By: Tristan Jenkinson
For those who have been following the Jeff Bezos hacking story, a report covering the forensic investigation of his iPhone has been made available online after it was obtained by Motherboard.
The report focuses in particular on an unexpected WhatsApp message, containing a video, sent to Bezos, apparently from the WhatsApp account of Saudi Crown Prince Mohammad bin Salman. The analysis demonstrates that after the video was received there was a significant increase in the data transferred from the phone. This included one date on which the data transferred was over 100,000,000% of the typical data transfer prior to the receipt of the video.
The report does not identify any direct evidence of the malware or code that was potentially used for the data exfiltration, though it does note that additional work remained to be done, including analysis of the root file system of the phone. That is where any direct evidence would most likely be found, though the publicly available report does not cover this aspect.
The report is dated November 2019, though the majority of the investigation described was carried out in May – July 2019. It is therefore possible that this additional work has been completed, but is not covered in this version of the report.
There are some other details and areas that the report does not cover. For example, much is made of the video being the cause of infection, with evidence of data egress levels before and after the video was received. However, there is no mention of what other activity there was around the same time, which could point to some other action or process being responsible. Alternatively, was there in fact no other activity? If so, this would have further supported the video hypothesis. That said, we have little context around the report or what other information was provided by the investigation team.
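To make the two points above concrete, the comparison of egress before and after the message, and the need to correlate any spike with other activity on the device in the same window, here is an added worked example. It is not code from the report or from the investigation team. The dates, the daily byte counts and the activity log are constructed placeholders, and the spike threshold (ten times the pre-event median) is an assumption chosen for illustration; the one day at exactly 100,000,000% of baseline is set to mirror the figure the report quotes, not taken from it.

```python
from datetime import date, timedelta
from statistics import median

# Assumed receipt date of the suspicious message (placeholder, not from the report).
EVENT_DATE = date(2018, 5, 1)


def day_offset(k: int) -> date:
    """Return the date k days after (or before, if negative) EVENT_DATE."""
    return EVENT_DATE + timedelta(days=k)


# Constructed daily egress totals in bytes, ten days before and seven days from the event.
DAILY_EGRESS = {
    day_offset(-10): 410_000, day_offset(-9): 395_000, day_offset(-8): 420_000,
    day_offset(-7): 388_000, day_offset(-6): 402_000, day_offset(-5): 415_000,
    day_offset(-4): 398_000, day_offset(-3): 405_000, day_offset(-2): 392_000,
    day_offset(-1): 411_000,
    day_offset(0): 405_000,            # day of receipt: nothing unusual yet
    day_offset(1): 12_000_000,
    day_offset(2): 9_500_000,
    day_offset(3): 403_500_000_000,    # constructed to be 1,000,000x the baseline
    day_offset(4): 8_000_000,
    day_offset(5): 15_000_000,
    day_offset(6): 400_000,            # back to normal
}

# Constructed log of other device activity that an analyst would want to correlate.
OTHER_ACTIVITY = [
    (day_offset(-2), "iOS update installed"),
    (day_offset(0), "WhatsApp media file received"),
    (day_offset(1), "iCloud backup completed"),
    (day_offset(4), "new app installed"),
]


def pre_event_baseline(egress: dict, event_date: date) -> float:
    """Median daily egress over all days strictly before the event."""
    values = [sent for d, sent in egress.items() if d < event_date]
    if not values:
        raise ValueError("no pre-event days to build a baseline from")
    return median(values)


def flag_egress_spikes(egress: dict, event_date: date, factor: float = 10.0) -> list:
    """Return (date, bytes, percent_of_baseline) for post-event days at or above
    factor times the pre-event baseline, in date order."""
    base = pre_event_baseline(egress, event_date)
    flagged = []
    for d in sorted(egress):
        if d < event_date:
            continue
        sent = egress[d]
        if sent >= factor * base:
            flagged.append((d, sent, sent / base * 100.0))
    return flagged


def activity_near(activity: list, day: date, window_days: int = 1) -> list:
    """Other logged activity within +/- window_days of the given day, in log order."""
    lo, hi = day - timedelta(days=window_days), day + timedelta(days=window_days)
    return [(d, what) for d, what in activity if lo <= d <= hi]


def spike_report(egress: dict, activity: list, event_date: date) -> list:
    """For each flagged spike, pair it with the nearby activity so an analyst can see
    whether anything other than the suspect message could explain it."""
    return [
        {"date": d.isoformat(), "bytes": sent, "percent_of_baseline": pct,
         "nearby_activity": [(a.isoformat(), what) for a, what in activity_near(activity, d)]}
        for d, sent, pct in flag_egress_spikes(egress, event_date)
    ]


if __name__ == "__main__":
    print(f"baseline: {pre_event_baseline(DAILY_EGRESS, EVENT_DATE):,.0f} bytes/day")
    for row in spike_report(DAILY_EGRESS, OTHER_ACTIVITY, EVENT_DATE):
        print(row)
```

The baseline is a median rather than a mean so that a single busy day before the event does not hide later spikes. The report output shows the part this commentary says is missing from the published document: for each spike, what else the device was doing in the surrounding day, which is what separates "the video caused this" from "something else happened at the same time".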
Overall, an interesting insight into what may have happened, but sadly the content that has been made publicly available does not cover the investigation of the areas where sophisticated, state-sponsored malware would be expected to be found – which would have been of most interest to many investigators.