Wednesday, August 24, 2011

Obtaining Information from Mobile Devices in Criminal Investigations

by David W. Bennett

Mobile device forensics is the process of recovering digital evidence from a mobile device under forensically sound conditions and utilizing acceptable methods. Forensically sound is a term used in the digital forensics community to justify the use of a particular technology or methodology. Many practitioners use the term to describe the capabilities of a piece of software or forensic analysis approach (McKemmish, 3). Mobile devices vary in design and manufacturer. They are continually evolving as existing technologies progress and new technologies are introduced. It is important for forensics investigators to develop an understanding of the working components of a mobile device and the appropriate tasks to perform when they deal with them on a forensic basis. Knowledge of the various types of mobile devices and the features they possess is an important aspect of gathering information for a case since usage logs and other important data can potentially be acquired using forensics toolkits.

Mobile device forensics has expanded significantly over the past few years. Older model mobile phones could store only a limited amount of data, which the forensics investigator could easily obtain. With the development of the smartphone, a significant amount of information can still be retrieved from the device by a forensics expert; however, the techniques to gather this information have become increasingly complicated...


Tuesday, August 23, 2011

An in-depth analysis of the cold boot attack: Can it be used for sound forensic memory acquisition?

by Richard Carbone

The purpose of this technical memorandum is to examine the technical characteristics behind the cold boot attack technique and to understand when and how this technique should be applied to the field of computer forensic investigations. Upon thorough examination of the technique, the authors highlight its advantages, drawbacks, applicability and appropriateness for use in the acquisition of computer memory contents. The original cold boot attack paper, as conducted by a team of students and researchers in 2008, demonstrated the usefulness of computer memory remanence and how this phenomenon could be used to defeat popular disk encryption tools and other data hiding techniques necessary for the safe storage of secret data and information. However, the technique is not a panacea and has many drawbacks dictated by the laws of physics, which cannot be overcome by the technique...


Monday, August 22, 2011

Google History Forensics

by Craig Ball

About the Author

Craig Ball is a Texas lawyer who limits his practice to service as a court-appointed special master and consultant in computer forensics and electronic discovery.

In my last Forensic Focus column, I touched on migration to handhelds and the cloud, mushrooming drive capacities and encryption-by-default as just some of the factors auguring the eventual extinction of conventional digital forensics. But an end to old school digital forensics is no threat to examiners who evolve. There will be plenty to do for those adapting their skills and tools to new sources and forms of information. We will learn to read new tea leaves.

Happily, for every source of forensically-rich information that fades away, others emerge. For every MacBook configured to wipe deleted data, there’s an iPhone storing screenshots and typed text. When webmail shooed away some of our ability to locate messaging artifacts, social networking and geolocation wandered in with stories to tell.

Now and then, the emergent sources just seem too good to be true.

Case in point: Google History.

Certainly, forensic analysts routinely look at Google searches locally, parsing Internet activity to assess what the user searched and surfed: “Nude children.” “How to make chloroform.” “Wipe a hard drive.” It’s compelling evidence.

But, as users grow savvy about covering their tracks, we see more cache deletion and deployment of antiforensic “privacy” tools designed to deprive us of the low-lying fruit. It’s potentially “spoliation” on the civil side and “obstruction of justice” on the criminal side. On both sides, proving it helps justice be done.

Then again, data can disappear innocently, too. Oliver Wendell Holmes, Jr., observed that, “Even a dog distinguishes between being stumbled over and being kicked.” Discerning evil intent—mens rea in the law—is crucial to deciding whether and how much to punish actions that result in lost evidence. One way we demonstrate intent is by showing the planning that preceded an act. We reasonably infer intent to destroy evidence from web searches seeking ways to make evidence disappear.

But what do you do when the data destroyed is the evidence of intent in its destruction?