The Future of Digital Forensics: The Good and the Bad


co-authored by Paul Lorentz, Product Specialist, Portfolio Strategy and Engagement, Cellebrite

Since encryption came to consumer phones in a big way, the job of gaining access to phones for evidence has been made exponentially tougher. Without a witness who knows a suspect’s phone password, or a good clue from available evidence, gaining access to a modern encrypted phone is no one's idea of a slam-dunk task. Nevertheless, there are tools that can help digital forensic investigators get (somewhat) around encryption protections to access some data.

As time has gone by, technology companies have brainstormed solutions to work around many of the data protections provided by vendors of devices and their operating systems. But in the future, will legally accessing evidence on mobile phones become even tougher, or are there some hopeful signs of clever technology that can deliver the data needed to close cases? The answer is a mixed bag.

Certainly, encryption isn’t going away: The pendulum should keep swinging towards more privacy. Security has become a selling point for vendors of consumer phones: As consumers learn more about cyberattacks and are pressed by phone OS makers to keep updating software to eliminate security gaps, they’re inclined to want more security and not less. Passcodes themselves are becoming more complex, adding yet another layer of difficulty for the investigators.

Even if investigators do manage to obtain cell phone evidence through a data extraction, the truth is that it’s not all of the data. There’s likely to be data missing because of an additional layer of encryption on the application level. The type of extraction that investigators are obtaining matters more and more today because of these different layers of extraction.

Devices that have been damaged, either purposely or accidentally, have always been a challenge. But investigators with tenacity who had access to the essential pieces, like the chip, could often grab data from the remains of a phone.

Not so likely today, unfortunately. This process has become much more complicated in modern phones. Hardware-backed encryption means that multiple parts rely on each other to function properly. New technology packed into these new microchips means that they are smaller, thinner, and faster, but also much more fragile, which makes chip transplants a much more complicated and delicate process. The risks of using this technique today are very high.

What’s the good news?

It’s not all gloom and doom in the digital forensics world, however. Even as encryption gets stronger and consumers embrace digital privacy protections, there are trends afoot that will help the good guys.

Collaboration. Law enforcement agencies are much more connected to each other than in the past, on every level: federal, state, and local. There are task forces that work together across cities and even states on a specific problem, as in the HIDTA program (High Intensity Drug Trafficking Area) that’s part of the federal Drug Enforcement Administration.

There are also online forensic communities that share information about the challenges of forensics, and how to decode data. The group members help each other through these challenges. Groups don’t make the challenges go away, of course, but at least they allow investigators to share approaches with their peers.

Awareness. The importance of digital forensics technology and skills is in the limelight much more in today’s law enforcement agencies. At meetings among chiefs of police, the conversations are likely to turn to standard operating procedures (SOPs) for digital forensics and digital device handling. The conversations are no longer confined to just the forensics labs: Now it’s actually the executives who are working together on proper SOPs and training at a much larger scale.

Put simply, the decision-makers in law enforcement are realizing the importance of digital investigations and how they can solve or sink a case.

Digital forensics vendor innovation. The technology sector is keeping pace with the innovations (and barriers) coming from the consumer technology side. There’s also a good deal of collaboration between the technology vendors and their customers. The law enforcement agencies can help shape the necessary tools to deliver the results they need. It’s a win-win for everyone.

Traditional policing and SOPs. Innovative digital forensics technology has been a tremendous boost for law enforcement. But it can’t replace (and was never meant to replace) the investigative smarts of frontline officers and investigators. With higher awareness of digital forensics and the importance of training and SOPs for digital evidence, officers can play a greater role in protecting and preserving digital evidence. When officers handle devices as carefully as they do other evidence at a potential crime scene, digital forensics investigators stand a better chance of obtaining the data to help close cases faster.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high profile cases from child exploitation to Osama Bin Laden’s digital media. Paul Lorentz spent nearly 15 years in law enforcement, most recently as a detective with the Ottawa Police Computer Forensic Unit. He is part of the product team of Cellebrite advocating for customers.

 
