Digital Forensics Can Use Facebook to Solve Cases
By Guest Author | Posted 2014-12-03
Given the complexity of data in various mobile devices, clouds and social media, many nontraditional sources must be examined during a forensic investigation.
This approach is not as easy as using a third-party forensic tool, and it requires an experienced forensic expert who can manually reconstruct content from the deleted entries. While cumbersome, the result is recovery of a message’s content, senders and receivers, the date and time it was sent, and, in some cases, the GPS location of the iPad at the time a message was sent.
While this approach could ultimately deliver evidence that may solve a case, the more activity that’s going on in the app, the less recoverable content there may be, since the database file will allow new messages to overwrite the deleted entries.
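The overwriting effect described above, shown as an added example that is not from the original article or its authors. It assumes the app's message store is a SQLite file with secure deletion turned off (the article says only "database file"), and the table, file name and OLD-MSG/NEW-MSG marker strings are constructed for the demonstration. It scans raw bytes rather than rebuilding records, so it illustrates only how residual content shrinks as the app keeps writing.

```python
import os, re, sqlite3, struct, tempfile

MARKER = re.compile(rb"OLD-MSG-\d{4}")  # constructed marker in the sample messages

def freelist_pages(raw):
    """Number of unused pages, stored big-endian at offset 36 of the SQLite header."""
    if raw[:16] != b"SQLite format 3\x00":
        raise ValueError("not a SQLite 3 file")
    return struct.unpack(">I", raw[36:40])[0]

def residual_messages(path, conn):
    """Markers still present in the raw file but absent from the live rows."""
    with open(path, "rb") as fh:
        raw = fh.read()
    live = {row[0][:12].encode() for row in conn.execute("SELECT body FROM messages")}
    return set(MARKER.findall(raw)) - live, freelist_pages(raw)

def add_messages(conn, prefix, count):
    """Insert `count` constructed messages of roughly 490 bytes each."""
    rows = [(f"{prefix}-MSG-{i:04d} " + "x" * 480,) for i in range(count)]
    conn.executemany("INSERT INTO messages(body) VALUES (?)", rows)
    conn.commit()

def run_demo():
    """Return (residual count, freelist pages) after delete, light use, heavy use."""
    results = []
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed_messages.db")
        conn = sqlite3.connect(path)
        conn.execute("PRAGMA secure_delete = OFF")  # assumption: freed bytes are kept
        conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
        add_messages(conn, "OLD", 200)
        conn.execute("DELETE FROM messages")  # rows vanish from queries, not from disk
        conn.commit()
        for new_activity in (0, 40, 400):  # messages written after the deletion
            add_messages(conn, "NEW", new_activity)
            found, free = residual_messages(path, conn)
            results.append((len(found), free))
        conn.close()
    return results

if __name__ == "__main__":
    stages = ("after delete", "light use", "heavy use")
    for label, (count, free) in zip(stages, run_demo()):
        print(f"{label:13} residual deleted messages: {count:3}  freelist pages: {free}")
```
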
While the approach outlined above may work on any Apple device and also has worked for the recovery of deleted text messages, it may not be applicable to every platform, every form of data or every case. Typically, an investigation into mobile device data requires a variety of techniques to collect everything that may be used as potential evidence. Some methods include:
· Use of third-party software: Cellebrite, Katana Forensics, Lantern and Internet Evidence Finder are a few examples. This is typically the most defensible approach for collecting and analyzing data from mobile devices.
· Manual solutions customized for the type of data and type of device/application from which it is being collected: For these methods to be defensible, they must be performed by computer forensic practitioners who have the appropriate education, training and experience.
· Extraction of files from iTunes backups that can be viewed in a database for analysis.
· Examination of cloud storage: In some cases, data deleted from the device may still exist in cloud-based archives.
All of these methods are nuanced, and many are cutting-edge and still being tested in the field. However, any matter that requires the collection and extraction of data—especially deleted data—from mobile devices and cloud-based data sources is best performed by experienced practitioners. It is also paramount that these techniques be applied in a manner that is defensible in a courtroom and follow a methodology that can be explained to a judge and jury.
As forensic examiners continue to identify and create new approaches, corporations will ultimately have more-effective ways to investigate thefts, recover stolen data and fight back against nefarious activity, which can account for significant losses.
About the authors:
Brett Harrison is a managing director in FTI Consulting’s Washington, D.C., Technology segment. He has more than 20 years’ experience assisting clients with technology-related aspects of investigations and has testified many times in civil and criminal cases. He assists clients through all phases of investigations and helps them understand their options when responding to government subpoenas and requests from opposing parties.
Chad McDonnell, based in Washington, D.C., is a senior consultant in FTI Consulting’s Technology practice. He has worked on numerous projects involving computer forensic investigations and e-discovery. His areas of expertise include computer forensic acquisitions and investigations, live email server acquisitions, data extractions and preservation, data analysis and processing of electronically stored information.