud

As with other devices used by the subject, in some cases the same data can exist within the Cloud. Many iPhone users will have settings that automatically back up emails, photographs, WhatsApp conversations and other data to the Cloud. However, this option requires permission from the custodian and so has limitations. It is perhaps more suited to cases where the custodian is willing to cooperate but has lost or damaged the phone in question.

Take advantage of ediscovery techniques

If the case would benefit from evidence such as emails or chat records, lawyers should consider casting a wider net by collecting data from devices used by the other correspondents in the email or chat. This is particularly true in internal investigations, where access to devices is easier to obtain.

Ediscovery searching technology can sift through huge sets of unstructured data such as emails and instant messenger conversations. Techniques such as predictive coding can be used to automatically review documents, meaning what could be a very time-consuming exercise can be completed more efficiently.

By looking at the iPhone owner’s network of contacts, any incriminating evidence could be gained from data owned by the receiver of a communication rather than the original sender or data custodian. Ediscovery technology is especially suited to this kind of exercise as trained users can run searches for keywords and suspected code words which may be missed if someone simply reads the emails sequentially.

Isolate patterns using structured data analytics

For suspected fraud, it may be possible to isolate patterns from available financial data using data visualisation tools. Data analytics specialists can take large sets of structured data (e.g. spreadsheets and data held in relational databases) and find previously unseen abnormalities indicative of wrongdoing, which can pinpoint specific individuals. This evidence can then be used alongside other data to build a case.

Unless Apple changes policy (or is forced to by legislative changes) and develops the technology to decrypt iPhones, lawyers and clients involved in cases requiring data from iPhones will have to embrace these alternative methods of accessing electronic evidence. Whilst this may result in cases taking longer to build, law firms and their clients should not despair because forensics methods are evolving quickly, allowing cases to proceed without costly court cases against Apple.

© 2024 Professional Security Magazine. All rights reserved.