County officials changed the Apple ID password in the crucial days after the attack, senior Apple executives said today on a call with reporters. Had the Apple ID not changed, executives said, the data on the phone could potentially have been retrieved through the iPhone's auto-backup feature, which would have transmitted the data to the county-controlled iCloud system. Still, it's unclear whether such a tactic would have worked if the password had not been reset. Farook's phone had not backed up to iCloud since October, although it's unclear what caused the backups to discontinue.
The county later defended itself via a tweet, claiming that the iCloud password was reset under guidance of the FBI. Officials appeared to contradict the sequence of events put forward by a Department of Justice filing which implied that auto-backups were unavailable because the county "reset the password remotely ... in an attempt to gain access to some information."
The County was working cooperatively with the FBI when it reset the iCloud password at the FBI's request.— CountyWire (@CountyWire) February 20, 2016
Apple executives also said they provided FBI investigators with four separate options for retrieving data from the account. Ultimately, the investigators were not successful with those options, and opted to to compel Apple to construct a more exhaustive retrieval system in the court order made public on Tuesday. Notably, this matches up with the Department of Justice's description of events in a filing earlier today:
Farook's phone had been making backups to iCloud through October, logging data that has already been provided to investigators. Backups can cease for a number of reasons, but it seems unlikely that the phone went two months without being plugged in within range of a trusted Wi-Fi connection. If the backups stopped because the account had reached its iCloud storage limit, then Apple could theoretically restore backups by raising the limits. It's also possible the halted backups are the result of a recently reported iOS backup bug, which could potentially be fixed through a direct, signed update. Neither process would require unlocking the phone.
Investigators have implied in a number of legal documents that Farook disabled the backup intentionally, but no concrete evidence has been provided to that effect. By the same token, Apple declined to say whether Farook's account had hit its storage limit or if the company had any information to that effect. For now, it's still a mystery why Farook's backups cut off two months before the attack.
Update February 20th, 4:17PM ET: Added Tweet from San Bernardino county claiming that iCloud password was reset on FBI's request.