Options for Dealing with the Digital Forensics Backlog

Law enforcement and prosecutors face a daunting 6 – 18 month backlog to process digital evidence through an RCFL or state computer forensics lab. Unfortunately, the grim reality of public budgets and the explosive growth of digital evidence means that this backlog is not going away any time soon.

The only question is how your department will deal with it.

Option 1 – Do Nothing

You may opt to simply accept that digital evidence will take a long time to forensically examine. If you expect that a cell phone seized in a drug case will take at least six months to process, you won’t expect to get much actionable intelligence from it. The cost in this case is more than just the hassle factor. That intelligence you miss will likely cost you more in surveillance overtime or more investigative resources while you wait for that cell phone evidence to be processed. In future posts, we’ll explore some of the hidden ways that a backlog can cost your department big bucks in terms of overtime or lost opportunities.

Option 2 – Build Your Own Digital Forensics Lab

Many departments can make a case that an in-house digital forensic lab is worth the investment. Creating your own digital forensic lab is a big investment of both money and time. It requires that you have a good understanding of your forensic needs and that you set appropriate expectations about what and when a new lab can actually deliver. At Flashback Data, we’ve worked with lots of law enforcement clients who have chosen to build their own lab. In future posts, we’ll share some of their lessons learned so you don’t repeat their mistakes.

Option 3 – Outsource Your Digital Forensics to a Private Lab

Outsourcing your digital forensics to a private lab can be a quick and effective way to address your backlog, especially for complex, time-sensitive cases. There are a lot of private labs and solo practice examiners out there, and it’s important to choose a partner that is experienced in dealing with law enforcement and has the credentials and accreditation that can stand up to a legal cross-examination.

Flashback Data has been providing outsourced digital forensics services to federal, state and local law enforcement since 2004. Our digital forensics lab was the first private lab accredited under the same standards as FBI and state forensics labs. Our experienced examiners can work with your investigators to help plan, preserve, investigate and examine virtually any digital evidence in any format or condition. Our accreditation and experience mean that we can support our forensic reports through depositions and cross-examination, if necessary.

CONTACT FLASHBACK DATA to get help with your backlog today.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.

Flashback Data Digital Forensics Utility

Digital Forensics Hack – $I File Parser – Free Download

Digital forensics software has come a long way in providing tools to help digital forensic examiners do their jobs more efficiently. However, when you’re performing hundreds or thousands of examinations per month, you still find yourself doing a lot of repetitive, manual work. The experts at Flashback Data have created a nifty productivity tool to simplify a standard part of almost every digital forensic examination: processing the Recycle Bin for deleted files.

Most digital forensics software can help you find and extract the digital footprints of a deleted file on a Windows computer, but analyzing the most important part of these footprints can be a real bear when there are hundreds or thousands of deleted files. Flashback Data has created a tool to batch process the administrative or “$I” files that a Windows computer creates when a file is sent to the Recycle Bin.

What the Recycle Bin Does Behind the Scenes

When a file is deleted through the Recycle Bin on a computer with the NTFS file system, several things occur. First, the NTFS $MFT entry is updated with a new parent record number; in other words, its parent now becomes the Recycle Bin instead of its original location. Next, the file is given a new name: instead of the original name, it becomes $R followed by six random characters and the original file extension. For example, a file named “dog.txt” could become “$R24E32E.txt”. In addition, a paired administrative file is created. This administrative file starts with $I and then has the same six random characters and the original extension, so the paired administrative file for “$R24E32E.txt” would be “$I24E32E.txt”. These $I files contain a good deal of information, even when the paired $R file has been overwritten.

The $I files contain:

  • The original file’s size
  • The date the file was sent to the recycle bin
  • The original file’s full path

Accessing This Data

There aren’t tools that specifically parse just this information out of these files quickly, which is why we made the Flashback Data $I File Parser. Take all of the $I files for your case (use your favorite forensics tool to extract them) and put them in a directory. Point the program at it, set an output CSV file and click the “Create CSV” button.

Screenshot of Flashback Data $I File Parser

The program will parse all of the files into a CSV for you with the following fields:

  • $I file name
  • $R file name
  • Size (in bytes)
  • Date (UTC)
  • Original path
  • Original File Name
  • MD5 hash of the $I file

You can download this tool here (UPDATED VERSION 2/28/17 – V0.95). Good luck!
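As an added illustration, not the Flashback Data tool itself, here is a stand-alone Python parser that pulls the same three fields out of $I files and writes the same CSV columns the tool produces. The on-disk layout it decodes (version 1 on Vista/7/8 with a fixed 520-byte path field, version 2 on Windows 10 with a length-prefixed path) is the documented $I format; the sample $I files, paths and timestamps are constructed inside the code for the demo.

```python
import csv
import hashlib
import struct
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def md5_hex(data):
    return hashlib.md5(data).hexdigest()

def parse_i_file(data):
    """Parse one $I record (all fields little-endian): 0x00 8-byte version
    (1 = Vista/7/8, 2 = Windows 10+), 0x08 8-byte original size, 0x10 8-byte
    FILETIME of deletion, 0x18 the path: version 1 holds 520 bytes of NUL-padded
    UTF-16LE, version 2 a 4-byte length in UTF-16 units (incl. NUL) then the path."""
    if len(data) < 24:
        raise ValueError("file too short to hold a $I header")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unsupported $I format version {version}")
    # Stop at the first NUL; anything after it is padding or slack.
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "size": size,
            "deleted_utc": filetime_to_utc(ticks), "original_path": path}

def parse_i_directory(directory):
    """One CSV row per $I file in `directory` (non-recursive), in name order."""
    rows = []
    for path in sorted(Path(directory).iterdir()):
        if not path.name.startswith("$I"):
            continue
        data = path.read_bytes()
        rec = parse_i_file(data)
        rows.append({
            "$I file name": path.name,
            # The paired $R file shares the six random characters and extension.
            "$R file name": "$R" + path.name[2:],
            "Size (bytes)": rec["size"],
            "Date (UTC)": rec["deleted_utc"].strftime("%Y-%m-%d %H:%M:%S"),
            "Original path": rec["original_path"],
            "Original file name": rec["original_path"].rsplit("\\", 1)[-1],
            "MD5 of $I file": md5_hex(data),
        })
    return rows

def write_csv(rows, out_path):
    with open(out_path, "w", newline="", encoding="utf-8") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]) if rows else [])
        writer.writeheader()
        writer.writerows(rows)

def build_sample_i_file(version, size, deleted_utc, original_path):
    """Construct $I bytes for testing; sample data, not from a real system."""
    delta = deleted_utc - FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    header = struct.pack("<QQQ", version, size, ticks)
    encoded = (original_path + "\x00").encode("utf-16-le")
    if version == 1:
        return header + encoded.ljust(520, b"\x00")
    return header + struct.pack("<I", len(original_path) + 1) + encoded

def demo():
    # Two constructed $I files (one per format version) parsed into a CSV.
    when = datetime(2017, 2, 28, 15, 4, 5, tzinfo=timezone.utc)
    samples = {
        "$I24E32E.txt": build_sample_i_file(2, 1234, when, r"C:\Users\alice\Documents\dog.txt"),
        "$I9ZZ001.jpg": build_sample_i_file(1, 98765, when, r"D:\photos\cat.jpg"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, blob in samples.items():
            Path(tmp, name).write_bytes(blob)
        rows = parse_i_directory(tmp)
        write_csv(rows, Path(tmp, "recycle_bin.csv"))
    return rows
```

Point `parse_i_directory` at a folder of $I files exported from a case and `write_csv` to the output path to get the same columns on real data.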

If you need a more in-depth forensic analysis of your data, please CONTACT US for a free consultation or CALL US AT 866-786-5700.

Avoid These Mistakes When Hiring a Digital Forensic Examiner

3 Critical Mistakes To Avoid When Hiring A Digital Forensic Examiner

If you’re looking to hire a digital forensic examiner to address the backlog in your crime lab, we have a few tips to help you avoid making a bad hire. We’ve been in the business for 17 years, have hired over 50 examiners, and have interviewed hundreds more.

Here are our top 3 things to avoid:

1. HIRE THE IT GUY.

Obviously, a digital forensic examiner must be extremely knowledgeable and comfortable working with technology.  However, technical skills are probably the part of the job that is easiest to learn.  A great forensic examiner needs to have excellent written communication skills in order to prepare a clear, understandable report that a non-technical officer, attorney or judge can understand.  He or she may also need to appear in court to defend the evidence, so great presentation skills are also a must.

2. CERTIFICATIONS ARE NOT THE SAME AS ABILITIES

There is a big difference between certifications, qualifications, and abilities.  In our experience, some of the worst digital forensic examiners have almost every certification available but don’t have the ability to tie the objectives, investigation, report and testimony together in order to complete a successful case.  On the other hand, we’ve seen examiners with fewer than two certifications and seemingly limited qualifications, who can easily lay the foundation for the evidence through a clear, meticulous report while supporting the results in a clear and easily understood manner that carries weight in the court system.

3. KNOWING HOW TO USE FORENSIC SOFTWARE IS DIFFERENT THAN KNOWING HOW IT WORKS

Avoid examiners who are only experts at operating forensic software.  We call these “button pushers” and we’ve developed a rule of thumb for identifying them.  If their CV or email signature only includes the acronyms “EnCE” or “ACE”, then we know we need to dig deeper.  These are certifications offered by the forensic software vendor (EnCase or AccessData) to certify that the examiner is well versed in how to operate the software.  This type of certification does not imply that the examiner knows how the software operates or understands its strengths and weaknesses.  In addition, a good examiner may need to use lots of different software tools for a single case.  If a candidate’s credentials are based only on the ability to operate a few pieces of software, it won’t take much complexity for that person to be in over his head.

WHAT TO LOOK FOR

Enough of what NOT to do, here are the three key attributes we look for in every examiner we hire at Flashback Data:

Meticulous – A great examiner must be meticulous about what they see, do and conclude. What data is there? What data is supposed to be there? What data is not there?  Once the examination process begins, a great examiner must note all their actions, communications and thoughts within the case so it can be duplicated if necessary. A great examiner must also identify findings both large and small as accurately as possible.

Resourceful – Very few cases can be completed with a cookie-cutter approach.  A great examiner must understand the needs of the case, and be able to use the specific hardware and software tools the case demands. A great examiner must also know when to ask for help from peers in the industry.

Presenter – Digital forensics can be highly technical, and a great examiner must be able to translate that complex process into a simple report that can be understood by a 6th grader.  A great examiner must also be able to present well, be sharp, appear confident and well mannered, yet have the discipline to not overstate their findings or boast in court.

If you are relying on certifications, make sure one of them is CFCE (Certified Forensic Computer Examiner).  This certification focuses more on the examination process rather than just one or two tools.

If finding and interviewing digital forensic examiner candidates is wearing you out, CONTACT FLASHBACK DATA. We have highly credentialed examiners with years of experience in complex cases. Our turnaround time is usually measured in days instead of months or years and our digital crime lab is accredited under the same program as the FBI and state crime labs.

GET HELP TODAY! CALL 866-786-5700 FOR A FREE CONSULTATION!

3 Words Never To Use When Talking About Digital Evidence in a Courtroom

At work, a “copy”, “ghost” or “mirror” of your data can help you collaborate with coworkers or quickly recover a lost or corrupted file.

In a courtroom, any of these three terms can get you into trouble.

WHAT EXACTLY ARE YOU COPYING, GHOSTING OR MIRRORING?

The trouble arises from what exactly is being copied. Most ways of copying, ghosting or mirroring a drive focus on what is called the “allocated data”. That is, all the data that your computer uses and can easily find on the drive. The problem is that this allocated data is only part of the story, and the rest of the drive isn’t typically captured by a copy, ghost or mirror of a device. This is where you can get into trouble in court when using these terms.

Drives also have “unallocated data” or what most operating systems call “free space”. This unallocated data can include deleted files, system log files, Internet search history and other hardware-related data. This unallocated data can be a treasure trove of evidence for forensic examiners, especially in cases where someone may have tried to destroy, delete or tamper with digital records. If a copy, ghost or mirror of a drive is introduced as evidence in a court, it may not include this valuable unallocated data.

“VERIFIED FORENSIC IMAGE”

Instead of using a copy, ghost or mirror, digital forensic examiners use what is called a “verified forensic image” when working with and presenting digital evidence.

A forensic image is an exact copy of all the 1s and 0s on every physical sector of a piece of media (hard drive, flash drive, etc.), including both allocated and unallocated data.

An examiner can “verify” a forensic image by comparing the “hash value” of the drive copy to that of the original. The hash value of a drive is a numeric value of fixed length that uniquely identifies the data on that drive. If the hash value of the copy matches that of the original, then the copy is a “verified forensic image”.

USE IN THE COURTS

In contentious cases or those that involve attempts to destroy or tamper with evidence, using digital evidence that is based on a “copy”, “ghost” or “mirror” of an original drive is an invitation to have that evidence declared inadmissible. Using a “verified forensic image” can avoid these traps in the courtroom.

If you’re concerned about your department’s ability to manage complex digital evidence in ways that will hold up in court, CONTACT FLASHBACK DATA. Our digital crime lab is accredited under the same program as the FBI and state crime labs. We can help you plan, gather, protect, examine and defend almost any form of digital evidence.

GET HELP TODAY! CALL 866-786-5700 FOR A FREE CONSULTATION!

Forensics on Digital Photos - Worth More Than 1,000 Words

I used to carry a camera only on vacation. Now I carry the most powerful camera I have ever owned all the time…on my phone. I used to store my photos in a box in my attic. Now all my photos stay on my phone forever.

If a physical photo is worth a thousand words, a digital photo is worth more than that especially for a digital forensics examiner.

The additional value comes in the form of “metadata” that offers a treasure trove of information about the image for digital forensics examiners. Image files have a specific type of metadata that uses the acronym “EXIF”. EXIF stands for “exchangeable image file format”. Name an image file type and it probably has EXIF data: JPEG, PNG, JPG, TIFF, GIF, etc.

A recent phone upgrade reminded me of how much information this EXIF data contains and how powerful it can be. I was looking through the images that had been transferred to my new phone and saw the image below:

Digital photo from phone with lots of available metadata

I took this picture with my phone several years ago while visiting San Francisco. I have no idea what the date or time was, which phone I used, nor do I remember where in the city this was, but my forensic instincts tell me I can find out. I took a peek at the EXIF data contained within this image and found some interesting stuff:

Create Date/Time:  October 3, 2011 11:16:19
Make:              Apple
Model:             iPhone 3GS
GPS Altitude:      34.9 m Above Sea Level
GPS Position:      37 deg 47′ 24.00″ N, 122 deg 24′ 44.40″ W

This image was taken with my iPhone 3GS, was then transferred to my iPhone 5, then to my iPhone 6, and then to my iPhone 7. After several years and several migrations, the image EXIF remained intact and I can now use it to determine things about the image that I had completely forgotten or didn’t know.

Using the GPS coordinates I was able to locate the fire hydrant at the corner of Taylor St and Bush St in San Francisco. I took a screen shot from Google Maps to prove it:

Street view image that confirms GPS metadata from digital photo

Now, imagine how useful this information might be in an investigation or litigation case. Also, this is not a complete list of metadata that can be obtained from images, it’s just the most interesting.

If you need help with your digital evidence, CONTACT FLASHBACK DATA. We’re experts in digital forensics for law enforcement and attorneys, and our turnaround time is a fraction of what you’ll find at RCFL or any state lab.

GET HELP TODAY! CALL 866-786-5700 FOR A FREE CONSULTATION!

Forensic Options on Locked or Broken Mobile Devices

“JTAG” and “chip-off” processes are a well-known last resort when standard forensic tools can’t recover data from a locked or damaged mobile device. While these terms may be well-known, the actual processes are extremely technical and involve an understanding of circuit board and memory chip architectures. Here is what you need to know about each process to make the right choice for your specific case.

DEFINITIONS

“JTAG” is shorthand for a standard set of tools built into almost every mobile device circuit board that simplify device testing and quality control. JTAG is an acronym for “Joint Test Action Group”, which was the industry group that originally defined these standard tools. Forensic examiners can piggyback on these testing tools to directly access a device’s memory chip, often bypassing the password or encryption scheme.

“Chip off” methods refer to physically removing a memory chip from the device circuit board and accessing it through a different chip-reading apparatus. This process is not reversible, so the original device is rendered inoperable. The actual process is like performing precision surgery on a circuit board. Flashback Data has even used x-ray machines to help us in some very technical chip-off cases. Even for an experienced examiner, the chip-off process isn’t without risks. Newer mobile devices are not built to be disassembled, and it’s possible to damage the memory chip and render some or all of the data inaccessible.

WHEN SHOULD YOU CHOOSE ONE OR THE OTHER?

If the target device is operational, but locked, JTAG should be your first choice. It often allows you to bypass password or encryption schemes and usually doesn’t damage the device. If JTAG doesn’t work, you can always move on to a chip-off option.

If the target device is damaged and not operational, then a chip-off process is likely your only option. Be aware that there’s still a risk that removing the chip will damage its memory, so it’s important to use an experienced, accredited lab when you need a chip-off exam.

WHAT IS THE OUTPUT OF EACH OF THESE PROCESSES?

Regardless of the method, the goal of performing a JTAG or chip-off process is to get a physical image of the memory chip on a specific device. Of course, that’s not the end of the forensic examination. The examiner will then need to use that image (or as much of it as is recoverable) to reconstruct the data, analyze it forensically, and produce a comprehensive report for use in ongoing investigations and prosecutions.

GET HELP TODAY!

If your digital crime lab can’t access data from a locked or broken mobile device, CONTACT FLASHBACK DATA. We’re experts in the most complex digital forensics cases and our turnaround time is a fraction of what you’ll find at RCFL or your state lab.

CALL 866-786-5700 FOR A FREE CONSULTATION!

Digital Forensics vs eDiscovery

The Major Differences Between Digital Forensics and eDiscovery

Our world is becoming more technological every day, and businesses and individuals are relying on a variety of digital means to store their data. If you or your business is involved in a legal proceeding, for example, your digital records may be required to assist with litigation. Although individuals and businesses are required to digitally store and retain their data, there are differences in how this data can be obtained. Digital forensics and electronic discovery can be used to collect data.

Electronic Discovery

Data collection involves identification and preservation as well as collecting, analyzing, and reporting data. Electronic discovery utilizes all those processes and generally collects active data. Active data is classified as information and data that is easily available through file storage and program managers utilized by a business or individual.

When collecting data through electronic discovery, the data usually goes to the legal counsel who then performs his or her own review on the data. The professionals collecting this data are simply transferring information and do not discuss the intent of the user or business. They also do not provide legal advice.

Electronic discovery is useful when the only information needed involves easily accessible files such as email, calendars, documents, and databases. A computer forensics expert is needed to further analyze the data if it has been deleted or if someone has tampered with it.

Digital Forensics

A forensic analysis of data is needed when the litigation requires a deeper look at the data. A digital forensic specialist sorts through data in search of hidden files or deleted data to help provide more-reliable evidence. Here are some examples of data that could be discovered using digital forensics:

Data being stored automatically. After many years of digital backups, automatically stored data may have been removed from a server. Forensics can discover this data typically located on a hard drive.

Deleted data. Any files that have been deleted from the system will usually remain on the computer’s hard drive. Forensics will be used to locate this information as long as the hard drive has not been overwritten or wiped.

Wiping software. Most computer forensic specialists can determine if any hard drive wiping software was used on a computer. This can help make a case that data was destroyed purposely.

Digital forensic experts are brought in to produce more than data for a case. They analyze that data in hopes of finding evidence that can be used for a client. Typically, they partner with a legal team to determine what type of data they are seeking. These experts are more active with the case and can be called on in legal proceedings to defend their claims about the information.

Maintaining Data Integrity

Regardless of what method of data collection is used, it is important that the data remains protected. When collecting data through electronic discovery, large amounts of information are transferred from the original source. Copies of the relevant files should be made to ensure that no changes are being made to the original files.

When forensics experts are utilized, their skills should include creating exact copies of the data they are extracting to protect the original form of the data. These experts have tools to ensure that the information is accessed safely. Extra caution must be taken when extracting hidden or deleted files, as these must remain unchanged to hold up in court.

Utilizing This Data in the Court System

As our use of technology continues to increase, the courts are putting stricter regulations on data collection and how it can be used in trials. Specifically, in the US, courts are no longer likely to approve a request to obtain all the data related to an individual or business. Instead, they require details regarding the specific information you are looking for that will support your case.

When collecting data to support your case, the court system usually requires a forensic analysis of the data. These regulations ensure that the data collection is not intrusive and that the information collected relates to the case.

Both Forms Can Be Useful

When your investigation requires simple information about a business or individual, electronic discovery can be useful. You may be limited, depending on the nature of the litigation, regarding how far you can search without court approval. As your investigation grows more serious and more-detailed information needs to be recovered, you should bring in a digital forensics expert. These experts can preserve and restore data and can help aid your case.

Regardless of what type of data analysis and recovery you need, it is important to reach out to the court system where you are to determine your limitations. Your legal team may benefit from both electronic discovery and digital forensics to help in your case.

Free Forensics Tool – $I File Parser (UPDATED VERSION)

A couple of years ago we released a free tool for digital forensics investigators.  Well, we had the need to update it with some new features. Bugs are fixed and features added. So, if you are a forensic investigator, this tool could help you a bunch in quickly and easily parsing out all the NTFS Recycle Bin files.

See the old blog post for download links and description. Let us know if you have any feedback by filling out the contact form on our site here.

Effects of RULE 902(14) Amendment

A recent rule amendment was passed which reinforces best practices pertaining to digital forensics and eDiscovery investigations. It is critical in forensics that only qualified personnel handle electronic devices, and collect and analyze digital evidence. Examiners must be proficient in this specialized field of forensics, and their work must be credible, accurate, and reproducible if opposing counsel’s examiner conducts the same analysis on the device.

The Amendment to Rule 902(14), which went into effect on December 1, 2017, eliminated questionable evidence, such as screenshots, that may have been manipulated prior to being presented as evidence in court. Because digital forensics is a science, it requires qualified personnel to preserve, analyze, and report on the process and findings of an investigation.  Such processes and findings should, therefore, be repeatable by another expert and allow him/her to reach the same verified conclusions of the investigation.

In June of 2016, the National Commission on Forensic Science voted that digital evidence presented as part of a federal case should be processed by an accredited crime laboratory.  Digital forensic laboratories accredited through organizations such as ASCLD/LAB International must comply with the standard, validated procedures of International Organization for Standardization (ISO) 17025:2017, which reinforces best practices for forensic examinations. Such procedures address not only standards for laboratory management, but also technical competency of personnel, testing methodology, equipment, quality assurance measures, and reporting of test results. Flashback Data, LLC has been internationally accredited as a computer forensics laboratory since 2010 through ASCLD/LAB. As part of this accreditation, its laboratory’s forensic examiners maintain certifications such as the Certified Forensic Computer Examiner (CFCE) issued by the International Association of Criminal Investigative Specialists (IACIS) and undergo annual internal and external proficiency tests.

While the Amendment of Rule 902(14) currently applies to the federal courts, the rules of evidence for most states either mirror or closely resemble the federal rules of evidence; thus, it is expected that most states will soon adopt this amendment as well. Utilizing an accredited laboratory for digital forensic investigations ensures confidence and credibility in the results obtained that may be presented in court proceedings.

Although previously only offered to law enforcement agencies, Flashback Data, LLC is now extending its Casework Packages to law firms across the nation. These packages allow attorneys to receive discounts and other incentives when they choose to use Flashback Data, LLC as their own private digital crime laboratory. Contact us for more information about our investigative services and secure this special offer for your firm today.

CALL 866-786-5700 FOR A FREE CONSULTATION!

New Developments in Mobile Phone Forensics and Recovery

We have a love-hate relationship with new technologies. Yes, we want our computers and mobile devices to get faster, but the technology is advancing so quickly that it takes a lot of time and effort for us to research new ways to get at that data when a device fails.

So, when Samsung started switching from eMMC memory to UFS memory in their phones we were stuck. We had no way to work on these devices if the motherboard was destroyed. We started looking for solutions and after some time, we finally worked out a way to read these new chips.

We have successfully recovered data from UFS based devices including the Samsung Galaxy S6 and Note 5 when no one else could get the data!!

In the same week, a customer sent in a Samsung Galaxy S7 that was working but passcode locked. There are no forensics tools on the market that can bypass the passcode lock on this phone. However, one of our Senior Forensics Examiners spent hours with it, hacking away at the phone’s firmware, and ended up bypassing the lock and getting a full physical acquisition of the device.  BIG WIN!

We get excited when we expand our capabilities.  It means more people can get their precious data back!  And for our Law Enforcement friends – it means we can solve more crimes.