Best practices for evidence recovery in pandemic

John J. Carney
BridgeTower Media Newswires

Digital forensics activity has not paused during the COVID-19 pandemic. Why? From my vantage point, digital forensic examiners serve essential cases by recovering relevant evidence and testifying to it as expert witnesses.

The cases are usually felonies and high-stakes litigation. The criminal cases are felonies like homicide and criminal sexual conduct, as well as high-profile Innocence Project post-conviction cases. The civil cases are concentrated in a few select practice areas, including family, employment, personal injury, and probate litigation.

We are also seeing cybersecurity attacks and data breaches on the increase, along with new forms of COVID-19 phishing scams that take advantage of Minnesota citizens and companies. These, too, are investigated using digital forensics.

Digital forensics cases are COVID-19 cases. By that I mean they have been active during the pandemic of the past three months and will remain so into the indefinite future. They are essential cases, more likely to depend on relevant digital evidence than non-essential cases, and they almost always require immediate attention. Why?

The fundamental tenet of digital forensics is to keep evidence safe. And often that translates into urgent and immediate evidence preservation. Timeliness is everything in digital forensics. But the need for immediate attention can mean more. Magnet Forensics, a top digital forensic tools vendor, says aspirationally about their goals, “Reveal the truth. Seek justice. Protect the innocent.” We must keep people safe while pursuing these lofty goals for digital evidence. And that applies now during the COVID-19 pandemic. Best practices are the most effective way to do it. Let’s examine some of these best practices for evidence and for people.

Best practices — digital forensics

A foremost best practice is maximizing the probative value of data extractions by digging deep into the device’s memory or file system to extract all potentially material evidence. Ideally, the extraction should obtain deleted evidence and probe unallocated storage for evidence fragments or traces, from both Android smartphones and computer hard drives. For iPhones, a full file system extraction is the best available extraction from a probative perspective.

Maximizing the probative value of the device also includes overcoming evidence access challenges like encryption, passwords, and device damage. Extraction techniques are often available to decrypt device memory and, with proper legal authority, to bypass passwords. Advanced hardware extraction methods are also available, again with proper legal authority, to bypass passwords and obtain physical images (forensic copies) of the device.

Advanced forensic repair facilities are available to remediate hardware damage to mobile devices or computers. Examples include a broken screen, a discharged or defective battery, failure to power on or boot, water damage, or a damaged data port. The latter is important because device data extraction involves connecting the device to a forensic workstation. If the device cannot connect, it cannot be extracted. Advanced data recovery services can rescue precious data from damaged storage drives, both magnetic and solid state, for smartphones and computers, delivering evidence that would otherwise be lost.

Another important digital forensics best practice is stated often by my colleague and smartphone forensics instructor, Heather Mahalik, who says, “One tool is never enough.” By that she means the examiner’s use of just one digital evidence recovery tool is never enough to obtain all the evidence buried in the device. I agree. One size does not fit all cases and all fact patterns. And one tool cannot handle the over 31,000 mobile devices in circulation over the past decade, nor plumb the several million apps in the Apple and Google Play app stores. We need a second or even third opinion, which means using a second or third digital forensics tool to probe every device.

New, open source digital forensic tools take exploratory paths to scout and recover cutting edge evidence. Their bright and curious software developers parse fruitful data sources the established commercial vendors have not yet found time to master. Therefore, open source tools provide a valuable complementary approach toward maximizing probative evidence recovery when used alongside best-of-breed commercial tools.

Best practices advise examiners not only to employ multiple tools, but to compare and contrast each tool’s evidence recovery quantitatively to evaluate analytical performance. This best practice is called “cross validation.” Examiners often find surprising differences in the recovery inventory when assessed this way. For example, one tool may find twice as many messages as another, but the message-deficient tool may find more email and photographs. Examiners use this best practice to determine the best evidence of each type for analysis and production to the legal team.
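The cross-validation comparison described above, as an added example that is not code from the article or from any forensic vendor’s tool. It keys each recovered artifact by a content hash rather than by the tool’s own record id, so the same message found by both tools counts once; the two tool exports are constructed sample data, not real case evidence.

```python
import hashlib
from collections import defaultdict


def fingerprint(kind, content):
    """Key artifacts by type + content so identical items recovered by
    different tools (with different internal ids) are matched up."""
    return hashlib.sha256(f"{kind}\x00{content}".encode()).hexdigest()


# Constructed sample exports (not real case data). Each record is
# (artifact type, recovered content) as a tool's export parser would emit it.
TOOL_A = [
    ("message", "see you at 7"), ("message", "running late"),
    ("message", "deleted draft 1"), ("message", "deleted draft 2"),
    ("email", "Subject: invoice"),
    ("photo", "IMG_0001.jpg"), ("photo", "IMG_0002.jpg"),
]
TOOL_B = [
    ("message", "see you at 7"), ("message", "running late"),
    ("email", "Subject: invoice"), ("email", "Subject: re: invoice"),
    ("photo", "IMG_0001.jpg"), ("photo", "IMG_0003.heic"),
]


def inventory(records):
    """Recovery inventory: artifact type -> set of content fingerprints."""
    inv = defaultdict(set)
    for kind, content in records:
        inv[kind].add(fingerprint(kind, content))
    return inv


def cross_validate(records_a, records_b):
    """Per artifact type, count what each tool found, what only one tool
    found, and which tool's output is the best evidence for that type
    ('merge' when neither tool's recovery is a superset of the other's)."""
    inv_a, inv_b = inventory(records_a), inventory(records_b)
    report = {}
    for kind in sorted(inv_a.keys() | inv_b.keys()):
        a, b = inv_a.get(kind, set()), inv_b.get(kind, set())
        best = "either" if a == b else "A" if a >= b else "B" if b >= a else "merge"
        report[kind] = {"tool_a": len(a), "tool_b": len(b),
                        "only_a": len(a - b), "only_b": len(b - a),
                        "union": len(a | b), "best": best}
    return report


if __name__ == "__main__":
    for kind, row in cross_validate(TOOL_A, TOOL_B).items():
        print(f"{kind:8} A={row['tool_a']} B={row['tool_b']} "
              f"onlyA={row['only_a']} onlyB={row['only_b']} best={row['best']}")
```

On the constructed data, tool A is the best source for messages, tool B for email, and photographs must be merged from both, which is the pattern the paragraph above describes.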

A final best practice calls for automated evidence processing using the latest innovative forensic tools to derive value-added results. Artificial intelligence is a good example. The software can read all the messages and chats on the device and profile or categorize those with sexual content, drug references, or grooming and luring language. The software can recognize photographs automatically and categorize them as paper documents, credit cards and IDs, drugs, money, weapons, license plates, or screen captures from phone or computer screens.

Other automated capabilities include malware scans to identify viruses, spyware, exploits, and other digital threats infecting the device and to pinpoint when it was infiltrated. Wi-Fi network names and cell tower identifiers can be transformed automatically into GPS coordinates to enrich device location evidence. Last, contact tracing logic can discover electronic communication and other connections between individuals and depict them in social graphs or network diagrams.

Best practices — COVID-19 pandemic

COVID-19 cases are essential cases and present entirely new challenges to lawyers representing clients during a pandemic. Digital forensic examiners must be available to assist lawyers when needed, providing answers and evidence expertise to sustain effective advocacy. Meaningful initial evidence consultations can be crucial. Whether they occur on a Zoom conference, by phone call, over email, or by chat session, they must transpire whenever and however best meets the lawyer’s needs for insight and expertise.

Lawyers need responsive legal services during this pandemic to overcome new challenges. These include responsive digital forensic examinations that go to the heart of the issues upon which cases turn, and responsive court documents that present evidence findings with clarity, often including illustrative demonstrative exhibits that speak visually to clients, parties, judges, and juries.

Remote cloud forensic examinations are ideal for keeping people safe during the COVID-19 pandemic. The evidence stored in an online cloud account subject to examination might be web mail, chat or instant messaging, cloud storage or backup, social media, photo sharing, local or community interest, dating, professional or industry networking, e-commerce, or one of the major Internet Service Providers (ISPs) like Google, Apple, Amazon, or Microsoft. The examiner obtains legal authorization, conferred by a subpoena, court order, or party consent, to undertake a remote cloud forensic collection. He or she uses cloud forensic tools in the lab to collect digital evidence from private cloud accounts, stored in an ISP data center and subscribed to by individuals, groups, or institutions. The collection can also be an electronic evidence package prepared by the ISP for download from its data center.

The material evidence, however, may not be in the cloud at all but stored on a mobile device or computer. To keep clients safe, and couriers and evidence technicians as well, examiners have formulated coronavirus plans that incorporate prudent evidence handling for a hyper-contagious pandemic. The plan requires contactless device pickups from client locations, third-party locations, or the digital forensics lab. It relies heavily on overnight device shipment to and from the lab. And it also relies on contactless, electronic delivery of digital evidence from the lab in minutes through encrypted, online digital distribution systems. Encrypted evidence packages arrive in a lawyer’s or paralegal’s inbox for immediate digital download and review. Plans that incorporate best practices can keep both evidence and people safe.

—————

John J. Carney, Esq., is chief technology officer of Carney Forensics, www.carneyforensics.com.