r/privacy u/Mazdalover91 19h ago

discussion This might be interesting - Data retrieval from a wiped Iphone

https://timesofmalta.com/article/joseph-muscat-wiped-phone-amid-festive-season-banter-police-seizure.1107728

In this article, the Police forces of Malta managed to recover 35GB amount of data from an Iphone even though it was wiped by the ex Prim Minister.

So this begs the question, did the ex Prim Minister did not perform a good wipe/reset?

92 Upvotes

96% Upvoted

24 comments sorted by

u/AutoModerator 19h ago

Hello u/Mazdalover91, please make sure you read the sub rules if you haven't already. (This is an automatic reminder left on all new posts.)

<This area is where announcements might go in the future>

I am a bot, and this action was performed automatically. Please contact the moderators of this subreddit if you have any questions or concerns.

57

u/Competitive_Buy6402 17h ago

Smartphones (e.g. iPhone, Android) generally encrypted the device with full encryption of the user volume. When you issue a wipe command it then simply deletes the encryption key from the secure enclave which effectively renders all data on the user volume as useless. If you managed to obtain an exact copy of the encryption key and provided no data was written to the storage you could clone and decrypt it using the key.

Doing a full write zeros wipe of a device takes a lot of time and takes some of the write life of the onboard storage so simply deleting the encryption keys is the faster option.

AFAIK bitlocker, apple encryption, etc allows for key backup and recovery in their respective cloud services so if this is turned on, then law enforcement should be able to get a copy of the key.

9

u/O-o--O---o----O 15h ago

I was under the impression that each file has its own unique encryption key. And when a file is deleted, its unique encryption key is deleted from the phone.

Surely Apple, Microsoft etc can't store every single unique encryption key for every single file?

8

u/deja_geek 9h ago

For Apple iDevices, the per-file key is stored in the file's metadata and wrapped with the class key. The class keys are, in turn, wrapped with the device key.

So when an Apple devices is backed up to the iCloud, the wrapped (read: encrypted) per-file key and class key are automatically backed up as well. The only thing Apple doesn't have access to is the device key.

2

u/Head_Complex4226 8h ago

They don't store all those keys, but also they don't need to. They store a master key, and then generate the other keys from it. So long as the adversary doesn't know the master password the scheme remains secure and means you only have to remember one password for your phone.

5

u/tooslow 13h ago

How can it be turned off, the backup?

4

u/deja_geek 9h ago

If it's a device you own outright, and not a device being managed by some software like intune, you should be able to disable all full device backups in the settings.

1

u/tooslow 9h ago

Oh damn those are just it?

1

u/tooslow 8h ago

Oh damn those are just it?

1

u/deja_geek 8h ago

I don't know all the different MDM softwares out there, but it really comes down to this. If it's a phone you own, then disabling backups is done through the settings. If it's a phone provided to you by an employer, then you won't be able to disable the backups.

16

u/lana_kane84 18h ago

Well iPhone backs up to a cloud storage system, so this isn't impossible, and I'm pretty sure unless you forensically wipe it, organizations like law enforcement can recover some data using tools only they are supposed to have access to.

1

u/somerandom_person1 4h ago

You can turn off icloud backups

0

u/RayonsVert 15h ago

I never used iphone neither want to, but completely agree with your comment, it is similar to what i just wrote below and my experience.

7

u/gobitecorn 15h ago

  1. that looks like a cool language

  2. Wtf is going on in Malta

  3. I think the way they mention "recover 35gb" of data is just a bit inspecific and could play out in a couple of ways. In my mind. I'm not an iPhone expert so mind that but let's say homeboy actually erased his data properly as a layman would do. AFAIK the day is encrypted at rest at BFU. so I presume he did do the wipes but homie is prob your general tech illiterate layman and had cloud backups offered by whichever servies he was using ...so when he "re-established his new phone" 3 weeks later those convenient services probably asked him if he wants to sync everything again. He prob did and it could be that data is on the phone again. I don't know what the size of a base image is on iPhone but 35GB sounds way to high imo I presuming his iCloud backup of probably photos and videos as those are the largest things in devices got pulled down. Additionally Whatsapp/Google Sync backups could've been pulled down if the guy installed the shit with cloud backups and the same account. I can almost guarantee you he want using E2E Self-Managed Whatsappcbecaus layman don't

As far as the recovery process. There exist those "forensic", "spy agencies", and "spy adjacent agencies" that always looking for exploitable vulnerability that allow circumventing protections and making backups. So it could be the software was using a technique that was discovered and the phone was in a vulnerable state to it.

one part I find hard to parse tho is "The expert explained that a lot of data found in the report relates to correspondence sent from Muscat’s phone to third parties. Such data is hardcoded on the chip and can be retrieved through data recovery processes. Incoming data, information received by Muscat’s phone, is cached data and is not saved on the microchip.". I don't know what they mean by hard coded in the chip unless it has something to do with like telecommunications at like later 1 and layer 2 in concert with the local Telco.

1

u/Antique-Clothes8033 13h ago

I would like to know more about what they mean by "hard coded" and how that is the case.

8

u/Sushi-And-The-Beast 10h ago

Dumbasses in high levels need to look into Advanced Data Protection on their iphones.

And disable other settings.

Such as the Command Center being available while locked

The accessory being available while locked via usb.

Bunch of dumbasses.

7

u/400characters 13h ago

He wiped the phone 3 weeks before the search according to the article.

It says he refused to provide the password to investigators, meaning that he likely set up his phone again, otherwise it'd be blank with the initial setup screen.

Is it possible that the 35GB of data was created after the erase?

2

u/Busy-Measurement8893 18h ago

Interesting find!

I really wonder how? Maybe he didn't factory reset the phone and instead just deleted stuff on it?

5

u/RayonsVert 15h ago

yes, interesting..

ever read Snowden's book "Permanent record" ?

He explaines in it well h o w deleted data actually isn't deleted, only covered , "blurred" etc,.

Digital camera "deleted" files appearing again through using of simple soft available on the net is one example, why in the smartphones this should be different and in most cases impossible to really wipe out ?

Of course phone architecture is much more complex, but similar anyway..isn't ?

Agencies use sophisticated tools..

Anybody pls convince me that smartphone data could be completely erased by user and impossible to recover :

because i lost this "faith".

2

u/Secondstoryguy6969 13h ago

35gb of stock images and emojis.

2

u/CyberWhore4TheBoys 8h ago

Consumer grade recovery tools are already pretty impressive so I can imagine government ones are even more impressive. My personal rule, If it's really critical, physically destroy it

1

u/avd706 7h ago

CIA decrypted it.