How Digital Forensics Can Help Solve Legal Cases

You may have seen in a modern time Hollywood blockbuster a detective trying to hack into a device to reveal more about their suspect. But how realistic is this portrayal of digital forensics?

We speak to Chris Collier, a Senior Digital Forensics Analyst, who reveals more about the process of digital forensics and how his findings can benefit legal cases.

How has digital forensics developed over the years and what importance does it play in legal cases now, in comparison to a decade ago, when the digital world was a lot different?

From a mobile device perspective, the last ten years have brought massive changes in the world of digital forensics. Phones have drastically changed over this time, especially with the introduction and growth of smartphones (the original iPhone was released in 2007). At the beginning of this period, phones were generally built for storing limited contact data (primarily a short name and a number), making calls and sending/receiving SMS – with limited storage volumes. Current smartphones are now capable of storing vast amounts of data, from contacts, calls and messages (which covers standard SMS to application messages, multimedia messages, emails), to media files such as music, images and documents. With handsets capable of 512GB storage data and an additional 1024GB expansion with memory cards – a potential 1.5TB of storage. A vast array of free and paid-for applications now allow users to communicate away from standard networks, send encrypted data and automatically destruct messages/images. Apps also interact with on-device cameras/video recorders and GPS locators to provide organisers, navigation tools, file sharing tools, IoT (Internet of Things) controllers, document processing, health application data etc.

Additional security features on the handsets such as PIN, Passwords and data encryption (handset and application-specific) greatly affect the ability to recover data from handsets.

 

The volume and type of data have increased the importance of information recovered from digital devices from ancillary data to key evidence. Examples of this can be: GPS data recovered from handsets putting suspects at the scene of a crime; communication data discussing a crime to be committed, or a crime after it has been performed; documents relating to fraud; illegal image files stored on the handset or additional storage; health application data showing the activity of a user when the crime was being committed, including heartrate/physical exertion.

Data is now split across storage on physical devices and data stored on the cloud. With applications caching data on devices and full data stored on the application creators’ servers, such as Facebook Messenger, Dropbox etc., new techniques have had to be developed to recover data directly from separate servers to combine with the data recovered directly from the handset.

Additional security features on the handsets such as PIN, Passwords and data encryption (handset and application-specific) greatly affect the ability to recover data from handsets.

Forensic methods have also changed over this period such as: connection techniques such as infra-red and multi-pin cables; ever-faster USBs, Bluetooth extractions and the development of advanced techniques – such as, Chip Removal (where the memory chip is removed from the device and data is read directly from it), ISP (In-System Programming, where connections are soldered directly to the board, allowing communication direct to the chip); password bypass tools and decryption techniques; and, changes in the way data is stored on the handset with an increasing reliance on SQLite database storage for applications. The volume and complexity of recovered data have also changed which has led to more time being spent on examination and analysis.

Once a device has been pre-imaged, we move onto the Extraction/Analysis stage.

What are the steps in digital forensics?
The first key step is seizure of devices. With mobile phones it is important to stop the connection to the network – this can be done as simply as turning the handset off – because, with an active network connection, it is possible to remotely wipe data on a handset. This is generally performed by our clients, however, MD5 can perform onsite collections to securely recover exhibits. Once exhibits have been seized, they are brought to the MD5 lab for analysis.
Handsets will initially be pre-imaged at MD5; this allows us to perform an initial assessment of the device. This is performed in the MD5 shielding unit, a secure room that blocks all network connections. Here, we check devices for PIN/Passwords, record the handset’s date and time against the atomic clock, check for further handset information, such as specific model variant and operating system, and further disable the option to connect to a network.
Once a device has been pre-imaged, we move onto the Extraction/Analysis stage. Initial attempts will be made to extract a physical image of the device using non-destructive forensic methods. If this fails, advanced techniques are then reviewed and further assessments of the device are made, whereby we will determine what advanced techniques are viable and consult the client on which route they would like us to take.
Once all data has been recovered, the analyst will review the data and identify what is relevant to the given case remit. This can be searching for given user contacts, looking for specific files, reviewing a timeline of data for events or further complex work. Once this has been completed, the analyst will prepare a report on their findings.
Once completed, the report and exhibits are passed onto the client, with the analyst on hand if further explanations are required.

The volume of data can vary between applications or handset make, model and OS (Operating System).

How do you piece together the digital ‘chain of events’?

Data is reviewed together with a remit from the client. More information provided in the remit allows the analyst a better understanding of the case and requirements. The analyst will then manually review the data against the client remit looking for information relating to the case.
This can be looking for specific data, i.e., contacts with a specific person or looking for specific files. It could be a more complex review of data: reviewing a timeline of data to build a picture of events and interpret this into something more accessible, attempting to determine where data has come from or how it has appeared on the device.

How much can you actually recover when undergoing a legal investigation?
The volume of data can vary between applications or handset make, model and OS (Operating System). Effectively, all live data is recoverable, either through forensic tools, advanced methods or, as a last resort, manual data capture. Deleted data can vary on an application, OS, make and model basis – this can also be further affected by the presence and type of handset encryption.

Generic web browsing is normally completed in applications such as “Chrome”, “Safari”, “Samsung Internet”. From these, we are able to recover varying sets of data, depending on the application or handset make/model/OS.

Application data can vary depending on what the application chooses to cache (store in the application’s memory). Applications such as Facebook Messenger do not store full message communications on the handset – full messages are stored on the Facebook servers with a selection of messages cached to the handset memory. The application will temporarily store a copy, to speed up retrieval the next time the user wants to access the same data from the internet. This is largely done to save space on the handset, improve performance, and allow the data to be accessed by a wide range of devices.

What evidence can be obtained from web browsing and social media and how can this change the course of a legal case?
Applications generally separate web browsing and social media data on mobile devices, with dedicated applications for each social network.
Generic web browsing is normally completed in applications such as “Chrome”, “Safari”, “Samsung Internet”. From these, we are able to recover varying sets of data, depending on the application or handset make/model/OS. This can include Web history and bookmarks, Web searches and autofill data, Cookie data, password and account information. It is also possible to recover cached images and web pages from some devices. This can be very relevant in many cases. The data may relate to: accessing/downloading illegal files; searches relating to locations/places prior to the suspect being there; often criminals search for answers on the internet in relation to commenting/covering up crimes which can be important when building a case.

Along with the application data, the user accounts are recovered from the handsets. This allows for easy tracking of evidence.

Social media data can be recovered directly from applications. This can include cached data (such as wall posts and direct messages), user accounts, user activity (in some cases this can include data volumes transmitted to the network), messages data including multimedia, location data. All of which can be used when building a case and viewing a timeline of events, or may even contain the incriminating data vital to a case.

How easy is it to trace evidence back to the accused? What challenges may arise for you?
PIN- and password-locked devices can ease the process of attributing handset data to an owner. Often a locked device will only be accessible to the owner, without access to forensic tools. This gives us a level of certainty with attributing data to a device owner.
Most applications are activated with a user account. Along with the application data, the user accounts are recovered from the handsets. This allows for easy tracking of evidence. Often accounts are set up with a personal email, phone number, user name and contact image.
This can be a challenge if the account has been set up with data to obfuscate using generic names or data not related to the owner, however, the presence of this account on a device allows us to tie the data back to the owner.

Chris Collier
www.md5.uk.com/
My name is Chris COLLIER and I am a Senior Digital Forensics Analyst and the Head of Mobile Device Forensics at MD5 Limited. I have been a digital forensic practitioner since 2007. I first started my career at the Digital Forensic Unit in Humberside police. There, my duties included the collection and investigative analysis of digital devices (including mobile phones, tablets and satellite navigational aids) and the presentation of the data in evidential form suitable for a court of law. During this time, I examined in excess of 6,000 Digital devices. In this role, I gave evidence in courts within the English Legal System and the United States of America.
In March 2017, I moved to MD5 Limited. Here my role involves forensically acquiring data from digital devices (including onsite examinations), analysing and investigating data according to client specifications and clearly and accurately producing written reports where I have to verbally ‘translate’ technical findings to clients and stakeholders. I am also called upon to clearly and accurately present digital evidence in court, including being able to explain my actions taken and support conclusions under cross-examination.
I am also responsible for running the mobile phone forensics team which involves: mentoring, monitoring and development of staff members; leading Research and Development on projects into new working practices to ensure that MD5 Ltd is offering the most appropriate and effective service to meet client requirements; developing Standard Operating Procedures and proactively acquiring knowledge to ensure MD5 is using the most appropriate hardware and software to meet client requirements; overall responsibility for quality assurance checks; providing advice to internal and external stakeholders regarding the feasibility and reliability of forensic analysis in relation to the digital evidence sought.

MD5 LTD is a UK leading provider of Digital Forensic & eDisclosure services to large multi-national corporate businesses, Law Enforcement & Government Agencies and high profile legal firms. Founded in 2003 by a former Head of the Digital Forensics Unit at the National Crime Squad. MD5’s forensic laboratory continues to investigate the business world’s ever-changing digital environment, allowing our experts to discover reliable evidence from the investigation of Computers, Mobile Phones, other Digital Devices and Digital Storage Media, Cloud Data and Internet activity.
The work taken on by MD5 ranges from standard forensic examination and analysis, to bespoke advanced data recovery techniques, or large-scale eDisclosure projects, where a high level of knowledge may be required or where an expert opinion may be required. MD5 have the ability to recover data from a wide range of primary storage devices, interpret complex data and then present the evidence in a clear format to establish legal facts for courts. As a result, this allows us to provide expert Digital Forensic Services tailored to the needs of our clientele.
Digital forensic investigation often identifies a large volume of suspect documents and emails. MD5’s eForensics approach combines our expertise in digital forensics and data analytics with electronic review tools, so our commercial clients can recover evidence from a mountain of data in significantly shorter timescales. MD5’s eDisclosure service provides our clients with proportionate, defensible outcomes for every day as well as complex commercial cases. Our experienced eDisclosure team helps our clients to meet the challenge of the increasing volumes of data stored in computers, mobile phones, and the Cloud.

Leave A Reply