Did FBI Ask Cellebrite to Open Farook’s Phone before Getting an AWA Order?

In this post, I note that DOJ obtained a warrant to search (among other things) an iPhone 6 using Cellebrite’s assistance on the same day as it obtained an All Writs Act order to Apple to help crack Syed Rizwan Farook’s iPhone 5C. That other warrant demonstrates not only that DOJ was at least willing to try opening a late model iPhone with Cellebrite’s help during the same period it was claiming it could only do so with Apple’s help, but it also shows us what it would look like if DOJ tried to enlist Cellebrite’s help.

I’d like to look at the underlying “warrant” such as it exists for this phone. There are two dockets in this case: 5:15-mj-00451, the docket under which DOJ got a search warrant for Farook’s (actually, his mother’s) Lexus, and 5:16-cm-00010, where the fight with Apple lives. The order for an All Writs Act actually lives in the earlier docket, while the first numerical docket item in the newer one is the government’s motion to compel.

Technically, we have never seen any free-standing warrant for Farook’s phone. Rather, what got attached to the AWA order application was actually the warrant for the Lexus. That warrant includes a bunch of boilerplate language about any devices found in the car, which basically permits authorities to search a device to find out if it contains any items covered by the search warrant, but requires a further legal order to keep that information.

Obviously, FBI hasn’t gotten to the point where they’ve found the phone includes evidence relating to the crime, because they haven’t yet been able to search the phone, so they haven’t gotten to the point where they’d need this “further court order.” Moreover, the phone doesn’t belong to Farook, it belongs to San Bernardino County, and they’ve consented to any search (but you can’t get an AWA unless you have a search warrant).

But it appears DOJ covered their asses, given the following entries in the original docket.

[Screenshot: entries in the original docket]

As I understand it, this warrant docket was terminated on December 21. But then on January 26, it got active again, with the government sealing a document, then unsealing the parts of the search warrant. Then, on January 29, the government applied for and got and then sealed an extension of time on the original warrant, but noting they just needed an extension for devices related to it (that is, for Farook’s phone). Then on February 2, they submitted and got sealed another document. Finally, they got parts of the original warrant that had been unsealed in part days earlier unsealed (again?) so they could get the AWA, which they did.

I’m interested in all this for several reasons. First, if they closed this docket in December, after they had already obtained the content of Farook’s iMessage account, does that indicate they had determined the phone had no evidence relating to the crime? That’s consistent with what everyone believes. But it would also seriously undermine their claims that they do need the information (especially since the claims they made in their AWA application are inconsistent with what they’ve claimed in later documents).

I also suspect that FBI asked Cellebrite to open this phone. If I’m reading the docket correctly, the parts of the search warrant pertaining to the phone have been unsealed twice, the latter time for the AWA. I suspect the earlier activity in the docket pertained to a Cellebrite request, in which case the February 2 docket document might resemble the method of search language, naming Cellebrite, found in the February 16 warrant for the iPhone 6 in the other case.

The thing is, Judge Pym may know that, if that’s the case, because she’s the one who signed off on the January 26 and 29 activity. Which is interesting given that, in the phone hearing on whether to vacate the hearing yesterday, she suggested FBI might need to brief on what this effort was.

I’m not — to some extent I’m not sure how much difference it makes whether the order is vacated at this point or not, because if it turns out, after exploring this possibility, that the FBI believes it won’t work, you know, I would be inclined to go forward without really — and there might need to be some additional briefing, supplemental submissions, with respect to this effort, but I think the matter’s been fully briefed.

She may be less willing to decide for FBI if she knows that Cellebrite is actively working on a solution that would solve FBI’s needs, which she may already know.

In any case, given the import of this case, citizens really deserve to know what the government was asking for at the end of January, particularly if their first effort to get into the phone involved a request to Cellebrite that has now been answered.

3 replies
  1. SpaceLifeForm says:

    Can you spell ‘parallel legal construction’?

    http://www.zdziarski.com/blog/?p=5966

    At first (two days ago), he figured that the way to break in was
    to use a process of copying and restoring the NAND memory
    from the iPhone5c in question, interleaving PIN attempts.

    But, In a later u
    UPDATE: The FBI is rumored to have classified this technique, only 24 hours after requesting a two-week window to give report. If true, FBI wouldn’t classify something that they haven’t validated, which means they validated it too. This suggests the technique *could* also be an exploit, so now we’ve two different possibilities to consider.

    But here is the problem I see which leads me to my theory of
    parallel legal construction. If the way in to get the PIN code is
    via the NAND copy/restore method, then how can that be considered
    classified? Yes, I realize that they can classify any obvious facts,
    but it also suggests that the purpose of any classification may
    actually be to hide something else.

    I really believe it is an exploit.

    But in either case, why would Cellebrite provide this method
    to the FBI for only 15k? If it is an old exploit only good for 5c
    and earlier, yes its shelf life is limited. But you know there
    are bad actors that would not blink at that cost because there
    are still plenty of 5c models in use.

    https://www.fpds.gov/ezsearch/fpdsportal?amp;templateName=1.4.4&q=cellebrite+CONTRACTING_AGENCY_NAME%3A“FEDERAL+BUREAU+OF+INVESTIGATION”+PIID%3A”DJF161200P0004424″&sortBy=SIGNED_DATE&s=FPDSNG.COM&indexName=awardfull&desc=Y&&templateName=1.4&indexName=awardfull

    So, is Cellebrite giving the FBI a cut-rate deal? Why?
    Why did it only happen two days ago? Is this all
    happening now because Cellebrite was told to do so?
    Is this parallel legal construction so that various discussions
    can be avoided in court?

    I will not be surprised to hear any minute now that the FBI reports
    that they got into the phone and there was nothing to see.

    • emptywheel says:

      The $15K was, as I noted in my last post, almost certainly just to renew licenses on 7 common Cellebrite machines owned by Cook County.

  2. Denis says:

    There we go . . .perfect solution to a tough political problem:
    Turn the freakin’ phone over to the Israelis. Nothing like FBI,
    NSA, CIA, DIA nerds eating some humble pie. Everybody and
    his uncle is calling them out for incompetence. Snowden
    called “horseshit” (his term) on this whole cluster fuck (my term)
    days ago. FBI: “Freakin’ Bureau of Incompetents — If we can’t
    solve the case, we’ve got Israeli contacts who can.” ™
    .
    And if the Israeli company can’t bust the iPhone, send it over
    to Mossad. They’ve probably already got the source code and
    Apple’s “keys to the kingdom” encryption code for iOS9.3
    .
    My question is: If Cellebrite claims they can crack the phone
    but they don’t get their price, can DoJ then get an AWA order
    compelling them to do the work? How about Mossad? I mean
    as long as DoJ is going off on this AWA power-trip, might as
    well go whole hog. Er . . . sorry, wrong metaphor. Might as
    well go whole matzah balls. Eh?

    Change of subject…….
    .
    Marcy: “but you can’t get an AWA unless you have a search warrant”
    .
    I’m not sure that’s what you mean. Yes, there has to be some sort
    of underlying court order or writ, but the AWA is not just about
    search warrants. It’s about forcing people to assist in executing
    any type of federal court order or writ that is within the court’s
    jurisdiction.
    .
    Example: One of the primary cases cited by both parties’ briefs is
    about a magistrate judge’s use of AWA to try and force the US
    Marshals to transport state prisoners to federal court. USSCt
    said AWA could be used to force marshals to guard state prisoners
    while in federal court, but AWA does not extend to forcing the
    marshals to go get the prisoners from the state jail. One would
    think that this sort of everyday logistical issue would have been
    resolved 200 years ago, but this is a 1985 case.
    .
    I bring this up as one of many uses of AWA completely unrelated
    to search warrants. Given the number of wacko federal judges and
    magistrate judges out there, and given the breadth of the AWA,
    it’s a pretty scary thing, IMO.
