There are many tentacles to the practice of digital forensics. As explored in a previous article, there can be two main tracks to the practice of digital forensics: Incident Response & Litigation Support. In the same vein, there are practitioners both in the public sector (law enforcement, government contractors, etc.) and the private sector. While the practice is essentially the same across both sectors, the types of cases practitioners are called upon to work and the complaints or inquiries they receive can be vastly different.
When I was a law enforcement examiner, my time was spent mainly investigating criminal incidents involving child sex abuse material (CSAM) and other crimes, such as fraud, cyber-stalking, etc. After transitioning to the private sector, I found the case inquiries and cases worked to be quite different. Sure, there’s a minority percentage of cases in the criminal realm, but many of our cases span family law, corporate law, intellectual property theft and other civil disputes. One of the most notable areas in which the shift has occurred has been in the types of inquiries we receive. The three questions explored and answered here are designed to provide those would-be clients with answers that they can readily access without the need to contact a forensic service provider and to help provide guidance for some in our industry as a whole. These questions are taken directly from inquiries we receive weekly.
FAQ #1: I think someone (estranged spouse, other person) is “hacking” me. Can you find out who it is?
This is probably the most frequent question we receive and it eats up a ton of time. Indeed, there are many reasons why someone might feel they’ve been “hacked”, but at a 30,000-foot level, it’s not likely. Why isn’t it likely? Well, the first question anyone needs to ask themselves is WHY would someone hack your devices on purpose? Jeff Bezos’ iPhone was hacked. He’s also the CEO of a multi-billion dollar corporation and he was targeted with a very specific electronic exploit by a quasi-trusted source in a coordinated event and the means to hack his device were engineered specifically for that purpose. Let’s be clear: No one is likely doing that to YOU. The time, effort, resources and level of technical sophistication needed to hack an individual’s devices at that level are so advanced and multi-faceted that no one with a standard or mid-range knowledge of computers or cell phones would be able to do that to you.
And just because they “work in I.T.” doesn’t mean they have any advanced coding knowledge to be able to hack your devices.
Most of these allegations surround mobile devices, but to be more specific, an iPhone is quite difficult to “hack”, at least to the level where one would be reading your text messages or tracking your location or listening to your calls. Everything on the phone needs to run in an application and there are no applications on the Apple App Store which allow this type of activity. This is why iPhones are generally considered more secure than Android devices – because you *have* to run everything as an app and the only place to get an app is the App Store and Apple has tight controls over what they allow on the App Store.
What is likely the case in roughly 99.9% of instances is that access was granted by the iCloud account holder (i.e., iPhone owner) to the alleged hacker at some point prior to the “hacking” and they are using utilities like Find my iPhone and iMessage syncing to track these locations and activities. Also not unlikely is that a formerly-trusted source knows your standard passwords and accessed your account using one of those, and may even have 2-factor authentication access from an older device. Change your iCloud login and password and make the password strong and unique. Also, disconnect older devices from your iCloud. Finally, don’t use public wi-fi.
Android devices, while theoretically easier to “hack” than iPhones, still require some access for 99.9% of users to be able to track location, read messages, etc. Apple, Samsung, LG, etc. don’t make money and keep customers by making their devices easy to exploit through any sort of hacking activity. If that were the case, we’d all be walking around with hacked smart phones. The security on these devices, particularly the newer models, is strong enough to ensure that the vast majority of people who have not been granted access to the data cannot access it… And with each new generation of device, the security gets stronger.
The reality is that we are all bleeding our location, purchase history, check-in activity, life events and much more on our mobile devices every day without even realizing it. Google has more data on you than the NSA and they exploit it to make money. Does hacking of an iPhone or Android phone happen? Yes. But it is very, very unlikely for 99.9% of users.
As a final note, I tell all potential clients who call with this complaint that hacking in many forms is a crime. If you have evidence you’ve been hacked, report that to the authorities and initiate a criminal investigation. They work for you and you pay them with your tax dollars. They also have the power to issue things like subpoenas and search warrants, which private practitioners do not. In short, they can help you much more than we can.
FAQ #2: Someone is sending me harassing text messages anonymously. Can you identify who it is?
The short answer to this is, probably not. If the only evidence we are afforded is the text messages from the phone of the person receiving them, there isn’t much evidence for us to investigate from the device itself. The existence of the text messages is not in dispute; the origin is what is sought. Most of these numbers are issued through a third party and purposely anonymous at a practical level, so our ability to track down the number to a specific person is very limited.
In order to track the number to a person, litigation needs to be in place or a criminal investigation needs to be undertaken. This will provide the power of subpoena or search warrant to help track down and follow the bread-crumb trail to who may be responsible. Even still, this can require multiple levels of subpoena, which can take time and often be a dead-end in the investigation.
Harassing text messages and/or calls are annoying. They may even be illegal, depending on where you live. But it’s much easier and less expensive to change your phone number and let trusted friends & family know you’ve changed your number than it is to try to dig down into the rabbit-hole that is a chain of subpoenas to try and track down who is responsible. As a wise man once said to me, “the juice isn’t worth the squeeze”.
FAQ #3: I suspect my spouse or significant other is cheating. Can you analyze their phone to let me know if this is true or not?
We get this question a lot. And it’s usually followed up with a statement by the would-be client that “the account is in my name”. The problem is, the data isn’t in your name, and the data is what you’re asking us to analyze. The issue of marital ownership of property can get a bit murky, particularly when one feels their trust is being violated.
I know a lot about the law, but I am not a lawyer. Generally, we refer people who ask for this service to consult an attorney and the natural rebuttal is “I want proof that something is going on before I get an attorney”. At that point, we gracefully exit. Why? Because past instances have taught us that getting involved in domestic issues where there is no litigation is messy and fraught with complications. In short, we’re not going to be the reason you get a divorce.
Aside from that, there are technical issues which can arise in this. The first is access to the data. For all modern cell phones, we need the pass code in order to obtain the data. Period. There are no notable exceptions to this for private sector practitioners. Oh, you have the pass code? Great. We still won’t do it. Modern mobile forensic tools also extract authentication keys for social media and other cloud accounts, which is a very powerful tool, particularly if used in the wrong hands. By accessing the data on the phone and/or the data on the cloud without proper authorization, we are breaking the law. There is no client or any amount of money that would convince us that our professional integrity and reputation are worth one case. Finally, if we engaged in this practice and the case did go to litigation, we’d have to testify about how we accessed the data and by what authority. That would be a tough question to answer.
Are there digital forensic practitioners who will do this? Absolutely. Please contact them and let me know how their testimony goes.
Wrapping It Up
The FAQs discussed here are just a sampling of some of those we receive quite regularly. And while the answers may have a bit of pointed clarification in them, they also touch on a wider theme of ethical practices in private sector digital forensics. When you are researching a digital forensic service provider, please ask yourself 1) is what you’re asking them to do within the bounds of the law and/or ethical practices and 2) if they agreed to do it for you, what does that say about their ethical standards? The training, tools and ability to do what we do are all extraordinarily powerful and if used by the wrong type of practitioner, could lead to drastic consequences. Violations of what could be termed “standards of practice” will affect the industry as a whole. Let’s all work together to ensure that doesn’t happen.
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Linked In: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc