Sunday, May 04, 2014

iPhone factory reset bars access to revevlation

It has been known for sometime there is no general release that can handle the deleted encrypted data on iPhone 4s onwards.  The latest article in the The Register ( ) rehearses discussion the forensic community has already had about deleted keys and deleted encrypted data. The factory reset point merely reconfirms another method how a user can select an iPhone process to cause the data to no longer be available for access by the user.

These are just my own observations but I would find it highly surprising if the 'clever department' at Apple had not prepared for the day when National Security walks through the door with a grade 'X-level' warrant to decrypt, no matter the state of the smartphone. Germane and relevant to this type of discussion is that 'keys' are not so randomly generated that Apple couldn't predetermine access-doors or decryption methods based upon the smartphones IMEI, manufacturing batch, core processor, chip/s, board layout, country of supply and iOS etc being one side of the coin **. We are of course all being induced into talking about the other side of that same coin, the iPhone encrypted data made inert such that the data having no inherent power of action, motion, resistance or having little or no ability to react.

Fig.1 Example of a hacker's study for accessing an iPhone memory chip 

History has shown that due to necessity or hacking revelation can always be possible. Such an example of gaining access where the manufacturer failed to correct a security flaw inspite of being advised about it is not new ( ). Maybe a solution isn't too far off whether introduced by the manufacturer (vertical revenue stream) or another source divulges a method to reveal. However, we do need to be clear though where we stand. Forensics provides a particular 'defined approach' to examine and analyse a 'thing'. The process and procedures applied to the examination and analysis of a 'thing' takes into account various paths of enquiry including the producer/manufacturer spec of the thing; any inter/national and industry standards and legal requirements applicable to it; any academic and non-academic studies and materials that may be applicable; the skill, knowledge and experience of the individual involved with the examination and analysis. What we don't do or shouldn't do during the forensics process and procedures is 'hack' in the way hacking is commonly understood to be carried out or reverse engineer. The reason for that is by hacking/reverse engineering a thing a potential pitfall that arises is that the individual may cause or induce an event to occur on or in e.g. a smartphone that would have been impossible or unknown to the user of the smartphone and potentially create a suggestion of culpability that wasn't or didn't exist previously (add/loss data etc).

** Update 09/05/2014

"These Guidelines are provided for use by law enforcement or other government entities in the U.S. when seeking information from Apple Inc. (“Apple”) about users of Apple’s products and services, or from Apple devices. Apple will update these Guidelines as necessary. This version was released on May 7th, 2014."

" I. Extracting Data from Passcode Locked iOS Devices

Upon receipt of a valid search warrant, Apple can extract certain categories of active data from passcode locked iOS devices. Specifically, the user generated active files on an iOS device that are contained in Apple’s native apps and for which the data is not encrypted using the passcode (“user generated active files”), can be extracted and provided to law enforcement on external media.   Apple can perform this data extraction process on iOS devices running iOS 4 or more recent versions of iOS. Please note the only categories of user generated active files that can be provided to law enforcement, pursuant to a valid search warrant, are: SMS, photos, videos, contacts, audio recording, and call history. Apple cannot provide: email, calendar entries, or any third-party App data.

The data extraction process can only be performed at Apple’s Cupertino, CA headquarters for devices that are in good working order. For Apple to assist in this process, the language outlined below must be included in a search warrant, and the search warrant must include the serial or IMEI number of the device. For more information on locating the IMEI and serial number of an iOS device, refer to

Please make sure that the name of the judge on the search warrant is printed clearly and legibly in order for the paperwork to be completed." 

No comments: