Digital Shield, Inc. Verifying and Validation of Findings

Who Are We? • Former Local LE

• Conduct Live Case Work

• Specialize in Training & Dev.

• We like this stuff

• We conduct investigations

• Testify to findings in Court / Defend our results

• How are you validating information produced by tools?

• Challenged in court yet?

So Why Are We Here?

State of Mobile Forensics • Come along way in last few years

• Logical

• File systems

• Physical

• Password extract / bypass

• Applications

• OH MY!

Forensics “Trust but Verify”

• Tools produce decoded data • Do you believe the tools extracted ALL the data? • Ok it extracted it, but was it decoded? • Detective is it possible you could have missed anything?

Validation Techniques • Hand Scroll Analysis

• Database Searches

• Unallocated space

Hand Scroll Analysis • Thumbing through a Phone

• Documenting all visible information on the phone

• Time Consuming UGH!!

• Validation collected information

• May not have access to all data through interface

Database Verification

Sample Number One

Sample One Verify

Sample Number Two

Sample Two Verify

Sample Number Three Verify

Sample Number Three Verify

Sample Number Four “Decoded”?

Is the Application supported for Decoding? If not then what?

3rd Party Tools

What tools do you use?

• Cellebrite • XRY • Oxygen • IEF • EPILOG • Are you serious?

EPILOG – SQLite Deleted?

IEF Mobile -- SMS Unallocated

IEF Mobile – Snapchat / Skype

Questions?

More Information? Digital Shield, Inc.

jchurch@digitalshield.net

321-704-1336

Hanover, Maryland

Grant, Florida