Reading through the paper“Forensic framework to identify local vs synced artefacts” from DFRWS 2018 Europe, I came across a paragraph with several statements that I had to read twice, actually several times. The paper cited a book that I wrote in 2013 (Placing the Suspect Behind the Keyboard). The paper states:
Actually, back in 2013, in that cited book, that was exactly what I wrote about: the challenges of not only attributing activity of a user to a device, but the activity and data of interconnected devices. Then I read...
I respectfully disagree with the premise that the forensic community has not been trying to determine which device data has been created. Even going back way before 2013, metadata has been paramount to every case, from all evidence devices, connected to each other or not. As soon as mobile devices became connected to other devices, correlating the data between devices became something done as manner of practice. To state that “It is something that computer forensic examiners are not even considering in many cases” is foreign to me. One of the major points of my first book was to instill the concept that electronic evidence needs to be integrated with the physical world to make a complete case (or more eloquently, paint a beautiful picture).
Oh well. They must have missed those pages about inteconnected devices...and the pictures of interconnected devices too...
Today’s lesson, “Interconnected Devices and Your Investigations”
There are two things to consider with interconnected devices in your investigations:
1) Do the forensics independently on each device
2) Correlate the evidence you find from all the devices
That’s it. There isn’t much more to the secret other than forensics in/on the cloud. Interconnected devices may likely have data contained in the cloud (it’s how the data propagates between devices…). But even then, correlating the data between devices is no more difficult than the forensic work you do on each device.
Here is a visual figure from Placing the Suspect Behind the Keyboard, where I show a visual of a circle of interconnected devices. Every case you do, you should be thinking about this circle that revolves around your suspect (or custodian). It is constant and ever-changing with new and newly replaced devices. Keep this in mind as we continue.
The “I didn’t sync that file to my phone” defense
Let’s take a scenario of finding evidence on a mobile device that is synced to other devices (and the cloud) through a service like Dropbox. Finding the evidence on the mobile device, which was seized from the suspect, in which only the suspect ever had control, generally ties that evidence to the suspect. The possibility that a defense of that mobile device evidence being unknowingly synced to the device would be solely dependent upon if any other person has access to accounts that sync data, such as two persons with admin rights to the same Dropbox account. Meaning, if the suspect is in sole control of the Dropbox account, then the synced files are his. If not, maybe they are and maybe they are not. You need to dig a little more to be sure.
The “Someone else searched that on my home computer” defense
Internet browsing synching is cool. You can bookmark something on your home PC, it gets synched to your tablet, and also gets synched to your smartphone. Cool. However, if browsing history is the evidence found on the tablet, it might be important to know if the evidence was synced from another device if other persons had access to the other devices. Conversely, if the suspect has sole control of all devices, then the defense claim is moot as only the suspect had physical access to all devices (or is the only person with the creds to log into the devices). There is a trend here: he who controls the devices is generally going to be the possessor of the evidence found on those devices.
Ease your mind by doing a little extra work
With every case I have ever done, I have always wished that I had more time to work it. No matter if I worked 10 hours on a case or 10 thousand hours, I can work a case forever because I want to make sure I got it right. With that, you can probably tell that I love interconnected devices in a case because it gives me corroboration of what I found on other devices in a case. Even evidence files that are not synched between devices are great finds to corroborate findings and suspect’s intentions.
A lack of activity can be an indication of activity
Smartphones are great for historical activity. If Google is turned on (as in, logging everything you do), you can recover a great deal of geolocation data, which can be accessed through Google without even having the device in hand. This is a great tool for investigators. Just as cool is that for criminals who leave their phones at home when they are criming* in town, even a log of missed calls can give an indication that perhaps the suspects weren’t actually home with their phone since no one answered any of the incoming calls…or logged into email…or surfed the net…all while a bank robbery or drug deal was happening downtown… Historical activity is great to place suspects at a scene, and a complete lack of activity can give indications they were not where they said they were.
Circles of non-interconnected devices can be connected to each other
One suspect with multiple devices is easy enough to put together. Examine all the devices in the suspect’s circle of interconnected devices and put together a timeline of the important data points. But here comes the really fun part: In some cases, you have several suspects and each suspect has his own circle of interconnected devices. This type of case gives you a world of opportunities to reconstruct history by combining each suspect’s circle of interconnecting devices into one glorious timeline.
I’ve done this type of case on few occasions and assisted others. Without doubt, it is an immense amount of effort that exponentially increases with every device. In one particular case, we had a big box of smartphones was seized. The case revolved mostly around geolocation and text messages. The end result was that each phone geolocations were matched to a person, and the text messages matched between phones. Those with multiple phones had the identical geolocation on their phones, indicating they were carried together. The timeline of criminal activity was superimposed over the geolocation of each device along with text messages sent/received by geolocation. I can tell you that there are a group of criminals who will forever hate mobile devices because of this work.
We simply connected a circle of interconnected devices to other circles of interconnected devices and let the data paint the picture of what happened. Very cool. And you can do it too.
*the act of committing crimes, “criming”
Article Link: http://www.brettshavers.cc/index.php/brettsblog/entry/snap-oh-no-you-didn-t