Best Practices for Encrypted Devices


co-authored by Paul Lorentz, Senior Solutions Engineer, Cellebrite

Consumers who buy and use today’s mobile phones want assurance that their personal data is secure – so vendors are responding with increasingly sophisticated data encryption. This hardened encryption is now a must-have for mobile devices, and not just a “nice-to-have.”

That’s been good news for citizens but bad news for investigators who now face a virtual brick wall when trying to collect and analyze crucial evidence that could bring criminals to justice. Encrypted data is commonly thought of as simply unattainable, unless investigators are fortunate enough to figure out a password or get a willing witness to supply one.

However, digital forensics examiners do have faster, better tools at their disposal to gain lawful access to encrypted data – without having to endlessly guess at passwords. Just as consumers view privacy as a must-have instead of an option, law enforcement agencies must also view advanced access solutions, which can lawfully obtain critical mobile evidence, as a must-have. 

With this technology deployed at digital forensics labs, along with in-depth training, examiners can retrieve the Digital Intelligence needed to solve cases. (Digital Intelligence is the data collected and preserved from digital sources and data types [smartphones, computers, and the Cloud] and the process by which agencies collect, review, analyze, manage, and obtain insights from this data to more efficiently run their investigations.)

Until encryption became pervasive, forensic examiners had some workarounds for encrypted phones, such as physically removing the memory chip to bypass the device's protections, or soldering directly to the board to read the chip. This relatively easy tactic is no longer a viable option, since the data stored on the chips is itself encrypted and unreadable without the keys.

The newest advanced access solutions use cutting-edge technology that doesn't involve physically removing chips from devices. These new solutions also provide a deeper level of data extraction when operated by highly trained forensic examiners. Using the best practices below, frontline officers can also play a role in ensuring these examiners go into investigations of encrypted devices with the best chance of success.

In the Field

Leave devices on. If phones and other digital devices are powered on when you find them, leave them on, and connect them to a power source as soon as possible. Many officers at the scene will want to turn off devices to keep them off available cellular and Wi-Fi networks. While isolating a device from network connections is generally a very good idea, you don't want to do this by turning off the phone or tablet. When a device is restarted, it comes back in a more locked-down state than before: the keys that were held in memory while it was running are discarded, and more of the data stays encrypted until the passcode is entered again.

The best advice is to put the device in a Faraday bag, or place it in airplane mode.

Don't try to guess passcodes. Anyone who has mistyped a smartphone passcode more than a couple of times knows that the device may warn you that only a limited number of attempts remain before it locks down completely. Don't waste any of these attempts – leave the passcode entry to the examiners. Attempting codes could make the situation much worse, and it could inadvertently wipe the device.

At the Lab

Stick to the SOPs. Your digital forensic lab should have a set of standard operating procedures to follow when using advanced access solutions for encrypted devices. In fact, the best advanced access tools come with training that helps establish SOPs for the lab and the frontline officers.

The knowledge of forensic examiners and their adherence to SOPs can make a difference when a case finally goes to court. Defense attorneys will grill examiners on their knowledge of the technology solutions used to derive evidence, and will also ask how the device was handled (and by whom) at every step of the process.

Communicate what you’re after. Investigators and frontline officers usually have a sense of what evidence they need, like the timeframe and the form of communications. This information is immensely helpful to examiners using advanced access solutions, as it will save them time and allow them to concentrate their search on relevant information.

The time saved is particularly critical if the device and data being examined are under judicial authorizations and can only be legally held for a few days – unless evidence is uncovered that can be used to charge a suspect.

When all else fails, call in the consultants. Sometimes even the most advanced access solution and the very best examiners can’t gain access to encrypted devices. In these cases, it’s likely that investigators can get help from outside consultants, and even the vendors of their advanced access solutions. These specialists will likely have deeper knowledge of what advanced access solutions can or cannot do, and they’ll know about successful tactics that other digital forensics examiners have deployed.

Forensic's monthly column, Digital Intelligence in the 21st Century, is authored by Heather Mahalik, Senior Director of Digital Intelligence at Cellebrite. With over 18 years of experience in digital forensics, Mahalik has been an expert of choice for many law enforcement and intelligence agencies. She has worked high-profile cases ranging from child exploitation to Osama Bin Laden's digital media. Check back the first Friday of every month for more digital intelligence as Mahalik takes on managing and sharing data, testing and validation, highly encrypted phones and more.
