Day-To-Day Challenges In Digital Forensics

All occupations face daily challenges. Many of these challenges come from dealing with the public, while some are more problem-solving challenges. In digital forensics, we face challenges on both ends of this spectrum because ultimately our jobs affect lives. Whether you’re a law enforcement examiner whose findings could put someone in prison for a significant period of time, or working for a corporation dealing with sensitive data, breaches and potential insider threats, the challenges are real and very often unique to the case or incident we’re working on. These challenges have evolved and grown in the field over the course of decades to include network architecture, mobile device architecture & data acquisition and encryption, as well as those challenges that we may encounter that are one-offs. So, what are the main challenges and how do we deal with them? 

Daily Challenge #1: Imaging Modern Computers

Acquiring the data in computer forensic cases used to be an easy matter. Photograph everything, pull the plug, yank the hard drive, hook it up to a write blocker/imager and, when imaging completes, check that the hash values match for verification. Nowadays, this is not always the case. In fact, it is probably the exception rather than the norm. With more portable technologies like notebook computers and stand-alone tablets that run full operating systems, we’re having to spend more time assessing what the hardware/software architecture is before developing an approach to acquiring the data in a forensically sound manner. Some questions we consider include:

  • Is encryption in use and if so, what type?
  • Is the on-board memory removable? If it is, what type of connection is needed to commence the imaging process?
  • Does the device accept any external media that would allow a bootable tool to be used for imaging?
  • Does the device have constant network connection via cellular, aside from wi-fi or Bluetooth?
  • Is the device running a one-off operating system (i.e., not Windows or Mac)?
  • For Macs:
    • What generation is the device? 
    • Is FileVault in place and if so, do we have the password?
    • Is this a device with a T2 chipset that will require a special tool and/or work-around for imaging?
  • Can we even get a full physical image or will we have to settle for a logical image?
  • Should we try to capture the volatile memory? Is it even an option with this device?

All of these considerations need to be identified and documented before we can even start the imaging process. The days of “one and done” imaging of many devices are over, and imaging is only going to keep evolving and presenting analysts and technicians with increasing challenges as time goes on.

Daily Challenge #2: Forensic Data Acquisition of Mobile Devices

One of the larger evolutions we’ve seen in digital forensics in the past 15 years or so is the ubiquitous and pervasive use of mobile devices in virtually every case we work. And as a side note, if you’re not considering mobile data in most (if not all) of your cases, you may be missing crucial evidence. That aside, the evolution has gone from simply plugging the phone into a stand-alone tool that would gather calls, contacts and texts to having to acquire as much data as possible. Modern smartphones store very large amounts of data, probably more than many of us ever expected when we started in mobile forensic analysis, and many times the key to the case lies in gathering as much data as possible.

For Apple devices, this has been a challenge for multiple generations of devices. Even with the recent developments of GrayKey (law enforcement) and Checkm8 exploits, we still cannot acquire a full physical dump of a modern iPhone or iPad. And the game of cat-and-mouse between Apple’s hardware & software developers and particularly law enforcement seems never-ending. What we are able to acquire today may not be available to us with the next iOS upgrade or iteration of the iPhone or iPad. For private sector examiners, the challenges increase with only moderate access to some means to acquire the best and most complete amount of data and only with a passcode to the device. These challenges are ever-evolving. The “side-challenge” to many field practitioners is to stay abreast of the changes and developments to best serve the stakeholders in the case.

Android devices, while somewhat slower to develop the same data security methods as Apple, are catching up in waves. The days of acquiring a full physical dump from a non-rooted Android device are fading with each new generation of phone or tablet. So then the challenge becomes one of decision-making and workarounds. Do we choose to root the device in the hopes of obtaining a full physical dump? What is the process involved with doing that with the specific device and software version? What are the risks involved with rooting the device? Are there any legal challenges that could be brought through undertaking such means?

All of these considerations and more are not only vital to your success when attempting to get as much data as possible, but could potentially lead to failure to a degree that may be unrecoverable. The risk vs. reward debate is one that has been around a long time in digital forensics and will only continue to pervade our industry.

Daily Challenge #3: Explaining Everything

Ultimately, our job as forensic examiners is to be able to whittle down very technical terms and processes and explain them to the stakeholders in our cases. For law enforcement, this is usually first a prosecuting attorney, then a judge and/or jury. Many times, similar explanations need to be provided to opposing counsel so they can be better informed as to the appropriate defense of their client. For private sector litigation support examiners, these stakeholders are generally the same people, just in a different order. For incident responders, the stakeholder is usually someone at a C-suite level and potentially corporate counsel. 

What do all of these stakeholders have in common? None of them are digital forensic examiners and none of them know (or care, much of the time) about the nuances of our work. Regardless, the nuances and the details are vitally important. Might we have to explain how and where we found a particular piece of evidence? Absolutely! But that explanation cannot be filled with jargon or overly technical terms. Nothing loses the attention and interest of the people you’re ultimately accountable to more than drowning them in jargon. If no one knows what you’re talking about, how are they supposed to care and make an informed decision based upon your findings?

The skill of effective, simple communication of complex technical matters cannot be taught. It is learned, and generally learned through failure, along with some coaching from peers. This particular daily challenge in our work is also where the rubber meets the road. Many examiners are fantastic at what they do, but they cannot communicate their findings effectively to the non-technical people involved in the case. And even as you read this, you can probably identify someone you know who falls into this category. 

Conclusion

The challenges in digital forensics are by and large unique to our field. This is why the field draws such a varying array of people’s interest, both as practitioners and observers. But the work, while interesting and engaging, isn’t for everyone. Every examiner has their strengths and weaknesses, but the common thread to the challenges listed here is the ability to problem solve and communicate effectively. Without that base of traits, an examiner is going to face even more challenges than these, which could have dire consequences. Ultimately, we all just want to find out what happened, so at the heart of every examiner is their desire to find the truth, no matter what that may mean, for the particular case or incident. These challenges will continue to evolve and grow in number as time goes on, but as a community, we’ve met them very well so far and no doubt will continue!

About the Author

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
