In Digital Forensics, Beware of Over-Promised Tools and Techniques

Brad, you’ve been working in digital forensics and e-discovery for more than 20 years. Will you describe your background and highlights from your career to date?

I still recall my first few weeks on the job, when I was taught the basics of evidence handling, the concept of a proper chain of custody, and the standard workflow and protocols that my firm at the time had put in place. Similar types of training took place at other stops along the way for me, and the tools and workflows differed slightly at each consulting firm. Even chain of custody forms and acquisition documentation varied in some ways. However, the concepts and protocols built into each workflow were common threads that followed the guidelines and framework established by the key governing bodies and organizations in the industry, including the International Organization for Standardization, the Scientific Working Group on Digital Evidence, the National Institute of Standards and Technology, etc.

Will you expand on that last point? Why is standardization so important in this field?

Standardized workflows are often necessary for teams that include technology-savvy but entry-level practitioners. These protocols and standards are excellent at making sure practitioners are consistently upholding the reliability, integrity and admissibility of the evidence. This is why I caution digital forensic practitioners, and the clients that engage them, to avoid new and extraneous standards or approaches that can undermine the ultimate objectives of the mission.

This is becoming even more crucial as technology advances. A decade ago, when a hard drive needed to be imaged, by and large, the workflow was straightforward. Yet, the past few years have seen a significant change in the way devices operate, which impacts forensic methodology. The amount and type of data on devices, security features and the way in which endpoints interface with cloud sources are examples of factors that have changed the game. Similarly, advancement in forensic technology has introduced more options for the tools available for data collection. With all these changes comes the risk of mistakes that can weaken forensic soundness.

Do you have an example to frame this issue in context?

One of the most notable changes with collection from mobile devices is the ability to perform a full file system extraction without having to jailbreak or root a device. This can allow our team to access mobile artifacts that were previously unavailable. Some examples of these artifacts include ephemeral messaging chats within apps such as Signal and Telegram, deleted data, emails, timelines of device activity and evidence of malware, viruses or other malicious activity on the device. 

There are still instances, however, when acquiring a full file system extraction is not possible due to the make, model or operating system of a mobile device. Professionals in this field know that mobile device manufacturers are constantly developing new models and updating software to improve security, privacy and user experience. Naturally, this results in new challenges when attempting to extract data from new devices or operating systems. Sometimes, the makers of forensic technology can keep up with updates in a matter of days or weeks. Other times, the challenges are more significant to overcome and may take a month or more to solve.

So, what should digital forensics practitioners do if a full file system extraction cannot be performed? 

This question gets to the heart of the point. The focus should shift away from the tool and onto the evidence that is actually relevant or could likely become relevant to the matter. 

Ultimately, digital forensic examiners should consider and exhaust every possible avenue to preserve data that may be pertinent to the matter. If the collection of third-party chat data and ephemeral messaging is germane to the data collection, and a full file system extraction cannot be done, supplemental collection procedures, such as an advanced logical extraction (or equivalent) to preserve native text messages and other information, may be needed. 

Depending on the application, investigators may be able to obtain an older test iPhone or Android running a prior operating system version and sync messages from the custodian’s account via the cloud. After the sync, the messages can then be collected from the test device using the full file system extraction technique. A visual comparison of what was collected to the third-party application chats on the original device can be performed for thoroughness.

Whatever method is used, the key is to uphold defensibility using reliable tools and workflows. This requires oversight from an expert and detailed documentation of the methodology in the event that the examiner must at some point testify to the procedures performed.

Are there any other examples you’d like to share that illustrate the complexity of digital forensics and the importance of expertise over shiny tools?

Internal investigations where very few facts are known can prove to be even more challenging than the scenarios already discussed. In these types of cases, it may initially seem that messages from a given custodian’s work devices are likely to be the only source of potentially relevant information. As such, counsel may direct the digital forensics team to obtain an advanced logical extraction from mobile devices, with the intention of reducing the amount of time the custodian will be without the device(s), containing costs, and avoiding over-collection.

In this scenario, digital forensics teams that lack experienced practitioners or are not thinking ahead to forecast potential issues may simply proceed as directed. However, consider the possibility that the subsequent review of messages on the device reveals that the custodian may have been traveling to and from a foreign official’s home, but because a fulsome collection was not conducted, there is no concrete evidence to prove the suspicions. Later, when the custodian becomes aware of the accusations, the individual(s) involved could begin destroying any additional evidence that was not yet collected.

We see situations like this happen frequently. In this example, had a full file system extraction been acquired at the outset, the investigative team may have had access to application data that could have been critical to pinpointing the dates, times and locations significant to proving the custodian’s nefarious activity. 

So, the takeaway is that clients need to beware of so-called experts or overreliance on unproven workflows?

Absolutely. It’s critically important that digital forensics practitioners ensure the reliability, integrity and the admissibility of the evidence collected. Equally critical is that the practitioner capture the evidence that is most important to the matter (or, at a minimum, preserve data sources until the needed collection technique can be performed). Digital forensics experts are also responsible for advising counsel on what will and will not be (as well as what can and cannot be) preserved should other artifacts become critical to the litigation or investigation later on. Experts who have been through these challenges know to predict the pitfalls that may arise later on and can take critical steps to avoid them. No technology can provide that kind of strategy and foresight. 

The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, its subsidiaries, its affiliates, or its other professionals.