As a loyal and proud member of the International Association of Computer Investigative Specialists (IACIS), I am fortunate enough to have a virtual plethora of digital forensic professionals who offer advice, tips, tricks and explore current trends in digital forensics via the IACIS List Serve. A hot topic the past few months going around the list serve has been the use of the IP box to bypass a passcode-locked i-device (iPhone, iPod touch, iPad, etc.). It occurred to me (and perhaps to others) today that there are some serious considerations to take into account when employing this device. We’ll explore them here:
In the latter part of 2014, Apple announced that, with the release of iOS 8 and the iPhone 6 family, it would no longer be able to assist law enforcement agencies who send devices to them for bypass of a passcode or thumbprint lock to obtain data from the device, even with appropriate legal service (search warrant, etc.). This understandably caused quite a negative reaction from those in law enforcement who had previously relied upon this option as a last resort to access data on iOS devices.
Enter the IP box. Very shortly thereafter, the IP box became a possible alternative option for law enforcement to get past passcode-locked iOS devices. The IP box is a no-frills Chinese tool with leads which physically attach to the exterior of the iOS device and electronically attempt every possible code from 0000 to 9999 to gain access to the user portion of the device. It’s a brute-force bypass tool. If you search on YouTube, you’ll find any number of (mostly foreign) videos demonstrating how this tool works – and it does work… sort of.
Concerns With the Use of the IP Box
There are several concerns with the use of the IP box for digital forensic practitioners. Many of these have been voiced on the IACIS list serve and other online forums, but I fear one has not. The more technical issues stem from the fact that the IP box is not a forensic tool; it’s a hacker tool. In digital forensics, we need to be able to articulate, validate and replicate all of our steps, otherwise they are not scientifically valid. Hacker tools by their very nature do not come anywhere close to meeting these requirements, but the IP box is a simple tool, so it may be a slight exception to this rule. That is up for debate.
The second concern with the IP box is that an iOS user has the option to set their device to automatically wipe the data after 10 unsuccessful attempts at the passcode. This is an obvious problem because you may have no clue what your subject used for a passcode and now you only have 10 chances to figure it out or POOF! The data is gone. This leads us right into what is probably the larger, and certainly less articulated, concern with the potential use of the IP box, and it is especially poignant for digital forensic professionals in the law enforcement community…
If you seize an i-device with a passcode lock and your subject/suspect refuses to turn over the passcode, your options are now limited to attempting access with the IP box. However, the subject may have turned on the 10-and-out wipe option on the device and may or may not tell you if he/she did. So in your attempt to get the data, you hook up the evidence to the IP box and try 10 times and POOF! The device auto-wipes after your 10 unsuccessful attempts.
Guess what you just did? Destroyed evidence.
Having been in law enforcement for 15 years and still clinging very closely to many of the ideals that drove my career for that time, I understand the need to want to “get the data” at all costs. You may be working a child abduction or exploitation case or a homicide or rape and that data is vital to your investigation. However, now having been in private practice, I also have the fortunate ability to step back a bit from the law enforcement world and take a look at some practices and audit them with a somewhat dispassionate view. Toward that end, I submit that the use of the IP box by anyone in law enforcement charged with the collection, preservation & analysis of evidence is not only ill-advised, but woefully negligent.
Think about it – you know what could potentially happen to your seized data if you use the IP box, up to and including destruction of that evidence. What possible justification can you place on that? The bottom line is, there is evidence on that device. The fact that you can’t access it doesn’t mean it’s not there. And that evidence may have value to someone else besides you, like the defense. Perhaps there’s exculpatory evidence on that device and you just wiped it. I submit that the use of the IP box is in direct violation of our charge as responsible handlers of evidence. I further submit, as one who caters to both government and private clients, that there is potential liability in law enforcement’s use of the IP box – both civilly and criminally. Destruction of evidence, especially when you are fully aware that the potential destruction may occur AND you continue to take actions in furtherance of that potential destruction, is criminal – whether you’re in law enforcement or not.
Finally and given these facts, I can unequivocally say that if I were in law enforcement and were on the witness stand in a major trial and a savvy defense attorney was cross-examining me about the steps I took, I would have a hard time explaining my use of this device, especially given the fact that I know it could erase all the data. The ends do not justify the means.
There’s no doubt that in virtually every case the potential for solid evidence to exist on a mobile device is real. However, when we start to sacrifice our responsibility to protect that evidence in order to “get the data” at all costs, we start to devalue the forensic methodologies and best practices that we have dedicated ourselves to as digital forensic professionals.
Look at it as the digital forensic equivalent of the Hippocratic Oath – Above all, do no harm… and protect the evidence.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
UPDATE Jan 31, 2015: I have received a wide array of responses to this article, but one was a question from a BCERT classmate who asked if the iPhone gives a countdown to wipe if the 10-and-out feature is enabled. Having not employed this feature on my device, I decided to check and see. Without going into the long explanation, the device does give a countdown and disables for increasing amounts of time in between attempts. However, as examiners flying blind, we still don’t know if the wipe feature is enabled and, through 9 incorrect attempts, there is no warning of impending wipe. I am choosing not to attempt a tenth because I don’t want to wipe my iPhone.
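As an added example (not the article’s or any vendor’s code), the following Python models the lock behaviour the article and the update describe: a sequential 0000–9999 brute force against a device whose erase-after-10 setting the examiner cannot see, with the escalating lockout delays accumulated along the way. The delay values are an assumption made up for illustration; the article says only that the delays increase.

```python
from dataclasses import dataclass

WIPE_AFTER = 10  # the "10-and-out" erase option described in the article

# Assumed lockout schedule (minutes imposed after the n-th consecutive failure).
# The article says only that the delays increase; these values are constructed
# for illustration and are not a statement about any particular iOS version.
LOCKOUT = {5: 1, 6: 5, 7: 15, 8: 15}
LOCKOUT_LATE = 60  # assumed delay for every failure from the 9th onward


def lockout_minutes(failures: int) -> int:
    return LOCKOUT_LATE if failures >= 9 else LOCKOUT.get(failures, 0)


@dataclass
class LockedDevice:
    passcode: str      # unknown to the examiner
    erase_data: bool   # the user's setting, also unknown to the examiner
    failures: int = 0
    waited_minutes: int = 0
    wiped: bool = False

    def try_code(self, code: str) -> str:
        """Return 'unlocked', 'locked' (wait, then retry) or 'wiped'."""
        if self.wiped:
            return "wiped"
        if code == self.passcode:
            return "unlocked"
        self.failures += 1
        self.waited_minutes += lockout_minutes(self.failures)
        if self.erase_data and self.failures >= WIPE_AFTER:
            self.wiped = True  # the evidence is gone
            return "wiped"
        return "locked"


def sequential_bruteforce(dev: LockedDevice) -> tuple:
    """Try 0000..9999 in order, as the IP box does; stop on unlock or wipe.
    Returns (outcome, attempts made, total lockout minutes incurred)."""
    for n in range(10_000):
        outcome = dev.try_code(f"{n:04d}")
        if outcome != "locked":
            return outcome, n + 1, dev.waited_minutes
    return "locked", 10_000, dev.waited_minutes


def wipe_probability(keyspace: int = 10_000, attempts: int = WIPE_AFTER) -> float:
    """Chance a uniformly random passcode is not among the first attempts tried,
    i.e. the chance a sequential brute force wipes a device with erase enabled."""
    return 1 - attempts / keyspace
```

With erase enabled, only a passcode among the first ten codes tried survives the run; for a uniformly random 4-digit code that is a 0.1% chance of success against a 99.9% chance of destroying the evidence.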
Det. Cindy Murphy of the Madison, WI Police Department performed some tests on the IP Box and published a white paper with results. It may be found here: