Friday, May 13, 2016

Don’t Forget the Victim (And Their Device)!

Regardless of whether your case involves computers, tablets, iPhones, Android devices or all of the above, one thing the investigative community can agree on is that every case is different.  Sure, certain cases will follow a workflow pattern, but the circumstances of every case, the suspects/targets, investigators and victims all take on different faces, which can alter your approach to conducting digital forensic analysis in the case slightly or dramatically.  We’ve all seen a surge in criminal (and civil) cases involving smart phones and other mobile devices, and with that comes the mountain of evidence that is contained on those powerful pocket computers that store up to 128 GB of data (or more, depending on when you’re reading this).  But consider this: you may only be getting half of the story if the only device you seize and analyze is the one belonging to the target of your investigation.
Case Application

The best case example we can use to illustrate this point is the investigation of a rape allegation.  Rape doesn’t happen in a bubble; it takes two people (or more) for a rape to occur.  And virtually everyone involved in these incidents owns and uses a smart phone on a daily basis.  Frequently, rape occurs when the alleged perpetrator knows the victim, whether through some sort of early-stage relationship, as a family friend, a relative, etc.  Because experienced investigators know this to be true and many reports validate it, it is your investigative responsibility to prove or disprove the claim.  In order to help do that, you need to seize not only the target’s phone data, but also the alleged victim’s phone data, all as soon as possible.

The best (and sometimes worst) thing about mobile device forensics is that once we have the data extraction, it’s ours.  It is a digital snapshot of whatever was present on the device at the time the extraction took place and, depending on the device, may also give us access to deleted information.  So in the interest of conducting a thorough investigation, I put forth that when an alleged rape victim makes the report, investigators should make it a regular and common practice to ask for consent to perform a data extraction on his/her phone.  It is simply the easiest way to get a 360-degree view of the case.
A More Holistic View of the Data

Consider also what happens in the mind of the target after they know they may have committed a crime.  Text and chat messages are deleted.  Pictures of the alleged victim get erased from the device.  They may even dispose of the device altogether and replace it with a new, fresh phone that has virtually no useful evidence on it.  Wouldn’t it be nice if the other side of those conversations still existed on another device?  What’s more, by grabbing the data from the alleged victim’s phone, you work toward a more complete investigation of the allegation.  It is an unfortunate reality that there are often false reports of serious crimes.  This certainly doesn’t mean that we automatically assume the victim may be lying, but it is our responsibility to fully investigate the case to determine what actually happened.  Victims and eyewitnesses are notoriously unreliable, for different reasons.  When victims are subjected to trauma, their accurate recollection of the incident can suffer to a degree, so that puts even more onus on the investigator to try to piece the puzzle together.

The best part about the data is that it doesn’t lie.  It has a perfect memory and it’s all documented, complete with date and time stamps, EXIF metadata, GPS coordinates, network activity and other great pieces of evidence that are very hard to spoof or fake, if not nearly impossible for most mobile device users.

Spoofing is a Thing

While the data doesn’t lie, it can be manipulated somewhat by either or both parties.  As demonstrated in this news piece we helped out with, one can simply download a free app, assign a desired number to it and send text messages to themselves as if they were someone else, perhaps an ex-boyfriend or some other acquaintance.  Then, if the messaging app is deleted, this evidence looks legitimate on its face to the untrained investigator.  But it’s only part of the story.

In the somewhat rare instance where this happens, it is absolutely vital to get the alleged victim’s cell phone dump.  Even a logical extraction from the device might show what happened, but it’s always advisable to get as much data as you can in the form of a physical extraction, SIM card data, SD card image, etc.  I realize these things may take time, but remember, the victim came to you for help.  If they back off on wanting that help, don’t ignore your instincts.  That could be a warning sign that you’re dealing with a false claim.

A Brief Note About Encryption

Encryption is the big bugaboo in forensics.  More and more devices are coming to the consumer out-of-the-box with some sort of encryption already in place.  Heck, this is the whole rub between Apple and the FBI…

But consider that if your suspect or target has a device with encryption in place, the alleged victim may be much more willing to hand over their device for extraction, whether their device is encrypted or not.  From a law enforcement investigative perspective, the victim is generally much more cooperative and, in theory, would be willing to provide you with a passcode (as well as other potential credentials) in furtherance of the investigation on their behalf.  It could be the only digital evidence you get!

Conclusion

Never forget there is always more than one person involved in the investigation.  Grabbing the alleged victim’s cell phone data in this circumstance could mean the difference between an innocent person being convicted of a serious crime and being fully exonerated.  When all the facts have been completely uncovered, the truth must remain and will have to hold up in a court of law.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Friday, April 15, 2016

Training Review: X-Ways Forensics

I’ve been involved in computer/digital forensics since 2009, starting off my first training with Basic Data Recovery & Acquisition (BDRA) given by the National White Collar Crime Center (NW3C) in Fairmont, WV.  Many of you have probably started your forensic training at NW3C or at any of the other governmental or non-governmental entities that offer basic training.  Starting with BDRA and progressing through my forensic training, I’ve observed one (mostly) universal characteristic about the trainings: no matter the host/vendor, no matter the tool-specific application(s), no matter the level of complexity of the subject matter, it’s very hard to make computer forensics training ultimately compelling and engaging.  Maybe it’s because we sit in a chair for 3-7 days and stare at a computer screen all day long.  Maybe it’s because there’s some overlap with training we’ve received previously.  Maybe it’s just because we don’t want to be there (everyone loves to be “voluntold” to go to training), but the fact remains, it can often be dry and sometimes even boring.

When I left the public sector and launched Pro Digital Forensic Consulting, I did my research about which tools to invest in initially.  Without question, there is a different mindset when you’re paying for the tools and licensing yourself as opposed to your department or company paying for them, so I was very discriminating about what I wanted, what I needed and what I thought might best serve my clients in the future.  With the ever-growing need for dedicated tools for both computer and mobile forensics, I decided to invest in tools with a dedicated purpose.  Having been a previous user of a very popular and widely-used tool, I reached out to them first.  Their salesperson was less than knowledgeable and even told me “I don’t do forensics myself, so maybe tech support could answer your question”.  This turned me off.  And being a self-admitted non-conformist, I decided to go in a different direction for several reasons: 1) from my perspective, the “heavy hitters” in the computer forensic industry were trying to take on too much re: mobile devices, eDiscovery, etc.; 2) the same “heavy hitters” were forcing users to use tools that were less than stellar by way of newer versions & updates that were not as effective as previous versions; and 3) I kept hearing great things from real-world computer forensic practitioners about the German-based tool, X-Ways Forensics.  With all that in mind, I made a leap of faith toward X-Ways as my primary computer analysis tool in 2014 and haven’t looked back.

Training in the Use of X-Ways Forensics

As every experienced examiner knows, computer forensic tools all try to do the same things, but some have strengths over others.  They also have their own terminology, which is sometimes tool-specific.  Having used X-Ways Forensics (XWF) only very seldom during my time in law enforcement, I opted to partake in an online course of study that was created by Brett Shavers.  The course was good because it gave a very basic overview of how to set up XWF and use XWF to work cases effectively.  Brett and former FBI Special Agent Eric Zimmerman also wrote a book that I would recommend to all users of XWF because it’s great as a quick-reference to intermediate guide.  The book is entitled X-Ways Forensics Practitioner’s Guide.  It got me to a functional level, but I knew I needed more.

Unfortunately, I also knew that XWF doesn’t offer open training in the US quite as often as some of the “heavy hitters”, nor are the locations always convenient.  For instance, there are only four open classes scheduled so far in 2016 in the US.  However, because I’m an XWF customer and user, I received an email late in 2015 about the 2016 training dates and, lo & behold, one was offered in April 2016 in Manassas, VA… very convenient for Pro Digital!  The cost of the training was very reasonable ($1,799.00 USD), especially in comparison to other vendor-sponsored training, whether online or classroom-based.  The list of what is included in the X-Ways Forensics I course may be found at this link: http://www.x-ways.net/training/index.html

Course Content & Delivery

The XWF basic course is not for beginners in the field of computer forensics.  If you have no forensic experience, I highly suggest taking the NW3C courses (BDRA & IDRA) or their equivalent before attending any vendor-specific training.  You must have prior knowledge of basic forensic terminology and a basic to intermediate understanding of how files are allocated in different file systems, how different operating system versions work, how file carving works, disk partitioning and a number of other concepts that are considered basic computer forensic knowledge.  Simply put, if you don’t have this knowledge, you will be lost and you won’t get anything out of the training.  I would also suggest that it may be beneficial to have some knowledge of how forensic tools work generally.  You don’t need to purchase one of the expensive tools to do this.  Consider downloading Autopsy from The Sleuth Kit project and some training disk images and experimenting with it.  Naturally, I’d suspect most of you reading this are very familiar with tools such as EnCase, FTK, Nuix, IEF, etc.

Our instructor for the week was Fotis Mouratidis.  As mentioned previously, XWF is a German-based company and, as such, their instructors are European.  If you’re in the US and wary about language problems, don’t be.  Fotis was very fluent in English, as well as 3 other languages.  He was also very knowledgeable about the tool itself.  While that should be a “no-brainer” for a vendor-instructor, it’s not always a given that they know (almost) everything they need to know about the tool.  Fotis walked us through such tool-specific topics as initial set-up of the tool, the multitude of case and user-specific options that XWF provides, the benefits of XWF over other tools (like disk imaging speed and compression rate) and how to use XWF in a very efficient manner.

X-Ways Forensics training is somewhat no-frills, but I don’t need frills.  I need good information that I can use to work cases better, and I got that.  You’ll need to bring your own laptop.  Fotis didn’t come with Pelican cases full of freshly-imaged computers for us to work on, but he didn’t have to, and honestly, I appreciate the ability to use the tool on my own equipment to see how well they work together.  X-Ways provides a number of training disk images on which to practice and complete practical exercises, as well as training licenses for the duration of the class.  The handout materials follow the PowerPoint presentation, but in keeping with good presentation practice, they only have a snippet of information, so you are forced to concentrate on the instructor’s presentation, where the real knowledge base resides.  I highly recommend bringing a notebook and taking frequent notes on items that may be of particular interest to you.  Throughout the 4-day course, I took a dozen pages worth of notes… and I still feel like that wasn’t enough.

One definite observation that I noted several times is that the instructions and the tool itself are very precise and specific.  Remember, XWF is a German-based company.  Throughout history, Germans have always been thorough and precise in their engineering of anything of quality, so it helps to keep that in mind during the training, practical exercises and when using XWF.  The tool will do exactly what you tell it to do.  Fotis reminded us of this several times with regard to the tool-specific X-Pert Certification test and process that is available through X-Ways Forensics.

Brief Notes About the Tool

Of particular note about XWF are a few points.  First is the filtering features in XWF.  There are a multitude of filtering options in XWF that can help narrow the focus of your investigation.  Not only can you filter by file type, size, dates, etc., but you can filter by metadata information, child objects, file attributes and a number of other categories.  What is even better is that XWF does a good job of telling you those filters are in place.  In using other tools, I’ve often fallen into the trap of trying to search for evidence while a filter is on, only to waste time (and get frustrated) because the tool didn’t have enough “idiot icons” telling me there was a filter in place.  XWF tells you in at least 3 different places that one or more filters are activated.  It’s a small but nice feature, and it can save aggravation and wasted time.

XWF is also very easy to install, customizable and portable.  Once set up, the tool stores all of your options in a configuration file that can be easily copied and transferred upon installation of a new version (versions are updated every 3-4 months).  If you have a particular type of file header that isn’t included in the search list, all you need to do is add it and save, and it can be searched for from that point forward.  One of the big reasons I invested in XWF is because it is lightweight and portable.  By that, I mean that it is not a resource hog like some of the other tools.  There is no external database that needs to be run on a separate disk for optimization.  XWF doesn’t eat up a ton of resources on your machine simply to examine the evidence.  It can be run from a thumb drive if necessary, which can also make it an ideal tool for live response and/or advanced triage on-scene.  The GUI can be intimidating to some who prefer lots of fancy icons and colors, but it too can be customized to highlight certain types of files that may be of interest in your case.  It’s not going to dazzle you if you like the shiny, pretty things, but at the end of the day, when you need to get the job done, XWF does it very, very well.  As with all other tools, the more robust the hardware you incorporate, the faster XWF will work.  This is particularly true if you’re trying to work and process more than one case at a time, which XWF allows for as a user option.

If you are used to features like the picture gallery, file preview, timeline (calendar) and details/metadata, XWF also incorporates those, and they don’t take forever to load or view.  If you are investigating a potential security breach and your investigation has narrowed to a particular day (or set of days), then a simple click on that time frame highlights the activity for the period(s) in which you are interested.  For all of the tool-specific symbols and icons, XWF offers a full-time “legend” button, just in case you get mixed up between using three different tools and need a refresher as to what the XWF icons mean.  It’s a nice, functional feature.

Conclusions

Having attended a multitude of different training offerings, including instructor-led, online and webinar-based, I would rank the XWF training among the best.  Fotis kept the class moving along and knew how to demonstrate everything we covered effectively and simply, and because of how it was presented, we had to pay attention to learn what he was presenting.  He was patient and easy-going and, as his car-pool partner for most of the training, I can say he’s a genuinely nice person.  But the true measure of the quality of training is 1) how much you get out of it and 2) does the instructor complement the subject matter and vice-versa?  As one who has used XWF for a couple of years, I learned how to do things better, faster and more efficiently.  I also learned many new features I didn’t know were part of the tool.  As for the instructor-tool synergy, they complemented each other very well.  The instructor was able to flow with the tool demonstration and instruction, and the tool flowed right along with him.

Most of the time, I come away from a week-long computer forensic training drained, knowing that it was necessary, but not looking forward to the next one.  This time, when the training was over, I found myself almost immediately researching when and where the XWF Advanced course was offered and how to make it work with my budget and schedule.  Sadly, it appears there may not be an open advanced course scheduled in the first part of 2016, but I’ll be keeping my eye on the 2nd half of the year and beyond to see when I can take advantage of this great training again.  If you’re impressed with the simple elegance of how your computer forensic tool functions and how it can help you work cases better, I highly recommend signing up for the next X-Ways Forensics training in your area!

NOTE: Special thanks to the Virginia Department of Forensic Science for hosting this valuable training and making it available to the wider digital forensic community!

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally