Cellebrite Spotlight: Interview with Director of the Research Group, Shahar Tal, Cellebrite


Shahar Tal – Director of the Research Group at Cellebrite –  has built an extensive and impressive career within the realm of R&D. Hailing from an elite military background, Shahar in his current role oversees Cellebrite’s research efforts to provide extraction-enabling solutions – for all devices of interest, including the most complex and challenging.

Read up on his career highlights, opinions on Cellebrite’s future in digital forensics as well as advice to newbies entering this technological sphere.

Have a question for Shahar? Leave us a comment below!

Shahar, you are the Director of the Research Group at Cellebrite. Tell us a bit about your role. What does a day in your life look like? 

In my role, I am responsible for Cellebrite’s research efforts to provide extraction-enabling solutions for all devices of interest. This core role within the company helps define what our products and services can do. Our unmatched research is one of our strongest differentiators, creating high expectations among our customers and colleagues. My job is to ensure that we continue developing unique capabilities to match these expectations. Luckily, I have several research teams made up of top talent that are dedicated to the task in each different research domain. They deserve a lot of the credit for the technical breakthroughs achieved at Cellebrite.

What does a typical day at the office look like?

Hectic – with dozens of ongoing research projects in various stages! One moment, you may hear cheers and excitement from one of the rooms, where researchers successfully discovered a new extraction method for a previously unsolved device; the next moment, you take part in a critical design review for the next UFED version, while simultaneously reviewing open issues and feature requests for five other projects. After lunch, I usually interview several candidates to join the research team, and then round-up the team for a weekly follow-up of progress and status.

The most gratifying moments are when we receive customer feedback that praises both our technology and efforts, which enable them to solve a critical case that may happen to appear all over the news that week. This feedback is significantly rewarding, and contributes to the drive and motivation behind our work every day.

Can you tell us a little bit about what first sparked your interest in digital forensics? 

I am still a newcomer to the digital forensics field, and I learn from the experts and my peers at Cellebrite every day. Coming from a research background, my introduction and continued involvement in the digital forensics arena are incredibly interesting. I think it is crucial for a researcher to understand the needs and concerns of the end user, and that is why I personally follow and often respond in community forums and mailing lists.

Shahar, you hail from a military background. I can imagine that this is quite different from work in the private sector. Can you tell us how working in the private sector compares with military life?

I have a history in elite army R&D units, and in many ways these years have provided the best training possible – by shaping the nature of my work and sharpening my skill sets. Working under tight schedules in an environment where product performance and reliability are absolutely critical, helps you sharpen your instincts and prioritize tasks accordingly. I am also delighted to have had the opportunity to work with some of the best talents in the world on extremely challenging projects.

When comparing, I find that the private sector brings many new aspects into play – where cooperation and outbound communication are legitimate and important facets of your role. I enjoy taking part in and interacting with the research community; I regularly attend and sometimes speak at conferences around the world. I welcome potential collaboration opportunities and keep an eye out for new developments in the field.

This year has been a big year for Cellebrite’s technologies. Which current trends in forensic computing particularly interest you, and what new challenges do you foresee in the future?

I believe the challenges of encryption are strongly influencing the forensic landscape already, and will continue to do so in the coming years. Full Disk Encryption has easily been the most significant mobile forensics game-changer since last year, in effect rendering chip-off/JTAG/ISP methods useless in all new devices. This landscape shift leaves on-device unlocking capabilities as the only alternative. Fortunately, this is where Cellebrite, as the forensics research leaders, have excelled throughout the years.

I also expect that we will continue to see device manufacturers implementing more layers, mechanisms and obstacles, further challenging evidence extraction. We see this today and witness the difficulty and resources invested per solution – which is increasing steadily.

And, moving forward – what does the future hold for Cellebrite? What can we expect to see over the next year or so? 

Cellebrite is making great strides in providing a complete digital intelligence portfolio. Our dominant extraction capabilities are only where it begins, and I think many law-enforcement and intelligence investigative practitioners will be excited about what’s coming next.

I expect to see us maintain our leadership in device unlocking services – being the first to provide the technology to unlock a newly released device, while simultaneously seeing our analytics platforms integrate into many agencies’ processes and infrastructure.

I think that we definitely have the ability to change people’s perspectives when it comes to mobile forensics. That is, to make people realize that a locked device is not a dead-end road, and that they can turn to Cellebrite – who can help them recover the most available data possible from locked as well as encrypted iOS and Android devices.

As you stated, you are a newbie of sorts to digital forensics. Do you have any advice for individuals who are just starting out in their digital forensics career? 

Be prepared for a rapid rate of change, and understand extraction challenges. Digital forensics is no longer restricted to decoding and analysis of data – examiners and responders from the lab to the field should have a deep understanding of what is possible to extract and under what conditions. Stay involved, read about technology and security research news, be prepared to learn something every day – this will give you an edge in a field where you can never learn enough.

Finally, when you’re not working, what do you like to do in your spare time? 

I enjoy spending time with my family, reading books and playing puzzle games with my young daughter. I am a serious basketball fan and a less-serious, mediocre player – on good days. My favorite team since childhood is Hapoel Jerusalem… and occasionally you may find me waking up at 03:00 AM to watch NBA matches.


Follow Shahar on Twitter: @jifa

Speed Cloud Data Extractions from Anywhere

In our socially-driven world, it’s not surprising that Facebook, Kik and Instagram posts, as well as other cloud data sources have the power to break criminal cases wide open. The challenge for forensic examiners is getting to that data quickly. Together with mobile device data, these sources often capture the details and critical connections investigators and prosecutors need to solve a wide variety of crimes. UFED Cloud Analyzer, the first tool of its kind, removes the roadblocks and red tape involved in getting access from cloud service providers, reducing valuable time and cost to investigations.

“Social media data is a headache to access from application providers, but is so critical now to forensics investigations,” said Sgt. Andrew Weaver, Hartford, Conn., Police Department. “It can take months to receive data with a warrant, and then when we do, it’s challenging to review and uncover pertinent details – not to mention time consuming. UFED Cloud Analyzer gives us access to this data quickly so we don’t lose valuable investigation time waiting.”

Part of the UFED Pro Series, this exclusive and powerful investigative tool automatically collects both existing cloud data and metadata without the need for credentials, because the tool impersonates the phone in order to perform the extraction. It then packages this data in a forensically sound manner, either in the field or the lab. This allows investigators to search, filter and sort data to quickly identify “Who?, When?, Where?” details to speed investigations from anywhere.

Extraction Criteria Definition

UFED Cloud Analyzer Retrieved Google Location Data as Key Evidence for an Investigation

The forensic practitioners already using this new tool are not only reaping its considerable rewards, but singing its praises.

“While assisting a local law enforcement agency with a recent criminal investigation, we were able to utilize Cellebrite UFED Cloud Analyzer to remotely collect Google location data pursuant to a search warrant,” said Jim KempVanEe, Director of Digital Forensics, LogicForce Consulting, Nashville, Tenn. “Within minutes of collecting the location data, we were able to confirm for the investigators that the suspect’s phone was within feet of the 12-year-old victim’s home and was able to trace the suspect’s movements after he left the scene. All of this while another search warrant for location data sat idle at Google waiting to be processed. Great tool – thank you Cellebrite!”


Extract Insights Faster with New, Faster Capabilities

In the latest release of this tool, the capability to decode a cloud data account package from an Android device via a logical extraction just got even faster and more actionable. Investigators can now decide upfront which data should be extracted, selecting specific files and directories from cloud storage services including Google Drive and Dropbox. You can also now select a specific portion of email messages to access – headers only, headers and body without attachments, etc., helping to reduce investigative cycles.

Other key enhancements include the ability to:

  • Extract detailed location information from a suspect or victim’s private Google Location History, stored on Google cloud servers, allowing investigators to track all timestamped movements minute by minute
  • Track and analyze a suspect’s Facebook Likes and Events to get a better understanding of a suspect or victim’s interests, opinions and daily activities
  • Gain access to more Twitter connections, including pending requests either requested or received, to dive deeper into a suspect’s relationships
  • Reveal changes and/or discrepancies in images, videos and files stored in Google Drive and Dropbox

To learn more about how the UFED Cloud Analyzer and the UFED PRO Series can help you solve more cases quickly and accelerate investigations by gaining instant access to cloud data, contact your Cellebrite sales representative or visit http://www.cellebrite.com/Mobile-Forensics/Applications/ufed-cloud-analyzer


3 Reasons to Vote for Cellebrite for a 2015 Forensic 4:Cast Award

For as long as the Forensic 4:cast Awards have existed, Cellebrite’s UFED tools have been named Phone Forensic Tool of the Year. Being nominated among some of the greatest products in the industry, we couldn’t be more proud that the forensic community recognizes our continuing efforts to deliver the best, most innovative and functional mobile forensic tools for seven years running.

Thanks to you, Cellebrite’s nominations include:

  • UFED Touch for phone forensic hardware of the year
  • UFED 4PC for phone forensic software of the year
  • Digital forensic organization of the year

Will you vote for us this year? Here are a few reminders why Cellebrite deserves the Forensic 4:cast Awards.

1. We’ve got your back.

Cellebrite has always been known for its breadth of support for new devices, but in 2014 we deepened our support for both smartphones and the apps installed on them. We improved our automated decoding, so you can spend more time analyzing data than figuring out how to decode it; brought our device profile support up to more than 14,000; and added decoding support for 25 prepaid Android devices—including Tracfone models that stumped investigators for years.

2. We make data analysis as simple or as complex as you need.

The visual analytics we include in tools like UFED Physical/Logical Analyzer and UFED Link Analysis give you a basic, at-a-glance look at key people, places, and communications via Project Analytics, Timelines, Maps, and Graphs. These help you immediately visualize your data and focus on only that which is most relevant to your case.

When you need to get “into the weeds” with the data—at the device memory level—you can do that too. Locate, carve, and validate data using advanced search functions like regular expressions and searches for strings, dates, codes, numbers, ICCID, SMS formats, etc., and import your JTAG and chip-off extractions into UFED Physical Analyzer for decoding.

3. We give you the tools you need not just to extract and analyze the data, but also to testify about your process with confidence.

Tools with as much functionality as ours deserve investigators who can put them to good use, so in 2014 we stepped up our training and certification program. We are now the first and only digital forensic vendor to deliver courses not only in person, but also online, and more than 4,000 practitioners earned their Cellebrite certifications through the end of 2014.

Vote for us today!


Balancing data actionability with forensic soundness

The ability to extend mobile evidence collection capabilities into the field has a great many benefits. Reducing costs associated with overtime, outsourcing, and diminished forensic lab productivity renders a field-based solution an investment rather than an additional cost. Reducing the risk of human error in data analysis is attractive, too, as automated tools help to improve field-level decision-making about cases.

Even so, decentralizing mobile forensics also carries its own risks. Will field personnel handle mobile device evidence the right way, including securing proper legal authority? Will they follow policy and standard operating guidelines when it comes to extracting and preserving mobile device evidence?

The legalities around field-based mobile device extraction have yet to be determined in many countries, but authorities can ensure compliance with organizational policy and overall forensic best practices by using permission management and auditing features. These kinds of capabilities take into account that not everyone needs the same level of access to mobile device evidence, depending on the types of cases they are investigating as well as the offense severity.

With the UFED Field Series, as well as the UFED Pro Series, permission management functionality allows agency administrators to define and configure user authentication settings to ensure that only users with the right credentials can access the application. An encrypted permission management file that contains usernames and profiles can be imported into multiple UFED InField applications.

Not only credentials, but also extraction privileges can be assigned. Certain investigators may be able to have access only to logical and SIM card extractions, while forensic lab examiners can access full physical extractions as well.

In addition, administrators can define content types available from logical extractions. Some investigators may be granted extraction permissions only for images and videos, for example, while others can access messaging in addition to images and videos.

These privileges can be based on user roles and/or training and certification levels. For example, investigators who have received the Cellebrite Certified Logical Operator (CCLO) or the Cellebrite UFED Field Operator (CUFO) certifications, or completed the coursework without receiving the certifications, can be assigned as many or as few extraction privileges as an administrator deems necessary for their role.

On the flip side of granting access to mobile extractions and data is tracking what the logged-in users do once they’re in the system. With UFED InField, an activity log maintains a list of all transactions including extraction start and end times; transaction type, duration, and status; device owner, vendor, model, and name; case ID and crime type; and who seized the device. Administrators can use this log to audit usage and ensure accountability among users.
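The permission and audit controls described above (credential checks, per-role extraction privileges, content-type restrictions on logical extractions, and a transaction log) can be modelled as a deny-by-default authorization check whose every decision, allowed or denied, lands in an audit trail. The following is an added illustration, not Cellebrite’s code, and it does not reproduce the UFED InField permission file format or its activity log; the role names, users, device and case values are constructed for the example.

```python
"""Hypothetical role-based extraction authorization with an audit trail.

Illustrative only: the roles, users and log fields below are constructed
and are not the UFED InField permission-management file or activity log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional

# Extraction types ordered from least to most invasive, and the content
# types a logical extraction can be limited to.
EXTRACTION_TYPES = ("sim", "logical", "physical")
CONTENT_TYPES = ("images", "videos", "messages", "call_logs")


@dataclass(frozen=True)
class Role:
    name: str
    extractions: FrozenSet[str]  # extraction types this role may start
    content: FrozenSet[str]      # content types a logical extraction may return


# Constructed role profiles modelled on the post's examples: field users get
# logical/SIM only, with a content filter; lab examiners get everything.
ROLES: Dict[str, Role] = {
    "field_investigator": Role("field_investigator",
                               frozenset({"sim", "logical"}),
                               frozenset({"images", "videos"})),
    "detective": Role("detective",
                      frozenset({"sim", "logical"}),
                      frozenset({"images", "videos", "messages"})),
    "lab_examiner": Role("lab_examiner",
                         frozenset(EXTRACTION_TYPES),
                         frozenset(CONTENT_TYPES)),
}

# Constructed user-to-role mapping standing in for an imported permission file.
USERS: Dict[str, str] = {
    "ofc_smith": "field_investigator",
    "det_jones": "detective",
    "ex_lee": "lab_examiner",
}


@dataclass
class AuditEntry:
    """One transaction record; field names follow the post's list of logged items."""
    user: str
    extraction_type: str
    content: FrozenSet[str]
    status: str          # "completed" or "denied"
    reason: str          # empty when allowed
    device: str
    case_id: str
    crime_type: str
    seized_by: str
    started: datetime
    ended: datetime


class AuditLog:
    def __init__(self) -> None:
        self.entries: List[AuditEntry] = []

    def record(self, entry: AuditEntry) -> None:
        self.entries.append(entry)

    def by_user(self, user: str) -> List[AuditEntry]:
        return [e for e in self.entries if e.user == user]


def check_permission(user: str, extraction_type: str,
                     content: FrozenSet[str]) -> Optional[str]:
    """Return None when the request is allowed, otherwise a denial reason.

    Unknown users and unknown extraction types are denied, so a missing
    entry in the permission file never grants access by accident.
    """
    role_name = USERS.get(user)
    if role_name is None:
        return "unknown user"
    role = ROLES[role_name]
    if extraction_type not in EXTRACTION_TYPES:
        return f"unknown extraction type {extraction_type!r}"
    if extraction_type not in role.extractions:
        return f"role {role.name} may not start {extraction_type} extractions"
    if extraction_type == "logical":
        excess = content - role.content
        if excess:
            return f"role {role.name} may not extract {sorted(excess)}"
    return None


def request_extraction(user: str, extraction_type: str, content: Iterable[str],
                       device: str, case_id: str, crime_type: str,
                       seized_by: str, log: AuditLog) -> AuditEntry:
    """Authorize a request and log the outcome; denied attempts are logged too."""
    started = datetime.now(timezone.utc)
    wanted = frozenset(content)
    reason = check_permission(user, extraction_type, wanted)
    status = "denied" if reason else "completed"
    # A real tool would run the extraction here; this model records the decision only.
    entry = AuditEntry(user, extraction_type, wanted, status, reason or "",
                       device, case_id, crime_type, seized_by,
                       started, datetime.now(timezone.utc))
    log.record(entry)
    return entry
```

Logging the denied attempts alongside the completed ones is what makes the log useful for the accountability audit the paragraph describes: an administrator can see not only what each user extracted but also what they tried to extract beyond their role.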

The UFED Field Series solutions promote the treatment of mobile devices as crime scenes, so that the evidence they contain is fully preserved from seizure all the way through search and analysis. It offers organizations the “technology” component of a three-pronged approach that Cellebrite encourages towards implementing legally defensible field-based extractions for personnel who do not specialize in mobile forensics. By combining the UFED Field Series with training, policy, and standard operating guidelines*, organizations can reduce risk while meeting the need for improved access to actionable mobile device data in the field. To learn more, download our solution brief today.


*We recommend you work with your prosecutors and administrators to develop policy and appropriate training, including processes for obtaining written consent and search warrants (either traditional or electronic, if your jurisdiction allows).

Introducing Cellebrite’s new mobile forensics solutions for lab and field

Today we’re excited to launch two new ways for law enforcement, military, and private-sector investigators to approach investigations. Our suite of mobile forensic solutions relies upon tried-and-true, flagship UFED technology together with a couple of newcomers designed to unlock the intelligence of new and disparate mobile data sources and extend investigative capabilities to the field so that actionable information can be qualified and shared quickly.

The new offerings are founded upon insights gleaned in our recent mobile forensics trends and predictions survey. Among them, 60% of respondents indicated that more data stored off the device and on the cloud was of major concern to them, while 80% of respondents reported experiencing some level of device backlog in the last year.

The UFED Pro Series, designed for forensic lab practitioners, and the UFED Field Series, designed for field personnel, each respond to those and other concerns by optimizing data extraction and analysis capabilities by role—and unifying investigative workflows between lab and field.

In other words, field-level investigators now have a way to obtain a simple data preview capability, enabling them to access actionable data without having to wait for a lab, while lab-level investigators can use specialized tools to tackle a larger swath of visible, hidden, deleted, and cloud-based private data, when a situation demands.

The UFED Pro Series comprises Cellebrite’s flagship UFED Ultimate together with UFED Link Analysis and, when appropriate, the all-new UFED Cloud Analyzer in two solution sets: UFED Pro CLX and UFED Pro LX. The integration allows examiners to unify disparate data for easier analysis, helping to bring key insights to the surface quickly.

The UFED Field Series – an integrated software and hardware solution comprising UFED Field IX and UFED Field ILX – allows field-level personnel to perform simple, efficient data extractions onsite via in-car workstations, laptops, tablets, or our new secure, self-service UFED InField Kiosks at stations or other locations. This frees forensic specialists to move beyond basic evidence collection and focus on more complex analytical work.

Both solution sets include user and data management controls that forensically preserve evidence, maintain chain of custody through the unified workflow, and promote device owner privacy by filtering data by date, time, and/or content types to focus only on what’s most relevant to an investigation.

Learn more in our press releases about the new UFED Series solutions, including the UFED Pro Series and the UFED Field Series, and be sure to leave us a comment should you have any questions!

Prepare to tackle smartphones & JTAG with Cellebrite’s new Advanced Training Pathway courses

Smartphone operating and file systems, damaged and prepaid devices, and increasing amounts of data all present conundrums to mobile forensics examiners. It takes time to learn the intricacies of various device and OS versions, and time to sift through the gigabytes of data that each device can contain. These problems are compounded when a device is severely damaged and you have to send it out to a specialist lab to recover the evidence.

To help you build professional expertise to meet those challenges, Cellebrite is pleased to announce the addition of an all-new Advanced Training Pathway. Designed to enhance the forensic expertise you received from the CCPA Core Certification, the courses included in this pathway provide you with the specialized extraction and analysis skills you need to maximize the amount of evidence you can retrieve from smartphones and damaged devices:

  • The 3-day instructor-led Cellebrite Advanced Smartphone Analysis (CASA) course allows students to take an in-depth look at the challenges posed by iOS, Android, and Windows Phone® devices. The course covers the analysis of SQLite databases, issues related to iOS passcodes, and artifacts from the three major smartphone platforms.
  • The 3-day instructor-led Cellebrite JTAG Extraction and Decoding (CJED) class teaches participants about the methodologies, purpose, and origins of the JTAG process. Participants can expect hands-on practice with fundamental soldering skills, as well as with using UFED Physical Analyzer to decode JTAG extractions. A RIFF brand JTAG box, a Molex adapter kit, a class-specific tool kit, and a Cellebrite soldering practice board will all be available for participants to take back with them.

Get the skills you need to maximize your mobile device evidence collection and analysis efforts. Register at the Cellebrite Learning Center today to advance your professional expertise!

A case study on mobile victimology from #CACC2014

What is mobile victimology? The concept of “victimology” involves in-depth analysis of a victim’s life, including the normal and abnormal patterns of life over the days, weeks, even months leading up to a violent crime.

Mobile devices help this process because they are so intimately tied to an individual’s life that they often help to fill in incomplete or inaccurate witness statements, surveillance video footage, credit card receipts, and other information.

As this February 2014 article in Police Magazine noted:

Smartphones, GPS devices and other mobile media can be good starting points in any investigation, whether the victim is alive or deceased. The existing, deleted, and hidden data stored on them can help you develop leads to focus your investigation and move it forward. The data can also serve as corroborative or exculpatory evidence, along with mobile carrier data.

In a post-Riley world, of course, getting access to this degree of data requires proper legal authority: written consent, a search warrant, or a defensible exception to the search warrant requirement. Once you do identify the device as a nexus to a crime, however, its evidence can make all the difference.

Case study: mobile victimology in action

Last week at the Crimes Against Children Conference, Ronen Engler, senior manager of technology and innovation, joined Michael Hall, chief information security officer at DriveSavers Data Recovery, Inc., to present how just this type of analysis helped prove that a rapist had premeditated the murder of his rape victim.

Their session was a corollary to a case study offered by the Dallas County District Attorney’s felony chief, Brandon Birmingham, together with Carrollton Police Det. Dena Williams and the DCDA’s special field bureau chief, Russell Wilson. During that session, the three detailed how rapist-murderer Franklin Davis Googled the name and location of his victim, Shania Gray, as well as phrases like “Best way to get off a sexual assault charge” and “Gun shows in Mesquite,” after which point he purchased a gun and used social media to harass and intimidate Shania.

Davis also used a mobile app to spoof messages from Shania that appeared to recant her accusations against him, which he then used in his own defense. Our case study, published jointly with DriveSavers, shows how forensic examiners were able to prove definitively that not only had the messages come from his phone, not hers, but also the level of premeditation he engaged in. Davis was sentenced to death in November 2013.

Have a case study you’d like us to feature? Leave us a comment!

UFED 4PC and UFED TK join UFED Touch in the UFED Series portfolio

UFED 4PC software runs on any PC platform.

This week we’re excited to announce the launch of two brand-new products: UFED 4PC and UFED TK. In addition to our press release that hit the wires this morning, we thought we’d take the opportunity to address a few additional questions about these new products.

What’s new?

First: are UFED 4PC and UFED TK replacing UFED Touch? No. UFED 4PC and UFED TK are extensions of our UFED Series portfolio. Together with the UFED Touch, they are part of an approach that Cellebrite developed to better align the forensics solution with a wide range of customer work flows, environments and other use cases.

UFED 4PC is designed for customers who wish to simultaneously extract, decode and analyze mobile device data on their choice of Microsoft® Windows®-based PC or a Mac running Microsoft® Boot Camp® software.

UFED TK supports users who seek to extract, decode and analyze mobile forensic data on a pre-configured, ruggedized PC hardware platform (we opted to install it on Panasonic® Toughbook® 53, Toughbook® 19, and Toughpad® G1 platforms) that includes all hardware, software and accessories in a single convenient kit.

We anticipate that many users will still require the ability to perform mobile forensic extractions from a dedicated single purpose device, a closed environment that does not allow installation of additional software. Other benefits, like the ability to perform forensic extractions even after power failure (as this book excerpt in DFI News pointed out), may be an added reason to maintain at least one UFED Touch in a lab.

What’s the same?

UFED Touch continues to be Cellebrite’s flagship hardware.

Whether you purchase a UFED 4PC or UFED TK to supplement your existing UFED Touch, or upgrade to a UFED Touch, UFED 4PC and/or UFED TK from the UFED Classic, remember: all UFED firmware upgrades will support all three systems. In addition, the same interface across all three solutions means that Cellebrite’s new training curriculum will enable you to use any and all of the three.

UFED 4PC incorporates the most comprehensive extraction and decoding support for the widest range of devices. It is built on the trusted UFED platform with its read-only boot loaders, unified device drivers, and other features designed to save time and deliver the most accurate data.

And, just like UFED Touch, UFED 4PC and UFED TK purchases will—depending on your license—include installations of UFED Physical Analyzer or UFED Logical Analyzer software, along with UFED Reader and UFED Phone Detective.

Which UFED is right for you?

One of the things that excites us the most about expanding the UFED Series is our ability to offer greater flexibility to customers. Some customers may opt to bring UFED Touch into the field and use UFED 4PC in the office or lab environment. Others may prefer exactly the opposite.

A variety of factors—how often you travel into the field, for what purpose, and even how your office or lab environment and work processes are constructed—should inform your decision. Contact our sales team to determine the UFED Series product (or mix of products) that may be right for you.

Visit with Cellebrite at upcoming events this July

July will be a busy month for us, as we present at four shows in the United States and Brazil. Read on for details about our talks regarding best practices for effective mobile forensics, data analytics, mobile forensics and school safety, and our latest contributions to the mobile forensics workflow:

July 9-10: SANS DFIR Summit

Join us tomorrow and Wednesday at the Omni Austin Hotel Downtown for the 2013 SANS DFIR Summit. Tomorrow from 12:30pm – 1:45pm we’ll be holding a Lunch & Learn in the Lone Star room – Ballroom Level. There, forensic engineering product manager Ronen Engler will discuss “Using Data Analytics to Focus and Streamline Forensic Exams.”

Both Tuesday and Wednesday we’ll be available at our booth in the Capital Ballroom Foyer – Ballroom Level. Join us there as well!

July 14-16: NASRO

Current case law supports searches of student mobile devices when school officials have a reasonable suspicion that the student has violated school policy, or the law. At the National Association of School Resource Officers (NASRO) Conference, we’re offering an exhibitor demo on best practices, data analytics and the documentation SROs need to communicate their methods to school administrators, parents and students.

Join us on July 16 from 11:20am – 12:00pm on L4 – Level 1 of the Rosen Shingle Creek Hotel in Orlando, Florida, where sales engineer Lee Papathanasiou will detail what data might support or disprove allegations of bullying, assault, drug abuse, dating violence, property crimes and even school violence. We’ll also be available to talk at Booth #11 in the Panzacola F Ballroom – Level 1.

July 16-18: NATIA

The National Technical Investigators’ Association (NATIA) gives exhibitors three days in their week-long conference, and we’ll be at the Memphis Cook Convention Center (Memphis, Tennessee) in Booth 344 offering demos of UFED Link Analysis, UFED Touch and other products.

We’re also presenting a 2-hour lecture session on two days: July 16 from 5-7pm, and July 17 from 10am – 12pm. In “Secure, Extract, Analyze, Act – Best Practices to Seize, Process and Follow the Data Where It Leads,” forensic sales director Keith Daniels and forensic engineering product manager Ronen Engler will help you understand the best practices that help you build stronger cases and better credibility, as well as how to get more meaningful leads that you can put to work right away in an investigation.

July 23-25: ISS World LATAM

ISS (Intelligence Support Systems) World Latin America is the world’s largest gathering of Latin American law enforcement, intelligence and homeland security professionals. At this conference, Cellebrite LATAM’s Nicolas Mauricio Wernicke will be presenting on the latest ways we are “Revolutionizing Mobile Forensics.”

Are you attending any of the above events? Be sure to visit with us once you’re there!

How the past 6 months have shaped mobile forensics trends: MFW 2013 panel

Since releasing our “Trends in Mobile Forensics” white paper in January, the industry has continued to rocket forward. In just six months, some of our panelists’ predictions have remained accurate—and new trends have arisen. Watch the video to learn more, and keep reading for some additional highlights (and presentations) on mobile apps, evidence validation and gang suppression, among other things:

Mobile forensics as its own subspecialty

David Papargiris, director of digital forensics at Evidox Corp., believes that mobile forensics is becoming its own discipline because phones are so much more complex. For example, even three years ago, malware on mobile devices was unheard of. In addition, Papargiris believes that issues like apps and chip-off extractions are a good reason for mobile forensics to be a separate discipline.

Heather Mahalik, mobile forensics technical lead with Basis Technology and a SANS Certified Instructor, noted that specialization is already happening among defense contractors. In her lab, hard drive forensic specialists don’t handle mobile devices at all and vice versa.

Her team’s ability to specialize has led them to methodology like chip-off extractions, which are most handy on devices damaged by water, bullets or explosives, devices whose locks can’t otherwise be bypassed, and so on. “We rely heavily on tools like UFED to parse the data,” said Mahalik.

However, because these specialists go deep–“sector by sector”–on the devices they do examine, parsing is a “huge issue,” said Mahalik. She questioned whether examiners are fully aware of what they might be missing after they get their data and print a report. “What if a third-party app is the only way [your suspects] communicate?” she asked. “The tool needs to obtain that data.”

Asked what her caseload is like, such that her 4-person team can fully analyze every handset, Mahalik responded that priorities are ranked—and not every device that comes in is processed. “Knockoffs and simple phones are easy because we know exactly where to look,” she explained, while iPhones – especially those containing apps – can take a few weeks.

Dan Morrissey, a sergeant with the Sacramento County Sheriff’s Department, questioned whether mobile forensics was progressing to a point where chip-off extractions—still considered by many to be “hacking” despite efforts to legitimize it within the forensic community—become less popular than wiretapping. “Encryption is getting better, so if [evidence is] not intercepted in transit, we don’t get it,” he explained.

Even so, Papargiris pointed out, while encryption tools like BitLocker led to the same thought process, the forensic community ultimately overcame the issues with better technology and live acquisition.

John Carney, chief technology officer at Carney Forensics, agreed that specialization appears to be a trend. However, he also pointed out an apparent trend towards the integration of computer and mobile forensics.

That fit with an observation from audience member (and 2012 panelist) Shafik Punja, a Calgary, Alberta, Canada police officer, who pointed out that mobile forensics’ foundation remains in the bits and bytes and binary data derived from computer forensics, making the original discipline an important “fallback” to dealing with mobile devices.

Apps are another rich source of data that may require specialist skills, such as Python programming. Learn more in Mr. Carney’s presentation on the subject:

A need for analytics beyond data

The days when all an examiner had to do was dump the phone and hand over a report are going away. At one time, asking for everything on the phone was doable; today, storage is moving into terabyte territory, not just because of what phones can store but also because of how much removable media like microSD cards can hold.

Because digital forensics’ ultimate goal is to put the suspect behind the keyboard, mobile forensics needs to be about not only how to extract the data, but also perform analytics and explain the data. In cases where investigators don’t know what to look for, analytics can help them determine keywords and other basic information to drive a case forward.

One type of casework where this is most critical: gang suppression. “There’s a distinct difference from the way things used to be on the gang scene compared to where they are now,” said Morrissey. Thirty years ago, gangs were large, paramilitary organizations with distinct hierarchies.

This made it easy to pinpoint and disrupt their leadership. Now, however, small hybrid gangs have created an “asymmetric” threat. Their communication activity is more limited, and they lack a consistent leader. Moreover, members may switch alliances as often as it suits them.

Morrissey observed that this activity echoes what has been happening in overseas battle theaters for about the past 10 years. “In the 2000s in Iraq and Afghanistan, we hit everyone’s houses, dumped their phones, and mapped out their networks. But it killed communication events because we took their phones.”

To avoid a similar problem here, first responders, who come in contact with phones on a daily basis, need to get device data into the law enforcement information cycle faster so that it becomes actionable. How do teams like Sgt. Morrissey’s combat gang threats like these? Take a look at his presentation:

Training, certification and ensuring data accuracy

Joe Church, founder and owner of Digital Shield Inc., raised the related issues of casework and court. When your forensic tool pulls SMS, location information or any other data, do you look at where in the file system the tool is extracting from to verify the data is true and accurate? How do you validate (for example) the 99 SMS messages the tool tells you are there?

Audience members responded that you can look on the device, or else refer to call detail records that can corroborate dates and times. You can also verify with other tools to show due diligence in ensuring that your original tool was correct.
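The two checks described above, an independent look at the source store and corroboration against call detail records, can be partly scripted. The following is an added example, not Cellebrite’s, the panelists’ or any tool’s own code. It assumes a simplified SQLite message store built inline as a constructed stand-in (not the real iOS sms.db schema), a hypothetical tool-reported count of 99 messages, and constructed CDR entries; the SAMPLE_* constants and TOOL_REPORTED_SMS_COUNT are illustrative values only.

```python
import hashlib
import os
import sqlite3
import tempfile

# Constructed sample values (assumptions for this example, not real case data).
SAMPLE_EPOCH = 1372636800       # 2013-07-01T00:00:00Z, base timestamp
SAMPLE_PARTY = "+15555550100"   # remote party number
TOOL_REPORTED_SMS_COUNT = 99    # hypothetical figure from the tool's report

# Simplified schema (assumption): one row per message, Unix-epoch timestamps.
SCHEMA = """
CREATE TABLE message (
    ROWID      INTEGER PRIMARY KEY,
    handle     TEXT    NOT NULL,   -- remote party number
    text       TEXT,
    date       INTEGER NOT NULL,   -- Unix epoch seconds
    is_from_me INTEGER NOT NULL    -- 1 = sent, 0 = received
);
"""


def build_sample_store(path, n=100):
    """Write a constructed message store with n messages, 10 minutes apart."""
    con = sqlite3.connect(path)
    con.executescript(SCHEMA)
    rows = [(i + 1, SAMPLE_PARTY, f"sample message {i + 1}",
             SAMPLE_EPOCH + i * 600, i % 2) for i in range(n)]
    con.executemany("INSERT INTO message VALUES (?, ?, ?, ?, ?)", rows)
    con.commit()
    con.close()


def sha256_file(path):
    """Hash the source file so the check is tied to one specific artifact."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def query_ro(db_path, sql):
    """Run one read-only query against the store, bypassing the tool's parser."""
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    try:
        return con.execute(sql).fetchall()
    finally:
        con.close()


def load_messages(db_path):
    """Return (ROWID, handle, date) for every message, oldest first."""
    return query_ro(db_path, "SELECT ROWID, handle, date FROM message ORDER BY date")


def validate_report(db_path, tool_count):
    """Compare the tool's claimed count with an independent SQL count."""
    independent = query_ro(db_path, "SELECT COUNT(*) FROM message")[0][0]
    return {
        "source_sha256": sha256_file(db_path),
        "tool_count": tool_count,
        "independent_count": independent,
        "match": independent == tool_count,
    }


def corroborate_with_cdr(messages, cdr, tolerance_s=120):
    """Return ROWIDs with no CDR event for the same party within tolerance_s.

    The tolerance absorbs clock differences between handset and carrier."""
    unmatched = []
    for rowid, handle, ts in messages:
        if not any(r["party"] == handle and abs(r["ts"] - ts) <= tolerance_s
                   for r in cdr):
            unmatched.append(rowid)
    return unmatched


def run_demo():
    """Build the constructed store and CDRs, then run both checks."""
    with tempfile.TemporaryDirectory() as workdir:
        db_path = os.path.join(workdir, "sms.db")
        build_sample_store(db_path, n=100)
        report = validate_report(db_path, TOOL_REPORTED_SMS_COUNT)
        # Constructed CDRs: the carrier logged the first 98 messages about
        # 30 s after the handset; the last two have no carrier record at all.
        cdr = [{"party": SAMPLE_PARTY, "ts": SAMPLE_EPOCH + i * 600 + 30}
               for i in range(98)]
        unmatched = corroborate_with_cdr(load_messages(db_path), cdr)
    return report, unmatched


if __name__ == "__main__":
    report, unmatched = run_demo()
    print(report)
    print("messages without a corroborating CDR event:", unmatched)
```

Running the demo shows the tool’s count (99) disagreeing with the independent count (100), and two messages the carrier records do not corroborate. Against a real extraction you would point the read-only query at the copied store, keep the SHA-256 in your notes alongside the tool’s report, and treat every mismatch as something to explain before a defense expert asks about it.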

Church pointed out, though, that this process is very time consuming. Cases pile up at the same time that supervisors demand results “today,” which forensic examiners must balance against the eventuality of having to face a defense attorney and expert witness who have had time to mount reasonable doubt as to whether you could have missed information.

Why is this important? “Experts” have gone on the record in testimony that they were never properly trained, or have admitted as much on listservs and forums. An untrained, uncertified forensic examiner gives the defense another line of attack; certification provides a baseline for the court, showing that the expert at some point passed a test demonstrating that s/he knows how to use the tool.

Mahalik raised the point that even if you are certified, you still have to know how the tool currently works in its latest version; a UFED certification from three years ago is outdated. Carney added that if you own five tools, you must be able to stay up to date on all of them (another argument for mobile forensics as a subspecialty).

But the basics are important, too. Some investigators continue to believe that they only need training to learn how to push a button, a matter of policy compliance rather than developing skills. Morrissey noted that even chain of custody can be breached when officers take pictures of evidence with their own phones, forget to isolate a device from its network, or pile evidence devices on an examiner’s desk.

Mr. Church presented at MFW in greater detail about mobile forensic validation. Learn more:

What trends have you spotted over the past 6 months, and where do you see the industry headed? Leave a comment!