Police are accusing a 24-year-old woman, arrested in connection with a drive-by shooting, of remote-wiping her iPhone and thereby destroying evidence – a felony offense.
Her defense: I don’t even know how to do that!
Daniel Smalls, the lawyer for the accused – 24-year-old Juelle L. Grant, of Schenectady, New York – on Monday told the local news outlet The Daily Gazette that his client wasn’t involved in the shooting, in which no one was injured; that she “didn’t access anything to remotely delete anything”; and that she “wouldn’t have any knowledge how to do that.”
His client is not a computer-savvy person, Smalls said. In fact, his staff is puzzling out this “remote wipe” thing now, he said:
We’re doing research on it ourselves.
Last week, police said that they believe that Grant may have been the driver of a vehicle involved in a drive-by shooting last month, so they seized her iPhone X as evidence at the time.
But then, according to court documents, Grant allegedly remote-wiped the device, in spite of knowing full well that the police intended to inspect it for possible evidence:
The defendant was aware of the intentions of the police department at the conclusion of the interview with her.
Police arrested Grant on 2 November and charged her with three felonies: two counts of tampering with physical evidence and one count of hindering prosecution. According to The Daily Gazette, one of the tampering charges has to do with the remotely wiped phone, while the other tampering charge and the hindering charge are concerned with her alleged actions on the day of the shooting.
She’s accused of driving the shooting suspect from the scene and concealing the shooter’s identity. By allegedly driving the suspect away, police say that she also helped remove another piece of evidence: the gun.
The case raises a few questions, firstly: Why didn’t Schenectady police store Grant’s phone in a Faraday bag? It would have blocked remote access to the device and thus made the remote wiping impossible. Anybody can buy one online.
The Daily Gazette asked, and the answer amounted to head scratching. City police spokesman Sgt. Matthew Dearing told the newspaper that he didn’t know if detectives had such technology, but he’d check. As of late Thursday, he hadn’t heard back.
Also, Grant’s lawyer said that Grant got a new phone within the days following her iPhone having been seized… could that have affected the data on her old phone?
Easy wipey presto gone-zo
Ms. Grant’s professed ignorance of how to remote-wipe her iPhone notwithstanding, it is, in fact, easy as pie. There are plenty of useful Android apps (like this one, from Sophos) that you can use to remote wipe, or you can simply use Apple’s own Find My iPhone service to erase a device.
Doing it on purpose is one thing. But what if your device is set to erase after X number of hours if you haven’t unlocked it? That’s what one Redditor pondered:
Say you set up a dead man switch on your phone. And you have to enter a code say every 24 hours or it wipes your stuff.
If you are arrested and your phone confiscated and you can’t put in your code while it’s in evidence, would that count as destroying evidence?
That’s a great question. Unfortunately, as far as I can tell, it’s a hypothetical one, given that there doesn’t seem to be any such app that will automatically wipe a phone if it hasn’t been touched in X number of hours.
Not that nobody’s ever thought to ask, mind you. This guy did, a year ago. The only thing his Reddit respondents could come up with were suggestions that were variations on the ability to consciously, purposefully remote-wipe, as opposed to set-it-and-forget-it.
Of course, set-it-forget-it would theoretically give a defendant such as Ms. Grant an excuse to avoid that felony charge of willful tampering with evidence …as in, “Oh, dear, did I forget to inform you that I have a dead-man switch on my phone? Silly me. Of course I never would have let my phone remotely, automatically purge itself of any potential evidence on purpose.”
But are there ways that somebody else could have wiped her iPhone?
Yes, if somebody else had her iCloud account credentials and managed to log in from the same IP address. Likely? Well, that’s another question entirely. It’s up to her lawyer and prosecutors to hash out the question of just how likely it is that Ms. Grant had her iCloud account hacked just in time for potential evidence to go up in smoke.
John
Is it too cynical to suspect that the police wiped the device themselves, by attempting to open it?
Lisa Vaas
Unsuccessful attempts would just lock it though, not wipe it. It’s not too cynical to wonder if the police are confused about the difference and that they could have locked it themselves, as happened with the San Bernardino iPhone.
Lisa Vaas
… and given the fact that they don’t have a Faraday cage in which to store seized electronic devices, which also leads me to think that the police in this case might not be all that computer-savvy themselves … I actually got curious about how common it is for police to have some type of Faraday bag or storage area for this purpose, but all I came up with were advertisements trying to convince police that they need one, which made me surmise that it’s certainly not a requirement for all law enforcement.
MIke
This is NOT so! You most definitely can set your iPhone to Erase ALL DATA on the iPhone after 10 failed passcode attempts.
Manually in Settings > Face ID & Passcode > Erase Data or by using Apple’s profile manager and configuration profiles.
Lisa Vaas
Sorry, I stand corrected!
Anonymous
I’m just surprised everyone liked this and has no idea how data storage works. Deleting files only tells to the computer to forget about them. A forensic investigation will retrieve them. The only way to truly delete them is rewriting over the empty file space several times.
Paul Ducklin
That’s not true for a device like your iPhone. When you trigger the “wipe data” function (e.g. by putting in the wrong code 10 times), the phone overwrites the master decryption key that’s needed to unscramble all the other data on the device. So, even if you do manage to get into the phone later, or to read out any of the original, non-overwritten data from the flash storage…
…you can’t make sense of it. That’s why a “wipe” can be achieved both reliably and quickly, because the raw data doesn’t need overwriting even once, let alone several times. Only the key needs to be destroyed.
(The thing about multiple overwrites is a bit of a myth, too. In modern flash storage devices, one overwrite is almost certainly enough… though the device itself might not write the new data over the same actual sectors of the device, so that overwriting an entire volume is both easier and harder than it was in the early days oif hard disks.)
Kyle Reis
That’s not completely true. The erase data setting could have been turned on which erases the data after 10 failed login attempts.
Anonymous
Six unsuccessful attempts will disable the device until it is attached to iTunes. After this, you are required to restore a backup or factory reset the device.
JamJulLison
I thought too many unsuccessful attempts would erase it on an iphone. Has to do with it’s encryption. The FBI made a big stink over it and got mad when Apple refused to help by creating a way to circumvent it.
J
My iPhone (older 10.3.3, don’t know about latest version) has a setting that says “Erase all data on this iPhone after 10 failed passcode attempts”. So if that was enabled on her phone, the police might be the culprit…
roleary
My guess would be that an accomplice did it. Or otherwise some acquaintance who expected her phone to contain evidence of what they were up to as well.
Probably didn’t even need to hack it if they’re shoulder-surfed her before.
Lisa Vaas
I think yours is a reasonable guess. Particularly given how many people share their passwords with their intimates.
Jim Gersetich
Apple should be able to tell who wiped it and from where the device was wiped. And, they don’t need access to the phone to do it. So, the police and/or prosecutor should get a search warrant for Apple’s logs.
David C.
Well, Apple should have a log of which iCloud account initiated the wipe and what IP address it came from. That’s not quite the same as being able to determine the person who used that account at that IP address. Especially if it’s from a home or office LAN where many people share the same externally-visible address.
Jim Gersetich
Good points. Apple should know the account (which might have been hacked, or so the defendant can claim), which isn’t a person. They also should know the IP address (which can be localized).
Together, such data could narrow the focus of their search for the culprit. (Which just might be police, as some have pointed out, or an accomplice, etc.)
Mahhn
Our company assigned iphones will wipe after 10 sequential failed login attempts. (verified with admin before typing)
Until there is evidence of a command sent to it, I’d expect it was an eager officer that doesn’t want to admin his mistake OR the sales person that provided the new phone – if she told them it was stolen…..
Mark
From my experience Faraday bags etc. aren’t widely used because they aren’t very effective, and they can cause the phone to go flat really quickly (because it’s freaking out trying to find signal). Best practice is to remove the phone’s SIM (if present) and place phone into airplane mode. If phone is locked, then generally the phone would be powered down to protect the data.
Joe
Perhaps when she got her new phone, and a store employee set it up, using her cloud account to restore her data, they wiped the old one. Maybe they asked her, and maybe they just assumed that because she (perhaps) told them it had been lost.
Max
Looks like incompetence on the side of the police to me.
BT
If that is the case could they just dispute chain of custody? There shouldn’t be a way for anybody to remotely “tamper” with evidence in the first place…
Jose
How about if the person wipe the iPhone using a VPN connection. Can the police still find out the original IP address?