How the past 6 months have shaped mobile forensics trends: MFW 2013 panel

Since releasing our “Trends in Mobile Forensics” white paper in January, the industry has continued to rocket forward. In just six months, some of our panelists’ predictions have remained accurate—and others have arisen. Watch the video to learn more, and keep reading for some additional highlights (and presentations) on mobile apps, evidence validation and gang suppression, among other things:

Mobile forensics as its own subspecialty

David Papargiris, director of digital forensics at Evidox Corp., believes that mobile forensics is becoming its own discipline because phones are so much more complex. For example, even three years ago, malware on mobile devices was unheard of. In addition, Papargiris believes that issues like apps and chip-off extractions are a good reason for mobile forensics to be a separate discipline.

Heather Mahalik, mobile forensics technical lead with Basis Technology and a SANS Certified Instructor, noted that specialization is already happening among defense contractors. In her lab, hard drive forensic specialists don’t handle mobile devices at all and vice versa.

Her team’s ability to specialize has led them to methodology like chip-off extractions, which are most handy on devices damaged by water, bullets or explosives, devices whose locks can’t otherwise be bypassed, and so on. “We rely heavily on tools like UFED to parse the data,” said Mahalik.

However, because these specialists go deep–“sector by sector”–on the devices they do examine, parsing is a “huge issue,” said Mahalik. She questioned whether examiners are fully aware of what they might be missing after they get their data and print a report. “What if a third-party app is the only way [your suspects] communicate?” she asked. “The tool needs to obtain that data.”

Asked what her caseload is like, such that her 4-person team can fully analyze every handset, Mahalik responded that priorities are ranked—and not every device that comes in is processed. “Knockoffs and simple phones are easy because we know exactly where to look,” she explained, while iPhones – especially those containing apps – can take a few weeks.

Dan Morrissey, a sergeant with the Sacramento County Sheriff’s Department, questioned whether mobile forensics was progressing to a point where chip-off extractions—still considered by many to be “hacking” despite efforts to legitimize it within the forensic community—become less popular than wiretapping. “Encryption is getting better, so if [evidence is] not intercepted in transit, we don’t get it,” he explained.

Even so, Papargiris pointed out, while encryption tools like BitLocker led to the same thought process, the forensic community ultimately overcame the issues with better technology and live acquisition.

John Carney, chief technology officer at Carney Forensics, agreed that specialization appears to be a trend. However, he also pointed out an apparent trend towards the integration of computer and mobile forensics.

That fit with an observation from audience member (and 2012 panelist) Shafik Punja, a Calgary, Alberta, Canada police officer, who pointed out that mobile forensics’ foundation remains in the bits and bytes and binary data derived from computer forensics, making the original discipline an important “fallback” to dealing with mobile devices.

Apps are another rich source of data that may require specialist skills, such as Python programming. Learn more in Mr. Carney’s presentation on the subject:

A need for analytics beyond data

The days are going away where all an examiner had to do was dump the phone and give a report. That’s because at one time, asking for everything on phone was doable; today, storage is moving into terabyte territory, not just because of what phones can store but also because of how much removable media like microSD cards can hold.

Because digital forensics’ ultimate goal is to put the suspect behind the keyboard, mobile forensics needs to be about not only how to extract the data, but also perform analytics and explain the data. In cases where investigators don’t know what to look for, analytics can help them determine keywords and other basic information to drive a case forward.

One type of casework where this is most critical: gang suppression. “There’s a distinct difference from the way things used to be on the gang scene compared to where they are now,” said Morrissey. Thirty years ago, gangs were large, paramilitary organizations with distinct hierarchies.

This made it easy to pinpoint and disrupt their leadership. Now, however, small hybrid gangs have created an “asymmetric” threat. Their communication activity is more limited, and they lack a consistent leader. Moreover, members may switch alliances as often as it suits them.

Morrissey observed that this activity echoes what has been happening in overseas battle theaters for about the past 10 years. “In the 2000s in Iraq and Afghanistan, we hit everyone’s houses, dumped their phones, and mapped out their networks. But it killed communication events because we took their phones.”

To avoid a similar problem here, first responders, who come in contact with phones on a daily basis, need to get device data into the law enforcement information cycle faster so that it becomes actionable. How do teams like Sgt. Morrissey’s combat gang threats like these? Take a look at his presentation:

Training, certification and ensuring data accuracy

Joe Church, founder and owner of Digital Shield Inc., raised the related issues of casework and court. When your forensic tool pulls SMS, location information or any other data, do you look at where in the file system the tool is extracting from to verify the data is true and accurate? How do you validate (for example) the 99 SMS messages the tool tells you are there?

Audience members responded that you can look on the device, or else refer to call detail records that can corroborate dates and times. You can also verify with other tools to show due diligence in ensuring that your original tool was correct.

Church pointed out, though, that this process is very time consuming. Cases pile up at the same time that supervisors demand results “today,” which forensic examiners must balance against the eventuality of having to face a defense attorney and expert witness who have had time to mount reasonable doubt as to whether you could have missed information.

Why is this important? “Experts” have gone on the record to testify that they were never properly trained, or else admitting to it on listservs and forums. An untrained, uncertified forensic examiner presents another way for the defense to attack; certification provides a baseline for the court, showing that the expert had to pass a test at one point that says s/he knows how to utilize the tool.

Mahalik raised the point that even if you are certified, you still have to know how tool currently works in its latest version; a UFED certification from 3y ago is outdated. Carney added that if you own 5 tools, you must be able to stay up to date on them all (another argument for mobile forensics as subspecialty).

But the basics are important, too. Some investigators continue to believe that they only need training to learn how to push a button, a matter of policy compliance rather than developing skills. Morrissey noted that even chain of custody can be breached when officers take pictures of evidence with their own phones, forget to isolate a device from its network, or pile evidence devices on an examiner’s desk.

Mr. Church presented at MFW in greater detail about mobile forensic validation. Learn more:

What trends have you spotted in over the past 6 months, and where do you see the industry headed? Leave a comment!