Original Post Date: November 11, 2014
Adventures in Digital Forensics
Perhaps the title of this article could be the title of the blog page overall… Nevertheless, digital forensics is an adventure in its own right. While doing some instruction at the Police Academy recently, a local Sheriff asked, quite pointedly, “How do you make money?” Well, for the sake of his question, and to elaborate a bit, we’ll dive into an example of how and why we do what we do.
As we’ve detailed in previous articles, digital forensics is as much a science as it is a very specific manner of analyzing data. The methods by which we preserve and acquire data are tried and true, and we adhere to them in the spirit of best practices. However, once the proverbial boxes have been checked, every case can take on a life of its own. Indeed, questions come across digital forensic listservs daily asking the group if they’ve ever encountered “X” problem or how to deal with a particular device or issue. It certainly illustrates the point that virtually no two cases are the same.
Now, if your area of investigation is very focused – say, child exploitation – and you are an examiner who deals almost exclusively with those cases, you will see less variance in the types of cases you work. Those cases mainly deal with images (pictures and video), but can also involve things like encryption, time stamps and user accounts, and tying all of those things together to help prove or disprove the case. One such case was undertaken by Pro Digital’s Owner, Patrick Siewert, during his time in law enforcement. In that case, the suspect stored child exploitation images not only on an external hard drive, but also within a media app on his iPad. The media was, naturally, password protected, and the suspect was not willing to give up the password… or at least not all of his passwords. However, a very intriguing work-around came about that is a great learning tool for all examiners dealing with a password block of some sort.
It became apparent through the computer forensic examination that the suspect used a program called “Roboform” on his computer and his iPad. Roboform stores user logins and passwords for websites for ease of access. For example, if you routinely go to your bank’s website and don’t want to always type your login, Roboform can store the login and password information for you and perform these functions automatically upon visiting the website. It’s a first-world solution for a first-world problem. The logins and passwords are all stored in Roboform behind a master password, so when performing a traditional “dead box” examination of the computer hard drive, all of that data is encrypted. Furthermore, the child exploitation images the suspect indicated were on the iPad were unrecoverable through forensic examination, because a full physical (complete) extraction of the data on the iPad was, and is, not possible using any of the industry-standard tools available. So in order to help prove what the suspect told us, that he copied illicit images onto his iPad (thus reproducing those images – a separate charge), we needed to come up with a work-around for the password protection on the media app.
After much discussion and advice-seeking, we decided to clone the suspect’s hard drive, insert the cloned drive into the computer that was seized and access Roboform in its native environment. Why did we clone the drive? Because we wanted to preserve the original drive in the state in which it was seized, if at all possible. When we did this, we had access to the desktop and associated programs, including Roboform, in their native format. The suspect did provide us with one password at the time of the search warrant, and we discovered several others on the iPad in the Notes app. Lo and behold, one of these passwords gave us full access to all of the login and password information stored in Roboform. Once we had this master list, we were able to try all of the passwords we found to access the media on the iPad and BOOM! One of them worked. Case solved and concluded successfully, if a little unorthodox.
This example of how digital forensic cases evolve shows how in-depth and time-consuming some of these cases can be. And while it uses an illicit image case as the illustration, the challenges and potential obstacles are no different for other types of investigations (embezzlement, fraud, etc.). It further illustrates that, as every accomplished investigator knows, there’s more than one way to skin a cat. Tenacity and critical thinking factor greatly into an effective digital forensic examination and are qualities that all competent examiners should possess. After all, when someone’s freedom and the existence of potential additional victims may be on the line, don’t we owe it to our client(s) to give it everything we’ve got (apologies for the bad grammar)? You’re damn right we do.
Author: Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally