As I start the journey to Sydney for meetings, I thought there would be no better time to work on another blog. I thought I might touch on attacking the TIME issue again. I had a live webinar with Officer.com this week in which I spoke about this very issue. First, a huge THANK YOU to Officer.com for giving me a chance on the online platform, and secondly THANK YOU for supporting the LE officers around the globe with your services.
So TIME; yes, it’s a four-letter word in forensics, similar in sting to any other expletive one might hear. It’s really due to the demand we as examiners see from the inundation of digital evidence on our desks or in our labs. Glorified on TV and in movies as the smoking gun, and with the proliferation of devices in our world, we are slaves to the requests of these falsely educated requestors of “on CSI they did it”. So now piled up in our evidence rooms, desks and trunks (I hope not) are digital devices set to be examined, which range from cell phones to refrigerators. If it contains a chip it must contain evidence, right? Well, my concentration and focus in this blog will of course be cell phones, but I hope some of this can be used for the next ’fridge you run into.
Distribution of labor is a concept used by many companies to “share the work” and become more effective and efficient. This is an easy concept really when we think about it; what better way for someone to focus than to give them smaller portions? Using this model the workers can concentrate and focus on their small assigned task, but under the hood they are completing the piece used later to complete the entire project or solution. This is why the distributed processing model works so well with AccessData’s forensic software. The examiner can use multiple computers to process the data, with each core taking an assigned thread while the others are churning out other threads. All are concentrating or focusing on their task, the data thread, which amplifies the efficiency and reduces the TIME element. The same is evident in the usage of AccessData’s LAB product, where we are now talking about users. Like TRON, throwing Users in the mix usually messes up the Programs (current movie on the plane, sorry). Well, using LAB takes away the User’s lack of focus, lack of procedure, evidence overload and huge TIME commitment, because the task is no longer individualized. Distribution allows tasks to be assigned to each User and allows individuals to focus on what they have been assigned, not wander down the road of a User’s fascination with all the rest of the data in the case. Efficiency and accuracy of the examination, when distributed to Users, increase exponentially by lowering the burden of TIME and data overload on the User (examiner). So does the distribution of labor mean we do not conduct a proper extraction? That we only extract the email or internet history when we “image” a computer hard drive? Of course not; we obtain all the data that we can, typically a bit-by-bit copy of the device storage medium. It is the examination that shapes the evidence by extracting the data that pertains to the case.
Why am I focusing on distribution of labor when I am talking about cellphones? We all know that one person usually extracts and analyzes the data from a cellphone, right? It could be a first responder on scene or an examiner back at the office. Technically, that might be true, but ultimately that should not be the case. Let’s put a twist on the distribution of labor with regard to a small handheld device being processed in today’s world, using today’s tools.
A typical scene for cellphone forensics is this: a first responder shows up to a scene with multiple devices and begins to extract the data from the devices. The same goes for phones brought to the examiner in the lab. Reports are completed which typically contain only data I call “user data”, i.e. contacts, call logs, SMS, calendar and media. Simply obtained and jammed into a CSV or HTML report after the extraction.
What is the first responder’s, or front-line warrior’s, primary mission? To protect, settle the scene and move on to the next call. TIME is never a luxury for them, and the quickest, easiest extraction method for a digital device is all that matters. I am a big proponent of a first responder’s job not being a forensic examiner’s, but if we distribute the labor and do not neglect the collection, we all win.
Here is an example through today’s quick-and-dirty analysis eyes. A first responder or street officer arrives on scene, and his or her job is to quickly collect the data from a cellphone sitting next to the body. The phone’s contents are “dumped” quickly on scene, extracting contacts, SMS, media and call logs. This data is saved as a CSV file, an HTML file or both. That output is then sent to the prosecutor for review and the phone is booked into evidence. Because of the work overload and the TIME commitment involved in extracting the phone’s filesystem along with the user files, that step was not completed by the first responder. Later, while dealing with the case, the prosecutor quickly looks at the case and the first responder’s case report on the cellphone. Because the prosecutor is looking for a specific MMS message and does not see it contained in the first responder’s report, the case is settled without using any of the first responder’s cellphone work. Granted, there were some phonebook entries and SMS that helped the case to settle, but later another trained forensic examiner was asked to look into the evidence from the device, because now they had TIME. Remember, the filesystem was not extracted the first time due to the admitted lack of TIME of the first responder, so the device had to be reacquired. Once the phone was reacquired, the user information was AGAIN extracted, but also the available filesystem. Needless to say, the second examiner was duplicating the original work of the first examination in obtaining the user data, but this time had the embedded filesystem as well. The second examiner had to use another tool (FTK) to carve and parse the phone’s filesystem, which was only extracted in the second examination. To the surprise of the prosecutor (after the second examiner contacted them), the MMS was there, with the criminal image and text content easily visible in FTK from the phone’s embedded filesystem.
Too late came the information, as I mentioned earlier; the prosecutor had already sealed a deal. That is an everyday occurrence in today’s cellphone world. Should it be?
What can be taken from this real-life example? One immediately evident fact has to do with the topic, TIME. Could this have been solved on the initial extraction? Maybe distribute the processing tasks? Have the first responder conduct a FULL extraction, but only pull and report the artifacts requested, say phonebook and SMS. Then have a more trained examiner just analyze the filesystem? That could be a solution. The first responder or examiner extracting the device can obtain and report on what they need, but another examiner can also import the forensic container and examine the data at any time. How about a cellphone tool with a built-in carving solution, so extraction and file carving are all wrapped up in one? That would have solved the embedded image in the MMS.
Having another examiner examine the device and extract AGAIN is another issue, in both TIME and data integrity. Why not just give them the data files from the first extraction? Well, most cellphone tools output in a format not typically seen as a forensic container. Some examples are CSV, HTML, zip and bin files. None are good alternatives to a forensic container. What is needed is a tool where an initial extraction is all that is required, sealed in a container that is recognized all over the world as a forensic container. Having this ability protects the chain of custody and allows an extraction to only have to take place once. Any amount of change, however small, will change the digital fingerprint (the hash value) of that forensic container.
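To make the “extract once, seal once, examine later” idea from the last two paragraphs concrete, here is an added Python sketch (my example, not the author’s workflow or any AccessData product code). It seals a first responder’s full extraction, including the filesystem dump that only gets reported on later, under per-artifact SHA-256 hashes plus a hash over the manifest itself, and shows that a second examiner detects even a one-bit change. The artifact names and contents are constructed sample data; the function names are my own.

```python
import hashlib
import json

# Constructed sample extraction: what a first responder would seal on scene.
# Only contacts and SMS go into the quick report, but the filesystem dump is
# captured and sealed too, so a second examiner can work from it later
# without re-acquiring the phone.
SAMPLE_EXTRACTION = {
    "contacts.csv": b"name,number\nAlice,+15550000001\n",
    "sms.csv": b"ts,from,body\n2011-01-01T10:00,+15550000001,meet at 9\n",
    "filesystem.bin": bytes(range(256)) * 8,  # stand-in for the embedded filesystem
}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def seal_extraction(artifacts: dict) -> dict:
    """Fingerprint every artifact, then hash the manifest itself.
    The manifest hash is what gets written into the chain-of-custody log."""
    files = {name: sha256_hex(data) for name, data in sorted(artifacts.items())}
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    return {"files": files, "manifest_sha256": sha256_hex(canonical)}

def verify_extraction(artifacts: dict, manifest: dict) -> list:
    """Return names of artifacts that are missing or altered since sealing.
    An empty list means the second examiner can trust the container as-is."""
    files = manifest["files"]
    canonical = json.dumps(files, sort_keys=True, separators=(",", ":")).encode()
    if sha256_hex(canonical) != manifest["manifest_sha256"]:
        return ["<manifest>"]  # the manifest itself was edited after sealing
    problems = []
    for name, expected in files.items():
        if name not in artifacts or sha256_hex(artifacts[name]) != expected:
            problems.append(name)
    return problems

def flip_one_byte(data: bytes, offset: int) -> bytes:
    """Simulate the smallest possible change to a sealed artifact."""
    return data[:offset] + bytes([data[offset] ^ 0x01]) + data[offset + 1:]

if __name__ == "__main__":
    manifest = seal_extraction(SAMPLE_EXTRACTION)
    print("untouched:", verify_extraction(SAMPLE_EXTRACTION, manifest))
    tampered = dict(SAMPLE_EXTRACTION)
    tampered["filesystem.bin"] = flip_one_byte(tampered["filesystem.bin"], 100)
    print("after 1-bit change:", verify_extraction(tampered, manifest))
```

In practice the manifest hash would be recorded alongside the container at booking time, and the second examiner recomputes it before importing anything.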
Now let’s analyze this in the sense of distribution of labor. Back to the TIME commitment this is all about. As you can see, there are tools available that can be the best of both worlds: one for easy acquisition and also deep artifact data mining for that needle that everyone complains they don’t have time to look for. Divide the work by task design; don’t double the work by duplication of labor. Focus on what is needed for the “push button” extraction, but also understand there are tools available that can allow a quick preview and reporting of the data, but not at the cost of an examination’s TIME commitment and data integrity.
Thanks for reading.