Verification and Validation of Findings
DESCRIPTION
Mobile forensics has come a long way over the past decade. The more complex it becomes, the greater the need for forensic examiners to "trust but verify" -- to validate that their process is acquiring evidence correctly, and that it is acquiring the correct evidence.
TRANSCRIPT
Digital Shield, Inc. Verifying and Validation of Findings
Who Are We?
• Former Local LE
• Conduct Live Case Work
• Specialize in Training & Dev.
• We like this stuff
• We conduct investigations
• Testify to findings in Court / Defend our results
• How are you validating information produced by tools?
• Challenged in court yet?
So Why Are We Here?
State of Mobile Forensics
• Come a long way in the last few years
• Logical
• File systems
• Physical
• Password extract / bypass
• Applications
• OH MY!
Forensics “Trust but Verify”
• Tools produce decoded data
• Do you believe the tools extracted ALL the data?
• Ok, it extracted it, but was it decoded?
• Detective, is it possible you could have missed anything?
Validation Techniques
• Hand Scroll Analysis
• Database Searches
• Unallocated space
Hand Scroll Analysis
• Thumbing through a Phone
• Documenting all visible information on the phone
• Time Consuming UGH!!
• Validation of collected information
• May not have access to all data through interface
Database Verification
Sample Number One
Sample One Verify
Sample Number Two
Sample Two Verify
Sample Number Three Verify
Sample Number Four “Decoded”?
Is the Application supported for Decoding? If not then what?
3rd Party Tools
What tools do you use?
• Cellebrite
• XRY
• Oxygen
• IEF
• EPILOG
• Are you serious?
EPILOG – SQLite Deleted?
IEF Mobile -- SMS Unallocated
IEF Mobile – Snapchat / Skype
Questions?
More Information? Digital Shield, Inc.
321-704-1336
Hanover, Maryland
Grant, Florida