The digital forensic community has been around for decades (remember when it was simply called ‘Computer Forensics’?). Unlike many tech fields where processes can become simpler and more streamlined, mobile technology and cloud storage have brought more complicated and cumulative obstacles.
From the sheer number of devices a person or household maintains, to the total volume of data now stored on cell phones, cloud locations, and network attached storage devices, quantity has become a major hurdle. Digital forensics examiners must be taught how to examine devices holding such large volumes of data efficiently while still meeting client needs under short deadlines.
Another challenge: the products we use advance. For example, Apple Inc. has made strides in the manner in which it stores and protects data on its devices, which can impede the digital forensic team’s ability to properly extract and analyze crucial data.
As many are aware, Apple Inc. has a feature called “Continuity” which, among many things, allows a user to answer FaceTime, text messages and phone calls with any of their connected devices. A person with this capability can move from device to device as they work, which raises a frequently seen question: Which device first received the message, and what person in the household was responsible for the response?
Over the last few years, Apple Inc. has been migrating its computer file system from Mac OS Extended, also known as HFS+ (Hierarchical File System), to APFS (Apple File System), and even prior to this, introduced Fusion Drives on some of its computers. Simply put, a Fusion Drive is a spinning hard disk drive and a solid-state drive working in tandem as one drive, transparent to the user. To make things even more complicated, Apple produced FileVault full disk encryption to assist users in protecting their data.
If an examiner doesn’t understand the system they are attempting to extract data from, including what type of file system is in use, whether a Fusion Drive is installed, and whether the disk(s) are encrypted with FileVault, usable data will not be properly acquired.
That means potential evidence can be lost or simply missed.
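To make that pre-acquisition check concrete, here is an added example (not code from Roloff Digital Forensics) that reads the first bytes of a single partition and reports whether it holds an APFS container, a Core Storage volume, or plain HFS+, and whether an APFS container is flagged as Fusion. The signature offsets are assumptions drawn from Apple's published APFS reference and public HFS+ and Core Storage format documentation, and the sample buffers are constructed.

```python
import struct

# Signatures and offsets follow Apple's APFS reference and public HFS+ and
# Core Storage format documentation; none of them come from the article.
APFS_MAGIC = b"NXSB"          # nx_magic at byte offset 32 of container block 0
NX_INCOMPAT_FUSION = 0x100    # bit in nx_incompatible_features (offset 64)
CORE_STORAGE_SIG = b"CS"      # Core Storage physical volume header, offset 88
HFS_SIGS = {b"H+": "HFS+", b"HX": "HFSX"}  # volume header signature, offset 1024


def triage_partition(head: bytes) -> dict:
    """Classify the leading bytes of ONE partition (not a whole-disk image)."""
    out = {"container": "unknown", "fusion": None, "notes": []}
    if len(head) < 1026:
        out["notes"].append("short read: fewer than 1026 bytes supplied")
    if len(head) >= 72 and head[32:36] == APFS_MAGIC:
        (block_size,) = struct.unpack_from("<I", head, 36)
        (incompat,) = struct.unpack_from("<Q", head, 64)
        out.update(container="APFS", block_size=block_size,
                   fusion=bool(incompat & NX_INCOMPAT_FUSION))
        out["notes"].append("encryption is recorded per volume, not in this block")
    elif head[88:90] == CORE_STORAGE_SIG:
        out["container"] = "Core Storage"
        out["notes"].append("backs both HFS+ Fusion Drives and FileVault 2 on "
                            "HFS+; inspect the logical volume group to tell which")
    elif head[1024:1026] in HFS_SIGS:
        out.update(container=HFS_SIGS[head[1024:1026]], fusion=False)
    return out


def make_sample(sig: bytes, offset: int, incompat: int = 0) -> bytes:
    """Constructed input: a zeroed 4 KiB buffer with one signature planted."""
    buf = bytearray(4096)
    buf[offset:offset + len(sig)] = sig
    if sig == APFS_MAGIC:
        struct.pack_into("<I", buf, 36, 4096)      # nx_block_size
        struct.pack_into("<Q", buf, 64, incompat)  # nx_incompatible_features
    return bytes(buf)


if __name__ == "__main__":
    samples = {
        "apfs-fusion": make_sample(APFS_MAGIC, 32, NX_INCOMPAT_FUSION),
        "core-storage": make_sample(CORE_STORAGE_SIG, 88),
        "hfs-plus": make_sample(b"H+", 1024),
    }
    for name, data in samples.items():
        print(name, triage_partition(data))
```

A whole-disk image must first be split into partitions using its partition table, and an "unknown" result is a prompt for manual inspection rather than proof that the partition is empty.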
These types of changes and advancements have had, and will continue to have, a significant impact on digital forensic software and hardware designers, the methodology employed, and ultimately, digital forensics teams.
That brings us to how examiners can keep up with these changes while managing devices, data, and deadlines: proper training. Though not always a requirement, many clients seek out examiners holding specific certifications related to the type of data being analyzed. This can assist when testimony is being introduced, or lend additional weight to an opinion provided by way of written report. Many of the major forensic software tool manufacturers have their own certification processes, which can be time intensive and costly to maintain, but a well-certified examiner can be invaluable when opinions are necessary.
At Roloff Digital Forensics, we overcome both old and new challenges with proper training, team collaboration, and the necessary tools for forensic acquisitions, extractions and analysis. See our staff page to learn more about our personnel’s current certifications.