All posts tagged Mobile Phone Forensics

The Life Of A Computer Forensics Consultant

To those who don’t work in the industry, computer forensics has an aura of mystery. Portrayals on film depict a secretive world inhabited by maverick hackers and all powerful government organisations, both of whom have the capability to quickly and easily access and obtain data from any computer in the world.

Of course, whilst computer forensics is a very exciting field, we thought we’d give insight into what it’s really like to be a computer forensics consultant by getting one our experts to write about.

Aaron Watson, one of our computer forensics consultants, kindly agreed. Read his account of life in the world of computer forensics below:

Can you tell us about your job in a nutshell?

As a CF consultant my role involves the collection and investigation of electronic data. Both have their challenges and can be as complex and rewarding as each other. Having been at Kroll Ontrack for 4 years I have travelled to many countries, worked on hundreds of projects and collected many thousands of gigabytes of data. The role often involves responding to complex time critical situations, coming up with effective solutions to get the required results, be it collecting data in a very small time frame with a number of technical complexities or investigating unauthorised access to electronic data.

So what does a typical day as a Computer Forensic consultant look like?

I don’t think there is one to be honest! No day is ever the same and every day includes a challenge or three. At any one point in time I can be involved in a number of investigations across a number of countries working with various clients. Investigations can develop and change at a rapid pace, each having their own challenges and complexities, who knows where in the world I could be tomorrow! Mondays for the most part have some regularity in that we aim to have a team meeting to discuss on-going projects, availability and any issues. This gives us a chance to go over current projects and their requirements, but this thankfully is where the regulatory ends and the fun begins.

What does a computer forensic investigation involve?

Within the computer forensic team we often have clients coming to us with a situation which requires our investigation capabilities; some simple, some complex and on occasion, some very bizarre! The first port of call for a client is our sales team who then come to us with the general background information and requirement. An example of one of the more bizarre requests was received by my colleague, Joanna Ward. A dog owner whose third dog had died wanted to prove that the dog was ill before he purchased the dog and requested that we help to prove that the post mortem report had been electronically tampered with as it did not read in his favour. Unfortunately for him, we did not take the case due to the fact that he only had a copy of a copy of the document.

Most CF investigations conducted by Kroll Ontrack relate to employee investigations; be it intellectual property theft, access to inappropriate material or outright fraud. In most cases the investigation will lead to employee dismissal or prosecution but on the rare occasion we may act in the defence of the employee.

Forensic data collections and dawn raids

This is an area of the role I particularly enjoy and fortunately for me is the role which takes up most of my time. Clients often have a disclosure order whereby they have to disclose any and all electronic data relating to a matter. This data is often across a number of systems and depending on what country you are collecting the data from can come with local privacy regulations which can cause a number of difficulties. A data collection can start out in one of two ways, in an organised manner with time for scoping and planning or we find find ourselves in a last minute “we needed you in Romania yesterday” type of project. Let’s go with the first, a client calls our sales team requiring a data collection with a disclosure deadline three months away.

The first step for us is to have a scoping call with the client which often includes a CF consultant, a lawyer from the law firm which approached us, possibly the end client and if we are really lucky someone from the end client’s IT department. The call allows us to get an understanding of the requirement, including the number of custodians (people who have access to the data), the type of devices they have and systems they have access to. We also look to discuss logistics including the site location/s, dates/times and availability of custodians. All of this information will make for a much more efficient data collection which means less time required onsite and as a result less cost to the client.

Ultimately we do have a lot of last minute “client panicking” type of data collections. We often have to take a quick assessment of the situation and have an educated guess as to what kit we need to take and how much data storage media we may require. We then get onsite and scope the job on the ground working closely with IT which if know their IT systems well will make for a much more efficient collection. In some cases we have had no IT support available at all (in one case they had all walked out) which meant we had to scope the complete IT infrastructure in order to determine all data storage sources in order to fulfil the requirements of the disclosure requirment. All of this makes for great technical challenges which for me are a great part of the job.

 Perks and pains of the job

Thankfully there are a far more perks than pains. The biggest perk for me is the variety of work and the lack of similar days. Closely in second place is the sheer number of interesting people we meet and places we get to visit, even if only to work in an office or a data centre for the most part. As a fan of travelling, I am generally a very willing volunteer and if it’s a particularly interesting case you’ve got me! As far as pains go I think pain would be a strong word but at times we can be dealing with quite repetitive processes which can involve playing the waiting game… This isn’t Spooks; we can’t image a hard disk drive or clone a phone in a matter of seconds!

Aaron’s FAQs

What exactly is it that you do?

Hopefully I have covered that bit.

If I delete my files can you recover them?

Well, that would depend on how you have deleted them and how long ago. For the most part, yes we can recover all, if not fragments of deleted files. As a general rule, if the files haven’t been overwritten there is a good chance they can be recovered.

Have you had to go to court?

As yet I haven’t but some might say if your findings and report are sufficient they shouldn’t need defending in court…

When travelling for work do you have any free time to explore?

For the most part no but sometimes yes. Ultimately it depends on a number of factors including the volume of work, the client and surprisingly the location. For example, the Spanish love to finish earlier in the day than us Brits. When I have some free time it’s usually in the evenings. I like to make the most of this free time and explore the local city/area with my camera in hand. On one occasion I was fortunate enough to have a free weekend when in the Ukraine. I think I made the most of this as I visited Chernobyl which I would recommend to anyone!

How did you get into the field of computer forensics?

From a young age I have had a passionate interest in computing and have always been inquisitive, some might say nosey. After finishing my A Levels I wasn’t particularly keen on University but found a Digital Forensics course which sounded like something I wanted to get into. This led me to Teesside University where I studied Digital Forensics which luckily for me got me internship with Revenue and Customs for 12 months as a Computer Forensic Technician. This was an absolutely fantastic kick-start to my career and from there I went on to work for Kroll Ontrack and here I am!

Do you like your job? Would you recommend it as a career?

I absolutely love the job but you have to have a certain mind-set and put in the hours when required to be successful. The challenges and interesting cases certainly outweigh the sometimes long hours and rare frustrations.

About Aaron Watson

Aaron Watson joined Kroll Ontrack in April 2011 and currently serves as a Computer Forensic Consultant in the London office. Aaron is involved as part of a team or as a lead consultant in forensic data collections both large and small in the UK and abroad in relation to discovery exercises and corporate and private investigations. Aaron has worked are large scale disclosure exercises and corporate investigations often for high profile clients or large corporations. These have ranged from investigations into Intellectual Property Theft, Computer Misuse, Fraud, Deception and corruption.

Forensic Mythbusting: Luke ‘CF Guru’ Aaron explores some truths and myths about Digital Forensics.

Forensic Mythbusting

I get asked a small number of questions a lot of times, so I thought it useful to explore some of those questions in an expose of the main capabilities and myths of the forensics industry, as well as a few helpful hints.

  1. Can you recover deleted data?

The answer is “yes, usually”. When data is deleted it remains on the drive, but is no longer traceable by the file registry. A good analogy is to think of a lazy librarian, who upon being instructed to remove an unwanted book, instead simply removes the index card but leaves the book on the shelf, the book is still there but no one has any way of knowing where to look. At some point in the future a new book is required to fill “the space” where the old book resides, the librarian now simply pushes the old book to the back of the shelf, now it is slightly harder to find (as it has a new book in front of it) but it is still lurking there on the shelf, if you know where to look.

Of course computers, like shelves, do not have an infinite amount of storage and eventually new data will overwrite old data. So the amount of usage since deletion and how much free space is available on the hard drive are key factors when advising on the likelihood of data being overwritten.

  1. Is it possible to forensically wipe a drive so nothing can be recovered?

Unfortunately yes, it is possible to forensically wipe a drive so that no data is recoverable. When used correctly, there are products available that will completely fill a Hard Drive with a random pattern of “0’s” and “1’s” thus stifling any efforts to recover data. Some wiping tools will even try to self-delete and hide the fact they have been run. By looking at a timeline of the usage on the device since the date of the deletion, we may be able to draw some conclusions as to the type of tool used and the date of deletion. However this shows why it is key to have robust polices on what can be downloaded to a device and how data is backed up and stored.

  1. Can you extract data from a mobile phone?

Whether we can recover data off a mobile phone depends almost solely on the make and model. The forensic industry is constantly playing catch up with new operating systems and proprietary file storage systems on mobile devices. We use a range of tools and techniques to increase the likelihood of extracting the relevant data, however a good initial guide of whether your handset is supported for extraction is freely available at .

  1. Can you crack passwords?

The ability to crack a password depends almost entirely on the password. We can use “Rainbow Tables”, “Dictionary Attacks” and forensic tools to attempt to overcome passwords. However a sufficiently strong password is exceedingly difficult to crack in a reasonable time frame. In the password world, length is key. There are only 10 numerical values and approx. 20 symbols on a keyboard, so adding one to the end of a basic password does little. If a phrase that combines words such as “THEMERRYWIVESOFWINDSOR” or a series of unconnected words “HORSESTAPLEBATTERYGOAL” has been used, it may take hundreds of years of “brute force” processing to crack.

  1. Can you crack encryption and is Truecrypt still safe to use?

The short answer is no. The major encryption algorithms in use today are not possible to crack of themselves. However, most successful attacks are against the security protocol surrounding the encryption (how you exchange or store the encryption key for example).

Having undertaken research on the so-called “demise” of Truecrypt, in our opinion there is no basis to believe that it is suddenly unsafe to use for the transport of data. Scare stories and hearsay aside, there is no reason to suspect that a product used safely and securely for many years since the previous update would become redundant and unsecure overnight. The developers, whose identity remains a mystery, clearly have their reasons for not wishing to continue with the development of Truecrypt and not wishing to pass the baton to a company or the wider internet, but that does not diminish from their previous good work which makes Truecrypt still the most viable encryption solution for the transport of data.

  1. Can you forensically image a hard drive in 5 minutes, using a mobile phone, you know, like Jack Bauer does?

“No, no, no” My message to Jack Bauer, Chloe O’Brien, the rest of the staff at CTU (all 24), Gil Grissom (CSI) and Sir Harry Pearce KBE (Spooks) is to stop making us real forensic folk look bad.

Forensic Imaging and investigation takes time. A forensic image creates an exact replica of the drive, so the fact the drive only has 50GBs of active data is irrelevant, the image captures all the unallocated spaces of the drive as this is where “our lazy librarian” (see point 1) has hidden the deleted data. The amount of time taken to create a forensic image depends on the size of the Hard Drive and the speed of the connection. For reference purposes we would expect to image at a rate of approximately 80GB per hour, so a 1TB Hard Drive could take up to 13 hours to forensically image. Investigations are conducted in accordance with ACPO guidelines and adhere to a strict chain of custody with contemporaneous notes protocol; this ensures that any evidence uncovered can be used in court.

  1. Can you tell me who sent a specific email?

If the email came from an anonymised webmail account (Gmail, Hotmail etc), then almost certainly not. The IP address will merely refer back to the host server (e.g. Google or Microsoft), and the hosts will almost never give up account holder details without a court order. If the email is a corporate email, then it may be possible to trace the source IP address, but it’s pretty rare that this is the position.

  1. Can you tell me when a specific email was sent or received?

Generally a received email will contain some metadata from which we can determine provenance. The email has left the sender’s email server, bounced around the internet and landed in your email server, this path leaves data inside the email that may be analysed. A sent email goes straight from your outbox to your sent items folder, it doesn’t touch any servers and therefore there are no external times/dates that attach to it. So in the absence of a read receipt you will not be able to provide evidence that the email was sent, received or read.

  1. Can you tell me who I should call and when?

Yes, absolutely. You should call us straight away. All of our pre-consultancy services are free of charge, so we will be able to tell you what can be done and how we can help, quickly and at no cost. Simply call 0207 549 9600 and ask to speak with a member of the forensics team.

Only write the novel when you can solve the crime

A forensic mystery at Churchill War Rooms

When I first started as a Trainee Computer Forensic Analyst the sage advice I received from my manager was (as best as I can remember) “There are two types of people in this business: those that sit around figuring out how to commit a crime and the others that actually do it”.

When Tracey Stretton first suggested that my ‘creative’ imagination ought to be used for a “CF Murder Mystery” event I reeled.  Where do you start? How can I make it believable? What details are necessary for a mystery story?

By far the quote I found most helpful was from Andrew Hixson, of the James Bond short stories.

“I only write the novel when I can solve the crime”.

After the initial shock had worn off I quickly realised that I had been given a free ticket.  Without any billable time pressures I could finally, once and for all, take the time to work out from start to finish all aspects of a full ‘crime’.

The core of the plot came about in our first brainstorming session.  The event was to be limited both in time and, as alcohol was likely to be involved, complexity.  We needed a goldilocks computer security incident which was ‘just right’.

The simplest story is often the most believable, so it’s no surprise that we went with good old fashioned larceny.  After all, barring the consequences, we all can think of a way to steal data.

Between myself, Julian Sheppard and Tony Dearsley we collectively had enough stories about thieves and experience with thefts to provide a whole mini-series, not just one evening.

One of the more entertaining ideas we came up with was the discovery of a USB key found in the Channel Tunnel, equally laid on a rail across the Anglo-Franco border (The Discovery).  Unfortunately Sky Atlantic beat us to it and unveiled The Tunnel.  I still maintain that they took my idea and filmed an entire series in two weeks, just to throw me off!

Writing up the suspects and their backstory caused the most concern.  Each time I mentioned the name of an obscure fictional British or American spy there would be worried looks between colleagues.  “Is he day dreaming again?”, “What has this got to do with The War Rooms?”, “Why aren’t you on billable work?” was often asked.

Working out the details was easy once we had realistic characters.  Ultimately, for each of our suspects we laid out their motives and opportunities so as to leave a trail of clues to be picked out by our guests.  The plot becomes something far more interesting when we cheat and use the imagination of others to fill in the gaps.

In the words of Tolkien “Good stories deserve embellishment”, so it was decided that in order to describe a unique story we would need a unique visual guide.  This was Dial D for Data Theft, not Death by Powerpoint!

With judicious use of motion sickness inducing Prezi we were able to develop an interesting, if quirky, set of ‘slides’.

And then suddenly it was time for us to set out to the Cabinet War Rooms!

What a night it was! A perfect combination of story, location and audience.  Indeed the audience participation was, as I expected, the most inventive part of the presentation.

When asked why they thought a particular culprit was guilty, some of the answers were not exactly scientific:

Shifty Eyes”
“He owns a Porsche.”
“She reminds me of my ex-wife”

However, my favourite quote of the night goes to the guest who wrote on his guessing card:

“It was Felix [because] his shirt is far too tight and he’s a liar!  There’s no way he’s 6’10”! 5’11” at MOST“.

Then, with a bottle of something nice to the winning entry from our audience (none of the above were winners, sadly) we wrapped up the evening with an exciting dénouement and final farewell.

Mobile Forensics – What should companies be doing?

Mobile Forensics

Mobile Forensics

Anyone who’s tempted by the ‘There’s an app for that’ message from Apple eventually succumbs to the lure of an iPad® or iPhone®, believing (usually correctly) that their home and work lives will be transformed forever.  But as the newer versions of Apple’s ubiquitous devices continue to take the personal and business worlds by storm, it becomes increasingly important to understand the unique way in which they retain and share information.  Companies need to be aware of the security risks they present and to keep in mind the evidence trails they create.  According to the Kroll Fraud Report information theft is one of the most widespread categories of fraud currently facing companies and it’s not just customer data being stolen but also internal strategic company data and internal financial plans or data.

What information can you get off these devices?

Most mobile devices use technology similar to that used on a personal computer. As a result, nearly any kind of file or program that can be saved and run on a computer can also be saved and run on a mobile device.  iPhones and iPads (and more generally, devices that use Apple’s iOS operating system) are capable of being forensically analysed.  Exactly what you can get out of them varies depending on the particular version of iOS, how the device is set up with regard to encryption and other factors. There are, however, specific technical approaches and forensic protocols applicable to the IOS (and Android and Windows mobile) environments and companies like ours have made investments in the specific hardware and software needed to keep up with the evolution of these operating environments.

The challenges presented by mobile forensics

The iPad features solid-state device (SSD) memory and, similar to the iPhone, manages data within SQL database files. This storage process makes it difficult to forensically retrieve deleted information from an iPad, because the data is essentially locked down, requiring forensic investigators to gain access to raw data in order to retrieve the deleted information.  For the iPhone and iPad, tools to carry out this process have only recently become available to forensic investigators. The majority of commercially available forensic tools for the iPhone and iPad perform a backup of selected data contained on the device. This results in the partial extraction of user data, but does not allow forensic investigators to recover the majority of the deleted data.  Forensic tools that do allow for the recovery of deleted data have only recently appeared on the market.

Of the many “apps” these devices run, some are harmless, fun and useful, and others are poised to turn traditional forensic investigation on its head.   For example Dropbox® allows users to upload files into the Dropbox app from their mobile device. From there, the app automatically copies the files onto the user’s online Dropbox account, which is accessible from any device with internet access, anywhere in the world. In the corporate world, individuals could use this technology to capture and transfer confidential information. Even if the activity is suspected and the device can be seized for forensic examination, data transfer methods like Dropbox are often easily overlooked and instead investigators turn to email and the use of removable media.  Furthermore, iPads are equipped with the same remote wipe function found on the iPhone. If a seized device is not properly isolated from its network, this highly effective function allows users to send their device a command to permanently erase its contents – stopping any forensic investigation in its tracks.

And all of the signs are that Apple will continue to improve the safety and security aspects of the iPad as it competes for market share with other vendors such as Samsung. Mobile forensics experts are already anticipating new challenges from the introduction of next generation devices and iOS 6.

What should companies be doing?

Powerful tools such as the iPad emphasise the need for companies to fully understand the capabilities of the technology they choose to implement. If misconduct is suspected within a company (whether that be the theft of information or the involvement of employees in fraud, anti-competitive behaviour or corruption) it is important to determine quickly whether the subject of the investigation is using a tablet or smartphone device such as an iPad or iPhone.  If so, and the company has the ability to seize or access the device it should be handled by an expert in mobile forensics.  These devices provide additional ways in which individuals can take proprietary information with little to no trace left behind and also new evidence trails that forensic experts can tap into to work out what has been going on. As the usage of iPads in the BYOD corporate environment continues to grow, they will continue to present challenges to information security and opportunities to forensic investigators that companies cannot ignore.

About Graham Jackson

As a Legal Consultant at Kroll Ontrack, I promote our computer forensic and ediscovery services to both corporate companies and law firms. This is to support any form of their electronic evidence needs, whether that is advising our clients to help prepare in advance of an electronic incident occurring, a real time incident such as data theft, or advise on the best course of action in dealing with post incident response to better protect against future occurrence.

The Bring Your Own Device (BYOD) Phenomenon

Bring Your Own Device (BYOD)

I wondered recently whether or not the BYOD phenomenon was old news; whether companies were surviving the influx of devices into their businesses and had found ways of addressing the security risks that can result,  or if they have simply acquiesced and allowed it to happen, turning a blind eye to the consequences.  Slightly closer to home for those involved in evidence management, I wondered whether computer forensic experts were keeping up to date with the explosion of devices and managing to extract valuable evidence from  iPads and smartphones.  Here are some of the answers I found as I set out to check on the latest information about BYOD.

A quick look at recent surveys shows that the BYOD trend continues to grow and that the majority of companies  now allow employee owned devices to be used – mine does.  On the question of how many have policies and procedures in place to handle the security and legal risks, the last survey I saw said only 8% of UK companies do and that’s probably because the technical, legal and ethical issues around BYOD are so complex.

The benefits are clear – allowing personally owned software and devices into the workplace can unlock a wealth of potential.  Let’s face it, when we are allowed to use our own devices we can often work more creatively and productively and we can take the office home in our pocket, to the coffee shop or wherever.   At the forefront of companies embracing the change stands a CIO like Oliver Bussman, CIO of SAP who has deployed over 18,000 iPads to SAP’s global workforce, and who maintains an app store of authorized apps and IT repair centre modeled on Apples Genius Bars.

Despite all of this, BYOD remains a minefield when it comes to data security. Allowing personally owned devices full access to a secure company network is risky. Any data on these devices can potentially fall into the wrong hands, confidential company information can be stolen or might be extracted after the device is lost, stolen, sold or thrown away.  Employee owned electronic devices often use older versions of systems and software, which may be less secure than modern systems. They may be infected with viruses and spyware that can infect the employer’s systems. If employee-owned devices are allowed full access to a secure network, there’s no guarantee that company data will not be passed on to insecure systems and networks later on.

So how do companies protect their data on these devices?   In short, they are deploying Mobile Device Management software. This software allows the company to manage security policies, content and privileges associated with devices, whether the device is owned by the business or employees.  This ensures that only authorised devices access the network, that the company’s information is secured, and that the device can be wiped clean if it is stolen or lost.  Data can be protected by using a virtual desktop infrastructure (VDI) and a hosted virtual desktop where all the user sees is a virtual image on their mobile device. VDI is used widely in the finance and healthcare sectors because it allows users to access the required data but never stores it on a device.

Unfortunately, as with all technological evolutions, there are people who exploit the changes. As of late 2012, Trend Micro estimated that the number of applications written for Android tablets and smartphones that could be characterized as either high risk or outright malicious at 350,000 with that number expected to triple in the following twelve months.

When it comes to evidence, the ‘lifestyle imprint’ now available on devices and the evidence trail they store and create might be highly relevant in an internal or regulatory investigation or in litigation. Smartphones yield much more evidence than their predecessors and skilled forensic investigators can extract evidence from these devices.  It is also possible now to view all the contents from an iPad by plugging it into specialist software.

The social trends that have made BYOD into common practice show no signs of reversing. Apparently the UK leads the world in terms of mobile data usage and a fairly large chunk of that (40%) is created on social networks.  Clearly, businesses cannot afford to be lackadaisical about BYOD.