Our previous blog covered the reasons why we think file system forensics’ marginal returns are rapidly diminishing, and why we think the process needs to be balanced with a more efficient, artifacts-oriented approach that relies on the file system to verify and validate.
In this blog, we offer the historical context for how we think digital forensics has evolved—and continues to evolve—from a focus on the file system to a focus on the artifacts.
File systems continue to be foundational, of course, underlying everything from smartphones to storage devices like Flash drives and SD cards to the servers that store vast quantities of cloud data. It’s these very variations, however, that make it so necessary to rethink our approach to digital forensics.
The Changes that Smartphones Wrought
The need to capture data from cell phones existed, of course, long before the iPhone’s introduction to the consumer market. Increased storage sizes, removable storage media, and other technology improvements, such as better camera and speaker quality, meant more pictures and video, while basic browser software meant a limited record of internet searches and page visits.
Just as deleted data was a problem for investigators using computers to prove criminal cases, so it was for mobile devices. The ability to create a physical image of a mobile device, thereby obtaining everything on its flash memory chip, including fragments of deleted data, became a major differentiator for mobile forensics tools.
Yet as adoption of mobile devices increased (as we noted in our last blog, more than half of the world’s population now uses a smartphone), traditional, file system-oriented forensics tools had difficulty keeping up. The market for “apps” had exploded, and the more apps were developed, the harder it became for forensic examiners to retrieve evidence from them. App database schemas could differ widely, even within app “families”; each app stored its data differently, and investigators risked missing critical evidence if their forensic tool didn’t map every database field correctly, or failed to recognize that those fields existed at all.
How nimbly a mobile forensics vendor could adapt its product to these rapid-fire changes and distinct differences, along with its ability to bypass device passcodes and recover encryption keys, defined its likelihood of becoming an organization’s primary mobile-forensics tool, used alongside its primary computer-forensics tool.
The Beginnings of the Artifacts-First Approach
Still, many examiners found that their primary tools couldn’t acquire or parse some critical data, even from apps and versions they claimed to support. Whether this was the result of how the app interacted with a particular operating system and handset combination, or some other factor, examiners needed to run physical images through other tools, often a toolbox of freeware or specialty software, to validate whether they had acquired everything stored in device memory.
In other words, orienting the forensic process on the file system was too rigid an approach. It broke down when applied to the unstructured data of web browsers and the many communication channels on a device. By reversing the orientation to focus on artifacts rather than files, forensics could capture both: the structured contents of the file system and the unstructured data of apps and browsers that no fixed schema described.
This was the beginning of an artifacts-oriented approach to forensics. Magnet IEF was found to be particularly useful in this regard, with investigators validating browser and app artifacts from both computers and smartphones.
This ability proved important as investigators in some cases began to rely on iTunes and other smartphone backups stored on computers, and later, as apps and web services increasingly connected across devices. Consumers wanted a seamless experience, and mobile vendors provided it, building apps that synchronized across devices independently of any backup. Evidence that couldn’t be recovered from a mobile device might be recoverable from a synced computer, and vice versa.
In other words, investigators could focus on the fact that criminal activity had occurred, while still showing on which file system the evidence of it resided. Operational and investigative teams that needed quick results in order to act on intelligence could, for the first time, understand forensic artifacts without depending on deep file system knowledge.
As apps continue to move into the traditional computing environment, investigators may find that the traditional file system forensic approach still does well at capturing documents and pictures; an artifact- or app-centric approach, however, puts those pieces of evidence in context by framing them in terms of how people communicate and share information.
From Mobile Devices to the Cloud and Beyond
In fact, this approach will continue to dominate, for several reasons:
- Manufacturers continue to respond to consumer demands for improved privacy and security. Data may reside in encrypted containers on the device, or be stored “in the cloud” on servers outside the investigating agency’s jurisdiction, where obtaining it requires the lengthy, onerous mutual legal assistance treaty (MLAT) process, which can in practice halt the progress of an investigation.
- Compounding this, acquiring data directly from servers in foreign countries is often not viable, since the data may be governed by different privacy laws.
- Data from the Internet of Things (IoT) could be stored in multiple places: on the device itself, on the phone that controls it, and on the servers of the IoT developer. Collecting forensically sound data therefore means collecting artifacts that can be correlated with data from multiple devices, including at least one file system.
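To make the two ideas above concrete, the schema-agnostic parsing from the “Beginnings of the Artifacts-First Approach” section and the multi-device correlation from this one, here is a small added example. It is not code from the original post and not any vendor’s tool. It walks every table of several SQLite app databases without knowing their schemas, classifies cells by content (a number whose magnitude fits a known epoch is treated as a timestamp; strings are scanned for URLs) and merges the results into one timeline that still records which source and table each artifact came from. The three in-memory databases, their table names, timestamps and URLs are constructed sample data, and the epoch ranges in `to_utc` are heuristics chosen for this illustration.

```python
# Added example: schema-agnostic artifact extraction from SQLite app databases,
# merged into one cross-device timeline. All sample data below is constructed.
import re
import sqlite3
from datetime import datetime, timezone

URL_RE = re.compile(r"https?://[^\s'\"<>]+")
COCOA_EPOCH = 978307200       # 2001-01-01 as Unix seconds (Apple/Core Data)
WINDOWS_EPOCH = 11644473600   # seconds from 1601-01-01 to 1970-01-01 (WebKit)


def to_utc(value):
    """Map a bare number to an aware UTC datetime, or None. The magnitude
    picks the epoch and unit: the kind of content-based guess an artifacts
    tool makes when it has no schema documentation for the writing app."""
    if not isinstance(value, (int, float)):
        return None
    v = float(value)
    if 1.2e16 <= v < 2e16:        # WebKit/Chrome: microseconds since 1601
        v = v / 1e6 - WINDOWS_EPOCH
    elif 1e11 <= v < 1e13:        # milliseconds since 1970
        v = v / 1e3
    elif 1e9 <= v < 1e11:         # Unix seconds since 1970 (2001 onward)
        pass
    elif 3e8 <= v < 1e9:          # Cocoa seconds since 2001 (roughly 2010-2032)
        v = v + COCOA_EPOCH
    else:
        return None               # row IDs, counters, sizes, ports...
    return datetime.fromtimestamp(v, tz=timezone.utc)


def q(ident):
    """Quote an SQLite identifier; names come from the evidence db, so untrusted."""
    return '"' + ident.replace('"', '""') + '"'


def extract_artifacts(conn, source):
    """Walk every user table without knowing its schema: a row becomes an
    artifact if any column looks like a timestamp, every string column is
    scanned for URLs, and table/column are kept for traceability."""
    artifacts = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({q(table)})")]
        rows = conn.execute(f"SELECT {', '.join(q(c) for c in cols)} FROM {q(table)}")
        for row in rows:
            record = dict(zip(cols, row))
            stamped = [(c, to_utc(v)) for c, v in record.items() if to_utc(v) is not None]
            if not stamped:
                continue
            artifacts.append({
                "source": source, "table": table,
                "time_column": stamped[0][0], "time": stamped[0][1],
                "urls": [u for v in record.values() if isinstance(v, str)
                         for u in URL_RE.findall(v)],
                "text": {c: v for c, v in record.items() if isinstance(v, str)},
            })
    return artifacts


def build_timeline(sources):
    """Merge artifacts from every source into one chronological timeline."""
    timeline = []
    for source, conn in sources.items():
        timeline.extend(extract_artifacts(conn, source))
    timeline.sort(key=lambda a: (a["time"], a["source"], a["table"]))
    return timeline


def corroborate(timeline):
    """Map each URL to the sorted list of sources it appears on: a URL seen
    on more than one device is evidence recoverable from either of them."""
    seen = {}
    for a in timeline:
        for u in a["urls"]:
            seen.setdefault(u, set()).add(a["source"])
    return {u: sorted(s) for u, s in seen.items()}


def build_sample_sources():
    """Constructed sample data: three in-memory databases with different
    schemas and timestamp conventions (Cocoa, WebKit, milliseconds, Unix)."""
    phone = sqlite3.connect(":memory:")        # iOS-style Core Data table
    phone.executescript("""
        CREATE TABLE ZMESSAGE(Z_PK INTEGER, ZTIMESTAMP REAL, ZSENDER TEXT, ZTEXT TEXT);
        INSERT INTO ZMESSAGE VALUES (1, 540345600.0, 'alice', 'Meet at the usual place');
        INSERT INTO ZMESSAGE VALUES (2, 540349200.0, 'bob', 'see https://example.test/invite');
    """)
    laptop = sqlite3.connect(":memory:")       # synced computer: browser history + sync log
    laptop.executescript("""
        CREATE TABLE urls(id INTEGER, url TEXT, title TEXT, last_visit_time INTEGER);
        INSERT INTO urls VALUES (7, 'https://example.test/invite', 'Invite', 13163128200000000);
        CREATE TABLE sync_log(id INTEGER, device TEXT, synced_at_ms INTEGER);
        INSERT INTO sync_log VALUES (1, 'iPhone', 1518656700000);
    """)
    iot = sqlite3.connect(":memory:")          # IoT vendor's event store
    iot.executescript("""
        CREATE TABLE events(ts INTEGER, payload TEXT);
        INSERT INTO events VALUES (1518655500, 'door unlocked via app; ack https://hub.example.test/ack');
    """)
    return {"phone": phone, "laptop": laptop, "iot": iot}


if __name__ == "__main__":
    tl = build_timeline(build_sample_sources())
    for a in tl:
        print(a["time"].isoformat(), a["source"], a["table"], a["time_column"], a["urls"])
    print(corroborate(tl))
```

Running it lists five artifacts in time order across the three sources and shows the invite URL corroborated on both the phone and the synced laptop, which is exactly the “recoverable from either device” situation described above. Two practitioner caveats: against real evidence, open databases read-only (for example `sqlite3.connect("file:History?mode=ro&immutable=1", uri=True)`) so the tool cannot alter the image, and treat every timestamp the heuristic produces as a lead to verify against the file system, not as a finding in itself.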
The smartphone has proven to be a change agent for so much about people’s daily lives—everything from how we communicate, to how we track our personal data, even to how we shop and maintain our homes. Our smartphones contain data and metadata—artifacts—about how we conduct our everyday lives; in turn, these form patterns which can be crucial to an investigation.
File system-oriented forensic tools and suites still have value for verification and validation. However, because those suites bolted the artifacts-oriented approach onto existing platforms rather than building it in from the ground up, they’re behind the curve.
Being able to focus on the artifacts that matter most therefore gives investigative efforts much greater efficiency and impact. It can help separate relevant from irrelevant, narrow the field of suspects and the timeline of events, and even solve cases more quickly.
This blog is the second of a series of three posts. In our next blog, we’ll talk more about the artifacts-first approach, how it improves the efficiency of the digital forensics process, and why you need both artifacts and file system forensics tools in your kit.
An abridged version of this series, “Artifacts and File System Forensics are a BOTH/AND, Not an EITHER/OR,” first appeared in the inaugural edition of the INTERPOL Digital Forensics Pulse, February 2018.