Ah, ya gotta love technology
BY:
Eric De Grasse
Chief Technology Officer
PROJECT COUNSEL MEDIA
5 August 2022 (Mykonos, Greece) – We were on an invite-only webinar yesterday, sponsored by a major forensic/cybersecurity vendor with whom we have worked for years, on the U.S. Secret Service mobile phone wipe and the Pentagon mobile phone wipe. I am going to report on it but please note I had to redact a lot because (almost) everybody on the call requested “no attribution” to speak freely. But you’ll find that much of the following information has appeared in various press stories, from many of the participants on the webinar. But, I’ll keep to the rules we established.
If you are not up to speed, efforts by a congressional committee to investigate the 6 January 2021 insurrection hit a roadblock last week when it came to light that text messages the committee sought from the phones of Secret Service agents were “permanently deleted” as part of a “scheduled device migration”. That information came to light in a letter sent from the Department of Homeland Security’s inspector general to the House Select Committee, which is investigating the insurrection. When asked about the claim, the Secret Service gave vague and confusing statements about what occurred and the nature of the messages. An agency spokesman said both that data on the phones was erased during a factory reset and also that none of the erased messages are relevant to the January 6th investigation.
It was then revealed that 6 January 2021 text messages were also deleted from the mobile phones of senior Homeland Security management (all Trump appointees). And even worse: the Homeland Security watchdog (another Trump appointee) – under scrutiny for his handling of those deleted Secret Service text messages – had been previously accused numerous times of misleading federal investigators and running “afoul” of different ethics regulations.
To add insult to injury? The Pentagon announced it, too, had wiped the phones of former acting Defense Secretary Chris Miller, former Army Secretary Ryan McCarthy and former Pentagon chief of staff Kash Patel (all 3 being temporary Trump appointees) in the days after the attack on the Capitol and the end of former President Trump’s term. The scrubbed Pentagon records are significant since, as the Congressional January 6th Committee said “they could have shed more light on why the National Guard was delayed approval to go to the Capitol as it was under siege”.
Huh. Remember when Team Trump delayed transition to Team Biden? Well, gee, it almost looks like they were … destroying evidence and trying to cover their tracks? Can you imagine?
Every cybersecurity specialist interviewed by the media (and everyone in our webinar) said the “update” and “routine task” of telling the Secret Service agents to “back up their own records” is not something any other organization would ever do in this situation. Nobody has ever done a “migration” without a plan for backing up data and restoring it. Every cybersecurity expert and former government data retention leader said they were “stunned” by how poorly the Secret Service and the Department of Homeland Security handled the preservation of officials’ text messages and other data from around January 6th – especially given the fact these were the top Federal agencies entrusted with fighting cybercrime.
On our web call, more frank talk. The disappearance of phone data from around the time of the insurrection was more than a sign of incompetence – it was an intentional coverup. It is impossible not to raise suspicions about the disposition of records whose preservation was mandated by federal law. And it followed a pattern. During the Trump Administration almost all of Trump’s inner circle used Telegram and WhatsApp to communicate. None of those records were kept even though mandated by federal law.
Funny that. The Secret Service said it began deleting data from officials’ phones in the same month as the Capitol siege, when its agents were among the closest eyewitnesses both to Trump, now under criminal investigation for his push to overturn the election, and to Vice President Mike Pence, who had narrowly escaped the mob. The agency’s official statement was that “the deletions were part of a preplanned system migration, that agents had been instructed to back up their own phones, and that any insinuation of malicious intent is wrong”.
If the Secret Service had truly wanted to preserve agents’ messages, experts said, it should have been almost trivially easy to do so. Backups and exports are a basic feature of nearly every messaging service, and federal law requires such records to be safeguarded and submitted to the National Archives.
Here is the way it works: data migrations of these sorts are not uncommon. One of the basic rules for conducting them is that devices should be backed up with redundant copies in such a way that the process can be reversed if something goes wrong. All phone manufacturers and all manufacturers of mobile operating systems offer detailed, specific guides for how to back up devices, restore saved data and move devices onto the service without deleting their data outright.
The use of iPhones, which prioritize individual users’ privacy over organizations’ ability to centrally manage data, does create challenges for data retention that are solvable through the right practices. But relying on individual Secret Service agents to upload their iMessages, without any other backup system or way to ensure compliance, before permanently wiping their devices suggests that such practices were not in place – or worse, not even suggested. It was a program set up for failure.
One person on our call was a former Secret Service agent and he said it will remain unclear how much, if any, sensitive communication Secret Service agents would have been doing via iMessage anyway. Why? Because agents carry personal devices as well as their work devices, and rules about keeping work communications on work devices “are not diligently followed”. The Secret Service blocks its phones from using Apple’s iCloud, a popular service for automatically saving copies of phone data to the web. Using iCloud backups could have ensured that copies of the messages would have been preserved even after a phone reset. But the system has been seen as a security risk because it made agents’ digital conversations more vulnerable to hackers or spies.
NOTE: one participant on the call noted that as part of DHS, the Secret Service would have been required to use some form of “mobile device management” service even before the alleged “migration”. But the agency has not specified what MDM it migrated from, and each system works in different ways.
A few concluding points from the call. There was a boatload of detail provided but I’ll keep this general to protect sources:
• The webinar was a brilliant tutorial on forensic extraction tools for mobile by those that really know their stuff. You only get this level of detail if you attend FIC in Lille, or the MWC in Barcelona, or DIC in Zurich or the myriad RSA events.
• In the case of data storage that has been physically damaged, such as by a gun shot or burning, *some* of the data is *still* recoverable. It’s expensive, but there are companies that specialize in emergency data recovery; for example, in the case of corporate data that has been destroyed in a fire. Investigative agencies know all these facts. Some of the heavyweights in data extraction have been called in by multiple parties in the DHS/Secret Service/Pentagon mobile erase affairs so I suspect there will be more news blasts to come.
• The *migrations* and *factory resets* were totally outside normal procedure/protocols. The messages *might* still be there but not readable due to the way factory resets work on the phones in question. And, yes, a few participants had detailed inside info on the devices used by the Secret Service and the Pentagon, and how these devices are normally managed. The consensus seemed to be that essentially this data was unrecoverable.
• Everybody agreed all the agencies involved received “some very clear technical guidance on how to erase/delete data” – and the end effects of “executing” on that guidance. But given the DHS, the Secret Service and the Pentagon are clients of several of the heavyweight companies involved with digital intelligence and mobile forensic device tools, well … when you get caught in an insurrection and a cover-up, you only hire the best.