Closing Cases: The Crucial Role of Full File Systems in Law Enforcement Investigations

Co-authored by Paul Lorentz, Product Specialist, Portfolio Strategy and Engagement, Cellebrite

When every binary digit of evidence holds the potential to shape justice, there exists a hidden digital treasure chest capable of unravelling the most intricate of mysteries—it’s called the full file system (FFS).

Why the FFS Matters

Picture the pursuit of truth in high-profile cases like the Long Island Gilgo Beach serial killer or the ongoing Idaho murders—an instrumental element in connecting the dots, establishing timelines and uncovering crucial evidence is the full file system. It’s not merely a component; it’s the cornerstone that holds the potential to lead investigations toward conviction or exoneration.

Moreover, consider the time-sensitive aspect of every investigation. Deleted data is like a fleeting whisper in the digital realm. The full file system stands as the only means to capture these whispers before they vanish, potentially altering the trajectory of an investigation.

Understanding Full File System (FFS)

Gone are the days of outdated methods like ‘chip off’ or ISP, which use hair wires and soldering on circuit boards to communicate with the device; they simply cannot decode the depth and richness offered by modern forensic methodologies. Even mainstays like advanced logical, which yields only partial extractions, are not enough for the data-rich crimes of today.

Building the full picture means having every bit of data you can get your hands on, and that is where the full file system comes in. Imagine tapping into user data AND system files that tell you the truth about how the user data was created.

What’s in The Treasure Chest?

For iOS, get access to Biome and knowledgeC, key places that track how the user data was created and hold the keys to understanding iOS user behavior. Consider health data that tracks things like heart rate, steps and elevation. This can help paint a full picture of where the device has been.

It is the same story with Android, where extraction without the full file system is akin to painting a portrait with missing brushstrokes. Without access to application data or their databases, critical pieces of the investigative picture are missing, affecting the road to justice.

Mind Your Method

The method matters when it comes to getting a full file system—especially when there is a need for additional decryption keys. Remember:

  1. Not all tools that can do FFS are created equal: understand the limitations.
  2. Certain applications require additional decryption keys to access the data you need.

Look forward to system usage artifacts and all the files you need to construct a complete timeline within your tool—a full picture you could never draw with a partial extraction!

Too Many Agencies Are Missing Out

If FFS is the golden goose, you may be wondering why agencies aren’t using this extraction method. In a word: understanding—or a lack thereof at all levels.

Myths and misconceptions often overshadow the significance of full file systems in law enforcement agencies. Unfounded fears about device damage caused by failed full file system extraction—which is a false assumption—impede the pursuit of pivotal evidence, leading to missed opportunities and unresolved cases.

Then there’s the time factor, or a lack of it. Some don’t allow, or don’t get, the time to do a full file system extraction and resort to methods such as advanced logical, which yields only partial extractions. Constructing a true timeline with a partial extraction isn’t possible. Consider that this data could be your path to conviction or, in some cases, exoneration of an innocent party.

Overcoming Roadblocks and Garnering Support

Educating law enforcement professionals at all levels is key to getting buy-in. By showcasing actual comparisons between partial and full extractions, while shedding light on the gaping holes in investigations, we bridge the knowledge chasm and underscore the indispensability of complete file systems, encouraging the right investments in digital investigative solutions.

And when you do get the right tools in place, maximizing the technology comes down to training, training, and more training. Check out resources like the Tip Tuesday series that offers best practices and advice to help every examiner keep up with an ever-evolving digital landscape to effectively accelerate justice one full file system and case at a time.

About the Author

Heather Mahalik Barnhart is the Senior Director of Community Engagement at Cellebrite, a global leader in premier Digital Investigative solutions for the public and private sectors. She educates digital forensic professionals and advises on strategic digital intelligence operations. For more than 19 years, Heather worked on high-stress and high-profile cases, investigating everything from child exploitation to Osama Bin Laden's digital media. She’s helped law enforcement, eDiscovery firms and the federal government extract and manually decode artifacts used in solving investigations around the world.  

 
