by Christa Miller
In the second half of 2019, a set of hirings made some waves in the digital forensics community. First, in July, Cellebrite hired well-known SANS Senior Instructor Heather Mahalik. Then in August, Mike Williamson joined Jessica Hyde, Christopher Vance, and others at Magnet Forensics. In December, the set completed when BlackBag Technologies hired likewise well-known SANS Senior Instructor Sarah Edwards.
“Name” researchers going to work for vendors is nothing new, of course. Amber Schroader founded Paraben in 1999; Lee Reiber took over as Oxygen Forensics’ Chief Operations Officer in 2015, while Edwards’ transition to BlackBag put her in the already well-established research powerhouse of Vico Marziale and Joe Sylve.
Then Cellebrite acquired BlackBag, consolidating that powerhouse together with Mahalik and a formidable R&D team. With that, the talent acquisition process began to feel more like a research ring match, with Cellebrite and Magnet Forensics trying to knock each other’s blocks off. Where does that leave research itself?
The tradeoff between resources and profit
By now the industry takes it as a given that no one — neither vendors nor independent researchers — can keep up with the new devices, apps and app versions, or operating systems and their versions. Near-constant changes to these elements affect the way they store data, and in turn the way forensic tools acquire and parse that data.
Researchers need two things to attempt to keep pace: time and funding. It’s rare for research to be done for its own sake. Most is done in conjunction with casework or coursework and involves a specific device make / model, or a specific app.
Arguably, vendors are investing in research “deep work” that can ultimately make their tools stronger and serve a wider range of forensic examiners with highly relevant acquisition and analysis capabilities.
On the other hand, no private entity invests in anything without anticipating a return. Community goodwill is valuable, but only if it results in additional sales. Whereas independent research has always been about solving interesting problems and sharing the results with the community in the hopes that it will help, vendor tool development focuses on the most critical needs — identified by the community, yes, but prioritized by how frequent the feedback is.
That means the price of investing in “deep work” may be the loss of the kind of research that solves interesting problems. The concern isn’t so much that it will become the vendor’s intellectual property — Edwards’ APOLLO remains on GitHub in addition to being a BlackLight plugin, for instance — as it is the research’s focus. The really “interesting” problems may well be paywalled behind the labs that some vendors now run.
A closed, black-box competitive advantage
Again, proprietary research is undisputedly part of the business and has been for a long time. But the risks of too much concentration in the vendor realm were highlighted in 2011’s Digital Forensics with Open Source Tools, where Cory Altheide and Harlan Carvey wrote of their “experiences where proprietary forensic products have produced demonstrably erroneous results, but these tests were performed in a ‘black box’ scenario.”
This problem has persisted and accelerated, as new app or operating system versions are known to “break” both proprietary and open source tools — showing incorrectly parsed data, for example, that can lead to erroneous interpretations.
In those cases, vendors tend to patch quietly. Whether out of fear of embarrassment in a tightly competitive market, or out of broader admissibility implications, it’s difficult to say. (Imagine a judge who, not understanding how easily these kinds of errors occur, calls into question every result from that brand, as if all the variables were monolithic.)
It isn’t as if researchers’ efforts will disappear behind a veil of secrecy, as numerous blogs, presentations, podcast episodes, and the like already show. On the other hand, their research, written up for official vendor blogs, wouldn’t necessarily include what a vendor wanted to hold back. Often, what goes unsaid is as important as what goes on the record.
One other thing more competitive research puts at risk: collaboration. Researchers who might once have freely shared with one another and built on each other’s research are less at liberty to do so now. “Coopetition” might allow a kind of uneasy truce-forging between vendors in the name of, say, a webinar or topical lecture at a conference. However, just as monopolies limit innovation by limiting competition, researchers may be less willing to share the results of their work if transparency means limiting their employers’ competitive advantage.
It might be compared to a vendor’s outright purchase of intellectual property that leaves no open source alternative. By trading source code for scale and an easy-to-use interface, the tool developer limits its visibility. The work that went into the original research could conceivably be replicated, but it would be unnecessarily duplicative — and besides, limiting examiners’ options for testing and validation when they are already pressed for time doesn’t serve justice.
Of course, just because the admissibility of digital evidence isn’t frequently challenged doesn’t mean it won’t be. While it’s understood that proprietary methods are protected during court proceedings, it’s worth noting that one of the foundations of admissibility is whether a theory or tool has been tested. Another is whether the results are reproducible and repeatable.
Experienced professional forensic examiners like Mahalik, Edwards, and others know this. That’s why it’s encouraging to see Mahalik, in her recent post, call for additional research to be shared with the community — a springboard of sorts. By using her platform to encourage this kind of work, she’s accomplishing two things:
- Promoting independent research and tool development ultimately enables examiners to validate the results of tools like UFED Physical Analyzer.
- Actually highlighting the research and independent analysts who conduct it.
The commoditization of relationships and the community
Part of the reason researchers got to where they are is their strong, consistently shared research. Blog posts, Twitter feeds, podcasts, and other media offer a transparent means of showcasing digital forensic research.
Open-source community projects notwithstanding, however, the concentration of so much top talent behind vendors’ closed doors effectively plays off one against another — and commoditizes the relationships they have with community members.
Certainly, researchers who have strong relationships with the community, as well as strong reputations for being hitherto vendor-neutral, stand a better chance than, say, an average product manager in asking for suggestions or feedback on trends and the tools themselves.
But communication is part speaking, part listening. Vendors are driven by business strategy, and their viewpoints can be affected by business goals and needs. Just as the bottom line drives R&D, these filters might inadvertently result in key insights or trends going unrealized, key content never being written or recorded, and so forth.
Certainly, responses to polls and questions on social media can benefit more than one vendor, as well as independent researchers. Likewise, examiners who request research from one vendor aren’t placed under an NDA that would stop them from asking the same of another vendor.
In fact, this might be considered a duty, particularly when using more than one tool. Asking multiple vendors for the same feature can only improve examiners’ ability to test and validate its results — assuming, again, that vendors choose to put their resources into that particular feature.
Towards stronger community-based research
It might be wise to redefine “research” to encourage more people to conduct it. Not everyone can write their own parsing scripts — or enjoys writing blog posts — but Edwards has stated that basic verification can be performed in as little as five minutes, and screenshots can accompany tweets or messages posted to the Forensic Focus forums, the digital forensics Discord server, and other venues.
Meanwhile, researchers like Josh Hickman are posting test images that the community — as well as vendors — can use to validate their tools, and populating test data for given apps can be gamified between researchers or even assigned as a student project.
Another good-faith way for vendors and researchers to build community is by replicating the APOLLO approach, in much the same way Cellebrite and Belkasoft did when they recently included the Checkm8 solution in their tools. The original Checkra1n exploit remains free and available for testing to validate extraction results — on test devices, naturally — but the tools offer a forensically sound data acquisition method. (Bonus when the vendors are willing to give credit where it’s due to the researchers who created the tools.)
As for whether enough independent blogs exist to balance proprietary research, this might be a case in which less is assuredly not more. As independent researcher and blogger Alexis Brignoni observed in a recent blog post:
“… as expected, a new OS version will break previously [known] good artifact parsers for both third party apps and native files. It is our job to figure out where the known but now lost items are as well as finding new artifacts we weren’t aware of. This is how toolmakers can focus effectively on what is needed to be done, by [us] doing the work and telling them it is important to us….
“As examiners we own the data we are tasked with processing and it is our responsibility to verify that any inferences gathered from it are exact and backed up by the source. We are uniquely positioned to identify gaps in knowledge, to work in filling them up, and sharing that knowledge with others that can automate the process to the benefit of the greater community of practitioners…. Your perspective is needed, your expertise is essential. Make it known.”