Recently we had the chance to sit down with Troy Schnack, a forensics examiner with the Federal Public Defender’s office for the Western District in Missouri, to discuss his take on digital forensics. Troy had submitted a couple of artifacts to our Artifact Exchange and we wanted to talk a bit more about the importance of communities like the Artifact Exchange.
Magnet Forensics: How long have you been with the Public Defender’s Office under the United States’ Judiciary, and how did you get started in Forensics?
Troy Schnack: I have been here 18 years and doing forensics for 15 years now. The majority of the work I do is Child Pornography (CP) cases. Early on, we had a CP case that involved emails – whether they were sent or not. I was the computer systems admin and they came to me to interpret the data that the government had given them. Prior to joining this office, I had worked in private practice as a network systems consultant.
Working on cases with the Public Defender team, it truly feels like we are the last defenders of everyone’s constitutional rights and freedoms.
Magnet Forensics: How did you hear about the Artifact Exchange?
Troy Schnack: I’ve been using Magnet Forensics products for four years now. It’s one of my primary tools – and I use a number of them. Everybody should. When Magnet AXIOM came out, I started playing with it. I love that AXIOM is growing and getting new features. I’ve heralded AXIOM to other people that do defense work in the Federal system.
I think I heard about the Artifact Exchange in a tweet or a webinar, and I really got into the nuts and bolts of the exchange when I went to the Mobile Tech Conference. I attended a session on how to create artifacts.
I wanted to try it out and I found that using XML I could easily create an artifact. The template that Magnet Forensics provides will auto-determine what kind of data you are creating. You say, here’s the app; here’s the database file; here’s the table; here are the fields I want and the field names. It was easy.
Magnet Forensics: You’ve created two artifacts for the Artifact Exchange so far. Tell me about them.
Troy Schnack: One was the Speed Test app, which is popular and it stores some specific data of interest. It logs all the tests you do in perpetuity – gives you date and time, city name, it logs the speed, gives the GPS location of your device when you ran the test. Paired with date and time, that could be really important for a given case.
I wanted the artifact to be of interest and get used, and because of that I submitted it personally. I think most people understand that the defense teams are just doing our job and that double checking the evidence is part of a defendant’s constitutional right, but I wanted the artifact to stand on its own.
The second artifact was for Pulse Secure. It’s used to login to office VPN networks. Although not as popular as the Speed Test app, it can be used to verify that VPN connections have been made in the past, the VPN authentication server and more.
Another helpful point – there were a bunch of artifacts in the Artifact Exchange already that were of interest. It was great to have multiple artifacts out there already, so I could download them and poke around to see how the developers did what they did.
Magnet Forensics: Were there any roadblocks in building the artifacts?
Troy Schnack: The one for the speed test – I had to fix syntax a couple of times, but even with that, I think I corrected it in under an hour. I did use a different tool to browse the SQLite database for the fields I wanted. I used Paul Sanderson’s SQLite Database tools.
All in all, it was an easy process. In the instructions, you can look at the examples to get an idea of the syntax. In the XML templates, there is a final field called “signature” with a lot of code and there’s not a lot of explanation about what that is, and I did wonder what I was supposed to do with it, but I was able to figure it out.
Basically, if you have any computer knowledge at all, it’s really easy. Half of creating something like these artifacts is luck – the luck of having pertinent data to build from.
Magnet Forensics: The digital forensics community is well-known for sharing. Do you think that forums and communities like the Artifact Exchange are helpful?
Troy Schnack: Absolutely. I follow so many people in the digital forensics arena. They constantly post, “Hey found this,” “Hey here’s a new way to look at xyz artifact.” We are all constantly sharing info, articles and research with each other. Take a look at the Forensic Focus website – the forums and people posting there. It’s already a community that’s happy to share knowledge to help each other.
Magnet Forensics: You mentioned above that Magnet Forensics products are part of your toolbox. How important is that approach and how has the Artifact Exchange played into that?
Troy Schnack: If I learned anything from creating these artifacts, it’s that you cannot just push a button and expect the tool to get everything. You have to look into all that geeky hex stuff and dig into those apps and uncover the truth. You may end up building your own artifact, but if you just rely on what a forensic tool gets you, you are missing out.
I will say, to get a little defense-minded quote in here, I like how Magnet Forensics is in search of the truth – whatever that might be. I’ve had four cases where the client was innocent – either an incorrect analysis, or a different party committing the crime. Out of those four, three of them I couldn’t have analyzed as quickly without a Magnet Forensics product to help me.
Magnet Forensics: Well, we like to hear that!
Questions/Comments? Please email Rick Andrade at firstname.lastname@example.org.