This interview was originally published on the web’s leading digital forensics portal FORENSIC FOCUS
Martin, you’ve worked for MSAB for 15 years. What changes in mobile forensics stand out to you from that time?
The most important one during this 15-year period would be the introduction of actual smartphones, because they were the biggest game changer when they came out in terms of being adopted as fast as they were. If we look back even 10 years ago — not in the U.S. but here in Europe — it was about 90 percent Nokias and some other models, and Nokia is long gone now. They were making smartphones, but nobody really understood how to use them, and then of course Apple and Google came along and changed that.
Of course, related to that is the amount of data we get out of the phones today. I remember in 2008 I was doing a demo at the University of Singapore and we were decoding a 128-megabyte phone, and it took some time, and I was like, “It’s a big extraction, it’s 128 megabytes,” and that’s nothing today — that’s one app! There is also the amount of data we’re collecting right now. It used to be, “Give me everything,” and now it’s more like, “Hold your horses, all I need is this and this because it’s too much information.”
What does a typical workday look like for you?
I wish I knew! Every day starts almost the same — with some planning and support. Every morning we go through status reports and the research with the development team working on our XRY ‘extraction platform’ to see how to plan their days. There may also be an escalated support case that needs to be discussed.
From that point, the day could take any direction. It could involve research discussions of some exploits that we have found, or some other breakthrough on the market; there could be new ideas for products, or development direction.
It’s very diverse, and that’s one of the most fun things about my job: no two days are the same. There’s always something to learn. In my 15 years, not a single day has passed that I’m not learning something new about this area: mobile phones, forensics, encryption… every day is a learning day, and that’s really fun.
How do your previous roles as trainer and product specialist inform your current role and make you so well placed to manage the XRY extraction platform?
One of my strengths is that I’m well informed about the market and its inside needs. I used to train all around the globe in all kinds of organizations, so I know many customers in many parts of the world, not just one limited geographical area. I think that gives me an insight into what is generally needed.
There are always the “edge cases” where you have to adapt for a certain organization or a certain law enforcement branch, but I think on the whole, my experience gives me a good foundation for taking a decision on where to move the extraction platform forward, and also the research for getting into new locked down platforms.
Tell us about your biggest success managing this platform — are there any particular exploits or other breakthroughs that you’re particularly proud of (that you can talk about)?
First is our domination in the Huawei field. A while ago we chose to target certain Huawei models, and today we have very good decryption and penetration capabilities. That has proven to be fruitful because many non-law-abiding citizens have favored this brand. We have a huge amount of success with some quite severe cases regarding this platform.
Another thing is the creation of our AAL, the Advanced Acquisition Lab, where we’ve enabled a few selected customers to have access to our most volatile exploits that they would otherwise have to access through our in-house Access Service. With Access Service, customers send us their phones or we go to their location to unlock phones. We can unlock a lot of phones that are not supported by our traditional solutions, but we have the know-how in house, so we can help customers on these kinds of “edge” or difficult cases.
With the Advanced Acquisition Lab, we’ve packaged our research knowledge — the volatile exploits — into the hardware and software needed to get into these locked and encrypted phones, and we actually train the customers on how to use it. These exploits are too volatile to be put into our regular product and require specialist training to operate. So that’s one thing I am very proud of.
We do adhere to the Wassenaar Agreement because the powerful decryption functions in our tool make it a dual-use technology for use by the military and police. The E.U. governs us, which means that we have a responsibility not to give this to the wrong people, and we also don’t broadcast too much about our capabilities.
A third breakthrough is XRY Photon. We know Google is closing down the backup procedure on Android phones, so we started looking for alternative methods to extract data from phones that don’t involve the last resort of taking pictures of the screens. Photon is a new, unique take on extraction, and it’s been extremely successful. It allows the data to be digitally secured in our forensically secure container — we are the only one in this business to have a forensically secure container proven by NIST in the US — which allows the data they couldn’t get before to be electronically searchable.
And we just released the big Exynos chipset exploit in XRY this fall, which was very well received, as well as support for all the Qualcomm phones we’re seeing in the U.S. market, where Qualcomm has been a locked platform for some time.
Finally, we’ve sped up extractions and decoding, especially around the new iPhone readouts, where we can now reduce the extraction time for baseline data to under two minutes.
In general, over the last six months, we’ve been really productive in getting stuff out in the field, and the customer notices as well. There’s a lot of positive feedback, so we’re in a good spot, and the aim is to keep up the pace.
Phone encryption is probably the biggest evolution on mobile devices in recent years. Going into 2020, what are the chief issues you anticipate with encrypted devices and data?
The issue is of course getting the data, and while we’ve always worked with this, we changed gears this year to focus more on both N-day exploits and zero-day exploits that we discover in-house. We anticipate seeing more and more exploits coming into use in the future, which will change the whole process of how to handle a seized, encrypted device. Some countries have a directive to always shut off the phone, and that should not be the case in the future, because if a phone is turned on, we have more attack surfaces to get into that phone.
We’re also going to depend less on built-in backups, so we might find new backup methods that we can use. Encryption is one of the two biggest challenges for the future, alongside the volume of data, so it will separate the leaders in the business from the followers. I consider us to be one of the leaders for the future.
We are geared up for the future, and we are always hiring, so if you’re an exploit researcher, we always have a place for you!
Bigger data volumes and lab backlogs are also challenges most labs are experiencing. How is MSAB addressing these challenges, and what successes are customers reporting?
We have this concept called “Frontline First” to roll out the tools to where they are actually needed, for example a triage platform that allows customers to take the unlocked devices from a witness or victim — where you can easily get access to the phone, and read them before they hit the lab. The idea is to keep the easy phones out of the labs so they can be extracted by people who have sufficient training but aren’t lab forensic people, to ensure the data is captured as soon as possible in our forensically secure file format using the methods and the tools in our Frontline kiosks and tablets. That way, they know they have a forensically secure chain to capture evidence and use later in court.
We had one case where a phone was extracted on the Frontline Kiosk, and the suspect and phone were released, and later they found, after going deeper into that extraction, that this was a bad person. They arrested him again and tried to do a lab analysis on the phone, and he had factory reset the phone. But because of the Kiosk process and the forensically secure file format, the initial read could be used in a court of law, and he was tried and sentenced to more than seven years in prison.
In another case, a prison service purchased our tablets because they had a big problem with inmates having contraband cell phones. When we started, the average price for a phone inside the prison walls was about $200, and after one year, the prison staff had captured so many phones, the price went up to $3000. Ultimately the staff needed fewer of our tools because they had eliminated the phone backlog and were processing the new ones quickly, so they handed our technology out to a neighboring department because they were so successful.
So we’ve seen our Frontline focus have an impact on how people are handling phones, and it also reduces field personnel’s training time and the lead time on devices, so the lab people can focus on the really important phones — the locked, encrypted ones, the ones that are tricky and hard to get into. You know the 80/20 rule; if you remove the 80 percent of simple devices, the lab can focus on the 20 percent of difficult ones.
When we introduced the Kiosk, the lab people were the most reluctant to implement it. They believed extractions could only be done by a highly trained forensic person. It turned out in the end, though, they are the happiest, because they can focus on the important and exciting phones! I think it’s a win-win and the only way to go, because there’s no way you can scale the labs to take care of the amount of phones coming in.
Tell us about the EU-funded FORMOBILE project. How is MSAB contributing, and what excites you most about the project?
It’s such a good project because there are so many different contributors working for the same goal: to get into the phones, and safely sharing the data. We and one of the best digital forensic labs in Europe are now working together on a project targeting a certain range of devices used by the worst criminals — not the daily drug dealers or the random killer, but the real nasty people, and these phones are becoming problems. Before, we were working on our side and this lab was working on their side, but now we’re all sharing our breakthroughs and ideas, and we’re already moving faster than we had done before because we’re working together on a common goal. That’s really exciting.
And also the collaboration. Many European countries are part of this project, and everybody is working towards the common goal of having a better understanding of how mobile evidence works in the law enforcement chain, and also sharing the results across borders without breaking the GDPR or other laws. It’s a very controlled project, but it’s also very rewarding to work in. We are the key industry partner in this project; the others are institutes and schools, so we are very happy to be contributing to this project.
What are you looking forward to the most in 2020 and beyond?
Getting into the phones! I think we have great challenges coming up. The good thing is that we have geared up and are quite ready for the challenges. We’re going to see more and more encryption with the vendors working hard to prevent access to their data. One thing we know is that the people who own the data have control of it and that’s why Apple and Google locked down their platforms, because they want to control the data. And we have to be more and more creative to extract the data from the phones. There’s no standard method of getting data out of phones anymore, there have to be more and more unique device-specific ways.
We also plan to move toward more collaboration with more partners, similar to our relationship with BERLA and URSA, where they contribute on areas — car and drone forensics — where we do not do our own development. The customers appreciate these collaborations because the benefits to them are more like 1+1 = 3 rather than = 2 — when they can combine a car extraction, a drone extraction, and a phone extraction in one layout, and see how they interact, it’s really powerful. So I think we will see more collaboration in the future.
One final thing that we definitely feel will be more important is the technical support we provide to our customers. That’s going to be needed even more in the future, because with fewer standard extractions, having someone available to answer the phone when you’re sitting with a device in front of you will make a big difference. The vendors without adequate support are suffering already; it’s going to be harder in the future.