MSAB Training : Devices and Digital Evidence PDF
Document Details
Uploaded by WellManagedEllipse
Staffordshire University
2022
MSAB
Summary
This document is a training module from MSAB. Module 2, Devices and Digital Evidence, discusses what digital evidence is, digital devices, data storage on different devices, digital forensics, data recovery, methods for extracting data, and handling digital evidence. The document also touches on different types of digital evidence. The document is useful for professionals in the digital forensics field.
Full Transcript
23/11/2022

Chapter List:
1. What is Digital Evidence?
2. Principles of Digital Evidence
3. Handling Digital Evidence
4. Digital Devices
5. Forensic Data Recovery

Module 2 Devices & Digital Evidence
XRY Version: v 10.0

2.1 – What is Digital Evidence?

2.1.1 – Chapter Introduction
What is digital evidence? It is a question that could result in several different answers depending on who you speak to, or what you read. However, in this chapter we will do our best to give you an understanding of what digital evidence is, what it can include, and how this ties into the role of digital forensics.

2.1.2 – What is Digital Data?
Before we begin to discuss digital evidence, we first need to consider what digital data is made up of, how it is stored, and how it is interpreted.

Binary Data
Fundamentally, digital devices store their data on hard drives, flash drives, discs, and other storage media as binary data. Rather than storing text or images as you see them on the screen, the device stores everything as 0s and 1s, each of which is known as a bit. Eight bits together make a byte, which may look something like 01001100. How that byte is interpreted depends on context: read as ASCII text it is the letter "L", read as an unsigned integer it is 76.

2.1.3 – Digital Data in Mobile Devices
Huge storage capacity…
Most modern, mid-range laptops now ship with 500GB (gigabytes) of storage. The latest smartphones are now offering 512GB+ of storage.
That data can come in the form of messages, apps, call logs, photos, videos, games, documents, emails, calendars, social media, personal health data, music, connected device information, web browsing… or pretty much any activity carried out on that handset.

2.1.4 – What is Digital Evidence?
There are a lot of different definitions of digital evidence in existence, but to truly recognize what it is, we should break it down into its two component parts: "Digital" and "Evidence". See the following definitions as given by the Oxford English Dictionary:

"Digital": (of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization.
"Evidence": The available body of facts or information indicating whether a belief or proposition is true or valid.

So "Digital Evidence" could possibly be defined as:
An available body of facts or information, stored on or retrieved from a digital storage medium, indicating whether a belief or proposition is true or valid, that is admissible as evidence within given proceedings.

What does this mean?
Digital evidence should be treated with just as much respect and attention as traditional evidence. It could include anything that comes from a form of digital storage. However, it has the added complication of being stored on a digital storage medium, so we need a forensically sound method of retrieving and/or capturing that data, all while maintaining its integrity and reliability as admissible evidence.
2.1.5 – What is Digital Forensics?
"Mobile Technology leaves traces, like digital footprints. These can reveal a hidden world – a fragmented world at times, but a world that points to the truth." (Part of the MSAB Mission Statement)

The term Digital Forensics is used to cover a huge range of forensic disciplines, which include (but are not limited to):
- Mobile Phone Forensics
- Computer Forensics
- Drone Forensics
- Network Forensics
- Memory Forensics
- Video Imagery Forensics
- Vehicle Forensics
…and the list goes on. But what exactly is it?

Just like with digital evidence, we can break it down into two component parts: "Digital" and "Forensics". See the following definitions as given by the Oxford English Dictionary:

"Digital": (of signals or data) expressed as series of the digits 0 and 1, typically represented by values of a physical quantity such as voltage or magnetic polarization.
"Forensic": Relating to or denoting the application of scientific methods and techniques to the investigation of crime.

So "Digital Forensics" could possibly be defined as:
The application of scientific methods and techniques to digital data and digital media, in the investigation of crime.

What does this mean?
We have taken our definition of digital evidence and combined it with the concept of applying forensics, and the scientific method, to the process of obtaining that evidence. The scientific method is interested in:
- a reasoned hypothesis;
- a documented and recorded methodology of how to investigate that hypothesis;
- which is repeatable;
- and is capable of being challenged and tested by others.
Conclusions can then be drawn from the findings, which are often presented in a forensic report and/or testimony.

What does this mean for digital forensic practitioners?
The retrieval and analysis of digital data is a forensic discipline. It requires an understanding and appreciation of the requirements and expectations surrounding forensic evidence. Digital data needs to be treated with the same (if not more) respect and care as traditional forensic evidence, such as fingerprint and DNA analysis.

2.2 – Principles of Digital Evidence

2.2.1 – Chapter Introduction
In this brief chapter, we shall look at some of the globally recognized principles associated with handling and managing digital evidence. We shall then break them down into simple, generalized steps that should help guide you through any areas of uncertainty during your investigations.

2.2.2 – Principles of Digital Evidence
There are a number of recommendations and suggestions on how best to handle digital evidence, and regardless of where you are in the world, they are often similar in many respects.

ACPO Good Practice Guide for Digital Evidence
Despite this guide being written in 2012, it has recently been reviewed and, while some updates have been implemented to account for changing technologies, the principles have remained unchanged. In summary, the four ACPO principles are: (1) no action taken by investigators should change data that may later be relied upon in court; (2) where a person finds it necessary to access original data, they must be competent to do so and able to explain the relevance and implications of their actions; (3) an audit trail or other record of all processes applied to digital evidence should be created and preserved, so that an independent third party could examine those processes and achieve the same result; and (4) the person in charge of the investigation has overall responsibility for ensuring that the law and these principles are adhered to.
This document still forms part of what is known as Approved Professional Practice (APP) as outlined by the College of Policing, and also features in international guidance and advice.

2.3 – Handling Digital Evidence

2.3.1 – Chapter Introduction
In this chapter, we shall take a brief look at how best to handle digital devices and evidence in order to secure them and maintain their integrity.

2.3.2 – Seizing and Securing Devices
When seizing and securing digital devices, there can be a minefield of legal and procedural requirements to navigate in order to handle devices correctly. Ultimately, it is down to each individual organization to determine its own practices and guidelines.

But before we do anything else…
You can never take too many photographs in digital forensics. If using the XRY Camera with XRY, you can capture images of the devices and their states. Alternatively, just have a good digital camera available. If in doubt, photograph it!

What state is the device in…?
One of the major challenges of mobile forensics is what to do when first seizing and securing the device:
- Is it switched ON?
- Is it switched OFF? How can you tell that it is genuinely OFF?
- Does it have battery power?
- Does it have a PIN or passcode?
- Is it encrypted?
Mobile device forensics can be far more challenging than computer forensics in many respects, as you often have to break the first principle of digital evidence (that no action should change the data) with every extraction: the handset is typically live and being interacted with while data is retrieved, which itself changes data on the device, so every such action must be recorded and justified.
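The integrity requirement in 2.1.4 and ACPO principle 3 (a preserved audit trail that a third party can repeat) come down to one practical habit: hash the extraction image at acquisition, record the hash with the context, and re-verify before analysis. The following is an added example written for this page, not MSAB or XRY code; the function names and the audit-entry fields are my own choice, and the image bytes are constructed sample data rather than a real extraction.

```python
"""Acquisition hash record: hash an extraction image at acquisition time,
record it with who/when/how, and re-verify the image before analysis.

Added example (not MSAB/XRY code). Function names and record fields are
assumptions; SAMPLE_IMAGE is constructed data, not a real extraction.
"""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # hash in 1 MiB chunks so multi-gigabyte images fit in memory


def _as_stream(image):
    """Accept raw bytes or an open binary stream."""
    return io.BytesIO(image) if isinstance(image, (bytes, bytearray)) else image


def hash_stream(stream, algorithm="sha256"):
    """Hex digest of a readable binary stream, read in chunks."""
    h = hashlib.new(algorithm)
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        h.update(chunk)
    return h.hexdigest()


def hash_bytes(data, algorithm="sha256"):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithm)


def record_acquisition(image, exhibit_id, examiner, method, notes=""):
    """Build the audit-trail entry for one extraction image.

    Captures the hash plus the context a third party needs to repeat the
    check: who did it, when, by which extraction method, and in what state
    the device was (ACPO principle 3).
    """
    return {
        "exhibit_id": exhibit_id,
        "examiner": examiner,
        "method": method,          # e.g. "logical-protocol", "logical-filesystem", "physical"
        "notes": notes,            # device state, passcode source, network isolation used
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "sha256": hash_stream(_as_stream(image), "sha256"),
    }


def verify_acquisition(image, entry):
    """Re-hash the image and compare against the recorded value.

    Returns (ok, current_hash). A mismatch means the image changed since
    acquisition (or the record is wrong) and must be resolved before use.
    """
    current = hash_stream(_as_stream(image), "sha256")
    return current == entry["sha256"], current


def audit_line(entry):
    """Serialise one entry as a JSON line for an append-only audit log."""
    return json.dumps(entry, sort_keys=True)


# --- constructed sample data, not a real extraction -----------------------
SAMPLE_IMAGE = b"\x00" * 512 + b"constructed extraction image" + b"\xff" * 512

if __name__ == "__main__":
    entry = record_acquisition(SAMPLE_IMAGE, "EX/2022/0001", "J. Smith",
                               "physical", "powered on, passcode supplied, Faraday bag")
    print(audit_line(entry))
    print(verify_acquisition(SAMPLE_IMAGE, entry)[0])            # True
    print(verify_acquisition(SAMPLE_IMAGE + b"\x00", entry)[0])  # False
```

Hash the image file the tool writes out, not the live handset: the handset keeps changing (which is the point made above about the first principle), whereas the image is what the report and any re-examination will rely on.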
Other factors that need to be considered…
- Smudge preservation (finger smudges on a touchscreen can reveal an unlock pattern, so photograph the screen before handling or cleaning it)
- Write-blockers
- Network isolation (airplane mode or a Faraday bag, so that no remote wipe, lock or new data reaches the device)
- Traditional "biological" forensics

2.4 – Digital Devices

2.4.1 – Chapter Introduction
In this brief chapter we shall take a look at where evidence can be found, the different digital devices you might encounter, which devices XRY supports, and some guidance on how best to separate some of them into their component parts in preparation for extraction.

2.4.2 – Where can Evidence be Located?
So where can evidence be located? When you seize a mobile device from a suspect, or receive an exhibit bag on your desk with a phone inside it, where should you consider looking for different types of digital evidence?
Three main sources of data…

Retrieving Maximum Data
You may find a number of these devices together in one exhibit. Maximize the chances of retrieving as much data as possible: examine every area independently (in line with your force's or organization's policies).
…but where else could data be stored? The answer is cloud storage!

2.4.3 – Device Types Supported by XRY
XRY supports a huge range of devices and is not just limited to mobile phones and SIM cards…

2.4.4 – Levels of Device Support
"In MSAB Headquarters in Stockholm, we have an original copy of every single device we support so that it is on hand in case we need to carry out further research or tests."
XRY has three different levels of support for devices, and considerations that examiners should have for each one:
- Verified
- Community Verified
- Untested

Alternative Profiles: Trial and Error…
Sometimes a device profile does not exist in XRY, which may be for many reasons: it could be that the device is simply too new, or that it has simply not been on investigators' radar before. When this happens, it does not necessarily mean the phone is unsupported; you might want to try an alternative profile for a similar device instead.
IMPORTANT NOTE: When using alternative profiles we strongly advise that you only ever use LOGICAL extractions, to avoid risking damage to the device or its data. The ONLY exception is "Generic" profiles, where it is safe to attempt a physical extraction with the appropriate profile (i.e. Android Generic on an Android device).

2.4.5 – Requesting Device Support
As an MSAB customer, you can request either additional support for existing devices, or support for currently unsupported devices, through the MSAB website (www.msab.com) or by contacting Support directly at [email protected].
2.5 – Forensic Data Recovery

2.5.1 – Chapter Introduction
In this chapter, we shall take a look at some of the types of data recovery methods we can perform within mobile forensics, and identify some common terminology used across the profession.

2.5.2 – Different Extraction Methods
In mobile device forensics there are several different methods for extracting data, which involve different ways for XRY and the forensic workstation to communicate and interact with the device. The three commonly used terms are:
1) Logical Extraction – Protocol
2) Logical Extraction – File System
3) Physical Extraction

Logical – Protocol
The workstation asks the device for data over a protocol the device supports, and the device answers. (Slide dialogue: "Can I ask you something?" "Sure thing, what is it?")

Logical – File System

Physical

2.5.3 – The Library Analogy
Logical – Protocol
Like going into a library and asking the librarian for the books on a specific subject. They have a look at what they have on their index card system, then personally retrieve for you the best fit(s) based on your request while you wait.

Logical – File System
Like picking up the index card system from the librarian's desk yourself, walking around the library identifying where each book in the index card system is located, then pulling them out yourself.

Physical
Like taking every book off every shelf and trying to match them up to the index card system later on. You will get some books that were left on shelves that did not have index cards (deleted files). There may also be some books or loose pages from old books that the librarian did not even know were there, but which we have recovered (albeit we may not immediately know what they are).

2.5.4 – Extraction Interfaces
There are several different interfaces available for extractions. These are not always available or possible, so read the device's profile to find out what options you may have.

2.5.6 – What can be retrieved?

2.5.7 – Other Information from Service Providers
Some of the information that service providers may be able to provide includes:
- Location information
- Calls made/received
- SMS/MMS logs (sent/received times etc.)
- Voicemail
- ICCID/IMSI/IMEI links and cross-referencing
- Phone number (MSISDN) confirmation
- PUK codes
- Subscriber details
- Payment details

2.6 – End of Module Knowledge Check
Questions 1 to 5
Follow the guidance from your Instructor to complete the knowledge check.
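The library analogy in 2.5.3 maps directly onto code. A file-system extraction walks the allocation index and returns only what the index still references; a physical extraction has the raw bytes and must find files by their signatures, which is how deleted files (and unrecognizable fragments) come back. The following is an added example written for this page, not MSAB or XRY code: the flash image, the allocation table standing in for the file system index, and the JPEG marker constants are all constructed here, and the carver is a deliberately minimal signature carver (start-of-image to end-of-image), so it illustrates the difference rather than handling fragmented or nested files.

```python
"""Logical (file-system) listing versus physical carving on the same image.

Added example, not MSAB/XRY code. IMAGE and INDEX are constructed data: a
small "flash image" with one allocated JPEG, one JPEG whose index entry was
removed (deleted), and a text file. The carver scans raw bytes for markers.
"""

JPEG_SOI = b"\xff\xd8\xff"   # start of image: first three bytes of any JPEG
JPEG_EOI = b"\xff\xd9"       # end of image marker


def make_jpeg(body):
    """Constructed stand-in for a JPEG: real markers around a dummy body."""
    return JPEG_SOI + b"\xe0" + body + JPEG_EOI


# --- constructed image layout (not real device data) ----------------------
ALLOCATED_JPEG = make_jpeg(b"photo still referenced by the file system")
DELETED_JPEG = make_jpeg(b"photo whose directory entry was removed")
NOTE = b"meeting at 9, bring the bag"

IMAGE = (
    b"\x00" * 64            # unused space
    + ALLOCATED_JPEG
    + b"\x00" * 32
    + DELETED_JPEG          # bytes still on flash, but no index entry
    + b"\x00" * 16
    + NOTE
    + b"\x00" * 48
)

# The "index card system": name -> (offset, length). Only live files appear.
INDEX = {
    "DCIM/IMG_0001.jpg": (64, len(ALLOCATED_JPEG)),
    "notes.txt": (64 + len(ALLOCATED_JPEG) + 32 + len(DELETED_JPEG) + 16, len(NOTE)),
}


def logical_listing(image, index):
    """File-system extraction: walk the index and pull each referenced file."""
    return {name: image[off:off + length] for name, (off, length) in index.items()}


def carve_jpegs(image):
    """Physical extraction: scan every byte for JPEG start/end markers.

    Returns a list of (offset, data). The index is ignored entirely, so
    deleted files are found too. A start marker with no end marker is a
    truncated remnant and is left behind by this minimal carver.
    """
    found = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        end += len(JPEG_EOI)
        found.append((start, image[start:end]))
        pos = end
    return found


def classify_carved(carved, index):
    """Match carved objects back to the index: allocated name, or None if deleted."""
    by_offset = {off: name for name, (off, _) in index.items()}
    return [(off, by_offset.get(off)) for off, _ in carved]


if __name__ == "__main__":
    print(sorted(logical_listing(IMAGE, INDEX)))        # the two live files only
    for off, name in classify_carved(carve_jpegs(IMAGE), INDEX):
        print(off, name or "<unallocated: deleted file>")
```

Run it and the logical listing returns exactly the two indexed files, while carving returns both JPEGs, one of which has no name because nothing in the index points at it. That unnamed object is the "book with no index card" of the analogy, and it is why physical extraction, where the device and profile permit it, recovers more than a file-system extraction of the same handset.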
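Cross-referencing ICCID/IMSI/IMEI values between the handset, the SIM and a service provider's records (2.5.7) starts with checking that the numbers you are about to submit are well formed. Both the 15-digit IMEI (3GPP TS 23.003) and the ICCID (ITU-T E.118) end in a Luhn check digit, so a transcription error from a handset label or an exhibit form can be caught before a provider request goes out. This is an added example written for this page, not MSAB or XRY code; the helper names are my own, the sample IMEI is the well-known 3GPP test value, and the ICCID and IMSI below are constructed test numbers.

```python
"""Sanity checks on identifiers before cross-referencing them with a provider.

Added example, not MSAB/XRY code. IMEI and ICCID carry a Luhn check digit;
IMSI does not, but splits into MCC / MNC / MSIN. Function names are
assumptions; sample numbers are test/constructed values.
"""


def luhn_sum(digits):
    """Luhn weighted sum: double every second digit from the right, fold > 9."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total


def luhn_valid(number):
    """True if `number` (digits only) ends in a correct Luhn check digit."""
    return number.isdigit() and len(number) > 1 and luhn_sum(number) % 10 == 0


def luhn_check_digit(body):
    """Check digit to append to `body` so that luhn_valid(body + digit) holds."""
    return str((10 - luhn_sum(body + "0") % 10) % 10)


def parse_imei(imei):
    """Split a 15-digit IMEI into TAC (8), serial (6) and check digit (1)."""
    if len(imei) != 15 or not luhn_valid(imei):
        raise ValueError("invalid IMEI: wrong length or check digit")
    return {"tac": imei[:8], "serial": imei[8:14], "check": imei[14]}


def valid_iccid(iccid):
    """ICCIDs start with major industry identifier 89 and are 19 or 20 digits."""
    return iccid.startswith("89") and 19 <= len(iccid) <= 20 and luhn_valid(iccid)


def parse_imsi(imsi, mnc_length=2):
    """Split an IMSI (up to 15 digits) into MCC, MNC and MSIN.

    MNC length (2 or 3) depends on the country and is assumed by the caller;
    the provider or an MCC/MNC table confirms it.
    """
    if not imsi.isdigit() or not 6 < len(imsi) <= 15 or mnc_length not in (2, 3):
        raise ValueError("invalid IMSI")
    return {"mcc": imsi[:3], "mnc": imsi[3:3 + mnc_length], "msin": imsi[3 + mnc_length:]}


if __name__ == "__main__":
    print(parse_imei("490154203237518"))        # 3GPP test IMEI, valid
    print(luhn_valid("490154203237519"))        # one digit off: False
    body = "891234567890123456"                 # constructed 18-digit ICCID body
    print(body + luhn_check_digit(body))         # full 19-digit ICCID
    print(parse_imsi("001010123456789"))        # test PLMN 001/01, constructed MSIN
```

A Luhn check only catches transcription errors, not a deliberately altered or cloned identifier; the cross-reference against the provider's own records is still what ties a SIM, a handset and a subscriber together.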