The Techno Security and Digital Forensics Conference, an annual event in Myrtle Beach, South Carolina, has a reputation for delivering great content in a beautiful coastal location. This year was no exception, with industry speakers and vendors giving their perspectives on issues like the Internet of Things (IoT), the latest Android and iOS operating system versions, and the newest digital forensics methods.
It’s exciting to see how the industry continues to adapt to new technology and new ways of using technology. Here are four key takeaways I got from sitting in on multiple sessions:
1. The scale of evidence demands new methods and ways of thinking.
Forensic examiners often speak in terms of terabytes and even petabytes of data (can exabytes or zettabytes be far behind?), but these terms are limited in capturing the reality of tens or hundreds of thousands of pieces of evidence, dispersed across multiple devices and apps—which investigators have to parse to determine whether and how they are even relevant.
INTERPOL senior mobile forensics specialist Christopher Church said in his Monday morning keynote address that these issues affect everyone, whether they are asking, or being asked, for “everything on the device.” To mitigate or even avoid forensic lab backlogs, a range of solutions has been developed. Some include more stakeholders along a workflow continuum, encouraging more communication to merge data and build a better picture of suspects and victims. Other solutions automate more of the process and, as Magnet Forensics Product Manager Tayfun Uzun noted in his presentation “How to Address Backlog,” reduce the downtime between steps.
Triage therefore continues to be a hot topic, expanding beyond images and video to chat messages as well—and using machine learning to target data collections more specifically. Going beyond skin tone analysis and hash set comparisons, heuristics and binary classification such as Magnet.AI can help to narrow down content and identify where to start looking.
2. Encryption offers opportunities as well as threats.
As Forensics Trainer Chris Vance talked about in “Taking a Bite Out of Android’s Tasty New Versions,” the Nougat operating system has gone a few steps beyond Marshmallow. By implementing Direct Boot, file-based encryption, and credential- versus device-encrypted storage, Nougat makes potentially more evidence available to examiners, both before and after boot, than might otherwise have been accessible with Marshmallow’s full-disk encryption. (Want to know more? Stay tuned for details about our soon-to-be-scheduled Nougat webinar!)
Similarly, Forensic Director Jessica Hyde noted in her presentation, “How the Onset of Security Apps Is Impacting Investigations,” that “encrypted” apps may only be partially encrypted, and thus may not do what they advertise. These likewise offer opportunities to investigators. For example, an app that encrypts only the message body within the SQLite database still leaves critical metadata in the clear, offering you clues to contacts and date/time ranges.
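To illustrate the partial-encryption point above, here is an added example (not code from the presentation or from Magnet Forensics) that builds a constructed SQLite message table in which only the body column is ciphertext, then reports what the cleartext columns alone reveal: the contact list, per-contact message counts, and the date/time range. The schema, phone numbers and timestamps are all made up for the example.

```python
import os
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows imitating a messaging app that encrypts only the
# message body; sender, recipient and timestamp columns are in the clear.
SAMPLE_ROWS = [
    # (sender, recipient, unix_ts)
    ("+15551230001", "+15551230002", 1496390400),  # 2017-06-02 08:00 UTC
    ("+15551230002", "+15551230001", 1496394000),
    ("+15551230001", "+15551230003", 1496480400),
    ("+15551230003", "+15551230001", 1496484000),  # 2017-06-03 10:00 UTC
]


def build_sample_db() -> sqlite3.Connection:
    """Create an in-memory database whose body column holds opaque bytes."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE messages (id INTEGER PRIMARY KEY, sender TEXT, "
        "recipient TEXT, ts INTEGER, body_enc BLOB)"
    )
    for sender, recipient, ts in SAMPLE_ROWS:
        # os.urandom stands in for ciphertext the examiner cannot decrypt
        conn.execute(
            "INSERT INTO messages (sender, recipient, ts, body_enc) "
            "VALUES (?, ?, ?, ?)",
            (sender, recipient, ts, os.urandom(32)),
        )
    conn.commit()
    return conn


def _iso(ts: int) -> str:
    return datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()


def extract_metadata(conn: sqlite3.Connection, owner: str) -> dict:
    """Summarise contacts and time range using only the cleartext columns."""
    rows = conn.execute(
        "SELECT sender, recipient, ts FROM messages ORDER BY ts"
    ).fetchall()
    contacts: dict = {}
    for sender, recipient, ts in rows:
        peer = recipient if sender == owner else sender
        contacts[peer] = contacts.get(peer, 0) + 1
    return {
        "contacts": contacts,
        "first_message": _iso(rows[0][2]),
        "last_message": _iso(rows[-1][2]),
        "total": len(rows),
    }
```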
However, beware other things apps can hide in their feature sets that can compromise your identity and investigation. Jessica’s presentation detailed how some apps allow “intruder selfies” to be taken of anyone trying to enter a PIN code on a device, as well as apps that can record conversations. (Her advice: cover a device camera before trying to access it, and don’t discuss sensitive details within range.)
3. Data exists where you might not expect… and doesn’t exist where you might think.
Thanks to synchronization, evidence can be “contaminated” or obfuscated due to data availability across multiple devices—and even users. Privacy apps can feature decoy PINs and vaults, so that the PIN the suspect gives you leads to a vault that contains only decoy evidence. Other privacy-oriented apps hide themselves by appearing to be an innocent app, or removing their icons altogether.
Android Nougat, meanwhile, has introduced some new file paths, moving artifacts such as call logs and text messages to new database locations to match its new file-based encryption scheme. Another confounder with Nougat is that it steps up the game for multiple users of single devices. Although it sandboxes users each with their own profile and database, forensic examiners need to be able to explain why a piece of data belongs to one user and not another.
Furthermore, the Internet of Things muddles the search for digital evidence by storing important data on devices or in the cloud apart from the apparent focal point of an investigation. For example, devices like Amazon’s Alexa don’t actually store a lot of data on their own, as Magnet Forensics founder Jad Saliba’s talk, “Making IoT Relevant to Forensic Investigations” described.
4. Timelines continue to be crucial to digital forensic investigations.
The importance of timelines can’t be overstated, a point hammered home by our Forensic Consultant Jamie McQuaid in his presentation, “The Dark Side of P2P Apps and Shared Content in the Forensics Landscape,” as well as by both Jessica and Jad in theirs.
Not only do peer-to-peer apps contain a wealth of time stamps that can help establish criminal activity such as uploads, downloads, and live streams; the range of devices people use to manage their lives—from personal assistants to health monitors to home security and environment monitors—can all, in the aggregate, be used to establish patterns of life and identify anomalous behavior.
Some apps, like Nest or similar home environment controls, can even be used to confuse good investigative timelines—such as turning down a thermostat after a homicide to slow the rate of decomposition and thus throw investigators off!
Although many of these technologies don’t yet have high adoption rates, a recent NPR article, “The Internet of Things is Becoming More Difficult to Escape,” noted: “Almost half of the world’s population is connected online. And technology is constantly looming in our lives: the Nest thermostat regulates our household temperature, a camera watches our dogs, our health is constantly monitored, and technology keeps our houses safe when we’re at work.”
As the technology becomes ever more prevalent, then, so does the likelihood that you’ll encounter it in your investigations. Are you prepared?