The purpose of this paper is to encourage mobile forensic practitioners to consider a wider number of critical factors surrounding their choice and use of mobile forensic tools. Specifically, the quality of decoding, training of users and ultimately the preservation of digital as evidence in court proceedings.
There is a tendency in the world of mobile forensic tools to focus on one thing: data acquisition.
Most users tend to focus on purchasing a tool that gets them access to the data. Makes sense, right? Not much point in doing anything else, if you can’t get the data in the first place and we would agree. But it shouldn’t stop there. There are four critical factors to consider:
1: Accessing Data
2: Decoding Data
3: Data Integrity
4: Training Users
This white paper focuses on points 2, 3 & 4 on the assumption that point 1 is already self-evident and gets plenty of attention in the marketplace.
The message here is that it doesn’t just stop once you have access, there are still some vitally important matters to consider before presenting your evidence in court.
1. Accessing data
If you do mobile forensics, you know that the hardest thing is getting the data in the first place. It is also the one thing customers are more than willing to pay for when it comes to the commercial aspects of the business.
This is currently the entire business model of Grayshift, for example, with their iPhone tool GrayKey. This tool is a way to get the data. The value of their product is that they have a unique exploit that allows users to bypass the iOS device security to recover the data.
Critically though you need to purchase another mobile forensic tool in order to decode that data. The Grayshift business model assumes users already have another mobile forensic tool that can ingest their data and decode it to view the contents.
In other words, getting the raw data isn’t enough. You also need to be able to read it. Which leads us to the second priority – decoding.
2. Decoding Data
Why is decoding important? Put simply – time.
Unless you happen to be a digital forensic expert who reads hex binary data natively and has unlimited time to analyze data dumps, you’ll appreciate that some mobile forensic tools can automatically decode data for you.
Not many people are skilled enough to review binary data on a daily basis. But pretty much anyone can look at pictures acquired from a mobile device and work out if they are relevant or not. That is the value of decoding, it means you can quickly see what has been recovered and then determine if there is anything of evidential value on the device.
Disappointingly, we see a trend of users not giving as much thought to the quality of the tool’s decoding, compared to whether or not it can acquire the data in the first place. This is a significant oversight, given that most people only view what is automatically decoded by the tool.
It is almost as if it is assumed that the data presented will always be everything from the mobile device. Further that every extraction will present the same data regardless of the tool used, if acquired from the same source. A simple comparison test between different digital forensic tools should soon debunk this assumption.
While the original raw data is always there in the extraction, a forensic tool’s ability to decode and present it is a separate matter. That’s because it relies on software engineers’ understanding of the latest data formats which are changing all the time.
In our comparison tests between tools we have seen significant variances in the data presented based on the same acquisition. The speed of development and frequency of updates in apps, for example, means that the way data is stored is changing all the time and it is an endless task for tools to keep up to date.
The unpleasant truth is that mobile forensic tools often produce different results when you compare the outputs of their decoding. So, all other things being equal, you want to be sure that your tool decodes the most data in the most reliable way.
A true professional knows this and will have access to multiple mobile forensic tools for comparison and validation purposes. If two different tools come up with exactly the same result, the level of confidence in the results is significantly improved.
Equally, if there are variances, then the need for more verification is justified to ensure the integrity of the evidence presented. In serious crimes this should always be done as a matter of course.
The challenge of time, however, means that this isn’t always done in every single case. For example, it is neither practical nor proportionate for a non-specialist investigator to spend days studying digital data, for a minor case of shoplifting.
Nevertheless, investigators do need to review the contents of the phone extraction to ensure they are not overlooking evidence of similar crimes or more serious offenses that make the case a more serious matter worthy of further investigation.
The simple shoplifter?
Imagine a scenario where you are using a mobile forensic tool without the latest decoding capability for WhatsApp and because it can’t see the contents of the messages, it presents no more evidence. You assume the shoplifting suspect is a one-off case and let him off with a warning and the case never goes to court.
Now imagine the same phone going through another tool that does have the latest support for WhatsApp and the data reveals that the suspect is working for a network of criminals who are dealing in stolen goods in order to fund terrorism.
This is an extreme example to make the case, but hopefully you now appreciate the importance of checking the quality of decoding that a mobile forensic tool offers.
3. Data Integrity
What if you did all that work to generate a report for presentation in court, only to discover it wasn’t usable in court?
Getting past security and encryption to acquire the data is important. Hopefully you now also appreciate the importance of good decoding too, but what about producing it as evidence?
We call this the ‘Chain of Custody.’ That’s because in many courts you need to be able to prove the origin and reliability of the evidence you present in court – from the moment it is first acquired until the day of the trial to demonstrate that it has not been interfered with or altered in any way.
Most law enforcement users understand the necessity for the preservation of physical evidence. It’s commonly understood that you should preserve and not contaminate DNA evidence. Equally that you should allow the defense the opportunity to examine the evidence to see if they get different results.
So how does this work in the realm of digital data evidence?
The Principles of Digital Evidence
The best guide written on this topic came from the Association of Chief Police Officers. The Good Practice Guide for Electronic Evidence outlined four principles when dealing with this type of evidence:
Principle 1: No action taken by law enforcement agencies or their agents should change data held on an electronic device or storage media which may subsequently be relied upon in court.
Principle 2: In exceptional circumstances, where a person finds it necessary to access original data held on an electronic device or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.
Principle 3: An audit trail or other record of all processes applied to computer-based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.
Principle 4: The person in charge of the investigation (the case officer) has overall responsibility for ensuring that the law and these principles are followed.
Look at Principle 3 again – an Audit Trail. Does your mobile forensic tool have one?
Seriously, check it out – is there a detailed log of all the processes applied to the device and the results that created the end report?
We know of at least one major tool that does not have an open, accessible audit trail that can be read and understood by an independent expert for the defense. An encrypted audit log of the extraction is not a transparent tool open to inquiry by the court.
Imagine taking all the time to acquire the data, decode it and then prepare a report in order to present the evidence at court – only to have it thrown out because nobody can make sense of what the tool is actually doing?
Impact of Privacy and Data Protection laws
It may seem obvious that by its very nature, the data recovered from a mobile device is often personal data.
Data Protection by design is important when you consider there is a piece of legislation with global reach that impacts law enforcement officers in the European Union as well as law enforcement officers anywhere in the world when handling personal data transferred from EU-based authorities.
The European Union’s data protection laws, require that personal data be protected so that it is not lost, unintentionally deleted or accessed by unauthorized personnel. And more and more countries, over 100 as of mid-2019, are enacting their own data protection laws and regulations, according to a United Nations tracking study.
The monetary fines for violating data protection laws can be significant – that should focus everyone’s mind on the importance of data protection.
Data Protection by Design
You may be surprised to learn that one of the most popular tools on the digital forensic market stores data in an open file format easily readable in its native format when stored on a computer.
That should be of immediate concern. Consider, for example, an investigation into indecent images; where the file format allows you to see the images natively in Windows or on a USB memory stick or DVD.
This type of data should be protected by default.
If you store digital evidence in an open file format, that leaves it open to accidental alteration. How can you show that it has not been interfered with prior to presentation in court? What if someone accidentally dropped images from another case into the wrong folder on the computer where the evidence is stored – how would you know?
Please be sure to check that your digital forensic tool is not susceptible to this basic oversight when considering the issue of data protection and integrity for presentation in court.
4. Training Users
The final piece of the puzzle is training. Your organization probably spent lots of money investing in mobile forensic tools, but does it then invest in the users?
Sadly, too often this seems to be overlooked. The budgets allocated seem to be directed exclusively towards the purchase of products and training comes as an afterthought.
In times of budget cuts, we appreciate that Training may be one of the first areas to be cut, as organizations focus on their immediate shortterm need for savings, over the long-term beneficial investment in their staff. It’s natural that tough choices need to be made.
However, the big challenge with mobile forensics is that in order to get the data off a mobile device, you usually need to power it on and because they tend to be proprietary electronic devices, that will alter the state of the device. Thus, from a purely technical perspective a conflict with Principle 1 of the Digital Evidence guidance.
However, Principle 2 has the answer – the user must be suitably trained.
That leads us to a very relevant court case in Australia where mobile forensic evidence was ultimately rejected. Not because the evidence was unreliable, far from it – the tools worked perfectly. The reason for the appeal was because the officer presenting the data was unable to adequately explain how the tools worked or show that he was suitably qualified:: HERE
… It was the first time he had experienced the relevant software and he did not
have any formal training in its use. It was also his evidence that the software
‘tried to do its best job at doing it’. To my mind this clearly raised questions as
to the reliability of the software and of Constable B’s correct use of it. In my
view, the prosecution failed to establish that the downloading process was of
a type generally accepted by experts as being accurate, and that the particular
downloading by Constable B was properly performed.
Hopefully, from this example you can see that it’s vitally important that organizations keep their users suitably qualified to present digital evidence in court.
The last thing anyone wants is for good evidence to be thrown out because it was not presented in the correct procedural manner or because a law enforcement witness was not adequately qualified to present the evidence. The mobile phone market moves fast, and new techniques and solutions are being developed all the time. Keeping up to date is a full time job.
If you invest in specialist tools, be sure to invest in the operators of these tools as well – to ensure you get best value from your investment.
If you have understood the need to cover all four of these critical areas, your organization will be well on the way to leading the field in terms of best practices for mobile forensics.
The quality of decoding available in the tool, the security of the data recovered and the ability of the user to understand and explain these processes is just as important as data acquisition, when it comes to the bigger picture of getting your case to court.
Mike Dickinson has spent half his working career in military/law enforcement and the other half in the private sector supporting these services. His specialism is providing tools and technologies designed to help in the fight against crime. Using his previous experience as a Senior Investigating Officer in the UK Police, Mike is dedicated to helping agencies make best use of their existing assets to improve the prevention and detection of crime; through the use of digital forensic technology.