Following up on last month’s article about “Three FAQs About Digital Forensics as a Service”, we thought it useful to spend some time debunking some myths about digital forensics from both a general practitioner and service provider perspective.
Every industry comes with “urban legends” or popularized myths that surround the practice. Many of these rarely represent reality and some are outright false. The more intriguing or interesting the field, the more pervasive these falsehoods can be. Digital Forensics is no different than any other industry in this respect. The reality is that TV and movies have sensationalized what we do to the point where there are several misconceptions about the practice of digital forensics, which run the gamut of the various sub-sets of the practice and affect those in law enforcement, private sector litigation support, incident response and government contractors. While Hollywood has tried to make the profession “sexy”, there are some realities to this field, including the long hours spent staring at a computer monitor, developing a script or researching an application. While not overly exciting, those are activities in which any practitioner worth their salt needs to engage on a regular basis… But it doesn’t make for good TV.
In order to dispel some common myths about our field, three of these misconceptions are discussed in this article. This selection of industry myths was gathered through discussing and working cases with people outside the industry over the author's combined 12 years of law enforcement and private-sector digital forensics practice.
Myth #1: Nothing Is Ever Truly Deleted
I wish this were true. However, the reality is that it is not. Not only are there anti-forensics methods readily available to users on the market (e.g., Hillary Clinton and “BleachBit”), but increasingly there are measures being put in place at the manufacturing level for both mobile devices and higher-end computer systems that make deletion of data a permanent state. To be more accurate, the security over the stored data is such that when an item is deleted, it is often not recoverable.
For example, on an iPhone, data is stored in the same basic way for most applications. However, if an item is deleted from the phone, depending on the type of item (e.g., picture or video vs. text message), the item is sent to free space in the phone’s memory, which is encrypted and not accessible through the forensic process. The image may not be gone, per se, but it is not accessible or viewable. On newer Mac computers and other devices equipped with solid-state memory (i.e., not a spinning hard drive), there is a process in place called “TRIM” which also helps clean up the free space of the memory and makes recovery of deleted items extremely difficult, if not impossible. In the era of heightened data security, these measures are becoming more commonplace. Deleted text messages that were once partially recoverable are now increasingly unavailable, even with the most state-of-the-art forensic tools.
There are almost always alternative storage locations, however. Local backups (computer-based), copies, or cloud-based data can all be potential areas where valuable evidence can exist, but the reality of the digital consumer marketplace is that if all we have is the device and nothing else, we may not get your deleted data.
Myth #2: If It’s Deleted, It’s Gone
I know this sounds totally contradictory to the previous comments and Myth #1, but just because it’s deleted doesn’t mean the evidence you need is gone. Indeed, this is and always has been at the heart of the forensic process. We utilize industry-standard methods to acquire, analyze, recover and report on the data. The emphasis with this myth is the recovery part. I tell potential clients and attorneys all the time that the data is *usually* stored in more than one place. The aforementioned cloud-based data storage is the most ubiquitous, but there can also be additional data stored in some surprising places. The more data we can get our hands on that is related to the matter at hand, the more success we will have in getting you some evidence that will help confirm or refute your assertions in the case. There are also methods of analysis that a trained, competent examiner will attempt to incorporate in many cases, including partial recovery of valuable data from places like file slack (leftover space at the end of a file’s last cluster, where a previous file may have existed) or the volume shadow copies that Windows creates automatically.
In most cases, the proverbial smoking gun is not a realistic possibility. We have certainly worked and seen cases where the smoking gun has come about, and it has always met with great success, but the reality of our practice is that we will likely find *something* to help you, but it may not be the one piece of evidence that will confirm or refute the matter at hand. Will it add value? Most likely. The real value comes from the examiner’s ability to articulate what they did, how they found what they found, and to explain these findings in non-technical terms that everyone can understand.
Tools don’t do the work. They present the data for the analyst to do the work, so make sure your analyst is knowledgeable and not afraid of doing the work.
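The two myths above describe the same mechanism from opposite sides: deleting a file only releases its clusters, so the bytes linger in slack and unallocated space until something overwrites or discards them. The toy disk-image simulation below is an added illustration, not code from the original article, and its 16-byte clusters, sample memo and `strings`-style carver are constructed for the demonstration; it shows a deleted note being carved back in full, then partially after a new file reuses its first cluster, and finally only the slack inside the still-allocated cluster surviving once TRIM discards the free clusters.

```python
import re

CLUSTER = 16  # constructed toy cluster size; real file systems use 4 KiB or larger


def new_image(n_clusters):
    """Blank image: every cluster zero-filled, nothing allocated yet."""
    return bytearray(CLUSTER * n_clusters), set()


def write_file(img, allocated, first, data):
    """Write data starting at cluster `first`. Only the clusters the file spans
    are marked allocated; the unused tail of the last one is file slack."""
    img[first * CLUSTER:first * CLUSTER + len(data)] = data
    allocated.update(range(first, first + -(-len(data) // CLUSTER)))


def delete_file(allocated, first, n_clusters):
    """Deletion only releases the clusters; the bytes stay on disk (Myth #2)."""
    allocated.difference_update(range(first, first + n_clusters))


def trim(img, allocated):
    """Simulated TRIM: the SSD discards every unallocated cluster (Myth #1).
    Encrypted free space on a phone ends the same way: ciphertext with no key.
    Slack inside a still-allocated cluster is not trimmed, so it can survive."""
    for c in range(len(img) // CLUSTER):
        if c not in allocated:
            img[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)


def carve_strings(img, min_len=6):
    """Minimal `strings`-style carver: printable ASCII runs anywhere in the
    image, which is how residue in slack and unallocated space is found."""
    return [m.group().decode() for m in re.finditer(rb"[ -~]{%d,}" % min_len, img)]


def demo():
    """Walk one file through delete, partial overwrite and TRIM."""
    img, alloc = new_image(8)
    note = b"MEMO: wire 4000 to account 1234 by Friday"  # constructed; 41 bytes = clusters 0-2
    write_file(img, alloc, 0, note)
    delete_file(alloc, 0, 3)
    after_delete = carve_strings(img)    # whole note still carvable
    write_file(img, alloc, 0, b"hello")  # new 5-byte file reuses cluster 0 only
    after_reuse = carve_strings(img)     # note tail lives on in slack and free clusters
    trim(img, alloc)
    after_trim = carve_strings(img)      # free clusters gone; only cluster-0 slack remains
    return after_delete, after_reuse, after_trim


if __name__ == "__main__":
    for label, found in zip(("deleted", "reused", "trimmed"), demo()):
        print(f"{label:8}: {found}")
```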
Myth #3: It’s Just A Phone… What’s The Big Deal?
This myth likely originates in our innate perception that bigger things should cost more. Bigger vehicles cost more than smaller vehicles. Bigger houses cost more than smaller ones, and so on. So why should acquiring and analyzing data from a device that fits in my pocket be more of a challenge than doing so from my laptop or desktop computer?
In recent years, the marketplace has demanded that phones be more complex, store more data and be much more secure than your computer. Apple comes out with a new iteration of iPhone every year, and they usually (and much more quietly) update their computer hardware and software as well, but the emphasis since the inception of the iPhone has been on the mobile device. So what’s so problematic about it?
As I tell attorneys and their clients frequently, many times we are acquiring the data that Apple allows us to have. To be clear, this is almost always more than what the user could do themselves and in a forensically sound manner appropriate for evidence presentation, but Apple can be quite restrictive for non-law enforcement to obtain data. We get the basics – messages, photos, videos, web history, and supported app data. Many times we can also analyze unsupported app data as well. But much of the deleted data is unavailable. In recent years, more advanced methods for acquiring iPhone data have come about, but they are only available on certain iterations of the iPhone hardware and software. But to be clear, we always try to get as much data as possible.
Android phones are increasingly problematic as well. Last year, we had a Samsung Galaxy S20 in for acquisition and analysis. I was amazed at how little data we obtained, despite multiple attempts at multiple different methods of acquisition. Fortunately, the mobile forensic tool developers are always coming out with newer ways to get more data for our use and analysis, but it’s a constant game of catch-up.
A final point about the volume of data that can be analyzed on phones: Apple currently offers up to 512 GB of storage on an iPhone. Some Android phones are pushing to 1 TB or more of storage. That may not seem like a lot when you’re using the phone, but it’s A LOT of data. And the more of that mountain of data we have to search, the longer it takes. These are not the Nokia flip phones we all had in the mid-2000s. They’re not even the Blackberry Pearl you had and thought was so cool. These are complex computer devices with as much storage capacity as many commonly used computer systems, with many enhanced security measures. They may be small, but they’re mighty!
Wrapping It Up
The myths discussed here are a small sample of the push-back we sometimes get when it comes to the length of time and the cost associated with acquisition, analysis and reporting about the data on these devices. For those in law enforcement, phones are seized daily and sometimes the means by which to simply acquire the data are challenging and time-consuming (if not impossible). We are not miracle workers, but we do try to get you data that you can use in your case to help confirm or refute your suspicions or claims. Just know, it’s not always easy, it’s not always quick and it’s unfortunately not always possible. Sometimes, we just don’t know until we get into analyzing the data!
Patrick J. Siewert
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!
We Find the Truth for a Living!
Computer Forensics — Mobile Forensics — Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history. Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping. He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc