Earlier this week at the Washington Hilton in the US capital, we joined the SANSFIRE conference for a Lunch & Learn and Tuesday’s exhibit. Our visitors, most of whom were very familiar with UFED tools, asked many questions about deleted data, encryption, and other advanced topics at both events.
On Monday, our Lunch & Learn presented Smartphone Drill-Down: OS Extraction, Decoding & Analysis. Forensic engineering product manager Ronen Engler took his audience through locked devices, encrypted and deleted content, databases, and applications, which are just some of the complications investigators may encounter when examining a smartphone.
Participants asked a lot of questions during the hour, mainly regarding deleted data. What can be recovered? In what cases is deleted really deleted (including when a phone has been wiped)? What about encrypted data and deleted encrypted data?
Ronen has answered these questions and discussed related issues in two recent articles: “6 Persistent Challenges with Smartphone Forensics” from DFI News, and “Smartphone Overload” from Law Enforcement Technology (note: this article starts on page 44 of LET’s digital edition).
We’ll be rejoining SANS at the SANS DFIR Summit in Austin, Texas in just a few weeks. There, we’ll be offering a second Lunch & Learn about our new UFED Link Analysis software and how it can help narrow and focus investigations. We hope we’ll see you in Austin!