This blog will be quite interesting, and I think it might help express the ideas and theories I always yell at students about in class (sorry, students, but passion is passion). I think I will start a series on process. Let’s go for the first bullet:
DONT FALL INTO THE TRAP
First and foremost, let’s wrap your head around the fact that the TOOLS used to extract data do a disservice to the community by using the term “forensic”. Using this term actually lulls a new examiner (or an old one) into thinking that there is some magic write-blocking mechanism built into the cable (don’t laugh, there are some sales people selling that line) or the software. Understanding that there is no way to write-protect a phone that the OS sees as a serial port or modem is the first step to understanding that a TOOL does not put the FORENSICS in your exam; your PROCESS does! Yes, your process during the extraction is ultimately what will be called into question.
HAVE A SOLID PROCESS
As a cellphone examiner you often have to use multiple tools during an exam. If you are not, then how are you conducting any validation? OK, that is a blog post in itself; moving on. Back to what to do if you have to use one tool or multiple tools during a single exam.
First, you should attempt to obtain a backup of the cellphone filesystem (logically and/or physically), or as many user files as possible. These files should then be hashed by software capable of creating a known hash list. For example, AccessData’s FTK allows you to bring a cellphone filesystem into the application, and you can easily create a Known File Filter based on the files on the filesystem.
After this known set of hashes is created, you can continue your exam using as many tools as needed to extract the maximum amount of data. The last thing you should do in the exam is re-acquire the filesystem, i.e. conduct the same initial extraction that was taken into FTK and hashed. Once this extraction is completed, you can bring the POST filesystem into FTK and run the known file filter against the new data to identify whether any files changed during your examination and extraction. You will notice every time that some files change over and over. As you look closer you will recognize that the files changing are SYSTEM files and not user files. You can now say with 100% certainty that no user data was altered during the examination. Can you do that in your current methodology?
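The PRE/POST known-hash comparison described above, written out as a script so the logic is visible outside of FTK. This is an added example, not code from the original post or from any vendor tool; the two filesystem snapshots, their paths and contents, and the rule that user data lives under /user/ are all constructed assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample snapshots standing in for the PRE and POST extractions
# of the handset filesystem: path -> raw file bytes. Nothing here is real data.
PRE_FS: Dict[str, bytes] = {
    "/system/log/radio.log": b"boot 1\n",
    "/system/prefs/lastboot.dat": b"\x00\x01",
    "/user/sms/inbox.db": b"SMS rows v1",
    "/user/photos/img001.jpg": b"\xff\xd8fakejpeg",
    "/user/contacts.vcf": b"BEGIN:VCARD...",
}
POST_FS: Dict[str, bytes] = dict(PRE_FS)
POST_FS["/system/log/radio.log"] = b"boot 1\nboot 2\n"  # log grew during the exam
POST_FS["/system/prefs/lastboot.dat"] = b"\x00\x02"      # rewritten by the OS
POST_FS["/system/tmp/session.tmp"] = b"scratch"          # created by the OS

# Assumption for this example: user data lives under these roots; anything else
# is treated as a SYSTEM file. A real exam maps this per handset model.
USER_PREFIXES: Tuple[str, ...] = ("/user/",)


def build_hash_set(fs: Dict[str, bytes]) -> Dict[str, str]:
    """Known-hash list: SHA-256 of every file, keyed by path (the 'KFF')."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in fs.items()}


def compare_hash_sets(pre: Dict[str, str], post: Dict[str, str]) -> Dict[str, List[str]]:
    """Run the PRE hash set against the POST extraction; report every difference."""
    common = pre.keys() & post.keys()
    return {
        "changed": sorted(p for p in common if pre[p] != post[p]),
        "added": sorted(post.keys() - pre.keys()),
        "removed": sorted(pre.keys() - post.keys()),
    }


def classify(paths: List[str], user_prefixes=USER_PREFIXES) -> Tuple[List[str], List[str]]:
    """Split touched paths into (user files, system files) by path prefix."""
    user = [p for p in paths if p.startswith(user_prefixes)]
    system = [p for p in paths if not p.startswith(user_prefixes)]
    return user, system


def user_data_intact(pre_fs: Dict[str, bytes], post_fs: Dict[str, bytes]):
    """Return (no_user_change, touched_user_paths, touched_system_paths)."""
    diff = compare_hash_sets(build_hash_set(pre_fs), build_hash_set(post_fs))
    touched = diff["changed"] + diff["added"] + diff["removed"]
    user, system = classify(touched)
    return (not user), user, system
```

With the constructed snapshots, the only differences land on the three SYSTEM paths, so the check reports user data intact while still listing exactly what the OS altered.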
Unfortunately, most rely on their software of choice simply using the word “forensic” in its literature to call their exams forensic. Don’t be one of them; use a forensic process!
Lee,
Let me start by saying thanks for all of the work you have done in the area of cell phone forensics. I enjoy reading your postings and I am always learning something new. Although it was a long time ago, I attended Carl Dunnagan’s (sp?) first cell phone forensics class with you in Carlsbad, CA.
That being said, I would like to make some comments about some of your statements to spark the conversation.
“As a cellphone examiner you often have to use multiple tools during an exam. If you are not, then how are you conducting any validation?”
Here in my department’s lab we generally validate every phone exam by reviewing the phone’s contents manually and comparing what we see to what is on the report. We have processed many phones with two or more ‘tools’ only to find that both tools reported inaccurate and / or questionable results. Just because two different tools report the same findings does not make them accurate nor does it ‘validate’ the tool. We have had several occasions where we processed the same make / model phone with the same tool and, during our review, found that one phone’s report was correct while the other phone’s report was wrong. I have come to believe (at least for now) that no tool should be relied upon completely, although I know of other individuals (not in my lab) who are simply running phones through whatever tool seems to work best and then burning the results to a CD without ever reviewing the report.
As for your process of: dump the file system / obtain hash values – process the phone – dump the file system / obtain hash values and compare the results.
Are you serious? On every phone we process? I have never heard of this before and I question this process for a couple of reasons:
1. To set this up as a policy seems to be inviting problems in court. While I know that there is currently no way to dump the file systems on some phones, it seems that a good defense attorney could throw a lot of ‘mud’ if this was your policy and you processed a phone where the file system could not be dumped. I know it should be as easy as just saying that ‘it is not currently possible to dump a particular phone’s file system’ but it never is.
2. We frequently process phones where our detectives only want us to obtain specific items from the phone such as only text messages or only images. While the reasons for this vary, they include: search warrant limitations and consent limitations. Often our detectives will only want us to document specific text messages that pertain to their case and nothing more. Why dump the file systems on these phones?
3. After reading your process, I thought I would try it on a phone that I was currently processing. The phone happened to be a Samsung SCH-R350 and Cellebrite supported a file system dump of this model. I connected the phone and everything went perfectly as the file system dump started. I then waited. I went to lunch, returned and waited some more. After waiting for more than 5 hours, I finally canceled the process. I did some quick math (not my strongest subject) and determined that processing this phone using your method would have taken me at least 10 and more likely 15 – 20 hours. While I realize that not every phone will take this long to process, unless we are trying to obtain deleted data, why? While I realize that some smaller departments may only process a few phones each month, here in our lab we will process about 600 phones this year and that number is constantly growing. That is in addition to the more than 200 computers we process. I have a difficult time justifying that type of time expenditure. We here in our lab estimate about 4 hours per phone examination; some phones take less time while others take longer. Doing a little more math for your method, assuming about 10 hours per phone (total processing time including two file system dumps, processing the phone, documentation and report writing, comparing the results to the phone’s display, hashing and reviewing the file system dump results…) equates to 6000 hours per year. Figuring that (without vacations, sick time, holidays, etc.) the average full time worker works 2080 hours per year, I would need more than 3 full time examiners just to process our cell phones.
Like I stated in the beginning, I greatly appreciate your work in the cellular phone forensics arena and I am constantly learning.
Keep up the good work,
Ritch
Awesome comments Rich and thank you very much for the kind words. I really try and get examiners to take their exams seriously and unfortunately the four letter word “time” is always on the lips of Law Enforcement as was stressed in your response. Unfortunately, this time issue has been involved in computer forensics for some time and when we try to skirt around doing faster examinations we often find ourselves cutting corners and getting caught in the process when testifying. Let me answer your points to the best of my ability understanding that many do not want to take the time but rely on one tool and one button.
1. This will always be the case with digital forensics and court. As for not obtaining the filesystem, that could be compared with not being able to create a physical image of a hard drive because of a bad drive, or not being able to image a server because of civil ramifications so a live image is conducted. There are always going to be issues in court, but if you do what you can if available (acquiring the filesystem) you are not going to receive the question of “why didn’t you do it?”. And if you attempted, but it failed or was not supported for that model, is that not better than “I did not do it at all” or not even making an attempt? If they have an expert that understandably has more time to complete a full examination and finds data in the filesystem that you elected not to extract, how does the rest of your exam look? I simply do not want to be in that situation, to have a moment in court where my lack of preparation was the issue in the case.
2. This is the biggest issue that most people have with conducting a complete process: “My Detectives only want to obtain specific items”. I ask you this: Has a detective, or more likely a prosecutor, asked you if there was any other data that was recovered that could have been deleted? Was your answer “No”? If it was, are you sure there was not anything else? Because if you just manually searched the phone commando style, of course you are not going to find it logically, but what if there was information in the file system that you missed? If you backed up the filesystem you could have gone back when asked and looked at that time and positively said there was nothing there, but as it stands, by just “getting the minimum” you cannot. As for search warrant limitations, a simple dump of the filesystem can be easily conducted without looking into the filesystem, and ONLY text messages, ONLY contacts, ONLY pictures can be simply extracted with the logical get evidence button, but should the warrant be refreshed for additional information you don’t have to hunt the phone down or ask the person for their phone back after the fact.
3. As for the Cellebrite filesystem dump you conducted, you might check your updates etc. I processed that same phone and it took 25 minutes to obtain the filesystem, not the physical dump. I am not sure which selection you are using. I also used another tool and it took less time. I am sure you just might have had a lot of media, but with only 55 MB of internal storage on the chip I would say there was an issue with the transfer.
Notwithstanding that issue, it appears you are good with math as you have hours worked etc. vs. hours on vacation, and hours per year. My whole point in getting examiners to utilize a process is just that: have a process that you can stand up to in court. As it currently stands, if there were trained examiners in the criminal or civil defense realm competent to complete a full examination, the current examination methods of a lot of LE examiners would be torn apart. This will come in the form of: “Did you alter any of the data on the phone?” and they say “no”. The other examiner will have a heyday. And if they say “yes, things change simply by turning the phone on” they will be asked, “what was changed?”. The examiner will say “I don’t know, but something changed”, again not helping the case. Conducting a proper examination and understanding what has changed, if possible, can help answer that question. I think you are in a far worse position if you did not at least attempt to complete a full examination. Do you not look for the last time the computer was turned on in the Windows Registry? I always did.
You mentioned that you conduct computer examinations as well? Would your current form of cellphone examination work for a computer examination? I know pressing the get evidence button most likely would not fly on a computer examination (unless FTK and EnCase have one of those). Is a current mobile phone anything less than a computer? Both have web cache, chat, applications, email and more, but we simply do not have the time to look now; stand by, we will be forced to because of poor exams. I would rather be prepared for this than forced.
Thank you so very much for the comments and the only way to work this out and get a great process is doing this!
Again, thank you for the kind comments and I hope to help as much as I can in this area.
Use your favorite tools to analyze and report. If your detectives only want certain information, you can report this but include your examination of the other areas in support of these findings.
Judges and lawyers are getting more knowledgeable everyday on the inner workings of a forensic exam, as well as strategies to counter sloppy exams.
I can’t remember the exact case, but a forensic examiner found porn on the HD. The defense did a complete exam and found that the emails were never opened; therefore, they did not get a conviction. Do a complete exam so you won’t have to say I don’t know.