The Failing “Find Evidence Button”

It has been quite evident during my R&D to develop a better solution to combat the rapidly changing dynamic of smart device collections one critical observation. The days of quick and dirty forensics is over. This theme resonated at this years LegalTech New York.

Data in today’s company environment cannot be watered down and honestly acceptable when given only half the story. “We support 50 of the most current applications and deliver the application data quickly” is the common mantra. What happens when your critical incident involves an application outside of the 50 most current applications? What happens when the mission critical data is within the supported application, but the solutions’ whambam incorrectly displays or misses the critical information? The kicker is that you can clearly see the data sitting within the database! There lies the thorn in automation. Automation leads to straight lines, no deviation, no human interaction. You get what you get, so don’t throw a fit. You are a victim of the then, but we live in the now.

With over 70% of smart device users using alternative forms of chat applications to communicate it takes a very different tool that the whambam – gotta-get-it-done-with-no-questions-asked solution can deliver. A tool is needed that can be steered and customized by an examiner; one that with the changing times can immediately be altered as needed. What if an application database schema changes, updates or a new application releases that is the next SnapChat? One cannot wait for the software to update, this information is needed now. We need a tool that can be molded in a way, programmed if you will, to be a chameleon. A mobile device collection tool that allows you to process data, assign data types and immediately publish the results. Results are what our customers demand and with the MPE+ SQL Builder the results you can obtain from any application are tremendous.

During the presentation in New York last week I presented the audience with a problem (there were of course several) during the application analysis session. A device comes into your practice missing SMS/MMS, but your information says the custodian chatted every second they could.  Understanding that in today’s dynamic there are many different ways to “chat” and using the standard SMS platform on the Android device is not the most common. So, using MPE+ SQL Builder we created our own queries to conform to the needed data and recovered chats from facebook, facebook messenger, pinterest and even images from snapchat. What is interesting to note. Some of these applications are “supported” by other solutions which all failed to recover the data we were looking for.

Using MPE+ we customized with surgical precision the data we wanted and what was requested by our customer; we even saved the query for later use if we run into the same request for that application data.

I want to put a new face on the collection of this data from smart devices. I want to put the examination in the hands of the examiner, to arm them with the tools necessary to adapt and overcome data in real time. Our cases cannot wait for an update or maintenance release.

If data/upgrades/updates are not going to wait for us why should we wait for them. Use a tool that takes a new approach to mobile device forensics.

Lee Reiber

About Lee Reiber

Pioneering mobile device forensic examiner, consultant and trainer, software development innovator and former LE officer with the Boise Police Department

This entry was posted in Information, Products and tagged , , , , , , . Bookmark the permalink.