Although the digital forensics community has been around for decades (remember when it was called ‘Computer Forensics’?), processes have not become easier or more streamlined. Instead, the mobile challenges have become more progressive and cumulative.
From the sheer number of devices a person or household may maintain, to the total volume of data now being stored on cell phones and network-attached storage devices, quantity has become a major challenge. Digital forensics examiners must be taught how to examine digital devices holding such large volumes efficiently, so that they meet customers’ needs in a reasonable amount of time.
Another challenge is major vendors changing their products in significant ways. As an example, Apple Inc. has made significant changes that complicate the acquisition of their devices as well as the ability of examiners to properly analyze the data being examined. As many are aware, Apple Inc. has a process called “Continuity” which allows a user to answer FaceTime, text messages and phone calls with any of their devices that have been set up for Continuity. An individual with this capability can also move from device to device to carry on text and phone conversations. The challenge becomes determining which device originally received the incoming communication and when it was received. Apple Inc. has also recently changed their computer file system from HFS (Hierarchical File System) to APFS (Apple File System). This major change has had an enormous impact on examiners and the companies that design digital forensic software.
Apple Inc. has also introduced Fusion Drive on some of their computers. This is a combination of a spinning hard disk drive and a solid-state drive working in tandem as one drive, transparent to the user. If an examiner does not recognize that a computer has a Fusion Drive, or does not acquire it properly, a great deal of data will not be examined and potential evidence can be lost.
And although it is not a current requirement, many judges across the land are looking for examiners who testify in their courts to have certifications in the tools that they use. Many of the major forensic software tool manufacturers have their own certification processes. These certifications are challenging and costly to obtain and maintain. But when an examiner is on the stand, they can be invaluable in having an individual declared an expert in his or her specialty.
Naturally, there is a large variety of issues that are challenging to the digital forensics community, such as encryption, anti-forensics and wait times for examinations. It would take a book to delineate all of the challenges.
But to achieve positive outcomes in the digital world today, a Prosecutor’s or Defender’s Office, as well as a civil attorney’s office, needs to know that the company they select to overcome these obstacles is prepared to do so.
Roloff Digital Forensics is such a company.
RDF’s personnel have achieved and maintain Cellebrite’s certifications: Cellebrite Certified Logical Operator (CCLO), Cellebrite Certified Physical Analyzer (CCPA), and Cellebrite Certified Mobile Examiner (CCME).
Also, many employees maintain the EnCase Certified Examiner certificate from OpenText (previously known as Guidance Software). In all levels of court proceedings today, criminal and civil, judges are looking to see digital forensic examiners with the appropriate level of certifications.
With proper training, team collaboration, and the necessary software tools for forensic acquisitions, extractions and analyses, RDF has been able to achieve great success in meeting its clients’ goals and overcoming the many challenges in the digital forensics community.