BASIS TECHNOLOGY AND NUIX TRIAGE MULTILINGUAL DATA AT BLAZING SPEED

In the movies, investigations are clear-cut and fast. Look for a body with bullet wounds and expended shell casings nearby. Look for the gun; there’s no need to look for a knife (no stab wounds) or a hammer (no evidence of blunt force trauma). The reality of digital investigations is more like looking for a body buried somewhere in a 5,000-acre junkyard with a mountain of debris on every acre. Forget the ‘needle in the haystack’ (that’s too easy); you’re looking for a specific needle in a stack of needles.

Nuix specializes in tackling this kind of problem, expanding beyond investigations to include eDiscovery and data governance. It enables users to swiftly reduce the scope of a case from hundreds of systems to just the relevant ones. How? The Nuix engine is blazingly fast. It eats terabytes of data for lunch, thoroughly unpacking, processing and enriching the most complex data types — including unstructured and semi-structured text, mobile phone images, videos, files nested in PST or NSF files, social media data and forensic images. Other tools may silently fail on difficult files, but not Nuix.

Nuix then enriches data with normalization, concept grouping, deduplication and other programmatic analytics that empower analysts to ask questions (Where’s the body?) in order to ask better, targeted questions (Where’s the gun, what type of round was used, where else have similar rounds been found, is there a pattern?). Nuix boasts of a 90% reduction in turnaround time for various types of investigations, quickly reducing data to only what’s relevant and necessary to answer the questions being asked.

ROSETTE MEETS THE MULTILINGUAL CHALLENGE

We sought a partner to meet the surge of data that was becoming increasingly multilingual. Without proper language support, relevant data could be missed or erroneously excluded from a case. For Nuix, the multilingual text processing also had to be fast, thorough and accurate because:

  • In eDiscovery, multilingual documents need to be searchable such that a paragraph-long, English email footer doesn’t obscure the crucial one-sentence Japanese email body where the critical evidence is located.
  • In investigations, all bad actors do not communicate in English. Investigators without multilingual capabilities need a tool that overcomes the language barrier.
  • In data governance, the data containing names and personally identifiable information needs to be identified and securely stored, regardless of the language it is written in.

Nuix chose to partner with Basis Technology for its sophisticated, AI-powered text analytics platform, Rosette®. Operating at the same blazing speed as the Nuix Engine, Rosette identifies the language of unstructured text and then enriches it with language-specific processing in 30+ languages and their native scripts. Rosette is consistently accurate across European languages, Arabic, Chinese, Japanese, Korean, Persian, Russian, and Urdu, ensuring that Nuix searches are accurate and comprehensive.

For example, languages without spaces between words — e.g., Chinese, Japanese, and Korean — need the words to be segmented to be accurately searched. Complex languages like Arabic add affixes before, in the middle and at the end of words. Thus the stems and roots of words must be identified to enable a comprehensive search. An exact match search in Arabic for “book” (kitaab) will not match the plural “books” (kutub), unless you know that the root of both words is k-t-b.

Rosette-enriched text also enables Nuix to apply its own analytics.

In data governance or eDiscovery, you don’t want to give out personally identifiable information (PII) when you have to show data. Being able to understand PII in multiple languages quickly, accurately and at scale is essential.

Rosette also stood out to Nuix for its track record powering mission-critical systems for government intelligence, border security, financial compliance and eComms surveillance, as well as customer feedback analysis.

THE PROOF IS IN THE RESULTS

By integrating Rosette, Nuix strengthened its offerings in three key areas:

For eDiscovery, Rosette detects different language regions in a single document, so that text in each language section is properly processed to be searchable. One pass with Rosette produces a report on what proportion of a corpus of evidence is in which languages before early case assessment even begins. Every full-text search will be thorough and comprehensive, uncovering the most relevant information quickly.
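As an added illustration (not Rosette or Nuix code), the Python below splits a document into runs of one writing script using Unicode character names and reports the share of letters in each script. That per-document view is the building block behind a report of which languages a corpus contains, and it is what keeps a one-sentence Japanese body visible beneath a long English footer. The sample e-mail is constructed. The script heuristic is a stand-in for real language identification: it cannot separate Chinese from kanji-only Japanese, so those runs are reported as ambiguous.

```python
import unicodedata
from collections import Counter

# Coarse script label by Unicode character-name prefix. This stands in for
# real language identification; it is enough to locate script regions.
_PREFIXES = (
    ("CJK UNIFIED", "CJK"),
    ("HIRAGANA", "CJK"),
    ("KATAKANA", "CJK"),
    ("HANGUL", "Korean"),
    ("ARABIC", "Arabic"),
    ("CYRILLIC", "Cyrillic"),
    ("LATIN", "Latin"),
)

def script_of(ch):
    """Script label for one letter; None for digits, punctuation and spaces."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    for prefix, label in _PREFIXES:
        if name.startswith(prefix):
            return label
    return "Other"

def _refine(label, segment):
    """Kana inside a CJK run identifies Japanese; Han-only runs stay ambiguous."""
    if label != "CJK":
        return label
    for ch in segment:
        if unicodedata.name(ch, "").startswith(("HIRAGANA", "KATAKANA")):
            return "Japanese"
    return "Han (Chinese or kanji-only Japanese)"

def script_runs(text):
    """Split text into (label, segment) runs of one script. Non-letter
    characters (punctuation, newlines, signature dashes) stay with the run
    they follow, so the segments concatenate back to the input."""
    runs, current, buf = [], None, []
    for ch in text:
        s = script_of(ch)
        if s is not None and current is not None and s != current:
            runs.append((_refine(current, buf), "".join(buf)))
            buf = []
        if s is not None:
            current = s
        buf.append(ch)
    if buf:
        runs.append((_refine(current, buf), "".join(buf)))
    return runs

def script_proportions(text):
    """Share of letters per script: the per-document figure that a
    corpus-level 'which languages are present' report aggregates."""
    counts = Counter()
    for label, segment in script_runs(text):
        counts[label] += sum(1 for ch in segment if ch.isalpha())
    total = sum(counts.values())
    return {k: round(v / total, 3) for k, v in counts.items()} if total else {}

# Constructed sample: a one-sentence Japanese body above a long English
# legal footer, the situation in which the footer can swamp the body.
SAMPLE_EMAIL = (
    "会議の資料を添付します。\n"
    "\n"
    "--\n"
    "This e-mail and any attachments are confidential and intended solely "
    "for the addressee. If you are not the intended recipient, please notify "
    "the sender and delete this message. Views expressed are those of the "
    "author and not necessarily those of the company."
)

if __name__ == "__main__":
    for label, segment in script_runs(SAMPLE_EMAIL):
        print(f"{label:>38}: {segment.strip()[:40]!r}")
    print(script_proportions(SAMPLE_EMAIL))
```

Running it on the sample yields two runs, a Japanese one and a Latin one; the Latin share is far larger, yet the Japanese region is still reported and can be routed to Japanese-specific segmentation before indexing.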

In an investigation, the language used in communications can provide valuable clues. If Rosette reveals that one actor only speaks his native tongue with his mother, but then starts using it in another conversation with another person, that could be an anomaly that warrants further examination. This is particularly important in cases of human trafficking and crimes against children, where speed is essential to save lives.

Finally, with governance, understanding where your company stores sensitive data, such as unencrypted credit card numbers, electronic personal healthcare information (ePHI) or PII, is of critical importance. If a data breach occurs, you need to quickly know what the hackers found. Accurate search across languages is an indispensable tool.
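As an added example (not Nuix or Rosette code), here is a small Python scanner that finds Luhn-valid payment card numbers in text. The caveat it demonstrates is the multilingual one: a rule written with the ASCII digit class `[0-9]`, the shape of many data-loss-prevention patterns, misses numbers typed with full-width or Arabic-Indic digits, so the scanner first maps every Unicode decimal digit to its ASCII value and only then applies the pattern. The sample text is constructed and uses the widely published Visa and Mastercard test numbers, not real cards.

```python
import re
import unicodedata

# ASCII-only candidate: 13-19 digits with optional space/dash separators.
# This is the shape of a typical DLP rule and is deliberately limited to 0-9.
ASCII_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")

def normalize_digits(text):
    """Replace every Unicode decimal digit (full-width, Arabic-Indic, ...)
    with its ASCII value. Each digit maps to exactly one character, so match
    offsets in the normalized text are valid in the original text."""
    return "".join(
        str(unicodedata.decimal(ch)) if ch.isdecimal() else ch for ch in text
    )

def luhn_ok(digits):
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def scan_cards(text, normalize=True):
    """Return (start, end, masked_pan) for Luhn-valid card-like numbers.
    With normalize=False it behaves like an ASCII-only rule and misses
    numbers written in other digit scripts."""
    haystack = normalize_digits(text) if normalize else text
    hits = []
    for m in ASCII_CANDIDATE.finditer(haystack):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            masked = "*" * (len(digits) - 4) + digits[-4:]
            hits.append((m.start(), m.end(), masked))
    return hits

# Constructed sample: the same test card number in ASCII and full-width
# digits, a second test number in Arabic-Indic digits, and a 16-digit
# order reference that fails the Luhn check and must not be reported.
SAMPLE = (
    "Order ref 4111 1111 1111 1112 shipped.\n"
    "Card on file: 4111 1111 1111 1111 (exp 12/29)\n"
    "カード番号: ４１１１ １１１１ １１１１ １１１１\n"
    "رقم البطاقة: ٥٥٥٥ ٥٥٥٥ ٥٥٥٥ ٤٤٤٤\n"
)

if __name__ == "__main__":
    print("normalized :", [h[2] for h in scan_cards(SAMPLE)])
    print("ascii only :", [h[2] for h in scan_cards(SAMPLE, normalize=False)])
```

With normalization the scanner reports three card numbers; the ASCII-only pass reports one, silently missing the two written in other scripts. Because normalization preserves character offsets, each hit can be mapped back to the original document for review or redaction.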

AN ECOSYSTEM OF CAPABILITY TO MEET FUTURE NEEDS

Nuix has already encountered cases on the scale of hundreds of terabytes. Data volumes are increasing at an unbelievable rate, especially if you add in social media and chat messages. To think that any individual is going to go through all that data is unrealistic. There needs to be a programmatic way to cull it down.

The need to cope with astronomical data volumes is already appearing outside of traditional knowledge-based tasks. The COVID-19 pandemic has only accelerated the massive move to digital data.

“Basis Technology and Nuix are empowering legal technologists, intelligence analysts and law enforcement to cope with the information avalanche they face every day,” said Carl Hoffman, CEO of Basis Technology. “We support Nuix’s vision of building a capabilities ecosystem that combines solutions from multiple partners to meet these challenges.”

We need to be prepared for what is going to happen, and working with Basis Technology helps us do just that for our customers. We don’t yet know the shape of the data, but it definitely isn’t all going to be in English, which is why Rosette is such an essential piece. The ability to meet the future needs of our customers will enable and empower them to continue to do their jobs: uncovering waste, fraud and abuse, prosecuting the guilty and exonerating the innocent. This requires constant vigilance, and a collaborative pushing of the envelope of what’s possible.

Source: https://www.nuix.com/blog/basis-technology-and-nuix-triage-multilingual-data-blazing-speed

Taking a ‘narrow’ view of artificial intelligence

Artificial intelligence is a term that’s risen to become one of the most talked-about topics across many technology and business fields. Just look at LinkedIn, for example – #artificialintelligence has nearly 2.5 million followers! By comparison, #digitalforensics has only just under 6,000 followers, which says something about just how interested people are in artificial intelligence.

I think it’s important to have an honest and realistic understanding of what artificial intelligence is (and isn’t), the effects it will have on the world as it advances and how it has already transformed many of the business practices we take for granted today.

Over the next few months, I’d like to dive into the many facets of artificial intelligence that apply directly to digital forensics and investigations. While I’m looking at the subject from one perspective, many of these views can easily apply to other functions, technologies and industries. To begin the conversation, I think it’s important to look at some of the overlooked distinctions in the types of artificial intelligence to understand where we are today and where we’re headed in the future.

ARTIFICIAL INTELLIGENCE: ANI, AGI AND ASI

According to IBM, a leader in AI development, artificial intelligence “leverages computers and machines to mimic the problem-solving and decision-making capabilities of the human mind.” Discussions about AI range from the futuristically mundane (self-driving cars, a reality even today) to the downright dystopian (who hasn’t seen The Matrix?). I think it’s safe to say that self-driving vehicles aren’t going to take the world over tomorrow and enslave mankind, yet the same label is applied.

There must be some distinction under the broader umbrella of artificial intelligence. This is where the terms artificial narrow intelligence (ANI), artificial general intelligence (AGI) and artificial superintelligence (ASI) come into play.

Artificial Narrow Intelligence

ANI, which also goes by the term “weak AI,” is where we’re mostly at today. This form of AI is programmed to perform a specific task, and as far back as 1996 we saw this with the famous set of chess matches between Garry Kasparov and Deep Blue. Not only does ANI operate on a specific task, it also bases its decision-making on a specific set of data.

With the advent of the internet and so much data available so readily, ANI can foster the illusion of broader intelligence, but realistically speaking ANI lives up to its name of ‘narrow’ intelligence, what many of us today regard as machine learning. The differences between true artificial intelligence and machine learning deserve their own article (or several!).

Artificial General Intelligence

AGI, “strong AI,” moves into the realm of exhibiting the flexibility of actual human intelligence. Probably the best example of this at present is IBM’s Project Debater, which by some estimates can debate topics at the level of a high school sophomore. This kind of intelligence, which lacks what we would consider sentience, is difficult to produce in computers despite the advances made to date in processing power and speed.

Artificial Superintelligence

ASI raises the bar another level, surpassing human intelligence. This is likely not something we’ll need to worry about until much farther into the future; I’ll potentially touch on ASI in an article down the road.

WHAT DOES ANI MEAN RIGHT NOW FOR INVESTIGATIONS?

There’s always a conversation about whether artificial intelligence will someday replace examiners, which I think is unlikely. There is simply still too much value in the human perspective and decision-making process to expect computers to take over completely given the state of the technology.

What is true, however, is that ANI has changed the face of investigations. Gone are the days of heavy manual file carving or hex review; there’s simply no need to get that technical anymore inside of every investigation. And while I’d rather not think too much about it, artificial intelligence has done wonders by limiting the amount of time examiners need to spend looking at the disturbing images and videos that make up CP/CSAM cases.

Artificial intelligence, even at the ANI level, has come a long way in its ability to automatically identify things like skin tone, body parts, drugs, weapons and other common artifacts that can lead investigators to the truth in a case.

It’s interesting, as I considered this topic, just how far technology has progressed. It’s possible to do so much more in an accelerated window of time as an examiner. I’m not a computer ‘nerd’ in the traditional sense – a fact that I’m sure many IT departments I’ve worked with can attest to – but I get genuinely excited as a forensic examiner thinking about the possibilities that exist by combining the Nuix Engine with existing artificial intelligence capabilities.

And I’m looking forward to exploring the topic of artificial intelligence, along with other investigations subjects, in the articles to come!

Source: https://www.nuix.com/blog/taking-narrow-view-artificial-intelligence

Take an Investigator-Led Approach to Digital Forensic Investigations

A recent article published in The Guardian highlighted ‘bias’ on the part of digital forensic examiners when examining seized media. In the original study, the authors found that when 53 examiners were asked to review the same piece of digital evidence, their results differed based on the contextual information they were provided at the outset. Interestingly, whilst some of the ‘evidence’ on which they would base their findings was easy to find (such as in emails and chats), other ‘traces’ were not. These required deeper analysis, such as identifying the history of USB device activity.

One of the things that struck me was that the 53 examiners were all provided with a very short brief of what the case was about (intellectual property theft) and what they were tasked to find (or not find), including a copy of a spreadsheet containing the details of individuals who had been ‘leaked’ to a competitor.

This immediately reminded me of my first weeks within the police hi-tech crime unit (or computer examination unit as it was called). I vividly remember eagerly greeting the detective bringing a couple of computers in for examination into suspected fraud. I got him to fill in our submission form – some basic details about the case, main suspects, victims, date ranges, etc. I even helped him complete the section on search terms and then signed the exhibits in before cheerily telling him that I’d get back to him in the next few weeks (this was in the days before backlogs…).

As I returned from the evidence store, I was surprised to find that same detective back in the office being ‘questioned’ by my Detective Sergeant. “John,” as we will call him (because that was his name), an experienced detective with over 25 years on the job, was asking all sorts of questions about the case:

  • Who were his associates?
  • What other companies is he involved in?
  • Does he have any financial troubles?
  • Is he a gambler?
  • Did you seize any other exhibits?
  • Does he have a diary?
  • How many properties does he own?

The list went on. In fact, it was over an hour before John felt that he had sufficient information to allow the detective to leave. Following the questioning, John took me aside and told me that whilst we used the paperwork to record basic information about the case – it was incumbent on us to find out as much information as possible to ensure that we were best placed to perform our subsequent examination.

My takeaway? You can never ask too many questions – in particular, those of the ‘who, where, when’ variety.

HAS DIGITAL FORENSICS CHANGED SINCE THEN?

Given the rapid development in technology since those early days in digital forensics, you would think the way agencies perform reviews of digital evidence would have, well, kept up?

I recently watched a very interesting UK ‘fly on the wall’ TV series (Forensics: The Real CSI) that followed police as they go about their daily work (I do like a good busman’s holiday) and one episode showed a digital forensic examiner tasked to recover evidence from a seized mobile phone and laptop in relation to a serious offence.

“I’ve been provided some case-relevant keywords,” he said, “which the officer feels may be pertinent towards the case.” “Murder, kill, stab, Facebook, Twitter, Instagram, Snapchat … and for those keywords I’ve searched for, there is potentially just under 1,500 artifacts that I’ll have to start scrolling through.”

Wait, what?

“Have I been transported back to the 90s?” I thought as I watched in (partial) disbelief and was again transported back and reminded of John’s sage advice all those years ago about asking lots of questions.

Whilst I understand that the show’s director was no doubt using the scenes to add suspense and tell the story in the most impactful way possible, there is no getting away from the fact that the digital forensic examiner was working with limited information about the case and with some terrible keywords.

Yes, they can (and no doubt did off-camera) pick up the phone to the Officer in the Case (OIC) to ask further questions … surely, the OIC is the one who will see a document or email (that perhaps hasn’t been found by keyword searching) and see a name or address within it and immediately shout “Stop! That’s important!” The OIC will recognize the suspect in a holiday photograph having a beer with another suspect who they swear blind they’ve never met.

FOCUSING ON THE RIGHT EVIDENCE

How does this all tie back into the research I mentioned at the outset? The various ‘traces of evidence’ the examiners were tasked to find were both ‘hidden in plain sight’ and required skilled forensic analysis in order to identify and interpret their meaning. If the digital forensic examiner spends most of their precious time reviewing emails and documents – in the real world – will they have the time to perform the skilled digital forensics work to build the true picture of what happened?

If the OIC is only provided with material to review based on such basic keyword analysis or a couple of paragraphs that detail a very high-level overview into the case – will the smoking gun holiday snap make it into the review set?

Expert commentary in the article suggests that “Digital forensics examiners need to acknowledge that there’s a problem and take measures to ensure they’re not exposed to irrelevant, biased information. They also need to be transparent to the courts about the limitations and the weaknesses, acknowledging that different examiners may look into the same evidence and draw different conclusions.”

A spokesperson for the National Police Chiefs’ Council is quoted saying “Digital forensics is a growing and important area of policing which is becoming increasingly more prominent as the world changes … We are always looking at how technology can add to our digital forensic capabilities and a national programme is already working on this.”

Nuix is keen to support this national program and I truly believe that our investigator-led approach to reviewing digital evidence by using Nuix Investigate is the way toward helping to put the evidence into the hands of those who are best placed to make sense of it (the easier ‘traces’ as per the study). Doing so allows the digital forensic examiners to focus on the harder ‘traces’ – such as undertaking deep-dive forensic analysis or ascertaining the provenance of relevant artifacts.

Please note. No digital forensic examiners were harmed in the writing of this blog – and I fully appreciate the hard work they do in helping to protect the public and bringing offenders to justice, often working under significant pressures and with limited resources and budgets.

Source: https://www.nuix.com/blog/take-investigator-led-approach-digital-forensic-investigations

Corporations: Listen to what your regulators are saying


The sea of cubicles is quieter than normal. All eyes seem to be turned toward the conference rooms at the far end of the room, where strangers in suits approach carrying cases of computer equipment. They enter the appointed spaces and close the door, where a sign printed on plain white paper is taped.

“This room is reserved indefinitely.”

This isn’t fiction; it’s a scene I witnessed firsthand working inside the financial services industry. While the silence and anxiety were more centered around the fact that one of our most precious resources – a 10-person conference room – was likely out of circulation for months, there was definitely a sense of trepidation as the regulators went to work.

I recalled that scene several times as we worked on the 2021 Nuix Global Regulator Report alongside Ari Kaplan Advisors. How valuable would the insights in the report have been for our business unit during those months of meeting our obligations to the regulators? How much anxiety would have been put to rest? Most importantly, how quickly would we have gotten that conference room back?

RESPONDING TO REGULATORS MORE EFFECTIVELY

During a Q&A webinar about the report, chief report author Ari Kaplan and Stu Clarke, Regional Director – Northern Europe at Nuix, addressed the topic of corporations working more effectively with regulators.

Based on their conversations with regulators, it became clear that regulated corporations should take control of their environment. “Holistically, it makes life much easier when an inquiry kicks off,” Stu said. “They have a much better understanding of where risks lie and where employees are working inside the organization,” making it that much easier to respond to inquiries.

It also helps to look at regulators as guides who are there to advise the company, not just punish it when it goes astray. Summarizing some of the comments during the webinar, regulators have a role to inform and guide the organizations they are responsible for. There’s a desire amongst the regulators to work more collaboratively and build an ongoing relationship, not just swoop in during a one-time event.

It also helps to understand where the regulators are coming from. “The regulators are incredibly savvy and have experience in private industry,” Ari said. “They are well-versed in the various tools and they talk to each other.”

HANDLING A CONSTANTLY CHANGING ENVIRONMENT

The regulatory environment adapts as the realities of day-to-day business change. “Things change rapidly,” Stu said. For example, “we weren’t talking about Microsoft Teams two years ago, and we can’t stop talking about it or using it now.”

Those changes are just another set of reasons to better understand what the regulators are looking for. Download the 2021 Nuix Global Regulator Report to learn more about regulators’ approaches to their respective industries, preferred technology and enforcement practices, all of which can help you work more efficiently during a regulatory inquiry.

Source: https://www.nuix.com/blog/corporations-listen-what-your-regulators-are-saying

The State of Contemporary Digital Investigations – Part 2

Since my early days in forensics, data transfer cables, like data storage and available devices, were a growth area. To stock a competent digital forensics laboratory, you needed the cables and adapters to read all the devices you might find in the wild. These included IDE, the occasional RLL and about 100 different configurations of SCSI cables. Along with these cables, it was important to have the appropriate write-blocking technology to enable proper preservation of digital evidence while duplicating it.

Times have naturally changed, as I discussed in part 1 of this series. As storage interfaces grew and changed, the type and number of these write blockers grew at the same time. The investigator needed to show up in the field, confident that no matter the size and configuration of a storage device, they had the equipment to properly interface with it and conduct analysis.

While the need to be prepared and competent has not diminished in the slightest, the sheer volume of digital data found at a given crime scene or under a search warrant has exploded, from a bunch of floppy disks and maybe a hard drive or two in the late 90s to multiple tens of terabytes or more in the 2020s. This dramatic increase in raw data has required the high-tech investigator to learn additional strategies to find key data on-site, possibly before performing full forensic analysis in a lab. Tools like Nuix Data Finder and Automatic Classification can be deployed in the field to find crucial items of digital evidence now, not 6-12 months from now when the laboratory backlog gets to your case.

THE DIFFERENCE IN DECADES

I mention ‘prepared and competent’ because it can’t be overstated that what was required in the 90s is darn near trivial when compared to the massive scope of the digital investigations field today.

In a nutshell, investigators in the 90s required knowledge of:

  • Windows
  • DOS
  • Linux
  • To a very minor extent, Macintosh/Apple.

The knowledge included how their file systems worked and the technical ability to analyze floppy disks and hard drives using:

  • IDE
  • RLL
  • SCSI

While networking could be a factor in business investigations, most people using their computers at home dialed up to their service provider and the records were fairly easy to understand.

Fast forward to today and what investigators need to know dwarfs all past generations:

  • Windows (multiple flavors)
  • Linux
  • OS X
  • iOS
  • Android
  • Storage
    • SATA/SAS spinning disk
    • SATA/SAS solid state disk
    • IDE disks
    • SCSI disks
    • NVMe disks
    • M.2 SATA disks
    • Flash storage
      • SD/Mini-SD/Micro-SD
      • Compact Flash
    • USB 2/3/C hard drives
    • Wireless hard drives
    • Home cloud drives
    • Cloud storage
      • Azure
      • AWS
      • A variety of smaller/foreign cloud services
  • Connectivity
    • IPv4 networking
    • IPv6 networking
    • Bluetooth
    • Wi-Fi
    • 3G/4G/5G
  • Devices
    • Digital cameras with and without network connectivity
    • Tablets (iOS/Android)
    • Raspberry Pi
    • Drones
    • Internet of Things (IoT)
    • Data centers
  • Security
    • Encryption – so many impacts on file storage and networking that it deserves its own novel
    • Multi-factor authentication

This list goes on and on. It’s almost impossible to recognize the field of high technology investigations when comparing the decades of development and advancement. It’s hard to imagine how a modern investigator can even be moderately competent given the breadth of knowledge required.

After all this history, I’m sure many readers will have some of the same questions. I’ll try to answer what I know I’d be asking, but I encourage you to reach out if you have others that I don’t cover here!

How Can Our Team Cover The Breadth Of Knowledge You’ve Outlined Here?

Having the properly trained and experienced personnel assigned to the cases involving the skills they are most experienced in is vitally important. Given the amount of available information out there, it is inconceivable that there is a single person in any organization who is best able to handle every type of case.

It’s also important to have the appropriate technical and hardware resources on hand to address the challenge of each type of data (and the platform it lives on).

What’s The Key To Ensuring We Are Focusing On The Right Pieces Of Evidence?

The one constant in my high-tech investigations tenure is the ability to interact competently with all types of people. Learning to interview and interrogate where appropriate and paying close attention to the facts of a case, including environment, are crucial components to locating all the data types required in each scenario to perform a thorough examination.

Secondary to the staff’s personal competence and their ability to ask pertinent questions about the environment they are investigating, is having a deep bench in terms of hardware, software and intelligence that will guide them to all available sources of digital evidence. Further, by having the knowledge and experience to learn all about the environment under investigation, the entire staff will be deeply steeped in the art of triage. This enables them to focus on most-likely-important evidence first and widen the scope needed to obtain all the facts without crushing themselves under the weight of trying to analyze ALL.

Which Tools Do You Recommend As Imperative For An Investigative Team?

This is a slam dunk. Nuix Workstation gives me the single pane of glass to all the evidence types I’m interested in, while Nuix Investigate® allows me to present all the evidence I’ve collected and processed to support staff and case agents, who will perform the detailed review of documents and communications to determine their relevance to the case.

How Do We Fill In The Gaps?

Again, I’ve got the core of most of my needs in the Nuix suite of tools. Where Nuix does not have a solution, like threat intelligence feeds or cooperative intelligence like the ISACs, I can incorporate information from those feeds directly into my Nuix cases and correlate across all the available data to solve the questions posed by the investigation.

EMPOWERING THE MODERN-DAY INVESTIGATOR

We know investigations take on many different forms depending on where you work. While criminal investigations will differ in some ways from, for example, a corporate environment, many of the details remain the same.

I encourage you to visit the Solutions section of our website and see for yourself how Nuix helps investigators in government, corporations, law enforcement, and more.

Source: https://www.nuix.com/blog/state-contemporary-digital-investigations-part-2

The State of Contemporary Digital Investigations – Part 1

Digital investigations have undergone a geometric progression of complexity since my first fledgling technology investigations during the 90s. In those early years, a competent digital forensics professional only needed to know how to secure, acquire and analyze the floppy disks and minuscule hard drives that represented 99% of data sources at the time.

Since those halcyon days of Norton Disk Edit for deleted file recovery and text searching, there has been a veritable explosion of methods and places to store data. The initial challenges were focused mainly on training the investigators in a new field and the progression in size of available storage for consumers (and therefore investigative targets). While seizing thousands of floppy disks required immense effort to secure, duplicate and analyze, it was still the same data we were used to, just inconveniently stored and frequently requiring assistance from outside resources (thank you Pocatello, Idaho lab).

Information evolution and explosion has a direct impact on the field of investigations. To set the stage for the second half of this two-part investigations blog, in this article I’d like to look back on some of what I feel are the major changes that have occurred over the past 30-odd years.

LET’S CONTINUE OUR TOUR

By the turn of the century, hard drives, initially as small as 10-20 MB, grew to a ‘staggering’ 10 GB in a high-end computer. Flash media in the form of thumb drives and compact flash cards began to hit the market around the same time, becoming quickly adopted as the preferred storage medium for the newly minted digital cameras and tablet computers. Some of this media was small enough to be hidden in books, envelopes and change jars.

Cellular telephones, originally used only for voice communications, quickly advanced to transmit and store data in the form of messages, pictures and even email. As data became more portable, and therefore easier to lose or have stolen, encryption schemes arose that enabled normal consumers to adopt data security strategies that had previously only been used by governments and their spy agencies.

As data speeds increased, so too did the volume of data created and transmitted, necessitating even more novel methods of storage. At about this time, remote computing quickly moved from dial-up network services like AOL and CompuServe, to using those services as an entrance ramp of sorts to the internet, to direct internet connections of increased speed. Those faster connections eliminated the need for the AOLs of the world in the context in which they originally operated; they became instead content destinations for users connecting to the internet over rapidly growing broadband access.

FOLLOW THE DATA

Each step in this transformation required that investigators learn the new ways that data moved, where it was stored and by whom. Just learning who an AOL screen name belonged to required numerous acquisitions and legal action. Compelling service and content providers alike to divulge these small pieces of data was required to determine where connections were being made from and sometimes by whom. High-tech investigators became one of many pieces of the dot com phenomenon.

Data protection services sprang up alongside the various dot-com enterprises; securing data frequently meant transmitting backups to remote servers. These servers were rented or given away to anyone who wanted them, adding to the complexity of identifying where in the world a given user's data resided. Even after determining where the data resided, the investigator faced at least two more layers of complexity: knowing what legal process was required to acquire the remote data, and proving who placed the data on the remote servers.

As data quantity exploded, the need for more advanced software to analyze it became pressing. Several software offerings sprang up in the early days that, unlike a general-purpose disk editor, were created for the express purpose of reviewing large quantities of digital evidence in a forensically sound manner. Most early digital forensic tools were expensive, complicated and slow, but they represented an important step in the growing field of digital forensics. The early offerings of both commercial and open-source digital forensic software were anemic compared to today's digital processing giants.

In some instances, introducing 100,000 files was enough to bring a tool to its knees, so forensic cases had to be analyzed in batches of evidence to avoid overtaxing the software. Thankfully, this is largely a thing of the past: products like Nuix Workstation will chew through ten million items without a hiccup, much less a major crash.

Before we knew it, we weren’t just analyzing static data sitting on a local storage device. Network data investigation had to be added to the investigator’s arsenal to determine how data moved across networks, from where and by whom. Along with remote storage services, online communication services exploded across the internet, and suddenly the high-tech criminal had acquired ready access to victims from the very young to the very old for a variety of crimes.

This drastic shift to remote, anonymous communication represented a very new and very real threat that had the added complexity of making not only the criminals difficult to identify, but their victims as well. The traditional transaction involving a citizen walking through the entrance of a police station to report a crime still happened, but new internet crimes meant that when criminals were caught, it was no longer the conclusion of a long investigation. Frequently, it represented the beginning of trying to identify and locate the many victims who either didn’t know where or how to report the crime. This is all because the crimes were facilitated by, or the evidence recorded on, the growing catalog of digital storage.

DEVICES TOO

As digital communication grew, so did the devices used to facilitate it. Cellular phones made the steady shift from plain telephones to a new category referred to commonly as ‘feature phones.’ These phones incorporated digital messaging utilities, including instant messaging, mobile email and access to portions of the internet through basic web browsers.

With the proliferation of feature phones, a real need for mobile device analysis sprang into existence almost overnight. Text messages on a flip phone were easy to photograph and catalog, but feature phones had a far less standardized interface, requiring investigators to seek out technical solutions to the problem of megabytes of evidence locked in a device that was about as non-standard as you could get.

Each manufacturer of cellular devices had a different operating system, storage capability and feature set, and none of the existing computer forensic tools could acquire or analyze the wide assortment of available handsets. The cherry on top of these early 'smart' phones was the seemingly random shape, size, placement and pin structure of the cables used to charge them. Many phone models came with dedicated companion software for the home computer that enabled backup or access from the computer.

Those same unique charging cables became unique data transfer cables connected to unique software on the host computer system. It was at this time that the first cellular forensic tools appeared. These systems didn’t appear at all like modern cellular forensic tools. They required extra software, hardware devices called ‘twister boxes’ and a literal suitcase of data transfer cables. Much like the early days of digital disk forensics, cellular forensics was a laborious and highly technical enterprise that required a great deal of training and experience to pull off.

Everything changed again in June 2007 with the release of what many consider to be the first true smartphone: the iPhone. Not long after, the Android platform was announced in November 2007, and the cellular arms race was on. If data quantity and location were an issue before, they were soon to become immensely more serious as the public rapidly adopted the smartphone and began carrying what was essentially an always-connected, powerful computer in their pockets and purses.

If the high-tech investigation world was difficult before, it was about to become immensely more so. About the only beneficial thing that smartphones did for investigators was that, over a 6-8 year period, they killed the feature phone and with it the suitcase of unique cables. A top-shelf cellular forensic professional can now carry five cables to handle the vast majority of phones in use: the original 30-pin iPhone connector, which is still found in the wild; the newer Apple Lightning cable; and each of the USB flavors, mini, micro and USB-C.

But, as you'll see in part two of this series, that's about the only positive for investigators. Things have continued to get much more complicated.

Source: https://www.nuix.com/blog/state-contemporary-digital-investigations-part-1