Our previous two blogs covered why we think the marginal returns of file system forensics are rapidly diminishing, and the changes in consumer electronics that continue to drive the need for digital forensics to focus on artifacts and the apps that produce them.
In this final post, we discuss how the artifacts-oriented approach lets examiners get a sense for the user, save time, and still validate findings in the file system. We also show how it helps examiners share targeted, visualized results with reviewers, especially those who in turn apply the results of forensic examinations to investigations and trial preparation.
Getting a Sense for the User
Experienced forensic examiners like to use file system tools to understand user habits: programs, apps, and files they use regularly; times of day and days of the week when they’re most and least active; and how they work with digital data.
As we wrote in our first blog in this series, however, this approach is best reserved for limited circumstances: the verification and validation of data in cases heading for trial, and certain specific case types, such as investigations of child abuse materials, where a recursive view of image sizes and types is needed.
Data volumes keep increasing, but case timetables and lab capacity do not. Neither experienced nor new-to-the-field examiners always have the resources or time to explore each and every file system the way they might have even five or ten years ago. How can examiners learn user habits in compressed periods of time?
Tools that zero in on a person's most used apps, most frequently messaged or called contacts, most often visited locations, and so on deliver the same important information in a fraction of the time it would take to carve those artifacts out of a computer or mobile device file system.
By focusing on artifacts, and combining file system elements with artifact elements so that an artifact can be either a whole file or a piece of a file, examiners can explore data from multiple devices simultaneously, building a picture of habits across devices far faster than they could going one file system at a time. Beyond communication frequency, filters on these artifacts let examiners zoom in on specific dates, keywords, and artifact types.
This is, critically, a highly visual process: dashboards, link maps, geographical maps, and timelines show at a glance what examiners most need to know. Just as critically, it still allows you to drill down to the file system level when necessary, to prove where a piece of evidence resides on a device.
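As an added illustration (not code from the original post or from any vendor's tool), the following Python sketch shows the data model that makes the above work: every artifact record carries the device, source file and record offset it was extracted from, so cross-device frequency summaries, keyword and date filters, and the drill-down back to the file system are all operations over the same records. The two device images, file paths, contacts, message contents, timestamps and offsets are constructed for the example, and timestamps are assumed to have been normalised to UTC at extraction time.

```python
"""Artifact-first triage across two evidence images (constructed sample data).

Every record keeps file-system provenance (device, source file, record offset),
so any summary or filtered view can be traced back to where the evidence sits
on the device. Timestamps are assumed to have been normalised to UTC during
extraction; hour-of-day and frequency summaries are meaningless otherwise.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional


@dataclass(frozen=True)
class Artifact:
    device: str             # evidence image the record came from
    app: str                # application that produced it
    kind: str               # message, call, location, web, image ...
    timestamp: datetime     # UTC
    contact: Optional[str]  # counterparty, if the artifact has one
    content: str            # text, URL, place name, file name ...
    source_path: str        # file on the device that holds the artifact
    offset: Optional[int]   # row/record id inside that file; None when the artifact is the whole file


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample data: a phone image and a laptop image from the same user.
# Paths mirror the usual locations of the iOS SMS/CallHistory, Skype and Chrome
# stores; contacts, contents, timestamps and offsets are invented for the example.
SMS_DB = "/private/var/mobile/Library/SMS/sms.db"
CALL_DB = "/private/var/mobile/Library/CallHistoryDB/CallHistory.storedata"
MAPS_DB = "/private/var/mobile/Library/Maps/History.mapsdata"
PHOTO = "/private/var/mobile/Media/DCIM/100APPLE/IMG_0042.JPG"
SKYPE_DB = "C:/Users/j/AppData/Roaming/Skype/live_j/main.db"
CHROME_HIST = "C:/Users/j/AppData/Local/Google/Chrome/User Data/Default/History"

ARTIFACTS = [
    Artifact("phone01", "Messages", "message", parse_ts("2018-01-08T22:15:00"), "+15550100", "Meet at the warehouse tomorrow", SMS_DB, 4412),
    Artifact("phone01", "Messages", "message", parse_ts("2018-01-09T07:40:00"), "+15550100", "Running late", SMS_DB, 4413),
    Artifact("phone01", "Phone", "call", parse_ts("2018-01-09T08:05:00"), "+15550100", "", CALL_DB, 77),
    Artifact("phone01", "Phone", "call", parse_ts("2018-01-10T21:30:00"), "+15550199", "", CALL_DB, 78),
    Artifact("phone01", "Maps", "location", parse_ts("2018-01-09T09:10:00"), None, "Dock Rd warehouse", MAPS_DB, 12),
    # A whole-file artifact: the photo itself is the evidence, so there is no offset.
    Artifact("phone01", "Photos", "image", parse_ts("2018-01-09T09:12:00"), None, "IMG_0042.JPG", PHOTO, None),
    Artifact("laptop01", "Skype", "message", parse_ts("2018-01-08T22:50:00"), "+15550100", "warehouse keys are in the van", SKYPE_DB, 901),
    Artifact("laptop01", "Skype", "message", parse_ts("2018-01-11T23:05:00"), "+15550150", "see you friday", SKYPE_DB, 902),
    Artifact("laptop01", "Chrome", "web", parse_ts("2018-01-08T22:05:00"), None, "https://maps.example/warehouse", CHROME_HIST, 3301),
]


def top_contacts(artifacts: Iterable[Artifact], n: int = 3) -> list:
    """Most frequently messaged or called counterparties, counted across all devices."""
    return Counter(a.contact for a in artifacts if a.contact).most_common(n)


def activity_by_hour(artifacts: Iterable[Artifact]) -> Counter:
    """Artifacts per hour of day (UTC), across all devices."""
    return Counter(a.timestamp.hour for a in artifacts)


def busiest_hour(artifacts: Iterable[Artifact]) -> int:
    hour, _ = activity_by_hour(artifacts).most_common(1)[0]
    return hour


def filter_artifacts(artifacts: Iterable[Artifact], start: Optional[datetime] = None,
                     end: Optional[datetime] = None, keyword: Optional[str] = None,
                     kinds: Optional[set] = None) -> list:
    """Targeted view: inclusive date window, case-insensitive keyword, artifact kinds.
    Results are sorted by time so they drop straight onto a timeline."""
    kw = keyword.lower() if keyword else None
    hits = [a for a in artifacts
            if (start is None or a.timestamp >= start)
            and (end is None or a.timestamp <= end)
            and (kinds is None or a.kind in kinds)
            and (kw is None or kw in a.content.lower())]
    return sorted(hits, key=lambda a: a.timestamp)


def provenance(a: Artifact) -> str:
    """Drill-down pointer an examiner can open in a file system tool: device, file, record."""
    loc = f"{a.device}:{a.source_path}"
    return loc if a.offset is None else f"{loc}@{a.offset}"


def drill_down(hits: Iterable[Artifact]) -> list:
    return [provenance(a) for a in hits]


if __name__ == "__main__":
    print("top contacts:", top_contacts(ARTIFACTS))
    print("busiest hour (UTC):", busiest_hour(ARTIFACTS))
    day = filter_artifacts(ARTIFACTS, parse_ts("2018-01-08T00:00:00"),
                           parse_ts("2018-01-08T23:59:59"), keyword="warehouse")
    for a in day:
        print(a.timestamp, a.app, repr(a.content), "->", provenance(a))
```

The counts are only as good as the parsers that produced the records (an app store that no parser covers simply does not show up in the dashboard), which is exactly why each hit keeps its provenance pointer: that is what lets the examiner open the source file in a file system tool and confirm the row, or the whole file, is really there before it goes into a report.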
Making Collaboration Easier
The visual, high-level nature of the artifacts-oriented process also makes it easier for you as an examiner to communicate with other stakeholders in the investigation. Investigators, attorneys, supervisors, and others lack the time to pore over technical reports detailing the ins and outs of ever larger data volumes; they need non-technical overviews to help build cases, with you supplying the relevant context as needed. Jurors likewise need to understand what the evidence means at their level.
Another side benefit of collaboration is that it reduces the risk of human error. Investigators, examiners, and even attorneys who can ask and answer questions back and forth are more likely to spot inconsistencies when they occur, and the ability to surface data from databases that might previously have been overlooked helps identify case theories much more quickly.
In the broader digital forensics toolbox, having both artifact tools and file system tools encourages a better balance between speed and accuracy, promoting higher quality investigations overall. It encourages forensic examiners to work more closely together with investigators and other stakeholders, and provides better accountability for everyone involved with a case—which ultimately paves the way for speedier, sounder justice.
This blog concludes a series of three posts on the benefits of an artifacts-oriented approach to digital forensics.
An abridged version of this series, “Artifacts and File System Forensics are a BOTH/AND, Not an EITHER/OR,” first appeared in the inaugural edition of the INTERPOL Digital Forensics Pulse, February 2018.