February 13, 2020
Why Today’s Digital Forensics Can Feel Like the Wild West (and What to Do About It)

A little more than a decade ago, digital forensics professionals had a much simpler task in front of them: examine the computer or computers of the suspect, look at the suspect’s incoming and outgoing emails, and ensure that each piece of relevant data is collected, identified and analyzed with the right tools in the right way.

When cell phones entered the scene around 2008, the digital forensic professional’s methodology was challenged. Hard drive forensics tools weren’t designed to work on mobile devices. And, this was only the beginning of the changes and challenges that were ahead for the unsuspecting digital forensics expert.

Today, ancient technologies such as faxing and email are being replaced with instant messaging and social media platforms such as Facebook, Twitter, SnapChat, TikTok, etc. Data moves at a rapid pace across many different types of mobile phones, tablets, cloud-based email and storage, game consoles, IoT devices and wearables. According to a recent report published by the World Economic Forum and Raconteur, the astonishing amount of data transmitted daily includes: 500 million tweets, 294 billion emails, four petabytes of data on Facebook and 65 billion messages sent via WhatsApp. By 2025, it is estimated that 463 exabytes of data will be created globally, each day [1, 2].

Because of this, digital forensics experts are struggling to employ the Daubert Standard, the standard used in all expert testimony within the United States, to ensure the testimony itself is based on a reliable methodology.

On newer social media platforms, data is being deleted, altered, moved, and housed in other countries or on cloud platforms where it is more difficult for forensic experts to defensibly acquire a pristine copy when they need it. The key to digital forensics is not about showing data; it’s about collecting and preserving it in a way that is defensible and admissible in court. So, the Daubert Standard suggests that preservation and collection of data must be conducted in a way where, if somebody with the same skill sets and tools followed the same procedure, they would get the same results. It’s designed to ensure that forensic experts maintain independence along with law-abiding methodologies.

Some forensic experts may fall into the trap of believing that since they’re being paid by one side, they have to find that “smoking gun,” or nugget of discovery that will help them prove their worth. The Daubert Standard, in essence, encourages independence. Professional forensics experts should be just as proud to find nothing as they are to find evidence—because they aren’t working for one side or the other, but instead unveiling, acquiring and preserving potentially relevant data that remains uncompromised.

New media. New cloud frontiers.

Generally, when data is stored on new media or in the cloud, it is not backed up in a way that’s conducive to an investigation. Vast data repositories with treasure troves of potentially relevant nuggets are housed outside of the digital forensic expert’s care, custody and control. Forensics experts will attempt to gain proper credentials to access these areas legally. This is not always easy on Facebook, Twitter, Office 365, Dropbox and many other well-known cloud environments. Forensics experts often find that by the time they are granted legal access, a great deal of potentially relevant data has already been purged and is unrecoverable or lost in the cloud.

These platforms all have different levels of log-ins and connections. As a professional forensic expert, you would not, for instance, lie about your identity to try to gain access to the suspect’s social media account. Nor would you hack into an account or bend the rules in any way that would fall outside the guiding principle of “what a reasonable person would do under similar circumstances.” When you’re classified as an expert witness, that is because a judge believes in your standards, qualifications, general practices and in your ability to provide defensible, independent evidence.

Because data is everywhere, it’s important not to focus on just one repository. Creative forensics experts unable to legally access the suspect’s social media accounts could instead put a timeline or story together based on cell phone records. If the suspect sent messages by phone, they were going to somebody—which means there are tower logs and many other legal and effective ways of generating leads.

The good, the bad and EDRM

Since electronic data is very different from paper information, because of the intangible nature, sheer volume, impermanence and ability to carry metadata, the Electronic Discovery Reference Model (EDRM) was developed. Basically, EDRM is the discovery reference model that outlines the process involved in a proper e-discovery engagement. The process includes: identification, preservation, collection, processing and review. So, from the first time an expert arrives on the scene, all the way through to production of data in court, there should be a full chain of custody that protects everything documented. Professionals who follow EDRM can honestly claim that their collected data was never out of their sight. Forensics experts who aren’t professionals might collect data onsite, put that data into their cars and drive it away. One would hope they would go directly to their lab, but if they are careless, or not following procedure, they might stop for lunch, pick up their kids from school, or run other errands that could compromise the data. When asked, these forensics experts could not guarantee that the data in their custody wasn’t altered. Compromised evidence needs to be thrown out, which would spoil their whole procedure. If a forensics expert ever tampers with or taints evidence—even if it’s accidental—his or her career could be ruined. That’s why it’s extremely important to follow proper procedure, standards and collection.
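The "never out of my sight" claim above rests on being able to prove the evidence is byte-for-byte what was acquired. As an added illustration (not code from the original post or from CBI), the script below hashes an evidence file at acquisition, appends a custody entry at every hand-off, and re-verifies at the lab; the evidence file, examiner names and the single altered byte are all constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path, chunk_size=1 << 20):
    """Hash in chunks so a multi-gigabyte image never has to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def record_custody(log, path, examiner, action):
    """Append one custody entry: who, what, when (UTC) and the hash observed at that moment."""
    entry = {
        "evidence": Path(path).name,
        "examiner": examiner,
        "action": action,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_file(path),
    }
    log.append(entry)
    return entry

def verify_custody(log, path):
    """Re-hash the evidence and compare against the hash taken at acquisition (log[0]).
    Returns (unchanged, current_hash, acquisition_hash)."""
    acquisition_hash = log[0]["sha256"]
    current = sha256_file(path)
    return hmac.compare_digest(current, acquisition_hash), current, acquisition_hash

def demo():
    """Walk a constructed evidence file through acquisition, hand-off and lab verification,
    then flip one byte to show the break in custody is detected. Returns (ok_before, ok_after, log)."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "sample_mailbox.pst"      # constructed sample, not real data
        evidence.write_bytes(b"constructed sample evidence\n" * 4096)
        log = []
        record_custody(log, evidence, "examiner A", "acquired onsite")
        record_custody(log, evidence, "examiner B", "received at lab")
        ok_before, _, _ = verify_custody(log, evidence)
        # Simulate an alteration while the drive was out of the examiner's sight.
        data = bytearray(evidence.read_bytes())
        data[0] ^= 0x01
        evidence.write_bytes(bytes(data))
        ok_after, _, _ = verify_custody(log, evidence)
        return ok_before, ok_after, log

if __name__ == "__main__":
    before, after, custody_log = demo()
    print("intact at lab:", before, "| intact after alteration:", after)
```

In practice the log is written alongside the image and signed or stored separately, so that the acquisition hash itself cannot be quietly rewritten.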

Best practices for a successful digital forensics engagement

At the start of a digital forensics assignment, digital forensics experts will first want to sit with their client and get a topology, or overview, of the facts. They will start by asking:

What is relevant?

What are the timelines?

What are the repositories?

Who are the targets?

Who are the custodians?

The target is the person/persons to potentially go after, and custodians are people who may have some evidence or relevant information.

Look at the narrowest area first. This is also known as “early case assessment.”

Often, within two days, professional forensics experts should be able to collect and process enough data to present a findings memo. This will show the experts if they are on the right track, or identify if the target is still accurate. In some lucky cases, the entire engagement can be concluded within this short period of time.

Consider working with an outside firm to ensure your digital forensics professionals are truly independent. Anything that might impede independence always has to be evaluated. Look for forensics experts that are not only credentialed, but also participating members of the forensics industry. When hiring an expert who has written industry rules or guidelines, you will be able to leverage professional guidance that is based on the most up-to-date regulations, standards and practices. Steer clear of anyone in forensics who acts like a cowboy. It is critical that your forensics experts follow the laws, rules, standards and guidelines to the letter.

It’s also important to hire an organization that has experience with the appropriate technology. There are a lot of people who can do forensic imaging of a Windows workstation, but they have no real experience with Linux, Unix, MacBook, iPhone or a cloud repository. Some forensics experts are very good on-premises, but they don’t know how to handle Dropbox. So, when hiring forensics professionals, you will want to ensure they can cover all of the potentially relevant repositories that exist across your vast cloud landscape.

References:

  1. https://www.weforum.org/agenda/2019/04/how-much-data-is-generated-each-day-cf4bddf29f/
  2. https://res.cloudinary.com/yumyoshojin/image/upload/v1/pdf/future-data-2019.pdf
About the Author
Jeff Goreski
VP | DFIR
Jeff is a seasoned risk assessment, risk mitigation, compliance and eDiscovery professional. His qualifications encompass many different areas in both the Anti-Money Laundering (AML) and Economic Crimes Investigation marketplaces. Jeff created the world’s first global email archiving software for Exchange, Domino, GroupWise, SunOne and First Class mail systems.

As a certified AML and financial crimes specialist and a certified e-Discovery specialist, Jeff has consulted, advised and served as an expert in the collection of technological data for global clients. Forensic gathering as well as in depth discovery of relevant data has been at the heart of his eDiscovery expertise.

Jeff was appointed to the ACEDS (Association of Certified eDiscovery Specialists) advisory board in late 2011.