One truism about digital forensics is that every case is different. As the technology has evolved, we have had to come up with new and inventive ways to problem-solve and work around issues in both the mobile and computer forensic arenas. The majority of cases we work likely only incorporate a handful of pieces of evidence, but with the increasing nature of continuity in device usage, annual upgrades of mobile devices for consumers, and flow between work and leisure usage of devices, the likelihood that we will encounter cases with many pieces of evidence increases with each new generation of electronics. So how do we manage this proverbial mountain of evidence? What steps can be taken to streamline the analysis and get to the truth faster and more efficiently?
Evolution of Technology
As an investigator and forensic examiner on the Internet Crimes Against Children (ICAC) Task Force in 2011, I worked my first such case with mountains of evidence. Our suspect had a current residence and a former residence, both of which held hundreds of CDs and DVDs, dozens of old computer hard drives and other assorted storage media. The case brought to the forefront the importance of evidence triage, organization, storage concerns and resource management. While the below picture of the on-site triage in this case doesn’t look particularly organized, it was the best we could do on-scene on a hot summer day in Virginia.
Fast forward to 2020: the lessons learned and approaches employed came to the forefront again while working a case for a client who was accused of creating and possessing CSAM and other unlawful images. The differences between the two cases, insofar as the technology was concerned, were stark. The 2011 case involved smaller capacity hard drives (by current standards) and hundreds of CDs and DVDs. The 2020 case involved multiple Mac computers with SSDs, multiple iPhones, media storage such as SD cards and several external hard drives used on Windows & Mac systems. Both cases required the same skill sets.
There’s an old military adage of the “Seven P’s”: Proper Prior Planning Prevents Piss-Poor Performance. This blunt phrase is true in law enforcement and in business. The first step in approaching mountains of evidence is to plan how you will address it and what is required to address it. Consider such factors as:
- What equipment will you require?
- How much time will triage, collection and analysis take?
- What workspace is available on-scene for triage or cataloging of evidence?
- What tools will you need to analyze the evidence?
- What types of evidence require analysis (i.e., mobile, PC, Mac, etc.)?
All of these considerations and more are at play when dealing with more items of evidence than typical day-to-day cases. As an example, in the 2020 case, it was necessary to get a listing of what was seized, what was analyzed and a report detailing what was found during the analysis. From an efficiency standpoint, there is no purpose in analyzing items that contain no relevant evidence. Review of the available documentation through discovery was crucial in planning what equipment would be required for the on-site analysis. A total of three computers were used in the evidence review, at times with all three processing or decoding simultaneously. The investigating agency also put different evidence files on two different pieces of media, one formatted in NTFS and another formatted in APFS due to the existence of Apple computer devices in this case. The analysis approach was determined by careful review of the documentation and consultation with Counsel in the case.
Was it a lot of equipment to haul around? You bet! But beyond planning for what equipment to bring, there also needed to be a workflow plan. Organizing which pieces of evidence were 1) most crucial and 2) would require more time to process was vital. A one or two terabyte external hard drive will take more time to process than a 64 GB SD card. Therefore, planning which items could be analyzed in a short amount of time and/or while other items were processing/decoding was key to efficiently executing all phases of the analysis.
It bears noting that the planning of your approach to cases with mountains of evidence depends greatly on your knowledge of the evidence involved and the tools available to you. As this case involved Mac computers, a Mac forensic computer and Mac-based tools were used to conduct the analysis on them. Is this necessary? No. But it is a factor about which you should be knowledgeable and for which you should have a plan in place. Having access to both a Mac forensic computer and a Windows forensic computer also helped with efficiency, as we could be simultaneously processing or decoding multiple pieces of evidence. Another key to effectively approaching the planning phase of cases like this is your knowledge of the file systems at play. In this example, we had evidence stored in NTFS, FAT32, exFAT, HFS+ and APFS file systems on the computer and peripheral items alone. Knowing the limitations and capabilities of these file systems can help plan your approach to their analysis. Metadata is at play in virtually every case, and the metadata available on APFS or HFS+ media is vastly different from that on FAT32 media. Knowing your evidence, your tools, and the capabilities they have to work together will lead to more successful planning and execution of cases like this.
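The workflow planning described above (most crucial items first, long-running items started early and in parallel, Mac-only file systems routed to the Mac station) can be written down as a small scheduler. This is an added illustration, not a tool from the original post; the throughput figure, the station names, the file-system support table and the evidence list are all constructed assumptions.

```python
from dataclasses import dataclass

# Assumed throughput for time estimates (GB/hour); real figures depend on
# the tool, the hardware and the image format.
ASSUMED_GB_PER_HOUR = 100.0

# Which workstation can natively process which file systems (assumption for
# this example: only the Mac station mounts APFS and HFS+ images).
STATION_SUPPORT = {
    "mac": {"APFS", "HFS+", "FAT32", "exFAT", "NTFS"},
    "win1": {"NTFS", "FAT32", "exFAT"},
    "win2": {"NTFS", "FAT32", "exFAT"},
}

@dataclass
class Item:
    label: str        # evidence tag
    size_gb: float
    filesystem: str
    priority: int     # 1 = most crucial to the case

    def hours(self) -> float:
        return self.size_gb / ASSUMED_GB_PER_HOUR

def plan(items, support=STATION_SUPPORT):
    """Greedy: most crucial first, then longest job first, each sent to the
    compatible station that frees up earliest. Returns (label, station,
    start_hour, finish_hour) tuples in processing order."""
    free_at = {name: 0.0 for name in support}
    schedule = []
    for it in sorted(items, key=lambda i: (i.priority, -i.hours())):
        able = [s for s, fs in support.items() if it.filesystem in fs]
        if not able:
            raise ValueError(f"{it.label}: no station handles {it.filesystem}")
        station = min(able, key=lambda s: free_at[s])
        start, finish = free_at[station], free_at[station] + it.hours()
        free_at[station] = finish
        schedule.append((it.label, station, start, finish))
    return schedule

def makespan(schedule):
    # Hour at which the last item finishes processing.
    return max(f for _, _, _, f in schedule) if schedule else 0.0

# Constructed evidence list, loosely modelled on the 2020 case above.
SAMPLE = [
    Item("E1 MacBook SSD", 1000, "APFS", 1),
    Item("E2 iMac SSD", 2000, "APFS", 1),
    Item("E3 ext HDD", 2000, "NTFS", 2),
    Item("E4 ext HDD", 1000, "NTFS", 2),
    Item("E5 SD card", 64, "FAT32", 2),
    Item("E6 ext HDD", 500, "exFAT", 3),
]
```

Running `plan(SAMPLE)` shows the Mac station as the bottleneck (the two APFS images alone occupy it for 30 estimated hours), which is exactly the kind of constraint to discover before packing equipment rather than on-site.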
In the 2011 case cited, triage was absolutely critical. Triage of the computer systems was conducted with Eric Zimmerman’s OSTriage tool, but triage of the CDs and DVDs was much more tedious and difficult. Why do we triage? Because physical space is limited and cases are back-logged enough without having to dive into potentially irrelevant pieces of evidence. Spending a little more time on-scene (which is not always a palatable proposition) can save more time later in the analysis phase. Tools like Magnet Outrider for Windows or Recon ITR for Mac systems are fantastic for getting a quick look at the evidence on-site without leaving a large footprint. As with anything having to deal with live evidence, document your use of any of these tools. Someone else may be coming behind you to review the images at a later time.
By triaging evidence on-scene whenever possible, we are taking measures to lighten our workload on the back end. Unfortunately, this is more problematic when dealing with mobile devices. Because apps and artifacts on mobile devices need to be decoded and processed, triage becomes a little more difficult. We try not to hand-scroll the device too much because that can also alter the evidence to a degree. Other factors that arise with mobile devices more often than with computers are the presence of older/unused devices, damaged devices and devices that are locked and may require alternative acquisition methods. There may also be legal considerations, depending on the wording of your search warrant or court order. The possibility of network connectivity can also add to the urgency of seizure over triage of mobile devices. The positive thing about seizing multiple mobile devices is that they don’t take up as much physical space as computer evidence does.
Analysis of your evidence in most cases comes down to finding what you need, documenting it and moving on. The trap with cases that involve mountains of evidence is the tendency to look at the evidence at face value and not much further because there are so many pieces to analyze. The number of pieces of evidence becomes almost overwhelming, to the point where the analysis can be cursory at best. As professionals in this field, we must recognize and avoid this whenever possible. Thoughtful analysis includes not just finding the evidence, but attempting to identify its source and other associated data points about it, such as creation/access/modification times, EXIF data, location data and other key components that may be at play in the case.
When presented with a daunting number of items, the natural tendency is to scan, document and move on. But we must always look deeper. For those in law enforcement, the approach should be that the suspect is innocent and will hire their own expert to assist in determining that from a digital forensic perspective. For those in the private sector conducting independent analysis for criminal defense matters, the analysis approach should be that the client is guilty and the government is going to do everything they can to prove that fact. If you can prove or disprove their guilt, your analysis will have a solid foundation. In either realm, knowledge of the law, education of counsel about the evidence and close consultation with counsel is of utmost importance. For those working other digital forensic analysis matters in corporate investigations or incident response, the mindset should be that litigation will ensue after you present your findings. All of these reasons are why proper planning, procedure and documentation are so important.
Revisiting the Evidence
In nearly every large-scale case I’ve worked, there has been a necessity to revisit the evidence. The notion that we can conduct a full, thorough analysis in one sitting (which may take days or longer) is largely not feasible. Whether in law enforcement or the private sector, there are always additional questions that arise after the initial analysis of the evidence. Furthermore, when dealing with mountains of evidence, it’s never a bad idea to take a break for a bit and come back at the evidence with a fresh perspective. These cases can be physically and mentally draining. Consider also having another examiner look at the evidence if you have the resources to do so, or if working in a group setting, a peer-review of the analysis is also very beneficial. At the heart of every digital forensic analysis is a person and people are not perfect, no matter the degrees hanging on the wall, the certification letters after their name or the years of experience. Our charge is to try to get it right every time because so much can be at stake. Our flaw is thinking we know everything there is to know and we don’t need any help.