Carving the artifacts

Recently, I spoke at length to a trainer of MFI that stirred up some great feelings when it comes to searching. And when I talk about feelings don’t get freaked out, but moreover they are the kind of emotions only found when discovering that piece of data that has never been documented. Few and far between does one run into an examiner that wants to look past the push button and into the hard stuff; artifacts that must be manually carved from the existent data. And when this occurs it is sorta like the feeling Yoda had in the swamp. (what a poor reference, but those who get it are as old as me)

To bring you up to speed I have been conversing with an examiner who is not only a MFI instructor but a MFI graduate. Here is the skinny:

Text messages had been sent using an iDEN device but deleted. He needed to not only recover the data, but to obtain additional meta data in the message if possible. Using Cellebrite UFED with the additional physical module an extraction was completed and subsequently a possible deleted text message was located. The problem he found was the ascii was displayed but the metadata he was looking for (dates and times) was not. Using techniques learned in our MFI courses he compare the known values located and carved with the Cellebrite Physical Analyzer with the area surrounding the target message. Several hexadecimal values were located and thrown into the MFI Hex Assistant; selecting iDEN format. BAM! (my word not his) the date was converted.

The examiner could have given up when the tool did not yield the results for him, but he of course he did not. Tenacious is a term I like to describe not only this examiner but a lot of the MFI graduates. They are truth seekers. They understand that there is not one tool that can get all the data, but they continue to look, carve and unfold the evidence, using sound methodologies and techniques.

This is not a bash on any tool as some may read into this. No current tool on the market could have located the date and time in that format. What it is though is a testimony to the hard work and dedication of examiners seeking to break the mold of a “tool jockey”.

What was the outcome of this hard work? Another serious felony was solved with cellular evidence.

Thanks for listening and keep up the great work. Data does not lie.

Lee Reiber

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department

This entry was posted in Training and tagged , , , , , , , , , . Bookmark the permalink.