[Cryptography] 10 Reasons Farook's Work Phone Likely Won't Have Any Evidence

Henry Baker hbaker1 at pipeline.com
Sun Feb 21 19:46:13 EST 2016


FYI -- This guy is an iPhone forensics expert witness.

http://www.zdziarski.com/blog/?p=5655

Zdziarski's Blog of Things

10 Reasons Farook's Work Phone Likely Won't Have Any Evidence

Posted on February 18, 2016

1. Farook burned and destroyed two other electronic devices, going to great lengths to protect data he knew was on the devices. He also had opportunity to destroy this one if it had anything incriminating on it.

2. The device was making iCloud backups until a month and a half before the spree, and there was absolutely nothing in them.  iCloud backups could have ceased for a number of reasons, including a software update that was released on October 21, just two days after the last backup, or due to iCloud storage filling up.

3. Find my iPhone is still active on the phone (search by serial number), so why would a terrorist use a phone he knew was tracking him?  Obviously he wouldn't.  The Find-my-iPhone feature is on the same settings screen as the iCloud backup feature, so if he had disabled backups, he would have definitely known the phone was being tracked.  But the argument that Farook intentionally disabled iCloud backup does not hold water, since he would have turned off Find-my-iPhone as well.

4. In addition to leaving Find-my-iPhone on, the option to delete all prior backups (which include iMessage history and other content) is also on the same settings screen as the option to disable iCloud backups.  If Farook was trying to cover up evidence of leads, he would have also deleted the existing backups that were there.  By leaving the iCloud backup data, we know that Farook likely did not use the device to talk to any leads prior to October 19.

5. The FBI appears to have initially received the device still powered on, and would have had the opportunity to interrogate Siri for content on the device.  Either this has already happened, yet yielded no finding of evidence, or they didn't consider the phone important enough at the time.  There are law enforcement white papers on doing this, so the technique is rather well known.

6. From what I've read, they were not recruited BY ISIS, but were indoctrinated and decided to act out; there's no evidence to suggest they ever had any contact with ISIS on any device.

7. The FBI would already have all call records, cellular metadata, email records, Facebook and other social media content, and text message endpoint metadata for this device; none of the court documents indicated that there was any hard evidence tying the device to a lead or suspect.  Based on this, it is a reasonable conclusion to expect that there is virtually zero metadata from any carrier to suggest that the device was used to communicate with other persons of interest.  Communication with any of the victims could be obtained from the victims' devices, at least some of which must certainly be unlocked, have a PIN for, have iCloud backup data for, or be on completely different non-Apple devices that could be accessed.

8. Suspect used a simple numeric passcode on the device; this was both mentioned in the DOJ filing and is obvious from looking at the initial court order.  In spite of his taking incredible steps to protect the evidence on his other devices, there's no reason he'd use a simple PIN if he was this security conscious.  Someone who is this concerned about covering their tracks would have used a complex passcode, as this stretches the brute force time from 22 hours (for a six digit pin) to 6 years (for a six digit alphanumeric passcode), exponentially more for longer passcodes.

9. As an employer-owned device, he would have been (and for good reason) paranoid that the phone could be monitored, so would have been foolish to use it in the first place.

10. The FBI likely would have already run the device on a Stingray, to capture outgoing traffic.  Any network traffic the device, including third party applications with background tasks, would have generated would be visible to the FBI.  The absence of any findings of evidence to compel a judge to grant the order demonstrates again they've found nothing coming out of the device.

This entry was posted in iPhone, Politics by Jonathan Zdziarski.
