Hi, I’m Jaehyeok Han from South Korea. I’m going to talk about data acquisition from web-based services without a password, and for that I used credential attacks. Before the presentation, I’d like to express my appreciation for this opportunity to show our study. These are the contents I’ve prepared.
So first, the motivation for the detailed forensic investigation. Essentially the data was acquired from the device, since all the data should have been stored in the internal storage of these devices, but with the growing interest in privacy, we are commonly using online services. So we used [them] to upload and save our files on the cloud. It means that the client-centric aspect is now stored on the server side.
Mostly we use both an ID and a password to log in to a service. But in this study, for bypassing this process, we used credential attacks such as a cloning attack or a cookie replay attack. As a contribution of this study, first we tested 14 popular services and the measures we would have to take to acquire as much user data as possible.
Secondly, we discussed the security measures and features. For the credential attack, we wrote something modelled as follows.
As a first step, we collected available credentials from the given device and then tested security measures. We found some weak points in each service after several rounds of trial and error. In the end, we did bypass and acquire data, as we intended.
We tested all these services. They are categorized by cloud storage, messenger and phone, as an experimental measure to acquire lots of files uploaded by the user, and here is their history. As an example, there are documents, pictures, chat logs, etc.
In this slide about discussions, frankly speaking, I need to talk a lot, while I’m just going to mention the first listed thing. Multi-factor authentication: this methodology grants access to a service only after perfectly presenting other factors, but in our results, even if MFA had been set, our effect was warped so we could have access to the target users’ data. Others also support for security.
However, there was no problem getting data on the server side. In conclusion, we thought that collecting only from the device was one limitation of traditional investigation. So we tried to get a more cloud-native aspect, and we did it, but as you know, the world is changing, thus it is necessary to identify online services’ security measures and features continuously.
Since I have only five minutes for the presentation, I presented briefly; compared with the official paper, I couldn’t show enough of our material. If you have any questions, please contact me by email. Thank you for listening.
Hello, this is Keith Lockhart from Oxygen Training, and this video is going to discuss the KeyScout application.
The KeyScout application is one of the tools available in the tool suite concept of the Forensic Detective product. KeyScout is a standalone application that can be run locally or on the go; we’ll look at the use cases of those last two bullets there, and we’ll discuss both of those use cases.
But to talk about what KeyScout is and does, we have to venture down the road we do in the boot camp course, about using your powers for good. So KeyScout allows a user the power to search through and collect information that might possibly be information that could be protected in some shape or fashion by the operating system; by legality in the jurisdiction of use; by morals; by anything.
And when I show you how KeyScout works, especially in the use case of On The Go – meaning we’ll take an on-the-go device and put the KeyScout application on that device so it can walk around with us and collect data wherever we might be and bring it back to the lab – you really need to start thinking about what you’re doing, and what you might be collecting, and how that might or might not be a good thing.
So, it’s a tool. I certainly don’t want to deprive anybody of the capability to do this, but I will say: use your powers for good. Don’t get yourself in trouble. This could do some scope creep, in terms of what you have access to or not.
However, when you’re in the position to need this information, it is a vital tool for the toolkit. I mean, this could be a time-sensitive, life-saving, “Wow, we need to get some data from this account right now, we don’t know the credentials, however the percentage of success of what we can do goes up greatly if we can get to a machine, run KeyScout against it, and possibly get the credentials back that we need.”
Or maybe some email information, or browser information, or iTunes backups if we can get to the box where we might not have the phone but we have a backup of it. KeyScout allows all kinds of data collection, and we’ll explore that as we move on.
So we’ve sort of already touched on the information gathering component. When we use KeyScout, its whole job is to search. We can configure how that search is going to go; provide different parameters; different depths of search – maybe we don’t have a lot of time; things we save from the search, we can limit that and maybe just doing a smash and grab, so we need credentials really quickly. Or maybe we’re digging through all the media hooked up to a particular machine, to try to go find backups or artifacts or mail, or things that KeyScout will gather for us whilst running.
Important for us to know: the OCPK file, the Oxygen credential package. One of KeyScout’s primary functionalities is to feed the Cloud Extractor. Now what I mean by that is: when you’re trying to access cloud-based data, and need credentials to supply the cloud account, KeyScout is what gathers that data for you from a machine.
Or, as you’ll see inside Detective when you finally pull extracted data into a case, the accounts and passwords section is the same information that would be contained in an OCPK file. You’ll see a button in the tool called ‘Export to OCPK.’ We’ll talk about the way you’d do that and what that means. But this is the literal ability to grab the account data to feed the Cloud Extractor.
Or if you’re gathering lots of other data in a grander fashion, with much more space to be taken up, the Oxygen Desktop Backup might contain email archives; iTunes backups; browser artifacts; there’s a whole plethora – there’s our big word for the day – of tools, or areas that KeyScout can collect from.
And this ability, these options to collect from all these different areas, is a 12X version of KeyScout and higher. So if that’s new to you, pay particular attention as we go through this video, and know what you have in front of you when you upgrade to the new Detective.
OK, so to round this conversation out, listen, you can run KeyScout in the lab, which means the use case would be: if you have a target drive that you could mount virtually – you know, a VHD or a VM session, something like that – assign a drive letter to it, you can launch KeyScout against it like it’s a running machine.
Or if you’re out in the field – in a cave, I don’t know where you are – you need the ability to run against the machine right in front of you, whip out that USB drive with KeyScout on it, collect all kinds of things back to that USB and get back to the lab.
OK. Let’s see how this works.
We’ll access KeyScout from the Tools menu of our home screen in Oxygen Forensic Detective. You’ll see you’ve got two options here: Launch KeyScout, and Add KeyScout to removable media. Let’s just discuss those quickly, because each one is relevant to the use cases we just talked about.
Launching KeyScout from here almost seems nonsensical, because you really wouldn’t want to go install Detective on your target machine just so you could run KeyScout. So it’s great for a demonstrative purpose, it’s fantastic. However, the real-world use case is: mount that target drive on the same box as your Detective box and you can hit it as a drive letter and collect just like before.
Or you can add it to removable media, like an on-the-go device or a USB drive that we talked about, you can have in your pocket or your go kit. And that’s as simple as hitting the link, navigating to the drive that you want to save KeyScout to.
OK, I’m just going to go ahead and run it from here, like we talked about, from a demonstrable perspective.
OK, so when the interface starts you can see we’ve got a couple of options off the bat. One is in our Settings. It could be that we want to add particular passwords to help us break other password things open, like a keychain; or tell the tool to search different places or exclude different places than are the defaults.
And, specifically new to the 12 version, are all these selectable tools, applications that we can collect data from or not. Again, depending on your situation. If you’ve got a lot of time, got a lot of space on your USB drive: OK. Or you’re in smash-and-grab mode, and you only need Skype. Or only Firefox. These are all selectable boxes.
And then we can read the About and the Help. And I just want to show you in Help for a second, an early quick synopsis of credential and application data that we can go after, including operating systems we can do, and then a couple of command line options if you want to get crazy during your KeyScout implementation. That’s accessible from the Help.
OK, let’s have a look at the Search. So if we click on ‘Search’ you can see we’ve got several options available to us. ‘Custom’, where you could enact some of those settings that I talked about a minute ago; but there are some defaults: Fast, Optimal, and Full. And you can see a little description of what those are doing underneath.
Let’s see how this works. I’ll click ‘Fast’ and start the search.
KeyScout takes off against the live drives on this machine, and we’ll fast-forward a little bit in time to get to the end of it, and we’ll see what KeyScout comes out with on the other side.
OK. My results are done: three minutes and fourteen seconds checking 96 directories by default. I didn’t make any changes to the settings.
And what did we get? Oh boy. 133 passwords and four tokens. That’s bad all by itself. Out of five different applications, 261MB of data – we’ll have a look. One backup found, that’s 12.5GB. Huh.
Well, let’s look here: Passwords and tokens. Wow. Well if we just have a bad look at all of the autocomplete passwords and account information on here, this is probably… yeah. Let’s just not spend a lot of time here.
OK. But if we look at the applications – hmm. I’m not a big Internet Explorer guy; it stands to reason there’s nothing there. I am a Chrome guy, which is why there’s 50MB of data there. I do some Mozilla stuff; there’s 31MB of data there. I’m a Skype guy – lots of data there. And Windows Mail. Well, this is just crazy. Hmm.
If I have a look… well, I’ve got FTKJedi account information for Skype; Slylock account information for Skype; that’s in my Google. Yeah, all kinds of internet browser based data.
Let’s see: Internet Explorer, nothing there. But the ability for KeyScout to go out and grab artifact data from all these locations – including, in this case, Windows Mail – we’ve got a Unistore database out there, there could be PSTs; who knows what we’re going to find?
From a backup perspective: that’s my backup of my iPhone 10, 12.5GB. Notice, though: tickbox. Alright? All of these are boxes, available for ticking or not. What are you trying to export or save out, or not? Again, all selectable. If you’re in smash-and-grab mode I probably would not take the iPhone backup, and I probably – well, it depends on what you’re after – if you don’t do all this and just take their credentials, you’ll have that OCPK file, that credential package, that lets you take this autocomplete username and password, or the token if we have token recovery, and feed it to the Cloud Extractor.
But if you’ve got time – maybe, who knows what you’re doing? Select it all.
Put the backups out there, get it out there, and you’ll have that Oxygen Desktop Backup. Takes a minute to save because of all the size, but again, up to you, based on your preference and what you’re trying to get done.
You can see a log of everything that was searched through.
And that’s it: my search is over. I could go back and run another version of the search if I wanted to do it; I could save information out, again depending on your size, space and time – I’m not going to save anything right now.
But let’s look at what happens with our results. Let me cancel that. And I’m just going to close KeyScout altogether at this point and hit my extractions, and let’s see where I have some data that would be OCPK-relevant. How about… Alison’s phone’s a good one. Accounts and passwords.
And all I did was take the Accounts and passwords section, just to refresh. All I’m doing is going to Alison’s phone and using the Accounts and passwords section, where we go and aggregate by account, by password, and then by token capability, everything we can get.
And if you see the cloud icon, that indicates that credentials or tokens could be used to access that data. Look: Extract with Cloud Extractor will send that information straight to the Cloud Extractor; or Save accounts data. And look what it says: Save accounts data to Oxygen credentials package.
A large chunk of analysts’ machines are not hooked up to the internet as a practice. However, somebody is, so if you can’t use this information in conjunction with a Cloud Extractor online, save it out to an OCPK file and give it to someone else who can. And what I mean by that is, just so we have an idea, I’ll just go back to the home screen really quick where I can grab the Cloud Extractor.
And on the main menu of the Cloud Extractor we’ll see the option right there: “Feed me an OCPK file.” Well, it’s probably not that direct as “Feed me,” but it is “Import credentials package.” It’s very straightforward.
And it says “Import credentials file generated by Oxygen Forensic Detective,” which we just saw, “or KeyScout,” which we just saw. If you click that, it’s looking for that OCPK file.
So you kind of get a 360-degree idea of why KeyScout’s here, what it can do, and how it circles back to: listen, if we don’t get it from a target machine, we’re going to get it from a handset. Or a device we pull on Detective. And if we don’t get it from Detective, we’re going to get it from the target machine.
And I think one of the most relevant, or important, use cases we can talk about with this is: a young adult’s missing; their phone is missing with them; we can’t get that. But this is a cooperative recovery effort, so we are given credentials to get into the cloud accounts, where we can go find geolocation that’s real-time for that missing device, which is probably, hopefully, with that missing person.
That’s tried and true. This is a great tool. I know people get leery about scope creep when it comes to the cloud. However, exigent circumstance is not a bad situation. Articulation is not a bad concept. You have the tool available, whether it’s against a mapped drive, or Detective pulling the same information from a handset as far as extraction information. KeyScout capability to acquire that account information, or those web artifacts, or those mails, or those backups: we can’t leave that out of the toolbox.
OK, thanks for spending the time. Hope that’s been helpful. Let us know how it turns out for you. I’ll speak to you later.
Learn more about the Oxygen Forensic KeyScout and many other tools, tips, and workflows with Oxygen Forensic Detective by attending an in-person or online training course. Check the Oxygen Forensics website for course dates, locations and descriptions.
In part one we discussed the importance that data from password managers could play in an investigation. In part two we then looked at what aspects an investigation may include from a digital forensics perspective. We now discuss some of the potential issues that can arise in such investigations and some areas where early consideration may help ease or avoid these issues.
The Computer Misuse Act
In the UK, if you access a computer without the authority to do so, this would likely constitute a breach of the Computer Misuse Act. This means that if credentials such as an email address and password are identified, while it would be possible to use those credentials to collect the relevant data, it still may not be possible to do so legally without additional steps seeking the relevant authorisation.
Court Orders and Other Agreements
Accessing the content of password managers will usually require the use of a master password. When preparing court orders or agreements between parties, consideration should be given to including specific wording requesting the master password to any and all password management programs used. It may also be wise to consider ensuring that cooperation is required with respect to multifactor authentication, as this can be used to protect password managers (and is discussed further below).
Ensuring that such agreements are in writing could become important if evidence from a forensic investigation later identifies usage of a password manager, but it was claimed that none were in use.
Acceptable Use Policies
With the previously noted use of password managers at work, businesses may consider looking to update their acceptable use policies to cover password managers and their content. For example, stating that if password managers are used on company devices, the business has the right to access the data stored by the password manager.
Privacy and the Impact of GDPR
One of the concerns that could be raised with regard to the content of data from password management systems is in respect of privacy.
The information contained within such programs could be considered to contain personal information. Further, it could contain information defined as “special categories of personal data” under the GDPR, which attract additional protections. Such categories of data include racial or ethnic origin, political opinions, religious or philosophical beliefs, genetic or biometric data, health data, or data relating to an individual’s sex life or sexual orientation.
This means that when looking to collect such data, or when looking to word acceptable use policies, agreements between parties or court orders, the relevant legal basis for processing should be specifically considered to avoid the potential of falling foul of the GDPR.
Multi-Factor Authentication
It is worth noting that some password managers have the capability to implement multi-factor authentication.
This means that an additional piece of information is required to access the system in addition to the master password. Typically this is through a message sent to a mobile device.
If multi-factor authentication is set up, and there is no way to access the relevant additional information (such as the code on a mobile device), then it will likely not be possible to access the content. This should be a consideration if the individual concerned is not available, or may not be cooperative.
Summary
In summary the content of password managers can be hugely helpful – whether it be finding additional data sources in investigations, identifying further assets and bank accounts to be checked in an asset tracing case, or identifying bitcoin and cryptocurrency wallets that may need to be considered for a freezing order.
While they may not be of interest in most litigation cases, there are scenarios where their content could be absolutely vital to an investigation.
About The Author
Dr Tristan Jenkinson is a Director in the eDiscovery Consulting team at Consilio. He is an expert witness with over twelve years of experience in the digital forensics and electronic disclosure field and has been appointed as an expert directly by parties, as well as being appointed as a single joint expert. Tristan advises clients with regard to forensic data collections, digital forensic investigations and issues related to electronic discovery.
There have recently been a number of articles discussing the use of common passwords and encouraging better password practices. Most guidance includes the recommendation not to use the same password for different accounts. This makes sense – it limits risk of further exposure in the event that one set of details is compromised. To do this we have to remember an increasing number of (potentially complex) passwords. This is not something that comes naturally to most of us.
One way to cope with having many passwords is to use a password manager. This is a program which you access with a “master password” and it stores all of your passwords for you. The idea being that you only need to remember your master password.
In this series of articles we will explore:
how data from password managers can be important to investigations;
methods that can be used to investigate password managers; and
important considerations when looking to investigate data from password managers.
In this first article we cover the importance that data from password managers can have to an investigation.
Why Data from Password Managers Can Be Vitally Important
There are many different scenarios in which the content of password manager databases could be useful during an investigation. We discuss some of these below.
Passwords
One of the more obvious benefits of password managers is that they contain passwords. Therefore they may provide access to data that has been identified but could not previously be accessed because it was password protected.
Research shows that individuals tend to reuse passwords, or use variants on other passwords, rather than using unique passwords all the time. This means that an investigator could take an export of all of the known passwords from the password manager and create a new dictionary of passwords built from these (and their variants), to try against any known password protected data.
Data Sources and New Lines of Inquiry
Password managers could contain data sources that were previously unknown. These could be diverse in nature, such as additional email addresses or different cloud storage solutions. Just knowing the additional information exists may be useful. If, in addition, these data sources can subsequently be preserved and investigated, they could be hugely useful to the investigation.
New data sources could also give rise to entirely new lines of inquiry – for example, an email address may reveal an entirely new identity that was used for fraudulent activity. In this case, other data could then be searched for that alias to identify potential evidence of additional wrongdoing. Alternatively, this could be used to tie a specific alias or identity to an individual, since they had the password for accounts in that name; or, in corruption cases, this could identify web-based email used to communicate with co-conspirators involved in the alleged corruption.
An important point to raise (and one that will be revisited in part three) is that although the accounts and passwords are available, this does not mean that the relevant data can automatically be collected. In the UK, accessing data such as email or cloud storage without authorisation to do so could be a breach of the Computer Misuse Act.
Bitcoin Wallets, Cryptocurrencies, and Other Financial Services
If credentials for bitcoin wallets and other cryptocurrency assets are lost, the value of the asset may no longer be accessible. Therefore it is important to ensure that such details are saved in a secure manner – for example within a password manager. This also applies to online banking details for conventional bank accounts.
While other sources (such as internet history and installed applications) may indicate the relevant banks or cryptocurrencies in use, a password manager could provide full account details. This could be key in asset tracing cases, allowing for requests to be made for information from relevant financial institutions, or to identify and investigate the content of cryptocurrency wallets.
There may also be information with regard to other financial institutions, such as loan companies, stockbrokers, trading platforms, foreign exchange and wire transfer services. This information could be important in asset tracing or anti-money-laundering cases where information about the movement of funds may be key.
Not Just Passwords
Many password management tools provide additional storage for “important documents”. This could hold, for example, scans of passports and other key information, in case they were urgently needed and the original documents were not available.
Such “important documents” may also hold significant value for investigators. Passport information could be helpful to link an alias to an individual, or to connect the content of the password manager to a specific individual.
Other “important documents” could include property deeds, purchase agreements, shareholdings or important contracts or valuations. These may be of interest in cases where the value of goods under control may be of importance. Alternatively, information on assets could inform an enforcement strategy or an approach to freezing orders to ensure that assets cannot be disposed of or dissipated.
Coming Up
In part two, we will discuss some of the ways in which password managers can be investigated and then in part three, we will look at some issues to bear in mind during such investigations.
There is a fascinating constitutional showdown brewing in the U.S. that will have significant implications for how our law enforcement agencies are able to conduct digital investigations. The fundamental question at issue is whether the Fifth Amendment protection against self-incrimination can be lawfully asserted by a criminal defendant as a justification for refusing to provide a law enforcement professional with the password needed to access a personal technology device.
The most common example of how this issue manifests itself is when a police officer wants to search a cell phone or a notebook device as part of a criminal investigation, such as a child pornography investigation. The officer presents a search warrant to a judge to search the content of the device for the contraband, or evidence of an offense. The judge issues the warrant, commanding the officer to search the device, but the device cannot be opened without the person providing the password. The defendant refuses to provide the password so the content of the device can be searched, so the officer can’t execute the lawful search warrant issued by the judge. Can the defendant “beat the search warrant” by refusing to provide the password to open the device and perform the search?
To this point, there has been a difference of opinion in various state courts regarding whether the Fifth Amendment can be cited by a defendant who refuses to divulge the password. For example, a Pennsylvania court has ruled that it’s acceptable for defendants to refuse to provide the password to a device because the password is personal in nature — and producing it would require the individuals to speak or testify against themselves.
However, a Florida court held that simply divulging a passcode does not betray any knowledge a defendant may have about the circumstances surrounding his alleged offenses—so compelling a suspect to produce a passcode does not offend the Fifth Amendment privilege.
As we all know, any time we have a controversial social issue that is interpreted differently by state courts, it’s likely that the Supreme Court of the United States will eventually be called upon to resolve that conflict. I suspect this question of whether the Fifth Amendment applies to digital investigations by law enforcement professionals will be adjudicated sooner rather than later.
As of the writing of this article, the only Supreme Court case that may suggest how the Court rules on passwords to enter digital devices is U.S. v. Patane, 542 U.S. 630 (2004). In this case, the defendant was under arrest but had not been fully “Mirandized” when he was asked if he had a pistol in his house. He pointed to a drawer and the officer found the pistol in the drawer. Patane was convicted of being a felon in possession of a firearm. The defendant tried to suppress the gun, saying that it was found in violation of the 5th Amendment, because he was not fully Mirandized.
The Supreme Court held in this case that admission of non-testimonial physical fruits (the pistol here) does not run the risk of admitting into trial an accused’s coerced incriminating statements against himself. In light of reliable physical evidence’s important probative value, it is doubtful that exclusion can be justified by a deterrence rationale sensitive to both law enforcement interests and a suspect’s rights during an in-custody interrogation. Again, this is not directly on-point with the issue that we are facing with digital devices — but I believe that the 5th Amendment will not prevent the execution of a valid search warrant for contraband or evidence that is inside of a digital device, simply because the defendant refuses to provide the password to open the device so the warrant can be executed.
In the meantime, it’s a good idea for law enforcement agencies to reassess their practices for conducting digital investigations and think about how they approach digital searches. Here are a few key questions to address.
1. What is the rule for searching a cell phone?
Like it or not, the United States Supreme Court made a fairly “bright line” rule regarding the search of cell phones. In Riley v. California, together with U.S. v. Wurie, the Court held that the police generally cannot, without a warrant, search digital information on a cell phone seized from an individual who has been arrested.
There is a limited exception to this rule based on exigent circumstances, but the Court ruling is clear: you’re going to need a warrant to search that phone.
2. Can we use data found in a cell phone as probable cause to get another search warrant?
If you are able to lawfully search a cell phone, you may want to try to develop probable cause to search a location based on what was found within that phone (e.g., a “trophy photo” of the suspect standing next to what appears to be the cocaine found in his vehicle). If the photo was taken at the suspect’s home, GPS coordinates and other metadata available in the image file may be used to justify a search of the residence for additional physical evidence.
While there may not be probable cause that the drugs in the picture taken in the house are in fact still in the house, it may be evidence — coupled with what the defendant was arrested with when the phone was seized — that provides probable cause that he is a drug dealer. Drug dealers, even when they are out of drugs, typically keep scales, packaging materials, names and contact information of people from whom they buy drugs and to whom they sell drugs, as well as “pay-owe” sheets showing monies owed to the dealer. I have drafted search warrants before, under similar circumstances, for those items. Coupled with the drugs that the defendant was arrested with when his phone was seized, they paint a very clear picture to a jury that he is a drug dealer and not just a one-time offender.
3. How do we deal with password-protected cell phones or devices that require fingerprints to open?
Most cell phones and computers have passwords that are required in order to open and operate the device. A lot of these passwords can be “broken” by experienced computer forensics examiners, but the newest generation of mobile devices have taken the level of security up a notch. The new “blocking devices” — which can now require the individual to press their finger on the screen to open the phone for usage — present such challenges that even the FBI was forced to go to court for assistance from a manufacturer to unlock devices. The best source of a solution to these challenges will be the computer forensics examiner.
I have the great privilege of exploring these and other issues as a keynote speaker at the 2018 AccessData User Summit. This event is regarded as a premier gathering for computer and mobile device forensics professionals — as well as e-discovery and litigation support professionals. In addition to various sessions designed to help attendees learn how they can lead the way for their organization’s success with digital investigations, the agenda also includes various opportunities to learn more about specific software tools that will equip all of us with the best technology available.
The 2018 AccessData User Summit will take place June 19 – 22, 2018, at the beautiful St. Anthony Hotel in San Antonio, Texas. For more information, please visit http://www.adusersummit.com. I hope to see you in San Antonio!
About The Author
L.E. “Ted” Wilson is a retired Assistant District Attorney from the Harris County District Attorney’s Office, a police instructor and consultant to law enforcement agencies nationwide, and is a nationally recognized expert in writing search warrants. Mr. Wilson is co-author of Warrants Manual for Arrest, Search and Seizure, a treatise focused on drafting affidavits and warrants for all types of arrests and searches, which contains a new section regarding how to obtain digital evidence and access cell phones.
When most people think of digital forensics they think of CSI: Miami: hackers in hoodies and Mission Impossible-style biometrics. But beneath that superficial exterior there is a framework of laws, regulations, best practices, guidelines and standards which holds the field together.
This framework has never been under as much scrutiny as it is today, with the UK government mandating the international ISO 17025 laboratory standard [1] for all labs dealing with evidence for the courts, the ongoing battles between large Silicon Valley companies and law enforcement over encrypted messaging, and Apple’s recent announcements regarding the security features of its latest operating system and the iPhone X.
The rules governing digital forensics fall into two distinct areas: statute law (such as PACE, the Human Rights Act and the Regulation of Investigatory Powers Act) and guidelines created for practitioners to follow (such as those from ACPO and ENFSI) [2]. The mandating of ISO 17025 has blurred the line between these two worlds.
Seizure
Seizure of evidence is often the most important “legal” stage, since it is the first step in creating a chain of custody and overlaps with many other aspects of policing, so there is a lot of legislation surrounding it. The best known is the Police and Criminal Evidence Act 1984 (PACE) [3], which consolidates police powers under one act and balances them against the rights of the public. It includes provisions allowing data on a seized device belonging to an individual suspected of an offence to be examined; this covers computers, mobile phones, fitness trackers such as Fitbits, and cameras.
But what if the device is password protected? This is where Part 3 of the Regulation of Investigatory Powers Act 2000 (RIPA) [4] comes into effect. It gives the UK authorities the power to serve a notice compelling disclosure of encryption keys (e.g. computer passwords and mobile PIN codes); failure to comply carries up to 2 years in prison, or 5 years if the case involves national security or child indecency.
What does the arrival of Apple’s facial-recognition unlock mean for disclosure? If the face is treated as just another form of key, individuals could be compelled to look at their phone to unlock it, or face the same penalty as for withholding a PIN code. That favours the investigator, but the new iOS requires the device passcode to be entered before a connected computer is trusted, rather than the simple “Trust / Don’t Trust” prompt of the past. Since querying the extracted SQLite databases on a workstation is far faster and more focused than manually scrolling through a handset, that is a problem for examiners, so that’s one for each side. The feature that disables fingerprint and face unlock, forcing the passcode, when the lock button is pressed five times in quick succession [5] is another plus for the criminal, so the game finishes 2-1 to the bad guys.
Ensuring that the devices seized are relevant to the investigation is essential, as required by the Human Rights Act [6] and the Data Protection Act [7], both from 1998. The former incorporates rights from the European Convention on Human Rights into UK law; the latter requires that personal data be obtained and used only for limited, specified purposes (i.e. the investigation at hand). The information must also be kept in a secure location, with discretion exercised at all times.
Analysis
Once data has been collected it must be analysed. Although maintaining the chain of custody through documentation is important throughout the investigation, from seizure to the final report, the analysis stage is often overlooked in that regard because of the sometimes experimental nature of the work. With the evidence now in a static, safely stored state (a verified forensic image, with the original untouched), analysts may feel there is less need to keep up the record.
The reason for documentation at this stage is not so much chain of custody as scientific reproducibility: another expert performing the same examination with the same method should be able to obtain exactly the same results. That means recording every search performed, the software and version used and its settings, and the hash values of the image before and after analysis to show that it was not altered.
Screenshots are a quick and efficient way of providing clear documentation, but they must be organised and annotated. The Criminal Procedure and Investigations Act 1996 (CPIA) [8] governs the recording, retention and disclosure of material gathered during an investigation: material which was seized but not relied upon (unused material) must still be recorded and retained, and disclosed to the defence where it might undermine the prosecution case or assist the defence.
Until now there has been little real crossover between the scientific aspects of forensics, best practice and the law. The mandating of ISO 17025 changes this; although other forensic disciplines have already been compelled to obtain it, only now is digital forensics coming under the regulator’s gaze. Achieving the standard demonstrates the general competence of a testing laboratory through control of data, validation of methods, quality assurance, proper documentation, stated limitations of tests and more. Recent surveys have shown that the digital forensic community is split on the implementation and effectiveness of such a standard [9].
Guidelines
And finally, guidelines. These are the glue that holds the framework of legislation together. Although not enforceable in law, they fill the gaps which standards and laws leave and are one of the most important aspects of proper practice in digital forensics.
The most respected within the UK is the ACPO Good Practice Guide for Digital Evidence (latest edition 2012) [10], as it covers every stage of an investigation. Because it was written with the police in mind, by people who understand the field, and is specific to digital forensics rather than a one-size-fits-all approach, following it correctly keeps an examiner within all of the laws and standards discussed above.
For device- or technique-specific cases there are many scientific working groups which provide guidelines created by, and for, those working within the field. Some of the most respected include the Scientific Working Group on Digital Evidence (SWGDE), the National Institute of Standards and Technology (NIST) and the European Network of Forensic Science Institutes (ENFSI).
If we finally return to the framework analogy set out at the beginning of the article: the UK laws form solid bars which cannot be moved, replaced or broken; the ACPO guide provides the cement that holds those bars in place; and the technique-specific guidelines set out by other organisations are the superglue that fills any cracks or holes in the cement.
Although the future holds many challenges for practitioners, with changing legislation and emerging technology, if we stick to these guidelines we will not stray far from the road.
[1] Forensic Access, “Digital Forensics: Accreditation Required by October 2017,” Sep-2017.
[2] Anthony T. S. Ho and Shujun Li, Handbook of Digital Forensics and Multimedia Data Devices. UK: John Wiley & Sons, Ltd, 2015.
[3] UK Government, “Police and Criminal Evidence Act.” 1984.
[4] UK Government, Regulation of Investigatory Powers Act. 2000.
[5] BGR, “iOS 11 will make it impossible for cops to force you to unlock your phone.”
[6] UK Government, Human Rights Act. 1998.
[7] UK Government, Data Protection Act. 1998.
[8] UK Government, Criminal Procedure and Investigations Act. 1996.
[9] Scar, “Challenges of ISO 17025 Accreditation Survey Results.”
[10] ACPO, “Good Practice Guide for Digital Evidence.” 2012.
About The Author
James Zjalic is a Media Forensics Analyst and partner at Verden Forensics in the UK. His education includes a First Class Bachelor’s Degree in Audio Engineering and an expected Master’s Degree in Media Forensics from the National Centre for Media Forensics in Denver, Colorado. His research includes work on image authentication for the Pentagon’s Defense Advanced Research Projects Agency (DARPA) and peer-reviewed publications on subjects including forensic acoustics and audio authentication.