Monday, July 18, 2016

The Digital Forensic Answer: It Depends



July 18, 2016

The Digital Forensic Answer: It Depends

In life, we rarely ever get solid answers.  The same is true in many forensic disciplines.  Indeed, even when some answers are put forth as solid, after years of scrutiny, challenges and vetting, the answer can be reversed (see: FBI hair comparison “forensics”).  One of the things that really appeals to me about digital forensics as an investigator is when you are able find the answer, it’s pretty definitive… most of the time.  But with computer and mobile technology increasing in complexity and in how it intertwines in our daily lives, the universal answer in digital forensics is still “it depends”.  Think about it – when is the last time you worked a case where you had all of the answers?  Even cases where the evidence you have is solid can still have that sliver of a window for some doubt or another stone that possibly could have been turned over.  We can’t examine every bit of data in every case, so we concentrate on what is relevant, what is possible, what is valuable in our cases.  But the variables do play into our conclusions, so we conduct as thorough analysis as we can, given time and case-specific restraints, we publish our conclusions and trust in our ability, training and experience.  That’s practical digital forensics.

Routinely, we get calls from attorneys and other prospective clients asking if we can find key pieces of evidence in their case.  The answer I always give is, it depends!  Now, as a private practitioner, I know clients don’t like to pay money for a “maybe”, but sometimes that’s the nature of the beast.  Generally I tell them that the sooner you can get me the evidence and the more information you can provide, the better chance we’ll have to find and report the data you need in your case.  This is naturally true in law enforcement as well, but most governmental examiners have the benefit of what I call “time capsule evidence” – evidence that is seized under a lawful order at a specific point in time and (hopefully) is not destroyed or altered subsequent to the seizure.  In private practice, that doesn’t always happen, so the universal answer is… It depends!

Dependent Variables in Computer Evidence Analysis

Generally speaking, the “it depends” factor in computer-based (PC/Mac, etc.) cases is a little lower than in mobile cases (to be discussed next).  However, it’s still present.  Some of the factors that affect whether or not we’ll be able to find evidence include:

·       The time in between the alleged incident and the creation of the forensic image
·       The usage (if any) on the system since the alleged incident and that users behavior
·       Whether or not the evidence being sought is suspected to have been deleted or not
·       The type of data being sought in the investigation

I’ll elaborate a bit in a few “real-world” examples:  Last year, Pro Digital was retained in a corporate case involving alleged theft of intellectual property by a former employee.  Upon discovery of the potential violation, the custodian of the company’s computers immediately stopped all use on the suspect computer system and locked the system in a safe place with limited access.  He then called us and the case progressed from there.  We were able to find definitive evidence that the ex-employee transferred vital information to a thumb drive and presented this evidence in court.  That’s a textbook example of what should happen.

By contrast, we recently investigated a case involving the time-frame of a submitted document, which relied heavily on the document metadata analysis.  Unfortunately, the alleged incident happened 8 months prior.  Not only was there 8 months of potential usage, alteration and deletion on the system, but to add to the problems in recovering the evidence, the user’s system had been updated and replaced within the 8-month time frame.  And no, they couldn’t locate the old system for us to analyze.  The request – analysis if document metadata – is a fairly simple one.  However, the case was complicated by factors related to time and usage.  So as you can see, it really depends!

Dependent Factors in Mobile Device Analysis

While the “it depends” factor exists in many computer cases, that same factor is virtually always present in mobile device analysis cases.  Think about how often we use our mobile devices.  I recently attended a seminar in which the estimated times per day we even look at our mobile devices was reported to be between 150 – 250.  While we’re fortunate as examiners that mobile devices store an increasingly higher amount of data with each new generation of device, we use them so much that these user-dependent factors often affect whether or not we can get the data that is necessary to help prove or refute a claim. 


For example, I recently did some rudimentary testing with regard to how images & videos are stored on an Apple iPhone 5s, which was running iOS 9.3.2.  I was able to quickly identify the file naming convention and locate the pictures.  Most forensic tools will do that natively anyway.  But when I looked at the SQLite database table for the pictures, I found that the deleted information and metadata for older files was no longer available.  More recent deleted pictures and their associated metadata were still recoverable, but the older ones, which were taken on another device with an older operating system and transferred via iCloud backup, were not available.  So when we say “it depends” with mobile devices, we are referring to factors such as:

·       Device make/model/manufacturer
·       Operating system version
·       Age of data being sought in the investigation
·       Potential deletion of data being sought in the investigation
·       Forensic tools utilized by the investigator for extraction and analysis
·       Overall device storage capacity
·       User behavior

And that’s really just the tip of the mobile device iceberg.  When we also factor in the multitude of apps available on the market which may store valuable data, how the data is stored within those apps (i.e., encrypted or encoded) and what type of data that may be, it really starts to prove two things:  First, it really depends on many factors as to whether we can get the data that is needed in a particular case and second, the potential value of that data, if recoverable, cannot be over-stated.

Dependent Factors in Call Detail Record (CDR) Analysis

As detailed in a previous article, call detail and cell tower records can prove vital in a wide variety of cases.  However, the “it depends” factor is present here as well.  The unfortunate part is, some of the dependent factors with regard to call detail records are out of the examiner’s control in that they reside within policies of the cell provider, as well as other factors.  The most common question in this world of data analysis is, “what is the range of a cell tower?”  Well, it depends!  In most basic terms, the range of a cell tower is only as far as the next closest cell tower of the same provider.  However, other factors also play into the cell tower range including:

·       Number of mobile devices connected to the tower at the time of interest (load)
·       Geographical terrain/topography (trees, hills, buildings, etc.)
·       Tower maintenance, both scheduled & unscheduled
·       Manufacturer, age, height & type of cell tower
·       Handset-specific factors, such as antenna strength



Just as with forensic analysis of computers and mobile devices, time is of the essence in call detail record analysis.  The closer to the alleged incident you can request the data from the cell provider (via search warrant, court order, etc.), the better chance you’ll have to get more data, which could add great value to the case.

Wrapping it up

To most digital forensic examiners, the concept of “it depends” will not be a new one.  I was first taught that it really does depend while attending BCERT at the National Computer Forensics Institute by a savvy and knowledgeable attorney.  She was very correct and I’ve seen this played out in case after case ever since.

Even though the examples listed here are just a fraction of some of the dependent factors in various types of analysis, hopefully it’s clear now that there are generally not many clearly-defined answers in many areas of digital forensics and they are all case-specific.  Naturally, it bears noting that the training and experience of your examiner is a huge factor in determining whether or not you are getting all of the information you can get in your case, so choose your examiner wisely and carefully… Because success or failure can depend on that too! 


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6