Tuesday, March 14, 2017

Digital Forensic Discussion: So You Fired An Associate




Every company at every level has had to perform the unenviable task of forcefully off-boarding an associate or employee.  Usually, this is initiated by management and executed by Human Resources.  Somewhere in this process, the associate is informed of the decision, sometimes placed on suspension pending adjudication and often terminated when the final decision is made.  It is at that point when company property, such as computers and cell phones, is often collected from the newly-former employee and generally recycled to be used by a successor or other company representative. 

Terminations can be executed for a variety of reasons.  Violations of non-compete clauses, intellectual property theft, gross violation of company policy or breach of contract are just a few reasons why a company may decide they no longer need the services of an associate.  However, several crucial elements should enter into this timeline of events, particularly surrounding the collection, preservation and use of company electronic devices.

Timing is Crucial

When an internal investigation is conducted, corporate and/or H.R. representatives often don’t have the luxury of acquiring the company’s assigned digital devices as part of the investigation prior to suspension or termination.   This makes the timing of collection of these items crucial.  If you wait too long, valuable information could be destroyed.  If you collect too soon, the subject of the inquiry could be tipped off about what is going on and that could jeopardize the integrity of the investigation.  So when should you acquire the company’s digital assets for analysis?  We suggest doing it at the time the target of the investigation is made aware that they are being investigated, which is generally at the time of initial suspension.  Unless union or other policy dictates targets be made aware of the investigation as soon as it is initiated, there is no better time than notification to the target that you have compiled enough information to act upon to seize the digital devices.  



After the devices have been collected, they should be locked away in a safe place with limited access until a digital forensic expert -- not information technology staff -- can be called, consulted and respond as appropriate.  Cell phones should be placed in airplane mode and disconnected from all networks immediately.  The question has been asked: why not use IT staff?  They know all about the computers, right?  Suppose the person whom you have been investigating and are potentially going to terminate works in the IT department.  You would then be putting their friends and/or co-workers in the difficult position of taking part in an investigation against their soon-to-be-former co-worker.  Beyond that, most IT staff do not have the requisite training and experience in forensic data acquisition and analysis.  It is analogous to consulting a general practice urgent care doctor to treat your cancer.  A specialist is always recommended for best results.

What Does the Forensicator Need to Know?

Digital forensic investigation and analysis is not unlike standard types of investigation in that we need to know the facts.  Helpful information such as:

  • Who is the target of the investigation, and were they the only ones with access to the device(s)?
  • What devices are relevant, and what data might we be looking for?
  • Where have the devices been in use before they were repossessed, and where have they been since?
  • When is the time frame of any suspected/alleged malfeasance?
  • How did they access the data on the devices?  Passcodes to mobile devices and passwords for any encrypted hard drives and/or mobile devices are very important.
  • Why do you think evidence exists to support the allegation?



Whenever possible, human resources, management and IT staff should refrain from “fishing” through devices to find evidence to support the investigation.  It’s understandable that investigations like this can sometimes be salacious and everyone is curious to find out what was going on, but this violates the integrity of the evidence and opens the door to claims of unfair treatment in its various forms as the case progresses.

Information is important for a few different reasons.  First, detailed information helps us develop a strategy for the analysis that will best serve finding the truth in the case.  Second, it helps us whittle down the facts of the case and only spend time looking for what is relevant.  Finally, providing your digital forensic consultant detailed information will save the company money and time in the long run.

Why is All of This Necessary?

Why do you need to keep appropriate timing and collection of company devices always in mind?  Why do you need to call an outside forensic consultant to conduct the analysis and forensic investigation?  Because in our litigious society, when someone is terminated from a company – be it a large, medium or small company – it is the corporation’s responsibility to prepare for the worst and hope for the best.  By that we mean: always approach the case as if it will go to litigation.  Litigation will require discovery, production of documentation, depositions and yes, forensic data analysis in a legally defensible manner.  You cannot assume the terminated associate will simply find a new job and go away.  Even if they find a new job, there is no guarantee they won’t file suit.  Always remember, anyone can sue anyone else for anything.  It’s the American way.  So as remaining corporate representatives, it is your responsibility to prepare for the eventuality that you’ll have to defend the company’s position.  The data on the corporate digital devices doesn’t lie, so what better position to be in as a company than to have the digital forensic ace-in-the-hole when and if the case comes to litigation?


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Twitter: @ProDigital4n6

Friday, January 13, 2017

Mobile Forensics Monkey Wrench: iOS 10.2 and Encryption





It’s no secret to those involved in the study and practice of mobile forensics that Apple likes to throw us curve balls with almost every new iteration of the iOS operating system.  It turns out iOS 10.2 (released December 12, 2016) is no different.  A conversation began recently on the IACIS listserv and got me thinking about trying to problem-solve and figure out a work-around, so I spent the past day or so trying to do just that.  (For those interested, I also wrote an article about the problem-solving aspect of digital forensics and you can read it here.)

The background is as follows:  When an i-Device user running iOS 10.2 connects the device to a computer, they are automatically prompted by iTunes for an encryption password:



When the option to encrypt is selected, a prompt is displayed for an encryption password, which may be entirely different from the device passcode or the iTunes account password:



This default encryption prompt becomes an issue for examiners because users often don’t remember these passwords: in the age of cloud-driven storage and wireless *everything*, users don’t routinely connect their devices to a computer and therefore don’t remember the encryption password.  This was the issue raised by another examiner on the listserv, and it prompted many replies and potential work-arounds, because when examiners attempt to analyze the extractions from these devices, they’re encrypted.  Pretty much game over.
(For additional background on this issue as it was introduced in iOS 10.0.1, please refer to Heather Mahalik’s blog on the topic located here.)

Before iOS 10, I ran across this problem a few times with iOS devices.  My work-around then was to simply connect the device to a foreign computer (i.e., one that it had not been connected to previously) and de-select the encryption option and create another unencrypted backup, then pull the new backup into any number of commercial tools for analysis.  This doesn’t work any longer because when the device is connected to a foreign computer and encryption is de-selected, iTunes prompts for the encryption password for verification.  Darn the luck!

Methodology

For this testing, I used an iPhone 6, which we have on-hand for testing purposes.  The phone has a handful of iMessages, pictures, videos, Kik messages and some other data on it.  I updated the phone to iOS 10.2 and encrypted the backup on the Mac side of my forensic machine.  I then switched to the Windows side and attempted to create another backup by de-selecting the “Encrypt iPhone Backup” option, which is when I quickly learned that in all updated versions of iOS and iTunes, the encryption password is needed to complete this action:



Being that I know the encryption password, I entered it and created a new backup via iTunes on my local machine.  To be sure, unless you want to use a tool such as Elcomsoft to brute-force the password or attempt a dictionary attack based upon investigation and/or social engineering, you’ll need the encryption password to make this work.  But even having the password doesn’t get us too far with Cellebrite under the current version.

How Does UFED Handle This?

Cellebrite Universal Forensic Extraction Device (UFED) Physical Analyzer (PA) has heretofore been one of the best commercial tools for acquiring and analyzing iOS devices.  Indeed, you can use UFED PA to attempt a brute-force dictionary attack on these extractions if you have decent intelligence through additional investigation or social engineering by pointing UFED PA at a text file containing case-specific dictionary words:




In conducting this test and comparison, I used the latest version (as of this publication) of UFED PA, 5.4.7.5, which was released just 24 hours prior.  As you can see from the below image, even when the proper password is entered after an advanced logical extraction directly from the device, UFED PA still doesn’t parse the “analyzed data” into chats, web history, etc. like it used to with older versions of iOS:



That’s it.  That’s pretty much all we get.  When the “Backup” folder is expanded, we are presented with this:


The red arrow is used to illustrate that the listing of files keeps going.  Further inspection of these files indicates it would be a very lengthy, tedious process to try to locate your sms.db, let alone DBs from many third-party apps, which can be crucial in many cases.

My next step was to create an unencrypted backup through iTunes to see if that could be pulled into UFED PA and parsed a bit nicer.  It wasn’t.  We are presented with a file structure identical to that which is created by iTunes, with one folder with a long alphanumeric name and dozens of sub-folders, each with a shorter alphanumeric designation.  The only data that was automatically parsed in the backup was images, videos and device locations.  Again, combing through all of this for your crucial evidence and databases can be a time-waster, so what else can we do?  Try to use another tool!

How About IEF?

So now we have an advanced logical image in UFED PA (that is all but useless) and a backup through iTunes that is only slightly better when viewed through UFED PA.  Now, I profess that push-button tools are the end of true forensics.  Anyone who reads this blog knows that I firmly believe that you have to know and articulate where the data is located and how it got there.  But sometimes, certain tools can help point us in the right direction.  Enter Magnet Forensics’ Internet Evidence Finder (IEF, v. 6.8.4.3639).  IEF is widely accepted as one of the best and easiest tools on the market to use.  I love it for helping me out, for getting me a leg up on where I need to look, perhaps even with another tool.  So I decided to try and pull the iTunes backup into IEF, just to see what would happen. 

First, I selected the Mobile and iOS options in IEF:



Then, I selected “File Dump” to point IEF where I wanted it to look.   



The next decision is probably the most crucial to the process.  I selected the Windows file browser, then navigated to the (now exported) iTunes backup folder - the one with the very long alphanumeric name.  But then I drilled down to the sub-folders and files immediately under the parent file and selected all of them, including all of the .plist and .db files:



Next, I had to tell IEF what I wanted it to look for.  The data set isn’t large and I’d rather have too much data to sift through than not enough, so I just chose everything and selected “next”:



It’s important to note here that I conducted a subsequent test selecting “iOS Backups” ONLY and did not receive a favorable outcome.  Also, if the backup or device is encrypted, IEF will prompt for a password.
The processing took about 15 minutes.  Once it was finished, the data was parsed out as you would have expected pre-iOS 10.2:



I have highlighted the file path of the location of the sms.db in the above image because now, IEF has told us where to look in UFED PA or other tools.  Consequently, we can now switch back to UFED to examine and export the .DB files as necessary.  The below image shows what we find in UFED PA when we follow the file path indicated through IEF in the iTunes backup of the iPhone:



So to wrap it up: get your encryption password, create a backup using iTunes on a foreign machine and bring the backup into IEF to point you in the right direction.  From there, you can expand to UFED PA or another tool of your choosing, if necessary.

Take-Aways

There are several important things to take-away from this experiment.  First, it has become vital in mobile forensics to have more than one tool at your disposal.  Having access to two or more tools can actually save you time and effort.  Imagine how tedious it would have been to sift through all of those folders (none of which contained a .db file extension by the way) to find the text messages or other pertinent data. 

Second, the problem-solving aspect of “boots on the ground” forensics, especially mobile forensics, cannot be ignored.  To make problem-solving a little easier, start to ask about encryption FIRST and save yourself some grief down the road. It’s also becoming apparent that we simply cannot rely on the pretty push-button features of many tools in the coming years, especially with regard to Apple and their iOS… and it’s only going to get more prevalent.
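The two pain points above, the backup folder full of alphanumeric names with no .db extension in sight and the need to ask about encryption before anything else, both come down to two files that sit at the top of an iOS 10+ iTunes backup: Manifest.plist (which carries an IsEncrypted flag) and Manifest.db (a SQLite table mapping each file's domain and relative path to the hashed name it is stored under). The script below is an added example, not code from the original post or from Cellebrite or Magnet; it assumes the iOS 10+ backup layout (file ID = SHA-1 of "domain-relativePath", stored in a subfolder named after the ID's first two hex characters) and builds its own constructed sample backup so it runs offline. The Kik database path is an assumption for the demo; the sms.db and AddressBook paths are the standard HomeDomain locations.

```python
"""Check the encryption flag and locate key databases in an iOS 10+ iTunes backup.

Assumptions (not from the original post): Manifest.plist has an IsEncrypted key,
Manifest.db has a Files table (fileID, domain, relativePath, flags, file), and each
file lives at <backup>/<fileID[:2]>/<fileID>. The sample backup is constructed here.
"""
import hashlib
import os
import plistlib
import sqlite3
import tempfile

# (domain, relativePath) pairs an examiner usually wants first.
# The Kik entry is an assumed path used only for this demo.
TARGETS = {
    "sms.db": ("HomeDomain", "Library/SMS/sms.db"),
    "AddressBook.sqlitedb": ("HomeDomain", "Library/AddressBook/AddressBook.sqlitedb"),
    "kik.sqlite": ("AppDomain-com.kik.chat", "Documents/kik.sqlite"),
}


def file_id(domain, relative_path):
    """Backups name each file SHA-1(domain + '-' + relativePath); that is why the folders look random."""
    return hashlib.sha1(f"{domain}-{relative_path}".encode("utf-8")).hexdigest()


def is_encrypted(backup_dir):
    """Read IsEncrypted from Manifest.plist so the password question is asked before parsing starts."""
    with open(os.path.join(backup_dir, "Manifest.plist"), "rb") as fh:
        manifest = plistlib.load(fh)
    return bool(manifest.get("IsEncrypted", False))


def locate(backup_dir, domain, relative_path):
    """Resolve (domain, relativePath) through Manifest.db to the on-disk file; None if absent."""
    con = sqlite3.connect(os.path.join(backup_dir, "Manifest.db"))
    try:
        row = con.execute(
            "SELECT fileID FROM Files WHERE domain = ? AND relativePath = ?",
            (domain, relative_path),
        ).fetchone()
    finally:
        con.close()
    if row is None:
        return None
    fid = row[0]
    path = os.path.join(backup_dir, fid[:2], fid)  # two-hex-character subfolder, then the full ID
    return path if os.path.isfile(path) else None


def find_targets(backup_dir):
    """Map every entry in TARGETS to its on-disk path (or None) for a given backup."""
    return {name: locate(backup_dir, dom, rel) for name, (dom, rel) in TARGETS.items()}


def build_sample_backup(root, encrypted=False):
    """Constructed sample backup (not a real device image) using the iOS 10+ layout."""
    os.makedirs(root, exist_ok=True)
    with open(os.path.join(root, "Manifest.plist"), "wb") as fh:
        plistlib.dump({"IsEncrypted": encrypted, "Version": "10.0"}, fh)
    con = sqlite3.connect(os.path.join(root, "Manifest.db"))
    con.execute(
        "CREATE TABLE Files (fileID TEXT PRIMARY KEY, domain TEXT, "
        "relativePath TEXT, flags INTEGER, file BLOB)"
    )
    for dom, rel in TARGETS.values():
        fid = file_id(dom, rel)
        con.execute("INSERT INTO Files VALUES (?, ?, ?, 1, NULL)", (fid, dom, rel))
        os.makedirs(os.path.join(root, fid[:2]), exist_ok=True)
        with open(os.path.join(root, fid[:2], fid), "wb") as fh:
            fh.write(b"SQLite format 3\x00")  # placeholder header only; no real records
    con.commit()
    con.close()
    return root


def run_demo():
    """Build a plain and an encrypted constructed backup and return what each tells the examiner."""
    base = tempfile.mkdtemp(prefix="ios_backup_demo_")
    plain = build_sample_backup(os.path.join(base, "plain"))
    enc = build_sample_backup(os.path.join(base, "enc"), encrypted=True)
    return {
        "plain_encrypted": is_encrypted(plain),
        "enc_encrypted": is_encrypted(enc),
        "sms_path": locate(plain, *TARGETS["sms.db"]),
        "missing": locate(plain, "HomeDomain", "Library/Nope/none.db"),
        "targets": find_targets(plain),
    }


if __name__ == "__main__":
    result = run_demo()
    print("plain backup encrypted:", result["plain_encrypted"])
    print("encrypted backup flagged:", result["enc_encrypted"])
    for name, path in result["targets"].items():
        print(f"{name}: {path}")
```

On a real backup you would point `is_encrypted` and `find_targets` at the folder with the long alphanumeric name (the device's UDID). If the flag is true, Manifest.db itself is encrypted and the lookup will fail until the backup password is supplied to a tool that can decrypt it, which is exactly why the encryption question belongs at the start of the intake, not after the extraction is sitting on the bench.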

Finally, things are always changing.  Never forget that.  When I was conducting this testing and writing this article, I did so knowing full well that Cellebrite may push out a solution in the next week or two.  But until those updates happen, we all need to collaborate to find solutions to these issues, because just like no one tool can do it all, no single examiner can always do it all.

UPDATE: February 13, 2017

After this article was originally published, I was contacted by Ron Serber at Cellebrite.  We discussed the issues presented by UFED and its parsing of the data in this test case, and I happily sent him a copy of the UFED file and all extraction data.  He indicated at that time that UFED PA v. 6.0 would likely solve the issue(s).

UFED for PC and Physical Analyzer v. 6.0 was released on February 7th, 2017.  Shown below is the original, unencrypted extraction that was performed in UFED, nicely parsed out in v. 6.0.


While we all know that we still need to dive into the SQLite DBs and all the other relevant files in any given case, this update to UFED for PC and UFED PA has made the job a little bit easier.  Thanks to the great folks at Cellebrite for always working hard to solve problems that practitioners may encounter in the field!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
