Jessica, can you introduce yourself and tell us a little about what you do?
Sure. My name is Jessica Hyde. I’m the Director of Forensics at Magnet Forensics, USA. I also am an adjunct professor at George Mason University, where I teach mobile device forensics in the Computer Forensics program.
My background is I started off in the Marine Corps, and I served six years there, discovered that I really liked engineering, went after an engineering degree, and then when I went into the workforce I actually started doing work in a reverse engineering lab, which led to doing mobile forensics, which led to me deciding to study computer forensics and get a Master’s in computer forensics. While I was working in mobile forensics, I was specializing in devices that were damaged, so I was doing chip-off and JTAG on almost everything I saw every day. So I really got to do a lot of low-level forensics – parsing, raw hex, and proprietary file systems in the beginning. Then, I wanted to get a little more well-rounded, and I began working in the corporate sector, worked for Ernst & Young, and did traditional computer and mobile device forensics there, as well as some incident response. And then, from there, went on to go back into the contracting world, where I led a team that did mobile device forensics, and my specialty there was in parsing data in applications that weren’t supported by commercial tools. So I spent most of my time recovering new types of apps and finding new data that the nefarious actors were using.
And then, from there I came to Magnet Forensics a year ago, where I’m now the Director of Forensics. It’s a great position, because I get the opportunity to work with the product and development teams as well as the customers, and try to deep-dive into some of the problems that we have as forensics examiners, to try to come up with unique solutions to them. And I also get to still help customers with cases and their issues that they see, so I still get to feel relevant. And at the same time, I get to do a lot of research into new artefacts, which is really where a lot of my passion lies. And I still try to keep current on the mobile side through teaching and always updating the curriculum for the mobile device program in the Masters program at GMU.
So you have a background in pretty much every aspect of forensics, and what’s very interesting is that you did case work and then went and got your degree. I think that’s actually a really interesting pathway – a lot of people are doing the opposite thing right now.
Well, it’s interesting, because at the time I came into forensics, there weren’t really computer forensics programs, so you had a variety of backgrounds. You had people who were coming from engineering, and then you had people who were coming from traditional law enforcement and traditional forensics, and all converging on the field, which I thought was great, because it was such a wealth of perspectives – which are still there – and it’s interesting to see how those different skillsets attack problems from different methods. And I think having diverse teams with diverse skillsets actually leads us to the most novel forensics solutions. And I think it’s great now that, to add to that same mix of those different backgrounds, we now have people who are coming into the field that are actually going to school specifically for computer forensics and learning this as their core curriculum.
You talked a little bit about specific applications and artefacts in your talk here at Techno Security. Is there any more of that information that you could share?
Sure. The presentation that you’re referring to had to do with vault apps and security apps. These are apps that are oftentimes downloading images, media etc. to a secondary vault on the mobile device, and in many instances, we’re still able to recover the artefacts from this. Even some instances where the data may be encrypted, a lot of times, we can still get the metadata or proof or the path that the items were downloaded to the vault.
But there are also some concerns for investigators and first responders as they handle the devices, because oftentimes, these vault apps have the ability to put a passcode on the application, or on the device itself, a security lock. And when the wrong passcode is entered, they can do several things, including sending pictures back to a specified email address or text, notifying somebody of an “intruder selfie”. Alternatively, some of them actually turn on recording and broadcast what’s going on in the space, or save that to the device, or send it out over email and text. And some of the apps will actually send you to a decoy vault that uses non-nefarious images and pictures, such that it seems like it’s normal content. But then the real vault is hidden under a secondary passcode.
How prevalent are these apps in some of the case work and investigation you’re doing?
We’ve gotten several customers who have reached out to ask us where images that we were carving were coming from. They weren’t jpegs, they weren’t standard image formats. They were things like .cms files, which actually come from Cheetah Mobile, and the images were still being carved from within them.
For Cheetah Mobile specifically, there’s 22 million downloads of this application. So while it has completely benign uses, such as advertising itself as a piece of software that can be used for security and for reducing viruses through a virus scanner, it also has this app vault where it can actually send back intruder selfies and store images, so that when they’re downloaded directly from the internet, they go to the vault instead of the regular gallery.
I think it’s incredibly important for people in the community to know that they too need to be careful about their own security.
There’s nothing potentially worse than going to court and explaining why your own picture, as a forensics examiner, is in the evidence.
Can you tell me a little bit more about other challenges that you see that we’re facing as a digital forensics community?
Well, there’s the two big ones that I think everyone would point to, which is both increased use of encryption and different types of encryption, as well as the storage of data on cloud. Specifically in the mobile world, we’re getting less and less data stored on devices and more stored on cloud, and in some ways, cloud is accessible, because depending on your jurisdiction, you may be able to use a warrant to get information. However, different jurisdictions have different rules, and there’s not really good case law everywhere about if you have the tokens and the credentials, are you authorized to download that data from the cloud to analyze it?
So, a lot of times, we’re being stopped by not knowing or by the differences in legal precedent that does not yet exist in different jurisdictions. So beyond even the technical aspect of dealing with cloud data is the legal aspect of who can look at it and who can obtain it, and is there a difference between if we use username and password to pull down the data or if we use the token that was recovered from device? Is the token that was recovered from the device at issue, or less of an issue because we’re not impersonating the person, we’re impersonating the device? Is there an issue when we use the username and password, about impersonating the person? And then, for cloud-stored data, we may have jurisdictional issues when we try to get the data from the cloud vendor based on where they may be geographically worldwide as compared to where the case took place. So because of those challenges that aren’t even technical, I think cloud is a big issue.
We also have more Internet of Things-type devices. I’ve been working with Brian Moran this year doing a lot of research into the Amazon ecosystem. I’m excited about a presentation we’re giving at SANS DFIR on that. [This presentation has now taken place and can be found on YouTube and as a PDF.] And finding the different places where data resides. And what is the difference between the data that resides in the cloud versus on the application on the phone, versus on the actual hardware of the IoT device. So we’ve actually gone into all three levels to see what we could recover there.
From the technical perspective, do you think we’ve moved from the server room to the boardroom? Will this help us to move forward in the future?
Well, one of the great things that I’m seeing is – years ago, doing mobile forensics, we dealt with a wide variety of proprietary file systems. Now that’s what we’re seeing in IoT, in vehicular forensics, in infotainment systems, but when we’re looking at mobile, we’re now coming back down to common denominators. Most devices you’re going to run into in the field are iOS or Android devices, and in most cases now, we’re getting to the point where we need to be accepting of a backup as our type of data over full physicals.
What winds up being great about that is that we begin to have a little more knowledge about what is stored and how it’s stored, and we become more proficient in these, as these are the most used devices, so we no longer have as much segmentation amongst the market, and it becomes a little more similar in that respect to traditional computer forensics, where we have major operating systems and there’s less changeover. Although apps become the issue then in the mobile world, because apps are constantly updating and operating systems are updating as well more regularly.
For your customers or the people that you’re dealing with in your cases, what are some of the most urgent needs that they’re coming to you with?
Well, I work at Magnet, so a lot of our focus in Axiom and throughout IEF has always been parsing of specific artefacts. So a lot of the challenges that I hear from customers are for support for new and changing apps – “This app was supported yesterday, it just got updated. When will you have support out for the new version?” The same thing with changes to things like iTunes backups, because we also do recovery. But one of the questions that I get is “How was this data recovered and how was it stored?” So a lot of times it feeds back to the validation piece.
And there’s also lots of opportunity for examiners to do things like write their own artefacts and do manual parsing to figure out everything that the commercial tools are missing. Because a lot of questions are about “I believe that this was in use,” or “I have evidence that this is what was being used to communicate, and I ran it through tools x, y, and z, and I’m not seeing the results for the application I expect.”
So it’s getting down and doing that deeper forensics, looking and seeing what was actually installed on the device, and then finding the applicable files, creating test data, doing the testing, figuring out how the data is stored, and doing that deep-dive forensic work. And a lot of the questions come from the “I suspect this and I don’t see it,” and then helping them find it, and then writing the tools to be able to parse those applications.
Magnet as well as the other vendors tend to be really good at supporting the most popular and the most prolific apps. But we don’t necessarily know what app or program a specific nefarious actor or group of nefarious actors is going to turn to. And it’s possible that they’re turning to these applications to evade law enforcement.
For you personally, what’s your favorite stuff to work on?
Right now I’m really enjoying getting into hardware attacks to get onto devices that are unsupported through software attacks. So I’m really into trying to come up with methods of using ISP and JTAG to get data off of devices when the other methods don’t work. One of the problems with this is going to be encryption as we go forward, because chip-off is not going to help you with disk-encrypted devices. But when you do have PIN code and passcode locks and you can get power on a device, and there isn’t an alternative boot or recovery mode, or bootloader mode to get in, there are opportunities through hardware attacks, and I don’t think we should take those off the table. So I like researching those, because they’re not as prolific. Getting a new soldering iron is a fun way for me to spend the week.
And finally, when you’re not working, what do you like to do in your spare time?
I do try to spend time with my family and enjoy time with my children and my husband. But when I’m not with them, this really is my hobby as well. I enjoy what I do. So if I’m working on one type of thing for Magnet and I’m working on one type of thing for the university, sometimes I just have something else that I have a little bit of passion for that I want to do on the outside. And sometimes that’s a little more of the hardware attack type work to try to recover data from other devices. That’s fun for me, because it’s not necessarily what I’m doing day in and day out, even though it’s still in forensics.
Jessica Hyde is Director of Forensics at Magnet, who work on cases from child protection to counter terror and everything in between. Their products and solutions use AI, automation, advanced searching techniques, modern data visualization and more to help investigative teams find digital evidence and understand the story it is telling. Find out more on their website.
Forensic Focus interviewed Jessica Hyde at the Techno Security & Digital Forensics Conference in Myrtle Beach, SC.