As part of our ongoing cooperation with the SANS Institute to deliver effective training around mobile device forensic methods, this month we co-sponsored the SANS Survey of Digital Forensics and Incident Response. The survey saw 450+ participants answer questions about what they examine, how they examine it, and what they see as their biggest challenges in those examinations. Among the findings:
The role of different investigative techniques
Filesystem and physical data extraction are the most common tools and techniques used to examine mobile devices. However, interviewing the device owner/user and forensic acquisition of logical data are not far behind. The authors felt that this could indicate a few things:
- An immaturity of tools.
- Immaturity of investigator access to and experience with mobile forensic tools.
- The need for old-school “gumshoe” work in law enforcement and regulatory investigations.
Government investigators were much more likely than non-government respondents to acquire physical or filesystem data. They are also nearly twice as likely as non-government respondents to perform forensic investigations on mobile devices. “This seems to indicate that law enforcement personnel—presumably a large portion of the responding investigators who are employed by government—are as likely to encounter mobile devices in their investigations as not,” the authors wrote.
The immediate need for court-ready mobile evidence
Even so, 62% of respondents have used digital forensics to investigate “HR issues/employee misuse or abuse,” and 40% of respondents investigate employee-owned mobile devices. Concurrently, 57% indicate that they were looking for legal evidence that could hold up in court. This is especially salient given that more than a quarter of the respondents indicated that their main challenges regarding mobile devices are legal issues of ownership and privacy.
“This means applying an appropriate degree of rigor in the collection and management of evidence so that the trustworthiness of the evidence can be defended,” concluded the authors, who also believe that “organizations looking to increase forensic investigation capabilities in nontraditional areas should address mobile platforms first.”
Training and policies need regular review and updates
Forensic training appears to fulfill at least some of the need for skills related to mobile device extraction. The authors concluded, “It may be that ‘dump and image’ of mobile devices isn’t a technical challenge for our respondents. Nevertheless, if use of data recovered by such means is a priority for an organization, it should ensure that the policies surrounding the use of such tools keep pace with their technical advancement”—and with the adoption of new practices and technologies.
The full survey will be released on July 18, together with the SANS webcast, “Digital Forensics in Modern Times.” In the webcast, authors Paul Henry, Jake Williams and Benjamin Wright will join Cellebrite global forensic training director Buddy Tidwell, and other vendor representatives, to discuss the findings in depth. Register for the webcast at the SANS website, and join us on July 18!