Wednesday, November 18, 2015

Sometimes, The Data Isn’t There (anymore)




Being a digital forensic services provider in the private sector, we service a wide array of clients’ needs.  It is fairly common for our clients to be involved in litigation and investigations ranging from divorce to employment disputes and other criminal and civil matters.  Many times, the evidence they’re looking for may have once resided on a mobile device, but upon performing the data extraction and analysis, we have to regrettably inform them that we cannot recover the data they are looking for.  Why does this happen, especially with mobile devices?  Let’s talk about it…


The first thing to realize is that deletion of data doesn’t get rid of the data, at least not completely.  Deletion simply tells the operating system that the data may be over-written when the operating system needs the space.  However, accessing the deleted data can be the problematic part.  Areas of particular interest to many of our clients are text and picture messages.  As I often tell attorneys when they call with these inquiries, the deleted data may or may not be there.  It really just depends on several factors.  They include:

1)      The type of device.  This goes back to the fight of the geeks: Apple or Android.  Apple is particularly popular and particularly secure with regard to deleted data.  Can we recover deleted text messages off an Apple iDevice?  Probably.  But several of these other factors also come into play.  Android devices are generally a little easier to recover deleted data from because industry standard forensic tools will many times perform a full physical data extraction from the device, which means we get all deleted and non-deleted data.  Because Apple maintains proprietary control over the chipsets and algorithms on all devices newer than an iPhone 4, a full physical extraction is not currently possible… So whether or not we can get the deleted data on your Apple device is a big question that we won’t fully know the answer to until we perform an extraction and start our analysis.

2)      The capacity of the device.  The text (SMS) and picture (MMS) databases on mobile devices are somewhat flexible in size.  They will expand and contract, depending on the usage (see point 3).  However, if you buy a 16 GB iPhone or Android device, the overall memory capacity does become an issue, especially when taking point #3 into account.  We’ve had clients submit devices with over 44,000 text & picture messages in the database.  That’s a lot of space for text messages and if the database on your device is growing to a point where the operating system has to figure out where to store all of it, the likelihood that deleted messages will be over-written increases greatly.

3)      The level of usage of the device.  If you are seeking deleted messages from a user who doesn’t actually use the phone feature on their device and rather texts all of their communications, the likelihood that deleted messages will be over-written in time increases as well.  If the level of text database usage on the device is high, the priority of those deleted messages goes way down.

4)      The time in between the sending/receiving of the alleged messages of interest and when the mobile data extraction takes place.  If you’re interested in messages that have been deleted 8 months or a year prior to retaining a digital forensic consultant and the level of usage has been high on the device, the likelihood that we’ll recover those messages goes way down.  Again, it’s not impossible, but it does become less likely when combined with the other factors.  This is why we advise you to engage the services of a digital forensic consultant sooner rather than later.  The staleness of the data and potential spoliation becomes a greater concern as time goes on.
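The deletion and over-writing behavior described above can be reproduced on a scratch SQLite file, the database format used for the SMS stores on iOS and Android. This is an added example, not code from the original post: the table layout, file name and marker text are constructed, and it goes one step beyond the post by also showing SQLite's `secure_delete` setting, which zeroes freed space at deletion time.

```python
import os
import sqlite3
import tempfile

MARKER = "MEET-AT-DOCK-7"  # constructed body of the message that gets deleted


def filler(i):
    # Constructed filler text, same length as MARKER so freed space is reusable.
    return "filler-msg-%03d" % i


def raw_contains(path, needle):
    """Search the raw database file, regardless of what SQL reports as live."""
    with open(path, "rb") as fh:
        return needle.encode() in fh.read()


def run_scenario(secure_delete=False):
    """Return (live_rows, found_after_delete, found_after_usage)."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "sms_demo.db")  # hypothetical file name
        con = sqlite3.connect(path)
        # With secure_delete OFF, a DELETE only marks the record's space free.
        con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
        con.execute("CREATE TABLE message "
                    "(id INTEGER PRIMARY KEY, sender TEXT, body TEXT)")
        insert = "INSERT INTO message (sender, body) VALUES ('alice', ?)"
        bodies = [filler(0), filler(1), MARKER, filler(2), filler(3)]
        con.executemany(insert, [(b,) for b in bodies])
        con.commit()

        con.execute("DELETE FROM message WHERE body = ?", (MARKER,))
        con.commit()
        live = con.execute("SELECT COUNT(*) FROM message WHERE body = ?",
                           (MARKER,)).fetchone()[0]
        after_delete = raw_contains(path, MARKER)

        # Continued texting: new records are written into the freed space.
        con.executemany(insert, [(filler(i),) for i in range(100, 600)])
        con.commit()
        after_usage = raw_contains(path, MARKER)
        con.close()
        return live, after_delete, after_usage


if __name__ == "__main__":
    print("secure_delete OFF:", run_scenario(False))
    print("secure_delete ON: ", run_scenario(True))
```

With `secure_delete` off, the deleted message is invisible to queries but still present in the file until later inserts reuse its space; with it on, the text is gone as soon as the delete is committed.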



All Is Not Always Lost
One of the things we routinely have to do is come up with work-arounds for any number of problems that present themselves in cases.  In the case of lost deleted messages, we utilized one work-around that turned out great for our client.  

The client presented us with his iPhone 5s, which he claimed contained text messages from an ex-girlfriend who was claiming that he assaulted her.  His contention was that the content of the text messages exonerated him of this claim.  But when we went to examine the extraction, these messages, which were 5-6 months old and had been deleted, were not on the device.  However, in digital forensics, there’s more than one way to skin the proverbial cat (don’t worry, we don’t actually skin cats in our lab).

The client indicated he backed up his iPhone on his computer at a time period much closer to the alleged incident.  So we incorporated our computer and mobile forensic skills to acquire that backup file and import it into the mobile forensic tools and voila!  There were the text messages that helped get him acquitted in the case.  Sometimes, it’s just that simple.  Sometimes, we need to try to access cloud data, synced data on a Mac or PC computer or other backup data to try and retrieve what we need, but just bear in mind that deleted is often combatted by archived.

What About Computers?

Computers are a different animal much of the time.  Most computers have greater memory capacity and more robust operating systems than mobile devices such as smart phones and tablets, so their potential data retention is much higher.  Just bear in mind that when something is deleted on a computer, just like on a mobile device, it is tagged for over-writing whenever the operating system needs the space.  True deletion also removes much of the file-specific information like creation, modification and access dates & times.  Also consider that on a Mac or Windows computer, your files are still recoverable if all you (or someone else) did was put them in the trash or recycle bin.  More & more, manufacturers are socially engineering users to put encryption into place by default, which will also have a greater impact on our ability to recover the data over time.  Even recovered deleted data, if it’s encrypted, doesn’t do anyone any good.



So at the risk of being overly repetitive, please call your digital forensic consultant sooner rather than later.  Once we have the extraction or forensic image (copy), the data is preserved and we can do all the analysis you need on it, even if it’s months down the road.  But having that proverbial ‘time capsule’ of your device could mean the difference between getting you what you need and not being able to access the data at all!


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
Available Globally

We Find the Truth for a Living!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Monday, November 9, 2015

Pro Digital: Investigative Solutions




Regular readers of this blog know that my professional experience and expertise started in the investigative realm.  Ever since I first got interested in law enforcement, I wanted to be an investigator and I’ve been fortunate enough to not only see that goal to fruition, but to do so in a way that allowed me to be recognized by other investigators and prosecutors repeatedly for high output and excellence in work product.

Regular readers also know that I tend to emphasize the importance of investigative training, experience and ability when conducting digital forensic examinations.  No matter the case, people are behind the devices we examine and analyze, so knowing people’s patterns and how they behave can often times be the ‘X-factor’ in digital forensics.  Sure, you can get certified in this or that, but if you don’t have any experience investigating how people behave in certain circumstances, the technical expertise can only get you so far.



Because I’m an investigator at heart (who happens to be a trained digital forensic examiner), we have chosen to add to the suite of offerings by Pro Digital Forensic Consulting a series of “Specialized Investigative Services.”  These specialized services are designed to go beyond your normal private investigative work and highlight the vast investigative training and experience that we have been able to participate in throughout a career in law enforcement spanning 15 years.  These specialized investigative services will include:

·      Employee and/or personal background checks
·      Employee fraud, misconduct, theft, waste and abuse
·      Missing persons
·      Online & social media investigations
·      Interview & Interrogation
·      Police procedure assessments
·      Criminal Defense Investigations
·      Wrongful Conviction Investigations
·      Investigations as directed by litigators involved in civil or criminal litigation (litigation support)

By utilizing our training, experience, technical tools and investigative know-how, we hope to raise the bar of private sector investigations to be a go-to resource for litigators, companies and other parties that may have need for these services.  And while some of these services may involve surveillance or people-tracking from time to time, it is our goal to get you the information you need in a timely manner without running up a large bill for surveillance time.  We will not get involved in insurance fraud or marital infidelity cases; there are already many other private investigative resources for that.  However, we will incorporate our investigative training and suite of digital forensic services where appropriate to help better serve clients and get even more thorough answers to your questions.  Rest assured, digital forensics is our ‘bread & butter’ and will always be our primary line of business to serve clients.

We welcome any inquiries about these services and our ability to deliver them to meet the needs of your case(s).  This new line of business has given rise to a new slogan at Pro Digital Forensic Consulting…

We Find the Truth for a Living!


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC 
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
Available Globally
