Welcome to Forensic's monthly column, Digital Intelligence in the 21st Century. This column is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the second friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.
*co-authored by Paul Lorentz, Senior Solutions Engineer, Cellebrite
The rise of file-based encryption on popular mobile devices like those from Google and Samsung is creating new challenges for forensic examiners. The old-school methods of gaining access to device data, like removing a chip from a circuit board, don’t do examiners any good when file encryption is the norm. However, all is not lost.
When lawful or consent-based access has been secured, if you’re confronted with devices using file-based encryption and you really need that data, there are workflows that allow your encrypted-device experts to take their best swing accessing the device. Advanced technology is also available to help examiners extract Digital Intelligence (DI) from devices. (Digital Intelligence is the data that is collected and preserved from digital sources and data types—smartphones, computers, and the Cloud—and the process by which agencies access, manage, and leverage data to more efficiently run their operations.)
Constant learning is also needed in order to gain access to data on encrypted devices. Encryption technology is changing rapidly, which means forensic examiners should never stop learning. They must stay current and continue to study up on the best approaches for each device, operating system, and encryption type. Fortunately, there is a good deal of knowledge-sharing going on in the law enforcement and digital forensics communities, with experts sharing tutorials on new encryption methods and their successes in obtaining data from these devices when lawful or consent-based access is secured.
In this column, we’ll offer some do’s and don’ts for working with encrypted devices, including advice on creating workflows and avoiding missteps due to inexperience.
Do’s and Don’ts for Working with Encrypted Devices
Do document, document, document
Always document what you see. Is there a lock screen on the device? Are there text or app messages visible? Note the time/date that is set on the device. Log these attributes, as they can help forensic examiners determine their approach to obtaining data from the device.
Don’t manually examine the device if you are worried about making accidental/permanent changes
In some jurisdictions, it is permissible to do a cursory examination of a phone upon arrest. However, tread very, very carefully here. One should ensure they have lawful access to the device prior to accessing any data. As mentioned previously, document everything you do and everything you see. This is an important lesson to pass along to tech savvy frontline responders. Even the most trained professionals can click a message marking it “read,” when really it was “unread.” It’s possible that actions done with the best intentions, like changing settings, could prevent a knowledgeable forensic examiner from gaining access to data on an encrypted device. If someone messes up a workflow as soon as the examiner has access to a device, the investigative team could miss out on obtaining crucial evidence. Bottom line: If responders are not specifically trained to manually examine device, they should not do it.
Do isolate devices from network access
Again, a frontline responder should only access a device’s network and Wi-Fi settings if they’re familiar with that particular device and have lawful access or consent to do so. If the responders don’t have knowledge on handling mobile devices, they can place the devices in Faraday or anti-transmission bags until an expert can look over the device. Remember, if you are isolating a device that is live, connect it to a battery pack inside the Faraday bag.
If SIM Card removal needs to take place, you don’t need special tools or hardware, a simple paperclip can work. Make sure you secure that SIM card somewhere safe, so it doesn’t get lost. Also, make sure you understand that removing a SIM card from some devices may lock the device and make it harder to access during forensic extraction. Again, knowledge is key.
Do keep devices powered up
If possible, keep the device powered on because some of the strongest encryption today might block any data being extracted if a device is powered off.
Don’t try to guess passwords
Some devices will lock out users or even trigger a phone wipe after a certain number of password entry-attempts. What’s more, the person entering the guessed passwords doesn’t know how many failed attempts there have been, or how many are left.
Do create standard operating procedures and workflows to ensure chain of custody
Chain of custody is important as it ensures the devices are properly handled and only when legally authorized or during a consent-based situation. Standard operation procedures (SOPs) need to be in place to ensure your organization has a reason for your actions:
- How do you respond to devices at a scene?
- Do you acquire on site or back in a lab?
- How do you document what you find?
- How do you handle locked or unlocked devices?
- How do your store the data to ensure nothing is changed inadvertently?
Ask trusted local agencies, such as associations of chiefs of police, for best practices and procedures for managing digital evidence.
Do consider whether the encrypted device even needs to go to the lab
Not every device needs to be added to the workflow of forensic examiners who are generally overloaded. If a device owner gives consent to allow specific pieces of evidence to be extracted from a device—like photos or text messages—then frontline responders can use relevant technology right at the scene. This way, unnecessary devices aren’t piling up in labs, and owners can get their devices back faster.
Learning never stops
It’s not easy for frontline responders and forensic examiners to keep up with the devices, operating systems, and encryption technologies on the market—but keep up they must. It’s not just the new devices: It’s also legacy devices that can turn up with a wide variety of OS upgrades, all of which might need to be managed in different ways.
Every change in OS or device type can change an examiner’s methodology and workflow. The state of the device when it becomes a part of a crime scene makes a difference. Is it powered on? Powered off? Will you face encryption challenges? That’s why knowing what’s in front of you is key before making a move to obtain data from an encrypted device.
Resources
Josh Hickman (@josh_hickman1) is a digital forensic practitioner whose blog (The Binary Hick) is an excellent source of DFIR information. A recent podcast from Cellebrite with special guest, Andrew Rathbun, Senior Associate at Kroll, also contains a wealth of information that those in the DFIR community will find useful.