Original Post Date: October 30, 2014
You Get What You Pay For
Recently at Pro Digital Consulting, we’ve been fortunate enough to work several cases where the content, timing and veracity of text messages (or iMessages) have been the focal point of the case. Invariably, clients will ask about cut-rate, commercially available tools that may meet their needs. One of these tools was used in two recent cases and caused us to take a step back and look at what our digital forensic tools and expertise offer over and above what the $20.00, one-time, push-button programs offer… and you may be surprised what we learned!
In the spirit of self-preservation and in hopes of stopping the spread of cheap, cut-rate data extraction tools, we will not mention the specific tool by name in this article.
However, we will say that the tool in question is marketed toward iPhone users and extracting text messages, as was necessary in the cases we worked. In case #1, the tool was used by the opposing party to extract text messages from their own phone to help bolster their case. This presents several problems. First, many of the best practices and methodologies put into place in digital forensics cannot have been adhered to. Second, and most importantly, it was very obvious to our team that the data presented by the cheaper tool was manipulated. Date and time stamps were out of chronology, posing a serious validation issue for this particular set of data. Third, it is very easy to manipulate the data on one’s own device just before performing an extraction.

How do our tools do it better? Well, it’s not just our tools, but the examiner who may be performing the extraction. You see, the key in any examination is not just to get the data. Yes, the data is important and will ultimately help prove or disprove your theory of the case, but the methods by which we obtain the data are also very important. As I’ve stated repeatedly in previous articles, the integrity of the data is very much at issue as well. Can the data be validated? Can it be manipulated? In what state was it obtained, and what was the training and experience of the examiner who performed the extraction? All of these factors come into play when we deal with presentation of data in a formal legal proceeding, and that’s even before we get to the content of the data.

Our tools have not only been validated and authenticated, but their workflows and setup are such that 1) the data extraction has to take place in a specified manner in conjunction with best practices and 2) the data itself cannot be manipulated; it can only be extracted, analyzed and reported. This means that, even if I wanted to, I couldn’t change the date and time stamps on a string of messages to suit my client’s needs. That’s an extremely important distinction between our validated tools and other, cut-rate tools. A final note about this particular case is that our tools were also able to recover deleted messages, which helped a great deal. Other, less sophisticated tools do not.
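The chronology problem described above is something an examiner can test for directly. As an added example (not part of the original post and not code from any tool named in it), the check below assumes a simplified two-column version of the iPhone message table, with a ROWID assigned in insertion order and a date column holding the message time stamp, and runs over constructed sample rows, one of which is deliberately out of order:

```python
"""Chronology check over a message store, plus a digest for cross-validation.

Assumption: a simplified 'message' table with ROWID (insertion order) and
date (message time stamp). A store fills ROWID monotonically as messages
arrive, so time stamps read back in ROWID order should not run backwards.
"""
import hashlib
import sqlite3
from typing import List, Tuple

# Constructed sample rows (ROWID, date as Unix seconds, text).
# Row 3 carries a time stamp earlier than row 2: an out-of-order record.
SAMPLE_ROWS = [
    (1, 1414630800, "Running late, see you at 2"),
    (2, 1414631100, "No problem"),
    (3, 1414627500, "Actually make it 3"),  # earlier than row 2
    (4, 1414631400, "OK"),
]

def load_sample_db() -> sqlite3.Connection:
    """Build an in-memory table shaped like the simplified schema above."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE message (ROWID INTEGER PRIMARY KEY, date INTEGER, text TEXT)"
    )
    conn.executemany("INSERT INTO message VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def find_chronology_breaks(conn: sqlite3.Connection) -> List[Tuple[int, int, int]]:
    """Return (ROWID, date, previous_date) for every row whose time stamp is
    earlier than the preceding row's when walked in insertion order."""
    breaks, prev_date = [], None
    for rowid, date in conn.execute("SELECT ROWID, date FROM message ORDER BY ROWID"):
        if prev_date is not None and date < prev_date:
            breaks.append((rowid, date, prev_date))
        prev_date = date
    return breaks

def export_digest(conn: sqlite3.Connection) -> str:
    """SHA-256 over all rows in ROWID order, so two independent readings of
    the same store (e.g. by two different tools) can be compared."""
    h = hashlib.sha256()
    for row in conn.execute("SELECT ROWID, date, text FROM message ORDER BY ROWID"):
        h.update(repr(row).encode("utf-8"))
    return h.hexdigest()

if __name__ == "__main__":
    db = load_sample_db()
    for rowid, date, prev in find_chronology_breaks(db):
        print(f"ROWID {rowid}: date {date} precedes previous row's date {prev}")
    print("export digest:", export_digest(db))
```

A flagged row is a prompt for closer review of how the store was obtained, not proof of tampering on its own; matching digests from two independent extractions are what let the data be reported as validated.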
For case #2, the client previously used the same cut-rate program to perform his own data extraction for a deposition. When we responded to do the on-site extraction, we first used our primary iOS tool, Lantern. Lantern showed us something different than the client’s tool, which was interesting to us, but very unnerving to the client. We could see his reaction was not very favorable, so we performed a second extraction using Cellebrite UFED. Cellebrite validated what Lantern initially reported, which further dismayed our client. You see, the cheap tool showed him what he wanted to see… showed him what best served his case. But was it accurate? The client then asked us to perform an examination using the cut-rate tool. We refused: as forensic examiners, we cannot put our integrity on the line to suit the client. As we already had prior knowledge that the data extraction with this tool could be easily manipulated, we could not in good conscience use it to report anything as accurate, especially considering that two very well-respected and validated tools were telling us otherwise. Fortunately, the client understood our position and we were able to find a middle ground which allowed us to report the data accurately, while still helping the client accomplish his goals in the case.
So what’s my point? If you’re looking to obtain data for your own personal use, there are tools out there that will allow you to do that without having to pay a formal consultant to come in and perform a data extraction and analysis. But you need to ask yourself: what is the purpose of the extraction? What’s the end-game? Could this potentially end up in court or a formal legal proceeding? How accurate do I want the data to be, and do I want to avoid questions about veracity later down the road? It’s been stated in previous articles, but it bears repeating: an ounce of prevention is worth a pound of cure. You can save some money now and get data that probably isn’t accurate or that can be manipulated, or you can pay a little more and have the peace of mind that your data extraction was done correctly, the data hasn’t been manipulated and the analysis and reporting will be accurate and validated. The bottom line is, you get what you pay for.
Author: Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally