November 21, 2016
Problem Solving Digital Forensics
For those of you who are involved in (and can tell people about) active digital forensic casework, you probably get the same response when you tell others about your job – “Wow! That sounds really cool!”. Yes, it sounds cool and can often be very interesting, but many cases are mundane and repetitive. Oftentimes, the most challenging part of digital forensics is getting to the data. That is to say, acquiring the data so we may conduct our analysis fully and appropriately. It is then that the life skill of problem solving comes in very handy. Problem solving is an evolving issue in both computer and mobile device forensics and will continue to be as the industry progresses. It’s also not a skill that is taught so much as ingrained and acquired over time with experience.
Problem Solving Computer Forensics
The methodology in computer forensics is virtually unchanged throughout the years. Yes, the technology changes and there are additional considerations along with that, but at the core, we are trained and practice to create a forensic disk image, verify the image and conduct our analysis on the exact copy of the media. However, the integration of newer technology such as solid state drives in various forms and memory storage that is hard-wired into the logic board of some computers presents a problem that needs to be solved. With items like this, we can’t always simply remove the media and create our forensic image; we need to work around the problem while still maintaining the integrity of the evidence. I’m often asked how to acquire the main memory on items such as newer Mac computers. For this particular subset of technology, we generally find Paladin by Sumuri to be a great resource. The Linux-based bootable tool (which is also free) provides a non-intrusive forensic solution to acquire this data simply and easily without tearing the complex hardware apart. There are other tools for troubleshooting this as well.
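The image-verify-analyze sequence described above, as an added example that is not code from the article or from any tool it names: a small Python workflow that hashes the source while imaging it, re-hashes the finished image independently, and reports whether analysis may proceed. The 2 MiB "media" is a constructed byte string in a temporary directory, so no real device is touched.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB blocks, so large media never have to fit in RAM


def image_media(source_path, image_path):
    """Copy source_path to image_path block by block, hashing the bytes as
    they are read. Returns the SHA-256 seen during acquisition."""
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def hash_file(path):
    """Independent re-read of a finished file, used to verify the image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, acquisition_hash):
    """Re-read the image and compare with the hash recorded at acquisition.
    Analysis should proceed only when this returns True."""
    return hash_file(image_path) == acquisition_hash


def demo(tamper=False):
    """Run the workflow on a constructed 2 MiB 'media' file in a temp dir.
    With tamper=True one byte of the image is altered after acquisition,
    which is exactly the failure that verification exists to catch."""
    with tempfile.TemporaryDirectory() as d:
        src, img = os.path.join(d, "media.bin"), os.path.join(d, "media.dd")
        with open(src, "wb") as f:
            f.write(bytes(range(256)) * 8192)  # constructed sample data
        acq = image_media(src, img)
        if tamper:
            with open(img, "r+b") as f:
                f.seek(100)
                original = f.read(1)
                f.seek(100)
                f.write(b"\x00" if original != b"\x00" else b"\xff")
        return verify_image(img, acq)
```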
But what about issues like encryption? Network storage? RAID arrays? Generally speaking, there are solutions available to deal with these circumstances, but when it comes down to the specific hardware, software and environment in a given case, you can almost always be guaranteed that there will be some case-specific problem solving that will need to take place.
For instance, a case we worked in 2015 required acquisition of network folders from an Exchange 2003 server. Not only was the server slow, but the process overall was painfully slow because of the outdated technology. The data connections were out of date (SCSI), the transfer rates were slow (USB 2.0) and the acquisition took much longer than we would have preferred. When working cases of varying type and technology, sometimes the most important questions are the ones you ask (or forget to ask) prior to getting on-scene.
Problem Solving Mobile Device Forensics
As mentioned in previous articles, my personal forensic experience did not start out in the mobile device space; rather, basic and more advanced training was gained on the computer/dead box forensic side first, then evolved into the mobile space within the past 3 years or so. To say that acquiring the data in mobile forensic cases involves some problem solving is an understatement. Consider that the security on devices such as the iPhone (and other associated iDevices) has consistently given digital forensic examiners problems throughout the past few years to the point of frustration. Then add into the mix the multitude of manufacturers and software versions for Android-based devices and the water gets further muddied. Now, throw in the “feature phones” with proprietary operating systems and almost countless manufacturers from all over the globe and we have a problem-solving mess on our hands.
This is why companies like Cellebrite, Oxygen, Magnet Forensics, XRY and others exist. Yes, they all do an adequate job parsing, presenting and reporting the data post-analysis, but before we even get to that point, we need to acquire the data. This has emerged as the biggest challenge in mobile device forensics. This is why we pay so much for those licenses and renewals every year.
Techniques such as ISP, JTAG and chip-off have emerged as commonly accepted methods for bypassing this security and accessing the data as well. These methods have given rise to a newer form of problem-solving where we access the physical memory storage on the device to be able to obtain a data extraction. However, these methods likely won’t be viable indefinitely, and the problem-solving part of the mobile forensics industry will need to keep evolving to find ways to acquire the data for years to come.
Wrapping it up
Problem solving is a tangible skill. If digital forensic examiners think that “push-button forensics” is the norm or even the wave of the future, it is not. Quite the opposite. Sometimes, what separates a decent examiner from a plug-and-play examiner is the ability to size up the problem(s) in the case and devise ways to work around or solve them. The fundamentals of forensics can be taught, but only experience working cases of varying type and degree can serve to separate those who can solve problems from those who cannot.
Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally
We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.