Mobile Device Investigations
We've got a couple of really, highly qualified speakers here in just a moment on the use
of mobile devices for investigations. Now I'm going to introduce, I got to meet both
of these fellas, I had dinner with Adam last night and was just highly, highly impressed
with his level of knowledge in this area. Adam Wandt, Professor at John Jay College
and assistant professor of public policy and a member of the full-time faculty, Department
of Public Management at John Jay College. He is a member of the graduate faculty in
both the Master of Public Administration IG program and the Master of Digital Forensics and
Cyber Security program at John Jay, and a researcher for John Jay's Center for Crime Studies. He
has worked on and sponsored research in partnership with Sprint, Blackboard Entourage, the FBI,
Interpol, the UN and the U.S. Bureau of Justice, the NYS Tax Reform and Fairness Commission, and
on and on; he's got really great credentials.
Abraham Rivera has over 23 years' experience with computers, networking, information security
and digital forensics in the public and private sectors, including academia. Former executive
director of IT and investigative operations, law enforcement officer for the City of New York,
currently an investigator for a global financial services firm. Again, two highly knowledgeable
and qualified instructors today. So please give a warm welcome to Abraham Rivera and Adam Wandt.
Thank you for the wonderful introduction.
Abraham and I are very honored and pleased to be able to speak before the Association of Inspectors General today
on a topic that we think is of critical importance, because it's a fairly new topic and it's becoming more and
more important. Abraham and I will split up our time, about 20 minutes apiece. We'll save
about 10 minutes for questions. However, if you have any questions during the presentation,
if what we're talking about doesn't jibe with your experiences, please raise your hand and
we will identify you, and feel free to chime in at any time. In addition, we've taken this
entire presentation, which is full of useful links and tips, and it is all online on my website.
You can go to that website to download this entire presentation as a PDF, including working
links that will get you where you want to go. Don't forget there is an X and a period
before my name in order to get there.
I have to start out by saying nothing in this presentation should be construed as legal
advice in any way, shape, or form. It's informational advice and you need to check with your agency's
attorney before putting any of this into practice.
So, we're here to help impress upon you the need for what Abraham and I call a holistic
view of mobile device forensics. And that's the best I could do for a holistic view graphic,
sorry. A holistic view that takes the entire mobile device package, archives, preserves,
and prepares it if necessary for the investigation later on down the line. Because if information
is improperly preserved according to the chain of evidence, if it's not accessed on time and
in a way that could be helpful to law enforcement and prosecutors, suspects could get off. One
of the best examples of this in recent history, although not an IG case, is the Casey Anthony
trial. After the Casey Anthony trial, after she was found not guilty, after she went home
and smiled, lots of information came out about digital forensic evidence that was missed
by the digital forensic experts. Had they found this information and folded it into
the trial, I personally believe that there would have been a different outcome.
Today information is ubiquitous, it is everywhere. I'm looking out in the audience at people
wearing Bluetooth headphones, playing on their smartphones, playing on their laptops. With this
information that you are putting into these devices you are creating an archive, a diary
of your life from moment to moment. And it's this archive or diary of your life that could
be of use to investigators. The question is when and how could you get access to this
stuff and what could you do with it after you get it. I want to impress upon you how
important smartphones are today in society.
Right now, just at the end of the summer, nationwide we hit 66 percent of Americans
owning smartphones. That's about two thirds of all Americans having a smartphone, and they
use it regularly. That is a U.S.-wide statistic, but if we look at little microcosms it gets
a little bit different. For example, this number might not be of interest to you, but
if we look at, like, a college community, John Jay College for example, at this point we
have 90 percent of college students using smartphones. Sitting, taking buses, entering
their daily thoughts into their phone, whether it's on Facebook or text messages. Smartphone
distribution: 53 percent of the phones being sold over the summer were Android,
40 percent were iOS Apple products, and BlackBerry and Windows and other phones just equal 7 percent,
a very small percentage. It is easy to start focusing attention on Android and iOS systems
so that you can get a better idea of what people are doing with them. I don't know about
you guys, but when I'm in New York City riding the bus or taking the subway, this is what I see.
I see people sitting there using their phones every single moment. As a matter of
fact I often notice that it's rare not to see people using their phones. What are they doing
with these phones, how savvy are they, what are they entering into it? If they just robbed
a bank or they just committed a fraud, are they bragging about it to their friends or
are they posting it up on their social networking sites, and if they are, how do you get access
to it and use it against them at trial? Smartphone savviness differs among all of us.
We have basic users, and there are many basic users in this room and around, and they just use these smartphones
for phones, contacts, emails and games. The email or the phone logs could put somebody
in jail for a very long time. Average users use all those basic functions, but then they
use wavy applications, third-party applications or apps as we tend to call them these days.
They use a lot of bandwidth, they use a lot of video, they spend the most money.
Many of them can add second lines to their phones very easily.
I was talking with one of our IGs last night about how this one iPhone has three different
phone numbers. Three different, totally different phone numbers that work over three totally
different protocols. And if you're only checking my Verizon number you will see nothing. I
never use it. You will think I walk around with the phone and never make a call or send
a text message. For the adept user, the phone is just an access device. I could throw away
this phone and I'm perfectly happy carrying around a laptop. I can do everything from
my laptop. But this phone has access to my digital world. And if you get access to my
phone, access to my digital world, and if I'm a criminal committing frauds or crimes,
what evidence could you get? This is not a simple topic. The law on this issue is not
clear. If there's one thing that is clear to me, it's that all of us in this room have a constant
struggle with the laws of mobile device investigations, in digital forensic investigations,
and the reason is quite simple. Many of our laws were written in the days of the landline, the days
of the telephone. Much of the case law out there that tells us what we can and cannot
do was written in the time of the telephone, before cellphones. And today the laws are just
as complicated, even the new laws.
The Electronic Communications Privacy Act, the Stored Communications Act, the Patriot
Act, the Protect America Act, these are laws that were passed, uniformly post-9/11 I believe,
and they are laws that try to regulate and control a balance of people's privacy versus
government homeland security or criminal investigations. But it's very, very difficult to find that
balance. Especially in a Congress that doesn't seem to be too technologically adept. On top
of that we have this overwhelming third party doctrine that is so rooted in case law, it
goes back to medieval times. The third party doctrine being that if you have a secret and you give
it to a third party, it's no longer a secret. Those of you in the audience who are attorneys
know that if you're interviewing a client and it needs to be confidential, the client can't
have a friend in the room. Just the presence of that friend in the room can completely
destroy your privilege. You could be forced to testify about that conversation. However,
all of this device, all of my information here is uploaded to third parties all the
time. Dropbox, Evernote, Verizon, they all have my information, they're all third parties.
Some of these situations are regulated by the Stored Communications Act, the Electronic
Communications Privacy Act. But many of them are not, so we're still trying to figure out
what the third party doctrine still means today. Is it antiquated, is it still a good
idea? I don't have an answer to that, we'll find out as time goes on.
What is clear is that some of the traditional methods of obtaining information still apply.
The single most important one in my opinion is consent. And the reason why I think it's
so important is that for your community, for the inspectors general community, very often
you're dealing with government employees or contractors. Those government employees or
contractors, more often employees, may have government-issued phones and devices over which
you have policies that regulate them. There is more than enough legitimate case
law, and most of you know that if your internal policies make sure that your employees have
no expectation of privacy on your mobile devices or their laptops or whatever, that you have
consent to go in and do a search. You don't need to notify them at times, and it gives
you a lot of power. User agreements: it's really important in user agreements and agencies
that it very specifically states that there's no expectation of privacy, and that the agency
or government entity or investigative services could go in and get anything at any time.
We still have the ability for subpoenas and search warrants of course, and we'll talk
a little bit about that in a second. And then of course we have plain view. If you're going
into an office to seize computers and you see a printer, and oh yes, that printer has
a hard drive, could you seize the printer then get the warrant to take a look at it?
A lot of those questions will depend on the jurisdiction that you're in. So it's not really
an easy question to answer.
What are your practices in your office, your IG office? A one-to-one image is the absolute
best way to preserve digital evidence. For those of you who don't understand what a one-to-one
image is, it would be literally copying the flash memory in this phone bit by bit,
preserving it at the time you made the image. You're copying it in a way that changes nothing.
Personally, and we'll talk about this in the next slide a little bit, I am an advocate
of making one-to-one images incident to arrest as an inventory. And those of you with some
evidence background know what I mean. When you arrest a suspect and take them in for
questioning you inventory his personal belongings, you inventory his keys, his briefcase.
I believe in most jurisdictions you can inventory the trunk of his vehicle once impounded. But
you're making a simple inventory of information, you're not necessarily exploring it yet. So
the advantages of making an immediate one-to-one image of that person's cellphone are
many, and it brings a very important question into play. Do you first arrest, then make a
one-to-one image, then obtain a search warrant? Or do you take the safe view, the safer view I should say,
where you arrest, then get the search warrant, then get the image? Now it's important
to remember that when we make an image we don't have to look at it. So we can make an
image to preserve it, then get the warrant in many jurisdictions to take a look at it.
This might be making some of you uncomfortable, but there's something you might not realize.
It is today, in 2013, getting extremely easy to remote wipe your phone. How many people
here, just by a show of hands, the technology's really not streamed out there yet, how many
people have the ability to remote wipe their own phone, just by a show of hands? I mean
it's about 15 to 20 percent of the room at least. So you lock up your suspect, you bring
them in. His brother has his password, logs into a website, wipes the phone completely.
These are native functions today on every single iPhone; every single person with an
iPhone could do this easily. On Android you just need to install one application. Even worse,
today I figured out a way to do a remote forensic wipe, totally forensically wiping the drive,
including deleted information, including text messages. You're not recovering the stuff with
EnCase, you're not recovering the stuff with a forensic investigation. It's gone from at
least the phone. So since you could destroy the information almost instantly,
do you have the legal justification, since it's destroyable, to obtain it and image it? There are some other
techniques you need to know as well, and when Abraham takes over in a little bit, he's going
to talk a little bit about a concept called Faraday bags; I'm not sure who has them. Faraday
bags allow you to isolate the phone from the environment and cut off the signal. However, the second
you take that phone out of the bag, that signal reconnects.
The technology in these phones is incredible. Not even in the book 1984 was Orwell able to dream
up the types of things that we can do today. Not even in Star Trek. It's absolutely incredible,
and I'm going to date myself a little bit with the next slide.
Zack Morris, Saved by the Bell, in high school with one of the first cellphones. That cellphone was a monster,
it was a powerhouse, you wouldn't believe how much power that thing used. The reason
why you can't use your phones in hospitals is because of that phone. Not the phones we
have today. That phone had so much power in it, it was able to knock out and mess with
things, and that's what we started with. Today what we have is far more sophisticated, and
that's an understatement. This is a rip-apart of the Samsung Galaxy S4. It is full of sensors
and it's no longer a phone, it is a computer. It's a computer with assisted GPS, a digital
compass, wifi, cellular, LTE, Bluetooth, near field communications, RFID, a three-axis gyroscope,
accelerometer, proximity sensor, ambient light sensor, thermometer, barometer, dual high-definition
cameras, and high-definition audio. It has a sensor array built into it that you,
if you learn how, or criminals if they learn how, could take advantage of to obtain intelligence and information.
With those sensors we can calculate so much, and the best part for you guys is that
much of the stuff that is calculated is preserved in the phone or at the service provider level
for a very long period of time in some cases. We could calculate geolocation, accurate to around
30 feet. A history of where your suspect has been the entire time, traveling around
with them in the pocket. We could measure things like angular velocity, which direction
they were traveling and how fast. We could try to figure out if they were running or
walking at the time that you wanted to find out. We could determine pitch, roll and yaw,
rotation around gravity, six-axis motion sensing, and we could tell so much about the environment
and surroundings that you're in. I've coined this The Santa Effect. He knows when you're
sleeping, he knows when you're awake, he knows when you've been good or bad, so get rid of your
phone for goodness' sake. Now I'm not the first one to figure out we can take advantage of
all this. Your app manufacturers figured it out long before I did. Guess that's why I'm
here and not in Silicon Valley. But the good news is that we could kind of brainstorm
with some of this, and I can't tell you all the possibilities. Here's an app, it's a running
app. Turn it on, stick it in your pocket and go for a run. It runs in the background, you
might forget to shut it off. It's constantly monitoring your GPS, wifi signals around you,
gyroscope, accelerometer. And if your suspect uses this program and leaves it on, which
is very possible, not only could you tell where he was, but you could tell where he
was in a building with precision accuracy. You could tell if he was on the second floor,
the third floor, what office he was in perhaps. All by using these four sensors combined.
It's absolutely incredible.
We know when you're sleeping. There are sleep apps as well. And I guarantee you the majority
of people in this room aren't used to looking at third-party apps to be able to understand
what's going on. But your suspects are leaving digital breadcrumbs all over the place and
it's up to you to be able to find them. Third-party apps are just one example. There are
tens of thousands, if not hundreds of thousands, of apps out there. These apps collect information
on your suspects. These apps transmit information on your suspect to the app manufacturer.
Luckily the Wall Street Journal about a year ago, might've been
two years ago at this point, put together a website called What They Know Mobile. You can launch it after the presentation.
But what that website allows you to do is identify any application your suspect is running, and it tells you what information
is transmitted to the app manufacturer, so that you could know if it's worth subpoenaing
that app manufacturer. Now Apple and Google are constricting a little bit their privacy
to give additional privacy to us. But there's still a treasure trove of information that
you might not even know exists. How many of us have had to deal with this: prepaid cellphones,
dirty phones or burners. How do you know when your suspect has a second phone on them that's
prepaid and not registered to them? Many of us deal with this every day. It's in everyday
media. I had to make a Breaking Bad reference in this presentation, and any of you who have
watched Breaking Bad or one of many other shows where there are criminals heavily involved,
you know that there are lots of disposable cellphones around, dating back to popular media
in The Sopranos, which I think is where it came out of at first, where most of us first
saw it. Criminals know this, they use this. They pick up these prepaid or these GoPhones at
Kmart or the 7-Eleven and they use them to commit crimes. How do you know when they're using a
disposable phone? How could you identify that?
The importance of going through service providers when you have suspects: the amount of information
you can get from a service provider is incredible. It's so incredible that the guides that they
release on a regular basis, Verizon, AT&T, Sprint, they release law enforcement guides,
you guys have them. But what's so incredible about them is every new year, every new guide,
the data retention policies seem to be increasing. At first text messages were only kept for
three days. Now certain providers are keeping them for 3-5 years. So if you wanna go back
and see what text messages your suspect sent a year ago, reach out to the service provider
even before you pick up your suspect. You need a warrant in that situation; get one
and go and do it. And it's not just text messages. It's years of geolocation data, it's emails,
it's IP addresses. It's another treasure trove of information that's there. And the best part
about doing this at the service provider level is that your suspect won't even know it's going
on. You don't have to lock them up, seize their equipment and do an investigation that
way. You could do it right through Verizon or AT&T.
We can create and start identifying sophisticated networks of people.
Who your suspect's talking to, who are they talking to. Social network analysis of an incredible scale, all through
the service provider. And as I mentioned, the service providers themselves have dedicated
units to help you, dedicated units to help you get the information that you want. So
to continue a bit with the service provider information, I'm going to turn this over to
Abraham Rivera. And he's going to walk you through the service providers and then some
detailed forensics things that you might find interesting. Thank you.
Good morning, everyone. I'm just gonna go right into it. In regards to service providers,
a very good resource is the International Association of Chiefs of Police Center for
Social Media. So they have a bunch of, not only typical internet service carriers like
AT&T, Verizon, T-Mobile, but also all the social networking and application social providers
as well that a lot of us are familiar with, like Facebook, LinkedIn, eBay,
I mean you name it, Pinterest. And a lot of how-to guides as well. Now sometimes a new
social networking app comes out and we're not too familiar with the app, so I'll give
you an example. Snapchat, one of the ones that is fairly new that a lot of the children
are using for, like, sexting and everything else; they have a how-to guide of how does
Snapchat actually work. In addition to that, in addition to how it works, they also have
a lot of references as far as how to go about obtaining this information from a legal perspective,
from a legal authority perspective, both civilly and criminally as well, so you can just take
advantage of all this plethora of information, and they try to update it on a regular basis
as well. In addition to this social media, there are also a lot of chat acronyms that actually
go out on a regular basis, that spring up on a regular basis, and so you have acronyms
such as TCOB, Taking Care Of Business, TTYL, Talk To You Later, we all know those. But
what about, you guys know what, for example, TWSS? That's What She Said.
We all like to say that, right? So.
In addition to that, one of the things that Professor Wandt was referencing was cell towers.
Now these cell towers for the most part, the proximity is about 10 square miles. Now that's
being very generous, in very ideal conditions and situations. But the reality is when we
talk about cities, the cell towers are anywhere between 1 to 2 square miles. That's one of
the reasons why you might see these cell towers on buildings. They actually look like large
speakers. You see them on buildings, or maybe you're driving across the highway, you might
see that. Now there are some communities that don't like the way the cell towers look, so
they'll have disguises for them. So they'll have them, you know, looking like cacti, or
water towers, or, you know, church crucifixes or something, or they'll have them embedded
in buildings or houses, you know. So I have included two references here about cell towers.
One is sort of giving you an overview of what a cell tower is as well as all its components,
and that one in particular is called withoutthecat.com. And withoutthecat.com has all
the breakdowns of, like, what's an antenna, the microwave dish, an amplifier, the transceivers
that are involved in the base station of a cell tower, a router that connects to other
cell towers, a remote monitoring device, 'cause a lot of these cell towers are located in
very remote sites. So there's this constant check to make sure that it is operational.
And if you guys don't know what I'm talking about, don't worry about it. You go to this
website, you're gonna see the breakdown of what each of these components are. Now one way
to remember "without the cat": it will say that they asked Albert Einstein
what exactly is the wireless telegraph, and he said, well, if you squeeze the cat in New
York, the cat's tail in New York, you hear the meow in California. The wireless telegraph
is everything, it's the same thing but without the cat. So that's one way to associate
withoutthecat.com with a cell tower.
The other thing is a lot of times we might get the cell tower data from a service provider.
But we need additional reference points. So we can go to a website such as
cellreception.com. Now there are quite a few of these websites that have this information;
I just chose one, and this one in particular is within the New Orleans area. And there
are about, like, 20-something cell towers. Now that's not to say, the reality is there
are actually more cell towers in this given area. But these are the cell towers that are
either registered with the FCC or that the company found out about. So the reality is,
because these lines, these cell towers, are leased, the service providers like AT&T, Verizon,
Sprint do not necessarily have to disclose where these towers are. When we're dealing
with evidence, especially, you know, mobile forensics, a lot of the times we have to make
sure that we adhere to the evidence handling guidelines of the given agency in addition
to adhering to its chain of custody. Now when we talk about evidence handling of a device
there are many levels we can discuss, such as the gathering of the evidence,
the transporting of the evidence. If the phone is on or off there are ways to treat this phone. If the
phone happens to have, you know, fingerprints that we need to lift or maybe some DNA evidence,
we have to treat that differently than if we just took it from someone's house or we arrested
a subject and have to perform analysis, if we have to perform analysis right there and
then, or immediately, or we can take it back to the computer forensic lab,
do the analysis then, and then worry about it later on to actually do the analysis and
the reporting of this information. So just taking it in baby steps: we have acquired a cellphone,
we got a cellphone on the scene, what do we do? If it's on, well, if it's on we
wanna try to keep it on, but we wanna put it in a Faraday bag. Now these Faraday bags
shield all the other wireless communications to and from the phone. And one of the ways
to do that, these bags also have, like, a power cable, so you could potentially put the phone
in the bag, power it and make sure it has some sort of external power battery before
you take it back to the lab for analysis. Now that's if the phone is on. If a phone is off,
normally you start the same exact way: you have the phone, you put it in a Faraday bag;
if it just so happens that you have one of those phones that the battery is in the phone
and you can remove the battery, you wanna remove the battery first. Now there are some
instances where a phone could automatically turn itself on. Now in doing that the possibility
still lies that some remote wipe has been initiated. And maybe the remote wipe was initiated a
few days ago and you just picked up this phone that's off. You know, so you always want to
treat even a phone that's off, you always treat it as if it were on; you wanna place it in this
Faraday bag because as soon as you turn it on, just like when we turn on our phones
early in the morning, or if you turn off your phones at night, the first thing we
get hit with are text messages, you know, voicemails, you know, and everything else, emails
that we get to our phones immediately. So the same way we can get those types of items
is the same way we can get the remote wipe initiated, and if that happens, normally analysis
is almost impossible, and I'll get to that in a little while when we discuss levels of
extraction using the pyramid paradigm. Just so you can see what it looks like,
there are Faraday bags that are like duffle bags, if we have a whole bunch of mobile devices.
It doesn't have to be a cellphone; it can be an iPad, an iPod, it can be a laptop with
wireless communications. There's also these, they're normally referenced as a Faraday box
or a Faraday cage, and now they've come up with what's known as a Faraday tent. So it's just
basically mesh shielding that you put your hands through, and you can actually perform
analysis through the shielding, guaranteeing that no signals are coming into the tent and
no signals are exiting this tent.
Now the pyramid levels of examination, this one concept I would like to get into with
you guys. Referencing the bottom piece is the easiest and as you climb higher in the
pyramid the levels of extraction become that much more difficult. So for example a manual
extraction would literally be looking at your phone and sifting through your phone. So if
you had a phone and you found a phone on the scene and you want to see if well you know
what, what was the last number that was dialed. We see this all the time. That's considered
a manual extraction, you're still doing something to the phone. So let's see the appointments
he had or whatever, so you go into the calendar application on your phone, that's manual extraction.
Let me get into logical extraction which, I have one slide to show you all the items,
but logical extraction is you're taking not only the active files, in traditional forensics,
when we talk about a logical acquisition, what we're referring to is the active files,
the files that are actually used on a regular basis. So when we talk about mobile forensics,
a logical extraction is for example backing up your iPhone and now looking at iTunes or
some respective data back up for your phone whether you're using a blackberry or an Android
and looking at that application and seeing all the entries and seeing all the voicemails,
the calendar entries, the contact list you know so that's what's considered logical extraction.
Then we get file system extraction, where file system includes everything that the logical
has but also includes additional files that primarily could have information that was
marked for deletion that wasn't formally deleted. So for example you could have information
such as text messages that were marked for deletion that do not come up in your logical
examination but do come up in the file system examination. The same goes for history. Most
of our phones contain where we've connected to in regards to wifi. We've come to this
hotel, we connect to the hotel's wifi. We go into one of the other conference rooms
we connect to that particular wifi which actually utilizes a different code right. It's for those
of you who were in the other rooms you may have to put in different codes then you are
in the room. Well all that information, the historical information is found in the file
system level of extraction. Then you get the physical level of extraction which is the
most detailed. It's the one thats most people, most investigators especially would want to
have. And this includes all the deleted information, so stuff that was deleted is part of this
physical extraction. It's that bit by bit copy that was referenced earlier.
Chip off, I just mentioned it here. Chip off - sometimes we may not have the ability to plug in a phone for whatever reason. Maybe the
phone was destroyed, maybe you knocked it with a hammer, or maybe you actually have a phone
that doesn't have a typical output to be powered. Maybe you have a USB recording device that
does not have a USB input. So in that respect you would use a chip-off technique, which
is why it's the top of the pyramid and also the most difficult, where you actually extract
the chip. You have to have a special chip reader for it, and then it will dump the data,
which is known as a hex dump, and very painfully but painstakingly you can actually extract
the information or the memory that was on that chip. So again, logical, in regards to
the data types: call logs, contacts, SMS messages, videos, audio, music. File system: its data
types now contain additional information such as Bluetooth, historical information, Bluetooth,
GPS, and very specific application type of information. If you use, you know, Skype, if
you use Google Voice, or any other type of third-party application on the device, you'll
see this information within the file system. And the physical extraction gives you the
most detailed, the most information. The most important part of the information that you
get with physical that you don't get with the others is the deleted content, and that's
what mobile forensics wants to be. It wants to be at this point, but the reality is, because
all these, most of these phones use flash memory, it makes it that much more difficult
to obtain this unallocated space or this unallocated memory, that when something's deleted it's very
difficult to retrieve this information. So mobile forensics is not there yet in regards
to being able to undelete all data, especially if you have various phones that do have encryption
built into them; it makes it that much more difficult. So a lot of times you have to rely
on the file system extraction. And the reality is physical is the most difficult; most likely
the product will be a costly forensic product that you're gonna get, whether it's a software-
or hardware-based forensic tool that's used, and all the various data types that can be
extracted with the levels of examination.
Now certain limitations exist in phones. One I mentioned was the ability to do an actual
bit by bit physical extraction of a phone. Now it makes it difficult because not all
phones can be physically extracted. There are a lot of companies that may claim they
can do it, but then the reality is it really doesn't work as well, so you have to go down
a level, in this case either file system or the logical level, on an active file level
when we're looking at the pyramids, the logical.
When we talk about seizing evidence, one piece of evidence to keep in mind is that, on a phone itself, phones
also have external memory cards. Now if there are external memory cards, we have to treat those
external memory cards as if we were doing a computer acquisition or any type of hard
drive acquisition. In that case those can be recorded as, excuse me, acquired as a physical
extraction, where if stuff was deleted on that card there is a possibility to undelete information
from the card itself. And a lot of times, a lot of us use these cards to store our videos
or audio, as well as our pictures. And sometimes that's where a lot of good information, a lot
of good data, exists.
In regards to preparing equipment, when we're doing analysis we have to make sure that the
hardware and software that we use is in fact accurate and it can be validated. And it's
very important that you don't only use or rely on one typical application, whether software-
or hardware-based. You should have a combination of the two. And most of my career in civil
service, as well as private, we have multiple applications, hardware and software, and we
validate one with the other. Aside from this validation we also have the need to do a peer
review, some sort of QA, quality assurance, to make sure that once I perform some examination,
which includes the acquisition of the extraction, the analysis, as well as the reporting, that
I have my peers, at least two others, QAing my work to make sure that
the methods and the procedures I followed are also repeatable. And if they look at this
information, if they can repeat it, then it passes QA and now it gets sent out to legal,
or for that matter maybe prepared for some sort of court report.
As far as most products, I just want to give you some numbers. These are the more popular
forensics that are used in public and corporate. EnCase Neutrino is five thousand dollars.
I have an asterisk next to it, again depending on whether it's public or private. EnCase also,
it includes Neutrino within the package itself, so you already have Neutrino if you have bought
EnCase. Then there's AccessData MPE+, that's about 5,000 dollars also.
Cellebrite UFED is one of the more popular mobile forensic devices, and being the most popular also means
the more costly, right? So that one's ten five, and then there's Lantern3 which is six
hundred dollars, and then Oxygen Forensics. I just wanna show you what it looks like from
an investigator's or examiner's perspective when you actually image something. So in this
case I used the least expensive product, but this is also actually a very good product.
And it processed the data very nicely. Now this was a file system extract, not a physical,
a file system. And this was done on an iPhone 4S which had encryption built into it. And
as you can see you get everything from not only the notes, the messages, videos, the
dictionary. Have you ever sent text messages to someone and your words get repopulated
automatically, right? That gets stored in the dictionary. That's a bread crumb. So if
you're constantly saying typical phrases or something like that, that would be included
in this examination, or for that matter in this report. So you get all your calls information:
how many times you called it, what's your duration, the date and time, a voicemail; you can actually
listen to voicemail messages that are stored on this phone. So we're not even going onto
the service provider and requesting and having to do a search warrant to actually be able
to listen in on the voicemails; we can actually do this in regards to what's stored in that
phone. Messages, text messages, how many messages overall, what's the hash value, what's the integrity
of these messages, and also the location of the messages within the file system. Wifi
history, bread crumbs, geotagging. Have you guys ever taken a picture and then you have
the GPS information behind it and maybe not know that you had the geotagging enabled?
Someone at a bar taking the picture can pinpoint exactly where you're at. Well, all this
information, you can take the actual picture, look at it, get the geotagging information,
click on the link which automatically ports it to Google Earth, or maybe it has its own
interface and gives it the exact location of what it looks like, how Google Earth has
it, you know, in relation to the picture. So you can match the pictures based on the location.
And this is just another application, another, this is actually using Physical Analyzer, which
is a Cellebrite UFED. And we list various resources; everything I've spoken about
can be found in these resources as well, and we'll also include additional guides on the website,
so thank you.
And we'll take some questions now.