Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2016-03-29 20:00:00. Format, images and links may no longer function correctly.

Well, so did I in my last post. Thanks to a friend, I can at least give you a method that a forensics provider could have used to determine the 4-6 digit passcode on that phone. It is not pretty or elegant, but it is a practical solution with the right infrastructure.

We all know that the forensic image of the phone will wipe itself if you put in the wrong passcode 10 times. The first five tries can be made without delay, and tries 6-10 have increasing wait times up to 60 minutes. They could just make LOTS of copies of the iPhone image and make 6 attempts on each before deleting that image and moving to the next. With enterprise-class storage, connectivity, virtual machines and some scripting software, it would just take time to run through the 1,000-10,000 code combinations. If you think that making copies of the large forensic image would be impractical, a 64 GB file should take roughly 93 seconds on a SATA III drive pushing 6 Gbit/s.

This kind of brute-force hack takes resources, time and a certain level of scripting expertise, and it only works if the phone has not already deleted the encryption keys. This method is burdensome enough to put it outside the normal proportionality/reasonableness limits in typical civil discovery. It requires either a very long time or the resources of a global service provider or governmental actor. This reinforces the need for proper mobile device termination/upgrade policies and procedures to protect sensitive data when devices leave the company.

