MFI Training Series vol 1 - Process

This blogging will be quite interesting and I think might help express the ideas and theories I always yell at students about in class (sorry students but passion is passion). I think I will start a series on process. Let’s go for the first bullet:


First and foremost, let’s wrap your head around the fact that TOOLS used to extract data do a disservice to the community by using the term “forensic”. Using this term actually lulls a new examiner (or old) into thinking that there is some magic write-blocking mechanism built into the cable (don’t laugh, there are some salespeople selling that line) or software. Understanding that there is no way to write-protect a phone seen by the OS as a serial port or modem is the first step to understanding that a TOOL does not put the FORENSICS in your exam, but your PROCESS will! Yes, your process during the extraction is ultimately what will be called into question.


As a cellphone examiner you often have to use multiple tools during an exam. If you are not, then how are you conducting any validation? OK, that is a blog in itself, so moving on. Back to what to do if you have to use one tool or multiple tools during a single exam.

First, you should attempt to obtain a backup of the cellphone filesystem (logically and/or physically) or as many user files as possible. These files should then be hashed by software capable of creating a known hash list. For example, AccessData’s FTK allows you to bring a cellphone filesystem into the application, and you can easily create a Known File Filter based on the files on the filesystem.
After this known set of hashes is created, you can continue your exam using as many tools as needed to extract the maximum amount of data. The last thing you should do in the exam is re-acquire the filesystem, or conduct the same initial extraction that was taken into FTK and hashed. Once this extraction is completed, you can bring the POST filesystem into FTK and run the Known File Filter against the new data to identify whether any files changed during your examination and extraction. You will notice every time that some files change over and over. As you look closer you will recognize that the files changing are SYSTEM files and not user files. You can now say with 100% certainty that no user data was altered during the examination. Can you do that in your current methodology?
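
The pre/post comparison described above, sketched as an added example (it is not from the original post and is not how FTK's Known File Filter is implemented). It assumes both extractions have been exported to directories on the examiner's workstation; the `user/` and `system/` prefixes, file names and file contents are constructed sample data.

```python
import hashlib
import os
import tempfile

def hash_tree(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 20), b""):
                    h.update(chunk)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests

def compare(pre, post, user_prefixes):
    """Diff two hash lists and split the touched paths into user and system."""
    changed = sorted(p for p in pre.keys() & post.keys() if pre[p] != post[p])
    removed = sorted(pre.keys() - post.keys())
    added = sorted(post.keys() - pre.keys())
    touched = changed + removed + added
    # user_prefixes is the examiner's own definition of user data (assumption).
    user = sorted(p for p in touched if p.startswith(tuple(user_prefixes)))
    return {"changed": changed, "removed": removed, "added": added,
            "user_touched": user,
            "system_touched": sorted(set(touched) - set(user))}

def write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)

def demo():
    """Constructed PRE and POST extractions in which only a system file differs."""
    with tempfile.TemporaryDirectory() as tmp:
        pre_dir, post_dir = os.path.join(tmp, "pre"), os.path.join(tmp, "post")
        for root, log in ((pre_dir, b"boot 1\n"), (post_dir, b"boot 1\nboot 2\n")):
            write(root, "user/sms/inbox.db", b"constructed message store")
            write(root, "user/pictures/img001.jpg", b"constructed image bytes")
            write(root, "system/conn.log", log)
        return compare(hash_tree(pre_dir), hash_tree(post_dir), ["user/"])

if __name__ == "__main__":
    report = demo()
    print(report)
    print("user data unchanged" if not report["user_touched"] else "USER DATA DIFFERS")
```

Any entry in `user_touched`, including a user file that is missing from or new in the POST extraction, means the examination cannot be described as leaving user data unaltered without further explanation.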

Unfortunately, most rely on their software of choice simply using the word “forensic” in its literature to call their exams forensic. Don’t be one of them; use a forensic process!

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department
