
FBI Says Resetting San Bernardino Shooter's Apple ID Password Not a Screw-Up

The FBI said it worked with San Bernardino County to quickly obtain the phone's iCloud backups.


Look, it wasn’t a f*ck-up, okay?

That’s the message from the Federal Bureau of Investigation, which fired back this weekend at reports suggesting that rogue elements within San Bernardino county had reset the Apple ID password on the suspected shooter’s phone without consulting law enforcement.

Federal investigators said they were working in cooperation with San Bernardino county to obtain information stored in the iCloud account of Syed Rizwan Farook, a county employee suspected of killing 14 people and wounding 22 others in the Dec. 2 attack.

The FBI said it discovered Farook’s government-issued iPhone 5c on Dec. 3 and worked with the county’s information technology staff “to obtain evidence related to the investigation in the days following the attack.” The county reset the iCloud password on the account — which gave the FBI immediate access to all backups (it also served Apple with a warrant for the same info).

The trouble is, the last backup occurred on Oct. 19 — weeks before Farook and his wife, Tashfeen Malik, allegedly launched the attack, then died in a shootout with law enforcement. The password reset foreclosed the possibility of retrieving another backup following the incident, both Apple and the Justice Department agree.

“It is unknown whether an additional iCloud backup of the phone after that date — if one had been technically possible — would have yielded any data,” the FBI said in its statement.

The FBI argues that the backups aren’t enough, and that it still needs access to the iPhone to further its investigation of the mass killing.

“There might be information on the phone that would not be accessible without Apple’s assistance … since the iCloud backup does not contain everything on an iPhone,” the FBI said in a statement. “As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.”

A federal court judge ordered Apple to develop software to disable one of the security features on the iPhone, the “auto erase” feature that renders the device inaccessible after 10 failed password attempts. Doing this would allow federal investigators to guess the device’s password through repeated attempts.

Apple Chief Executive Tim Cook has maintained that such a request is both unprecedented and dangerous, and said the company would fight the court order.

Here’s the full statement from the FBI:

STATEMENT TO ADDRESS MISLEADING REPORTS THAT THE COUNTY OF SAN BERNARDINO RESET TERROR SUSPECT’S IPHONE WITHOUT CONSENT OF THE FBI

Recent media reports have suggested that technicians in the county of San Bernardino independently conducted analysis and took steps to reset the iCloud account password associated with the iPhone 5C that was recovered during a federal search following the attack in San Bernardino that killed 14 people and wounded 22 others on December 2, 2015. This is not true. FBI investigators worked cooperatively with the county of San Bernardino in order to exploit crucial data contained in the iCloud account associated with a county-issued iPhone that was assigned to the suspected terror suspect, Syed Rizwan Farook.

Since the iPhone 5C was locked when investigators seized it during the lawful search on December 3rd, a logical next step was to obtain access to iCloud backups for the phone in order to obtain evidence related to the investigation in the days following the attack. The FBI worked with San Bernardino County to reset the iCloud password on December 6th, as the county owned the account and was able to reset the password in order to provide immediate access to the iCloud backup data. The reset of the iCloud account password does not impact Apple’s ability to assist with the court order under the All Writs Act.

The last iCloud data backup of the iPhone 5C was 10/19 and, based on other evidence, investigators know that Syed Rizwan Farook had been using the phone after 10/19. It is unknown whether an additional iCloud backup of the phone after that date — if one had been technically possible — would have yielded any data.

Through previous testing, we know that direct data extraction from an iOS device often provides more data than an iCloud backup contains. Even if the password had not been changed and Apple could have turned on the auto-backup and loaded it to the cloud, there might be information on the phone that would not be accessible without Apple’s assistance as required by the All Writs Act order, since the iCloud backup does not contain everything on an iPhone. As the government’s pleadings state, the government’s objective was, and still is, to extract as much evidence as possible from the phone.

This article originally appeared on Recode.net.