Saturday, November 3, 2018

FAQ Video Series: Mobile Forensics

What is mobile forensics and how can you use it for your case?  In this edition of our Frequently Asked Questions videos, we provide an overview and answer questions about deleted and recovered text messages and more.  Apple and Android are different, and it's important that your mobile forensic analyst knows the proper approach to the specific device(s) in your case.

 

For more information, visit prodigital4n6.com, call 804-588-9877 or email: inquiries@prodigital4n6.com

FAQ Video Series: Cellular Call Detail Records - Analysis and Mapping

In this video, Pro Digital Principal Consultant Patrick Siewert talks about cellular provider call detail records analysis and mapping.  He describes what it is, how the records are obtained, which types of cases can utilize the records, examples of what may be shown in court, and what's required to obtain the information.  This type of data is commonly used in insurance fraud investigations, divorce cases/custody disputes and validation of an opposing analyst's findings in criminal or civil litigation.

Pro Digital also offers these services to prosecutors' offices working major crimes who may not have access to analysts with the expertise to interpret and map these records.


 

Cellular Provider Record Retention Periods: prodigital4n6.com/cellular-record-retention-periods/

For more information, visit prodigital4n6.com, call us at 804-588-9877 or email: inquiries@prodigital4n6.com

Monday, October 8, 2018

FAQ Video Series: PC/Windows Computer Forensics




In this video, we cover some of our FAQs about Windows-based computer forensics, including metadata.  Simply put, metadata is data about data, such as authorship/ownership, dates & times of file creation/modification/access and a plethora of other valuable information.


A majority of our computer forensic cases are for Windows-based PCs, and certain processes are different for PCs than for Mac (Apple) computers.  When researching a forensic examiner, be sure to ask the questions needed to determine which analyst possesses the right knowledge, experience, training and tools for your specific needs.  There are nuances that affect every case which relate to the specific hardware and software involved.

Do you have a case that might be helped by a digital forensic analysis?  Visit our website, call or email for a free consultation:

Pro Digital Forensic Consulting
804-588-9877

  

Thursday, September 27, 2018

FAQ Video Series: Mac Computer Forensics


September 24, 2018

We’ve all heard the phrase “you don’t know what you don’t know”; and when it comes to hiring a Digital Forensic Specialist, that popular phrase is often applicable.  You’re hiring an expert because your field of expertise is in Criminal Law, Civil Law, Human Resources, or maybe even Information Technology.  So, how do you know what questions to ask to qualify potential investigators? 

In this video, our Principal Consultant, Patrick Siewert, gives a brief idea of how Apple Mac products differ from PCs and other devices and the importance of the forensic analyst using the right equipment to find and extract the necessary evidence.  Want to know more?  Give us a call or send an email for a free consultation to determine if we are the right fit for your case.
Pro Digital Forensic Consulting
804-588-9877

Monday, August 27, 2018

I Lost My Data!



Recently I was invited to attend an Instructor Development Course (IDC) for a well-known, global digital forensics company, for which training is a component of their business.  The IDC was run by two of the managers of training and, having attended other IDCs (or train-the-trainer classes) in the past, I knew the rough format would be a review of the material to be taught and some sort of teach-back or presentation.  Turns out, I was right!

On day one of the IDC, the 6 participants in the class were chosen by lottery to pick a random topic upon which to present on the afternoon of day three of the class.  I drew topic #3 of 6, so my randomly drawn topic was “File Headers and Signatures.”  Not bad.  Far better than numbering systems or 7-bit PDU encoding, if you ask me!  So I got to work on my presentation that evening.  The length was to be 20-25 minutes. We could use whatever resources we need and they had to facilitate the presentation.  No biggie, but I wanted to be prepared and well-versed because having given dozens of presentations in the past and having it reinforced during the first two days of the IDC, I know that’s what makes a good presentation – Preparation!

So I spent a few hours putting together what I thought was a clever presentation on File Signatures & Headers: what they are, what they look like, how they can be utilized, how automated tools find files using them, how we can manually search using them within a particular tool and how to validate our findings.  It was pretty good.  By the time the afternoon of the final day came around, I had tweaked and adjusted and walked through the presentation multiple times.  After all, I didn’t want to screw up the opportunity to teach for this company, because it’s a fantastic opportunity!  Then, Murphy paid a visit (no, not the well-known Forensicator Cindy!)…

The Wheels Come Off

When constructing the original presentation in my hotel room, I composed it on a 17” MacBook Pro with Bootcamp on the Windows partition running Windows 7 Pro in MS Power Point.  Everything went smoothly.  The presentation was saved on an 8 GB USB 2.0 thumb drive formatted in FAT 32, which was a marketing freebie (first clue, perhaps?) and previously unused.  When I refined, tweaked and updated the presentation, I did so on a MacBook Pro 15” retina on Mac OS High Sierra, also in MS Power Point.  There were no issues reading or saving the presentation, or so I thought.

When it came time for me to present, I popped up out of my chair, properly ejected the thumb drive from the MacBook Pro and brought it into the presentation room along with my other necessary materials.  I plugged my thumb drive into the presentation computer and this is what I saw:



My heart sank.  I clicked “Cancel” only to be presented with this from Windows:



So I thought maybe, just maybe, I could get it to work on the MacBook Pro.  So I ejected the drive from the PC and plugged it into the Mac, which was the last computer to touch the presentation.  Here’s the message I received:



A series of expletives began to spew forth from my mouth, or at least that’s how it felt.  But I do forensics for a living, right?  I have to know SOME way to recover this presentation! 
I knew the original 17” MacBook Pro, which is my backup forensic laptop as well, was back at the hotel room with a box full of dongles.  Something in my forensic bag of tricks MUST work, right? 

I told the other two students to go ahead of me and raced back to the hotel to work my forensic data recovery magic on the thumb drive and recover my presentation.  I was sure I had my X-Ways Forensics license with me!  That’ll get it in no time!  Except I didn’t.  Any tools I had brought with me were either for Mac forensics or mobile devices, neither of which had the capability to recover anything off of this thumb drive, at least not quickly.  I searched for auto-saved documents on both Windows and Mac.  No dice.  I searched the extended metadata in Mac.  Nothing found.  I Googled locations of temp files and other potential sources of auto-save or system-generated copies, whether hidden or not.  No luck.  So after about 40 minutes of trying what I could with what I had, I resigned myself to the reality of the situation:  I either had to try to reconstruct the presentation from memory or go without a Power Point, which would have looked horribly unprepared and unprofessional.

Fortunately, the last student before me had about 25 minutes left to go when I got back to the training site, so I hurriedly composed what I could remember from my previous presentation and got it about 85% of the way to where it was before it was my turn to present.  I did it and it turned out very well.

But what about the original presentation?

The Recovery

I’m an investigator at heart.  I want to get to the truth of the matter, no matter what the truth may tell me.  And yes, curiosity and tenacity play a pretty big role in that.  So instead of trashing the thumb drive in frustration, I decided to see if the original presentation was on there.  Back at my office (where my X-Ways license was the whole time), I created an image of the thumb drive in X-Ways. 



Once the image was created, I used the Refined Volume Snapshot to conduct a File Header Signature search.  Hmm, this is sounding a lot like my presentation!





For the sake of time and because I already know what I’m looking for, I only searched for MS Office Documents.  It didn’t take long…



Sure enough, after a few minutes, X-Ways carved not one, but three copies of my presentation on the disk.  They are all of different sizes and contain slightly different data:
  




Yes, that’s page one of my presentation.  And yes, that’s a bust of Dick Butkus from the Pro Football Hall of Fame.

Being that the presentation was about file signatures and headers, I decided to double-check the header on the recovered files.  A quick Google search reveals that the file header for a .PPTX (or Power Point) file in hex is: 50 4B 03 04 14 00 06 00.  Cross-referencing that with the data of the recovered files reveals the same header, serving to further validate the findings:
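As an added example (not the author's code and not X-Ways), here is a small Python carver that does by hand what the header search above did: it scans a raw image for the ZIP local-file-header signature that the PPTX header begins with, carves each Office Open XML container through its end-of-central-directory record, and validates the result the way the author validated his.  The image, the fake .pptx and the decoy ZIP are constructed inline for the demonstration.

```python
import io
import struct
import zipfile

# Added example, not the author's code: a minimal signature carver for Office
# Open XML (.pptx/.docx/.xlsx) in the spirit of the X-Ways header search above.
# The page's PPTX header 50 4B 03 04 14 00 06 00 is the ZIP local-file-header
# signature "PK\x03\x04" plus "version needed" 0x0014 and flags 0x0006, which
# is what Office writes; other ZIP writers emit other version/flag bytes, so
# the carver keys on the 4-byte signature and validates the structure instead.
PK_LOCAL = b"PK\x03\x04"  # local file header: 30 fixed bytes + name + extra
PK_EOCD = b"PK\x05\x06"   # end of central directory: 22 fixed bytes + comment


def parse_local_header(buf, off):
    """Decode the ZIP local file header at buf[off:]; None if there is none."""
    if buf[off:off + 4] != PK_LOCAL or len(buf) < off + 30:
        return None
    f = struct.unpack_from("<HHHHHIIIHH", buf, off + 4)  # ver, flags, ..., nlen, xlen
    name = buf[off + 30:off + 30 + f[8]].decode("utf-8", "replace")
    return {"offset": off, "version": f[0], "flags": f[1], "name": name}


def carve_ooxml(image):
    """Return (offset, bytes) for each OOXML container in a raw image. Office
    writes [Content_Types].xml as the first entry, so a PK header whose first
    entry has that name starts a document; it ends after the next EOCD."""
    found, pos = [], image.find(PK_LOCAL)
    while pos != -1:
        hdr = parse_local_header(image, pos)
        eocd = image.find(PK_EOCD, pos)
        if hdr and hdr["name"] == "[Content_Types].xml" and eocd != -1 \
                and len(image) >= eocd + 22:
            end = eocd + 22 + struct.unpack_from("<H", image, eocd + 20)[0]
            found.append((pos, image[pos:end]))
            pos = image.find(PK_LOCAL, end)  # resume after this document
        else:
            pos = image.find(PK_LOCAL, pos + 1)  # stray PK bytes: keep scanning
    return found


def classify(blob):
    """Validate a carved blob as a ZIP and name its Office type, or 'invalid'."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            if zf.testzip() is not None:  # CRC mismatch in some entry
                return "invalid"
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "invalid"
    for part, kind in (("ppt/presentation.xml", "pptx"),
                       ("word/document.xml", "docx"), ("xl/workbook.xml", "xlsx")):
        if part in names:
            return kind
    return "zip"  # a valid archive that is not an Office document


def build_sample_image():
    """Constructed test data: a fake .pptx and a decoy plain ZIP amid filler."""
    pptx, decoy = io.BytesIO(), io.BytesIO()
    with zipfile.ZipFile(pptx, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("ppt/presentation.xml", "<p:presentation/>")
    with zipfile.ZipFile(decoy, "w") as zf:
        zf.writestr("notes.txt", "not a document")
    return b"\x00" * 512 + decoy.getvalue() + b"\xff" * 300 + pptx.getvalue()
```

Because the signature is shared by every ZIP-based format, the decoy archive matches the first four bytes but is rejected by the first-entry check, which is the same reason a hit on the raw header alone still needs the validation step the author describes.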






Wrapping it Up

I know this example of data recovery is very basic.  Would it were that all data recovery jobs were this simple!  But the principles and procedures detailed here are the same whether we’re dealing with an 8 GB thumb drive (FAT 32) partition or a 4 TB hard drive with multiple partitions.  Hardware and software are the variables.  The constants are the procedures and methods used to acquire, analyze, carve, locate and report the lost data.  Ultimately, these methods need to be repeatable and defensible in a court of law because that’s what “Forensics” means.

Not every job is this straight-forward or simple, but with a little problem-solving, tenacity and experience, a competent examiner can put these methods to work to help recover just about any lost data!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Twitter: @ProDigital4n6

Sunday, May 20, 2018

Apple iPhone “Significant Locations”




I recently attended a conference of civil litigators in Virginia.  During the cocktail hour and after a very interactive CLE presentation on “Leveraging Data in Insurance Fraud Investigations”, I was talking with a few attendees about the different types of data available to them in their investigation and litigation of insurance fraud claims.  Admittedly, I was taken aback when one of the attorneys mentioned to me the “Significant Locations” that are logged on iPhones and showed me the locations on his.  This is probably because I have most (or all) location services turned off on my personal device, so I’d never given it much thought.  However, the conversation brought up the question, are these artifacts available through forensic data extraction and analysis?  And if so or if not, how do we access them?  What value might they serve in both criminal and civil investigations?

For the extraction, testing and exhibits illustrated here, we used an iPhone 5s running iOS v. 11.2.6.  Cellebrite Physical Analyzer v. 7.5 was used for the extraction and analysis.  As mentioned later, location services must be turned ON on the device in order for this information to be logged, as detailed in the UFED Device Extraction Info below:




Where & What Are “Significant Locations”

The first step is to identify where and what “Significant Locations” are.  The artifact is available to view on the device at Settings>Privacy>Location Services>System Services>Significant Locations (see below).







If location services are turned OFF, the significant locations data will not be logged and therefore unavailable.  Interestingly, to access Significant Locations on the device, the passcode or Touch ID must be entered, as shown below:




As we should all know by now, we need to obtain the passcode in some way (consent, court order, Gray Key, etc.) in order to facilitate data extraction in iOS 11 regardless, so while this may seem like an obstacle, it’s just another reason to obtain the passcode.

Upon accessing Significant Locations, a disclaimer is present, which reads the following:




The final sentence that the Significant Locations are encrypted already gives us a clue about whether or not UFED will be able to parse this data, but more on that a little later.

What’s Inside Significant Locations?


Once accessed, the Significant Locations are presented as a list, shown here:





Some interesting things of note about these particular locations:  This device doesn’t travel much.  The 13 locations logged in Henrico (Richmond/Midlothian), VA are related to the home location(s) of the device, which is already good information to have in the course of an investigation.  The device visits Williamsburg, which is the reason for the listings for that location.  All of the remaining locations are related to a trip from April, 2018 to and from Richmond, VA to Cincinnati, OH.  The device stopped in Beaver, WV and Beckley, WV.  Covington, KY is across the Ohio River from Cincinnati, where a dinner stop was made.  A stop in Fishersville, VA was made to get gas on the way back from Cincinnati.  Essentially, we have a road map of the trip to and from Cincinnati.

Further inspection of the locations where there are multiple listings reveals even more detail about where the device has been, as shown here in the Richmond, VA area:


And even more as shown here in the Cincinnati, OH area:


What’s most interesting about these artifacts is that at no time was the device connected to any wireless networks in either location, save one in the Mt. Adams section of Cincinnati.  Yet in some instances, the business name and/or street address is listed in the log.



UFED Extraction & Access to “Significant Locations”

An Advanced Logical (option 1) encrypted extraction was conducted in Cellebrite UFED Physical Analyzer v. 7.5 to see if this data would be available through mobile forensic data extraction.  When the names of the locations were searched globally in the case, no results were presented.  When the term “Significant” was searched globally in the case, the following artifacts were located at var/root/library/caches/locationd:




The highlighted .plist files were exported and opened in Xcode on a Mac system.  None of these artifacts presented any data that was readily identifiable as useful.  Is it possible that these artifacts are encoded within the extraction data and could therefore be located?  Sure, but for the purposes of this article, those measures were not undertaken.  As these artifacts sit behind a double security wall (the main passcode, then re-entry of the passcode to access Significant Locations on the device), it is logical to conclude that they are not accessible through mobile forensic data extraction (i.e., they are encrypted).

How Does This Help Your Case?

To recap, we located the Significant Locations on the device and performed a data extraction and it appears that these locations are not part of any readable portion of that data.  So how can we best incorporate this data into our investigations to add value?  Unfortunately, the best answer is the “old fashioned way”.  Access the device, navigate to “Significant Locations” and document each entry through photographs (NOT screen shots).  Depending on the level of usage of the device, this can be tedious and time-consuming, but the value of the data cannot be overlooked.

In criminal cases, this data can help put the device in locations where the suspect may have been (or not have been) during the time of the incident.  It can also help identify home locations and frequently visited locations, which can increase investigative leads, present additional accomplices, serve to impeach statements already made and more.  Naturally, accessing the device is key.  It bears noting that the “Significant Locations” data, combined with cellular provider call detail records could help paint a more thorough picture of the device location and/or movements than either one or the other alone.

In civil litigation, this data can be used in much the same way, but more likely to prove or disprove frequent locations, known associates (paramours, accomplices, etc.), and to help confirm or refute deposition or trial testimony.  If your case involves insurance fraud and the claimant says that he cannot travel, this data helps refute that statement without the need to obtain cellular carrier records.  But again, ideally we would couple this data with cellular location data to paint a more complete picture of the device usage patterns. 

A couple of final notes about the existence of this data.  First, it can be deleted.  Note in the image above that the option to “Clear History” is present, and if the user selects this, the logging will be reset.  It also appears (from checking a separate device with this logging turned on) that the data is stored for approximately 6 months.  It is unknown whether or not the data would transfer from an older device to an upgraded device, as further testing would need to be conducted.  Finally, it is also unknown whether or not this data would be more readily accessible through mobile forensic data extraction on a jailbroken device.

Conclusions

This data is a proverbial gold mine, but it’s one we need to access in ways we generally don’t like to – by manipulating the device and accessing the UI.  However, this is still a valid form of analysis and documentation, especially when the access limitations on iOS devices force us to use tools and techniques other than those that are automated.  As with most things in forensics, simply knowing where to look, how the data got there and how to best utilize the data to confirm or refute the other aspects of your case is (about) half the battle.  We all know Google, Apple and the cellular carriers are tracking us.  Let’s start using that data to help serve justice, no matter what we’re investigating!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
