Monday, July 18, 2016

The Digital Forensic Answer: It Depends

In life, we rarely get solid answers.  The same is true in many forensic disciplines.  Indeed, even when answers are put forth as solid, years of scrutiny, challenges and vetting can reverse them (see: FBI hair comparison “forensics”).  One of the things that really appeals to me about digital forensics as an investigator is that when you are able to find the answer, it’s pretty definitive… most of the time.  But with computer and mobile technology increasing in complexity and in how it intertwines with our daily lives, the universal answer in digital forensics is still “it depends”.  Think about it: when is the last time you worked a case where you had all of the answers?  Even cases where the evidence is solid can leave a sliver of doubt or another stone that could have been turned over.  We can’t examine every bit of data in every case, so we concentrate on what is relevant, what is possible and what is valuable to the case.  The variables still play into our conclusions, so we conduct as thorough an analysis as we can, given time and case-specific constraints, publish our conclusions and trust in our ability, training and experience.  That’s practical digital forensics.

Routinely, we get calls from attorneys and other prospective clients asking if we can find key pieces of evidence in their case.  The answer I always give is: it depends!  Now, as a private practitioner, I know clients don’t like to pay money for a “maybe”, but sometimes that’s the nature of the beast.  Generally I tell them that the sooner you can get me the evidence and the more information you can provide, the better chance we’ll have of finding and reporting the data you need in your case.  This is naturally true in law enforcement as well, but most governmental examiners have the benefit of what I call “time capsule evidence”: evidence that is seized under a lawful order at a specific point in time and (hopefully) is not destroyed or altered after the seizure.  In private practice, that doesn’t always happen, so the universal answer is… It depends!

Dependent Variables in Computer Evidence Analysis

Generally speaking, the “it depends” factor in computer-based (PC/Mac, etc.) cases is a little lower than in mobile cases (to be discussed next).  However, it’s still present.  Some of the factors that affect whether or not we’ll be able to find evidence include:

·       The time between the alleged incident and the creation of the forensic image
·       The usage (if any) of the system since the alleged incident, and that user’s behavior
·       Whether the evidence being sought is suspected to have been deleted
·       The type of data being sought in the investigation

I’ll elaborate a bit in a few “real-world” examples:  Last year, Pro Digital was retained in a corporate case involving alleged theft of intellectual property by a former employee.  Upon discovery of the potential violation, the custodian of the company’s computers immediately stopped all use on the suspect computer system and locked the system in a safe place with limited access.  He then called us and the case progressed from there.  We were able to find definitive evidence that the ex-employee transferred vital information to a thumb drive and presented this evidence in court.  That’s a textbook example of what should happen.

By contrast, we recently investigated a case concerning the time frame in which a document was submitted, which relied heavily on analysis of the document’s metadata.  Unfortunately, the alleged incident had happened 8 months prior.  Not only was there 8 months of potential usage, alteration and deletion on the system, but the user’s system had also been updated and replaced within that 8-month window.  And no, they couldn’t locate the old system for us to analyze.  The request, analysis of document metadata, is a fairly simple one.  However, the case was complicated by factors related to time and usage.  So as you can see, it really depends!
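To show what the “fairly simple” metadata request above actually involves, here is an added example (not from the original post or from Pro Digital) that reads the core-properties part of an OOXML package (.docx/.xlsx/.pptx) and runs a few consistency checks on it. The package, user name and timestamps are constructed for the example; the checks illustrate the kind of contradiction an examiner looks for, not proof of tampering, because every one of these fields is written by the editing application and can be set by the user.

```python
"""Added example: extract OOXML core-properties metadata and flag
internal contradictions.  All sample data below is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed docProps/core.xml.  Note that 'created' is LATER than 'modified',
# which an editor would not normally produce on its own.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>jdoe</dc:creator>
 <cp:lastModifiedBy>jdoe</cp:lastModifiedBy>
 <cp:revision>3</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2015-11-03T14:22:10Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2015-11-02T09:01:55Z</dcterms:modified>
</cp:coreProperties>"""

ZIP_EPOCH = datetime(1980, 1, 1, 0, 0, 0)


def build_sample_docx(zip_entry_time=(2016, 3, 14, 10, 5, 0)) -> bytes:
    """Build a minimal .docx-like package in memory (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in (("docProps/core.xml", SAMPLE_CORE_XML),
                           ("word/document.xml", b"<w:document/>")):
            info = zipfile.ZipInfo(name, date_time=zip_entry_time)
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, data)
    return buf.getvalue()


def parse_w3cdtf(text):
    """W3CDTF as Office writes it: 'YYYY-MM-DDTHH:MM:SSZ' or with a UTC offset."""
    if text is None:
        return None
    text = text.strip()
    if text.endswith("Z"):
        text = text[:-1] + "+00:00"
    dt = datetime.fromisoformat(text)
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def read_core_properties(package: bytes) -> dict:
    """Return the core properties plus the zip entry timestamps of every part."""
    with zipfile.ZipFile(io.BytesIO(package)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
        entry_times = {i.filename: datetime(*i.date_time) for i in zf.infolist()}

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    rev = text("cp:revision")
    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": int(rev) if rev and rev.isdigit() else None,
        "created": parse_w3cdtf(text("dcterms:created")),
        "modified": parse_w3cdtf(text("dcterms:modified")),
        "zip_entry_times": entry_times,
    }


def consistency_findings(props: dict) -> list:
    """Leads, not proof: each check flags a combination a normal edit history
    would not produce."""
    findings = []
    c, m = props["created"], props["modified"]
    if c and m and c > m:
        findings.append("created is later than modified")
    if props["revision"] == 1 and c and m and c != m:
        findings.append("revision 1 but created and modified differ")
    # Microsoft Word stamps every zip entry with the zip epoch (1980-01-01 00:00);
    # realistic entry times point to a package written or repacked by another tool.
    if any(t != ZIP_EPOCH for t in props["zip_entry_times"].values()):
        findings.append("zip entry timestamps are not the 1980-01-01 epoch Word writes")
    return findings


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    print({k: v for k, v in props.items() if k != "zip_entry_times"})
    print(consistency_findings(props))
```

Run against a real package, the same two functions give you the creator, last-modified-by, revision count and the created/modified pair in one place, with the zip-level timestamps as an independent second opinion on what wrote the file. None of it survives a “save as” into a new document, which is exactly the kind of usage the 8-month delay above allows.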

Dependent Factors in Mobile Device Analysis

While the “it depends” factor exists in many computer cases, that same factor is virtually always present in mobile device analysis cases.  Think about how often we use our mobile devices.  I recently attended a seminar in which the estimated number of times per day we look at our mobile devices was reported to be between 150 and 250.  While we’re fortunate as examiners that mobile devices store more data with each new generation of device, we use them so much that these user-dependent factors often affect whether or not we can get the data that is necessary to help prove or refute a claim.


For example, I recently did some rudimentary testing with regard to how images & videos are stored on an Apple iPhone 5s, which was running iOS 9.3.2.  I was able to quickly identify the file naming convention and locate the pictures.  Most forensic tools will do that natively anyway.  But when I looked at the SQLite database table for the pictures, I found that the deleted information and metadata for older files was no longer available.  More recent deleted pictures and their associated metadata were still recoverable, but the older ones, which were taken on another device with an older operating system and transferred via iCloud backup, were not available.  So when we say “it depends” with mobile devices, we are referring to factors such as:

·       Device make/model/manufacturer
·       Operating system version
·       Age of data being sought in the investigation
·       Potential deletion of data being sought in the investigation
·       Forensic tools utilized by the investigator for extraction and analysis
·       Overall device storage capacity
·       User behavior

And that’s really just the tip of the mobile device iceberg.  When we also factor in the multitude of apps available on the market which may store valuable data, how the data is stored within those apps (e.g., encrypted or encoded) and what type of data that may be, two things become clear:  First, whether we can get the data that is needed in a particular case really does depend on many factors, and second, the potential value of that data, if recoverable, cannot be overstated.
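The iPhone observation above (recent deleted pictures still recoverable from the SQLite table, older ones gone) has a mechanical explanation that is worth seeing in code. The following is an added example, not code from the original post or from Pro Digital, and it does not use Apple’s real Photos schema: it builds a small, constructed photo-index database, deletes two rows, and then carves the raw file for remnants in the b-tree page freeblocks and unallocated space, once with SQLite’s secure_delete off and once with it on.

```python
"""Added example: why deleted SQLite rows are sometimes recoverable and
sometimes not.  The schema, file names and coordinates are constructed."""
import os
import re
import sqlite3
import struct
import tempfile

SAMPLE_ROWS = [
    (1, "IMG_0001.JPG", "2016-06-01 09:14:03", 37.5407, -77.4360),
    (2, "IMG_0002.JPG", "2016-06-02 14:05:11", 37.5538, -77.4603),
    (3, "IMG_0003.JPG", "2016-06-03 18:47:29", 37.5215, -77.4314),
    (4, "IMG_0004.JPG", "2016-06-04 07:30:00", 37.5600, -77.4700),
    (5, "IMG_0005.JPG", "2016-06-05 21:12:45", 37.5300, -77.4500),
]
DELETED = ("IMG_0002.JPG", "IMG_0004.JPG")


def build_sample_db(path, secure_delete):
    """Create the table, insert five rows, then delete two of them."""
    con = sqlite3.connect(path)
    # secure_delete=ON makes SQLite zero freed cell content; OFF leaves it in place.
    con.execute("PRAGMA secure_delete=%s" % ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE assets (id INTEGER PRIMARY KEY, filename TEXT,"
                " taken TEXT, lat REAL, lon REAL)")
    con.executemany("INSERT INTO assets VALUES (?,?,?,?,?)", SAMPLE_ROWS)
    con.commit()
    con.execute("DELETE FROM assets WHERE filename IN (?,?)", DELETED)
    con.commit()
    con.close()


def carve_strings(path, min_len=4):
    """Return printable strings found in the freeblocks and unallocated space
    of every table-leaf page (type 0x0D).  Live cell content is skipped."""
    with open(path, "rb") as f:
        data = f.read()
    page_size = struct.unpack(">H", data[16:18])[0]
    if page_size == 1:                      # header encodes 65536 as 1
        page_size = 65536
    found = []
    for pno in range(len(data) // page_size):
        page = data[pno * page_size:(pno + 1) * page_size]
        hdr = 100 if pno == 0 else 0        # page 1 carries the 100-byte file header
        if page[hdr] != 0x0D:
            continue
        first_free, ncells, content_start = struct.unpack(">HHH", page[hdr + 1:hdr + 7])
        if content_start == 0:
            content_start = 65536
        # Unallocated region: after the 8-byte header and cell pointer array,
        # before the cell content area.
        regions = [page[hdr + 8 + 2 * ncells:content_start]]
        # Freeblock chain: each block starts with a 2-byte next pointer and a
        # 2-byte size (including the 4-byte header), so the first four bytes of
        # a freed cell are always overwritten; the rest of the record remains.
        off, hops = first_free, 0
        while off and hops < 1000 and off + 4 <= len(page):
            nxt, size = struct.unpack(">HH", page[off:off + 4])
            regions.append(page[off + 4:off + size])
            off, hops = nxt, hops + 1
        for blob in regions:
            found.extend(s.decode("ascii")
                         for s in re.findall(rb"[ -~]{%d,}" % min_len, blob))
    return found


def deleted_names_recoverable(secure_delete):
    """Build the sample db with the given secure_delete setting and report
    which deleted file names still appear in freed space."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    try:
        build_sample_db(path, secure_delete)
        remnants = carve_strings(path)
        return sorted(n for n in DELETED if any(n in s for s in remnants))
    finally:
        os.remove(path)


if __name__ == "__main__":
    print("secure_delete=OFF ->", deleted_names_recoverable(False))
    print("secure_delete=ON  ->", deleted_names_recoverable(True))
```

With secure_delete off, both deleted file names (and the timestamp that followed each in the record) are still sitting in the page; with it on, the same carve finds nothing. That single pragma, along with whether the app or OS has run a VACUUM (which rewrites the file) and whether recent changes still live in a -wal file rather than the main database, is a large part of why a deleted-record hunt on one device and OS version succeeds and the same hunt on another comes up empty. Commercial tools do this carving for you, but knowing what they are looking for tells you when “not found” means “never there” versus “overwritten”.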

Dependent Factors in Call Detail Record (CDR) Analysis

As detailed in a previous article, call detail and cell tower records can prove vital in a wide variety of cases.  However, the “it depends” factor is present here as well.  The unfortunate part is that some of the dependent factors with regard to call detail records are out of the examiner’s control, because they reside in the policies of the cell provider, among other factors.  The most common question in this world of data analysis is, “what is the range of a cell tower?”  Well, it depends!  In the most basic terms, a tower’s effective range extends only as far as the point where a handset is better served by the next closest cell tower of the same provider.  However, other factors also play into cell tower range, including:

·       Number of mobile devices connected to the tower at the time of interest (load)
·       Geographical terrain/topography (trees, hills, buildings, etc.)
·       Tower maintenance, both scheduled & unscheduled
·       Manufacturer, age, height & type of cell tower
·       Handset-specific factors, such as antenna strength



Just as with forensic analysis of computers and mobile devices, time is of the essence in call detail record analysis.  The closer to the alleged incident you can request the data from the cell provider (via search warrant, court order, etc.), the better chance you’ll have to get more data, which could add great value to the case.

Wrapping it up

To most digital forensic examiners, the concept of “it depends” will not be a new one.  I was first taught that it really does depend while attending BCERT at the National Computer Forensics Institute by a savvy and knowledgeable attorney.  She was very correct and I’ve seen this played out in case after case ever since.

Even though the examples listed here are just a fraction of the dependent factors in the various types of analysis, hopefully it’s now clear that clearly-defined answers are rare in many areas of digital forensics and that the answers are always case-specific.  Naturally, it bears noting that the training and experience of your examiner is a huge factor in determining whether or not you are getting all of the information you can get in your case, so choose your examiner wisely and carefully… Because success or failure can depend on that too!


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Tuesday, July 5, 2016

Link to Forensicator Podcast #103: Magnet Axiom

Pro Digital Forensic Consulting Principal Consultant, Patrick Siewert talks with Jamie McQuaid, Digital Forensic Consultant at Magnet Forensics about their new tool, Axiom.  They discuss what went into the design of Axiom, what the tool offers, what you can do to help the tool grow and more!

The podcast is linked here on SoundCloud:
https://soundcloud.com/pro-digital-forensics/forensicator-no-103-magnet-axiom

And may also be downloaded on iTunes.

Please check out the podcast and Magnet Axiom and let us know what you think!


Thursday, June 16, 2016

Holistic Mobile & Cellular Investigations


I’ve been attending a lot of training lately.  Because my training and experience began in law enforcement and in computer forensics, and because the field of mobile device forensics has exploded so much, I have been catching up on newer methods & tools for computer analysis and getting additional formal training, education and experience in the field of mobile device forensics.  Two of the courses I’ve completed in the past couple of months are the IACIS Mobile Device Forensics (MDF) course and the Smartphone Forensics and Cellular Technology (+SMART) course offered by PATCTech and Lead Instructor, Glenn Bard.  To be clear, many of the ideas in this blog were not originally my own, but I also haven’t seen them compiled in one place (i.e., I’ve been to multiple trainings to glean this information), so I wanted to put them forth in a concise blog entry for consideration in the greater digital forensic & investigative community.

What Does “Holistic” Mean in Mobile Forensic Investigations?

The Scientific Working Group on Digital Evidence (SWGDE) states in its document entitled Best Practices for Mobile Phone Forensics that “Various tools at multiple levels of analysis may be required to provide a holistic view of the data contained within the mobile phone, identity module, or associated storage media.” This notion of a “holistic view of the data” is repeated in different terms in publications by NIST and other digital forensic standards bodies.  But what does “holistic” mean with regard to mobile forensics?  It means attempting to gain as complete a picture of the evidence as possible, in every investigation.  This is generally taken to mean that we should invest in, validate and use multiple forensic tools in order to ensure we have all of the evidence and information we can get.  In mobile device forensics this is particularly important because mobile devices run the gamut of software versions, hardware manufacturers, network providers, natively supported and unsupported apps and so on.  Obtaining a holistic view of the data becomes especially important when the search may involve deleted items such as text messages, web(kit) history, app communications and other important evidence stored in the multitude of SQLite database tables.

But the SWGDE document doesn’t address other sources of evidence, like wireless (wifi) routers, call detail records (CDRs) and IP connection logs.  As Glenn Bard reiterates in the +SMART course, each of these valuable sources of data, when combined with the mobile forensic examination of the device itself, can help put the pieces of the digital puzzle together to tell us virtually the entire story.  For instance, if you seize the mobile device of a suspect accused of illicit communication with a minor, they may have been using a mobile app such as Yahoo! Messenger to facilitate this communication.  When they’re communicating away from home or work, the call detail records and data logs will help corroborate the data usage and possible location at the time of communication, and will provide data to compare to the Yahoo! Messenger chat logs recovered through your mobile forensic examination.  If the device is seized at a known location (such as home or office), the wifi router can be interrogated to see when the device was connected (if it still retains such records; many consumer routers keep only a short, volatile lease table or log), and that can be compared to the gaps in cellular data connectivity.  The router will also display the external IP address, which can be compared to the search warrant or court-ordered connection logs received from Yahoo! (and yes, I know that no kids use Yahoo! Messenger anymore, but just go with it).  When you put all of these pieces together, it becomes clearer what is meant by a holistic mobile forensic investigation.  Furthermore, when you research the suspect through online databases and background checks, even more information lends itself to the investigation.  The amount of data we can obtain in order to prove or disprove the case is staggering.



Other Cases Investigated Holistically

Criminal cases often yield the most available evidence because the stakes can be very high, but the hunt by no means ends there.  Consider these brief examples of where putting all of these data sets together can help paint a clear picture for the judge & jury when representing clients in other types of cases as well:

Missing Persons

Whether the search is for a missing adult, an endangered person or a child who, like many children in the modern era, has a smart phone, there is information available to help find them through call detail records, mobile device backups stored on computer systems and cloud data.  The key, however, is to look in ALL available areas and to keep the attempts at communication with the mobile device ongoing as long as possible.  When we consider that the mobile device the missing person has in their possession has the capability to tell us where they are or were last known to be, the power of that data in the hands of the right person to help bring them home or find them is undeniable. A case-specific example of this is located here.

Personal Injury

Insurance companies and law firms working large-claim personal injury cases can use mobile data to help prove or disprove the claim through an independent digital forensic analyst.  Even if you can’t get the claimant’s cell phone (which you should be able to), the call detail records can often put the claimant in a certain location during the time of the incident or apart from the incident location.  Are they claiming a nebulous neck or back injury that can’t be effectively diagnosed?  Do you have doubts about the veracity of their claim?  A court order to turn over all cellular connection detail records before, during and after the time of the incident can help prove or disprove the claim.  Even the lack of usage as compared to normal usage can be useful information when dealing with a potentially false claim.

On the plaintiff’s side, obtaining a court order to produce the defendant’s mobile device for analysis is always a good idea.  Going further and getting their call detail records in cases such as texting-while-driving claims, negligence, malfeasance or civil claims arising from criminal charges or an investigation could help prove the case as well.




Divorce & Child Custody

It’s a fact that many divorce claims originate from alleged infidelity on the part of one or both parties, but how do you prove it?  Time & location.  We routinely work cases where one party in a divorce has filed a Motion to Compel the opposing party to produce their mobile device, which is generally great evidence.  But by also obtaining a court order for call detail records and tower location data, we can map out a timeline of locations based upon the data.  Put that information together with the known or suspected location(s) of other involved parties and it paints a pretty damning picture.  As I tell groups all the time, affairs are conducted on mobile devices.  Plain & simple.

If the claim involves child custody and one party believes the other is engaged in some inappropriate, unwanted or even illicit behavior, these same records can help prove or disprove that as well.  It’s all about the data and the ability to put it all together for presentation to a judge or jury, which is an intangible asset that every forensic examiner must have.

Fraudulent Insurance Claims

I’m sure by now the point is becoming clear, but it bears pointing out that when an insurance company is presented with a high-dollar claim of damage to property or loss, all of this mobile device & cellular data can be immensely helpful.  Most Special Investigative Unit (SIU) investigators probably don’t know what is available, but simply consider that there are more mobile devices on planet earth than there are people.  That means that virtually everyone has at least one, and with only five major cell providers in the US, the search for the data you need to help prove whether or not the claim is fraudulent becomes a bit narrower.  Questions that can be answered include:

·       Where was the claimant (or their device) before, after or at the time of the incident?
·       What was the level of usage before, during and after the incident?
·       To whom did the claimant send text messages, picture messages, calls, etc. around the time of the incident?
·       Were there any data connections before, during or at the time of the incident and from where?
·       If the mobile device can be analyzed, does the information contained in the above-cited records mesh with what is present on the mobile device?
·       Is spoofing being claimed?  If so, call detail records can help identify the originating number(s) and/or locations.

Conclusions

Hopefully by now, law enforcement, civil attorneys and investigators can start to see the impact this mobile device data and analysis can have on their cases.  Does this take a lot of time and analysis? Absolutely!  But anything worth doing is worth doing right, and in mobile digital investigations, the right way is the holistic way – leaving no stone unturned and getting all of the available information into the hands of the people who know what to do with it. 

Some tips that can increase the likelihood of finding the evidence you need in the cited examples include:

  • If looking to use call detail and cell tower records to find someone, keep calling the phone, even if it goes to voicemail.  Cell tower location data depends on the device communicating with the towers, so even if the call doesn’t go through, it will keep the breadcrumb trail going until the device is discarded and/or the battery dies.
  • Know the limitations of record keeping by cell providers in its various forms, and submit a preservation letter as soon as practicable when cell records may be a factor in your case.  Records aren’t kept forever, and different carriers keep different data sets for different amounts of time.
  • Don’t forget about the not-so-obvious places evidence might be stored, such as computer backup files, discarded devices from a recent upgrade and even cloud data. All of this can help a properly trained examiner and investigator get a more holistic view of the case.


We don’t use one tool.  We never look at the data from just one perspective and we discourage clients who want us to do so.  Is every piece of information always going to be available in every case?  No.  But the more information we have during the investigation, the better equipped we are to help prove or disprove the theory of the case and paint the best picture possible for the judge and/or jury.


