When I began performing digital forensics more than 10 years ago, things were relatively simple. At that time, the complexity of digital forensics revolved around ensuring that each artifact of relevance was identified and that the proper tools were available to analyze it on the computers used by the suspect.
The computer(s) of the suspect were typically the only focus. In some instances, we also had to deal with mailbox exports of corporate users. When mobile devices came onto the scene in the 2008 timeframe, our single-device approach to investigations was disrupted significantly. What are these things? Why don't my hard drive forensics tools work on phones? We "forensicators" had no idea what challenges we would face in the next decade.
The significant challenge facing digital forensics experts today is the vast number of devices and locations that may hold the valuable information. It is no longer always the case that all of the data needed to reach a conclusion is on a single device or in a single location. While it is now common to analyze both the computer(s) and phones used by the suspect, consideration must now also be given to other mobile devices (tablets), cloud-based email, cloud-based storage, social media activity, game consoles, IoT devices and even wearables.
Forensics tools for mobile devices were historically valued based on how many phones they supported. We are now arguably down to four phone types that you are likely to encounter. Even though the forensics tools have advanced considerably, collecting from mobile devices still requires different approaches than collecting from computers. In many instances, a trusted full forensic image of the evidence is not available; you get only the data the phone manufacturer will allow you to have, and you should document that limitation in your findings. With the drastic reduction in the types of phones you will now encounter, the value is now in the parsers for the applications. With the millions of mobile applications available, and their frequent updates, it continues to be a challenge for the mobile phone forensic platforms to keep up with the rapid pace.
Over the past decade, users have traded in the locally stored email from their Internet service provider (ISP) for the convenience of webmail platforms such as Gmail, Yahoo Mail, or Outlook.com. When users rely on webmail, it is very unlikely that their email is stored locally, and, compared to years past, only fragments of the messages survive in browser cache files. Depending on the nature of the investigation, forensicators may be given the access needed to collect this information from the provider for analysis. In internal investigations involving employees, it is very unlikely that forensicators will be given this access. In addition, even if you can recover the webmail credentials from the device being analyzed, you are not permitted to log into the user's personal email account; doing so is unauthorized access, regardless of how the credentials were obtained. Therefore, the Internet histories and limited file fragments are all that will be available.
This same scenario now applies to personal files, as users have migrated this information to cloud-based storage such as Box, Google Docs and Dropbox. The same difficulties that apply to webmail apply here: the authoritative copy lives with the provider, and the device may hold only sync-client databases, cached copies of recently opened files, and browser history.
There are few investigations that do not have a social media component, either directly or indirectly. While Internet histories may demonstrate the use of these sites, the full record of activity and communications can be difficult to extract from the device alone. The social media providers likely hold extensive activity records for each user, but obtaining them requires legal process (a subpoena or warrant) that you may or may not be able to invoke.
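The three preceding paragraphs make the same practical point: when webmail, cloud storage and social media content is not on the device, the browser history is often the only on-device evidence that those external accounts exist, and it is what tells you which sources to pursue through proper process. The script below is an added example, not code from the original post or from LBMC; it reads the `url`, `visit_count` and `last_visit_time` columns of a Chrome-style `History` SQLite database and summarises visits to known providers by category. The provider-to-category map is an assumption for illustration, and the sample database rows are constructed so the script runs offline.

```python
"""Triage a Chrome-style browser History database for external data sources.

Added example (not from the original post). Opens a History SQLite file,
walks the `urls` table, and reports which webmail, cloud-storage and
social-media providers the user visited, so the examiner knows which
sources to seek through proper legal process. The provider list is an
assumption for illustration; extend it for your own casework.
"""
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Chrome/WebKit timestamps are microseconds since 1601-01-01 00:00:00 UTC.
_WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Illustrative provider map (assumption; not exhaustive).
PROVIDERS = {
    "mail.google.com": "webmail",
    "mail.yahoo.com": "webmail",
    "outlook.live.com": "webmail",
    "outlook.office.com": "webmail",
    "drive.google.com": "cloud-storage",
    "docs.google.com": "cloud-storage",
    "www.dropbox.com": "cloud-storage",
    "app.box.com": "cloud-storage",
    "www.facebook.com": "social-media",
    "twitter.com": "social-media",
    "x.com": "social-media",
    "www.instagram.com": "social-media",
    "www.linkedin.com": "social-media",
}


def webkit_to_datetime(us: int) -> datetime:
    """Convert a Chrome `last_visit_time` value to an aware UTC datetime."""
    return _WEBKIT_EPOCH + timedelta(microseconds=us)


def classify(url: str):
    """Return (host, category) if the URL's host is a known provider, else None."""
    host = (urlsplit(url).hostname or "").lower()
    cat = PROVIDERS.get(host)
    return (host, cat) if cat else None


def external_sources(conn: sqlite3.Connection):
    """Summarise visits to known providers from a Chrome `urls` table.

    Returns {category: {host: {"visits": n, "last_visit": datetime}}}.
    Visit counts are summed per host; last_visit is the latest seen.
    """
    summary = {}
    for url, visit_count, last_visit in conn.execute(
        "SELECT url, visit_count, last_visit_time FROM urls"
    ):
        hit = classify(url)
        if not hit:
            continue
        host, cat = hit
        entry = summary.setdefault(cat, {}).setdefault(
            host, {"visits": 0, "last_visit": None}
        )
        entry["visits"] += visit_count
        ts = webkit_to_datetime(last_visit)
        if entry["last_visit"] is None or ts > entry["last_visit"]:
            entry["last_visit"] = ts
    return summary


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory History DB using the subset of Chrome's `urls`
    schema this script reads. All rows are invented for demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE urls (id INTEGER PRIMARY KEY, url LONGVARCHAR, title LONGVARCHAR,"
        " visit_count INTEGER DEFAULT 0, typed_count INTEGER DEFAULT 0,"
        " last_visit_time INTEGER, hidden INTEGER DEFAULT 0)"
    )
    # 13300000000000000 us is 2022-06-18 04:26:40 UTC; neighbours are +/- whole days.
    rows = [
        ("https://mail.google.com/mail/u/0/#inbox", "Inbox - Gmail", 42, 13300000000000000),
        ("https://mail.google.com/mail/u/0/#sent", "Sent - Gmail", 7, 13300086400000000),
        ("https://www.dropbox.com/home/Projects", "Dropbox - Projects", 5, 13299913600000000),
        ("https://www.facebook.com/messages/t/123", "Messenger", 19, 13300172800000000),
        ("https://example.com/news", "News", 3, 13300000000000000),
    ]
    conn.executemany(
        "INSERT INTO urls (url, title, visit_count, last_visit_time) VALUES (?, ?, ?, ?)",
        rows,
    )
    return conn


if __name__ == "__main__":
    # For a real case, copy the profile's History file first: Chrome holds a lock on it.
    for cat, hosts in sorted(external_sources(build_sample_history()).items()):
        for host, info in sorted(hosts.items()):
            print(f"{cat:14} {host:22} visits={info['visits']:3} "
                  f"last={info['last_visit']:%Y-%m-%d %H:%M}Z")
```

To run it against real evidence, replace `build_sample_history()` with `sqlite3.connect("/path/to/copied/History")`. A hit only establishes that the account was used from this device and when; it does not give you the content, and it does not change the rule above about logging in with recovered credentials.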
Lastly, the IoT phenomenon is also reshaping the digital forensics field, providing types of information we have not had in the past. From Internet cameras to fitness wearables, anything electronic may now be a potential target for collection and analysis. However, IoT devices pose challenges similar to those of mobile devices in 2010. There are thousands of different types of devices and little to no standardization. With that diversity and chaos come challenges for the collection, parsing, and analysis of this information. Just as the mobile device forensic platforms proliferated and struggled to keep up a decade ago, I predict the same for IoT devices going forward.
The overall goal of forensic analysts is to have confidence that every artifact has been properly identified, parsed and analyzed so that an accurate conclusion can be reached. We have digital artifacts that we never dreamed of years ago. With the diversity of information and the numerous locations where pertinent data may now be stored, it is a challenge to be certain you have everything you need.
I suggest that forensicators be patient, yet diligent, with the data sources available. When an artifact points to a data source that is not currently in hand, regroup and pursue that source for additional analysis.
Bill Dean, Senior Manager, LBMC Security
[ISACA Now Blog]