When You Think Digital Data is Gone Forever, All is Not Lost


Co-authored by Paul Lorentz, Senior Solutions Engineer, Cellebrite

What do you do when you know a crucial piece of digital evidence should be somewhere in a phone’s file, or in the Cloud, or in the social media account – yet it’s nowhere to be found? What are your options for finding that text message or photo? 

This scenario is a fairly common one for forensic examiners – and one you should be aware of as you climb up the law enforcement career ladder. We estimate that in perhaps 40 percent of cases, examiners have to grapple with the fact that key pieces of data have been deleted (intentionally or accidentally) or have just gone missing.

Here’s the good news: The technology that helps digital forensic examiners unearth evidence also includes highly advanced tools for data recovery, such as data carving, described below. With access to devices, and the ability to perform data extractions, law enforcement has a good chance of recovering data that can bring criminals to justice or exonerate the innocent.

The Basics Of “Data Carving”

With the right technology, digital forensic examiners can use a technique called “data carving” to piece together evidence that appears lost. It’s more of an art than a science, albeit one where examiners rely on technology to perform their “magic.” Today’s technology solutions allow examiners to conduct data carving in different ways, but on a high level, examiners look at a piece of data and try to recover parts or portions of that data that have gone missing or been deleted. This applies to computers, phones, and almost any type of media or data you’re dealing with. (For more basics on data carving, listen to our recent webinar on the subject.)

There are always advantages and disadvantages as to how any digital forensics vendor implements data carving methodologies. But regardless of which solution you’re using, the carving process can help recover data, piece data back together that’s been fragmented, and search for data in spots where it wouldn’t normally be stored. Without delving too deep into the technical aspects, basic file signature carving or “search” functionality is common among most tools. Where things start to branch out is in the proprietary methods, or “magic.”

Here’s an example of using data carving to find a deleted photo. If the picture gets sent as part of a text message, even though it’s deleted from the camera roll, it could be embedded in the chat application’s database file. And if the tool does a proper “carving,” examiners can potentially start digging into some of these files and pull them out. Even though the picture appears to be deleted, it may still be on the device in some other form or location. It’s simply knowing where to look for it.
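To make the file-signature carving described above concrete, here is an added Python example (not Cellebrite's or any vendor's code) that scans a constructed "database" blob for JPEG and PNG magic bytes, ignoring the container around them, and flags any object whose footer has been overwritten. The signatures are real; the sample blob and the size cap are assumptions for illustration.

```python
from typing import List, Tuple

# Header/footer byte signatures used by basic file-signature carving (real magic values).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
# Cap on a single carved object so a missing footer cannot swallow the rest of the blob.
MAX_FILE_SIZE = 10 * 1024 * 1024

# (kind, offset, data, complete) - complete is False when no footer was found in range
CarvedFile = Tuple[str, int, bytes, bool]

def carve(blob: bytes, max_size: int = MAX_FILE_SIZE) -> List[CarvedFile]:
    """Scan an arbitrary byte blob (e.g. a chat app's database file) for embedded
    files by signature, without parsing the container structure around them."""
    found: List[CarvedFile] = []
    for kind, (header, footer) in SIGNATURES.items():
        start = blob.find(header)
        while start != -1:
            window_end = min(len(blob), start + max_size)
            end = blob.find(footer, start + len(header), window_end)
            if end == -1:
                # Footer overwritten or file truncated: keep the window, flag it partial.
                found.append((kind, start, blob[start:window_end], False))
                start = blob.find(header, start + len(header))
            else:
                end += len(footer)
                found.append((kind, start, blob[start:end], True))
                start = blob.find(header, end)
    return sorted(found, key=lambda f: f[1])

# Constructed sample: a fake database file holding one intact JPEG, one intact PNG
# and one JPEG whose tail has been overwritten (no EOI marker).
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"A" * 20 + b"\xff\xd9"
SAMPLE_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"B" * 13 + b"IEND\xaeB`\x82"
SAMPLE_TRUNCATED_JPEG = b"\xff\xd8\xff\xe1" + b"C" * 30
SAMPLE_BLOB = (
    b"SQLite format 3\x00" + b"\x00" * 40 + b"message row: photo sent"
    + SAMPLE_JPEG + b"\x00" * 10 + SAMPLE_PNG + b"\x00" * 10
    + SAMPLE_TRUNCATED_JPEG + b"\x00" * 10
)

if __name__ == "__main__":
    for kind, offset, data, complete in carve(SAMPLE_BLOB):
        state = "complete" if complete else "partial (footer missing)"
        print(f"{kind} at offset {offset}: {len(data)} bytes, {state}")
```

A partial hit is still worth keeping: a JPEG with its first scan lines intact can often be rendered even when the footer is gone, and the offset alone shows that an image once lived in that row.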

Best Practices For Finding Missing Evidence

Here are some standard operating procedures that every examiner should follow:

Look for what you don’t know is missing. Yes, this does indeed seem counterintuitive: How can you find what you’re looking for if you don’t exactly know what you’re looking for? In many cases, witnesses or victims may tell you they sent photos and messages to suspects or that they received such messages, giving you a solid lead about the existence of a piece of evidence. But this isn’t always the case. 

This is where technology can be a big help because it helps bring pieces of evidence to the forefront that can deliver more insights about a case.

Start investigating digital evidence as soon as possible. Say a witness deleted a photo they didn’t think was important to an investigation – but forensic examiners think it could be. If it takes a month to investigate the device’s data, the chances the data may be overwritten are very high. The difference between doing forensic data extractions within 24 hours versus waiting a week or a month is significant. Modern digital operating systems have mechanisms for cleaning up files that aren’t being used. You don’t want these clean-up tools to remove a useful piece of evidence before you’ve had time to consider it. The longer you wait to extract/acquire the data, the lower your chances will be of recovering it.

Pieces of evidence can make a difference – so they’re worth tracking down. An incomplete piece of digital evidence can still have value. Sometimes you don’t have that full-on smoking gun – you just have the building blocks of a case built on circumstantial evidence. It may be that a suspect’s act of deleting a piece of evidence speaks to the person’s intention to commit a crime. Deleting evidence can speak volumes to a court.

This strategy is, in part, how investigators for the South Wales Police in the United Kingdom helped put together a case against a person suspected of distributing indecent images of children. Officers received a tip that the suspect was using file-transfer services such as Mega and Telegram to share images. Using Digital Intelligence tools, investigators found artifacts of both Mega and Telegram, demonstrating that the person had deleted the apps. The discovery inspired investigators to keep searching for the indecent images, which they found in a secured folder. (The case is ongoing and may come to court by fall 2021.)

Create standard operating procedures. The SOPs that investigators or frontline officers implement will significantly impact the likelihood of success that the forensic lab examiner will have down the line when trying to bring lost evidence to light. The SOPs will reduce the likelihood that officers or examiners themselves will inadvertently delete data – and yes, that can happen.

Also, the SOPs that dictate how quickly digital evidence is examined can help reduce the chance that a device could be remotely wiped by a suspect – and yes, this can happen, too. 

We don’t want to paint too rosy a picture of the ability to retrieve every lost piece of data 100 percent of the time: with encryption now commonplace, and in scenarios involving badly damaged hardware, some searches may yield little. That said, we’ve seen forensic examiners get data off of phones that had been at the bottom of a lake for a month, or piece together circuit boards that were ripped in half. So the possibility is always there.

One more thing to remember is cloud data. If data is on a phone, it’s likely stored somewhere else as a backup. The Cloud is perhaps the ultimate storage backup and a key source for what might at first glimpse have appeared to be “lost data.”

Finally, it’s important to remember that you’re not in this alone. Cellebrite has helped investigative teams all over the world establish the right processes and SOPs to make investigations run more smoothly, so don’t hesitate to reach out for advice. As a trusted partner, we’re always here to help.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.
