Showing posts with label DFIR. Show all posts

Tuesday, October 6, 2020

2020 Key Influencers in DFIR


One of the things I enjoy most about the field of digital forensics is that it’s a community of people who all generally have one set of goals in mind:  Find the truth, get to the facts, uncover the evidence using tried & true methods and present those findings to an ultimate finder-of-fact, whether it be a corporate CEO, an attorney/client, a prosecutor/judge/jury or whatever the case may be.  We encounter daily challenges in our work, and we collaborate relatively well because as the technology evolves, so must our approaches to those challenges.
 
Like many industries, there are influencers – those who contribute to the profession in ways that go far above-and-beyond typical members of the community, whether it be by sheer volume of notable work, publications, time & effort put forth, etc.  In digital forensics, those influencers may stand out even more because of the exclusive and specialized nature of the work we do and the relatively small community in which we work.  Some are daily contributors while some share their knowledge and experience with a measure of humility or quiet dignity.  I’ve chosen to highlight five such personalities in our industry for this article.  They have not paid me, I don’t know all of them personally and I may never have even spoken to one or more of them, but their contributions to our field are valuable and deserve recognition.  In compiling this list, I attempted to run the DFIR gamut of key computer forensic influencers, mobile device forensic influencers, incident response influencers and those who may influence all of the above and/or a different specialty that is more on the periphery of our industry.  So, at the risk of spawning much heated debate, let’s go!

Key Influencer #1:  Eric Zimmerman

If you don’t know Eric Zimmerman and his contributions to our community, you’re at a decided disadvantage.  A former FBI Special Agent and government forensicator, Eric has been contributing his vast knowledge and expertise to the DFIR community for many years.  I was first introduced to his wealth of knowledge and generosity when he released OS Triage, a free tool for law enforcement examiners to quickly triage and identify evidence on-scene that may (or may not) contain illicit images.  The tool was simple, effective and really useful to those of us who 1) didn’t want to spend time analyzing evidence that wasn’t relevant and 2) had limited physical space in which to store such evidence.  Since then, Eric has developed other free tools such as Shellbags Explorer and Timeline Explorer, all of which most of us have used in one case or another (or a few dozen).  I personally love Shellbags Explorer for, well… Exploring Shellbags!  It does a great job at graphically representing the folders that have been touched by the user to help belay any argument that someone else did it.  Among the offerings on Zimmerman’s Github are Link File Parser, MFT Parser, Volume Shadow Copy Mounter and more.


Now with Kroll, Zimmerman continues to create and share tools with the community that are exceptionally useful in conducting varying types of analysis (oh, and they’re free).  The Kroll Artifact Parser & Extractor (KAPE) is a fast, flexible way to find, extract and analyze artifacts in your case.  Simply put, it’s the next generation of free tools from Zimmerman and it is being used daily to help examiners save time and find the evidence they need.
  
As an X-Ways Forensics user for the past several years, I’ve also found the book X-Ways Forensics Practitioner’s Guide -- which Zimmerman co-wrote with another awesome influencer, Brett Shavers -- to be an invaluable resource.  Sure, I’ve been through the XWF Level 1 & 2 training, but sometimes I don’t remember every single tidbit of the 56 hours or so of those courses, so this book is a super helpful reference guide for both new and experienced XWF users.  I think both Zimmerman and Shavers would tell you that if you’re not using X-Ways Forensics in your PC analysis, you’re wrong :).

I’d also be remiss if I didn’t mention Eric’s participation in the IACIS listserv.  If anyone has a question, Eric frequently chimes in with a pointed, yet helpful response.  Heck, sometimes he even makes me laugh!  We are truly a better community for Eric being a part of it and sharing his vast knowledge, skills & abilities with us all.

Key Influencer #2:  Heather Mahalik

I’ve never met Eric Zimmerman in person, but I have met Heather Mahalik in person and we’ve had a few email exchanges over the years, including one surrounding this exchange with Shark Mark Cuban.  A former government examiner, Heather now works mainly with Cellebrite as a consultant and with SANS, instructing their mobile forensics courses.  A virtual bottomless well of knowledge about mobile device forensics, Heather has also co-written the book Practical Mobile Forensics, which is another must-have in your reference library if you’re going to be conducting analysis on mobile devices.



As far as helpfulness, willingness to share their knowledge, ability to test theories and publish the findings we need to know in the ever-changing landscape of mobile forensics -- and just plain giving back to the community -- I’m not sure any influencer in our industry is as generous as Heather.  Heather’s ongoing blog, Smarter Forensics frequently jumps on the most current issues with testing of new operating systems and/or applications, validating the findings and putting the initial impressions and impact on our industry in a simple, concise, easy-to-understand format (example, see her blog on iOS 14 here).  

Also very active on the IACIS listserv, Heather always seems willing to answer any questions members may pose, particularly with regard to the functionality of Cellebrite and the tool’s ability (or lack thereof) in decoding, parsing, searching, etc.  Anyone who does mobile device analysis can see why Cellebrite hired her: in addition to being a virtual walking encyclopedia of mobile forensic knowledge, she’s a terrific ambassador for the company and a vocal proponent of all the great things we can analyze, report and testify upon with regard to mobile device evidence.  She also hosts a regular webinar, discussing current trends in forensics.  She truly gives of herself, her time and her knowledge to help us all out consistently and is clearly passionate about our field.

Key Influencer #3:  Harlan Carvey

Harlan Carvey is sadly another influencer I’ve never met -- which is odd because he lives about a half an hour from me – but I digress.  Harlan has been in the DFIR game virtually since leaving the USMC.  Included in his resume are heavy-hitters like IBM, Nuix, SecureWorks and CrowdStrike, to whom he’s referred me and my clients several times.  Harlan is probably best known for his books and his contribution to the community with free/open source tools like RegRipper.  Another walking encyclopedia of incident response knowledge, Harlan has penned the books Windows Forensic Analysis, Investigating Windows Systems, Windows Registry Forensics, Perl Scripting for Windows Security and Digital Forensics With Open Source Tools (to name a few).  Basically, go on Amazon and type in Harlan Carvey.  Correction:  he’s not a walking encyclopedia of Windows Forensics, he wrote the encyclopedia!



Harlan has also contributed to our community with his free, open source tool, RegRipper, which does exactly that – rips through your (exported) suspect system registry files to present a clear, concise view of the artifacts contained therein.  While many of us don’t, it’s true that you can perform forensic analysis on PC (and Mac) systems with mainly open-source tools, and if you’re going to do that, I suggest that RegRipper be one of your main, go-to tools in the toolbox.  It’s a fantastic contribution to our community.  Also on Harlan’s Github are presentations that he’s given and other tools/tips that he has shared for the benefit of everyone.

Keeping in line with the “giving of self” theme that is a large component of a contributor to our community, I recall reading a proverbial “tip of the hat” about Harlan, which I believe was written by the aforementioned Brett Shavers.  He stated that Harlan never hesitated to answer his questions and give him guidance.  He was always open, willing and gracious (paraphrased).  I have also seen a bit of this from Harlan myself.  He frequently contributes substantively to conversations on LinkedIn and provided some welcomed guidance to me personally with regard to launching into the incident response realm.  Many of our colleagues simply ignore requests or don’t have the desire to take the time.  Harlan is not one of them.  He is thoughtful and generous… And he’s forgotten more about incident response than I’ll probably ever know.  Harlan also wants you to contribute.  He truly recognizes DFIR as a collaborative community, so if you can pitch in to make RegRipper a better tool, Harlan wants to hear from you!

Key Influencer(s) #4:  The Hawk Analytics Team

Ok, I recognize that a for-profit company may come with a bit of an asterisk on this list, but stick with me…
I’ve been acquainted with the folks at Hawk Analytics for several years and have attended their training.  In case you’re not familiar, Hawk Analytics makes a tool for cellular records analysis called CellHawk, which helps analysts map and display cellular and other location records.  The tool also helps identify known associates by phone number, frequent locations and patterns of usage, incorporates an animated timeline of usage and more.  If you are involved in the analysis and mapping of any records with date, time and GPS coordinates – like records for ankle monitors for sex offenders or those out on bail or parole – CellHawk is a must-have tool.  It’s robust, flexible and keeps improving.


  
But what separates the Hawk Analytics team from others in the industry is their passion and dedication to getting to the facts.  They do not speculate about things which they are either not trained in or the tool isn’t equipped to handle.  Many analysts who are involved in these types of cases erroneously attempt to estimate radio frequency range of cell sites.  This is bad practice without specialized equipment and the team at Hawk Analytics knows this.  Founded by former cellular engineer Mike Melson, Hawk Analytics and their team genuinely have a desire to do good.  Many times behind the scenes, Mike and his team will assist agencies with search & rescue to help find missing and/or endangered persons, despite having families of their own and the obligations of running a company.  Even if you’re not a CellHawk user, their team will be more than willing to discuss quirks or anomalies in your record returns or assist with interpretation based upon their vast experience.  Even though I may do independent CDR analysis for criminal defendants, they’re always willing to help because they are guided by the truth and don’t engage in conjecture or speculation.  

In the spirit of giving to the community, Hawk Analytics also has a free toolbox, which will help you identify the cellular carrier for phone numbers in your case and even compile a preservation letter or search warrant template for you at the click of a button.  Did I mention it’s all free?  Mike and his team truly epitomize professionalism and seek to make a positive difference in their own little corner of the world (i.e., their expertise).  If you value integrity in your vendors, Hawk Analytics is definitely the way to go.

Key Influencer #5:  Larry Daniel

Lastly, in a departure (and perhaps surprise to some), I’d like to give recognition to Larry Daniel of Envista Forensics as being a key influencer in our field.  Having transitioned from law enforcement to the private sector, I have known Larry both in my former life and my current one.  Some of you may not know Larry while some of you may have gone up against him in court.  To be clear, Larry and his company are essentially business competitors of ours, but that’s sort of like saying your local corner convenience store is a competitor with WalMart, as Envista is a much larger operation than Pro Digital and they conduct all manner of forensic analysis, not just digital forensics.  Regardless, I’ve come to know Larry as a savvy businessman and a very knowledgeable and formidable forensic and cellular records analyst.  I respect Larry not only for his business acumen, but for his tenacity.  Larry didn’t have the advantage of the government or a huge corporation sending him through digital forensic training – he did it all himself and learned it from the ground up.  He is, as his son and co-worker described to me once – a “serial entrepreneur”, but one that has had a great deal of success in the private sector side of our industry.  
 


Larry founded and grew Guardian Digital Forensics in Raleigh, NC and several years ago sold the company to Envista Forensics and took over as Principal Consultant of their digital practice.  Since diving head-first into the DFIR pool, Larry has published numerous articles, presented at EnFuse and multiple litigators’ conferences and authored two books, Digital Forensics For Legal Professionals and Cell Phone Location Evidence for Legal Professionals.  These books are fairly basic, but in writing them, Larry tapped into a previously uneducated audience that was severely lacking in knowledge about digital forensics and cellular analysis – criminal and civil litigators and paralegals.  I think it’s safe to say that Larry has written the book(s) on digital forensics for the private sector legal professional.

Practitioners like Larry make everyone better.  They challenge us to cover all the digital bases and make sure we know the evidence when so much is at stake, whether it be child custody, a large sum of money or someone’s freedom.  Quiet professionals like Larry are no different from the quiet professionals that work in DFIR roles in law enforcement, for government contractors and big corporations.  We all strive to get to the truth, analyzing the available evidence and utilizing our training, experience and wisdom.  

Wrapping It Up

This list of DFIR influencers isn’t all-encompassing.  For every person on this list, there are probably hundreds behind the scenes working hard to prove or disprove the incident or allegation.  We all know there are blowhards and charlatans in every industry and digital forensics is no exception.  But we all benefit from the contributions of the people on this list.  It’s my hope that one day, someone can point to an article or a book that I’ve written or a major case that I’ve worked and say that I’ve contributed to the community in a positive way.  Even though all of the people on this list are still active practitioners, their legacy in our field is already carved out.

It’s my hope that this list will continue to evolve over the next year (and beyond) and we can re-visit and tip our hats to five (or so) more influencers that make our industry great and help make us all better at what we do.  Thanks to everyone on this list for all that you do to help us improve and grow… and keep up the great work!

Author: 
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC 
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!

We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Web: www.ProDigital4n6.com
Pro Digital LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc
Patrick Siewert LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  





Wednesday, May 13, 2020

So You Want To Start A Digital Forensic Business



Pro Digital Forensic Consulting is about to embark on its 7th year in full-time operation.  It’s hard to believe that when I made the decision to transition from law enforcement to the private sector, my little company would have come this far, servicing hundreds of clients through the years.  Because of my background and the contact I have with the DF community via this blog and professional associations, I usually receive inquiries about starting up a digital forensic consultancy/business several times a year.  In fact, I got another one just the other day via LinkedIn.  And with the current state-of-affairs (Covid-19 shut down) and people’s livelihoods being somewhat in question, it seems natural that some might consider taking on a new venture.  So, in the spirit of answering some of the frequently asked questions about what to expect if and when someone starts a digital forensic business, it seems a good idea to write down my thoughts and experience for future similar inquiries.  To be clear, I could (and may) write a book about this topic, but this blog is fairly well-established, so it seems the appropriate vehicle for sharing these lessons learned.  As a slight disclaimer, this article and the tips to follow are geared mainly toward sole-proprietor and small consulting firms.  I’m pretty sure Kroll and KPMG have this figured out :).



Tip #1:  Have A Supplemental Income Plan

Virtually no business starts off day 1 churning revenue and making a profit.  When Pro Digital was launched full-time in June of 2014, we billed a whopping $7,800 from that point to the end of 2014.  It would have been much less were it not for one large computer forensic case which accounted for nearly 85% of the billings for 2014.  Alongside the work that went into opening a business, I was also fortunate to have some things to fall back on personally, such as part-time and/or contract work, some of which had nothing to do with forensics.  The take-away here is that it’s important to have a supplemental income source that you can use to help keep your newly-formed lights on while the business is growing and you’re working on creating awareness and “buzz” for the business.  The downside is the marketing and awareness campaigns for your new shingle are a full-time business in themselves, so it can be double the work.  I’ll touch on marketing more in Tip #6.

Tip #2:  Keep Abreast of Trends

Most of my notable work in law enforcement was working for a full-service agency on the Internet Crimes Against Children (ICAC) Task Force.  Accordingly, all of my training and equipment was paid for by grants and other funding.  My last year in law enforcement was in an administrative role for a small campus police department, which had no use for any digital forensic expertise, so the skill sets that I’d worked on for the previous 5+ years sat on a shelf and collected dust.  When the business was launched full-time, I quickly realized how much things had evolved, changed and blown past me for the year I was not doing forensics.  This is a field driven by current events and evolving technology.  Try explaining the differences between the HFS+ and APFS file systems to someone who hasn’t been doing Mac forensics for a year or more.  It’s a vast change and the changes don’t stop.  I was amazed at how much I’d forgotten in that year and the learning curve was much steeper than I would have liked.  It’s imperative to keep up to date with the field.  Blogs, webinars, free training, listservs and colleagues are all great resources to keep current with what’s going on in the world of digital forensics.

Tip #3:  Invest In GOOD Tools & Equipment

The start-up investment capital for Pro Digital was not a lot of money and was all self-funded.  Accordingly, I did some research on tools and cost/benefit analysis on the investment in those tools and/or training.  Initially, I purchased tools and equipment that wouldn’t break the bank and would get the job done.  It wasn’t long before I realized that certain things will save me time and therefore, money.  Along with that, it’s hard to work cases using tools no one has ever heard of before, particularly when the more tech-savvy attorneys with whom I work know the difference between one tool and another.  Some of these tools I still use.  Some of the software companies have basically gone belly-up and some I’ve gotten rid of over the years for one reason or another.  Additionally, some tools have been purchased for case-specific needs.  But the point remains that you need to invest in these things as if you were working a case for a loved one.  Would you want the analyst on your father’s case using sub-par tools that no one really uses?  Probably not.  Spend the money and get the good stuff.  You’ll make your money back many times over.  The adage is true, you have to spend money to make money.

Tip #4:  Be Picky About Your Clients

When you’re hungry, everything looks like filet mignon.  The problem is, if you eat everything you’re “fed”, you’ll have a host of side-effects that will be hard to manage.  We used to work any and all cases that caused the phone to ring.  The most notable and frequent of these are the “I’ve been hacked” cases.  It is an unfortunate truth that there are many mentally ill people in the world and the internet gives them free rein to research to their heart’s content and contact those whom they feel may be able to assist them in whatever issues they believe they are having, many of them tech-related.  But these cases are a forensic and business quagmire.  If you’re fortunate enough to get a client who will actually pay for your services, they will never be happy with the results.  This could eventually have an adverse effect on your professional reputation as well.  This is a reputation and referral-based business, so if you have clients that are in a position to ruin your reputation or malign you publicly, you will likely see fewer referrals over time.

As a matter of policy, Pro Digital has transitioned to a purely litigation support model.  If you are not actively involved in litigation or a representative of a corporation that needs digital forensic services, we likely will not take your case.  If you’ve hired a PI to work your case, we may take it as a referral from a trusted source.  We don’t need anybody’s money *that* badly to work a case for someone who is obviously suffering from some form of mental illness or someone who wants to spy on their spouse to dig up enough dirt to file for divorce.  This is an ethical decision, but can also lead to legal issues if you’re not careful, i.e., theft of property, theft of data, unauthorized access to personal information, etc.  Also consider that if you are the digital forensic equivalent of an ambulance chaser, eventually you’ll devalue these services for everyone, including yourself.  Be picky.  It’s worth it.  You’ll get the clients you want and you’ll preserve your professional reputation, this much I know and have seen first-hand.  The big take-away here is always ensure you have written consent from the owner and/or an order from the court to access whatever you’re acquiring and analyzing.

Tip #5:  YOU Are Your Brand

Digital Forensics is a small community.  Whether you are in law enforcement, have transitioned out of law enforcement or have branched into digital forensics as an arm of your IT or infosec training, we generally know each other and recognize names and faces.  We also recognize when someone is either a charlatan or is pushing an obvious agenda to try and attract clients.  Everything you put out for public consumption (including blog articles) is subject to scrutiny, whether it be by the DF community, potential attorney-clients, opposing counsel, referral sources and/or other professional contacts.  If you have an opinion about something, make sure you’re on solid footing before getting into public discourse about it.  Take this recent example from a public post on LinkedIn from a professional contact (name and ID redacted):



I’ve worked many independent analysis cases for criminal defense attorneys and have been appointed by the court dozens of times.  I don’t know what this person is referring to, nor do I agree with their approach to putting this comment out publicly.  Business is relationships and everything that you put in writing can come back to haunt you.  I’ve received more referrals from my former law enforcement colleagues than I can remember over the years.  Do you know why?  Because I don’t take a public stand with an obvious agenda which maligns professionals.  Not only would I never call out the law enforcement community as essentially being crooked and/or liars, I don’t believe that they are because I haven’t seen it in my 7 years working full time in the private sector.  I have seen errors.  I have seen mistakes.  I have seen over-zealous investigators.  But I have not seen liars. There’s also nothing “science” about this post.  It’s an opinion and it’s part of an agenda to market specifically toward the criminal defense bar.

The reality of our industry is that the majority of who it serves is law enforcement and government, including government contractors.  The government is generally not on the cutting edge of anything, but they’ve certainly been on the cutting edge of digital forensics.  Can private practitioners access tools like GrayKey?  No.  But I have almost never had a need for GrayKey.  Why is that?  Refer back to tip #4.  I virtually always get a pass code and any necessary passwords either by consent or court order.  The only exception to this has been when the owner doesn’t remember the password, usually on an older device.  And to be clear, about 70% of the cases we work deal with mobile devices.

When in business, it may be beneficial to remember the wise words of Michael Jordan, who still has his own shoe brand, despite being out of basketball for over 15 years.  When asked at a press conference why he stays out of politics, his reply was simple:  “Both Republicans and Democrats buy shoes!”  Discretion is the better part of valor.

As a final point to this tip, I was in a discussion with a colleague in law enforcement recently while at a conference.  They said to me very confidently “The customer is always right, so you have to do what the client says no matter what!”  My reply:  “No I don’t!”  What’s the point?  Your professional integrity and reputation are your most valuable assets in this business.  Lose them and you’re done.  We will not alter any facts or data in any report or testimony to counsel or their clients, period.  I’m sorry if the data doesn’t support your case.  The data stands on its own and is irrefutable.  Truth is not fungible.

Tip #6:  Market Yourself (Because No One Else Will)

When I was a member of the ICAC Task Force, I was a fairly big fish in a pretty small pond.  The agency for whom I worked had less than 60 sworn officers and was in a rural area.  I did all of the tech-based investigation, search warrant planning & execution, evidence collection and as time progressed and casework grew, the forensic analysis.  And because many of these cases garnered a lot of public interest, the command staff frequently put me as the media relations person with these cases.  I never liked it.  As a cop, I considered myself a modest personality.  Others nominated me for awards and I was never comfortable in the spotlight.  When I launched the business, I quickly realized all of that had to change.

Because I had media contacts already in place, I offered my knowledge and experience as a local media resource for tech-related stories.  For a while, I was getting multiple calls every week from local media.  Because I had a lot of time (i.e., no clients) in the beginning, I also churned out blog articles virtually once a week.  I issued self-written press releases and worked hard on SEO for the company’s website.  I also began sponsoring several associations for litigators in my area because, as previously noted, this is a referral-based business.  In short, I had to become my own cheerleader because no one else was going to do it.  Furthermore, I learned VERY quickly that just having a good professional reputation and a business does not make the phone ring.  If you build it, they will not come – at least not like they did in Field Of Dreams.

If you want the business, you have to go get it.  And you have to keep on going out there to get it.  The minute you lapse on marketing, the phone will stop ringing.  This is why I’m constantly trying to add fresh content to the Pro Digital website.  Having a website is great.  Paying for Google ads is fine, but content is key.  I had to learn this and be taught what works and what doesn’t over time.  And I still make mistakes and spend money where I probably shouldn’t, but no one gave me a blueprint for running this business.  Tips, advice, counsel & support?  Yes.  But this is such a niche business, it requires a special marketing skill set.  If you don’t have it, you will likely fail.  This is the biggest area I think many ex-law enforcement are not comfortable with and probably what turns many of them off to launching their own business.  Quiet professionals don’t normally like the public spotlight.

Wrapping It Up

Some may read this article and wonder why on earth I would tell potential competitors how to run a successful digital forensic business?  One last tip I’ve learned over the years:  There’s plenty of work to go around.  I find it silly that a competitor of mine seemingly reported the Pro Digital Twitter as “spam”, which caused Twitter to shut it down.  I don’t want their clients.  I have my own and I am fortunate to bring on new ones every month.  If any of these tips can help someone be successful, I’m happy to share what I’ve learned.  No one taught me these things when I started out.  Hopefully by sharing some of these tips, I can pay it forward to the next old cop who wants to try his hand at something new(ish).  Until then, I’m off to work the next case and hopefully clear out my backlog queue.  Good luck!


Thursday, January 9, 2020

Digital Forensics: Theory vs. Practice

As an active digital forensic practitioner for over 10 years, I have attended many training offerings from many different companies/resources, read many white papers published by any number of scientific and academic entities and worked hundreds of active cases for plaintiffs, defendants and in law enforcement covering PC, Mac and mobile device forensics.  One aspect that crosses all of these areas, and that has waned slightly in the last few years but still rears its ugly head, is the set of theoretical questions surrounding digital forensics.  Among these, which we have all heard at one point or another, are hash collisions, data cross-contamination and reverse-engineering a hash value back into the viewable file it was computed from.  While we can Google these theories and findings to death, their practical application in “everyday forensics” is reality-based, not theoretical. 



Hash Collisions

The topic of hash collisions generally comes up when working independent analysis in criminal defense cases.  This digital version of the “some other dude did it” (or SODDI) defense is based upon the theory that two digital files containing completely different data can be run through a hashing algorithm and produce the same result.  Hash calculation is a big part of forensics; in cases dealing with child exploitation images in particular, the hash value is used to locate those sharing illicit images on peer-to-peer file-sharing networks.  We also use hash values to validate evidence files as identical to the original, to filter out known irrelevant system files and to confirm that files are the same across a system or multiple pieces of evidence.  Hashing algorithms such as MD5 and SHA-1 have been “broken” for years, but are still in ubiquitous use in digital forensics.  Why?  Because what has been broken is narrower than the defense implies.  The published attacks are collision attacks: the attacker constructs both files together (identical-prefix MD5 collisions can be generated in seconds on ordinary hardware, and public SHA-1 collisions have existed since 2017).  The SODDI argument requires something different, a second preimage: an innocuous file that happens to match the hash of a specific, pre-existing illicit file.  No practical second-preimage attack exists against MD5 or SHA-1, and the chance of an accidental match against a 128-bit or 160-bit digest is negligible, so the practical application of these collisions to a real case is so minimal it is not even worth mentioning in a court of law.  But rest assured, it still gets mentioned!  The only real application these collisions have is to attempt to obfuscate the facts and/or confuse the finder of fact in a legal proceeding.  Simply put, there are no documented cases where someone accused of downloading or sharing illicit images was falsely accused because the images they downloaded/shared possessed the same hash value as some innocuous files they were attempting to download/share.  Consider the statistical likelihood that someone downloaded/shared an innocuous file which happened to share the same hash value as an illicit file and also was on a police watch list where a search warrant was executed.  All of those factors being in place at once is very unlikely.  The cheap, procedural answer to the argument is to record and verify evidence with two algorithms, one of them from the SHA-2 family, and to treat a match on one algorithm with a mismatch on the other as a file to look at rather than a file to filter out.

While we are constantly testing, honing and refining our knowledge in the field of digital forensics and we may even work in a “lab”, the fact remains that at a practical level the published collisions are only what they are.  Anyone can reproduce them (the colliding file pairs are public and the collision generators run on ordinary hardware), but doing so yields two files built together by the person running the tool, never an innocuous file matched to evidence that already existed.  None of us has seen a collision against a pre-existing evidence file “in the wild”, so to speak.  They are reserved for a theoretical lab environment where the sole purpose is to find and publish the collision, not to find and report the truth in the evidence.
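The dual-algorithm verification described above, as an added example rather than anything from the post or the author's own tooling.  It hashes an image in one pass, checks it against the digests logged at acquisition, and classifies files against a known-file set so that an MD5 match with a SHA-256 mismatch is surfaced for review instead of being silently filtered.  The image bytes, the “system file” and the hash-set entries are all constructed for the demonstration; the entry whose MD5 matches the image but whose SHA-256 does not is a deliberately planted stand-in for the collision the SODDI defense hypothesizes.

```python
"""Dual-algorithm evidence hashing: an added example, not code from the post.

hash_stream/hash_file compute several digests in one pass, verify_image checks
an image against the hashes recorded at acquisition, and classify_known shows
the check that turns a hypothetical MD5 collision into a reviewable event.
All file contents and hash-set entries are constructed for the demonstration.
"""
import hashlib
import io
import os
import tempfile

ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # 1 MiB reads, so multi-gigabyte images never land in RAM
STRONG = {"sha256", "sha384", "sha512"}


def hash_stream(fh, algorithms=ALGORITHMS):
    """Return {algorithm: hexdigest} computed in a single pass over a stream."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for block in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    return hash_stream(io.BytesIO(data), algorithms)


def hash_file(path, algorithms=ALGORITHMS):
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_image(path, recorded):
    """Compare the image on disk with the digests logged at acquisition.

    `recorded` maps algorithm name -> hexdigest. Returns (verdict, per_algorithm):
    'mismatch'  - at least one recorded digest no longer matches;
    'weak-only' - every digest matches but only MD5/SHA-1 were recorded, so the
                  record should be extended with a SHA-2 digest;
    'verified'  - everything matches and a SHA-2 digest is part of the record.
    """
    current = hash_file(path, tuple(recorded))
    per_alg = {name: current[name] == recorded[name].lower() for name in recorded}
    if not all(per_alg.values()):
        return "mismatch", per_alg
    if not STRONG & set(recorded):
        return "weak-only", per_alg
    return "verified", per_alg


def classify_known(hashes, known_set):
    """Classify a file against known-file entries keyed by MD5.

    Each entry is {'md5': ..., 'sha256': ...}. 'known' requires both digests to
    agree; an MD5-only agreement is flagged for review instead of being
    filtered out, which is what makes an MD5 collision a non-event.
    """
    entry = known_set.get(hashes["md5"])
    if entry is None:
        return "unknown"
    if entry["sha256"] == hashes["sha256"]:
        return "known"
    return "md5-only-match: review"


def demo():
    """Exercise the checks on a constructed image and hash set; return verdicts."""
    image_bytes = b"MBR" + bytes(range(256)) * 16   # constructed "disk image"
    system_dll = b"MZ constructed system file"       # constructed known file
    with tempfile.TemporaryDirectory() as d:
        image = os.path.join(d, "evidence.dd")
        with open(image, "wb") as fh:
            fh.write(image_bytes)
        record = hash_file(image)                     # what acquisition logs
        intact, _ = verify_image(image, record)
        weak, _ = verify_image(image, {"md5": record["md5"]})
        with open(image, "r+b") as fh:                # flip one byte of the image
            fh.seek(10)
            b = fh.read(1)
            fh.seek(10)
            fh.write(bytes([b[0] ^ 0xFF]))
        tampered, _ = verify_image(image, record)

    dll = hash_bytes(system_dll)
    known_set = {dll["md5"]: {"md5": dll["md5"], "sha256": dll["sha256"]}}
    # Constructed entry whose MD5 equals the image's but whose SHA-256 does not:
    # a planted stand-in for the collision the SODDI defense hypothesizes.
    img = hash_bytes(image_bytes)
    known_set[img["md5"]] = {"md5": img["md5"], "sha256": "0" * 64}
    return {
        "intact": intact,
        "weak_record": weak,
        "tampered": tampered,
        "dll": classify_known(dll, known_set),
        "image": classify_known(img, known_set),
        "other": classify_known(hash_bytes(b"unrelated"), known_set),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} {verdict}")
```

Running the file prints one verdict per scenario.  The one-pass design matters on real images: reading a terabyte once and feeding every hasher from the same buffer costs the same I/O as computing MD5 alone, so there is no time argument for recording only the weak digest.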

Data Cross-Contamination

Before I discuss the practicality of data cross-contamination, I’ll insert a disclaimer that I understand that using sterilized media to store forensic data and conduct analysis is mentioned as a potential best practice, as detailed in the Scientific Working Group on Digital Evidence (SWGDE) Best Practices for Computer Forensic Acquisitions (v. 1.0).  One of the reasons given for this is to avoid data cross-contamination.  What is that?  It is the theory that if you store data to be analyzed on a piece of media that has not been sterilized (i.e., wiped and verified before the data is placed on it), some data from a previous or unrelated case could become part of the current case analysis, contaminating the results with unrelated data.  This is a viable theory when dealing with physical evidence such as DNA samples or fingerprints, but it has very little, if any, practical application in digital forensics when the evidence is stored as a container file.  Consider a forensic image such as an .e01, raw or .zip file: its contents are bounded by its own size, and copying that file onto non-sterilized media does not mix or commingle it with pre-existing data on that media, because the analysis tool reads the file, not the surrounding sectors.  The one place residue from prior use does matter is a disk-to-disk duplication or a restore of an image onto physical media.  If the target is larger than the source and was not wiped, every sector beyond the end of the clone still belongs to whatever was on the target before, and a carving tool pointed at the target device rather than at the image file will recover that old data alongside the new.  I’ve heard one claim of data cross-contamination from another examiner, but anecdotes are not data, nor was the claim ever validated.  We sterilize the media, not because we’ve ever seen it affect any cases, but to avoid questions about it when testifying. 
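The disk-to-disk edge case, simulated, as an added example that is not part of the post.  A small file stands in for a target drive that previously held another case's data; a shorter constructed image is cloned onto it at offset 0, once without wiping and once after a wipe-and-verify, and the target is then carved for the old case's marker.  The sector size, the marker and both images are constructed for the demonstration; the container-file case (an E01 copied onto a filesystem) is not simulated because the analysis tool only ever reads the container there.

```python
"""Wipe-and-verify versus clone-onto-used-media: an added example, not the post's code.

A small file stands in for a target disk that previously held another case's
data. NEW_IMAGE is cloned onto it disk-to-disk style, with and without
sterilising first, and the target is then carved for the old case's marker.
All contents are constructed for the demonstration.
"""
import os
import tempfile

SECTOR = 512
OLD_MARKER = b"PRIOR-CASE-EXHIBIT-7"            # constructed residue from an earlier job
NEW_IMAGE = b"NEWCASE" + bytes(range(256)) * 8  # constructed 2,055-byte source image


def make_used_target(path, sectors):
    """Create a target that already carries data: every fourth sector holds OLD_MARKER."""
    with open(path, "wb") as fh:
        for i in range(sectors):
            if i % 4 == 3:
                fh.write(OLD_MARKER.ljust(SECTOR, b"\xaa"))
            else:
                fh.write(b"\x55" * SECTOR)


def wipe(path):
    """Overwrite every sector of the target with zeros."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(size // SECTOR):
            fh.write(b"\x00" * SECTOR)


def verify_wiped(path):
    """The 'verify' half of wipe-and-verify: True only if every byte reads as zero."""
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(1 << 20), b""):
            if block.count(0) != len(block):
                return False
    return True


def clone(image, path):
    """Disk-to-disk style restore: write the image at offset 0 and touch nothing else."""
    with open(path, "r+b") as fh:
        fh.write(image)


def carve(path, marker):
    """Return every offset at which `marker` occurs on the target device."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    pos = data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits


def demo(sterilise, sectors=16):
    """Clone NEW_IMAGE onto a used target of `sectors` sectors and carve the result."""
    with tempfile.TemporaryDirectory() as d:
        target = os.path.join(d, "target.dd")
        make_used_target(target, sectors)
        wiped_verified = None
        if sterilise:
            wipe(target)
            wiped_verified = verify_wiped(target)
        clone(NEW_IMAGE, target)
        return {
            "wiped_verified": wiped_verified,
            "stale_hits": carve(target, OLD_MARKER),  # old case's data still carvable?
            "new_hits": carve(target, b"NEWCASE"),
        }


if __name__ == "__main__":
    print("unwiped:", demo(False))
    print("wiped:  ", demo(True))
```

On the unwiped run the clone overwrites only the first 2,055 bytes, so the marker in sector 3 disappears but the copies in sectors 7, 11 and 15 survive and carve out as if they were part of the new case; after the wipe they are gone and the verify step documents that fact before any evidence touches the media.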



Hash Value Reverse-Engineering

Having obtained much of my initial training in law enforcement and, as such, working a majority of cases involving illicit images, I can recall being trained that catalogs of illicit image hash values are law enforcement sensitive and not to be disseminated to independent examiners or to the general public.  Why?  Because someone could potentially and theoretically reverse-engineer the hash value to re-create the file, which would be illegal.  This came up again in a case I worked independently in 2019.  I thought this theory and explanation was long gone, but it is not.

The problem with the theory of reverse-engineering a hash value is that I’m not sure it’s ever been done, at least not at a practical level.  Nor could it be.  A cryptographic hash maps a file of any size to a fixed-length digest (128 bits for MD5, 160 for SHA-1), so the digest cannot hold enough information to rebuild a multi-megabyte image, and by simple counting an enormous number of different inputs share any given digest.  Recovering the specific original file would be a preimage attack, and no practical preimage attack exists against MD5 or SHA-1; the published breaks are collision attacks, where the attacker constructs both inputs.  A more defensible reason to keep hash sets close is narrower: a circulated list lets anyone test whether a particular file is already known to law enforcement.  And I don’t know anyone who actively practices digital forensics who either 1) has the knowledge, skills and abilities to attempt an inversion and/or 2) has the desire to do it.  So why is it still mentioned as a consideration in cases?  (Hint: see the above note about obfuscation and confusion).
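What “inverting” a digest would actually give you, as an added example that is not part of the post.  A full-length MD5 or SHA-256 preimage is out of reach, so the search is run against a truncated SHA-256 (the top 8, 12 or 16 bits) over a constructed input space of every 3-byte string.  SECRET is a constructed stand-in for the file whose hash was published; the point is that even where the search succeeds it returns many unrelated inputs, none of them the original.

```python
"""Preimages of a digest: an added example, not code from the post.

Recovering a file from its hash would be a preimage attack. Full-length MD5 or
SHA-256 preimages are out of reach, so this brute-forces preimages of a
*truncated* SHA-256 over a constructed input space (every 3-byte string) to
show what an inversion would even give you: many unrelated inputs, not the file.
"""
import hashlib

SECRET = b"constructed stand-in for an illicit file"  # the file the hash came from


def truncated_digest(data, bits):
    """The top `bits` bits of SHA-256(data), as an integer."""
    full = int.from_bytes(hashlib.sha256(data).digest(), "big")
    return full >> (256 - bits)


def find_preimages(target, bits, max_inputs):
    """Every 3-byte input (counter-encoded, up to max_inputs) whose truncated digest is `target`."""
    hits = []
    for i in range(max_inputs):
        candidate = i.to_bytes(3, "big")
        if truncated_digest(candidate, bits) == target:
            hits.append(candidate)
    return hits


def survey(bits_list=(8, 12, 16), max_inputs=1 << 16):
    """For each truncation length, how many distinct inputs share SECRET's truncated digest."""
    return {bits: len(find_preimages(truncated_digest(SECRET, bits), bits, max_inputs))
            for bits in bits_list}


def all_hits_match(bits, max_inputs=1 << 16):
    """Sanity check: every reported preimage shares the truncated digest and none is SECRET."""
    target = truncated_digest(SECRET, bits)
    hits = find_preimages(target, bits, max_inputs)
    return bool(hits) and all(truncated_digest(h, bits) == target and h != SECRET for h in hits)


def expected_count(bits, max_inputs=1 << 16):
    """Pigeonhole estimate of preimages in the searched space: inputs / 2**bits."""
    return max_inputs / 2 ** bits


if __name__ == "__main__":
    for bits, found in survey().items():
        print(f"{bits:2d}-bit digest: {found} preimages found, ~{expected_count(bits):.0f} expected")
```

Halving the digest to 8 bits yields on the order of 256 different “files” with the same truncated hash among only 65,536 candidates, and each added bit halves that count while doubling the work to find the first one.  Scaled to a 128-bit MD5 of a megabyte-sized image, the search is 2^128 trials and the answer, if it could be found, is one of roughly 2^(8,388,608 − 128) inputs sharing that digest.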

Wrapping It Up

I’m not an academic or a lab-rat.  I’m just an old(ish) retired investigator with some skillsets that can often be of benefit to parties involved in litigation.  Because of that, I’m concerned with the practicality of digital forensics – What is the best way to get the case analyzed?  What evidence is relevant?  Where do I need to look for the evidence?  What am I missing that could potentially answer important questions?  Theoretical considerations like those mentioned here are not worthy of much calorie-burning when trying to answer these questions.  In the pragmatic world of digital forensics, we have to consider what is, not what could be.  Because the truth lies in the facts of the case and the data which is part of the case, not on theory of what could or may have happened… And likely did not! 

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
Email:  Inquiries@ProDigital4n6.com
Twitter: @ProDigital4n6