Sun | Jan 21, 2018

Colin Greenland: Forensic lessons from FBI vs Apple

Published:Saturday | April 16, 2016 | 12:00 AM
Collin Greenland, contributor.
AP In this March 21, 2016, Apple CEO Tim Cook speaks at an event to announce new products at Apple headquarters in Cupertino, California. Companies like Apple and Microsoft pushing back against the surveillance state in the courts, arguing that federal authorities have overstepped their legal authority to obtain your chats, email and other crucial information from phones and online services.

The current case between United States federal investigators and the mobile phone giant Apple provides not only an intriguing insight into the use of forensics, but will also offer valuable lessons to law-enforcement personnel, legal practitioners, and, indeed, the public at large.

It is this writer's opinion that the FBI, possibly the world's best-equipped crime-fighting agency with forensic resources, could acquire the methodology to access the required data from the phone in question. However, to do so, the FBI, like most experienced, proficient forensic investigators, is cognisant of the plethora of technical and legal hazards that may confront them without Apple's assistance.


Sherlock Holmes analogies

Many researchers draw analogies between modern-day forensic analysts and the legendary Sherlock Holmes, who, it is said, if alive today, would surely be a master of forensics. In the same way he sometimes used his chemistry set in the 19th century to analyse clues, he would probably use forensic software to examine digital devices today such as computers, iPhones, thumb drives and other ESI storage devices.

Important, however, Holmes would also know when not to waste his time doing so, since although forensic examination of digital devices is crucial in modern-day crime-scene investigator-type detective work, it is no panacea. Sherlock Holmes, of all people, would know that it is not a substitute for clear thinking and rational deductions and is not appropriate in every case.

Hacking into the Apple phone presents certain technical challenges for the FBI that include most being either expensive, time-consuming, and/or substantial risk that the data could be destroyed during the process.

Whereas the profession of computer forensics is still fairly new compared to more established disciplines, the forensic study of mobile devices is an even newer field, dating from just the early 2000s. The reality is that the proliferation of smartphones on the consumer market caused a demand for forensic examination of the devices, which could not easily be met by existing computer forensic techniques, requiring, instead, forensic photographic equipment such as Fernico ZRT, EDEC Eclipse, or Project-a-Phone, or a variety of others, including CellebritÈ UFEDSusteen Secure View, Micro Systemation XRY, MediaTek (MTK), Spreadtrum, MStar, CellebritÈ's CHINEX, and XRY PinPoint.

Similar to orthodox computer forensics, mobile-device forensics must incorporate a defensible process that accomplishes the objectives of collecting/preserving relevant data, and establishing a proper chain of custody. Unlike regular computer forensics, however, mobile-device forensics might find it more challenging to comply with the important forensic standard called the Heisenberg Principle, which governs working from a forensic copy of data, since the act of searching the original would itself change it.

Mobile-device forensics is also greatly challenged because to remain competitive, phone companies like Apple frequently change mobile phone form factors, operating system file structures, data storage, services, peripherals, and even PIN connectors and cables. In addition, based on demand, their storage capacity continues to grow because of not only the types of data, but also the way mobile devices are used constantly.

Smartphones these days store and transmit both personal and corporate data that may include information such as contacts, photos, calendars and notes, SMS and MMS messages, video, email, web-browsing information, location information, social networking messages/contacts, and online transactions. Another analytic challenge is the feature of hibernation behaviour in which processes are suspended when the device is powered off or idle but, at the same time, remaining active.


Major legal hazards

The legal hazards of hacking into phones are also enormous, especially in jurisdictions such as the litigious United States. Trial lawyers who do not understand the nuances between computer and mobile-device forensics are prone, during trials, to do their clients injustice by employing either expensive, time-consuming, and/or data-destroying investigative processes that may hurt their case. One must know when, for example, a kind of 'deep dive' forensic examination is required since such work should be done sparingly and is not needed in most e-discovery cases.

Even when a special case suggests it may be needed, and the appropriate methodology/tools are deployed, courts may, as in the case, Hedenburg v Aramark American Food Services, 2007 US Dist. LEXIS 3443 (W.D. Wash. January 17, 2007), deny the application for a forensic exam. In cases where the court allows the utilisation of the appropriate digital forensics, it is recommended that forensic examiners, especially those wishing to qualify as expert witnesses in court, undergo extensive training in order to understand how each tool and method acquires evidence; how it maintains standards for forensic soundness; and how it meets legal requirements such as the Daubert or Frye standard.

Whatever the technical route utilised by the FBI to hack into Apple's phone successfully, and the legal ramifications surrounding the issue, this is a case from which researchers, law-enforcement personnel, forensic investigators, digital equipment manufacturers, legal practitioners, and the public at large will benefit from innumerable lessons.

- Collin Greenland is a forensic accountant. Email feedback to and