Tuesday, September 15, 2015
September 15, 2015
The Four Factors of Mobile Forensics
As with most private-sector digital forensic practitioners in the modern market, a great majority of our cases involve mobile device forensics. These cases range from employment disputes to divorce. invariably, whenever we get an intake consult for one of these cases, we are asked any or all of the following: How long will it take? What can you recover? What tools do you use? And of course, how much will it cost? I explain to attorneys and clients alike that mobile forensics can be quite subjective and there is often no “cookie cutter” answer to these questions. The answers depend on four main factors (and a 5th factor, which we’ll touch on too).
Factor #1: The Case
If you’ve been doing forensics or investigation of any type for any appreciable amount of time, you know very well that no two cases are alike. Just because you’ve worked one contested divorce doesn’t mean the next one will be exactly the same. Your methodologies may not change much, but the needs of the particular case are almost never the same.
In homicide cases, not only are text messages and pictures likely sources of valuable data, but it can extend to Bluetooth and WiFi connections to prove time and location data. In employment cases, emails may be especially relevant as well as any data gleaned from mobile device management (MDM) apps. The device could provide valuable information to expand searches into other areas, both physical and digital, including any cloud or “hard” backups of the device(s). Regardless, the facts are never going to be the same, nor are the needs of any one case to another. Even within the same case, you may have multiple devices to be examined that will be prioritized and categorized depending on the owner’s role in the case. Knowing how to approach different cases appropriately is of paramount importance in mobile forensics. Can this be taught in a classroom? Perhaps a little, but it really comes with experience.
Factor #2: The User
While currently the mobile device market is dominated by Apple and Android devices (with some Blackberry & Windows peppered in), that has no reflection on the multitude of different types of users and user activity for these devices. For example, I use my device for social media, photography and business applications. I get bored with my wallpaper and change it frequently and I have three pages of apps in folders (most of which I don’t use, but I have them just in case). In contrast, my friend, who is a law enforcement agent has only two pages of apps (none in folders), never changes his wallpaper or ringtone and doesn’t really take too many pictures. The two devices we own are almost identical.
Users sometimes abuse their devices and sometimes take great care of them. Some users don’t know what Bluetooth is or why anyone would need it. The point is that the mobile device manufacturers make these devices versatile so they can sell as many as possible on the consumer market. With each device comes a new set of variables and those variables are almost entirely user-defined. Do you clear out text messages regularly? Do you use more than one text app? Do you use your device for banking and management of finances? Dating? Shopping? The list is endless and until we know what the user’s behavior is on the particular device in question, we’re somewhat grasping at straws when asked what types of evidence we can obtain from it.
Factor #3: The Software
Along with an innumerable amount of devices on the consumer market comes a diverse set of software platforms on which these devices operate. It’s said that Apple iOS users update their device software at a much higher percentage than Android users. The devices themselves can dictate this as well. I purchased a pre-pay Android phone last year for testing purposes and the operating system software on it cannot be upgraded. If you still have an iPhone 4 that you want to press into service, it’s software cannot be upgraded. So what’s the big deal?
Mobile forensic companies are constantly playing catch-up with the software manufacturers. How that relates to our abilities is that the older the device software, the more data we’re likely to be able to obtain from it. Reverse-engineering and testing takes time, sometimes a lot more time than mobile forensic software developers have, so this can be a huge factor in our ability to obtain valuable information from mobile devices. Factor in the constantly changing nature of mobile apps and now we’re talking about a whole new software subject area with regard to recovery and analysis of data. Many people communicate via Facebook and Twitter just like they do via regular text message, so having access to those messages might be crucial to your case.
Factor #4: The Examiner
For regular readers of this blog, you probably get tired of hearing me preach that experience is the key to a good examiner, but here I go again! I can’t stress enough how important experience is, especially when dealing with multiple devices across multiple platforms that incorporate multiple third-party apps. Along with experience at a practical level, a competent examiner has to have a basic knowledge base of how data is stored, the variations in operating systems and apps across different devices and how to effectively report that information and testify to its veracity. It’s true that mobile forensics isn’t true forensics because we need to alter the device in some way in order to obtain a successful data extraction, but does your examiner know that? Can he/she articulate that? Have they testified before as an expert?
I’ll admit that the reason I harp on experience so much is that I’ve seen examiners through the years with more letters after their name than are actually in the alphabet, but they can’t figure out that they can use a certain tool to bypass the swipe lock on a piece of evidence. Further, they’ve probably never been challenged in court or asked to explain highly technical findings to someone who isn’t very technical like a judge or jury. Yes, friends, having an experienced examiner is probably the most important factor in this whole equation. Without it, things have the potential to get very, very bad.
The “Other” Factor
As I gain more and more experience in mobile forensics and work more and more cases, I have discovered that there’s one more factor that can affect the outcome of your examination and help increase the likelihood that you’ll find what you need – the forensic tools you choose to employ. Now don’t get me wrong, you can do mobile forensics with open-source tools, but everyone I know who does that is very much smarter than I. It can also be much more time-consuming. There are some powerful forensic tools available on the market today, friends and I suggest you research them thoroughly before choosing to invest in any of them. Certain companies concentrate mainly on doing one thing and they do it quite well. Others put a mountain of work into the tools on the research and development end and, as such, they are very robust (and you pay for it, believe me!).
Regardless, I will offer one tip that I’ve heard ever since I got into this business – no one tool will always get all of the evidence. The variable nature of mobile forensics seems to prohibit this. Currently at Pro Digital, we employ three different licensed mobile forensic tools in addition to any open source tools we may use. This helps not only cover all the bases, but helps us better serve our clients. As time goes on, we’ll probably invest in more because there’s no one catch-all to mobile forensics. If anyone tells you there is, well… they’re probably just trying to sell you something!
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Monday, September 7, 2015
September 7, 2015
How Digital Forensics Can Help: Divorce & Custody Cases
In the third of our “How Digital Forensics Can Help” Series, we’ll seek to answer some common questions about what can and cannot be available in divorce and child custody cases. These are routinely some of the most emotionally-driven cases, no doubt because of many factors involved including separation of assets, child custody negotiations and the underlying sense of betrayal that comes from sharing your life with someone and having that changed drastically and perhaps without warning. Don’t misunderstand us, digital forensic capabilities often will not alleviate any of these highly tumultuous circumstances. However, we can help answer many questions that can hopefully bring these situations to an amicable resolution faster and help both parties move on with their lives.
What evidence is relevant in a divorce?
We routinely get asked the question about how to obtain the device(s) in question in any number of cases, divorce included. Please bear in mind, I’m not an attorney, nor do I fully understand the legal nuances of what devices and/or evidence may or may not be legally available to either party in divorce proceedings. Experience has shown us where there’s a will, there’s a way. Often the competency and tenacity of your attorney will dictate what course your divorce proceedings may take, but this article is not only designed for individual parties involved in divorce cases, but also to help the attorneys know what we can do to help in these cases.
Recently, we’ve seen circumstances where a Motion to Compel has been issued by the court, which forces the opposing party in a divorce proceeding to produce their computer and/or mobile device for forensic examination. The motions are very specifically worded and admonish the respondent of the motion to refrain from deleting any data prior to turning the device(s) over to the forensic examiner. They also can include language to provide the examiner with pass codes to examine the device(s) more freely. This type of tactic is likely the best-case scenario for your digital forensic expert. By granting the Motion to Compel, the Court has given us full permission to conduct a digital forensic examination on whichever devices are named in the motion. Routinely, the examination will take the tactic of proving or disproving some sort of infidelity. So what information is potentially available and what helps us do this? We’ll break it down by device type:
· Mobile Devices (Cell phones, smart phones & tablets)
o Text message history: This can be between the opposing party and a suspected paramour or intimate conversations with close friends regarding potential infidelity or other malfeasance. Always bear in mind that text messages may be stored in more than one area of the device, such as messaging apps or games.
o Internet history: People incorporate behaviors with regard to their internet browsing history based upon individual interest. Was the opposing party engaged in some online dating activity? Did they attempt to contact others via the internet to facilitate this? All of this evidence is key to answering these questions.
o Email history: Depending on the type of device, we can recover email history dating as far back as you can imagine. Special consideration should be made, however, to restrict access to privileged material that may be contained in emails.
o Mobile Apps: Mobile devices are at virtually everyone’s fingertips in the digital age. As such, the apps they use can often help us identify behaviors and provide concrete evidence that something may be afoot. Even if we can’t examine the specific app data due to encryption or other security measures, the mere existence of some apps may indicate some questionable behavior.
· Computers (laptop, desktop, etc.)
o Internet history & emails: Think of the computer as a graduated version of the mobile device. Chances are much of the same information that may be contained on the mobile device is also on the computer, which helps with validation of this evidence. Also consider the importance of shopping history, pornography and other items that may help paint the overall picture.
o Documents: Personal documents, such as financial records, may be of particular importance in divorce cases. Is there hidden money? Do both parties know what the assets are and where they are located? Questions like these may be answered and help lead to a more equitable distribution and faster conclusion.
Obtaining the truth is at the heart of every case we investigate. Routinely, we will engage clients who have strong suspicions about activities their significant other may be engaged in and we find little to no evidence validating these suspicions. Can your questions be mostly (or completely) answered with a digital forensic examination? The answer is maybe. We have adopted a disclaimer on our engagement paperwork that states, in part, that we do not guarantee results. A client’s suspicion of what may or may not be going on with their significant other is not evidence. We acquire, analyze and report the evidence that is before us. We do not engage in conjecture or speculation, which is sometimes difficult to understand when the emotional stakes are so high.
When engaging a digital forensic expert in your divorce and/or child custody case, it is important to remember that in forensics, we seek to prove or disprove a hypothesis based upon the evidence. We may very well uncover the proverbial “smoking gun” in your case, which will settle your matter in a very cut-and-dried manner. However, it is important for both clients and attorneys alike to realize that the opposite is also possible and you may be left with more questions.
You have our guarantee that we will leave no digital “stone” unturned and we will strive to work with both clients and attorneys to ensure the most comprehensive view of the evidence is presented, no matter where that may lead. After all, when the stakes are as high as they tend to be in divorce and custody cases, you deserve to be as well-informed as you can be to help resolve the matter equitably and without any additional emotional strain.
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia