I started in digital forensics in 2002, which seems like a lifetime ago when I look at the digital forensics world today compared to back then. One of the primary changes is that the center of gravity for host-based digital forensic examination has moved from file systems to applications. There has been quite a bit of discussion about this trend over the years, so it’s not a unique observation on my part, but I’ve certainly watched in wonder as digital forensics methods and tools have changed to adapt to this reality.
Around the turn of the century, the primary focuses of host-based digital forensic examinations tended to be web browser artifacts, document and photo metadata, file system artifacts, operating system log files, and email parsing. Forensic examinations weren’t exclusively focused on these areas, but most digital forensics exams would involve at least some of them as their core components. If you had proficiency in these areas, there was an excellent chance that you were a competent digital forensics examiner. In my mind, the key differentiator at that time was whether an examiner understood file systems well enough that they could understand and articulate concepts such as how date and file data manifested themselves inside of a master file table. If I interviewed someone for a job and they told me that there were only four date stamps inside of an NTFS master file table record, I knew they were likely just someone who drove a digital forensics tool and didn’t really understand much more beyond that.
As I look back on it now, the relative lack of diversity in digital forensic tools at that time makes more sense to me. It was very common for a digital forensics shop to use EnCase as their primary digital forensic tool along with FTK as their indexing/email forensics tool. FTK was also nice to have around for a second opinion on what EnCase was telling you in regards to the file system. Both tools did web parsing reasonably well, but many of us used the very fine NetAnalysis tool for web browser history forensics. We didn’t have a vast diversity of tools because there just wasn’t the business case for them. Our existing tools generally did what we needed them to do.
If someone were writing the history of digital forensics, the advent of Magnet Forensics’ Internet Evidence Finder (IEF) would likely show up at the start of a chapter talking about the switch of focus from file systems to applications. IEF became very popular, very quickly, because it was designed with a focus on parsing application information, whether that application was part of the operating system, such as a native web browser, or a third-party application such as a third-party web browser, chat program, email client, P2P client, and the like. Of course, it also did a great job parsing a whole host of operating system artifacts just like the other tools did, but the long-term secret sauce of IEF was that it was focused on application artifacts in an era when apps were becoming the primary focus of consumer technology use and spending.
IEF was a great product and, as it turns out, the sign of a great business strategy in the making. The computing world was moving from one where user activity was focused on things such as web browsers and office applications to one where users were using an amazing diversity of applications, primarily on their mobile devices. It’s not that we gave up using web browsers and office applications, but they were just part of the greater mix of applications being used. Just take the Apple App Store as an example. It opened up in 2008 with about 500 applications available on it, and by 2017 it had over two million applications.
This rise in applications drove changes in the development of digital forensic tools. The companies that have focused their development work on applications have generally done very well for themselves. Magnet is an obvious example, since it went from a one-person shop to a global digital forensics company by riding this wave. Other examples are MSAB, Cellebrite, and Oxygen Forensics, which have done very well for themselves by also capitalizing on this trend and creating products to address it.
It’s not that the core digital forensics skills such as file system forensic analysis are obsolete. Far from it. You still have to load yourself up on materials such as the magnificent Harlan Carvey books, especially if you are investigating network intrusion cases in an enterprise computing environment, but now you also have to understand how to operate as a digital forensics examiner in this application-centric mobile device era.
What do I mean by this? We’re in this new era of digital forensics where examiners are going to have to get comfortable with being even less able to rely on their forensic tools for support than before. You can’t rely on your commercial tools any more than you did in the past file-system-focused era. In that era, the name of the game was going beyond your tools and understanding the underlying technology well enough that you could validate the output from your tools. That’s still the case now. In this new era, the commercial forensic tool developers will use their finite development capacity to support only the applications that are broadly used and whose support will drive people to purchase their tools. Because of this, the digital forensics community will need to provide their own support for applications that aren’t covered by commercial digital forensic tools.
What will this support look like? It’s going to come in the form of enterprising digital forensics people using their knowledge of parsing technologies such as JSON and SQLite to create their own tools and scripts to investigate these artifacts. In some cases, this will take the form of creating scripts that leverage existing digital forensic tools, or creating tools/scripts that work as standalone solutions. As always, we’ll still need to have the ability to double-check what these tools are telling us so that we can validate the results. I use the term “have the ability” because I understand that an individual examiner can’t be expected to know everything, such as being able to comfortably read a particular Python script or parse a JSON artifact. The ability to do these things might take the form of being able to leverage someone you know to do this work for you. Digital forensics is a team sport, and one of the most important tools in your inventory is a list of people who are willing to help you out when you are in a bind.
Cryptocurrency wallets are a good example of all of this. Cryptocurrencies are the primary payment system of the online underground economy, and wallets are applications that allow people to interact with cryptocurrency blockchains so they can send and receive transactions. There are just too many wallets for the digital forensics companies to provide support for all of them, and it’s going to take the community creating tools to parse them to provide the necessary support for cryptocurrency-related examinations. This is not an original point on my part, since Jad Saliba made this observation about cryptocurrency forensics at the 2019 Magnet User Conference (MUS2019) this year, and those comments have stuck with me ever since.
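As an added illustration of the kind of community script described above (my example, not the author’s code and not based on any real wallet product), the block below parses a constructed SQLite transaction table and a constructed JSON settings file from a hypothetical wallet app, normalizes epoch timestamps (including the common seconds-versus-milliseconds trap), labels addresses from the settings artifact, and then cross-checks its own output against independent SQL so that an examiner can validate what the script reports rather than take it on faith. Every table, column, JSON key and value here is invented for the example.

```python
import json
import sqlite3
from datetime import datetime, timezone
from decimal import Decimal

# Constructed settings artifact for a HYPOTHETICAL wallet app. The keys and
# values are invented for this example and match no real product's format.
SAMPLE_SETTINGS_JSON = json.dumps({
    "app_version": "1.4.2",
    "accounts": [
        {"label": "savings", "addresses": ["addr_constructed_aaa", "addr_constructed_bbb"]},
        {"label": "spending", "addresses": ["addr_constructed_ccc"]},
    ],
    "contacts": [{"name": "vendor-x", "address": "addr_constructed_ext1"}],
})

# Constructed rows for the hypothetical app's transaction table:
# (txid, direction, amount in satoshi, created, counterparty address, memo).
# tx02 deliberately stores its timestamp in milliseconds, a real-world
# inconsistency that a naive parser would turn into a date in the year 51000.
SAMPLE_ROWS = [
    ("tx01", "in", 150_000_000, 1556668800, "addr_constructed_aaa", "deposit"),
    ("tx02", "out", 25_000_000, 1556755200000, "addr_constructed_ext1", "invoice 17"),
    ("tx03", "in", 1_000, 1556841600, "addr_constructed_ccc", None),
]


def build_sample_db():
    """Create an in-memory SQLite database shaped like the constructed artifact."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE transactions (txid TEXT PRIMARY KEY, direction TEXT, "
        "amount_sat INTEGER, created INTEGER, address TEXT, memo TEXT)"
    )
    conn.executemany("INSERT INTO transactions VALUES (?,?,?,?,?,?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def epoch_to_iso(value):
    """Epoch value -> UTC ISO-8601 string. Heuristic: anything above 10**11 is
    treated as milliseconds (10**11 seconds is the year 5138, 10**11 ms is 1973)."""
    seconds = value / 1000 if value > 10**11 else value
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


def parse_settings(json_text):
    """Map every address in the settings JSON to a human-readable label."""
    data = json.loads(json_text)
    labels = {}
    for account in data.get("accounts", []):
        for addr in account.get("addresses", []):
            labels[addr] = account["label"]
    for contact in data.get("contacts", []):
        labels[contact["address"]] = "contact:" + contact["name"]
    return labels


def parse_transactions(conn, labels):
    """Normalize the raw table into records with UTC times, BTC amounts and labels."""
    rows = conn.execute(
        "SELECT txid, direction, amount_sat, created, address, memo FROM transactions"
    ).fetchall()
    records = []
    for txid, direction, amount_sat, created, address, memo in rows:
        records.append({
            "txid": txid,
            "direction": direction,
            "amount_btc": Decimal(amount_sat) / Decimal(100_000_000),  # exact, no float
            "timestamp_utc": epoch_to_iso(created),
            "raw_created": created,  # keep the raw value so the conversion can be audited
            "address": address,
            "label": labels.get(address, "unknown"),
            "memo": memo or "",
        })
    records.sort(key=lambda r: r["timestamp_utc"])  # sort AFTER normalization
    return records


def cross_check(conn, records):
    """Validate the parser against the raw table with independent SQL: row count,
    per-direction satoshi totals, and a plausibility window on every timestamp."""
    problems = []
    raw_count = conn.execute("SELECT COUNT(*) FROM transactions").fetchone()[0]
    if raw_count != len(records):
        problems.append(f"row count mismatch: table={raw_count} parsed={len(records)}")
    for direction in ("in", "out"):
        raw_sat = conn.execute(
            "SELECT COALESCE(SUM(amount_sat), 0) FROM transactions WHERE direction = ?",
            (direction,),
        ).fetchone()[0]
        parsed_sat = sum(int(r["amount_btc"] * 100_000_000) for r in records
                         if r["direction"] == direction)
        if raw_sat != parsed_sat:
            problems.append(f"{direction} total mismatch: sql={raw_sat} parsed={parsed_sat}")
    for r in records:
        year = int(r["timestamp_utc"][:4])
        if not 2009 <= year <= 2100:  # nothing before the 2009 genesis block is plausible
            problems.append(f"{r['txid']}: implausible timestamp {r['timestamp_utc']}")
    return problems


def net_balance_btc(records):
    """Net of inbound minus outbound amounts, as an exact Decimal."""
    return sum(r["amount_btc"] if r["direction"] == "in" else -r["amount_btc"]
               for r in records)


if __name__ == "__main__":
    db = build_sample_db()
    parsed = parse_transactions(db, parse_settings(SAMPLE_SETTINGS_JSON))
    for rec in parsed:
        print(rec["timestamp_utc"], rec["txid"], rec["direction"],
              rec["amount_btc"], rec["label"], rec["memo"])
    print("validation problems:", cross_check(db, parsed) or "none")
    print("net balance (BTC):", net_balance_btc(parsed))
```

The point of `cross_check` is the "double check what these tools are telling us" step from the post: the totals come from SQL the parser never touched, and the year window catches the epoch-unit mistake that otherwise silently produces an absurd date. Point the same approach at a real artifact by replacing `build_sample_db` with `sqlite3.connect` on a working copy of the extracted database and adjusting the column names to the app’s actual schema.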
Various and Sundry
I’m still trying to get back into a monthly blogging tempo, and I have another AFoD interview in the works as I write this. I’m coming towards the end of a very heavy conference presentation schedule this year that started about the time of MUS2019 and will end for me at the end of the upcoming Dallas Crimes Against Children Conference. Thanks to everyone who came out to see me speak on Business Email Compromise and Virtual Currency Investigations over the past four months or so. I’ve enjoyed getting to meet so many new people, as well as finally meeting some people who I had only known electronically through the years. I’ll still be doing some presentations in 2019, but I think the heavy digital forensics conference season is pretty much done for me and most of the people I know who speak on this circuit. I’m going to be working on developing some new talks for the 2020 season.
I basically wrote this blog post in my head while at the MUS2019 conference after listening to people like Jad and attending some great talks. For example, Alex Brigoni did a magnificent talk called “Unsupported Apps. What Can Be Done? A Methodological Approach to Mobile App Forensics” that covered just how digital forensics people should be approaching this new application-centric era. He’s a razor-sharp fellow, and you can find him over at his blog and on the Twitters. You should also read an interview he did on the Magnet blog regarding application forensics.
Eric,
I have to agree with a lot of what you said...you're on point. However, as you mentioned, analysts need to move away from relying on a single commercial application to perform data parsing and presentation for them. Analysts still need to not only validate the output of these tools, but also understand the context of and correctly interpret the data to which they have access. There are more than a few cases where commercially available tools do not support full exploitation of artifacts; but then, often they don't have to. Full exploitation is often equally obviated by the business model.
New applications are an issue, even with our familiar data sources. This is why I still resort to timeline analysis...done appropriately, it allows me to see where valuable information that I wasn't aware of before might now be available.
> ...the digital forensics community will need to provide their
> own support for applications that aren’t covered by commercial
> digital forensic tools.
And therein lies the challenge. By and large, there is little in the way of "support" from the community, as a whole. Most often, a new tool is created, downloaded, and if for some reason the data is not as the analyst thought, nothing usually happens beyond that. It's human nature to not value those things that are free, and provided without any effort.
IMHO, what's needed to drive the change is a knowledgeable consumer of DFIR services.