With in-person events making a cautious comeback this year in a pandemic-strained environment, attendance at the Forensic Europe Expo in June was perhaps a bit lower than might otherwise have been expected of a free event.
Still, the vendors who showed up provided numerous insights into their products and the way they’re used across various levels of digital forensic practice. Independent consultant Simon Biles and lecturer Jade James attended and offer their observations below.
The talks: Video evidence, IoT chip-off extractions, and enriched mobile extractions
Jade had this to say about the talks she attended:
“[Amped* CEO] Martino [Jerian] gave an excellent talk about video evidence, in which he emphasized the importance of the initial stages of an investigation – collection [and] preservation of digital video evidence. It is important to get it right in the initial stages of an investigation, so that evidence does not become inadmissible in the Criminal Justice System and to lessen the risk of miscarriages of justice occurring.
“It wasn’t the usual vendor presentation in which you are given the usual ‘here is how to use our tool to conduct your investigation’; attendees were actually given useful advice, such as not to make a video of a video needed for an investigation, which obviously affects the quality of the evidence. Which is pretty obvious when you think about it, but it is a common mistake made by practitioners when trying to collect video evidence.”
To this, Si added: “My absolute favourite part of [Amped FIVE] was its report writing – when summarising all of the operations carried out, it cites the relevant academic papers and explanations (in full Harvard style) in a way that allows for verification later – very, very slick… a joy to behold as they give all of that context from the forensic sausage machine rather than just the results.”
In “a different type of Digital Forensics investigation, which is not widely seen,” said Jade, RuSolut’s Mykhailo Rybkin provided “examples of how it would be possible to extract digital data from IoT devices using the chip-off technique, which is the removal of NAND memory for the purposes of data extraction, in cases when it is not possible to access the memory through standard interfaces built into the IoT device.”
RuSolut focuses its efforts on the extraction of data from vehicle infotainment systems and IoT devices, said Jade, producing their own data recovery hardware and software solutions and “currently in the process of producing an analysis tool, which can be used to analyse the data, once it has been extracted from the NAND memory.” This talk, she added, focused more on chip-off’s benefits than on its well-known risks of irrevocably damaging data.
Jade also attended Grayshift’s* case study, “Leveraging an Enriched Phone Data Extraction,” in which Stephen Coates offered a road traffic collision scenario to demonstrate digital data’s relevance to that type of investigation.
“In this scenario, one vehicle had driven into the back of another vehicle and the collision caused two people to die at the scene,” James explained. “The person who caused the accident had admitted to using his iPhone at the time of the collision, but maintained that he was using the phone with handsfree commands.
“Using GrayKey and parsing the KnowledgeC database, it was possible to demonstrate beyond a reasonable doubt that the person was in fact handling his phone at the time of the collision. The KnowledgeC.db database can be found on macOS and iOS devices and cannot be found using traditional iOS imaging techniques and it is not found in an iTunes backup.
“Parsing this database can provide valuable information, such as Application usage, Safari Browser History, Lock status etc. It was surprising to many attendees of the talk that it is possible for law enforcement to find out these types of facts during an investigation and people may now think twice about using their phones whilst driving!”
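The kind of query described in this case study, as an added example that is not from the talk, Grayshift or Forensic Focus: it builds a constructed stand-in for knowledgeC.db and lists the app-focus, lock-state and backlight records that overlap a window around an incident time. The `ZOBJECT` table, its column names, the three stream names and the 2001-01-01 timestamp epoch are not given on this page; they are assumptions taken from public research on this database and should be checked against the actual extraction.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Core Data timestamps count seconds from 2001-01-01 00:00:00 UTC (assumed epoch).
COCOA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)
STREAMS = ("/app/inFocus", "/device/isLocked", "/display/isBacklit")  # assumed names

def to_cocoa(dt):
    return (dt - COCOA_EPOCH).total_seconds()

def from_cocoa(seconds):
    return COCOA_EPOCH + timedelta(seconds=seconds)

def build_sample_db():
    """Constructed stand-in for knowledgeC.db with only the columns queried below."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ZOBJECT (Z_PK INTEGER PRIMARY KEY, ZSTREAMNAME TEXT,"
               " ZVALUESTRING TEXT, ZVALUEINTEGER INTEGER, ZSTARTDATE REAL, ZENDDATE REAL)")
    def t(h, m, s):  # constructed date, times in UTC
        return to_cocoa(datetime(2022, 1, 10, h, m, s, tzinfo=timezone.utc))
    rows = [  # constructed sample records, not real case data
        ("/device/isLocked", None, 1, t(14, 0, 0), t(14, 29, 40)),
        ("/device/isLocked", None, 0, t(14, 29, 40), t(14, 33, 0)),
        ("/display/isBacklit", None, 1, t(14, 29, 38), t(14, 33, 5)),
        ("/app/inFocus", "com.apple.MobileSMS", None, t(14, 29, 45), t(14, 31, 10)),
        ("/app/inFocus", "com.apple.mobilesafari", None, t(14, 31, 10), t(14, 32, 50)),
        ("/app/inFocus", "com.apple.Maps", None, t(13, 50, 0), t(13, 55, 0)),
    ]
    db.executemany("INSERT INTO ZOBJECT (ZSTREAMNAME, ZVALUESTRING, ZVALUEINTEGER,"
                   " ZSTARTDATE, ZENDDATE) VALUES (?, ?, ?, ?, ?)", rows)
    return db

def activity_around(db, when, window_s=30):
    """Records whose [start, end] interval overlaps when +/- window_s seconds."""
    lo, hi = to_cocoa(when) - window_s, to_cocoa(when) + window_s
    marks = ",".join("?" * len(STREAMS))
    cur = db.execute(
        "SELECT ZSTREAMNAME, ZVALUESTRING, ZVALUEINTEGER, ZSTARTDATE, ZENDDATE"
        f" FROM ZOBJECT WHERE ZSTREAMNAME IN ({marks})"
        " AND ZSTARTDATE <= ? AND ZENDDATE >= ? ORDER BY ZSTARTDATE",
        (*STREAMS, hi, lo))
    return [(name, text if text is not None else num,
             from_cocoa(start).isoformat(), from_cocoa(end).isoformat())
            for name, text, num, start, end in cur]

INCIDENT = datetime(2022, 1, 10, 14, 31, 0, tzinfo=timezone.utc)  # constructed time
if __name__ == "__main__":
    for record in activity_around(build_sample_db(), INCIDENT):
        print(record)
```

On real evidence, run a query like this against a verified working copy of the database, never the original, and record the timezone used when reporting the converted times.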
The Expo Hall
Co-located with the Counter Terrorism Expo at a small hall within the massive ExCeL venue – which hosts some of the largest shows on the calendar, including both InfoSec and ComicCon – FEE saw both digital and physical forensic science vendors showcasing their wares, with some new vendors joining the exhibition.
The show’s most significant announcement: Exterro’s* launch of its Azure cloud-based evidence analysis and management platform. Together with West Midlands Police, Si said: “They’re allowing interfaces from assorted locations and are – admittedly still in a proof of concept way – processing cases through the full lifecycle. It seems that this has been signed off by the Home Office as an acceptable risk (I’m promised that a white-paper supporting this will be issued in future, which I look forward to reading), and it seems to be saving money for the police, although as some of that cost saving is from allowing the use of ‘less skilled examiners’, I have all the same reservations that have been voiced already.”
“[I]t was nice to see the usual contenders of digital forensics (Exterro, Cellebrite, Magnet, Oxygen etc)… it was a good opportunity to catch up with colleagues and professionals within the field,” said Jade, and “a nice change of pace to see other newer organisations, providing a much-needed choice in the selection of digital forensics service providers and tools.”
Among these new entrants:
- South Wales-based EX1-Forensics, founded in 2019. “This company is made up of digital forensics practitioners and consultants, specialising in mobile forensics,” said Jade. “As a company, they also focus on the recovery of data from drones and do restorations of mobile devices [and] have been working towards becoming accredited to ISO17025.”
- Insig2, which has specialized in reselling integrated security and digital forensics solutions, vendor-neutral training, and global services since 2004. “The training is completely customisable to the requirements of your organisation and completing the training allows you to become certified by Insig2,” said Jade. “Insig2, alongside consortium partners, organize OLAF Digital Forensic & Analysis Training (DFAT) for staff working in Law Enforcement agencies.”
- Semantics 21, formed in 2015 and approved by the U.K.’s Home Office. “It was made noticeably clear that the company cares about helping the victims of crime,” said James, “providing free trials, training and solutions to those in need, not necessarily for financial remuneration.” Semantics 21 also offers the Global Alliance Database, which is mainly used for victim identification in indecent images of children (IIOC) cases. Comparable to the likes of Griffeye, said Jade, “with the use of state-of-the-art AI, S21 provides unrivalled functionality and performs far more advanced than other similar tools. Data can be imported from multiple disk images to form connections within a case, motion detection within videos in which you can highlight key areas to focus on and advanced facial recognition.”
Software demonstrations were readily available on the show floor. However, Si observed mainly “incremental” improvements in most of the products and raised concerns around “the prevalence of the hideous term ‘AI’,” noting its “promise of streamlined workflows and the requirements for skilled examiners reduced in preference of an assisted process.”
“As an examiner (and hopefully a skilled one!) I do have reservations about this,” Si said, “some as a Luddite fearing that I’ll be replaced with a machine, others to do with the fact that – contrary to the protestations of the vendors that such results will be ‘passed up the chain for review’ – staffing level may well prevent any skilled review of such results and they will be produced in court as an indubitable fait accompli by people who have no real understanding of the content.”
*Editorial note: Amped, Grayshift, Magnet Forensics, Oxygen Forensics, and Exterro are advertising sponsors of Forensic Focus.
For Future Reference
“Overall, from a Lecturer’s perspective, I believe that FEE 2022 is a beneficial conference to attend,” said Jade, “as it is a good opportunity to see live demos of digital forensics tools, to meet with vendors and explore the possibility of purchasing tools for the use within academia and to keep abreast of current trends within the field.”
Students, she added, would benefit in particular from attending this free event to “see firsthand how digital forensics investigations are conducted and the challenges faced within the field.” Other opportunities include professional networking, “which may be valuable when looking at placements or job opportunities in the future. [FEE] would also be a good place to learn about current trends or challenges faced, to maybe then incorporate them into student projects.”