by Jade James
This article is a recap of some of the main highlights from the Forensics Europe Expo 2019, which took place in London, UK on the 5th and 6th of March.
The Forensics Europe Expo has now run for seven years and is co-located with the Security & Counter Terror Expo at Olympia London. The expo has truly established itself as a must-visit event, with 2,500 professionals visiting exhibitors, attending seminars and workshops, and of course networking over the course of the two days.
The Expo offers visitors the opportunity to experience first-hand innovative and cost-effective solutions in the field of digital forensics and the more traditional wet forensics, provided by over 60 international suppliers. As well as the educational features, where you can watch live demonstrations, there are also workshops on topics ranging from drone forensics to digital evidence management. All seminar sessions are CPD accredited.
Key speakers included Brian Cusack (Director of the Cyber Forensic Research Centre, AUT University) talking about making sense of international standards in digital forensics; Gareth Davies (Academic & Cyber Consultant, University of South Wales) giving a talk on ‘Vehicle Data Forensics on Unsupported Systems’; Dr Gillian Tully (Forensic Science Regulator) talking about ‘Quality Standards in Forensic Science’; and Martin Parker (Chief Scientist, National Ballistic Intelligence Agency) who gave a talk entitled ‘NABIS: A Ballistic Focal Point for the UK’.
The Forensics Europe Expo is an opportunity to showcase industry developments and innovations in digital forensics.
Amped Software launched a new product at the Expo: an enhanced video player for modern policing. Replay allows users to analyse video evidence in the early stages of an investigation. A more in-depth review of Replay will be published on Forensic Focus shortly.
SecurCube PhoneLog by SecurCube is software used for phone records analysis. They have launched an academic project which aims to supply SecurCube PhoneLog technology to existing academic partners’ labs, creating a learning and training programme.
Compelson Labs launched their MOBILedit Forensic Express PRO version, which is able to extract deleted data from phones and applications, including call history, contacts, SMS, MMS, photos, and video data from apps such as Facebook, WhatsApp, Viber, and Signal. This software is used by governments, police and law enforcement, the FBI and investigators worldwide, and it is regularly tested by the US government’s NIST lab.
OpenText informed visitors about future updates to be included on the TX1, consisting of a lock screen, with which users can apply a PIN to the TX1 to ensure that unauthorised users are unable to gain access during the imaging process. Another feature to be included is the ability to power down drives: after a length of inactivity set by the user, the source or destination drive would power down in order to save energy and extend the life of the drive. There was also a suggestion of enabling the TX1 to have more compatibility with EnCase, and of further enhancements to triaging, such as being able to preview documents and pictures directly from the TX1.
Magnet Forensics are now officially partnering with Grayshift, and GrayKey is now available for purchase directly through Magnet for law enforcement agencies only. Magnet maintains that they are the best solution for processing GrayKey images using Magnet AXIOM, although Cellebrite and BlackBag Technologies’ tools also have the capability of processing GrayKey images.
The Forensics Europe Expo is free to attend once you have registered; however, those who pay to attend gain access to the FEE conference, which was produced by Digital Forensics Magazine this year. The conference focused strongly on artificial intelligence in digital forensics; drone data analysis; digital forensics as applied to vehicles; and the challenges presented by the introduction of digital forensics international quality standards.
Day one was dedicated to future challenges for those involved in digital forensics and digital investigations. Professor Brian Cusack delivered a talk outlining the inter-related agreements for evidence exchange and delivering a roadmap for standard information access and optimal use. Scott Zimmerman talked about the challenges of gathering evidence from multiple remote systems, including social media and the dark web, and used a couple of case studies (the Target store credit card breach and Fero v Excellus Health Plan Inc.) to demonstrate this.
Dr Raffaele Olivieri talked about the contextualisation of data collection during digital forensics analysis and overcoming the challenges of working with high amounts of heterogeneous data or ‘Big Data’. He also discussed the introduction of AI to aid the processing of such data. Zeno Geradts presented Artificial Intelligence in Digital Forensic Science, assessing the current state of AI and its role in systems from AFIS (Automated Fingerprint Identification System) to digital forensic software. Within the digital forensics community there seems to be a drive towards automation, to process large amounts of complex data using AI with minimal user intervention in order to save time and effort in manual investigations. The DigForASP group was also introduced: it aims to create networks to explore the potential for applying methods of artificial intelligence and automated reasoning in the digital forensics field. Membership in DigForASP is open to research groups from universities and other organisations working in the areas covered by the group.
Gareth Davies’ talk focused on vehicle forensics and showed attendees how to approach a vehicle from a digital forensics perspective. There was also a summation of the range of different infotainment systems from popular manufacturers and an exploration of the data extraction methods and data types that can be used as digital evidence. On a similar topic, Gabriella Ahmad-Assalemi talked about driver attribution for digital forensics investigations on connected cars. As it becomes more common to be able to extract and analyse a wealth of digital information from cars, such as recent destinations, favourite locations, routes, and personal data (e.g. call logs, contact lists, SMS messages, pictures, and videos), vehicle forensics is becoming a more prevalent branch in the field as a whole. The challenges can be attributed to the lack of extraction tools that support the different file types of the proprietary infotainment systems. Manufacturers are reluctant to provide their specifications to vendors in order for them to update their tools sufficiently.
Day two set out to explore the wider forensics process, from laws and standards to new techniques and innovative technologies being developed across the world. ISO 17025 is a quality standard which has become a requirement of all UK digital forensics laboratories, in order to regulate the quality of digital evidence being submitted into the criminal justice system. Dr. Gillian Tully discussed quality standards in forensic science and offered best practices and suggestions on how practitioners can deliver the best quality of forensic science to the criminal justice system.
Throughout the day alongside the conference agenda there were workshops which were free to attend. These focused on the demonstration of tools from exhibitors.
Stuart Hutchinson from BlackBag Technologies kicked off the first day with a talk on APFS Forensic Analysis. New releases of MacQuisition and BlackLight will now be able to acquire and analyse encrypted APFS devices, including those that have encryption set by default and/or contain the new T2 hardware-assisted encryption chips.
Tanya Pankova of Oxygen Forensics discussed the use of Oxygen to extract WhatsApp data from a locked device using a WhatsApp QR token from a PC. The talk also guided attendees through the process of WhatsApp decryption on iOS and Android devices, offering the alternative method using a phone number. It was interesting to note that although WhatsApp offers end-to-end encryption, the media items on WhatsApp are not encrypted.
AccessData gave a talk on drone forensics and the investigation of unstructured data (which does not have a predefined data model) using their Quin-C laboratory platform which boasts deep machine-learning capabilities. Points to note: not all drones have the same artifacts and data is stored at various locations including onboard flash, removable storage and volatile memory.
Also on the theme of drone forensics, MSAB’s Paul Baxter gave a talk on how to extract and examine data from drones using XRY Drone and XRY XAMN, and announced the introduction of ‘The Drone Code’: UK legislation which states the changes to the restrictions on flying drones near airfields from 13 March 2019 onwards and the new amendment which states that you will need to register as an operator of a drone. There were also mentions of multi-rotor vs fixed wing components; drone + ground control, camera (sensor/servo) and mobile device/tablet. Data extraction can be achieved through direct USB connection; camera data can be extracted from SD cards (which can sometimes be internal); and data from the mobile device linked to the operation of the drone can also be extracted.
Oleg Afonin of Elcomsoft gave a very interesting talk on iOS forensics. Visitors were presented with an overview of the entire iOS forensic workflow, including iOS 12, and how USB Restricted Mode (RM) affects the ability to extract data. Things to consider when handling iOS devices are as follows: if you turn off an iOS device, you will lose the encryption key which is stored in RAM. Handling iOS devices incorrectly can kill your investigation (for example, attempting to guess the passcode or using Face ID will waste 1 out of 5 attempts you have to unlock the device). Since iOS 11.4.1, USB restricted mode engages one hour after the last unlock state. From iOS 12 onwards, USB restricted mode engages immediately, and will automatically engage if a user has not connected to a trusted device for three days. It was also useful to learn about settings which are affected by USB restricted mode, such as lockdown records and passcode recovery (although Grayshift claims to bypass USB RM). Unlocking a device using biometrics is unavailable after a cold boot, therefore the passcode will be necessary. Furthermore, we were given information about what happens when you reset all settings on iOS devices. The following settings will be erased: display brightness, display battery percentage, all Wi-Fi passwords (but not any passwords or tokens which are stored in the keychain), com.apple.wifi.plist and the iTunes backup password. All existing lockdown (pairing) records, data and all keychain items (except Wi-Fi) are preserved.
As well as the conference and workshops there were over 60 exhibitors to visit, of which 25 were specifically related to digital forensics. The Forensic Focus stand had a lot of visitors interested in learning more about the website and gaining access to resources, and it was nice to see familiar faces within the digital forensics community. At the end of the first day of the Expo, networking drinks were held in the VIP and Delegation lounge, where many visitors gathered and discussed events from the first day.
The Forensics Europe Expo is a good opportunity to gain information about the latest trends and innovations within digital forensics. It was also the perfect opportunity to reach out to vendors and have live demonstrations of tools which are used in investigations (and pick up some goodies, including free trials of software). I was given live demonstrations of BlackBag’s BlackLight and Amped’s Replay. There is definitely a lot to see and experience even as a free visitor.
The next Forensics Europe Expo will be held at the London Excel from the 19th to the 21st of May 2020. Keep an eye on the official website for details.