Hello to everyone at Mobile Forensics World 2015 in Myrtle Beach, SC! 

Last week, I decided to do some experimenting with my Apple Watch. I wanted to see if the watch could contain data independent of its paired iPhone.  The answer to this is – YES.  Not only could it contain data, but it can also be used as an independent communication device.

For this to work, Apple Watch must have been paired with an iPhone at some point.  In addition, that iPhone must have authenticated itself to the WiFi network on which Apple Watch will communicate.  After the authentication information is passed over to the Apple Watch, the phone can basically be put into airplane mode, or completely turned off.

Depending on the user’s settings, Apple Watch will mimic being put into airplane mode when the iPhone is.  After ensuring the iPhone was in airplane mode, I proceeded to open the Messages application on Apple Watch.  I was able to look at old messages (text and iMessage) that reside on the watch.  I located a contact which I knew had iMessage and dictated a message.

Indication #1 that there was still a connection to the internet was that dictation still worked.  I selected to send the text version of the message rather than the audio version and it showed “delivered”.  A brief moment later, I received a reply directly on the watch from the other party. 

To ensure this was definitely happening, I turned my phone completely off, as well as my iMac, MacBook Pro, and iPad (just for good measure).  Again, I was able to send and receive messages in both text and voice memo format.  I allowed one voice memo to expire and disappear, while another was “kept” on the watch before the 2 minute expiration.  I also did a few screen captures on the watch, attempted to make a phone call, and attempted to send a regular SMS (non-iMessage).  As expected, the phone call and SMS failed.  Lastly, I attempted to launch a few apps like Twitter, Instagram and Skype.  All of these failed, but gave a visual indication that they required the phone to work properly.

Next, with the phone rebooted, but still in airplane mode, I conducted an advanced logical acquisition of my phone using UFED Physical Analyzer.  Almost immediately after the acquisition was done, I powered up the phone (approximately 12:31pm EDT).  I continued using the phone and watch, then ran a second advanced logical acquisition at 2:10pm EDT.

With both acquisitions loaded up, I ran a few searches for keywords from the messages I dictated solely on the watch – again, never having typed them into the phone itself.  The hits came up only in the second acquisition – as expected.  I have given up on looking for whatever keychain may exist that contains the SSID and PW for now, but I can only assume it is in there somewhere. I was able to play around with today would not work at a wifi hotspot which requires a user to enter a password in a browser window.  However, it is something that I will be testing nonetheless.

So, theoretically, if a subject wished to pair his/her watch to an iPhone, which has authenticated to a particular wifi network in the past, and that authentication is still valid (SSID and PW), the Apple Watch can be used as a standalone device for iMessage communications.   I know this is not what most (if any) person will do if they are buying Apple Watch.  But, pending further testing, it appears that a person could establish an anonymous iTunes account on a prepaid SIM and put it into an iPhone.  The user can then pair Apple Watch to that iPhone and subsequently authenticate to several WiFi access points they wish to use.  At this point, the user can basically dump the phone they used to get the watch going, and use that Apple Watch independently of the phone to communicate via iMessage with others using wifi.  Add to that the complexity of a free or pre-paid cell-based hotspot and tracking down that individual becomes more problematic – thinking gangs, drug rings, etc...  Granted, the message data may still be available on iCloud, but until we have the ability to connect directly to the Apple Watch and extract data (YES – there is a hidden service/diagnostic port connection on it), it may be challenging to identify the user’s email address on that iTunes account.  Even then, if we did connect to the watch directly, the question remains – can we extract actionable data?

Many theories… Many possibilities… I can only imagine we will soon be able to look at the health tracking information a bit closer. Imagine having access to heart rate logs and using data to narrow down a window of time related to someone's death.

What is best practice to deal with the Apple Watch?

Until we know what to do as best practice, we may want to NOT take the watch off of someone’s wrist!  IF they have set it to lock upon taking the watch off, you won’t have much luck getting back in there. The unlocking function is either done manually by the user on the watch itself, or, depending on the setting, will unlock when the iPhone is unlocked.  This also leads me to another question to attempt to answer.  Does the iPhone log when the watch is taken off, put back on, and even unlocked?  

Below are some things that are definitely interesting to look at using Physical Analyzer regarding my “offline” activity with Apple Watch.

My outbound messages from the watch, sent with no phone actively linked to it, end up being parsed all together, by themselves, as shown here from chat #577.


Replies, although they came into the watch, end up put together with my prior conversations as shown here in row 254.  Remember, you are now looking at the post-sync advanced logical acquisition of my iPhone.


Next, screen captures on the watch… here is a thumbnail (5003.jpg - from IMG_7049.PNG).  Notice the discrepancy in the time shown in the screen capture versus the file dates/times reported – the sync time is the time reflected as MAC times.


A closer look at IMG_7049.PNG


A closer look at the File Info tab on IMG_7049.PNG


A closer look at the Hex View on IMG_7049.PNG


More indications that the screen capture date/time is the sync time – you will see they are all within seconds of each other, most at the same time of course.
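One way to flag this pattern in a file listing exported from an acquisition, as an added example that is not part of the original post: files whose created times fall within seconds of each other are grouped as a probable sync batch, so their filesystem times should not be read as capture times. The function name, the thresholds, and every file name and time in the sample listing other than IMG_7049.PNG are assumptions made for illustration.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample listing: (file name, filesystem "created" time).
# Only the name IMG_7049.PNG comes from the post; everything else is made up.
LISTING = [
    ("IMG_7045.JPG", "2015-06-01 09:14:02"),
    ("IMG_7046.JPG", "2015-06-01 10:40:55"),
    ("IMG_7047.PNG", "2015-06-01 12:31:40"),
    ("IMG_7048.PNG", "2015-06-01 12:31:40"),
    ("IMG_7049.PNG", "2015-06-01 12:31:41"),
    ("IMG_7050.PNG", "2015-06-01 12:31:43"),
    ("IMG_7051.JPG", "2015-06-01 13:05:17"),
]


def find_sync_batches(listing, window_seconds=5, min_files=3):
    """Return groups of files whose created times chain together with gaps
    of at most window_seconds, keeping groups of at least min_files."""
    rows = sorted((datetime.strptime(ts, FMT), name) for name, ts in listing)
    batches, current = [], []
    for ts, name in rows:
        # A gap larger than the window closes the current group.
        if current and ts - current[-1][0] > timedelta(seconds=window_seconds):
            if len(current) >= min_files:
                batches.append(current)
            current = []
        current.append((ts, name))
    if len(current) >= min_files:
        batches.append(current)
    return [
        {"start": b[0][0], "end": b[-1][0], "files": [n for _, n in b]}
        for b in batches
    ]


if __name__ == "__main__":
    for batch in find_sync_batches(LISTING):
        print(f"Probable sync batch {batch['start']} to {batch['end']}:")
        for name in batch["files"]:
            print(f"  {name}  (created time likely reflects sync, not capture)")
```
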


Phone Call from Apple Watch

I attempted to call out via the watch. Apple Watch does not support wifi calling or Facetime calling at this point.  Of interest here is that although this is a “failed call” it did not log anywhere on the handset in the recent calls list.  It was not logged in the call logs within Physical Analyzer.  The only area I still need to look at is within all the binary plist files I have exported to see if there is anything in there about calls which have failed.


Exploring the File System

I wanted to get this out and there is a lot more to explore within the file system of the iPhone which has been paired to the Apple Watch.  For example, here are the pre-written reply messages located within a file named com.apple.MobileSMS under /Library/DeviceRegistry/<GUID>/NanoPreferencesSync/NanoDomains


Apple Pay stuff is there... Still have to look closer at it all, but it is there. I don't suspect to find any surprises.


As I had previously mentioned in my post from April 29, 2014, I totally expected the Supreme Court to rule that a search warrant would be required to search cell phones.  I had also mentioned that SCOTUS should stipulate that due to the advancements in technology, they should consider that seizure of volatile data should be available without a warrant.  Unfortunately, the hope for this second portion did not happen. 

On the subject of remote wiping of cell phones, it is sad to see that the SCOTUS used a source referred to in the opinion that they viewed as "anecdotal examples of remote wiping triggered by an arrest."  Perhaps they should have had staffers consult with real practitioners who have seen actual remote wiping happen on real cases.  During a recent consultation with a local law enforcement agency in South Florida, I was informed that not only was an iPhone remotely wiped after arrest, but a message of "F the police" was displayed on it as well - how anecdotal is that?

As a solution to the remote wiping threat, SCOTUS mentioned that officers can either power off the device or pull the battery - sure, this works.  They also mention the use of faraday bags to secure mobile devices from the network.  Although this may work in some situations, they are not foolproof.  In every class I teach regarding mobile forensics, I talk about these faraday bags and also demonstrate how, depending on a variety of environmental factors, they do not work properly - yes, I carry one with me to every class.

Speaking of anecdotal, I have to point out another part of this opinion which is quite interesting on how it was used.  The opinion states:

Remote wiping occurs when a phone, connected to a wireless network, receives a signal that erases stored data. This can happen when a third party sends a remote signal or when a phone is preprogrammed to delete data upon entering or leaving certain geographic areas (so-called “geofencing”)

Hmmm... I have not found many references to this other than an enterprise solution for policy administration on iOS devices.  According to the Citrix site I found with reference to this, it states: "Geo-fencing in Device Manager allows you to define a geographic perimeter for an iOS device. You can then perform a selective or full wipe upon the breach of the perimeter you set. The policy also notifies Device Manager and the device user when the device has moved beyond the defined radius of the policy. You have the option of setting a delay before the device is wiped, which can give the user time to return to the allowed GPS location perimeter."  Please tell me SCOTUS, just how is an average user that gets arrested going to have this ability?

Again, the search warrant requirement was not a surprise in the least.  I fully expected it.  However, I wished that the justices would have considered how technology has, and will always be ahead of the law of the land.  A forward-thinking decision to enable law enforcement to seize the contents of the device, much like what is done using a mere preservation letter to a cell phone carrier or internet service provider, would have been extraordinary.  Unfortunately, we must live with what Chief Justice John Roberts stated in the opinion, "It is true that this decision will have some impact on the ability of law enforcement to combat crime." - what an understatement!

PS... SCOTUS referred to a DRAFT document by NIST instead of the final version which was available to them since last month at http://dx.doi.org/10.6028/NIST.SP.800-101r1.

The full opinion can be downloaded at http://www.supremecourt.gov/opinions/13pdf/13-132_8l9c.pdf

RE: U.S. v. Wurie (13-212) and Riley v. California (13-132)

There are arguments on both sides of the issue of search of a cell phone incident to arrest. In the next 60 days or so, we will finally have a US Supreme Court decision on this issue.  The two cases being reviewed are U.S. v. Wurie (13-212) and Riley v. California (13-132).  I am not an attorney nor pretend to be one, but my opinion is that absent exigent circumstances, like computers, a search warrant will be required.  However, I would be pleased to see the justices define that seizure of volatile data can be done without a warrant.  Let me explain...

Technically speaking, there are numerous well known methods to keep a phone off the network upon seizure. I have talked about these methods in the majority of my training courses. Today, most mobile devices can effectively be isolated from the network to preserve the data on the device. This simple, yet crucial step in crime scene investigation procedures, gives the arresting officer or investigator the time to apply for, and obtain proper search authority (search warrant). Although many of these techniques have been known to law enforcement agencies as best practices when dealing with mobile devices, the fact remains that savvy users (suspects or defendants) have been known to remotely wipe their phones before the device data can be acquired, much less searched.

By now, everyone has heard about the different ways to "find your phone" if it is lost or stolen.  The average user also has the ability to remotely destroy the data on that device to protect it from prying eyes. Wouldn't you think it is reasonable to believe that someone under investigation (or even arrested), who has the opportunity to destroy incriminating evidence, might do that? 

In the spirit of preserving evidence, which can be (and is known to have been) remotely wiped prior to police seizing and searching that data, the justices would serve the people, and law enforcement alike, with an acknowledgement of the technical challenges and dynamic nature of data in mobile devices. A forward thinking court could define that it is reasonable to allow seizure of dynamic and volatile data contained within a cell phone, tablet, etc. (the container) without a warrant. At the same time, they can reiterate the protection of the Fourth Amendment protecting the actual review (search) of that data until the issuance of a properly executed search warrant.

I am guessing the court will probably mention the existence of exigent circumstances to search cell phones. This can be easily addressed by simply reiterating that a search by a law enforcement officer without warrant may take place if exigent circumstances exist.

As the CNN article here states, "the Constitution's Fourth Amendment protects against unreasonable searches and seizures." In addition, it also states "the high court has repeatedly affirmed the government's discretion to conduct warrantless initial pat-downs and searches of people and vehicles -- to ensure officers' safety and prevent destruction of evidence."

With proper training, officers can be instructed how to keep a device off the network.  Keeping a device off the network can preserve data until proper search authority is obtained for the search and recovery of cell phone data. However, since technology advances so quickly and due to the dynamic nature of data on mobile devices, I am certainly hoping for a forward-thinking decision by the justices which will not impede current investigative procedures.

Your comments are welcome!

I will be teaching the Cellebrite 5-Day Mobile Device Examiner Course at the North Miami Beach Police Department May 19-23, 2014 (registration link below).

The Cellebrite Certified Mobile Examiners Course is designed for the intermediate and advanced investigator / digital forensic examiner. This 5 day course combines the curriculum from the Cellebrite Certified Logical Operator (CCLO) and the Cellebrite Certified Physical Analyst (CCPA) Courses providing the participant with an intense exposure to Cellebrite UFED, Physical Analyzer Software and all of the core competencies associated with examination of mobile devices using Cellebrite’s Tools and methodology.  During the course two optional written exams and two optional practical skill challenges are administered and students may earn the Cellebrite Certified Logical Operator Certificate (CCLO) and the Cellebrite Certified Physical Analyst (CCPA), both of which are prerequisites for entering the Cellebrite Certified Mobile Examiner Process.

Back in January of this year, Cellebrite published an iOS application to help examiners identify phones in the field.  UFED Phone Detective is a simple tool for investigators to identify mobile devices, and determine what capabilities exist for extracting data from those devices.

The application is available for both iPhones and iPads with a graphical user interface which works very similarly to the UFED Touch and UFED4PC device.  It allows you to search for vendors and mobile device names and even find out if Cellebrite can acquire the data even if the device is locked.

If you already have access to the Cellebrite portal, you will need to use your same credentials to access and use the application.  This is a nice and free tool to have for anyone involved in digital evidence investigations!

Here is a direct link to the iTunes store to get the app!