
Monday, March 7, 2016

Apple vs. the F.B.I: Some Forensic Implications

Never one to let a good legal-tech story opportunity go to waste, I started ruminating over the multitude of implications in the Apple vs. FBI matter.  There are certainly many factors which will inevitably lead to a decision.  These include legal, technical, ethical, moral and philosophical factors, many of which have been (correctly or incorrectly) expounded upon by pundits, politicians and bloggers.  One of the main considerations, however, deals with the practice of mobile forensics and how any evidence gained from the hacked iPhone may affect future legal proceedings.

The Problem with the Request

Most mobile forensic practitioners will tell you that mobile forensics is not true forensics.  This is because data on the device is always changing and cannot be proverbially frozen in a state when it is seized due to near-constant network connectivity and instant, minor changes being made to the device.  Further, in order to obtain the data off the device, we generally have to alter a minimal amount of data to allow the acquisition computer to “handshake” the device and get the data extraction.  Without boring any readers with the technical aspects of what goes on in this process, suffice it to say, this is the case in virtually every single mobile forensic data extraction performed.

The problem with the FBI’s court order to Apple is that it forces Apple to alter data even more than the normal procedure calls for.  The request calls for several changes to be made to the iOS operating system on the device in question: 1) allow unlimited attempts at a brute-force unlock (i.e., hack) of the device without the threat of a 10-tries-and-out data wipe, and 2) allow successive brute-force attempts without the time-out feature between attempts, which works its way up to 1 hour.  Simply put, the FBI doesn’t want to have to potentially wait up to 10,000 hours or so to unlock the device.  None of these alterations of the operating system have ever been performed on any other evidence device, which opens the flood-gates to many questions with regard to exactly what data is being altered if and when Apple performs this procedure on the device in question.

The Daubert Standard

In 1993, forensic science in the courtroom got a proverbial slap in the face through what is now known as the Daubert Standard (See Daubert v. Merrell Dow Pharmaceuticals, Inc., 509 U.S. 579).  The case involved forensic expert procedures and testimony from a witness and dictated how forensic expert work and testimony should be judged from that point forward.  The standards and issues are as follows:

  • What is the basic theory and has it been tested?
  • Are there standards controlling the technique?
  • Has the theory or technique been subjected to peer review and publication?
  • What is the known or potential error rate?
  • Is there general acceptance of the theory?
  • Has the expert adequately accounted for alternative explanations?
  • Has the expert unjustifiably extrapolated from an accepted premise to an unfounded conclusion?

I propose that most (or all) of the above-listed questions cannot be answered in the case of Apple vs. the FBI.  The theory has not been tested (at least not that we know of).  There are no standards controlling the technique because the technique has, in theory, never been attempted.  Because it’s never been tested, it has not been subjected to peer review and publication.  We have no idea of the error rate (because it’s never been attempted).  Acceptance of the theory is very much up for debate and is one big reason why the case has garnered so much attention.  Whether or not the actual person performing this procedure would have to come to court in any subsequent proceeding would answer the last two points, but again, the procedure has never been done before, so how do we defend against any conclusions that are drawn as a result of the procedure?

Further, the results of the procedure need to be validated, repeatable and defensible.  If the evidence the FBI gains from the phone leads to criminal charges and that criminal defendant hires an independent digital forensic analyst to perform a data extraction, analysis & reporting, how is he or she supposed to facilitate that?  How is this procedure repeatable to an independent expert?  Short answer, it isn’t… At least not under current circumstances.

The End is a Good Place to Start

A common theme in this blog is one coined by Stephen Covey: Begin with the end in mind.  In this particular case, the FBI has a professional and ethical responsibility to begin with the end in mind and answer the questions: What do you hope to learn?  What is your objective?  What will you ultimately do with this data, should it present evidence of a crime?

The rules are in place for a reason.  Innocent people get mixed up in investigations just like guilty people do.  Everyone deserves a fair shake in the court system, and the heart of forensic science is to find the truth based upon the evidence, no matter where that leads.  So before we, as a society, choose sides with regard to who is the “good guy” and who is the “bad guy” in this case, perhaps we should ask the critical questions about the end-goal.  Oftentimes, that will direct you where you need to go with regard to proper procedure.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally

We Find the Truth for a Living!

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS, BCERT, the Reid School of Interview & Interrogation and various online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Thursday, December 17, 2015

Neutrality in Digital Forensics

Let’s be honest, everyone has biases about many things in life.  Whether you have a bias against people’s behavior during a full moon or a bias for or against the police in an investigation, biases come in all shapes, sizes and varieties.  Some are politically-motivated, some are based on upbringing, some are rooted in personal experience and some are just ill-conceived notions of behavior or situations based upon a minimal representative sampling.  Regardless of the origin of personal bias, let us also be clear that it has no place in digital forensics.  Period.

Neutrality in Practice

Neutrality is defined as “the state of being unaligned with or supporting any side or position in a controversy.”  The “controversy” we would generally be referring to in digital forensics is the legal case or dispute in which we are analyzing digital evidence to prove or disprove a theory – that’s an important distinction to neutrality in itself – to prove or disprove the theory.  You see, when a claim is made, whether it be by the government, another party involved in a divorce or a corporation, the heart of the forensic methodology is to prove whether or not that claim is valid through analysis of evidence.  Unfortunately, my experience (and perhaps my own bias) is that this doesn’t always happen.

For example, an analysis by the government showing the existence of illicit images on a computer hard drive is in and of itself potential evidence of a crime.  However, some examiners may stop at simply finding and reporting.  But there is often much more to the story.  Where did the images come from?  How did they get there?  Who downloaded or transferred them?  Is the prime suspect the only one who had access to the computer?  What is the overall number of other images (i.e., legal adult images) that exist in relation to the illicit images?  All of these things have the potential to be mitigating and/or exculpatory factors.

I’ve had this discussion with my colleagues in law enforcement multiple times.  The argument on their side is always that the pictures are there, so the suspect is guilty.  My argument is that if you don’t do a thorough enough forensic examination, you could be missing key pieces of evidence that could prove that they are in fact not guilty, which is also your responsibility as a public servant operating under good ethical principles.  I have worked these cases from both “sides” and I can say that I did not appreciate this until I left government work.  I will also say that the evidence and analysis much of the time shows that the suspect was, in fact, guilty.  But that doesn’t mean that we should assume they are always guilty and start cutting corners.  That’s a slippery slope from which we will all have trouble recovering.

Neutrality is key in these examinations, but I also understand it’s difficult.  As a law enforcement investigator, I was once charged with writing a search warrant for electronic evidence and conducting a forensic examination based upon very anecdotal information, only some of which could be substantiated.  My supervisors were convinced that the suspect was guilty and I did my due diligence on the case, ensuring that I was thorough and remained neutral.  In the end, I found no evidence of their guilt.  Absolutely none.  My supervisors were incredulous.  Did I do something wrong?  Not at all.  I did my job the way it should be done, but unfortunately may not be all the time by everyone.  I remained neutral and with an open mind.  Was this a waste of time and resources?  I’ll let you decide that for yourself.

Neutrality is just as important in non-criminal cases.  Think about how much raw emotion encircles a divorce, especially if there are children involved, yet we must remain neutral.  After all, it could be the utter lack of evidence in an infidelity claim that turns the tide and keeps that family together in the end!  In corporate IP theft or fraud cases, someone’s job, livelihood or reputation is on the line.  The ability to examine the evidence presented with a neutral mindset could make the difference between condemnation and vindication.  So as you can see, neutrality is important to everyone in all cases, regardless of the dispute.

You Found Nothing, Now What?

Whenever we are able to prove the claim through digital forensic analysis, the client (for lack of a better term) is generally quite happy.  However, more than once, I have conducted thorough, thoughtful digital forensic examinations and reported back to the client and/or attorney that I’ve found little or no evidence that supports their claim.  To say that the party on the receiving end of these reports is usually quite surprised would be an understatement.  So now that you didn’t find anything, what are they supposed to do?  There are always alternatives.

First, is there more evidence to examine?  If they are convinced that the suspected activity is ongoing, there may be evidence elsewhere that is not readily apparent and that has not been presented for analysis.  Second, what other corresponding activity is taking place to support the claim, and is there an alternative way to get the evidence?  Clichés are clichés for a reason, and there’s usually more than one way to skin a cat.  Finally, if all other avenues have been explored, it may be time to have a very honest conversation about the possibility that the suspected activity is not actually occurring.  This naturally takes more people skills and fewer technical skills.

Cannot Be Overstated

Neutrality as a standard practice and mindset in digital forensic examinations cannot be overstated.  I understand the human element, especially in government sectors.  If you see evidentiary guilt over and over again, it’s human nature to fall into a pattern of pushing the digital forensic “easy button” and not looking at the big picture.  But if you do, you are ultimately devaluing your work, your service to the public and your reputation as a forensic examiner.

In some ways, being a private-sector consultant combats this naturally.  Every new client and every new case is a fresh start.  We don’t assume anything, we don’t rush to judgement, we simply let the evidence point us to the facts, which most often leads all parties in the case to the truth.  There’s no denying that we set out in every case to make our clients happy, but not at the expense of neutrality or credibility.  Simply put, no amount of money is worth sacrificing ethics.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
(Virginia DCJS #11-14869)
Based in Richmond, Virginia
Available Globally

We Find the Truth for a Living!