How to Solve Digital Forensics Challenges? Be Curious
A new Magnet Forensics white paper is coming soon, and while it focuses on the technical aspects of Android Marshmallow Forensics, running underneath those details is another theme: the only way to stay current on mobile device technology changes is to know how to get out in front of them.
Yet few, if any, forensic examiners would agree that they have time to be that proactive—much less the time they need to work cases and still get three square meals and a good night’s rest each day. In fact, a rising tide of digital evidence keeps many examiners working late, under-rested and overcaffeinated, and still worried about whether they found all the data they needed to make or break a case—while still more cases wait in the wings.
These are not concerns to take lightly; indeed, our customers often tell us that to deal with backlog, they sometimes have to prioritize which cases they dig deep on and which cases to build primarily on “low-hanging fruit.” On the other hand, our development experience tells us that personal digital technology is advancing so rapidly that sooner or later, focusing your energy on the easy evidence will lead you head-on into a brick wall.
As our new white paper will show, Marshmallow, Google’s next-to-latest operating system, is just different enough from other Android flavors that its full disk encryption, password storage mechanism, adoptable storage, and other features could make you think Android is going the way of Apple in terms of usefulness to investigations. However, we also show that making just a small investment of time to dig deeper, to learn to look at evidence in new ways or try new ways to obtain it, could be a lifesaver later on as you apply your learnings to build stronger cases. Sign up to get your copy of the Android Marshmallow Forensics white paper!
Know what you don’t know in Digital Forensics
Having certifications and using multiple tools doesn’t give you all the answers. If you don’t know how to explain how a piece of data got to be stored where it is, why it wasn’t where you expected it to be, why it presents one way and not another, or why it’s missing altogether, then you need to go beneath your tool’s interface.
Learn how various tools work to obtain data; for instance, the difference between pulling data over the Android Debug Bridge (ADB) and installing a forensic agent on the device. Knowing how and where to look for “missing” data, and how to explain why evidence you anticipated to be in one place ended up in another (or nowhere at all), helps you establish your credibility as a forensic examiner and potential expert witness.
Think globally, parse locally
Going hand in hand with understanding a device’s file system structure is understanding the market forces that led to its development. For example, when developers add features that respond to user requests for things like privacy and security, that impacts the forensic process.
Likewise, device programs you’ve never seen before, like Android One, Google’s reference design for low-end smartphones that delivers a near-stock Android experience, may unexpectedly show up at your lab—unless you understand the market trends that brought it there.
Why? Manufacturers are trying to keep up with consumer demands for more convenience, better privacy, and higher security. Today’s easily guessed passcodes may give way to tomorrow’s two-factor authentication, and a fully encrypted device can bring your investigation to a screeching halt.
Take Marshmallow. It is the first Android release to require full-disk encryption out of the box on new devices whose hardware can handle it (Lollipop introduced encryption-by-default but backed away from it over performance complaints), and where the device has a hardware-backed keystore the key derivation is tied to it, so the encrypted partition cannot simply be lifted off and attacked elsewhere. At first blush that could cause headaches. As it turns out, though, Marshmallow has simply rearranged a few things; to make it work for you, you have to know where to look.
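One concrete place to look is the metadata that full-disk encryption leaves on the userdata partition. The following is an added example, not code from the white paper or from Magnet Forensics: it parses the leading fields of the vold “crypto footer” (struct crypt_mnt_ftr in AOSP system/vold/cryptfs.h, as of Android 6.0) and reports what an examiner can learn before attempting any decryption: the cipher, whether the master key is wrapped with a real user credential or only the built-in default password, whether key derivation is bound to the device’s hardware keymaster, and how many failed unlock attempts the device has recorded. It assumes the footer sits in the last 16 KiB of the partition, which is the layout when the device’s fstab says `encryptable=footer`; devices that keep the footer in a separate metadata partition or file need the blob taken from there instead. The partition image below is constructed for the example, not captured from a device.

```python
"""Read Android full-disk-encryption metadata from a userdata image.

Added example, not from the original post. Field layout follows struct
crypt_mnt_ftr in AOSP system/vold/cryptfs.h (Android 6.0); the sample image
is constructed, not captured from a device.
"""
import struct

CRYPT_MNT_MAGIC = 0xD0B5B1C4
CRYPT_FOOTER_OFFSET = 0x4000          # footer occupies the last 16 KiB of userdata
EXT4_MAGIC_OFFSET = 0x400 + 0x38      # 0x438: ext4 superblock magic 0xEF53
EXT4_MAGIC = 0xEF53

CRYPT_TYPE = {0: "password", 1: "default (no user credential)", 2: "pattern", 3: "pin"}
KDF_TYPE = {1: "pbkdf2", 2: "scrypt", 5: "scrypt+keymaster"}

# Leading 192 bytes of crypt_mnt_ftr, little-endian. Every field falls on its
# natural alignment, so "<" (no padding) matches the on-disk layout.
#   magic, major, minor, ftr_size, flags, keysize, crypt_type, fs_size(sectors),
#   failed_decrypt_count, crypto_type_name[64], spare2, master_key[48], salt[16],
#   persist_data_offset[2], persist_data_size, kdf_type, N_factor, r_factor, p_factor
_FTR = struct.Struct("<IHHIIIIQI64sI48s16sQQIBBBB")


def parse_crypt_footer(blob: bytes) -> dict:
    """Decode the footer fields an examiner cares about; raise if the magic is absent."""
    if len(blob) < _FTR.size:
        raise ValueError("footer blob too short")
    f = _FTR.unpack_from(blob)
    if f[0] != CRYPT_MNT_MAGIC:
        raise ValueError("no crypt_mnt_ftr magic at expected offset")
    return {
        "version": f"{f[1]}.{f[2]}",
        "flags": f[4],
        "keysize": f[5],
        "crypt_type": CRYPT_TYPE.get(f[6], f"unknown({f[6]})"),
        "fs_size_bytes": f[7] * 512,
        "failed_decrypt_count": f[8],
        "cipher": f[9].split(b"\0", 1)[0].decode(),
        "wrapped_master_key": f[11][: f[5]].hex(),   # still encrypted; not usable as-is
        "salt": f[12].hex(),
        "kdf": KDF_TYPE.get(f[16], f"unknown({f[16]})"),
        "scrypt": (1 << f[17], 1 << f[18], 1 << f[19]),   # N, r, p from their log2 factors
    }


def assess_userdata_image(image: bytes) -> dict:
    """Classify an image as plain ext4, FDE with readable metadata, or neither."""
    if len(image) >= EXT4_MAGIC_OFFSET + 2 and \
            struct.unpack_from("<H", image, EXT4_MAGIC_OFFSET)[0] == EXT4_MAGIC:
        return {"state": "unencrypted-ext4"}
    try:
        meta = parse_crypt_footer(image[-CRYPT_FOOTER_OFFSET:])
    except ValueError:
        return {"state": "unknown (no ext4 superblock and no in-partition footer; "
                         "check for a separate footer partition or file)"}
    notes = []
    if meta["crypt_type"].startswith("default"):
        notes.append("master key is wrapped with the built-in default password, "
                     "so no user secret stands between you and the key material")
    else:
        notes.append("master key is wrapped with a user credential that must be "
                     "recovered or obtained before the volume can be decrypted")
    if meta["kdf"] == "scrypt+keymaster":
        notes.append("key derivation passes through the device's hardware keymaster; "
                     "the footer alone is not enough for offline decryption")
    if meta["failed_decrypt_count"]:
        notes.append(f"{meta['failed_decrypt_count']} failed decrypt attempt(s) recorded")
    return {"state": "fde", "meta": meta, "notes": notes}


def build_sample_image() -> bytes:
    """Constructed stand-in for a userdata partition: a deterministic
    ciphertext-looking body followed by the 16 KiB footer area."""
    body = bytes((i * 73 + 41) & 0xFF for i in range(0x8000))
    ftr = _FTR.pack(
        CRYPT_MNT_MAGIC,
        1, 3,                                   # footer version 1.3 (Marshmallow)
        _FTR.size,                              # ftr_size (constructed; real footers are longer)
        0,                                      # flags: encryption complete, key wrapped
        16,                                     # keysize: 128-bit AES
        1,                                      # crypt_type: CRYPT_TYPE_DEFAULT
        len(body) // 512,                       # fs_size in 512-byte sectors
        0,                                      # failed_decrypt_count
        b"aes-cbc-essiv:sha256".ljust(64, b"\0"),
        0,                                      # spare2
        bytes(48),                              # wrapped master key (zeros in this sample)
        bytes(range(16)),                       # salt (constructed)
        0, 0, 0,                                # persist_data_offset[2], persist_data_size
        5,                                      # kdf_type: KDF_SCRYPT_KEYMASTER
        15, 3, 1,                               # scrypt log2 factors: N=2^15, r=2^3, p=2^1
    )
    return body + ftr.ljust(CRYPT_FOOTER_OFFSET, b"\0")


if __name__ == "__main__":
    result = assess_userdata_image(build_sample_image())
    print(result["state"], result["meta"]["version"], result["meta"]["cipher"], result["meta"]["kdf"])
    for note in result["notes"]:
        print(" -", note)
```

Run against a real acquisition, the same check tells you immediately whether you are looking at a plain ext4 filesystem, an encrypted volume whose key is protected only by the default password (no user secret to recover, though a keymaster-bound KDF still ties decryption to the original hardware), or an encrypted volume guarded by a PIN, pattern or password; the footer version and failed-attempt counter are also worth recording in your notes before any further processing.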
Get out of your comfort zone
Command-line tools may seem intimidating, especially the more intuitive our software becomes. Learning how to use tools like the ADB shell, however, can be a crucial step in learning how to interact with a device’s storage structure—its file system. Take the time to purchase test devices and learn what they look like “under the hood,” how they are similar to other devices and how they are different. This way, if you ever need to work outside the acquisition path your forensic tools depend on to obtain data, you’ll know where and how to do it.
Our white paper also describes how other, non-forensic tools can help accomplish your forensic mission. For example, understanding the relationship between Android and Linux, how to work in a Linux environment, and what evidence to mount there can enhance your forensic investigation and help get the answers you need.
Moreover, most forensic examiners will eventually encounter “that one case” where they need to throw every tool they have at a particularly tricky device. Short of sending it back to the vendor, which is costly in both time and money, the more forensic tools and methods you know how to use, the better off you’ll be. In situations where you may need to (for instance) downgrade firmware to get access to a device, or read the data directly from the device’s flash memory chip, having the training and tools to get it done can be well worth the time and expense it took to get there.
The changes in smartphone technology can seem like a major headache, but a little bit of time spent now to experiment—to get to know how your tools work, what artifacts are available, and where they “live” on a device—can turn these challenges into opportunities to expand your knowledge base and become a better forensic examiner.