There are a number of current and upcoming trends on the digital forensics horizon. Here at the beginning of 2017, Forensic Focus was able to connect with Jamie McQuaid, Forensic Consultant at Magnet Forensics (or McMan on the Forensic Focus forums) to discuss some of the trends he is seeing and how technology will work to address them.
Tell us a little bit about yourself, your background and your current role at Magnet Forensics.
I’m Jamie McQuaid. I’m currently a Forensics Consultant at Magnet Forensics, where I act as a subject matter expert for the organization, helping out various teams writing blogs / hosting webinars / speaking at conferences, helping our dev team build out products. I am lucky enough to be able to spend time with our customers as well, helping them problem solve, working with them to identify useful new features, and listening to their feedback on our products.
A lot of what I do at Magnet Forensics draws on my experience as a Corporate Investigator at BlackBerry. During my time there, I was involved in a number of investigations around employee investigations, IP theft, malware, intrusions, etc. I have my degree from the University of Toronto and an Advanced Diploma from Fleming College in Computer Security & Investigations.
What drew you to Magnet Forensics?
Well, first and foremost, I was a user. I was familiar with Magnet Forensics and its products. Magnet Forensics’ mission – to be a partner for law enforcement and to empower forensics professionals to find the truth – was, and still is, very compelling to me. I also knew that Magnet Forensics had a good reputation in the forensic community, so when an opportunity arose to join the organization, I was really intrigued. Being an internal resource and a subject matter expert was a very different and exciting opportunity for me.
Some of your recent talks have focused on a couple of different topics – chat apps and browsers. Why are those important areas to focus on?
A nice part about this role is that I have time to research the latest artifacts and trends that forensics professionals are encountering. I also find that a lot of examiners / investigators reach out to me about apps they are seeing in their investigations, which helps us prioritize what gets added to Magnet AXIOM.
Chat apps are always a hot topic since they almost always give good insight into the person being investigated. Lately, I have focused my talks on encrypted chat apps or ones that may cause challenges to examiners. With the rise of “privacy-focused” chat apps being used criminally, making sure examiners have the information about what to do when they encounter these apps is really important.
Browsers are in almost every investigation, so their importance and the interest in them is consistent. Any computer or phone will have some form of browsing history that might be important to an investigation. But there are so many browsers out there and a lot of valuable investigative data that can be used in many investigation types. Browsers can now sync history between devices, and examiners need to understand that just because the history is on a suspect’s computer, doesn’t mean that the suspect actually browsed there on the computer (they might have used their smartphone).
One of the recent updates to Magnet AXIOM included the ability to find and examine artifacts like Nest, Amazon Echo, Fitbit and Pebble watches. What does the world of IoT mean for Forensics?
IoT is a big topic in security and we get asked quite a bit to help examiners understand what might be found on those devices.
Our research found that most of the data isn’t necessarily on the devices themselves, but on the mobile app associated to the IoT device, which often allows the user to control the IoT device remotely. The support we’ve added for those apps reflects that. Pulling the data from the phone can help correlate other information you might have about a user. Timestamps, geolocation, etc. are goldmines to examiners trying to understand what a user was doing at a particular time, or where they were. These devices help supplement your investigation with more information about a suspect’s actions or activities.
However, just like any other investigation, the biggest challenge is “putting the person behind the keyboard” and saying that they were the ones who actually performed the action, so the more information you have that can prove that, the better.
How does IoT impact people’s interest in cloud data?
Cloud data is a challenge for any investigation or artifact, not just IoT. We’re seeing a lot of chat apps starting to store data in the cloud and delete history from the device so instead of getting a year’s worth of conversations, you get only a week’s worth, but the rest is stored in the cloud and only pulled to the device when it is requested through the app.
There are also legal challenges to accessing data stored in the cloud (each country has different laws, etc.). Just because a phone can automatically log into the user’s Facebook account or Gmail, doesn’t mean that the examiner has the legal authority to look through cloud data. It may require a separate court order and / or may even be against the terms and service of the app / service.
What keeps you up at night in terms of trends in criminality that impact forensics?
Technology moves at a rapid pace. As forensic solution providers, we have to try to keep on top of constantly changing app versions, OS versions, browsers, new apps, new fads. And to be frank, the people using all of these apps and devices for criminal activity are becoming more and more tech savvy. How do we use our products and expertise to help law enforcement stay ahead of these people, or find them more effectively?
We also have to be aware that the amount of data, the amount of storage and the number of devices out there in the world is growing exponentially, which means every case has the potential to need digital forensics. Our customers are dealing with this more every day – case backlogs potentially growing, a lack of resources to get through it all, so we continually ask ourselves, “How do we help? Let’s look at these problems from new angles – where our products and future products can be effective tools and where can we be an effective partner?”
A few other trends on our minds are P2P apps, privacy versus security, and the personal privacy apps and settings that are out there now.
How do we solve those problems? How much will be solvable by tech?
I believe that Magnet Forensics can be a true ally in this with law enforcement. We are looking at ways to drive efficiency. We want our solutions to help examiners – let’s get them to the analysis stage quickly, but carefully. We know that analysis will take the longest time, so can technology handle the processing and acquisition more elegantly? I think AXIOM is an incredibly powerful way of automating that processing stage and then providing tools for deep dive analysis. Next we have to look at how standardization and repeatable processes can be handled by software with minimal effort from examiners.
I think too, we will have to look at new ways of collaboration and bringing all stakeholders together faster to move these cases through.
What are the next big apps?
We’ll continue to see new mobile chat apps become popular, as they’re always changing, same with social networking and dating apps. There may be new ways of communicating. Are youth moving to apps that have social aspects built into them, but serve another primary purpose – like Musical.ly? What about encrypted communications apps?
We spoke a bit about IoT, and as more and more “things” are connected to the internet, we have to keep an eye on the potential for stored information that could be relevant to investigations. I think the apps will be the most important component, but you may see one or two actual “things” that examiners will need access to – so how will we connect those items to forensic tools?
P2P activity on phones has come up a lot recently. The sharing of illicit images/child exploitation material has evolved to mobile devices and live streaming, so that’s another area we keep a focus on. Earlier this year, we added support for Uber and I think there are a number of shared economy apps like Uber, or AirBnB, or Lyft that could hold some interesting information.
How is Magnet Forensics addressing these issues?
With the launch of AXIOM, we now typically publish updates every month to stay on top of the latest software versions and new artifacts, as well as responding to feature requests and innovation that we are building in. The response to AXIOM and our way of keeping it robust and up-to-date has been really positive. Our users really appreciate it.
More broadly, it really is important that we constantly connect with our customers and keep our ear to the ground, learning from examiners and understanding what they’re seeing in their investigations. At that point, we need to continue to be agile and quick when it comes to reacting to those needs and the features that are important to them.
Our mission has always been to empower digital forensics professionals. We will continue to look at technology and find the right opportunities for technology to be a partner. At the same time, we are always aware that there is a line between what technology can do and what only a human (and forensics expert) can do.
This will be an interesting year for technology in the forensics space. How can we use automation to improve efficiency or to align resources? How can we simplify collaboration? How do we continue to add to our current tools to remain a trusted and credible source for our customers? I think the industry will be intrigued to see how Magnet answers those questions.
Magnet Forensics provide digital forensic solutions to law enforcement agencies and corporate clients around the world. In 2016 they launched AXIOM, an upgrade to their popular Internet Evidence Finder product. You can find out more and keep up to date with news on magnetforensics.com.