Attendees at this year’s successful event in Myrtle Beach heard about a multitude of trends affecting their industry and, as a result, their everyday work. From data storage and variety to backlogs and courtroom testimony, many of these trends are only accelerating.
Cellebrite is hard at work developing solutions to help our customers overcome the challenges associated with these trends. Read on to find out more about the new solutions we debuted at MFW, which enable investigators to unify evidence processing efforts across multiple tiers, decode hard-to-extract data, and validate their results.
Technology trends: apps, storage locations, encryption
On Monday, Cellebrite’s forensic product manager Inbar Ries spoke about trends in mobile data and data management on the various platforms. More app-based social sharing and day-to-day activities mean that data could reside in numerous locations: databases, configuration files, logs, and cloud backups. Investigators also can’t overlook metadata, tethering data, app permissions, location-based information, and media EXIF data.
At the same time, panelists Bob Elder, John Carney, Joe Pochron, and Brian Farnsworth were talking about challenges surrounding these trends. Multiple devices and data locations can mean multiple search warrants, for one thing, including for iCloud or for computers to which mobile devices are synced. Carney reminded the audience that because only about 100 apps of varying versions are supported by mobile forensics vendors, examiners need to consider developing some degree of their own app support.
Demand for better data security is likely to fuel full chip encryption, said Elder, while Carney raised the issue of new kill switch legislation in several states. Whether a “kill switch” would wipe, partially wipe, or simply disable a mobile device and/or its cloud backup—and how this would be applied from state to state—could have significant implications for forensic examiners.
Unifying investigative teams
The panel discussion also raised the problem of backlogs, with Pochron noting that many labs have only enough funding for one full-time forensic examiner and few tools. The sheer amount of data on many devices makes it difficult for these examiners to develop consistent forensic processes.
That’s why some agencies are beginning to take a more team-based approach to mobile evidence collection and analysis, explained sales engineer Lee Papathanasiou in three sessions at MFW. In cases involving active shooters, abductions, bomb threats, traffic collisions, and other incidents, first responders need actionable information that is often available via mobile device. Access to this information needs to be quick and easy, yet also legally defensible.
A team-based approach empowers existing personnel with mobile forensic technology, enables rapid evidence collection and assessment in the field, decreases the quantity of evidence lab examiners must handle, and increases the overall quality of evidence by ensuring proper handling from the start.
Another advantage to obtaining more mobile evidence sooner is the ability to generate more leads in less time via link analysis applications. On Monday and Tuesday, sales engineer Ronen Engler led two lunch and learn sessions on UFED Link Analysis, showing attendees how to put data together from multiple mobile devices—whether suspects’ or victims’, or both.
These sessions were rounded out by senior trainer Keith Daniels’ session on how to conduct interviews based on mobile evidence. The session covered how to evaluate suspects and victims, ask the right questions, listen carefully for the answers and identify deception, and finally how to use mobile data to move forward with interviews.
Testifying effectively in court
Panelist Brian Farnsworth expressed the concern, shared by others, that the UFED can be misconstrued as overly easy to use. As a result, untrained and/or inexperienced examiners may not be able to testify effectively about what UFED products are doing “under the hood.” Giving evidence at trial is tricky, Farnsworth noted; many defense attorneys are learning the right questions to ask.
Cellebrite trainer Brendan Morgan addressed some of these issues on Tuesday. His lecture walked audience members through understanding the risks of not knowing how to use their forensic tools and how to mitigate those risks through sound methodology and documentation. Training, networking and peer review, and vendor support are all important to this mitigation.
Morgan also described the importance of working with attorneys to help prepare them for eventual trials. These activities include explaining your report of findings in layman’s terms, demonstrating the process of recreating and validating findings, providing assistance with the creation of exhibits, and addressing possible defense expert theories, all in a timely manner.
One audience member noted that fact witnesses with less experience may be able to simply fall back on tried-and-true terminology, for instance the concept of hashing. The simpler the information, in other words, the easier it is for judges and juries to understand, and the harder it is for defense attorneys to challenge.
Still, this is a risk, because as Farnsworth pointed out, we’re long past the days of taking pictures of device evidence. To that end, panelist Pochron stressed to the audience that it’s important not to take shortcuts by putting off training following a tool purchase.
Cellebrite rising to the challenges
Jeff Hayes, VP business development, and Buddy Tidwell, global training director, presented on new Cellebrite technology that addresses many of these challenges:
- Additional JTAG decoding support enables investigators to analyze data from devices that the UFED may not support through conventional extraction methods, or that are too damaged for cables to be attached. JTAG chains and plugins within UFED Physical Analyzer are automated for popular Samsung, HTC, LG, and other models, and provide access to SMS, MMS, emails, chat, location, and other artifacts.
- UFED Permission Management and a simplified, more intuitive workflow make in-field mobile evidence collection more controlled and easier overall.
- UFED Camera is a soon-to-be-released low-cost add-on that allows investigators to document a manual, “hand scroll” method of searching mobile device data, either as part of first response or as part of tool validation. It can also document device damage and identifying physical characteristics. Device screenshots and other images are included in a standard UFED report.
What has your experience been with these trends? Leave a comment!