Monday, November 21, 2016
Problem Solving Digital Forensics
For those of you who are involved in (and can tell people about) active digital forensic casework, you probably get the same response when you tell others about your job: “Wow! That sounds really cool!” Yes, it sounds cool and can often be very interesting, but many cases are mundane and repetitive. Oftentimes, the most challenging part of digital forensics is getting to the data, that is, acquiring it so that we may conduct our analysis fully and appropriately. That is when the life skill of problem solving comes in very handy. Problem solving is an evolving issue in both computer and mobile device forensics and will continue to be as the industry progresses. It is also not a skill that is taught so much as ingrained and acquired over time with experience.
Problem Solving Computer Forensics
The methodology in computer forensics has been virtually unchanged throughout the years. Yes, the technology changes and brings additional considerations with it, but at the core, we are trained and practice to create a forensic disk image, verify the image and conduct our analysis on that exact copy of the media. However, the integration of newer technology such as solid state drives in various forms and storage that is hard-wired into the logic board of some computers presents a problem that needs to be solved. With items like this, we can’t always simply remove the media and create our forensic image; we need to work around the problem while still maintaining the integrity of the evidence. I’m often asked how to acquire the built-in storage on items such as newer Mac computers. For this particular subset of technology, we generally find Paladin by Sumuri to be a great resource. The Linux-based bootable tool (which is also free) provides a non-intrusive forensic solution to acquire this data simply and easily without tearing the complex hardware apart. There are other tools for troubleshooting this as well.
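The image, verify, then analyse-the-copy workflow described above, written out as an added POSIX sh example (not code from the original post or from Paladin). It assumes a Linux host with `dd` and `sha256sum`, and uses a constructed random file in place of the evidence device, which in a real acquisition would sit behind a write blocker.

```shell
#!/bin/sh
# Added example: acquire an image, hash source and image, record both, and refuse
# to proceed unless they match. Constructed sample data stands in for the evidence.
set -u

# acquire_and_verify SRC IMG LOG
# Copies SRC to IMG with dd, hashes both, appends a record to LOG.
# Returns 0 only when the source and image SHA-256 hashes match.
acquire_and_verify() {
    src=$1; img=$2; log=$3
    if [ -e "$img" ]; then
        echo "refusing to overwrite existing image: $img" >&2   # never clobber a prior acquisition
        return 2
    fi
    # noerror keeps dd reading past a bad block; a short image then fails the hash check
    # below loudly instead of the acquisition silently stopping part-way.
    dd if="$src" of="$img" bs=1M conv=noerror 2>/dev/null || return 3
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    printf '%s source=%s image=%s sha256_source=%s sha256_image=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$img" "$src_hash" "$img_hash" >> "$log"
    [ "$src_hash" = "$img_hash" ]
}

# verify_image IMG EXPECTED_HASH: re-hash a stored image (e.g. before analysis or
# after transport) against the hash recorded at acquisition time.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Constructed sample "evidence": 3 MiB of random bytes in a temporary directory.
WORKDIR=$(mktemp -d)
SAMPLE_SRC="$WORKDIR/evidence.bin"
SAMPLE_IMG="$WORKDIR/evidence.dd"
SAMPLE_LOG="$WORKDIR/acquisition.log"
head -c 3145728 /dev/urandom > "$SAMPLE_SRC"

if acquire_and_verify "$SAMPLE_SRC" "$SAMPLE_IMG" "$SAMPLE_LOG"; then
    echo "acquisition verified; analyse $SAMPLE_IMG, never $SAMPLE_SRC"
else
    echo "hash mismatch or acquisition error: do not proceed with analysis" >&2
fi
```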
But what about issues like encryption? Network storage? RAID arrays? Generally speaking, there are solutions available to deal with these circumstances, but when it comes down to the specific hardware, software and environment in a given case, you can almost always be guaranteed that some case-specific problem solving will need to take place. For instance, a case we worked in 2015 required acquisition of network folders from an Exchange 2003 server. Not only was the server slow, but the process overall was painfully slow because of the outdated technology. The data connections were out of date (SCSI), the transfer rates were slow (USB 2.0) and the acquisition took much longer than we would have preferred. When working cases of varying type and technology, sometimes the most important questions are the ones you ask (or forget to ask) prior to getting on-scene.
Problem Solving Mobile Device Forensics
As mentioned in previous articles, my personal forensic experience did not start out in the mobile device space; rather, basic and more advanced training was gained on the computer/dead-box forensic side first, then evolved into the mobile space within the past 3 years or so. To say that acquiring the data in mobile forensic cases involves some problem solving is an understatement. Consider that the security on devices such as the iPhone (and other associated iDevices) has consistently given digital forensic examiners problems throughout the past few years, to the point of frustration. Then add into the mix the multitude of manufacturers and software versions for Android-based devices and the water gets further muddied. Now throw in the “feature phones” with proprietary operating systems and almost countless manufacturers from all over the globe, and we have a problem-solving mess on our hands.
This is why companies like Cellebrite, Oxygen, Magnet Forensics, XRY and others exist. Yes, they all do an adequate job parsing, presenting and reporting the data post-analysis, but before we even get to that point, we need to acquire the data. This has emerged as the biggest challenge in mobile device forensics. This is why we pay so much for those licenses and renewals every year.
Techniques such as ISP, JTAG and chip-off have emerged as commonly accepted methods for bypassing this security and accessing the data as well. These methods have given rise to a newer form of problem solving where we access the physical memory storage on the device in order to obtain a data extraction. However, these methods likely won’t be viable indefinitely, and the problem-solving part of the mobile forensics industry will need to keep evolving to find ways of acquiring the data for years to come.
Wrapping it up
Problem solving is a tangible skill. If digital forensic examiners think that “push-button forensics” is the norm or even the wave of the future, it is not. Quite the opposite. Sometimes, what separates a decent examiner from a plug-and-play examiner is the ability to size up the problem(s) in a case and devise ways to work around or solve them. The fundamentals of forensics can be taught, but only experience working cases of varying type and degree can serve to separate those who can solve problems from those who cannot.
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
We Find the Truth for a Living!