Friday, January 2, 2015

Adventures in Digital Forensics

Original Post Date:  November 11, 2014

Perhaps the title of this article could be the title of the blog page overall.  Nevertheless, digital forensics is an adventure in its own right.  While doing some instruction at the Police Academy recently, a local Sheriff asked, quite pointedly, “How do you make money?”  Well, for the sake of his question and to elaborate a bit, we’ll dive into an example of how and why we do what we do.

As we’ve detailed in previous articles, digital forensics is as much a science as it is a very specific manner of analyzing data.  The methods by which we preserve and acquire data are tried and true, and we adhere to them in the spirit of best practices.  However, once the proverbial boxes have been checked, every case can take on a life of its own.  Indeed, questions come across digital forensic listservs daily asking the group whether anyone has encountered “X” problem or how to deal with a particular device or issue.  It certainly illustrates the point that virtually no two cases are the same.

Now, if your area of investigation is very focused, say, child exploitation, and you are an examiner who deals primarily with those cases, you will see less variance in the types of cases you work.  Those cases mainly deal with images (pictures and video), but can also involve encryption, time stamps and user accounts, and tying all of those things together to help prove or disprove the case.  One such case was undertaken by Pro Digital’s Owner, Patrick Siewert, during his time in law enforcement.  In that case, the suspect stored child exploitation images not only on an external hard drive, but also within a media app on his iPad.  The media was, naturally, password protected and the suspect was not willing to give up the password… or at least not all of his passwords.  However, a very intriguing work-around came about that is a great learning tool for any examiner facing a password block of some sort.

It became apparent through the computer forensic examination that the suspect used a program called “Roboform” on his computer and his iPad.  Roboform stores user logins and passwords for websites for ease of access.  For example, if you routinely go to your bank’s website and don’t want to type your login every time, Roboform can store the login and password information for you and fill it in automatically when you visit the site.  It’s a first-world solution for a first-world problem.  The logins and passwords stored in Roboform are all protected by a master password, so when performing a traditional “dead box” examination of the computer hard drive, all of that data is encrypted.  Furthermore, the child exploitation images the suspect indicated were on the iPad were unrecoverable through forensic examination, because a full physical (complete) extraction of the data on the iPad was, and is, not possible using any of the industry-standard tools available.  So in order to help prove what the suspect told us, that he copied illicit images onto his iPad (thus reproducing those images, a separate charge), we needed a work-around for the password protection on the media app.

After much discussion and advice-seeking, we decided to clone the suspect’s hard drive, insert the cloned drive into the computer that was seized and access Roboform in its native environment.  Why did we clone the drive?  Because we wanted to preserve the original drive in the state in which it was seized, if at all possible; booting the machine writes to whatever disk is in it, so the clone absorbs those changes and the original stays untouched.  When we did this, we had access to the desktop and associated programs, including Roboform, in their native format.  The suspect did provide us with one password at the time of the search warrant, and we discovered several others on the iPad in the Notes app.  Lo and behold, one of these passwords gave us full access to all of the login and password information stored in Roboform.  Once we had this master list, we were able to try all of the passwords we found against the media on the iPad and BOOM!  One of them worked.  Case solved and concluded successfully, if a little unorthodox.
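The password-reuse step described above, generalized as an added example (this is not code from the original post or from Pro Digital): gather every password-like string from the sources the case turned up (the warrant-provided password, lines from the Notes app, the entries in the opened Roboform vault), deduplicate them in the order found, and try each one against the locked target until one opens it.  The sample artifacts and the PBKDF2 “lock” that stands in for the media app’s own password check are constructed here for illustration; the post does not describe how that app actually verifies its password.

```python
import hashlib
import hmac
from typing import Callable, Iterable, List, Optional, Sequence, Tuple

# Constructed sample artifacts for illustration only; none of these are from the case.
WARRANT_PASSWORD = "Summer2014!"                   # the one password given up at the warrant
NOTES_APP_LINES = [                                # free-text lines recovered from the Notes app
    "pin 4471",
    "ipad: Bravo-77",
    "wifi Summer2014!",
]
ROBOFORM_ENTRIES = [                               # (site, login, password) after the vault opened
    ("bank.example", "psmith", "Bravo-77"),
    ("mail.example", "psmith", "eagle.Nest9"),
    ("forum.example", "ps1", "Summer2014!"),
]


def harvest_candidates(warrant_pw: str, notes: Iterable[str],
                       vault: Iterable[Tuple[str, str, str]]) -> List[str]:
    """Gather every password-like string, first-seen order, no duplicates.

    Note lines are often "label: value" or "label value", so each line is tried
    whole, as the text after the last colon, and as its last whitespace token.
    """
    seen = set()
    out: List[str] = []

    def add(s: str) -> None:
        s = s.strip()
        if s and s not in seen:
            seen.add(s)
            out.append(s)

    add(warrant_pw)
    for line in notes:
        add(line)
        add(line.rsplit(":", 1)[-1])
        tokens = line.split()
        if tokens:
            add(tokens[-1])
    for _site, _login, pw in vault:
        add(pw)
    return out


# A stand-in for the media app's password check (the post does not describe the
# real one): PBKDF2-HMAC-SHA256 with a fixed salt and a constant-time comparison.
_SALT = b"constructed-media-app-salt"
_ITERATIONS = 20_000


def make_lock(real_password: str) -> Callable[[str], bool]:
    """Return an unlock(attempt) function that only opens for real_password."""
    expected = hashlib.pbkdf2_hmac("sha256", real_password.encode(), _SALT, _ITERATIONS)

    def unlock(attempt: str) -> bool:
        got = hashlib.pbkdf2_hmac("sha256", attempt.encode(), _SALT, _ITERATIONS)
        return hmac.compare_digest(got, expected)

    return unlock


def try_candidates(unlock: Callable[[str], bool],
                   candidates: Sequence[str]) -> Tuple[Optional[str], int]:
    """Try each candidate in order; return (winning_password, attempts_made)."""
    for n, pw in enumerate(candidates, start=1):
        if unlock(pw):
            return pw, n
    return None, len(candidates)


def run_demo() -> Tuple[Optional[str], int]:
    """Lock the target with a password that appears only in the Roboform vault."""
    unlock = make_lock("eagle.Nest9")
    candidates = harvest_candidates(WARRANT_PASSWORD, NOTES_APP_LINES, ROBOFORM_ENTRIES)
    return try_candidates(unlock, candidates)


if __name__ == "__main__":
    winner, attempts = run_demo()
    print(f"unlocked with {winner!r} after {attempts} attempt(s)")
```

In the case as told, the trial was done by hand against the device itself; the point the code makes is that the candidate list is built from every artifact that might hold a reused password, with the sources the suspect actually handed over tried first, and that nothing is discarded until every candidate has been tried.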

This example of how digital forensic cases evolve shows how in-depth and time-consuming some of these cases can be.  And while it uses an illicit image case as the illustration, the challenges and potential obstacles are no different for other types of investigations (embezzlement, fraud, etc.).  It further illustrates that, as every accomplished investigator knows, there’s more than one way to skin a cat.  Tenacity and critical thinking factor greatly into an effective digital forensic examination and are qualities that all competent examiners should possess.  After all, when someone’s freedom and the existence of potential additional victims may be on the line, don’t we owe it to our client(s) to give it everything we’ve got (apologies for the bad grammar)?  You’re damn right we do.

Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally