Making Time for Forensic Curiosity: Digital Forensic Research

We kicked off our series on the importance of being forensically curious last spring—specifically, we talked about the fact that achieving justice depends on that curiosity in a constantly evolving digital landscape.

That said, the time it takes to find the truth can vary widely. How can you make the time to perform the critical validation your cases need, and still have enough time to devote to your other cases? We spoke with Magnet Forensics, Director of Forensics Jessica Hyde and Forensic Consultant Jamie McQuaid to get their thoughts on making the time for digital forensic research.

Caseload Both Impedes and Drives Digital Forensic Research

“In my previous roles I loved doing investigations,” Jamie, a former corporate investigator, says, “but that’s all I had time for. I would finish a case and while I was working on it, three more came up for me. I never had time to do the research or dive as deep as I wanted into a given case.” Jessica adds, “Often, the low hanging fruit will be enough, or will have to be enough, so that you can move on to the next case.”

On the other hand, when it isn’t enough—when the case is a high priority or some other situation that requires a deep dive—that’s the time to ask questions. At that point, Jessica, a longtime forensic investigator, says, “You have to prioritize your research according to the investigation. Ultimately, if something doesn’t seem right or seems to be missing, or you need to prove something, you have to be able to get to the artifacts that support that.” In other words, she says, trying to understand the context of evidence is what leads to research.

The good news is, however, that validation still counts as digital forensic research.  Often examiners need to do research to prove what a result means or how the artifact came to exist.  “That’s important when you don’t understand something and there isn’t published research to explain it, if your go-to tools don’t support the artifacts, or if the device is being submitted as evidence in a case,” says Jessica.  This can be critical when it comes time to testify.

As long as you have a standard testing methodology, she adds (the rest of this series will help you develop one!), you have the chance to document what does and doesn’t work on a new operating system or a new version of a regularly used app, why that is, and what to do about it. “This is why you should always look for new and innovative ways to get to the right haystack to find the needle quicker,” Jessica explains, “so that you can spend more time finding what the commercial tools miss or validating and understanding the results from your tools.”

Making the Time for Digital Forensic Research

“Many examiners do research on their own personal time outside of work hours because they love forensics,” says Jamie, though Jessica cautions a pragmatic approach that depends on the caseload, your overall workload, and of course your personal responsibilities.

While you can’t really “schedule” research when it’s on a case by case basis, Jamie points out, you should work to learn something new each week. One small but essential step for forensic examiners at any level: learn something new each time you look at an artifact, file or operating system, etc. “Even if it’s not groundbreaking research, it will make you a better examiner in the long run,” Jamie says.

Jessica also recommends saving time up front by building a research profile—fake contact information, chats, location data, etc.—and storing it in test iTunes and Google accounts. “That way, when you log into your test device(s) or your emulator, the data will auto-populate from profile to device,” she says.

Finally, getting your lab manager’s buy-in is critical. “Stress that you need the time to verify and validate, and that without doing that, you won’t be secure in your findings,” Jessica advises. “You need to explain that you don’t know what some finding means at this time, and that you need to verify and validate it before you can confidently say what your hypothesis is, so that you can go forward with the research.”

Some managers, especially those who are responsible for more than just digital forensics evidence, may still resist or not fully understand the need. In those cases, Jessica says, try to tie your request back to what they do understand. “For example, you can reinforce the scientific principles of repeatability and reproducibility to lab managers who understand other forensic disciplines, even if they don’t completely understand digital,” she explains.

After the fact, be sure to show the value of your research, not only to your case, but also what it means for other investigations down the road. That could be in the form of time savings, or better evidentiary value, or some other key performance indicator that’s important to your lab manager. You can use this as leverage to obtain buy-in for future time investments in your research.

When Forensic Research Takes You Beyond the Case

Sometimes, even the research you do for cases ends up not being quite enough. Says Jamie, “For me it was either finding something I hadn’t seen before and I couldn’t find research done by others on the same topic, or a topic that I had read about previously but still didn’t understand well enough.”

Jessica offers another example. “I had to understand how the Android Usage Stat Manager’s statistics on battery usage worked for a case,” she explains, “but then I wanted to see what other data it was recording as running in the foreground and background.” She adds: “This can be a great opportunity to go down the rabbit hole to see other things to learn and figure out more that might be of value to a future case.”

In fact, just because something doesn’t appear important now doesn’t mean it won’t be further down the road. “In my current role,” Jamie adds, “it’s a little more proactive, which goes hand in hand with our artifact creation. We add artifacts based not only on customer feedback, but also what is popular out there, hoping that it will help someone in an investigation even if they weren’t looking for that particular app or artifact.”

Seek Ways to Make Forensic Research More Rewarding

Research may not seem like “fun,” so look for ways to make it interesting for you. Jessica recommends identifying at least one new outside project per year to work on. “If you need a timeline to force you to commit, and you’re open to public speaking, submit a proposal paper to a conference,” she says, “which is also a good way to put yourself out there.”

Public speaking can be a good way to help educate other professionals—as Jamie points out, if you don’t understand something, likely someone else out there doesn’t either—but not everyone is open to public speaking. In that case, another way to make it fun is to find someone else to partner with on a research project.

“I’ve buddied up with people who weren’t necessarily coworkers to explore a topic,” says Jessica. “It can be a great way to get research done and to encourage yourself—and other forensic examiners—to explore a previously unexplored area. You can populate data, bounce ideas off each other, mentor a younger professional or learn from a more experienced one. You can try something neither of you have ever done so that you can ask questions and learn from each other.”

Another good way to learn: challenges—like puzzles—done on your own or with your buddy. “These are great because there are different levels within challenges, and they can let you know where you’re at,” says Jessica. “Older challenges like the ones from the Naval Postgraduate School (NPS) can help get you caught up. Even if you work on a challenge on older systems, say a Windows XP system from 2009, you’re still building the same mental methodology of building confidence and basic skills towards ultimately participating in challenges like Capture the Flag at a B-Sides event, or a SANS NetWars tournament.” (For other challenges, see lists at Forensic Focus, AmanHardikar.com, and the SANS Institute.)