The Evolving World of Digital Forensics
Josiah Roloff, EnCE, CCE, CCLO, CCPA, CCME
Roloff Digital Forensics, LLC
Obligatory Background
Began career in digital forensics: 2003
Investigated > 1700 cases
Consulted in > 400 trials
Testified as an expert > 90 times
Education/Certifications
Digital Evidence: The Cat and Mouse Game
A little time goes by…
Our Goals
THE EVOLUTION OF DIGITAL EVIDENCE
GENERAL DIGITAL FORENSIC CONCEPTS
THE CAT AND MOUSE GAME SURROUNDING THE IDENTIFICATION, COLLECTION, AND ANALYSIS OF DATA IN TODAY’S DIGITAL LANDSCAPE
The age-old question: What is digital forensics?
Close…but not exactly what we see on TV…
Digital Forensics is the Art and Science of:
1. Identification
2. Collection/Preservation
3. Analysis
4. Presentation
How do YOU use your digital devices?
What our digital devices' lives (can) say about us…
- Everything we have ever looked at, searched for, written about.
- Every interest we have had, regardless of how fleeting it may (or may not) have been.
- Every communication we have had, or those who have used our devices have had on our behalf or otherwise.
- Every bit of financial information we have looked at, notated, and filed.
- Every journal entry we have created, blog posted to, and feedback provided.
- Every password and set of credentials used to access the most innocuous and sensitive areas of our life…
- Where we travel.
- When we travel.
- How much we exercise…or don’t.
Our #1 Criminal Case Type?
Homicide
But it isn’t just criminal litigation…
Why aren’t all digital forensic examinations equal?
Just like there are different lawyers...
Each person brings their own “special” skills to the equation.
Step 1: Identification
The original
Motorola DynaTAC released in 1984
Feature Phones
Flip phones became popular in the late 90s, and this form factor lasted until the early 2010s.
Question: When was the first text message sent?
Step 2: Collection/Preservation
The process depends on the source(s) of evidence…
Can we gain access to it?
Luckily, we are dealing with humans!
Case Example
ALLEGED WORKPLACE HARASSMENT
- KIK (SNAP, WHATSAPP, ETC.)
- NATIVE TEXT
- PICTURES
WHERE IS THE EVIDENCE?
Kik Content
Phone Content
Service Provider “Kik” Content
Possible Cloud Content?
Where is the evidence?
- Kik content = Phones (both parties), Kik, Cloud Storage Providers
- “Normal” SMS = Phones (both parties), Service Providers, Cloud Storage Providers
- Pictures/Multimedia = Phones (both parties), Kik, Cloud Storage Providers
Why Service Providers?
Because their metadata allows for comparisons…
What if location data is of interest?
Time is always of the essence.
Extractions of Digital Devices
What Happened to “Bit for bit” Forensic Extractions?
Hard Drive Extractions
- Forensic bit by bit copies
- Logical targeted copies
Mobile Device Extractions
- Manual
- Logical / Advanced Logical
- File System / Advanced Logical
- Physical
| LOGICAL   | FILE SYSTEM   | PHYSICAL           |
|-----------|---------------|--------------------|
| SMS       | SMS           | SMS                |
| Contacts  | Contacts      | Contacts           |
| Call Logs | Call Logs     | Call Logs          |
| Media     | Media         | Media              |
| Audio     | Audio         | Audio              |
|           | Files         | Files              |
|           | Hidden Files  | Hidden Files       |
|           | Deleted Files | More Deleted Files |
Mobile Device Extractions
Do I have access to ALL the relevant data?
You must understand your device(s) and the extraction type(s) available…
VISUAL EXAMPLE
Logical vs. Advanced Logical/FS vs. Full File System
“Logical”
“Advanced Logical”
“Full File System”
Let’s Look More Closely…
What kind of data exists on a mobile device?
It depends…
What about deleted data?
It depends…
“Non-Invasive” Extractions
Manual Search of Device
Determine Extraction Type
Pay attention to “Logical”…
Other Indications
Please remember!
Quick Sidebar: What Story Does a File’s Location Tell?
What About Inside the File?
You Can Go Further
You Need More?
But, what about the “Circle Of Confusion”?
Is it an original?
And sometimes, tools just give themselves away…
Why Can’t We Simply Trust the
Chrome Browser Forensics
Invasive Extractions
JTAG
ISP
Chip-Off
Case Examples
The case of the mysterious barnacles
But, what about other options?
Jail-breaking
Super User
Root
How about we…“escalate our privileges”?
Service Provider “Extractions”
Subpoenas
Court orders
User credentials
Recognize this?
They produce this…
NELOS, PCMD, RTT, TrueCall, etc.
Verizon: RTT, EVDO, ALULTE, Levdort
Sprint: PCMD
T-Mobile/MetroPCS: TDOA, Timing Advanced Information, TrueCall
AT&T/Cricket: NELOS, LOCDBOR
Preservation Requests
AT&T/Cricket
Sprint
T-Mobile/MetroPCS
Verizon
Be Aware Of Challenges!
Quiz 1
Network Event Location System (NELOS) data should be requested from which Service Provider:
What about Geofencing?
So, it isn’t just the cellular service providers…?
Where is this information coming from?
A number of places
Embedded GPS Coordinates
“Location Services”
Please tell us more about location services
Google Data
Gmail Account
Date And Time
Location
Display Radius
The Maps Display Radius field reflects an estimated uncertainty value regarding the reported coordinate. Its value depends on a great many factors and is an approximation sufficient for its intended product uses.
Source of Data
Device
Data Retention
Indefinitely – even if the user deletes their data and/or account.
If deleted, the data becomes “anonymized” (Google’s device ID is removed).
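The Display Radius described above is an uncertainty estimate, not a precise position, which is what makes the “alibi” question hard: a point of interest inside the circle cannot be excluded by that record, while a coarse radius weakens any reading. The following is an added illustration (not part of the original presentation or any vendor tool) that measures each record against a point of interest; the record fields, the coordinates, the account name and the 1,000 m coarseness cut-off are all assumptions constructed for the example.

```python
import math

# Constructed sample records modelled on the fields the deck lists for a Google
# location production (account, date/time, location, display radius, source of
# data, device). Every value below is invented for illustration only.
SAMPLE_RECORDS = [
    {"account": "user@example.com", "timestamp": "2023-05-01T21:15:00Z",
     "lat": 44.9778, "lon": -93.2650, "display_radius_m": 25,
     "source": "GPS", "device": "ANDROID-DEVICE-1"},
    {"account": "user@example.com", "timestamp": "2023-05-01T21:40:00Z",
     "lat": 44.9700, "lon": -93.2800, "display_radius_m": 2000,
     "source": "WIFI", "device": "ANDROID-DEVICE-1"},
    {"account": "user@example.com", "timestamp": "2023-05-01T22:05:00Z",
     "lat": 44.8548, "lon": -93.2422, "display_radius_m": 3000,
     "source": "CELL", "device": "ANDROID-DEVICE-1"},
]

EARTH_RADIUS_M = 6_371_000.0
COARSE_RADIUS_M = 1000.0  # assumed cut-off above which a point is treated as coarse


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two latitude/longitude points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def assess_records(records, poi_lat, poi_lon):
    """For each record, measure the distance from the reported coordinate to a
    point of interest and report whether the POI lies inside the Display Radius.
    Inside the circle: the record cannot exclude the POI. Outside: the record is
    inconsistent with the POI. A coarse radius weakens either conclusion."""
    results = []
    for rec in records:
        dist = haversine_m(rec["lat"], rec["lon"], poi_lat, poi_lon)
        radius = float(rec["display_radius_m"])
        results.append({
            "timestamp": rec["timestamp"],
            "source": rec["source"],
            "distance_m": round(dist, 1),
            "within_radius": dist <= radius,
            "coarse": radius > COARSE_RADIUS_M,
        })
    return results


if __name__ == "__main__":
    for row in assess_records(SAMPLE_RECORDS, 44.9778, -93.2650):
        print(row)
```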
Additional Logged Data - Android Example
1. Movements and the likelihood of each (e.g., walking, biking, driving, on mass transit)
2. Barometric pressure
3. Connected wireless networks and their MAC address
4. MAC address, signal strength, and frequency of nearby wireless access points
5. MAC address, identifier, type, and two measures of signal strength of every nearby Bluetooth beacon
6. Charge level of your phone battery and if the phone is currently charging
7. Voltage of your phone’s battery
8. GPS coordinates and elevation of your phone, and its anticipated accuracy
How this looks behind the scenes
Be Aware Of Challenges!
The “alibi”
Additional CSLI Data Points
But wait, there is more…
…and it is only going to get worse…
Summary
Digital media, social networks, cloud computing, cellular phone usage, and people’s reliance on such mediums are not going away.
Technology is only continuing to advance, and the legal arena is always going to be playing catch-up.
Understanding where the technology is and where it is headed is an important first step for conducting the most thorough investigation possible.
Questions?
Contact Information