How Digital Analysts Manage the Impact of Malware


co-authored by Jean-Philippe Noat, Senior Director of Strategic Advisory Services/International, Cellebrite

Malware plagues just about all organizations – from major financial services companies and healthcare facilities, down to mom-and-pop shops and sole-proprietor businesses. Law enforcement agencies and digital forensics labs aren’t immune to the disruptive and dangerous effects of malware either. Even analysts and examiners who are savvy about detecting and avoiding cyber attacker exploits, such as phishing emails with links that lead to malware, must grapple with devices and files that may carry malware and could infect other digital tools in the lab setting.

Fortunately for analysts and examiners, their own know-how, along with protections built into Digital Intelligence software and hardware solutions, can protect their workflows and the wider law enforcement team from falling victim to malware. (Digital Intelligence is the data collected and preserved from digital sources and data types – such as smartphones, computers, and the cloud – and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to more efficiently run their investigations.)

Why worry about malware?

For law enforcement agencies working to bring criminals to justice and protect citizens, the dangers of malware go beyond corrupted files and stolen data. If the digital evidence process isn’t secured against malware – and if the processes are not documented – defense attorneys gain a foot in the door to challenge the legitimacy of evidence. The defense could claim that text messages or emails attributed to a suspect were altered by malware, and that someone else in fact created those messages. That’s a long-shot argument, but it’s enough to raise doubt in a jury.

Examiners need to anticipate tough questions about malware protection and document the steps taken to prevent malware infections in systems that touch digital evidence. The steps and tips below can help law enforcement teams demonstrate that proper protocols have been followed to guard against malware and maintain the chain of custody.

Check for malware immediately after extracting data from a mobile device.

This advice applies to mobile devices, for which examiners want to complete data extraction as rapidly as possible. The issue is that when mobile devices are turned on, any potential malware is also running – hence the need for speed when it comes to data extraction in case malware damages the evidence. The examiner can use a vendor’s malware-screening tools to detect the presence of malware. The examiners can then detail the processes used to scan data and devices for malware. (Users should actively explore which malware-screening tool their vendor offers to ensure they are getting the solution that offers the most advantages.)

If the examiner needs to extract data from a computer, such as a laptop or desktop, the malware scan should be done twice: first while the computer is running (with a RAM capture if possible), and again in a cold state after the disk has been acquired. The second scan is possible because the hard disk can be removed from the computer while it is powered off, or static, when no malware is running.

Look for signs of malware activity.

To a trained eye, a mobile device infected by malware may exhibit unusual behaviors. For example, the device could be operating very slowly, consuming a good deal of power, or running many apps at once. In addition, the device’s operating system could be asking for out-of-the-ordinary permissions like access to the device’s camera or the ability to send SMS messages.

Detect possible missing data – and search for backup data.

If examiners detect the presence of malware, it’s a good idea to look for signs that evidence is missing – for example, gaps in the sequential numbering of images, or traces of deletion in SQLite databases and other logs. If evidence appears to be missing, search for backup files that could confirm the data on the device has been altered.
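The two checks named above, as an added example that is not part of the column or of any vendor tool: a gap finder for sequentially numbered camera files, and two SQLite deletion indicators (freelist pages left behind by deletes, and the gap between the AUTOINCREMENT counter in `sqlite_sequence` and the rows still present). The filenames and the messages database are constructed fixtures; the `IMG_NNNN.JPG` pattern is an assumption about the naming scheme.

```python
import re
import sqlite3
import tempfile

# Constructed sample of camera filenames as they might appear in an extraction.
SAMPLE_IMAGES = ["IMG_0101.JPG", "IMG_0102.JPG", "IMG_0105.JPG", "IMG_0106.JPG"]

def missing_sequence_numbers(filenames, pattern=r"IMG_(\d+)\.JPG$"):
    """Return the sequence numbers absent between the lowest and highest seen."""
    seen = set()
    for name in filenames:
        match = re.search(pattern, name)
        if match:
            seen.add(int(match.group(1)))
    if not seen:
        return []
    return [n for n in range(min(seen), max(seen) + 1) if n not in seen]

def sqlite_deletion_indicators(db_path):
    """Freelist pages (freed by deletes, not yet reclaimed by VACUUM) and, per
    AUTOINCREMENT table, highest rowid ever assigned minus rows still present.
    The gap is a lower bound: it assumes ids started at 1 and were never reset."""
    con = sqlite3.connect(db_path)
    try:
        freelist = con.execute("PRAGMA freelist_count").fetchone()[0]
        gaps = {}
        has_seq = con.execute(
            "SELECT 1 FROM sqlite_master WHERE name = 'sqlite_sequence'").fetchone()
        if has_seq:  # only databases with AUTOINCREMENT tables have this table
            for name, seq in con.execute("SELECT name, seq FROM sqlite_sequence"):
                present = con.execute(f'SELECT COUNT(*) FROM "{name}"').fetchone()[0]
                gaps[name] = {"assigned": seq, "present": present,
                              "missing": seq - present}
        return {"freelist_pages": freelist, "autoincrement_gaps": gaps}
    finally:
        con.close()

def analyze_constructed_db():
    """Build a constructed fixture (five 5 KB messages, three deleted) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = f"{tmp}/messages.db"
        con = sqlite3.connect(path)
        con.execute("CREATE TABLE messages(id INTEGER PRIMARY KEY AUTOINCREMENT, body TEXT)")
        # 5 KB bodies exceed one page, so each deleted row frees overflow pages
        con.executemany("INSERT INTO messages(body) VALUES (?)",
                        [("x" * 5000,) for _ in range(5)])
        con.execute("DELETE FROM messages WHERE id IN (2, 3, 4)")
        con.commit()
        con.close()
        return sqlite_deletion_indicators(path)
```

A non-zero freelist count or a counter gap shows that rows were removed at some point, not who or what removed them; that is why the column pairs this check with a search for backups.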

Report on the potential impact of malware on digital evidence.

While a deep dive into the type of malware or the extent of the malware infection might be beyond the scope of the examiner, reports on the state of digital evidence need to contain analysis of the possible impact on data.

For example, examiners might know that malware has affected SMS messages and phone call records, but has no impact on WhatsApp messages. This is vital information for a report, as it can show that critical data was unaffected by malware. Examiners can then report that human users of the devices sent the WhatsApp messages, and not the malware.

Match use of tools and maps with data that confirms user activity.

The digital evidence report may need to detail what type of malware has been detected, and how it attacks or takes control of device functions like messaging. An examiner can also strengthen arguments for human activity versus malware activity by showing that a mobile device keyboard was being used at the same time an app was active.

The examiner can also include data about which apps were operating on the device screen, and when – more indicators that the activity was driven by the device’s user instead of by malware.
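The correlation described in the last two paragraphs, as an added example that is not code from the column or from any vendor tool: each sent message is checked against foreground-app windows and keyboard-shown sessions, and classified by how much user interaction surrounds it. The record layouts, app names and timestamps are constructed, and the five-second keyboard window is an assumed tolerance.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from a real extraction); all times are device-local.
FOREGROUND_APPS = [  # (app, on_screen_from, on_screen_until)
    ("WhatsApp", "2024-03-01 10:00:00", "2024-03-01 10:03:00"),
    ("Settings", "2024-03-01 10:10:00", "2024-03-01 10:12:00"),
]
KEYBOARD_SESSIONS = [  # (keyboard_shown, keyboard_hidden)
    ("2024-03-01 10:01:10", "2024-03-01 10:01:40"),
]
MESSAGES = [  # (message_id, sending_app, sent_at)
    ("msg-1", "WhatsApp", "2024-03-01 10:01:42"),
    ("msg-2", "WhatsApp", "2024-03-01 10:02:30"),
    ("msg-3", "WhatsApp", "2024-03-01 10:11:00"),
    ("msg-4", "SMS", "2024-03-01 02:30:05"),
]

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def corroborate_messages(messages, foreground, keyboard, slack=timedelta(seconds=5)):
    """Classify each message by the user-interaction evidence around its send time.

    user_interaction    : sending app on screen and keyboard shown within `slack`
    app_foreground_only : app on screen, but no keyboard use recorded
    no_interaction      : neither recorded; flag for closer review"""
    verdicts = {}
    for msg_id, app, sent in messages:
        t = _ts(sent)
        on_screen = any(name == app and _ts(start) <= t <= _ts(end)
                        for name, start, end in foreground)
        # keyboard counts if it appeared before the send and was hidden at most
        # `slack` before it (a negative difference means it was still showing)
        typed = any(_ts(shown) <= t and t - _ts(hidden) <= slack
                    for shown, hidden in keyboard)
        if on_screen and typed:
            verdicts[msg_id] = "user_interaction"
        elif on_screen:
            verdicts[msg_id] = "app_foreground_only"
        else:
            verdicts[msg_id] = "no_interaction"
    return verdicts
```

Messages that land in `no_interaction` are the ones whose origin (user or malware) the report cannot settle from interaction data alone.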

Stay on top of cybersecurity training regarding malware trends.

While Digital Intelligence solutions can do much to automatically detect and identify malware, examiner knowledge is critical. The world of cybersecurity and malware is constantly evolving, placing demands on examiners to continually undergo training from in-house instructors or trusted partners. It adds to examiners’ training burden, but the training time will pay off in the ability to strengthen investigative reports and close cases successfully.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases from child exploitation to Osama Bin Laden’s digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.
