Thursday, January 9, 2020

Digital Forensics: Theory vs. Practice




As an active digital forensic practitioner for over 10 years, I have attended many training offerings from many different companies/resources, read many white papers published by any number of scientific and academic entities and worked hundreds of active cases for plaintiffs, defendants and in law enforcement covering PC, Mac and mobile device forensics.  One aspect that crosses all of these areas, which has waned slightly in the last few years but still rears its ugly head, is the set of theoretical questions surrounding digital forensics.  Among these, which we have all heard at one point or another, are hash collisions, data cross-contamination and reverse-engineering of hash values into a viewable data file.  While we can Google these theories and findings to death, their practical application in “everyday forensics” is reality-based, not theoretical.



Hash Collisions

The topic of hash collisions generally comes up when working independent analysis in criminal defense cases.  This digital version of the “some other dude did it” (or SODDI) defense is based upon the theory that two digital files containing completely different data can be run through a hashing algorithm and obtain the same result.  Hash calculation is a big part of forensics and particularly in cases dealing with child exploitation images, the hash value is used to locate those sharing illicit images on the peer-to-peer file-sharing networks.  However, we also use hash values to validate evidence files as identical to the original, to cancel out any irrelevant/system files and to validate the authenticity of files across a system or multiple pieces of evidence.  Hashing algorithms such as MD5 and SHA-1 have been “broken” for years, but are still in ubiquitous use in digital forensics.  Why?  Because the practical application of these collisions is so minimal, it is not even worth mentioning in a court of law. But rest assured, it still gets mentioned!  The only real application these collisions have is to attempt to obfuscate the facts and/or confuse the finder of fact in a legal proceeding.  Simply put, there are no documented cases where someone accused of downloading or sharing illicit images was falsely accused because the images they downloaded/shared possessed the same hash value as some innocuous files they were attempting to download/share.  Consider the statistical likelihood that someone downloaded/shared an innocuous file which happened to share the same hash value as an illicit file and also was on a police watch list where a search warrant was executed.  All of those factors being in place at once is very unlikely.

While we are constantly testing, honing and refining our knowledge in the field of digital forensics and we may even work in a “lab”, the fact remains that at a practical level, none of us have the ability to re-create these collisions, nor have we seen them “in the wild”, so to speak.  They are reserved for a theoretical lab environment where the sole purpose is to find and publish the collision, not to find and report the truth in the evidence.
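The evidence-validation and known-file-exclusion uses of hashing described above can be made robust to any single-algorithm collision by comparing two unrelated digests. The following is an added illustration, not code from the original post or from any forensic tool; the sample files and the reference hash set are constructed stand-ins.

```python
import hashlib

# Constructed stand-ins for acquired files (real work reads these from the evidence media).
SAMPLE_FILES = {
    "notes.txt": b"meeting notes, nothing of interest\n",
    "cmd.exe": b"MZ\x90\x00 constructed stand-in for a known OS binary\n",
    "photo_0042.jpg": b"\xff\xd8\xff\xe0 constructed stand-in for a user file\n",
}

def digest_pair(data: bytes) -> tuple:
    """Hash the same bytes with two unrelated algorithms (MD5 and SHA-256)."""
    return (hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest())

def build_known_set(files: dict) -> dict:
    """Constructed 'known/irrelevant file' set, keyed by MD5 and carrying the matching
    SHA-256, in the spirit of a reference hash set used to exclude system files."""
    return {md5: sha256 for md5, sha256 in (digest_pair(d) for d in files.values())}

def verify_copy(original: bytes, working_copy: bytes) -> bool:
    """Evidence validation: a working copy is accepted only if BOTH digests match."""
    return digest_pair(original) == digest_pair(working_copy)

def classify(files: dict, known: dict) -> dict:
    """Label each file: 'known' when MD5 and SHA-256 both match a reference entry,
    'md5-only' when only the MD5 matches (the situation a collision argument rests
    on; it is flagged for review, never silently excluded), otherwise 'review'."""
    labels = {}
    for name, data in files.items():
        md5, sha256 = digest_pair(data)
        if md5 in known:
            labels[name] = "known" if known[md5] == sha256 else "md5-only"
        else:
            labels[name] = "review"
    return labels

if __name__ == "__main__":
    known = build_known_set({"cmd.exe": SAMPLE_FILES["cmd.exe"]})
    for name, label in classify(SAMPLE_FILES, known).items():
        print(f"{name}: {label}")
```

A file that matches a reference entry on MD5 alone is surfaced for the examiner to look at rather than being excluded or reported as a match, which is the practical answer to the collision argument.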

Data Cross-Contamination

Before I discuss the practicality of data cross-contamination, I’ll insert a disclaimer that I understand that using sterilized media to store forensic data and conduct analysis is mentioned as a potential best practice, as detailed in the Scientific Working Group on Digital Evidence (SWGDE) Best Practices for Computer Forensic Acquisitions (v. 1.0).  One of the reasons for this is to avoid data cross-contamination.  What is that?  It is a theory that if you have a piece of media upon which you store data to be analyzed in a forensically-sound environment, and you do not sterilize the media (i.e., wipe and validate prior to placing the data to be analyzed on the media), some data from a previous or unrelated case could become part of the current case analysis data, thus potentially contaminating the results with unrelated data.  This is a viable theory when dealing with physical evidence such as DNA samples or fingerprints, but it has very little, if any, practical application in digital forensics.  Consider that if you create a forensic data file such as an .e01, raw or .zip file, what is the method and/or likelihood that copying that file onto a piece of non-sterilized media will somehow mix or commingle with pre-existing data?  I’ve heard one claim of data cross-contamination from another examiner, but anecdotes are not data, nor was the claim ever validated.  We sterilize the media, not because we’ve ever seen it affect any cases, but to avoid questions about it when testifying.



Hash Value Reverse-Engineering

Having obtained much of my initial training in law enforcement and, as such, working a majority of cases involving illicit images, I can recall being trained that catalogs of illicit image hash values are law enforcement sensitive and not to be disseminated to independent examiners or to the general public.  Why?  Because someone could potentially and theoretically reverse-engineer the hash value to re-create the file, which would be illegal.  This came up again in a case worked independently in 2019.  I thought this theory and explanation was long gone, but it is not.

The problem with the theory of reverse-engineering a hash value is I’m not sure it’s ever been done, at least not at a practical level.  It is a theory.  Scientists, academics and lab-rats may have done it, but I don’t know anyone who actively practices digital forensics that either 1) has the knowledge, skills and abilities to do it and/or 2) has the desire to do it.  So why is it still mentioned as a consideration in cases?  (Hint: see the above note about obfuscation and confusion).

Wrapping It Up

I’m not an academic or a lab-rat.  I’m just an old(ish) retired investigator with some skillsets that can often be of benefit to parties involved in litigation.  Because of that, I’m concerned with the practicality of digital forensics – What is the best way to get the case analyzed?  What evidence is relevant?  Where do I need to look for the evidence?  What am I missing that could potentially answer important questions?  Theoretical considerations like those mentioned here are not worthy of much calorie-burning when trying to answer these questions.  In the pragmatic world of digital forensics, we have to consider what is, not what could be.  Because the truth lies in the facts of the case and the data which is part of the case, not on theory of what could or may have happened… And likely did not! 

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Twitter: @ProDigital4n6

Monday, December 9, 2019

Digital Forensics in Sexual Assault Cases




Any practicing litigators and digital forensic analysts (as well as our regular readers) appreciate the value that digital evidence can add to their cases.  Civil, criminal and administrative matters can all have a data component to them, for which forensic data acquisition, analysis & reporting may be necessary and valuable.  The challenge when putting together a case strategy is whether or not the cost of digital forensic analysis is worthwhile to the overall case.  This particular approach in the case strategy should always meet with a resounding “YES!” when working sexual assault cases.  It is reported that false claims of sexual assault are five times as common as other types of crime, and the incidents at the heart of the claim are very often precipitated by text and/or picture messaging, often to a high degree, which can serve to help reveal the truth of the claim.

From One Side: The Accused

When an accusation of sexual assault is made, there is frequently a “he said, she said” factor.  But before the alleged assault took place, there is often a build-up of text and/or picture messages in some form.  In 2018 alone, Uber reported over 3,000 sexual assaults.  All activity on Uber is facilitated via the app, including a messaging component.  Uber also frequently logs GPS coordinate location while using the app.  All of this is extremely valuable data when attempting to prove or disprove if the alleged perpetrator was at or near the incident location and in contact with the complaining witness and if any pre or post-assault messaging took place.  But Uber is just one example…

Dating apps are another frequent data medium where activity precipitating a claim of sexual assault can take place.  Apps like Tinder, Bumble, Hinge, Match, etc. all serve to match potential dates and facilitate communication prior to meeting and/or exchanging phone numbers.  Several of these apps also have the ability to send picture messages.  In the event that messages have been deleted between the time of the contact and the alleged assault, a forensic data acquisition is critical to any recovery of those messages and should be performed as soon as possible after the report is made and legal authority is obtained.  Additionally, these apps are all location-based, so there may be data within the app that is not accessible to the user that may help prove or disprove the claim of sexual assault.



While app data is certainly valuable, the data stored within the standard text or iMessage databases should not be overlooked.  Even in cases where communication may have started on an application, very often users will transition to standard text messaging once there is a certain level of comfort.  In the past several years, we have worked multiple sexual assault cases where the deleted and recovered text messaging data led to the acquittal of criminal defendants.  In every case, this was because a false claim was made and ultimately proven to be false through acquisition, analysis and presentation of text message data from one location or another on the device.

As a brief note, certain app data may not be available through the forensic process and depending on the application, the recoverable artifacts can be more circumstantial than substantive (i.e., contact entries).  Snapchat, WhatsApp & Signal are all very challenging, depending on the device hardware and software (iPhone vs. Android).  Fortunately, mobile forensic developers are constantly working on these issues, so data that may not be available today could be available in the future.

From The Other Side:  The Complaining Witness

Despite there being five times as many false claims of sexual assault as other types of crime, there still seems to be a mental block with regard to obtaining a forensic data extraction of the device(s) belonging to the complaining witness.  As alluded to in our May 2016 article, obtaining the data from the complaining witness’ device as soon as possible after the incident is reported should be part of standard practice in any sexual assault claim.  Why?  Simply put, there are two sides to every story and as trained investigators will undoubtedly agree, the truth usually lies somewhere in the middle.


Aside from being able to confirm or refute the veracity of the claim, one party or the other may have deleted some of the pertinent data, which could prove invaluable in piecing the facts together.  No matter which party’s device is analyzed, it is absolutely vital to look in all potential areas for messages.  As previously stated, the accused and the complaining witness may have started communication on one medium and transitioned to another, so cross-referencing phone numbers, user IDs/monikers and other personally identifiable information is crucial to finding and reporting all of the relevant data.

It bears noting that obtaining the data from the complaining witness’ device has not been the normal practice in cases we’ve seen.  The rationale given for this is that the investigating entity doesn’t want to “re-victimize” the complaining witness.  The job of an investigator and a digital forensic examiner is to ultimately find the truth, no matter where that leads.  With only half of the potential data and a claim of assault, we potentially only have half of the story.  This “digital PERK kit” can and will add value to the overall investigation when so much is at stake for both parties, so the data from the complaining witness’ device should be obtained in the interest of truth and justice.  This should also be done with a high level of discretion and with either consent or a search warrant to obtain the data.

The Civil Side

The numbers of reported sexual assaults from Uber alone make it worth mentioning how vital this evidence can be from both sides, even in civil matters.  If a criminal claim of sexual assault is made involving a company or app-based service provider, that claim will many times lead to a civil suit being filed alongside or subsequent to the criminal investigation.  While the freedom of the accused may not be at stake in a civil claim, there may be millions of dollars involved in the claim arising from alleged sexual assault.  For all of the reasons cited here, the forensic data should be acquired from both plaintiff and defendant.  If data has previously been acquired by law enforcement in an accompanying criminal investigation, the same data should be requested through discovery.



Wrapping It Up

In the era of the #metoo movement and high-profile attention on sexual assaults in America, the value of forensic data as it relates to these claims cannot be overstated.  Proper collection, analysis, reporting and effective testimony about the findings can often make or break a case.  Ultimately, the truth is at the heart of the matter.  With a universal approach to every sexual assault investigation – criminal or civil – the digital evidence can help lead the finder of fact to the truth, which means justice will have been served. 
