Feedback
Tech
San Bernardino Shooting

San Bernardino Shooter's iCloud Backup Likely Disabled, DOJ Says

In new court documents, FBI details the days after it seized the iPhone used by San Bernardino shooter Syed Farook now at the center of a contentious court battle — including the decision to change the password on an iCloud account associated with the device.

Apple has argued that if the password had not been changed, it is possible that the current case unfolding in California might have been avoided. Farook's device last updated to the iCloud about six weeks before the attacks.

But in a reply filed on Thursday, lawyers for the government defended the FBI's decision and said an iCloud backup would not have yielded more information.

"The evidence on Farook's iCloud account suggests that he had already changed his iCloud password himself on October 22, 2015 — shortly after the last backup — and that the auto-backup feature was disabled," lawyers for the government wrote.

FBI: We Want Apple to Remove Guard Dog, Not Open Back Door 1:22

"A forced backup of Farook's iPhone was never going to be successful, and the decision to obtain whatever iCloud evidence was immediately available via the password change was the reasoned decision of experienced FBI agents investigating a deadly terrorist conspiracy."

Related: DOJ Calls Apple Arguments 'Corrosive' in San Bernardino iPhone Case

The FBI supervisory special agent involved in that decision said in a supplemental declaration that he spoke with the San Bernardino County Department of Public Health — which owns the phone — as well as an attorney for Apple, who said that existing iCloud data had already been saved at the request of the FBI. It is unclear from the document whether or not the FBI specifically asked Apple about changing the iCloud password.

The FBI special agent says in the documents that the "iForgot" password change function was used on Oct. 22. The FBI also discovered through reverse-engineering earlier iCloud back-ups onto copy iPhones that the back-up functions for "Mail," "Photos" and "Notes" had all been turned off.

The FBI agent goes on to say that, no matter what, data could be taken from the physical device that cannot be accessed through an iCloud backup.

The agent directed the health department's IT team to change the iCloud password on Dec. 6.

FBI Director James Comey said at a congressional hearing on March 1 that an action had been taken at the FBI's request, and that it was a "mistake" that prevented any further backups to the iCloud.

An attorney for Apple expressed surprise on a conference call with reporters on Thursday, saying that the government's apparent new stance regarding the iCloud password change was unexpected after Comey's comments.

Related: Apple Plans Event for March 21, Day Before Facing FBI in Court

Apple said in its motion to vacate the court order that the FBI did not consult with the company about the decision to change the iCloud password, and that a backup might still have been possible.

"Unfortunately, the FBI, without consulting Apple or reviewing its public guidance regarding iOS, changed the iCloud password associated with one of the attackers' accounts," Apple said in its motion to vacate, "foreclosing the possibility of the phone initiating an automatic iCloud back-up of its data to a known Wi-Fi network."

The agent says in his supplemental declaration filed Thursday that the FBI spoke with Apple before the government filed asking the court to compel the company's help.

Apple suggested alternative ways to get information from the device, but investigators said none would produce "the full set of data" on the phone. At that point, Apple stopped discussing whether it could help provide what the government wanted.