July 18, 2016
The Digital Forensic Answer: It Depends
In life, we rarely ever get solid answers. The same is true in many forensic disciplines. Indeed, even when some answers are put forth as solid, after years of scrutiny, challenges and vetting, the answer can be reversed (see: FBI hair comparison “forensics”). One of the things that really appeals to me about digital forensics as an investigator is that when you are able to find the answer, it’s pretty definitive… most of the time. But with computer and mobile technology increasing in complexity and in how it intertwines with our daily lives, the universal answer in digital forensics is still “it depends”. Think about it – when is the last time you worked a case where you had all of the answers?
Even cases where the evidence you have is solid can still have that sliver of a window for some doubt, or another stone that possibly could have been turned over. We can’t examine every bit of data in every case, so we concentrate on what is relevant, what is possible and what is valuable in our cases. But the variables do play into our conclusions, so we conduct as thorough an analysis as we can, given time and case-specific constraints, publish our conclusions and trust in our ability, training and experience. That’s practical digital forensics.
Routinely, we get calls from attorneys and other prospective clients asking if we can find key pieces of evidence in their case. The answer I always give is, it depends! Now, as a private practitioner, I know clients don’t like to pay money for a “maybe”, but sometimes that’s the nature of the beast. Generally I tell them that the sooner you can get me the evidence and the more information you can provide, the better chance we’ll have to find and report the data you need in your case. This is naturally true in law enforcement as well, but most governmental examiners have the benefit of what I call “time capsule evidence” – evidence that is seized under a lawful order at a specific point in time and (hopefully) is not destroyed or altered subsequent to the seizure. In private practice, that doesn’t always happen, so the universal answer is… It depends!
Dependent Variables in Computer Evidence Analysis
Generally speaking, the “it depends” factor in computer-based (PC/Mac, etc.) cases is a little lower than in mobile cases (to be discussed next). However, it’s still present. Some of the factors that affect whether or not we’ll be able to find evidence include:
· The time between the alleged incident and the creation of the forensic image
· The usage (if any) on the system since the alleged incident, and that user’s behavior
· Whether or not the evidence being sought is suspected to have been deleted
· The type of data being sought in the investigation
I’ll elaborate a bit with a few “real-world” examples: Last year, Pro Digital was retained in a corporate case involving alleged theft of intellectual property by a former employee. Upon discovery of the potential violation, the custodian of the company’s computers immediately stopped all use of the suspect computer system and locked the system in a safe place with limited access. He then called us and the case progressed from there. We were able to find definitive evidence that the ex-employee transferred vital information to a thumb drive and presented this evidence in court. That’s a textbook example of what should happen.
By contrast, we recently investigated a case involving the time frame of a submitted document, which relied heavily on document metadata analysis. Unfortunately, the alleged incident happened 8 months prior. Not only was there 8 months of potential usage, alteration and deletion on the system, but to add to the problems in recovering the evidence, the user’s system had been updated and replaced within the 8-month time frame. And no, they couldn’t locate the old system for us to analyze. The request – analysis of document metadata – is a fairly simple one. However, the case was complicated by factors related to time and usage. So as you can see, it really depends!
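To make the “document metadata analysis” request concrete, here is an added example (not code from the article or from Pro Digital) that reads the core metadata part of an Office Open XML document (.docx/.xlsx/.pptx) directly from its zip container and flags the things an examiner checks before relying on those timestamps. The sample document, its author names and its dates are constructed for the example; the `docProps/core.xml` part and the `dc`/`dcterms`/`cp` namespaces are the real OOXML layout.

```python
# Added example (not from the original article): reading the core metadata of an
# Office Open XML document straight from the zip container, then checking whether
# the recorded timestamps and editors are internally consistent.
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Real OOXML namespaces used by docProps/core.xml.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}

# Constructed sample: what docProps/core.xml looks like inside a Word document.
# Names and dates are made up for the example.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
 xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:dcterms="http://purl.org/dc/terms/"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
 <dc:creator>J. Doe</dc:creator>
 <cp:lastModifiedBy>A. Roe</cp:lastModifiedBy>
 <cp:revision>7</cp:revision>
 <dcterms:created xsi:type="dcterms:W3CDTF">2015-10-02T14:05:00Z</dcterms:created>
 <dcterms:modified xsi:type="dcterms:W3CDTF">2016-06-21T09:30:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Build a minimal zip carrying only the metadata part (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
        zf.writestr("word/document.xml", "<w:document/>")  # placeholder body part
    return buf.getvalue()


def _text(root, path):
    node = root.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def _ts(value):
    """W3CDTF timestamps in core.xml are UTC ('Z' suffix)."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_core_properties(docx_bytes: bytes) -> dict:
    """Extract author, last editor, revision count and created/modified times."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    return {
        "creator": _text(root, "dc:creator"),
        "last_modified_by": _text(root, "cp:lastModifiedBy"),
        "revision": int(_text(root, "cp:revision") or 0),
        "created": _ts(_text(root, "dcterms:created")),
        "modified": _ts(_text(root, "dcterms:modified")),
    }


def consistency_notes(props: dict) -> list:
    """Observations an examiner records before relying on these values."""
    notes = []
    if props["created"] and props["modified"] and props["modified"] < props["created"]:
        notes.append("modified precedes created: clock change or edited metadata")
    if props["creator"] and props["last_modified_by"] and props["creator"] != props["last_modified_by"]:
        notes.append("last editor differs from creator: document changed hands")
    if props["revision"] > 1:
        notes.append(f"{props['revision']} saved revisions: content may differ from the original")
    return notes


if __name__ == "__main__":
    props = read_core_properties(build_sample_docx())
    print(props)
    for note in consistency_notes(props):
        print("-", note)
```

The application timestamps inside the container are independent of the file system timestamps on the disk image, and both are rewritten every time the document is opened and saved; that is exactly why eight months of use on a replaced system makes a “simple” metadata request hard to answer.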
Dependent Factors in Mobile Device Analysis
While the “it depends” factor exists in many computer cases, that same factor is virtually always present in mobile device analysis cases. Think about how often we use our mobile devices. I recently attended a seminar in which the estimated number of times per day we even look at our mobile devices was reported to be between 150 and 250. While we’re fortunate as examiners that mobile devices store an increasingly higher amount of data with each new generation of device, we use them so much that these user-dependent factors often affect whether or not we can get the data that is necessary to help prove or refute a claim.
For example, I recently did some rudimentary testing with regard to how images & videos are stored on an Apple iPhone 5s, which was running iOS 9.3.2. I was able to quickly identify the file naming convention and locate the pictures. Most forensic tools will do that natively anyway. But when I looked at the SQLite database table for the pictures, I found that the deleted information and metadata for older files was no longer available. More recent deleted pictures and their associated metadata were still recoverable, but the older ones, which were taken on another device with an older operating system and transferred via iCloud backup, were not available. So when we say “it depends” with mobile devices, we are referring to factors such as:
· Device make/model/manufacturer
· Operating system version
· Age of data being sought in the investigation
· Potential deletion of data being sought in the investigation
· Forensic tools utilized by the investigator for extraction and analysis
· Overall device storage capacity
· User behavior
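The iPhone observation above (recent deleted records still recoverable, older ones gone) comes down to how SQLite handles deleted rows. The following added example (not code from the article or from any forensic tool) builds a small photo-index table, deletes two rows, and carves the raw database file for file names three times: right after the delete with `secure_delete` off, after a `VACUUM`, and after a delete with `secure_delete` on. The table, the `IMG_xxxx.JPG` names and the timestamps are constructed samples, not the layout of Apple’s photo database; the `PRAGMA secure_delete` and `VACUUM` behaviour is standard SQLite.

```python
# Added example (not from the original article): why a deleted SQLite row may or
# may not still be recoverable from the raw database file. The database is built
# inline in a temporary directory so the script runs offline.
import os
import sqlite3
import tempfile

# Constructed sample rows: file name and a Unix timestamp for when it was taken.
SAMPLE_PHOTOS = [
    ("IMG_0001.JPG", 1420000000),
    ("IMG_0002.JPG", 1420100000),
    ("IMG_0003.JPG", 1420200000),
    ("IMG_0004.JPG", 1420300000),
]


def build_photo_db(path, secure_delete):
    """Create a small photo-index table and delete the two oldest rows."""
    con = sqlite3.connect(path)
    # secure_delete decides whether SQLite overwrites freed cell content with
    # zeros (ON) or merely unlinks it and leaves the bytes in place (OFF).
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("CREATE TABLE assets (filename TEXT, taken INTEGER)")
    con.executemany("INSERT INTO assets VALUES (?, ?)", SAMPLE_PHOTOS)
    con.commit()
    con.execute("DELETE FROM assets WHERE filename IN ('IMG_0001.JPG', 'IMG_0002.JPG')")
    con.commit()
    con.close()


def live_rows(path):
    """What a normal query (and most tools' table views) still returns."""
    con = sqlite3.connect(path)
    rows = [r[0] for r in con.execute("SELECT filename FROM assets ORDER BY filename")]
    con.close()
    return rows


def carve_filenames(path, pattern=b"IMG_"):
    """Scan the raw file bytes for photo names, allocated or not.

    A real carver walks page headers and freeblock lists; a plain byte scan is
    enough here to show whether the deleted content physically survives."""
    with open(path, "rb") as f:
        blob = f.read()
    found = set()
    start = 0
    while True:
        i = blob.find(pattern, start)
        if i < 0:
            break
        found.add(blob[i:i + 12].decode("ascii", "replace"))  # names are 12 bytes
        start = i + 1
    return sorted(found)


def vacuum(path):
    """Rebuild the file; free space inside pages is not carried over."""
    con = sqlite3.connect(path)
    con.execute("VACUUM")
    con.close()


def demo():
    """Run the three scenarios and return what each one leaves recoverable."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "photos.sqlite")
        build_photo_db(p, secure_delete=False)
        results["live"] = live_rows(p)
        results["carved_after_delete"] = carve_filenames(p)
        vacuum(p)
        results["carved_after_vacuum"] = carve_filenames(p)

        p2 = os.path.join(d, "photos_secure.sqlite")
        build_photo_db(p2, secure_delete=True)
        results["carved_secure_delete"] = carve_filenames(p2)
    return results


if __name__ == "__main__":
    for scenario, names in demo().items():
        print(f"{scenario:22s} {names}")
```

With `secure_delete` off, the two deleted names are still in the file after the delete and disappear only after the rebuild; with `secure_delete` on they are gone the moment the delete commits. Which of these an app or OS version does, and how long it is before the database is vacuumed or the freed space reused, is what decides whether a deleted record is still there when the image is taken.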
And that’s really just the tip of the mobile device iceberg. When we also factor in the multitude of apps available on the market which may store valuable data, how the data is stored within those apps (i.e., encrypted or encoded) and what type of data that may be, it really starts to prove two things: First, it really depends on many factors as to whether we can get the data that is needed in a particular case and second, the potential value of that data, if recoverable, cannot be overstated.
Dependent Factors in Call Detail Record (CDR) Analysis
As detailed in a previous article, call detail and cell tower records can prove vital in a wide variety of cases. However, the “it depends” factor is present here as well. The unfortunate part is, some of the dependent factors with regard to call detail records are out of the examiner’s control in that they reside within policies of the cell provider, as well as other factors. The most common question in this world of data analysis is, “what is the range of a cell tower?” Well, it depends! In the most basic terms, the range of a cell tower is only as far as the next closest cell tower of the same provider. However, other factors also play into the cell tower range including:
· Number of mobile devices connected to the tower at the time of interest (load)
· Geographical terrain/topography (trees, hills, buildings, etc.)
· Tower maintenance, both scheduled & unscheduled
· Manufacturer, age, height & type of cell tower
· Handset-specific factors, such as antenna strength
Just as with forensic analysis of computers and mobile devices, time is of the essence in call detail record analysis. The closer to the alleged incident you can request the data from the cell provider (via search warrant, court order, etc.), the better chance you’ll have to get more data, which could add great value to the case.
Wrapping it up
To most digital forensic examiners, the concept of “it depends” will not be a new one. I was first taught that it really does depend while attending BCERT at the National Computer Forensics Institute by a savvy and knowledgeable attorney. She was very correct and I’ve seen this played out in case after case ever since.
Even though the examples listed here are just a fraction of some of the dependent factors in various types of analysis, hopefully it’s clear now that there are generally not many clearly-defined answers in many areas of digital forensics and they are all case-specific. Naturally, it bears noting that the training and experience of your examiner is a huge factor in determining whether or not you are getting all of the information you can get in your case, so choose your examiner wisely and carefully… Because success or failure can depend on that too!
Author: Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.