April 16, 2015
Digital Forensics vs. Data Extraction
I was having lunch the other day with a good friend who is a
very well-trained & accomplished Digital Forensic Examiner for the Virginia
State Police. He and I often get
together and talk about trends in the industry, past cases, tools that work and
tools that don’t, among other things (we’re both avid motorcyclists). He mentioned something to me again recently
that I’ve heard him mention in the past.
“Forensics is all but dead”, he says. “Almost everyone now is just doing data
extraction & reporting, not forensics.”
This comment spawned some more thought from me on the
topic. Is forensics almost dead? There are several factors at play, not the
least of which is the ubiquitous nature of digital forensics practices within
government sectors. These factors
encompass personnel, practice, cost & overall expertise, to name a
few. I, for one, would like to think
that forensics is not dead, rather going through an evolution of sorts, as most
technology-oriented fields do over time.
So what’s the difference between digital forensics and data
extraction? Plenty!
Data Extraction & Reporting
I propose a hypothetical case: Agent Smith is an investigative field agent. He works child exploitation crimes for the
Mayberry Police Department. He receives
an anonymous cybertip from the National Center for Missing & Exploited
Children (NCMEC) that John Jones, who lives in Mayberry, has numerous images of
child pornography on his smart phone.
Agent Smith does his due diligence in background case work and goes to
visit Mr. Jones at his home for a knock-and-talk.
Jones consents to talking to Agent Smith and further
consents to have his phone examined, but refuses to let Agent Smith take the
phone with him. Smith pulls out his
field kit, hooks up the phone to his laptop and starts the extraction. Jones admits to nothing, the extraction is
complete and a brief review on-scene of the images on the phone indicates there
is illegal material, so Smith seizes the phone and arrests Jones based upon the
images he found on-scene. Now Agent
Smith needs to dig further into the evidence to prove the case, but does
he?
Part of the problem with easy-to-use
forensic tools (especially mobile forensic tools) is precisely that they’re easy to use. Point, click, extract, view, report,
done! This is simple data extraction, not digital forensics. The methods used to acquire
the data may well be forensically sound and within best practices, but that’s
about where the forensics ends: a sound acquisition only preserves what the tool pulled, and a logical extraction of a phone typically contains none of the deleted records or unallocated storage that a deeper examination would look at. The
practice of data extraction simply pulls out the data Agent Smith needs to
prove his case, not necessarily the whole story. How did the images get on the device? Who put them there? When were they created? Who else may have had access to the device
(the anonymous tipster, perhaps)? What
additional inculpatory or exculpatory evidence may be present on the
device? In short, what does the whole
picture look like? These are questions
that go mostly unanswered by simple data extraction & reporting. This practice makes the evidence look very
damning and very simple, where it may not be either.
The Forensic Difference
Digital forensics, even in its simplest definition, goes far beyond
simple data extraction. Forensics looks
at all of the available evidence with an open mind, objectively seeking to
prove or disprove the case from the start and to recover whatever relevant
evidence may be present. The practice
of forensics also looks much deeper than what can be found at the surface level. Forensics seeks to answer questions like:
- Are there old partitions on the disk that can be recovered? If so, what evidence might they contain to help prove or disprove the theory of the case?
- Are there deleted items in unallocated and/or file slack space that may provide proof of an attempt to cover up evidence?
- Are there file fragments that could be recovered and/or pieced together to provide a clearer picture of what may have been going on at the time of the incident?
- Are there logs of network connections, operating system journal entries, registry artifacts, encrypted or other data that needs to be examined at the hexadecimal level to put the pieces of the puzzle together?
These questions, and more like them, are just the basic
differences between simple data extraction and digital forensics, which is far
more complex work. It also requires much more
training and hands-on experience. I can
honestly say that I don’t think I’ve ever conducted a true digital forensic
examination where I didn’t have the need to research file types, headers,
footers, applications and any number of other assorted case-specific items to
help figure out what activity may have been going on with regard to the
submitted device(s) and report those findings accurately & intelligently. Indeed, digital forensics is true
investigative work, not simply a point-and-click approach to recovering
evidence.
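The questions in the list above (deleted items in unallocated space, fragments pieced back together, data examined at the hexadecimal level) and the header/footer research mentioned just above are what a signature-based carve looks like in practice. The following Python is an added example written for this page, not the author’s own tooling or any vendor’s product. It scans a raw image byte by byte for JPEG start and end markers without consulting any filesystem metadata, so it finds a picture whose directory entry is gone, records headers that never reach a footer as fragments rather than discarding them, hashes each carved object, and hex-dumps its first bytes. The sample image is constructed inline (a marker sequence that is structurally a JPEG but not a viewable picture), and the `carve_jpegs`, `hexdump` and `sha256_hex` names are this example’s own assumptions.

```python
"""Added example: signature-based carving of JPEG objects from a raw image.

Illustrative code written for this page, not any vendor's tool. It ignores the
filesystem entirely and works on the bytes alone, which is what lets it find
deleted pictures that a logical extraction never reports.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# Well-known JPEG markers: Start Of Image (always followed by another 0xff
# marker byte) and End Of Image.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def sha256_hex(data: bytes) -> str:
    """Hash every carved object so the report can be tied back to the image."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CarvedFile:
    offset: int                     # byte offset of the header in the image
    size: int
    sha256: str
    data: bytes = field(repr=False)


@dataclass
class CarveResult:
    files: list[CarvedFile]
    orphan_headers: list[int]       # SOI with no EOI in range: a fragment


def carve_jpegs(image: bytes, max_size: int = 16 * 1024 * 1024) -> CarveResult:
    """Walk the whole image looking for header/footer pairs.

    A header that never reaches a footer within max_size is recorded as an
    orphan rather than dropped: a partially overwritten picture is still
    evidence of what was once there. Caveat: EXIF thumbnails embed their own
    SOI/EOI pair, so cutting at the first footer can truncate a real photo; a
    production carver validates the marker segments instead of trusting it.
    """
    files: list[CarvedFile] = []
    orphans: list[int] = []
    pos = 0
    while (start := image.find(JPEG_SOI, pos)) != -1:
        window_end = min(len(image), start + max_size)
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), window_end)
        if end == -1:
            orphans.append(start)
            pos = start + 1
            continue
        data = image[start:end + len(JPEG_EOI)]
        files.append(CarvedFile(start, len(data), sha256_hex(data), data))
        pos = start + len(data)     # resume after the carve, not inside it
    return CarveResult(files, orphans)


def hexdump(data: bytes, base_offset: int = 0, width: int = 16) -> str:
    """Offset, hex bytes and printable ASCII: the hexadecimal-level view."""
    lines = []
    for i in range(0, len(data), width):
        chunk = data[i:i + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{base_offset + i:08x}  {hex_part:<{width * 3}} {ascii_part}")
    return "\n".join(lines)


# Constructed sample data. FAKE_JPEG is a valid marker sequence (APP0, DQT,
# SOS, a few bytes of byte-stuffed scan data, EOI) but not a decodable picture.
FAKE_JPEG = (
    b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xdb\x00\x43\x00" + bytes(range(64))
    + b"\xff\xda\x00\x0c\x03\x01\x00\x02\x11\x03\x11\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"      # 0xff inside scan data is stuffed with 0x00
    + JPEG_EOI
)
FRAGMENT = b"\xff\xd8\xff\xe1\x00\x20Exif\x00\x00" + b"\x11" * 40  # no footer

# "Unallocated" zeros, the deleted picture, some live data, then the fragment.
SAMPLE_IMAGE = (
    bytes(4096) + FAKE_JPEG + bytes(2048)
    + b"some allocated text the extraction tool would show\n"
    + bytes(512) + FRAGMENT
)


if __name__ == "__main__":
    result = carve_jpegs(SAMPLE_IMAGE)
    for f in result.files:
        print(f"carved {f.size} bytes at 0x{f.offset:x}, sha256 {f.sha256}")
        print(hexdump(f.data[:32], f.offset))
    for off in result.orphan_headers:
        print(f"orphan JPEG header at 0x{off:x}: fragment, no footer found")
```

Run against the constructed image, the carver reports one complete object at offset 0x1000 and one orphan header near the end; a tool that only walks the live filesystem would show the allocated text and nothing else. Tools such as Scalpel and PhotoRec apply the same idea with many more signatures and with structural validation of what they carve, which is why the one-footer shortcut above should be read as the idea, not the procedure.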
Rationale
So why do so many field and some lab practitioners do data
extraction rather than forensics? There
are several reasons. The first, and
easiest to explain, is laziness. This
may shock you, but some people are just plain lazy. They can take a test, pass a certification
and have all the on-paper credentials, but if they’re lazy and simply don’t
want to do the work, none of that really matters. The next factor is time, which can be closely
related to laziness. In the government
sectors especially, examiners are pressured to turn over more cases in less
time, especially when it comes to mobile devices. A true digital forensic examination takes
time and, oddly enough, some governmental supervisors don’t understand
that. It is entirely possible that a 64
GB smart phone or tablet full of valuable evidence could take much longer to
examine than a 1TB hard drive that doesn’t really have much evidence at all. Ask the bean-counters to wrap their heads
around that one!
Along with time goes money, and with digital
forensics the cost goes beyond the examination itself: it takes
an extensive investment of both money and time to get an examiner
to a competent state. Training
a digital forensic examiner to be proficient, knowledgeable and effective
requires a huge commitment. Point-and-click
classes take less time and are cheaper than weeks or months of in-depth digital
forensic training and hands-on experience.
To add insult to injury, consider this:
I have a friend with whom I attended BCERT – a 5-week computer forensic “boot
camp” of sorts. He works at a local law
enforcement agency at the level of Sergeant conducting digital forensic
examinations. He’s been at it for years
and is a go-to resource for me whenever I have a question. If he chooses to advance his career in law
enforcement to the next rank (Lieutenant), he would have to quit doing
forensics, go back in uniform on patrol and essentially give up that investment
he and his department have made, thus starting all over again with a new, green
examiner. This practice is not limited
to my friend’s department and is in fact commonplace in law enforcement and
other government sectors. What sense
does that make? Good question. But the ultimate outcome is departments don’t
want to spend that mountain of money to train somebody to my friend’s level
again (and again), so they take the easy route:
Train them to get just what we need, i.e., data extraction.
Conclusions
It seems like a no-brainer: trained, equipped, effective
examiners are in the best interest of thorough investigations, and
thus of proving or disproving a case, which is in the best interest of
justice. Unfortunately, the general
reality doesn’t reflect that. Since I
started in digital forensics in 2008, I’ve seen several cycles of examiners at
the government level. The highly-trained
ones get cycled out and the newer ones have less and less training &
experience at actually performing any forensics. Meanwhile, the gap is widening between those
who stick with the practice of digital forensics, whether it be in private or
government practice, and those who are constantly in the refresh cycle of digital
forensics. The smart get smarter & better and the newer ones keep doing
data extraction, often not even submitting evidence to the lab unless it’s a “high-profile”
case.
This gap will undoubtedly get larger and the numbers of
practitioners conducting data extractions will grow, while a few of us are
continually staying up-to-date & trying to hone our skills. At some point, the house of cards has to
fall, but until it does, I really wish those doing simple data extraction would
stop using the F-word: Forensics.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal
Consultant of Pro Digital Forensic Consulting, based in Richmond,
Virginia. In 15 years of law
enforcement, he investigated hundreds of high-tech crimes, incorporating
digital forensics into the investigations, and was responsible for
investigating some of the highest jury and plea bargain child exploitation
cases in Virginia court history. A
graduate of both SCERS and BCERT (among others), Siewert continues to hone his
digital forensic expertise in the private sector while growing his consulting
business marketed toward litigators, professional investigators and
corporations.
Twitter: ProDigital4n6