Photo Forensics

Remember what it was like in the 90’s when you needed to take a picture? My family almost always used disposable cameras with film or Polaroid cameras with self-developing film. Jump ahead 20 years and film is only being used by professional photographers, while everyone else is using digital photos and storage.

One major difference is that now digital forensic examiners can gain a ton of information about the pictures you created with your iPhone or digital camera from “metadata”.

Metadata is a broad term that generally refers to “data about data”.  Imagine your trendy Pink Floyd T-shirt is data and the tag on your shirt is metadata.  You can learn a lot about your T-shirt by reading that tag, and the same applies to metadata within files and images.

Image files have a specific type of metadata called “EXIF” data which stands for exchangeable image file format.  Name an image file type and it probably has EXIF data: JPEG, PNG, JPG, TIFF, GIF, etc.

I know what you’re thinking: “Gee Matt, that sure sounds boring, why should I care?” Here are some reasons to care:

  • GPS data
  • Original Creation Date/Time
  • Make
  • Model

Take the image below for example:

[Image: the photograph discussed below]

I took this image with my phone several years ago while visiting San Francisco. I have no idea what the date or time was or which phone I used, nor do I remember where in the city this was, but my forensic instincts tell me I can find out. I took a peek at the EXIF data contained within this image and found the following items:

Creation Date/Time: October 3, 2011 11:16:19
Make: Apple
Model: iPhone 3GS
GPS Altitude: 34.9 m Above Sea Level
GPS Position: 37 deg 47′ 24.00″ N, 122 deg 24′ 44.40″ W

This image was taken with my iPhone 3GS, was then transferred to my iPhone 5, then to my iPhone 6, and then to my iPhone 6s. After several years and several migrations, the image’s EXIF data remained intact, and I can now use it to determine things about the image that I had completely forgotten or never knew.

Using the GPS coordinates I was able to locate the fire hydrant at the corner of Taylor St and Bush St in San Francisco. I took a screenshot from Google Maps to prove it:

[Image: Google Maps screenshot of the corner of Taylor St and Bush St]

Now, imagine how useful this information might be in an investigation or litigation case. Also consider that this is not a complete list of the metadata that can be obtained from images; it’s just the most interesting.
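As an added example (not code from the original post), here is a standard-library-only Python reader that walks a JPEG’s segments to the Exif APP1 block, follows IFD0 to the GPS sub-IFD, and converts the degree/minute/second rationals into decimal degrees. Since no image file is available here, the JPEG it parses is constructed inline with the coordinates from the post; the builder, the tag numbers and the sample values are the assumptions.

```python
import struct

# TIFF field types used here: 2 = ASCII, 4 = LONG, 5 = RATIONAL (u32 numerator, u32 denominator)
GPS_IFD_POINTER = 0x8825                      # IFD0 tag holding the offset of the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 1, 2, 3, 4

def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed stand-in for a photo: SOI + one Exif APP1 + EOI, no image data."""
    u32 = lambda n: struct.pack("<I", n)
    entry = lambda tag, typ, cnt, val4: struct.pack("<HHI", tag, typ, cnt) + val4
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 1 * 12 + 4       # IFD0 holds one 12-byte entry
    data_off = gps_off + 2 + 4 * 12 + 4       # GPS IFD holds four entries
    tiff = b"II" + struct.pack("<HI", 42, ifd0_off)            # little-endian TIFF header
    tiff += struct.pack("<H", 1) + entry(GPS_IFD_POINTER, 4, 1, u32(gps_off)) + u32(0)
    tiff += struct.pack("<H", 4)
    tiff += entry(GPS_LAT_REF, 2, 2, lat_ref.encode().ljust(4, b"\0"))  # "N\0" fits inline
    tiff += entry(GPS_LAT, 5, 3, u32(data_off))                          # 3 RATIONALs: d, m, s
    tiff += entry(GPS_LON_REF, 2, 2, lon_ref.encode().ljust(4, b"\0"))
    tiff += entry(GPS_LON, 5, 3, u32(data_off + 24)) + u32(0)
    for num, den in lat_dms + lon_dms:
        tiff += struct.pack("<II", num, den)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

def _read_ifd(tiff, off, e):
    """{tag: (type, count, raw 4-byte value-or-offset)} for the IFD at byte offset off."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    entries = [struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i) for i in range(n)]
    return {tag: (typ, cnt, raw) for tag, typ, cnt, raw in entries}

def _rationals(tiff, e, field):
    typ, cnt, raw = field
    (off,) = struct.unpack_from(e + "I", raw)                 # RATIONALs never fit inline
    pairs = [struct.unpack_from(e + "II", tiff, off + 8 * i) for i in range(cnt)]
    return [n / d if d else 0.0 for n, d in pairs]            # guard a malformed zero denominator

def dms_to_decimal(dms, ref):
    d, m, s = dms
    dec = d + m / 60 + s / 3600
    return -dec if ref in ("S", "W") else dec                 # south and west are negative

def extract_gps(jpeg):
    """Walk JPEG segments to the Exif APP1, then IFD0 -> GPS IFD; return (lat, lon) or None."""
    pos = 2                                                   # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):                            # EOI / start of scan: no more metadata
            break
        (seglen,) = struct.unpack_from(">H", jpeg, pos + 2)  # segment lengths are big-endian
        body = jpeg[pos + 4:pos + 2 + seglen]
        if marker == 0xE1 and body.startswith(b"Exif\0\0"):
            tiff = body[6:]
            e = "<" if tiff[:2] == b"II" else ">"             # byte order comes from the TIFF header
            (ifd0_off,) = struct.unpack_from(e + "I", tiff, 4)
            ifd0 = _read_ifd(tiff, ifd0_off, e)
            if GPS_IFD_POINTER not in ifd0:
                return None
            (gps_off,) = struct.unpack_from(e + "I", ifd0[GPS_IFD_POINTER][2])
            gps = _read_ifd(tiff, gps_off, e)
            if any(t not in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
                return None
            lat = dms_to_decimal(_rationals(tiff, e, gps[GPS_LAT]), gps[GPS_LAT_REF][2][:1].decode())
            lon = dms_to_decimal(_rationals(tiff, e, gps[GPS_LON]), gps[GPS_LON_REF][2][:1].decode())
            return lat, lon
        pos += 2 + seglen
    return None

# Constructed sample carrying the post's coordinates: 37 deg 47' 24.00" N, 122 deg 24' 44.40" W
SAMPLE = build_sample_jpeg([(37, 1), (47, 1), (2400, 100)], "N",
                           [(122, 1), (24, 1), (4440, 100)], "W")
print(extract_gps(SAMPLE))                                    # roughly (37.79, -122.4123)
```

A file with no Exif APP1, or an Exif block without a GPS IFD, comes back as None, which is what a metadata-stripped copy of the same picture would yield.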

Waste Not, Want Not – The turmoil for today’s law enforcement

Wise use of one’s resources will keep one from poverty.

One of our favorite things that we get to do here is assist law enforcement with cases. It is really rewarding when we can help them solve a case, find a suspect, and make an arrest. We want to help, and we know we can, quickly and cost-effectively. However, on a daily basis we speak with sergeants, district attorneys, chiefs of police, chief deputies, and sheriffs, and the most common theme is that “we don’t have enough money”. Budgets are continually getting slashed, and law enforcement entities are expected to do more with less. Criminals and the rest of society are embracing the digital age with the use of different storage media like computers, phones, and tablets. These devices hold plans, conspirators, discussions, and actual evidence (pictures, accounts, etc.). The digital age is forcing law enforcement not only to consider DNA and latent prints when they arrive at a crime scene but also to collect cell phones, computers, and DVRs. This alone places most, if not all, law enforcement entities in a bind, because they would like to process this information before the case goes cold; however, resources are slim. To address this problem, most law enforcement entities look within instead of looking for outside help.

The most common scenario we have run across:

Chief:  Jim is a great street cop and I know he loves computers.  Why don’t we send Jim to training and he can be our computer expert?

Jim:  So I get to take a two week training, I get a promotion, a raise, and I get off the street?  Sure, I am your man. 

Jim comes back from training and has a laundry list of required tools and additional training.   

Jim:  Chief, I am going to need approximately $20,000 in equipment and software to get started. 

Chief:  I am sorry, Jim, you will have to wait until the next budget request.  I am spent.

Jim:  I will go and see if I can find grant money, which takes an excessive amount of time, paperwork, and energy.

Chief:  Great idea; however, I really could use your help in other areas of the department. 

In the meantime, the Chief’s decision to move Jim has required him to hire another police officer to fill Jim’s spot, which costs the department additional uniforms, training, salary, and benefits. Jim has found a small amount of money to help him get started on his first analysis. The detective hands Jim a phone; however, Jim has not had training in analyzing phones, so he will be required to send it out to the State Lab. The State Lab is overburdened with digital devices to process and is quoting a turnaround time of 18 to 24 months.

Detective:  My case is going cold and I need a faster turnaround time.

Jim:  Chief, I found a solution that will process phones with the click of a button; the only problem is it will cost us $10,000 the first year and $6,000 every year after as a licensing fee.

Chief:  Ok, let’s buy it and we will charge other departments to use it.

Jim becomes familiar with the solution for processing phones by attending a course that costs the department another $6,000. Jim begins processing phones and requests that the phone they sent to the State Lab be sent back so he is able to perform the analysis. Jim spits out the report to the detective, but the report is limited. Jim explains that he would need additional training to perform any type of carving of deleted information. In the meantime, the department is aware of Jim’s new abilities and has begun to continually collect digital media. Jim finds himself overwhelmed with cases involving child pornography and has little time to keep up with the latest technology and processes.

Jim is called to testify in court. This is the first time Jim has testified in court regarding digital evidence. The defendant’s attorney simply asks, “How is the data allocated, and how would you explain what your tools do to get to your conclusion?”

Jim fully understands how to use the specific software and has even received certifications; however, his lack of understanding of data allocation, FAT tables, and unallocated space works to the defendant’s benefit. The defendant’s expert was able to give the jury a better understanding of what the evidence was and how it may have gotten onto the device, which won the case for the “guilty” defendant.

Budget season is close at hand, and Jim knows that the yearly license fees are coming up and that new equipment must be purchased. However, his own turnaround time on a case is now longer than nine months.

Jim:  Chief, I am going to need to hire additional digital examiners to keep up with the caseload.

Chief:  If you can justify the need by comparing your caseload to other digital labs, then I will consider it.

Jim does what his Chief did and looks within the department for additional help, and then the process repeats itself.

Throughout Jim’s tenure he has accrued a large amount of training and certifications. A private laboratory offers Jim a job with better pay and the opportunity to work better cases, like IP theft or embezzlement, rather than child pornography. Jim quits the department before additional assistance is hired, and the department has to start all over again, wasting taxpayer money.

This common scenario continually drains law enforcement of the resources departments need most, and it proves not to be very effective. Digital evidence today is like DNA was back in the 1980s. Outsourcing is proving to be more cost-effective and faster, and it brings the capability to handle a broader array of services than doing it in-house.

So why don’t all law enforcement entities outsource digital evidence?

It costs departments a lot of money in continual training, equipment, salary, benefits, and liability only to have their experts leave for the private side. From speaking with two different departments, it is my understanding that it costs a department approximately $250,000 for each officer in digital forensics, and this includes salary, benefits, vacation, car, training, equipment, and yearly software licenses. Scalability is another problem, because one officer can only process so many cases per week.

A department that outsources digital forensics could save $150,000 each year and process up to three times the number of cases per week with limited liability. To not outsource and to continue to hear that law enforcement entities lack financial resources is very disheartening. Law enforcement is, by necessity, a large system, and a large system is difficult to move in a discipline as turbulent as digital forensics. Where and how data is stored is constantly changing. Private laboratories are nimbler and more scalable, which lets them adapt to the constant change.

Flashback Data was the first private digital laboratory to achieve the American Society of Criminal Laboratories International accreditation (ISO17025:2017) under the discipline of digital and multimedia evidence, which is the same accreditation held by the FBI RCFLs and some state laboratories. This accrediting body creates a culture of continual improvement for the laboratory. The majority of law enforcement entities that perform digital examinations internally are not ASCLD internationally accredited, which leaves large holes for the defense to use against them. Those holes may involve chain of custody, evidence retention, examination processes, personnel training, equipment validation, and the assurance of a third party evaluating whether they meet best standards.

In 2015 the White House released findings suggesting that all digital evidence be processed through an accredited crime lab, much like DNA. Flashback Data is the first private laboratory to commit to consistently improving its processes and policies, but we are surely not the last. The shift from law enforcement entities providing digital forensics internally to outsourcing it will need to intensify in order to keep up with the demand for processing digital media involved in civil and criminal cases. For that to happen, law enforcement entities will have to start looking outward for solutions.

Innovation in Digital Forensics

Many digital forensics labs rely solely on the tools they purchase and the specific training methodologies they are taught. We just don’t think that way. We are constantly trying to find new ways to uncover more information, in ways that most digital labs either haven’t thought of yet or don’t have the ability to try. Our years of research and development in data recovery have given us that ‘never give up’ attitude when it comes to digital investigations.

For example, we were recently assisting an agency in a homicide case and ran across a victim’s phone that had been broken in half. All we had was the circuit board from this older flip phone. In most cases on newer phones we can perform a chip-off of the memory and read it with a device programmer. From there we reconstruct the data on the phone for analysis. However, in this case, the form factor of the chip was much smaller than the typical eMMC chip seen on newer phones. Searches on the part numbers printed on the chip itself came up empty as to what it was. So we were stuck with a dilemma: if we pulled the chip off the phone and it ended up being a type of chip that can’t be analyzed, then we had just ruined the only chance of getting any evidence in the case.

So, how could we come up with a new way to find out what type of chip was on the phone without pulling the physical chip off the board?  What if we could see through it?  Aha!  That’s it!  However, although we like to think of our examiners and engineers as superheroes, Superman doesn’t work here.  That’s OK, we can use regular x-ray for that, right?

[Image: X-ray of the phone’s circuit board]

There you go. It worked! The chip right in the middle is the memory chip, and yep, it’s a regular eMMC chip. Now we knew we could remove the chip and grab the data to solve the case. Of course, we removed it with our heat vision.

When You Need to Finally Call a Digital Forensics Expert

In the age of the cloud, it is easy to take convenient access to data for granted. With older or more secure information, local storage can fail, potentially corrupting valuable data. Before handing the job off to your in-house IT team, consider hiring a digital recovery expert first.

Digital Forensics Expert: Job Description and Overview

Digital forensics is often very similar to the work of the crime scene technicians and coroners seen on many TV shows. Experts in data recovery and digital forensics also perform a kind of autopsy in order to extract evidence from hard drives, mobile devices, or any other electronic device.

Hiring a Digital Forensics and Data Recovery Specialist

There are a number of reasons to hire computer forensics experts. Police departments often use them to sort through Google searches or Facebook posts. Divorce attorneys use digital forensics specialists to uncover hidden assets or evidence of an affair. Corporations use digital forensics experts to protect their intellectual property, ensuring that current or former employees do not steal information or work for competing businesses.

Best Qualifications for a Digital Forensics Expert

While many digital forensics specialists have advanced education, such as bachelor’s or master’s degrees in computer science, it is not a requirement. In fact, some of the most highly regarded experts in the field do not have a university education. Interestingly, many of those same people teach courses at prestigious colleges.

Accreditation and experience are far more important when choosing a digital forensics and data recovery expert. Flashback Data, for example, conducts its investigations in a lab accredited by the American Society of Crime Laboratory Directors (ASCLD/LAB International). This is the same accreditation held by the FBI and state law enforcement forensics labs.

Case No. 06286 – Embezzlement

We were engaged by a company to examine its technical infrastructure for suspected intrusion and/or monitoring. Investigation revealed that an ongoing breach was in fact occurring, but the source was internal. We discovered multiple keyloggers and other monitoring software had been deployed to company computers. Further investigation determined the source was a trusted employee and that, in addition to monitoring, the employee had been embezzling money from the company for several years. It was later revealed her motive was to steal customer lists and spy on management in order to later separate from the company and form a competitor. Both civil and criminal proceedings were instituted against the suspect, who was ultimately convicted and imprisoned.

Case No. 07715 – Fraud

Our client represented the wife in a complex divorce proceeding. Husband and wife had co-owned and sold an early-stage company during their marriage for approximately $8M. At the time the divorce was filed, the marital estate was estimated at approximately $2M, and there was no accounting for the missing $6M.

Forensic examination of cell phones, personal computers, and financial activity uncovered data fragments which, upon analysis, were traceable to an undisclosed bank account that had been surreptitiously accessed by the husband. Following a subpoena to the bank, it was discovered that this undisclosed account contained about $6 million. A settlement agreement was reached that greatly favored our client.

Free Forensics Tool – $I File Parser

In nearly all digital forensics cases where a Windows computer is involved, we need to process the Recycle Bin for deleted files. When a file is deleted through the Recycle Bin on a computer with the NTFS file system, several things occur. First, the NTFS $MFT entry is updated with a new parent record number. Basically, that means its parent now becomes the Recycle Bin instead of its original location. Second, the file is given a new name: instead of the original name, it is renamed to $R followed by six random characters and the original file extension. For example, a file named “dog.txt” could become “$R24E32E.txt”. In addition, a paired administrative file is created. This administrative file starts with $I and then has the same six random characters and the original extension, so the paired administrative file for “$R24E32E.txt” would be “$I24E32E.txt”. These $I files contain a good deal of information, even when the paired $R file has been overwritten.

The $I files contain:

  • The original file’s size
  • The date the file was sent to the recycle bin
  • The original file’s full path

There aren’t any good tools that specifically parse only this information out of these files quickly, so we made the Flashback Data $I File Parser. Take all of the $I files for your case (you can use your favorite forensics tool to get these) and put them in a directory. Point the program at it, set an output CSV file, and it will parse all of the files into a CSV. The CSV fields output are: $I file name, $R file name, Size (in bytes), Date (UTC), Original path, Original File Name, and MD5 hash of the $I file.
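The $I layout described above, as an added Python example that is not the Flashback Data parser itself: it reads the three fixed fields (version, original size, deletion FILETIME) and the UTF-16LE path in both the Vista-through-8.1 record (version 1, fixed 520-byte path) and the Windows 10 record (version 2, length-prefixed path), and emits the same CSV columns. The record it parses is constructed inline; the record layout, the sample path and timestamp, and the file names are the assumptions.

```python
import csv
import hashlib
import struct
from datetime import datetime, timedelta, timezone
from pathlib import Path

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_i_file(data, i_name):
    """Parse one $I record. Layout: 0x00 version (u64), 0x08 original size (u64),
    0x10 deletion time as FILETIME (u64), then the original path in UTF-16LE as a
    fixed 520-byte field (version 1, Vista through 8.1) or as a u32 character
    count followed by that many characters (version 2, Windows 10 and later)."""
    if len(data) < 0x18:
        raise ValueError(f"{i_name}: too short to be a $I file")
    version, size, ticks = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[0x18:0x18 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 0x18)
        raw = data[0x1C:0x1C + 2 * nchars]
    else:
        raise ValueError(f"{i_name}: unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]
    return {
        "$I file name": i_name,
        "$R file name": "$R" + i_name[2:],       # same six characters and extension
        "Size (bytes)": size,
        "Date (UTC)": filetime_to_utc(ticks).strftime("%Y-%m-%d %H:%M:%S"),
        "Original path": path,
        "Original file name": path.rsplit("\\", 1)[-1],
        "MD5 of $I file": hashlib.md5(data).hexdigest(),
    }

def parse_directory(directory, out_csv):
    """Parse every $I* file in a directory into one CSV and return the rows."""
    rows = [parse_i_file(p.read_bytes(), p.name)
            for p in sorted(Path(directory).glob("$I*"))]
    with open(out_csv, "w", newline="") as fh:
        writer = csv.DictWriter(fh, fieldnames=list(rows[0]) if rows else ["$I file name"])
        writer.writeheader()
        writer.writerows(rows)
    return rows

def build_sample_i_file(version, size, when, path):
    """Constructed $I record for demonstration, not an artifact from a real system."""
    ticks = ((when - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10  # exact integer math
    enc = (path + "\0").encode("utf-16-le")
    head = struct.pack("<QQQ", version, size, ticks)
    if version == 1:
        return head + enc.ljust(520, b"\0")
    return head + struct.pack("<I", len(path) + 1) + enc

# Constructed sample using the post's example names ("dog.txt" -> $R24E32E.txt / $I24E32E.txt)
SAMPLE_PATH = r"C:\Users\user\Documents\dog.txt"
SAMPLE_TIME = datetime(2017, 2, 28, 15, 4, 5, tzinfo=timezone.utc)
SAMPLE_I = build_sample_i_file(2, 1234, SAMPLE_TIME, SAMPLE_PATH)

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        Path(d, "$I24E32E.txt").write_bytes(SAMPLE_I)
        for row in parse_directory(d, Path(d, "recycle_bin.csv")):
            print(row)
```

Because the $I record is hashed as a whole, the MD5 column lets a reviewer confirm that the record examined is the one that was collected, even after the paired $R content is gone.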

Please send any feedback by clicking here.

We hope this helps some of you make your job easier.

To download the updated version (2/28/2017, v0.95), click here.

Unzip the file and run IFileParser.exe

Digital Forensics Policy

We get excited when one of our examiners gets published! We get even more excited when it has to do with digital forensics policies and procedures. As you know, we take this subject very seriously, as we hold ASCLD/LAB and ISO 17025 accreditation.

So, check out what Andre Champagne wrote for this month’s Evidence Technology Magazine here!

When the Easy button fails! Cell Phone analysis of a Samsung Galaxy Note 2 (SPH-L900)

Oftentimes clients come to Flashback Data because their forensic examiners have “run out of tools” to use on cell phones. Literally, an examiner will have run through their entire toolbox, ranging from UFED, Lantern, Susteen, Oxygen, XRY, MPE+, etc. The examiners will usually tell me “XYZ forensic product says the device and operating system are covered” or “I even reached out to the company for help.”

It has been my experience that these hard-working professionals are desperate for something that will allow them to obtain data from a cellular device, usually because one of their bosses is breathing down their neck over a case backlog. I can literally hear the desperation in the forensic examiners’ voices; it’s as if to say “WHY CAN’T ANYTHING JUST WORK!” I have even heard their desperation conclude with a statement along the lines of “Dude, I even tried BitPim”. HOLY COW! REALLY! Man, you are desperate!

But all in all, I know what these examiners are feeling. For some reason, it never seems to happen on just a “run of the mill” case. NO! It happens on cases that live or die by the forensic evidence obtained. It will happen on a homicide, a major felony, a multimillion-dollar lawsuit, or some other major intellectual property theft. I myself have had this happen way too many times, and quite frankly it leaves me feeling a bit HACKED OFF!

Yup! Your boss is breathing down your neck. He just doesn’t understand why yesterday you were able to find evidence on a phone and produce a report within hours, and today you ran $30,000 worth of software against a device and got nothing. Although my bosses understand that software fails, it is still a pain to me when the traditional “easy button” for data extraction fails.

Sorry to blog about this, but I had to let out some frustration because this same thing just happened to me. We recently had a client who wanted deleted text messages from a Samsung Galaxy Note 2 (Model: SPH-L900) running Android 4.4.2 (KitKat). I whipped out the ole’ trusty UFED Touch with the most current update. Sure enough, it showed support for a physical acquisition of the device, and then it happened. That precious little DING sound that we are all too familiar with. It doesn’t matter where you are in the lab; when you hear that sound it’s the same feeling. It’s as if a group of ninjas descended from the heavens and all decided to kick you in the gut at the same time. BAM!

We tell ourselves “No problem, I know how finicky those physical acquisitions can be”, but in the back of your mind you’re thinking “my goose is cooked”. I restarted the acquisition, except this time I added the step of hitting the button tucked away in my top drawer. FAIL! Dang you “Easy Button”, you failed me again. Okay, well I guess I’ll be happy with just grabbing the file system. So once more I initiate the sequence, and again DING!

This time I get the awesome message “Operating system not supported”. I tell myself there might be a workaround. I take the next step that most examiners who are pressed for time do: Google. Yup, we have all done it! There is no shame in it. I start to research the Galaxy Note 2, and at the same time shoot an email over to the awesome team at Cellebrite.

I get the response, “I can tell you that the new version of UFED should have support on 4.4.2 and below.” I will say this: the Cellebrite engineers are great and have helped in several cases, especially when it has come to whipping up a Python script for certain tasks. This time they gave several suggestions, but nothing worked.

I think to myself, a year ago I saw an episode of C.S.I. where they placed a cellular device onto the table, and it immediately threw all the contents onto a holographic wall. I thought what the heck, so out of desperation I placed the device up to my computer screen. I had a glimmer of hope that through some sort of data osmosis the “mmssms.db” would be projected onto the holographic wall in the lab. That’s when it hit me: nope, somewhere in our budget the line item expense “holographic wall” had been denied.

I didn’t throw every tool in the toolbox at it, but I did quickly check to see if JTAG would be an easy option. Nope! I made the decision to resort to the good ole’ down and dirty. Yep, chip-off. Now, all I had to do was contact the client and receive their authorization. You know how that conversation goes. UM yes, that’s right, your phone will never work again. They usually ask something along the lines of “will I be able to turn it back on again and keep it for (XYZ reason)”. NO [INSERT FAVORITE WORD HERE], your phone is going to be destroyed in the process. I will give you all the pieces back, though, if you like. After it sinks in for a minute, the client realizes the data is more important than ever getting the phone back in working order. WHEW! We jumped that hurdle.

So now the fun begins. Disassemble the Samsung Galaxy Note 2. It’s irritating taking your time to get the device open without breaking anything. I know the device will never work again, so I wish I could just smash and pry my way to what I want. Nope! After all, we are an accredited crime laboratory, so unfortunately I have to put on my “kid gloves” to get at the phone.

After watching a few YouTube videos I was able to get the housing off of the phone. It’s funny, in those videos have you ever noticed how the creator’s device always seems to magically just “fall apart”? It’s either because they edited out 20 minutes of manipulating and prying or because they had already misplaced about half of the screws from the 18 previous times they dismantled their device.

Another minute or two and I had removed the logic board from the phone, and now it was time to begin the ‘tedious’ work of actually removing the embedded multimedia card from the logic board. Bingo! After a bit more work it’s removed. Clean it up, and “voilà”, I have what I need. Now it’s just a matter of getting my favorite imaging tool to read the chip and BAM! Instant DD file to import into Cellebrite. We all know from there it’s just a matter of going through the data and getting what I want.

In your face easy button!