File System Forensics: No Longer the Gold Standard? Part 1
Digital forensics has relied on the file system for as long as hard drives have existed. The structures associated with File Allocation Tables (FAT), the New Technology File System (NTFS), Extended File System (EXT), and other file systems—as well as the partitions within—could be mined for file metadata, carved for deleted files, and accessed to validate results.
For more than a decade, this process was considered the gold standard for digital forensics. Keyword searches became particularly important in triaging a hard drive to get a sense for a computer user’s habits and activities, and to learn whether certain images, filenames, or other items of interest existed. From there, examiners could develop additional keywords and filters with which to perform deeper dives.
Automated forensic analysis tools, or “forensic suites,” adapted in response to these requirements, especially as hard drives grew progressively larger and began to store far more data. As digital storage media evolved past standard hard drives, however—to include mobile device flash memory, cloud-based media, and others—traditional forensic suites, and their users, have struggled to keep up. Consider:
- PC Magazine notes that “500GB is considered a ‘base’ hard drive in 2017,” with sizes ranging from 128GB for “lower-priced SSD-based systems” to 1-4TB for higher-end multimedia systems.
- Last year, EETimes reported, “The volume of unstructured data exploded in the past decade and half…. And IBM found that humans now create 2.5 quintillion bytes of data daily; that’s the equivalent of about half a billion HD movie downloads.”
- According to the January 2017 Digital in 2017 Global Overview report from We Are Social and Hootsuite, nearly 2.8 billion people were active social media users, with more than 90 percent of those accessing social media via mobile device. More than half of the world’s population now uses a smartphone, with 4.9 billion active users; more than half of the world’s web traffic now comes from mobile phones.
- In April 2017, Forbes reported that hybrid cloud adoption grew 3X in the last year, increasing from 19% to 57% of organizations surveyed, and that within 15 months, 80% of all IT budgets would be committed to cloud solutions. Meanwhile, Statista reports that the number of consumer cloud-based service users worldwide grew by more than one billion between 2013 and 2018; approximately 3.6 billion internet users are projected to access cloud computing services this year.
What the Statistics Mean for Investigations
Overall crime rates may fluctuate, even steadily drop, but crime never goes away—and, as Detective Inspector Eric Halford, digital media and cyber investigation unit manager at Lancashire (United Kingdom) Police, was quoted as saying in July 2017: “The Internet is part of everyday life and you can’t avoid it and criminals are using it in almost every type of crime there is.”
Across the pond in Maryland that same month, state police reported a 10-month backlog of digital media from around the small state. Det. Sgt. John Linton, assistant commander of the technical investigations section, was quoted as saying that the four forensic examiners who work for him take on 15 new cases per month, prioritizing “homicide, rape or cases involving children who are in immediate danger” and handling the rest in the order they arrive. The result: a 40 percent increase from 2016 to 2017, with both cases and pieces of digital media more than doubling since 2012.
It isn’t just acquiring and processing more forensic data that’s a challenge; it’s also interpreting and using it, or more specifically, helping others—investigators, supervisors, attorneys, and other stakeholders—to understand the findings and apply them towards building cases.
With labs unlikely to be able to budget to hire new examiners, forensic examinations remain bottlenecked, straining both examiners and their stakeholders. Under these conditions, no matter how well trained, skilled, or confident examiners are, the risk of human error rises—and with it, the risk of more criminals walking free.
Some solutions claim to be able to process high data volumes. However, they can be unwieldy, difficult to implement, and expensive. They aren’t a good option for small forensic labs with only one or two examiners. Nor, because they’re designed for labs, do they promote collaboration with broader investigative teams.
The end goal—a way to quickly and easily get actionable evidence and/or intelligence into investigators’ hands so that they can follow up leads and build cases—increasingly demands changes to both process and operations.
File System Forensics is Only One Part of the Right Approach
File system forensics remains a critical underpinning to the overall process; it is, and should remain, foundational to the process of verification and validation, a necessary part of the digital forensic toolbox. In some specific types of cases, such as investigations of child abuse materials, the file system-oriented approach additionally offers a recursive view where filtering by image size and type is valuable.
However, file system forensics—going storage device by storage device—has become an inefficient process, too unwieldy to serve as a starting point. It demands a technical skill level that too few organizations have the time or resources to develop in their personnel.
For standard cases, when examiners can allow a tool to take several hours or even overnight to process high data volumes, or when the focus is on a victim’s or suspect’s mobile device(s) and/or cloud-based accounts, a different method is needed to start forensic examinations off on the right foot: one that recovers data in a forensically sound manner and in a format which can be more quickly analyzed and reported on by more stakeholders.
Rather than think in terms of “primary” and “secondary” tools, then, we’d like to challenge examiners to think seriously about adjusting their focus to include investing in both an “artifact tool” and a “file system tool.”
Either one can be an examiner’s “go-to” or “primary” tool on any given case depending on case characteristics, as well as which method most effectively meets their operational objectives—not the lab’s budget or the perception about the tools accepted in courts.
This blog is the first of a series of three posts. In our next blog, we’ll talk a little bit about the changes in devices, data, and forensic methodology that have led to the need for an artifacts-oriented approach. To get updates via email, subscribe in the sidebar to the right!
An abridged version of this series, “Artifacts and File System Forensics are a BOTH/AND, Not an EITHER/OR,” first appeared in the inaugural edition of the INTERPOL Digital Forensics Pulse, February 2018.