The Role of Digital Forensics in Criminal Investigations
16 Sep, 2016
Evidence from the Hillsborough disaster was originally only in the form of tatty notebooks and water-damaged folders, until a series of floppy disks came to light and critical documents were found. Film and photographic evidence has also since been recovered, aiding the resolution of the case. Evidence is crucial in all cases, but sourcing and physically recovering it is not as simple as it sounds.
The challenge is that the data likely to be of most interest to investigators, in a historic case in particular, is likely to be stored in an old or even obsolete format. We may have stopped using the once-ubiquitous 3.5-inch and 5.25-inch floppy disks long ago, but, as our investigations often demonstrate, that doesn't mean organisations have got rid of their old media altogether.
While best practice dictates that data is migrated from old storage formats onto back-up tapes or, increasingly, the cloud, in our experience old floppy drives never die; they just get put into boxes in a cupboard or an off-site facility.
Finding the disks as part of an ongoing investigation is one thing, but identifying the information on them is quite another. As technology is refreshed and updated within an organisation, the means of reading old file formats disappears. Just as many a household has a box full of videocassettes or LP records stored in the loft but nothing to play them on, so plenty of corporate organisations retain disks and tapes that can no longer be read by their IT equipment.
The answer may be to source an old machine from the same era and hope it is compatible with the media. However, you have no idea what is going to happen or whether you will be able to extract the relevant files. From the outside the machine may look to be in working condition, but hidden internal failure or damage may be working against you and prevent any data from being recovered.
Tracing the author or editor of a document can be equally challenging. A Microsoft Word document, for example, may carry multiple date and time stamps, each written whenever the document is drafted, saved, amended, printed or shared.
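As an added illustration of the timestamps just mentioned (example code written for this page, not Kroll Ontrack's tooling), the following reads the core properties a .docx stores in docProps/core.xml and flags orderings that do not fit a genuinely edited document. The sample document and its names and dates are constructed; the anomaly rules are simple heuristics, not an authoritative method.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# Namespaces used by docProps/core.xml inside a .docx (OOXML / ECMA-376).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
# Identity and timestamp fields Word maintains; each is one row in the timeline.
FIELDS = [("author", "dc:creator"), ("last_modified_by", "cp:lastModifiedBy"),
          ("created", "dcterms:created"), ("modified", "dcterms:modified"),
          ("last_printed", "cp:lastPrinted"), ("revision", "cp:revision")]

def read_core_properties(docx_bytes):
    """Pull the core-property fields out of a .docx (which is a zip container)."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    props = {}
    for label, path in FIELDS:
        node = root.find(path, NS)
        props[label] = node.text if node is not None else None
    return props

def timeline_anomalies(props):
    """Heuristic checks. The values are plain XML and can be edited by anyone, so
    treat hits as leads to corroborate, not proof. W3CDTF UTC strings sort lexically."""
    issues = []
    c, m, p = props["created"], props["modified"], props["last_printed"]
    if c and m and m < c:
        issues.append("modified before created")
    if c and p and p < c:
        issues.append("printed before created")
    if props["revision"] == "1" and c and m and m != c:
        issues.append("edited but revision count still 1")
    return issues

# Constructed sample core.xml (not from any real case) with a deliberately
# inconsistent timeline so the checks above have something to find.
SAMPLE_CORE = b"""<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" xmlns:dcterms="%s"
 xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<dc:creator>A. Drafter</dc:creator><cp:lastModifiedBy>B. Editor</cp:lastModifiedBy>
<cp:revision>1</cp:revision>
<dcterms:created xsi:type="dcterms:W3CDTF">2016-03-01T09:00:00Z</dcterms:created>
<dcterms:modified xsi:type="dcterms:W3CDTF">2016-02-20T17:30:00Z</dcterms:modified>
<cp:lastPrinted>2016-03-02T10:00:00Z</cp:lastPrinted>
</cp:coreProperties>""" % tuple(v.encode() for v in NS.values())

def build_sample_docx():
    buf = io.BytesIO()  # minimal zip holding only the sample core.xml
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE)
    return buf.getvalue()
```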
Tangled Up in Tape
If organisations have chosen to back up data to tape rather than simply put old disks into storage, then a whole new set of challenges emerge for investigators. Tapes are very different to structured file storage solutions on disk.
At the basic level, disk structures come in three or four main formats: Windows-based formats such as FAT32 and NTFS, Unix-based formats such as UFS and EXT3, and Apple HFS. With fairly standard equipment, access to the data is relatively straightforward.
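To show what "identifying the format" on an old disk looks like in practice, here is an added example (not the author's or Kroll Ontrack's code) that recognises the disk formats named above from the signature bytes of a raw image and pulls a couple of forensically useful fields out of the ext superblock. The offsets are taken from the public on-disk layouts for NTFS, FAT32, ext and HFS/HFS+ (UFS is left out); the images are constructed in memory, not real evidence.

```python
import struct
from datetime import datetime, timezone

# NTFS and FAT32 identify themselves in the boot sector; ext keeps its superblock
# at byte 1024; HFS and HFS+ keep a two-byte volume signature at byte 1024.
def identify_filesystem(image):
    """Return (format, details) for the first bytes of a raw disk image."""
    if image[3:11] == b"NTFS    ":
        return "NTFS", {"bytes_per_sector": struct.unpack_from("<H", image, 0x0B)[0]}
    if image[0x52:0x5A] == b"FAT32   ":
        return "FAT32", {"label": image[0x47:0x52].decode("ascii", "replace").strip()}
    sb = image[1024:2048]
    if len(sb) == 1024 and struct.unpack_from("<H", sb, 0x38)[0] == 0xEF53:
        wtime = struct.unpack_from("<I", sb, 0x30)[0]   # s_wtime: last write to the fs
        return "ext2/3/4", {
            "label": sb[0x78:0x88].split(b"\0", 1)[0].decode("ascii", "replace"),
            "last_write": datetime.fromtimestamp(wtime, timezone.utc).isoformat()}
    if image[1024:1026] == b"H+":
        return "HFS+", {}
    if image[1024:1026] == b"BD":
        return "HFS", {}
    return "unknown", {}

def sample_ext_image():
    """Constructed 4 KiB image with only the ext superblock fields we read filled in."""
    img = bytearray(4096)
    struct.pack_into("<H", img, 1024 + 0x38, 0xEF53)        # s_magic
    struct.pack_into("<I", img, 1024 + 0x30, 1136073600)    # s_wtime = 2006-01-01T00:00:00Z
    img[1024 + 0x78:1024 + 0x7F] = b"casevol"               # s_volume_name (16 bytes, NUL-padded)
    return bytes(img)

def sample_fat32_image():
    """Constructed image carrying only the FAT32 type string and a volume label."""
    img = bytearray(4096)
    img[0x52:0x5A] = b"FAT32   "
    img[0x47:0x52] = b"EVIDENCE   "
    return bytes(img)
```

A real image should be read through a write blocker and hashed before any of this runs; the signature check only tells you which toolchain to reach for next.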
Tapes, on the other hand, are far more varied. Over the last seven years, for example, tape technology has continued to change, particularly in capacity: the latest LTO6 can hold a massive 6.25 terabytes of data. There are at least 20 different physical tape formats still in use, each requiring the appropriate hardware, and given the frequency of technology refreshes it is highly unlikely that tapes from seven years ago can be read by a current solution.
To add to this complication, there are probably 20 software solutions used to write to the tapes, each with its own format. So whereas you may need six or seven options to recover data from disk, with tape you may be choosing between 400 combinations. Having the correct equipment and knowledge of the software used is essential (and the latter is often missing due to a fragmented or incomplete approach to retention). Of course, once you have the tapes and before selecting a recovery option, you need to identify which tapes belong together as spanned sets.
Even in the ideal situation, where a company has archived and documented everything, can identify the tapes required and those tapes are in working order, the question remains: when did it last review the data it is keeping? The oldest set of data I personally have ever seen was 32 years old, and it contained microfilm reels as well.
Many companies place their tapes in storage and then fail to review the need to keep them, because they lack a cogent data retention and destruction policy. Not only can this incur unnecessary storage costs, but in the event of an e-discovery request it significantly increases the timescales and costs associated with accessing, processing and reviewing the data.
Requests in litigation cases and from regulatory bodies and other investigators can be demanding and come with stringent deadlines. So when the request arrives and you have 15 years of tapes to consider, what are you going to do? Hopefully the request will relate to a specific time period, but if you cannot identify the relevant tapes you may have to investigate all of them, delaying the response to the regulator and even creating the impression of non-cooperation.
On the other side of the coin, if forensic teams are able to find data even when organisations believe it is irretrievable, those organisations may well be at risk of falling foul of data privacy laws, especially with the General Data Protection Regulation (GDPR) coming down the track in 2017.
Businesses and individuals need to consider how they are 'destroying' data and whether this is really achieving the desired outcome. Data can be found in places we once thought were hidden or 'forgotten'. However, as technology advances, digital forensic teams are seeing a shift from magnetic media to cloud storage, which is introducing new challenges.
The Social Media Shift
There was a time when electronic evidence was perhaps there to supplement other types of evidence. Now it has to be the other way around, as we approach cases knowing that the electronic evidence may well be the primary or only source.
As numerous news stories this year have demonstrated, this electronic evidence increasingly needs to be sourced from social media channels. Of course, it is not only celebrities who live their lives out on social media; you only need to look at your own digital footprint to know that a large part of who you are and what you say is now played out on social media channels, and is recorded and capable of being played back.
Even when it is impossible to source information from an encrypted iPhone or a WhatsApp message, there are normally other ways to identify the data that is needed for a case or investigation.
Luckily, our modern-day dependence on technology has fuelled massive growth in digital forensics. Provided even tiny parts of the original data are retrievable, digital forensics teams are able to replicate copies and produce a list of files and their content. Over the years, these teams have adapted and advanced their capabilities, and nowadays legal cases and criminal investigations are heavily dependent on their services.
Notwithstanding this, it is now essential for companies to have an effective and fully documented information retention policy and practice that involves all the relevant parts of a business. Some key questions need to be addressed. From a legal aspect: how long do records need to be kept? From a security aspect: where should the records be kept? From an IT aspect: how are these records going to be kept, and what needs to be done when there is a technology refresh? And finally, from an overall business perspective: who is going to maintain all the necessary records and own the review process?
None of the scenarios outlined above suggest that anything will change in the future in terms of data storage complexity. Indeed, the number of formats will only continue to mushroom, adding to the pile of existing disks, tapes and devices already on the investigators' inventory list. Good information governance practice is the only way to achieve streamlined data storage that can be cost-effectively examined by a forensics specialist.
Authored by Tony Dearsley, Principal Consultant at Kroll Ontrack.
(Source: Kroll Ontrack)