Friday, January 2, 2015

You Get What You Pay For

Original Post Date:  October 30, 2014

You Get What You Pay For

Recently at Pro Digital Consulting, we’ve been fortunate enough to work several cases where the content, timing and veracity of text messages (or iMessages) have been the focal point of the case.  Invariably, clients will ask about cut-rate, commercially available tools that may meet their needs.  One of these tools was used in two recent cases and caused us to take a step back and look at what our digital forensic tools and expertise offer over and above what the $20.00, one-time, push-button programs offer… and you may be surprised what we learned!

In the spirit of self-preservation and in hopes of stopping the spread of cheap, cut-rate data extraction tools, we will not mention the specific tool by name in this article.  However, we will say that the tool in question is marketed toward iPhone users and extracting text messages, as was necessary in the cases we worked.  In case #1, the tool was used by the opposing party to extract text messages from their own phone to help bolster their case.  This presents several problems.  First, many of the best practices and methodologies put into place in digital forensics cannot have been adhered to.  Second, and most importantly, it was very obvious to our team that the data presented by the cheaper tool was manipulated.  Date and time stamps were out of chronology, posing a serious validation issue for this particular set of data.  Third, it is very easy to manipulate the data on one’s own device just before performing an extraction.  How do our tools do it better?  Well, it’s not just our tools, but the examiner who may be performing the extraction.  You see, the key in any examination is not just to get the data.  Yes, the data is important and will ultimately help prove or disprove your theory of the case, but the methods by which we obtain the data are also very important.  As I’ve stated repeatedly in previous articles, the integrity of the data is very much at issue as well.  Can the data be validated?  Can it be manipulated?  In what state was it obtained and what was the training and experience of the examiner who performed the extraction?  All of these factors come into play when we deal with presentation of data in a formal legal proceeding and that’s even before we get to the content of the data.  Our tools have not only been validated and authenticated, but their work-flows and setup are such that 1) the data extraction has to take place in a specified manner in conjunction with best practices and 2) the data itself cannot be manipulated, it can only be extracted, analyzed and reported.  This means that, even if I wanted to, I couldn’t change the date and time stamps on a string of messages to suit my client’s needs.  That’s an extremely important distinction between our validated tools and other, cut-rate tools.  A final note about this particular case is that our tools were also able to recover deleted messages which helped a great deal.  Other, less sophisticated tools do not.

For case #2, the client previously used the same cut-rate program to perform his own data extraction for a deposition.  When we responded to do the on-site extraction, we first used our primary iOS tool, Lantern.  Lantern showed us something different than the client’s tool, which was interesting to us, but very unnerving to the client.  We could see his reaction was not very favorable, so we performed a second extraction using Cellebrite UFED.  Cellebrite validated what Lantern initially reported, which further dismayed our client.  You see, the cheap tool showed him what he wanted to see… showed him what best served his case. But was it accurate?  The client then asked us to perform an examination using the cut-rate tool.  We refused.  Because, as forensic examiners, we cannot put our integrity on the line to suit the client.  As we already had prior knowledge that the data extraction with this tool could be easily manipulated, we could not in good conscience use it to report anything as accurate, especially considering that two very well-respected and validated tools were telling us otherwise.  Fortunately, the client understood our position and we were able to find a middle-ground which allowed us to report the data accurately, while still helping the client accomplish his goals in the case.

So what’s my point?  If you’re looking to obtain data for your own personal use, there are tools out there that will allow you to do that without having to pay a formal consultant to come in and perform a data extraction and analysis.  But you need to ask yourself, what is the purpose of the extraction?  What’s the end-game?  Could this potentially end up in court or a formal legal proceeding?  How accurate do I want the data to be and do I want to avoid questions about veracity later down the road?  It’s been stated in previous articles, but it bears repeating:  An ounce of prevention is worth a pound of cure.  You can save some money now and get data that probably isn’t accurate or that can be manipulated or you can pay a little more and have the peace of mind that your data extraction was done correctly, the data hasn’t been manipulated and the analysis and reporting will be accurate and validated.  The bottom line is, you get what you pay for.

Patrick J. Siewert
Owner, Lead Forensic Examiner
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally