Gaining Access 101: A Simple Guide to Data Extractions

Welcome to Forensic's monthly column, Digital Intelligence in the 21st Century. This column is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the second Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.

*Co-authored by Matt Goeckel, Solutions Engineer at Cellebrite

Data from digital devices is essential to modern law enforcement. Now that we live our lives on our phones, most if not all of our daily activities are recorded on the device itself or in the Cloud—everything from our communications with friends and family, to where we’ve been and where we’re going. In case after case, in law enforcement agencies around the world, suspects are quickly found, shown incriminating evidence from their own devices that often leads to a confession, or found guilty by courts because digital evidence exposed exactly where and how crimes were committed, and by whom.

The challenge today is that data extraction is becoming tougher to do, as device manufacturers such as Samsung and Apple respond to consumers’ desire for privacy by building in much tougher data encryption and security. For law enforcement, the days of simply asking suspects for their log-in credentials and collecting data from their phones are long gone, as are the days of easily bypassing a passcode.

Today, law enforcement officers need more advanced technology, more training, and stricter workflows to obtain Digital Intelligence (DI) from devices. (Digital Intelligence is the data that is extracted from digital sources and data types—smartphones, computers, and the Cloud—and the process by which agencies access, manage, and leverage data to more efficiently run their operations.)

In this column, I’ll break down the steps needed to perform simple data extractions, including the legal steps to consider as well as technology, training, and workflows to implement.

Workflows For Data Extraction

Step 1: Handle devices with care

Law enforcement teams should handle digital devices just as they do any other piece of forensic evidence: as little as possible, and with care not to disturb or delete evidence inadvertently. Handling a digital device sloppily is right up there with tromping willy-nilly through a crime scene. Before any device is touched, plans should be made to log details of every device’s chain of custody—who handled the device, when, and why.

Resist the urge to scroll through texts, e-mails, or recent calls. You might change a message from “read” to “unread,” a seemingly inconsequential switch that could have bearing in court. Or by looking at the most recent calls or messages, you could unintentionally cause old calls and messages to roll off the device—and those messages might be the ones that crack the case. Likewise, you might accidentally make a phone call, and that call will show up as being made after the phone was seized, raising questions by defense attorneys about whether the process of securing the evidence followed proper procedures.

Step 2: Isolate the phone from online access

Once the device is in the digital lab, it’s good practice to immediately put it into airplane mode, so you isolate it from available online access. This step prevents a device from being remotely wiped, which could only take a second; it also ensures the device remains in the state in which it was found.

At this point, training is critical, since next steps require broad knowledge of devices and their data encryption, password protocols—and of course, how to take many models of phones off of network access. In addition, lab personnel need ongoing training on the unique extraction techniques associated with certain device models; those specific extraction strategies could yield more data.

Step 3: Nail down what you can legally extract

With the device safely isolated from online access, investigators can slow down a bit and prepare to extract data. It’s important to understand what you can legally extract from the device. There are three types of legal permission, each with its own subtleties:

  • Consent from the device owner: This can come with stipulations, such as, “You can search e-mails and texts but not my photos.” That means extraction may be limited to specific areas of the device, or related data in the Cloud.
  • Search warrants: These may also set limitations on what data you can collect and analyze.
  • Exigent circumstances: In the case of imminent danger, like the kidnapping of a child, investigators can legitimately search all areas of the device in order to uncover timely evidence.

Step 4: Decide on the type of extraction you wish to perform

  • Logical extraction: This is the “what you see is what you get” extraction. It includes data that is readily viewable, but often not the data you can’t see, such as deleted messages and underlying system files.
  • File system extraction: This extraction gets you more data since you are copying files and folders on the device. It’s the most intrusive extraction you can conduct on an iPhone or Android device.
  • Physical extraction: In this case, you’ll get every bit and byte off the device, including all files and folders, as well as data in unallocated storage, which may include deleted data. Any data in encrypted, unallocated space may not be accessible.
  • One-off supported extractions: Many vendors offer methods to extract key artifacts that may be otherwise inaccessible. This includes taking screenshots of data on the device (applications included) or leveraging a chat capture feature when File system and Physical aren’t possible.

When all three options are available, you should conduct all three extractions. Today, physical extractions are becoming less commonplace, since devices that use file-based encryption can’t be decrypted. You may find that nothing is working and you are forced to take screenshots or capture as many chats as possible.

On the other hand, if time is short, the best practice may be to complete a logical extraction first, which takes the least amount of time. For example, you may be collecting data from a crime victim’s phone; in the interest of sending the victim home quickly, it may be better to perform a 15-minute data extraction instead of one that takes two hours. Or, you may have received consent from a suspect to extract data from a device, and the suspect then decides shortly thereafter to withdraw that consent; at least you’ll have access to the data you extracted while the consent was still in force.

Step 5: Decode data and present it to analysts in a readable format

Investigators should decode digital data and present it to analysts so it’s easy to read and understand. The process should help surface actionable intelligence—that is, key insights for solving cases, and timelines of events.

This process should also include validation of data, which is essential when presenting data to prosecutors and courts. The validation process proves that the data was on the device in question, and has been decoded properly.
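The workflow in Steps 3 through 5 can be modelled in code: restrict the extraction to what the legal authority permits (a consent stipulation such as "e-mails and texts but not photos", a warrant's limits, or unrestricted exigent access), log every handling decision for the chain of custody, and seal the result with a hash so that validation can later prove the data was not altered after acquisition. This is an added illustration, not Cellebrite's tooling or the column's own code; the case id, examiner name and device artifacts are constructed placeholders.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass(frozen=True)
class Authority:
    """Legal basis: 'consent', 'warrant' or 'exigent'. scope lists the artifact
    categories a consent or warrant allows; exigent circumstances permit all."""
    kind: str
    scope: frozenset = frozenset()

    def permits(self, category: str) -> bool:
        return self.kind == "exigent" or category in self.scope


@dataclass
class Acquisition:
    """Chain-of-custody entries (timestamp, who, action) plus the seal hash."""
    case_id: str
    custody: list = field(default_factory=list)
    sha256: str = ""

    def log(self, who: str, action: str) -> None:
        self.custody.append((datetime.now(timezone.utc).isoformat(), who, action))


def fingerprint(collected: dict) -> str:
    """Deterministic SHA-256 over the collected artifacts (order-independent)."""
    return hashlib.sha256(repr(sorted(collected.items())).encode()).hexdigest()


def extract(artifacts: dict, authority: Authority, acq: Acquisition, examiner: str) -> dict:
    """Copy only the categories the authority permits, logging each decision,
    then seal the extraction so later validation can detect any change."""
    acq.log(examiner, f"extraction started under {authority.kind}")
    collected = {}
    for category, items in artifacts.items():
        if authority.permits(category):
            collected[category] = list(items)
            acq.log(examiner, f"collected {category} ({len(items)} items)")
        else:
            acq.log(examiner, f"skipped {category}: outside authorised scope")
    acq.sha256 = fingerprint(collected)
    acq.log(examiner, f"sealed extraction sha256={acq.sha256}")
    return collected


def validate(collected: dict, acq: Acquisition) -> bool:
    """Recompute the hash before handing data to analysts or court; a mismatch
    means the extraction was modified after it was sealed."""
    return fingerprint(collected) == acq.sha256


# Constructed sample artifacts (hypothetical, not from any real device).
SAMPLE_DEVICE = {"sms": ["meet at 9", "running late"], "email": ["invoice attached"],
                 "photos": ["IMG_0001.jpg"]}
```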

Never stop learning

The above steps can help improve data extraction workflows, as can this recent episode of the “Carved from Unallocated” podcast, which focuses on the most common mistakes made by mobile forensic examiners. But the very best advice is to keep training and keep learning. If you spend even several days away from the process of keeping up with digital forensics, you’re in danger of falling behind given the rapid changes in this field. We owe it to victims, suspects, and defendants to do the most thorough job possible when data is extracted and analyzed.