Monday, September 22, 2014

Encryption as evidence of obstruction of justice?

This just in from "Silicon Valley’s smartphone snitching has come to an end. Apple and Google have promised that the latest versions of their mobile operating systems make it impossible for them to unlock encrypted phones, even when compelled to do so by the government. But if the Department of Justice can’t demand that its corporate friends unlock your phone, it may have another option: Politely asking that you unlock it yourself, and letting you rot in a cell until you do.

In many cases, the American judicial system doesn’t view an encrypted phone as an insurmountable privacy protection for those accused of a crime. Instead, it’s seen as an obstruction of the evidence-gathering process, and a stubborn defendant or witness can be held in contempt of court and jailed for failing to unlock a phone to provide that evidence. With Apple and Google no longer giving law enforcement access to customers’ devices, those standoffs may now become far more common ..."

This will get messy. Using the 5th Amendment has had mixed results. My guess is that this will eventually end up at the Supreme Court. In the meantime, Apple and Google get a bit of free advertising.

Friday, September 19, 2014

Digital forensics method validation: draft guidance

The UK Government Forensic Science Regulator has released a new draft document for comment. The document, Digital forensics method validation: draft guidance, is a rather interesting read. Comments should be sent on the feedback form provided to and should be submitted by 31 October 2014.

It's more concerned with areas known in the US as computer forensics, but it does have a section for audio analysis and speech recognition. It does not concern itself with DME analysis or authentication.


Thursday, September 18, 2014

Apple will no longer unlock most iPhones, iPads for police, even with search warrants

This just in from the Washington Post, "Apple said Wednesday night that it is making it impossible for the company to turn over data from most iPhones or iPads to police — even when they have a search warrant — taking a hard new line as tech companies attempt to blunt allegations that they have too readily participated in government efforts to collect user information.

The move, announced with the publication of a new privacy policy tied to the release of Apple’s latest mobile operating system, iOS 8, amounts to an engineering solution to a legal quandary: Rather than comply with binding court orders, Apple has reworked its latest encryption in a way that prevents the company — or anyone but the device’s owner — from gaining access to the vast troves of user data typically stored on smartphones or tablet computers.

The key is the encryption that Apple mobile devices automatically put in place when a user selects a passcode, making it difficult for anyone who lacks that passcode to access the information within, including photos, e-mails and recordings. Apple once maintained the ability to unlock some content on devices for legally binding police requests but will no longer do so for iOS 8, it said in the new privacy policy.

“Unlike our competitors, Apple cannot bypass your passcode and therefore cannot access this data,” Apple said on its Web site. “So it’s not technically feasible for us to respond to government warrants for the extraction of this data from devices in their possession running iOS 8.”

As the new operating system becomes widely deployed over the next several weeks, the number of iPhones and iPads that Apple is capable of breaking into for police will steadily dwindle to the point where only devices several years old — and incapable of running iOS 8 — can be unlocked by Apple.

Apple will still have the ability — and the legal responsibility — to turn over user data stored elsewhere, such as in its iCloud service, which typically includes backups of photos, videos, e-mail communications, music collections and more. Users who want to prevent all forms of police access to their information will have to adjust settings in a way that blocks data from flowing to iCloud.

Apple’s new privacy policy comes less than five months after the Supreme Court ruled that police in most circumstances need a search warrant to collect information stored on phones. Apple’s action makes that distinction largely moot by depriving itself of the power to comply with search warrants for the contents of many of the phones it sells.

The move is the latest in a series in which Apple has sought to distinguish itself from competitors through more rigorous security, especially in the aftermath of revelations about government spying made by former National Security Agency contractor Edward Snowden last year.

Although the company’s security took a publicity hit with the leak of intimate photos of celebrities from their Apple accounts in recent weeks, the move to block police access to the latest iPhones and iPads will thrill privacy activists and frustrate law enforcement officials, who have come to rely on the extensive evidence often found on personal electronic devices.

“This is a great move,” said Christopher Soghoian, principal technologist for the American Civil Liberties Union. “Particularly after the Snowden disclosures, Apple seems to understand that consumers want companies to put their privacy first. However, I suspect there are going to be a lot of unhappy law enforcement officials.”


Wednesday, September 17, 2014

Is DME "digital evidence"?

There's a bit of a fight between the "digital forensics" crowd and the "forensic DME analysis" crowd as to what constitutes "digital evidence." We have the red Flip Book that states clearly that it does not concern itself with computer forensics. The Electronic Crime Scene Investigation: A Guide for First Responders states clearly, in Chapter 1, Section 5:

Section 5 — Other Potential Sources of Digital Evidence
First responders should be aware of and consider as potential evidence other elements of the crime scene that are related to digital information, such as electronic devices, equipment, software, hardware, or other technology that can function independently, in conjunction with, or attached to computer systems. These items may be used to enhance the user’s access of and expand the functionality of the computer system, the device itself, or other equipment.

Remember, it is recommended by the NIJ that protocols for how to handle electronic crime scenes and digital evidence be developed in compliance with agency policies and prevailing Federal, State, and local laws and regulations - and common sense. Your properly trained and equipped CF technician should work side-by-side with your properly trained and equipped DME technician.

Tuesday, September 16, 2014

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Recently, the NIJ released its Second Edition of Electronic Crime Scene Investigation: A Guide for First Responders.

Here are some highlights:

When dealing with digital evidence, general forensic and procedural principles should be applied:

  • The process of collecting, securing, and transporting digital evidence should not change the evidence.
  • Digital evidence should be examined only by those trained specifically for that purpose.
  • Everything done during the seizure, transportation, and storage of digital evidence should be fully documented, preserved, and available for review.

First responders must use caution when they seize electronic devices. Improperly accessing data stored on electronic devices may violate Federal laws, including the Electronic Communications Privacy Act of 1986 and the Privacy Protection Act of 1980. First responders may need to obtain additional legal authority before they proceed. They should consult the prosecuting attorney for the appropriate jurisdiction to ensure that they have proper legal authority to seize the digital evidence at the scene.

In addition to the legal ramifications of improperly accessing data that is stored on a computer, first responders must understand that computer data and other digital evidence are fragile. Only properly trained personnel should attempt to examine and analyze digital evidence.

Remember, DME is digital evidence and should be treated as such. Many agencies have the "it's just video" mentality. Not respecting the evidence and the procedures necessary to properly collect the evidence will eventually get you in trouble. Thankfully, the NIJ provides this valuable piece of guidance.
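
One way to put the guide's first and third principles into practice for a DME file, as an added example (not from the NIJ guide or this blog): hash the file at seizure and keep a hash-chained custody log, so a later change to either the file or the log is detectable. The file name, handlers and timestamps are constructed sample values.

```python
import hashlib, json, os, tempfile

GENESIS = "0" * 64  # "previous hash" for the first log entry

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:  # read-only: hashing must not alter the evidence
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, action, handler, path, when):
    """Document one custody step; each entry commits to the one before it."""
    body = {"when": when, "action": action, "handler": handler,
            "file": os.path.basename(path), "sha256": sha256_file(path),
            "prev": log[-1]["entry_hash"] if log else GENESIS}
    body["entry_hash"] = _digest(body)
    log.append(body)

def verify(log, path):
    """Return a list of problems; an empty list means file and log are intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if entry["prev"] != prev or _digest(body) != entry["entry_hash"]:
            problems.append(f"log entry {i} altered or out of order")
        prev = entry["entry_hash"]
    if log and sha256_file(path) != log[0]["sha256"]:
        problems.append("file no longer matches hash recorded at seizure")
    return problems

def demo():
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "dvr_export_cam3.avi")  # constructed sample
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for exported video")
        log = []
        append_entry(log, "seized", "Officer A", path, "2014-09-16T10:00Z")
        append_entry(log, "received by lab", "Analyst B", path, "2014-09-16T14:30Z")
        clean = verify(log, path)
        with open(path, "ab") as f:   # simulate the evidence being changed
            f.write(b"\x00")
        changed = verify(log, path)
        log[0]["handler"] = "Officer C"  # simulate an edited custody record
        edited = verify(log, path)
        return clean, changed, edited

if __name__ == "__main__":
    for result in demo():
        print(result)
```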