Wylie, Texas
lee@forensic4cast.com

The Long and Winding Road to Nowhere

For those of you that know me personally, I try very hard to not minimize other people’s work and accomplishments. In fact, I revel in others’ joy when they achieve things. So, this post will be somewhat out of character for me.

I’ve been conducting forensic investigations for around fourteen years. During that time I’ve conducted hundreds of my own investigations, written many reports, and testified in court on multiple occasions. Now, don’t take this for boasting, that is not my intent. My sole purpose here is to show you that I’m backing up my opinions with more than just a pie plate.

Many times during my career I’ve been asked to draw conclusions based on the existence of evidence. I’ve also been asked to provide my opinion as to the lack of evidence. In each of these situations I’ve always carefully considered everything available to me. If I can’t say something happened, due to the lack of evidence, I don’t say it. This has frustrated clients at times and I’m certain that I’ve lost work as a result, but I will not compromise my integrity. I will not provide opinions on something where insufficient evidence exists.

Last week there were numerous articles about how Jeff Bezos’ iPhone X was allegedly exploited by an element employed by members of the Saudi royal family. As a result of this news the rumor mill has been buzzing and there have even been calls for a UN investigation. At the beginning of the week I was intrigued. What evidence had been found on Bezos’ phone that implicated the Saudi royal family? It must have been pretty damning if the report caused such uproar, right? You can read the complete report here: https://www.documentcloud.org/documents/6668313-FTI-Report-into-Jeff-Bezos-Phone-Hack.html

If you’re going to publish a forensic report you need to make sure of two things: 1) everything in it is accurate and defensible, and 2) you are ready for everyone to offer a critique.

The report starts by saying that Bezos’ phone was flagged as having potentially been compromised due to some anomalous activity. As a result, a consulting firm, FTI, was engaged. The report continues by stating the qualifications of the chief investigator, one Anthony Ferrante.

Ferrante served as Chief of Staff of the Federal Bureau of Investigation’s (FBI) Cyber Division. More recently, he was Director for Cyber Incident Response at The White House, assigned to the National Security Council (2015 – 2017).

Project Cato, Ferrante, 2019

Quite an impressive CV, I’m sure you’ll agree. Having said that, I’ve learned that positions of authority don’t necessarily equate to practical knowledge.

Extensive forensic study of Bezos’ phone was undertaken in a well-equipped and secure lab environment, including forensic imaging of Bezos’ phone and analysis of phone behavior in a sandboxed network.

Ibid

Sounds promising so far.

The digital forensic results, combined with investigation, interviews, research, and expert intelligence information, lead FTI to assess Bezos’ phone was compromised, possibly via tools procured by Saud al Qahtani.

Ibid

This starts off promising. However, when a forensics expert uses the word, “possibly” I start to get that feeling in the pit of my stomach. Words that are ambiguous or suggest the author is uncertain have no place in a forensics report. If you can’t say something with assurance (and evidence to back it up) then don’t. This same rule should be applied for testifying in court. Don’t guess. Don’t make it up. Don’t make assumptions.

Now, having made such a statement about the involvement of a member of the Saudi royal family, surely the report would contain enough evidence to support such claims. Let’s read on…

The report goes on to state that Bezos and Saudi Crown Prince Mohamed bin Salman (MBS) exchanged WhatsApp messages in April of 2018. Then, in May 2018, Bezos received an unexpected message from MBS with a video attachment. The report states:

The downloader that delivered the 4.22MB video was encrypted, delaying or preventing further study of the code delivered along with the video. It should be noted that the WhatsApp file sent from account was larger than the video itself.

Ibid

Further:

Due to end-to-end encryption employed by WhatsApp, it is virtually impossible to decrypt the contents of the downloader to determine if it contained any malicious code in addition to the delivered video.

Ibid

What was I saying about an impressive CV not telling the whole story? Well, check out this post by Robert Graham about how to decrypt WhatsApp media files: https://blog.erratasec.com/2020/01/how-to-decrypt-whatsapp-end-to-end.html

Robert provides a means to do this. It may seem difficult, but it really is pretty straightforward. I’d highly recommend reading his article for the technical details.

Next, we read that soon after the WhatsApp message with the embedded video, Bezos’ phone started “egressing” data at an accelerated rate. This increased from around 430KB per day to around 101MB per day. This is unusual and may well coincide with the receipt of the video file, but it is circumstantial.
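To make the egress observation concrete, here is an added example of my own (not code from this post or from FTI’s report): it totals constructed per-flow records by day and flags days whose outbound volume exceeds a multiple of the earlier baseline, using the roughly 430KB/day to 101MB/day figures quoted above. The addresses, dates and byte counts are constructed sample data.

```python
"""Flag abrupt increases in a handset's daily outbound (egress) volume.

A spike like this is a lead for deeper analysis, not proof of compromise:
it is circumstantial until the traffic itself is attributed to something.
"""
from collections import defaultdict
from statistics import median

# Constructed sample export of outbound flows, one per line: "date,dst,bytes".
# Destinations use RFC 5737 documentation addresses; volumes are invented to
# mirror a ~430 KB/day baseline jumping to ~101 MB/day.
SAMPLE_FLOWS = """\
2018-04-25,192.0.2.10,210000
2018-04-25,198.51.100.5,225000
2018-04-26,192.0.2.10,200000
2018-04-26,198.51.100.5,235000
2018-04-27,192.0.2.10,215000
2018-04-27,198.51.100.5,220000
2018-04-28,192.0.2.10,205000
2018-04-28,198.51.100.5,230000
2018-05-01,192.0.2.10,210000
2018-05-01,203.0.113.7,100800000
2018-05-02,192.0.2.10,220000
2018-05-02,203.0.113.7,100900000
"""


def parse_flows(text):
    """Sum outbound bytes per ISO date; returns {date_str: total_bytes} in date order."""
    per_day = defaultdict(int)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, _dst, nbytes = line.split(",")
        per_day[day] += int(nbytes)
    return dict(sorted(per_day.items()))


def flag_egress_spikes(per_day, baseline_days=4, factor=10.0):
    """Return [(day, bytes, ratio_to_baseline)] for days after the baseline
    window whose egress exceeds factor * median of the first baseline_days."""
    days = list(per_day.items())
    if len(days) <= baseline_days:
        return []  # not enough history to establish a baseline
    baseline = median(b for _, b in days[:baseline_days])
    if baseline == 0:
        return []  # an idle device gives no usable baseline; avoid dividing by zero
    return [(d, b, b / baseline) for d, b in days[baseline_days:] if b > factor * baseline]


if __name__ == "__main__":
    for d, b, r in flag_egress_spikes(parse_flows(SAMPLE_FLOWS)):
        print(f"{d}: {b / 1e6:.1f} MB egress, about {r:.0f}x baseline")
```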

They reviewed the captured network packets from the phone and identified potential indicators of compromise (IOCs) but subsequently dismissed them. Even then, the report states:

It should be noted that the lack of identified malicious traffic does not disprove the existence of current or previous compromise on a device.

Ibid

The lack of evidence can never prove a positive, but it can sure lean heavily towards exoneration.

FTI also conducted an in-depth investigation of the artifacts related to the iPhone X’s logical file system from the redacted Cellebrite report, and audited 274,515 directories, subdirectories, and filenames. Special care was taken to identify evidence of jailbreaking tools and known iOS exploits tools. After a comprehensive review of the logical file system and a validation of all false positives, FTI assesses with medium confidence that no evidence of these types of tools were identified on Bezos’ iPhone to date. As previously stated, lack of evidence of malicious tools of this nature does not refute their existence since sophisticated malware often contains self-destruction capabilities that may activate if certain conditions or objectives are met.

Ibid

Two things here. First, they found nothing and still cling to this notion of malware. Second is the comment, “FTI assesses with medium confidence that no evidence of these types of tools were identified.” What on Earth is “medium confidence?” Does FTI have malware analysts on staff? I could ask my 7-year-old daughter whether there was malware on a phone and she could tell me there’s a chance, with 50% certainty, or “medium confidence.”

There’s more to the report, obviously, but this is the majority of the evidence for this report. The conclusion states:

Following a full forensic examination of the logical file system, network analysis, and an in-depth investigation of all available artifacts to date, FTI assesses with medium to high confidence that Bezos’ iPhone was compromised via a WhatsApp video attachment that was sent from an account utilized by Saudi Crown Prince Mohamed bin Salman (MBS). A review of external events, including apparent awareness of, and action upon, otherwise private information and events, supports these digital forensic conclusions.

Ibid

This is where I have to draw a line. You’ve examined the phone’s network activity. You’ve examined the phone. None of that analysis shows ANY evidence (at least with “medium confidence”) that any malware exists on the phone. But you’ve then, in a truly WTF moment, decided, “let’s just draw the conclusion anyway based on a video file we can’t even examine,” and put the blame on the Saudi Royal family.

I’m honestly aghast. You’ve found no evidence, provided no explanation as to how you’re able to reach those conclusions, and yet jumped in and made accusations. You’ve then decided to make the report public, as if to lend any credence to your accusations. If I had written a report such as this, I’d try to bury it, not throw it out for the public to review. This is truly shocking and shoddy work. FTI and Mr. Ferrante should be disgusted and embarrassed.

One Response

  1. Al says:

    Has there been any response to your criticism? Have others said similar things? (I happened upon your blog while researching APFS; am not a forensics guy at all but was interested in reading what you had to say about the report. Strong critique!)
