After a year of open submissions for future editions of the Forensic 4:mag I’ve decided to give up and move on. Before I do, however, I wanted to post this article submission by Patrick Siewert. Originally he submitted this for printing in the next issue but has agreed to allow me to publish it here instead. I hope you find it valuable, I certainly did and found myself agreeing with a lot of what is said. Enjoy.
Digital Forensics vs. Data Extraction
I was having lunch the other day with a good friend who is a very well-trained & accomplished Digital Forensic Examiner for the Virginia State Police. He and I often get together and talk about trends in the industry, past cases, tools that work and tools that don’t among other things (we’re both avid motorcyclists). He mentioned something again to me recently that I’ve heard him mentioned in the past. “Forensics is all but dead”, he says. “Almost everyone now is doing data extraction & reporting, not forensics.”
This comment spawned some more thought from me on the topic. Is forensics almost dead? There are several factors at play, not the least of which is the ubiquitous nature of digital forensics practices within government sectors. These factors encompass personnel, practice, cost & overall expertise, to name a few. I, for one, would like to think that forensics is not dead, rather going through an evolution of sorts, as most technology-oriented fields do over time. So what’s the difference between digital forensics and data extraction? Plenty!
Data Extraction & Reporting
I propose a hypothetical case: Agent Smith is an investigative field agent. He works child exploitation crimes for the Mayberry Police Department. He receives an anonymous cybertip from the National Center for Missing & Exploited Children (NCMEC) that John Jones, who lives in Mayberry, has numerous images of child pornography on his smart phone. Agent Smith does his due diligence in background case work and goes to visit Mr. Jones at his home for a knock-and-talk.
Jones consents to talking to Agent Smith and further consents to have his phone examined, but refuses to let Agent Smith take the phone with him. Smith pulls out his field kit, hooks up the phone to his laptop and starts the extraction. Jones admits to nothing, the extraction is complete and a brief review on-scene of the images on the phone indicates there is illegal material, so Smith seizes the phone and arrests Jones based upon the images he found on-scene. Now Agent Smith needs to dig further into the evidence to prove the case, but does he?
Part of the problem and delicate balance with easy-to-use forensic tools (especially mobile forensic tools) is that they’re easy to use. Point, click, extract, view, report, done! This is simple data extraction, not digital forensics. While some of the methods employed to acquire the data may be mostly forensically sound and/or within best practices, that’s about where the forensics ends. The practice of data extraction simply pulls out the data Agent Smith needs to prove his case, not necessarily the whole story. How did the images get on the device? Who put them there? When were they created? Who else may have had access to the device (the anonymous tipster, perhaps)? What additional inculpatory or exculpatory evidence may be present on the device? In short, what does the whole picture look like? These are questions that go mostly unanswered by simple data extraction & reporting. This practice makes the evidence look very damning and very simple, where it may not be either.
The Forensic Difference
Digital Forensics in the simplest definition goes far beyond simple data extraction. Forensics looks at all of the available evidence with an open mind, objectively looking to prove or disprove the case from the start and looking to recover whatever relevant evidence that may be present. The practice of forensics also looks much deeper than what can be found on the surface level. Forensics seeks to answer questions like:
- Are there old partitions on the disk that can be recovered? If so, what evidence might they contain to help prove or disprove the theory of the case?
- Are there deleted items in unallocated and/or file slack space that may provide proof of an attempt to cover up evidence?
- Are there file fragments that could be recovered and/or pieced together to provide a clearer picture of what may have been going on at the time of the incident?
- Are there logs of network connections, operating system journal entries, registry artifacts, encrypted or other data that needs to be examined at the hexadecimal level to put the pieces of the puzzle together?
All of these questions and more encompass just the basic differences between simple data extraction and digital forensics, which is much more complex. It also requires much more training and hands-on experience. I can honestly say that I don’t think I’ve ever conducted a true digital forensic examination where I didn’t have the need to research file types, headers, footers, applications and any number of other assorted case-specific items to help figure out what activity may have been going on with regard to the submitted device(s) and report those findings accurately & intelligently. Indeed, digital forensics is true investigative work, not simply a point-and-click approach to recovering evidence.
So why do so many field and some lab practitioners do data extraction rather than forensics? There are several reasons. The first, and easiest to explain, is laziness. This may shock you, but some people are just plain lazy. They can take a test, pass a certification and have all the on-paper credentials, but if they’re lazy and simply don’t want to do the work, none of that really matters. The next factor is time, which can be closely related to laziness. In the government sectors especially, examiners are pressured to turn over more cases in less time, especially when it comes to mobile devices. A true digital forensic examination takes time and, oddly enough, some governmental supervisors don’t understand that. It is entirely possible that a 64 GB smart phone or tablet full of valuable evidence could take much longer to examine than a 1TB hard drive that doesn’t really have much evidence at all. Ask the bean-counters to wrap their heads around that one!
Along with extensive time goes money, but with digital forensics, it goes beyond that. It takes not only an extensive investment in money, but time as well to get an examiner to a competent state. In order to train a digital forensic examiner to be proficient, knowledgeable and effective requires a huge commitment. Point-and-click classes take less time and are cheaper than weeks or months of in-depth digital forensic training and hands-on experience. To add insult to injury, consider this: I have a friend with whom I attended BCERT – a 5-week computer forensic “boot camp” of sorts. He works at a local law enforcement agency at the level of Sergeant conducting digital forensic examinations. He’s been at it for years and is a go-to resource for me whenever I have a question. If he chooses to advance his career in law enforcement to the next rank (Lieutenant), he would have to quit doing forensics, go back in uniform on patrol and essentially give up that investment he and his department have made, thus starting all over again with a new, green examiner. This practice is not limited to my friend’s department and is in fact commonplace in law enforcement and other government sectors. What sense does that make? Good question. But the ultimate outcome is departments don’t want to spend that mountain of money to train somebody to my friend’s level again (and again), so they take the easy route: Train them to get just what we need, i.e., data extraction.
It seems to be a no-brainer – Trained, equipped, effective examiners are in the best interest of conducting thorough investigations and thus proving or disproving a case, which is in the best interest of justice. Unfortunately, the general reality doesn’t reflect that. Since I started in digital forensics in 2008, I’ve seen several cycles of examiners at the government level. The highly-trained ones get cycled out and the newer ones have less and less training & experience at actually performing any forensics. Conversely, the gap is widening between those who stick with the practice of digital forensics, whether it be in private or government practice, and those who are constantly in the refresh cycle of digital forensics. The smart get smarter & better and the newer ones keep doing data extraction, often not even submitting evidence to the lab unless it’s a “high-profile” case.
This gap will undoubtedly get larger and the numbers of practitioners conducting data extractions will grow, while a few of us are continually staying up-to-date & trying to hone our skills. At some point, the house of cards has to fall, but until it does, I really wish those doing simple data extraction would stop using the F-word: Forensics.
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.