Digital ForensicS BEYOND TIMELINES. / magazine

Transcription

1 Digital ForensicS The Quarterly Magazine for Digital Forensics Practitioners Issue 18 February 2014 WIN! an ipod Nano / magazine BEYOND TIMELINES Anchors in Relative Time Mark Spencer takes an in-depth look at timelines, and highlights the importance of checking detail, using a recent case in Turkey to demonstrate the dangers Latest News, 360 Book Reviews, IRQ & much more inside! PLUS! Forensic Readiness Malicious use of Android Permissions Using Fuzzy Hashes for Malware Classification Issue 18 / TR Media DFM18_OFC_Cover - Online.indd 49 27/01/ :30

2 / FROM THE LAB A BROAD EVIDENTIAL VIEW A recent news article announced Nuix and Cellebrite Partner to Leverage Complementary Strengths in Mobile Device Forensics, Investigation and ediscovery. We contacted them to explain why / ENTRY Nuix, a worldwide provider of information management technologies and Cellebrite, a global provider of mobile data extraction, decoding and analysis solutions, announced they have formed a technology partnership to leverage their complementary strengths in mobile forensics, investigation and ediscovery. The alliance will enable forensic investigators, law enforcement, military and intelligence analysts and ediscovery practitioners to efficiently incorporate forensically sound mobile device data into investigations and legal discovery procedures. / Mobile Phone Forensics Using Cellebrite & Nuix. Mobile phone market penetration has reached 90% globally. In North America and Western, Central and Eastern Europe, there are more active mobile phone accounts than people. Mobile data plays a critical role in investigations and legal discovery procedures. Low-cost, readily available and anonymous communication channels help to keep criminals just as connected as everyone else. Criminal networks make extensive use of messaging applications, mobile calls, SMS and s. These channels warrant considerable attention from law enforcement. Mobile phones are intrinsically personal devices that deliver up a wealth of information on people and their habits, which can sometimes illuminate new leads for investigators to follow. 64 The challenge for investigators is that mobile devices do not give up content easily. They were designed with user convenience, rather than evidential value, in mind. As a result, investigators looking to extract data from mobile devices must be armed with a creative mindset and a strong set of tools. More challenging cases may also require a level of experimentation. Thankfully, forensic technology is keeping up with the wide range of communication devices and formats. Mobile data becomes even more valuable to investigators when they can cross-reference it with intelligence from other sources of evidence. Gaining a comprehensive view of mobile and other digital evidence sources makes it easier for investigators to track down connections between individuals, events and critical facts. Figure 1. Mobile Phone Penetration by Region (Ericsson, June 2013) Digital ForensicS / MAGAZINE

3 devices. However, Cellebrite s UFED platform supports more than 11,000 device profiles, including all major smartphone platforms. The combined mobile data collection is a multi-stage process that involves: Connecting the phone to an extraction device to access its internal storage Using Cellebrite s physical extraction method to obtain existing and deleted data, along with metadata Exporting the device data using the UFED Physical Analyzer Ingesting the retrieved data into Nuix with Nuix s full rigour and speed Analysing the mobile device data alongside all the other electronic data involved in the investigation. A COMPREHENSIVE VIEW OF MOBILE AND OTHER DIGITAL EVIDENCE SOURCES MAKES IT EASIER FOR INVESTIGATORS TO TRACK DOWN CONNECTIONS BETWEEN INDIVIDUALS, EVENTS AND CRITICAL FACTS. / Collect the Data with UFED, Process the Data with Nuix Any investigation is about gathering information and building up a picture of suspects, events and facts. Combining the mobile forensic strengths of Cellebrite s UFED and Nuix s indexing, search and analysis provides a fast way to put pieces of the puzzle together. What s more, examining all relevant sources at once can throw up alternative leads for the investigator and will help to identify key facts within an investigation. It s easy for investigators to become overwhelmed when it comes to navigating the many different data formats, file systems and data types associated with mobile Nuix Investigator software tools can rapidly ingest and process terabytes of evidence per day and make it available for timely analysis. Nuix s advanced electronic investigation technology is engineered to search and correlate across vast amounts of data quickly and efficiently. It can extract content and metadata from s, SMS and MMS text messages, images, call logs, contacts, apps content, browser caches and other vital structured and unstructured evidential data within mobile devices. Extracting mobile device data using Cellebrite s UFED technology is the first step in contextualising complex investigations. It lends additional details about who and what is involved in a case, along with the location of potential suspects. In turn, Nuix will integrate this mobile data with all the other diverse data it can ingest, enabling more efficient investigations by helping investigators see the larger connections quickly. / Content-Based Forensic Triage In a case where time is of the essence, such as a kidnapping case, fast analysis of the available evidence is critical. Even for less urgent investigations, organisations need a way to wade through massive volumes of data, or they will face growing case backlogs. In this, traditional forensic tools and methodologies do not assist investigators; they need to run each device through a laborious process and timeconsuming, in-depth forensic analysis. 65 DFM18_064-67_Cellbrite.indd 65

4 / FROM THE LAB Cross-referencing this intelligence across all available evidence can rapidly reveal relationships between people and entities, deliver points to prove and also offer broader intelligence. It brings to light connections that human investigators might miss. Finally, the process allows investigators to examine only the most relevant data sources. In most cases, this process will already have located the critical facts of the case. If not, it will almost certainly have provided clues as to where such information is hidden. Investigators can then use their digital forensics skills to dig deeper into the likeliest evidence sources. In this way, they avoid wasting countless hours forensically analysing irrelevant material. / Adjust Data Extraction For Purpose Cellebrite s UFED Nuix This is why in recent years law enforcement and corporate investigators have taken a content-based forensic triage approach to investigations. This approach involves collecting all available data in a single storage location, then using a combination of data management, analytical and forensic techniques to focus on the most critical evidence sources until the key facts emerge. The content-based forensic triage process is simple and logical. It begins with ingesting all data sources into a single repository, followed by a light metadata scan to tabulate information such as the 66 DFM18_064-67_Cellbrite.indd 66 sender, size, format and subject line of an . Then, using techniques such as network diagrams and timelines, investigators can see connections and relationships between people and evidence. Having identified the most likely evidence sources, investigators can then extract full text and metadata and with the use of advanced investigative tools, can then automatically extract and highlight intelligence items; including names, addresses, IP addresses, credit card numbers, bank account numbers and amounts of money. Cellebrite and Nuix provide multiple options for levels of data extraction that assist in the process of pinpointing the relevant data sources. With Cellebrite, a logical extraction delivers general data, rather than an in-depth breakdown, in a much quicker time. A physical extraction provides a detailed history of data from a suspect s phone but takes more time to extract and analyse. The physical extraction option is best suited to highly critical investigations where large volumes of evidence need to be collated and triple-checked. However, this in-depth scan may only be required for a small number of devices that investigators identify as potentially containing the key facts of the case. Similarly, Nuix can conduct a light metadata scan on all devices, then a full text scan on the more likely evidence sources. Where required, Nuix can conduct in-depth forensic analysis of only the most important evidence sources. / Sharing The Workload Cases often hinge on a particular type of evidence, such as documents, s or text messages and the connections between them across multiple sources. In addition, people who have particular expertise must review certain evidence types. However, it is common for a single digital forensic investigator to handle all devices involved in an investigation. This solo digital forensic investigator will typically examine Digital ForensicS / MAGAZINE

5 each storage device in turn, extracting the information he or she thinks is relevant then preparing a report for the investigative team. Using the methodologies discussed, investigative organisations can adopt a more collaborate workflow that brings the experts and the evidence together. Once the investigative team has chosen the evidence sources most likely to be relevant, they can then process these devices following a set of previously agreed standards and settings. Investigative organisations can build a series of best practices or case-specific workflows, which automate many of the time-consuming and error-prone tasks that are performed on each case. These include date range filtering, keyword searching and tagging, identification and optical character recognition (OCR) for non-text documents. The workflow can also include actions to filter out irrelevant information such as duplicate items or system files. This approach significantly reduces operator-level decisions and inconsistencies, around which files are processed and how they are processed. The next phase of this investigative workflow involves dividing the processed evidence into review sets. At its most basic, it can be a way of sharing the work between multiple investigators to complete the task faster. They may choose to divide up the evidence by date ranges, custodians, location, language or content, but there are many other options. In a fraud case, for example, investigators could pass on financial records to forensic accountants and Internet activity to technical specialists. In an inappropriate images investigation, detectives could package potentially relevant pictures and videos for specialist child protection teams, while leaving other file types for their digital forensic investigators. In multi-jurisdictional investigations, teams can produce evidence or intelligence packages for third parties to review, comment on and return. / Case Study 1 Mobile forensics delivers key evidence on bombing suspect for Judicial Police of Cali Cali is the third largest city in Colombia, with a population of 2.5 million. The city is one of the most dangerous urban centres in Colombia; from January to December 2011 there were 1,870 recorded homicides. SIJIN (Judicial Police of Cali), deals with a huge volume of cases including murder, celebrity extortion, theft, drug trafficking, arms smuggling and terrorism, including a bomb explosion outside Cali police headquarters in Cellebrite s UFED platform is a major weapon in SIJIN s fight against crime. While investigating the 2008 Cali police headquarters bombing, SIJIN had difficulty proving the direct involvement of a suspect. Using Cellebrite s UFED, police reconstructed messages, information and keyboard commands and already deleted data from his mobile phone. They were able to prove the suspect used this device to communicate with other conspirators and also to remotely detonate the explosives, leading to a successful conviction. / Case Study 2 Serious Fraud Office processes 20 times more data using collaborative workflows and Nuix software. Combining Nuix tools with a collaborative investigation model and lab workflow, the United Kingdom Serious Fraud Office increased the volume of data it could process each year 20-fold and made it possible to deliver timely responses to information requests from courts. From 2009 to 2010, the SFO standardised and streamlined its digital investigative processes. The SFO reduced its focus on in-depth forensics; created and automated investigative workflows; and developed a more collaborative approach to investigations. This change in approach helped to transform the SFO s capabilities. While traditional computer forensics techniques dig deep into a handful of computers, [the SFO can now] quickly distil the huge volumes of data captured in our search operations and to focus on material likely to have greatest evidential yield, wrote the SFO s Chief Executive in its Annual Report and Accounts. [1] We can now handle up to 100GB of new information each day, a 2,000% increase year on year. It is also allowing us to respond quickly to court requirements; in one case we were able to identify and produce over 47,000 s overnight to satisfy a judge s order. Such speed of response would have been impossible before. / Use cases for investigators Law enforcement. Build up a picture of a suspect s communication network, compare data across the mobile devices of other suspects involved, find new leads and strengthen existing ones. E-discovery consultants. Be prepared as e-discovery rules encompass data on mobile devices by being able to collect and produce mobile data for litigation. Corporate Investigator: Proactively audit employees mobile devices as part of a regular audit process, or for ad-hoc situations when an employee is laid off. Regular audits allow you to establish baseline usage and behaviour patterns so you can quickly spot anomalies that could hint to instances of white-collar crime. / Conclusion In the world of immunology, scientists must regularly create new vaccines as viruses mutate and present new threats. In the same way, investigative methods must evolve as circumstances change, or risk becoming a dead end. As our methods of communication mature and proliferate, investigators have to think outside the box to stay ahead of criminals and wrongdoers. Likewise, the global digital forensics industry must remain one step ahead of the methods and technologies unlawful operations use to communicate, so they can arm investigators with the latest software to reveal what criminals are trying to hide. / REFERENCES 1. resource-accounts pdf 67 DFM18_064-67_Cellbrite.indd 67