A recent article published in The Guardian highlighted ‘bias’ on the part of digital forensic examiners when examining seized media. In the original study, the authors found that when 53 examiners were asked to review the same piece of digital evidence, their results differed based on contextual information they were provided at the outset. Interestingly, whilst some of the ‘evidence’ for which they would base their findings was easy to find (such as in emails and chats) other ‘traces’ were not. These required deeper analysis, such as identifying the history of USB device activity.
One of the things that struck me was that the 53 examiners were all provided with a very short brief of what the case was about (intellectual property theft) and what they were tasked to find (or not find), including a copy of a spreadsheet containing the details of individuals who had been ‘leaked’ to a competitor.
This immediately reminded me of my first weeks within the police hi-tech crime unit (or computer examination unit as it was called). I vividly remember eagerly greeting the detective bringing a couple of computers in for examination into suspected fraud. I got him to fill in our submission form – some basic details about the case, main suspects, victims, date ranges, etc. I even helped him complete the section on search terms and then signed the exhibits in before cheerily telling him that I’d get back to him in the next few weeks (this was in the days before backlogs…).
As I returned from the evidence store, I was surprised to find that same detective back in the office being ‘questioned’ by my Detective Sergeant. “John,” as we will call him (because that was his name), an experienced detective with over 25 years on the job, was asking all sorts of questions about the case:
Who were his associates?
What other companies is he involved in?
Does he have any financial troubles?
Is he a gambler?
Did you seize any other exhibits?
Does he have a diary?
How many properties does he own?
The list went on. In fact, it was over an hour before John felt that he had sufficient information to allow the detective to leave. Following the questioning, John took me aside and told me that whilst we used the paperwork to record basic information about the case – it was incumbent on us to find out as much information as possible to ensure that we were best placed to perform our subsequent examination.
My takeway? You can never ask too many questions – in particular, those of the ‘who, where, when’ variety.
HAS DIGITAL FORENSICS CHANGED SINCE THEN?
Given the rapid development in technology since those early days in digital forensics, you would think the way agencies perform reviews of digital evidence would have, well, kept up?
I recently watched a very interesting UK ‘fly on the wall’ TV series (Forensics:The Real CSI) that followed police as they go about their daily work (I do like a good busman’s holiday) and one episode showed a digital forensic examiner tasked to recover evidence from a seized mobile phone and laptop in relation to a serious offence.
“I’ve been provided some case-relevant keywords,” he said, “which the officer feels may be pertinent towards the case.” “Murder, kill, stab, Facebook, Twitter, Instagram, Snapchat … and for those keywords I’ve searched for, there is potentially just under 1,500 artifacts that I’ll have to start scrolling through.”
“Have I been transported back to the 90s?” I thought as I watched in (partial) disbelief and was again transported back and reminded of John’s sage advice all those years ago about asking lots of questions.
Whilst I understand that the show’s director was no doubt using the scenes to add suspense and tell the story in the most impactful way possible, there is no getting away from the fact that the digital forensic examiner was working with limited information about the case and with some terrible keywords.
Yes, they can (and no doubt did off-camera) pick up the phone to the Officer in the Case (OIC) to ask further questions … surely, the OIC is the one who will see a document or email (that perhaps hasn’t been found by keyword searching) and see a name or address within it and immediately shout “Stop! That’s important!” The OIC will recognize the suspect in a holiday photograph having a beer with another suspect who they swear blind they’ve never met.
FOCUSING ON THE RIGHT EVIDENCE
How does this all tie back into the research I mentioned at the outset? The various ‘traces of evidence’ the examiners were tasked to find were both ‘hidden in plain sight’ and required skilled forensic analysis in order to identify and interpret their meaning. If the digital forensic examiner spends most of their precious time reviewing emails and documents – in the real world – will they have the time to perform the skilled digital forensics work to build the true picture of what happened?
If the OIC is only provided with material to review based on such basic keyword analysis or a couple of paragraphs that detail a very high-level overview into the case – will the smoking gun holiday snap make it into the review set?
Expert commentary in the article suggests that “Digital forensics examiners need to acknowledge that there’s a problem and take measures to ensure they’re not exposed to irrelevant, biased information. They also need to be transparent to the courts about the limitations and the weaknesses, acknowledging that different examiners may look into the same evidence and draw different conclusions.”
A spokesperson for the National Police Chiefs’ Council is quoted saying “Digital forensics is a growing and important area of policing which is becoming increasingly more prominent as the world changes … We are always looking at how technology can add to our digital forensic capabilities and a national programme is already working on this.”
Nuix is keen to support this national program and I truly believe that our investigator-led approach to reviewing digital evidence by using Nuix Investigate is the way toward helping to put the evidence into the hands of those who are best placed to make sense of it (the easier ‘traces’ as per the study). Doing so allows the digital forensic examiners to focus on the harder ‘traces’ – such as undertaking deep-dive forensic analysis or ascertaining the provenance of relevant artifacts.
Please note. No digital forensic examiners were harmed in the writing of this blog – and I fully appreciate the hard work they do in helping to protect the public and bringing offenders to justice, often working under significant pressures and with limited resources and budgets.
Since my early days of forensics, like data storage and available devices, data transfer cables were a growth area. To stock a competent digital forensics laboratory, you needed to have the cables and adapters to read all the devices you might find in the wild. These included IDE, the occasional RLL and about 100 different configurations of SCSI cables. Along with these cables, it was important to have the appropriate write blocking technology to enable proper preservation of digital evidence while duplicating it.
Times have naturally changed, as I discussed in part 1 of this series. As storage interfaces grew and changed, the type and number of these write blockers grew at the same time. The investigator needed to show up in the field, confident that no matter the size and configuration of a storage device, they had the equipment to properly interface with it and conduct analysis.
While the need to be prepared and competent has not diminished in the slightest, the sheer volume of digital data found at a given crime scene or under a search warrant has exploded, from a bunch of floppy disks and maybe a hard drive or two in the late 90s to multiple tens of terabytes or more in the 2020s. This dramatic increase in raw data has required the high-tech investigator to learn additional strategies to find key data on-site, possibly before performing full forensic analysis in a lab. Tools like Nuix Data Finder and Automatic Classification can be deployed in the field to find crucial items of digital evidence now, not 6-12 months from now when the laboratory backlog gets to your case.
THE DIFFERENCE IN DECADES
I mention ‘prepared and competent’ because it can’t be overstated that what was required in the 90s is darn near trivial when compared to the massive scope of the digital investigations field today.
In a nutshell, investigators in the 90s required knowledge of:
To a very minor extent, Macintosh/Apple.
The knowledge included how their file systems worked and the technical ability to analyze floppy disks and hard drives using:
While networking could be a factor in business investigations, most people using their computers at home dialed up to their service provider and the records were fairly easy to understand.
Fast forward to today and what investigators need to know dwarfs all past generations:
Windows (multiple flavors)
SATA/SAS spinning disk
SATA/SAS solid state disk
USB 2/3/C hard drives
Wireless hard drives
Home cloud drives
A variety of smaller/foreign cloud services
Digital cameras with and without network connectivity
Internet of Things (IOT)
Encryption – So many impacts on file storage and networking that it deserves its own novel
This list goes on and on. It’s almost impossible to recognize the field of high technology investigations when comparing the decades of development and advancement. It’s hard to imagine how a modern investigator can even be moderately competent given the breadth of knowledge required.
After all this history, I’m sure many readers will have some of the same questions. I’ll try to answer what I know I’d be asking, but I encourage you to reach out if you have others that I don’t cover here!
How Can Our Team Cover The Breadth Of Knowledge You’ve Outlined Here?
Having the properly trained and experienced personnel assigned to the cases involving the skills they are most experienced in is vitally important. Given the amount of available information out there, it is inconceivable that there is a single person in any organization who is best able to handle every type of case.
It’s also important to have the appropriate technical and hardware resources on hand to address the challenge of each type of data (and the platform it lives on).
What’s The Key To Ensuring We Are Focusing On The Right Pieces Of Evidence?
The one constant in my high-tech investigations tenure is the ability to interact competently with all types of people. Learning to interview and interrogate where appropriate and paying close attention to the facts of a case, including environment, are crucial components to locating all the data types required in each scenario to perform a thorough examination.
Secondary to the staff’s personal competence and their ability to ask pertinent questions about the environment they are investigating, is having a deep bench in terms of hardware, software and intelligence that will guide them to all available sources of digital evidence. Further, by having the knowledge and experience to learn all about the environment under investigation, the entire staff will be deeply steeped in the art of triage. This enables them to focus on most-likely-important evidence first and widen the scope needed to obtain all the facts without crushing themselves under the weight of trying to analyze ALL.
Which Tools Do You Recommend As Imperative For An Investigative Team?
This is a slam dunk. Nuix Workstation gives me the single pane of glass to all the evidence types I’m interested in, while Nuix Investigate® allows me to present all the evidence I’ve collected and processed to support staff and case agents, who will perform the detailed review of documents and communications to determine their relevance to the case.
How Do We Fill In The Gaps?
Again, I’ve got the core of most of my needs in the Nuix suite of tools. Where Nuix does not have a solution, like threat intelligence feeds or cooperative intelligence like the ISACS, I can incorporate information from those feeds directly into my Nuix cases and correlate across all the available data to solve the questions posed by the investigation.
EMPOWERING THE MODERN-DAY INVESTIGATOR
We know investigations take on many different forms depending on where you work. While criminal investigations will differ in some ways from, for example, a corporate environment, many of the details remain the same.
I encourage you to visit the Solutions section of our website and see for yourself how Nuix helps investigators in government, corporations, law enforcement, and more.
Digital investigations have undergone a geometric progression of complexity since my first fledgling technology investigations during the 90s. In those early years, a competent digital forensics professional only needed to know how to secure, acquire and analyze the floppy disks and miniscule hard drives that represented 99% of data sources at the time.
Since those halcyon days of Norton Disk Edit for deleted file recovery and text searching, there has been a veritable explosion of methods and places to store data. The initial challenges were focused mainly on training the investigators in a new field and the progression in size of available storage for consumers (and therefore investigative targets). While seizing thousands of floppy disks required immense effort to secure, duplicate and analyze, it was still the same data we were used to, just inconveniently stored and frequently requiring assistance from outside resources (thank you Pocatello, Idaho lab).
Information evolution and explosion has a direct impact on the field of investigations. To set the stage for the second half of this two-part investigations blog, in this article I’d like to look back on some of what I feel are the major changes that have occurred over the past 30-odd years.
LET’S CONTINUE OUR TOUR
By the turn of the century, hard drives, initially as small as 10-20 Mb, grew to a ‘staggering’ 10 Gb in a high-end computer. Flash media in the form of thumb drives and compact flash cards began to hit the market around the same time, becoming quickly adopted as the preferred storage medium for the newly minted digital cameras and tablet computers. Some of this media was small enough to be hidden in books, envelopes and change jars.
Cellular telephones, originally used only for voice communications, quickly advanced to transmit and store data in the form of messages, pictures and even email. As data became more portable, and therefore easier to lose or have stolen, encryption schemes arose that enabled normal consumers to adopt data security strategies that had previously only been used by governments and their spy agencies.
As data speeds increased, so too did the volume of data created and transmitted, necessitating the need for even more novel methods of storage. At about this time, the global adoption of remote computing quickly moved from dial up network services like AOL and CompuServe, to using those services as an entrance ramp of sorts to the internet, to direct internet connections of increased speed that eliminated the need for the AOLs of the world in the context in which they were originally operating, becoming instead a content destination for users connecting to the internet using rapidly growing broadband access.
FOLLOW THE DATA
Each step in this transformation required that the investigators learned the new ways that data moved, was stored and by whom. Just learning who an AOL screen name belonged to required numerous acquisitions and legal action. Compelling service and content providers alike to divulge these small pieces of data was required to determine where connections were being made from and sometimes by whom. High-tech investigators became one of many pieces of the dot com phenomenon.
Data protection services sprung up with the various dot com enterprises; securing data frequently involved transmitting backup data to remote servers. These servers were rented or given away to anyone who wanted them, adding to the complexity of identifying where in the world a given user’s data resided. After determining where the data resided, there were at least another two layers of complexity for the investigator – namely knowing what legal process was required to acquire the remote data and proving who placed the data on the remote servers.
As data quantity exploded, the need for more advanced software to analyze this data was quite pressing. There were several software offerings that sprang up in the early days that, unlike disk edit, were created for the express purpose of reviewing quantities of digital evidence in a manner that was forensically sound. Most early digital forensic tools were expensive, complicated and slow, but they represented an important step in the growing field of digital forensics. The early offerings of both corporate and open-source digital forensic software were anemic compared to today’s digital processing giants.
In some instances, the introduction of 100,000 files was sufficient to bring some tools to their knees, necessitating that forensic cases be analyzed in batches of evidence to avoid taxing the software. Thankfully, this is largely a thing of the past, as products like Nuix Workstation will chew through ten million items without a hiccup, much less a major crash.
Before we knew it, we weren’t just analyzing static data sitting on a local storage device. Network data investigation had to be added to the investigator’s arsenal to determine how data moved across networks, from where and by whom. Along with remote storage services, online communication services exploded across the internet, and suddenly the high-tech criminal had acquired ready access to victims from the very young to the very old for a variety of crimes.
This drastic shift to remote, anonymous communication represented a very new and very real threat that had the added complexity of making not only the criminals difficult to identify, but their victims as well. The traditional transaction involving a citizen walking through the entrance of a police station to report a crime still happened, but new internet crimes meant that when criminals were caught, it was no longer the conclusion of a long investigation. Frequently, it represented the beginning of trying to identify and locate the many victims who either didn’t know where or how to report the crime. This is all because the crimes were facilitated by, or the evidence recorded on, the growing catalog of digital storage.
As digital communication grew, so did the devices used to facilitate it. Cellular phones made the steady shift from plain telephones to a new category referred to commonly as ‘feature phones.’ These phones incorporated digital messaging utilities, including instant messaging, mobile email and access to portions of the internet through basic web browsers.
With the proliferation of feature phones, the real need for mobile device analysis sprang into existence almost overnight. Text messages on a flip phone were easy to photograph and catalog, but feature phones had a much more unique interface, requiring investigators to seek out technical solutions to the problem of megabytes of evidence locked in a device that was as non-standard as you could get.
For each manufacturer of cellular devices, there was a different operating system, storage capability and feature set. None of the existing computer forensic tools could acquire or analyze the wide assortment of available handsets. The cherry on the top of these early ‘smart’ phones was the seemingly random shape, size, placement and pin structure of the cables used to charge them. Many phone models came with dedicated companion software for the home computer that enabled backup or access from the computer.
Those same unique charging cables became unique data transfer cables connected to unique software on the host computer system. It was at this time that the first cellular forensic tools appeared. These systems didn’t appear at all like modern cellular forensic tools. They required extra software, hardware devices called ‘twister boxes’ and a literal suitcase of data transfer cables. Much like the early days of digital disk forensics, cellular forensics was a laborious and highly technical enterprise that required a great deal of training and experience to pull off.
Everything changed again in June 2007 with the release of what many consider to be the first true smartphone: the iPhone. Not long after, the beta Android device was introduced in November 2007 and the cellular arms race was on. If data quantity and location was an issue before, it was soon to become immensely more serious as the public rapidly adopted the smartphone and began carrying essentially an always connected, powerful computer in their pockets and purses.
If the high-tech investigation world was difficult before, it was about to become immensely more so. About the only beneficial thing that smartphones did for investigators was, over a 6-8 year period, they killed the feature phone and with it the suitcase of unique cables. A top shelf cellular forensic professional can safely carry five cables with them to handle the vast majority of phones in use. The original iPhone plug is still found in the wild, the newer Apple Lightning cable, and each of the USB flavors, mini, micro, and USB-C.
But, as you’ll see in part two of this series, that’s about the only positive for investigators. Things have continued to get much more complicated.
Most people in our industry know Nuix has powerful and scalable tools for solving eDiscovery, investigation, information governance, and other problems. What some may not know if that most of this technology can be run remotely, meaning work can continue and people can stay busy and safe all at the same time. Explore with us some of the scenarios and solutions we have at hand to keep the lights on while we navigate through a global pandemic.
Several remote workforce scenarios exist today using Nuix. Some of these use cases exist because of the COVID-19 pandemic, while others were in place well before. Some of these scenarios and solutions include:
The eDiscovery meat/data grinder. The process must keep moving forward; litigants will demand it.
Forensic investigation. Collect remotely and safely in a repeatable fashion.
Insolvency, bankruptcy, and accounting. Who is owed, by whom? How much is left? What contracts are valid or invalid? How will you sort out the mess? The hospitality and retail industries, along with others, have been hit hard. Fair distribution of assets and wealth is required considering the situation.
Fraud. During recovery, it’s an unfortunate reality that investigations into misappropriation of funds from the federal government will be necessary. The old adage “follow the money” holds true here; there’s a lot of money involved, hence a proportionate amount of fraud.
REAL SITUATIONS IN A CHANGED WORLD
We continue to hear about incredible applications of our software from customers faced with significant challenges.
Getting Ahead Of Insolvency And Bankruptcy
One large global customer had over 12 TB of data already collected and placed into the Nuix Discover® SaaS environment as they started to sort through insolvency materials. These materials will allow the firm to properly assign asset ownership and distribution for companies that have unfortunately had to shut down a result of COVID-19.
It will take years of discovery work to properly dispose of assets for thousands of companies affected by the pandemic. Using Nuix Discover in the cloud, the firm can start ranking assets and creditors using the software’s analytics capabilities and continuous active learning (CAL).
Field Work Using A Mobile Forensic Lab
It’s not uncommon for a mobile forensic lab to be “wheeled in” to a location to collect data for a forensic investigation. It is possible however to use the Nuix Portable Collector to make forensically sound images. It’s ideal especially for larger data quantities that can’t be reliably collected over the network in a timely manner and have them shipped to a static forensic lab. Just as clean rooms are often used for forensic investigations, you can adapt similar procedures allowing forensic examiners to ensure their safety while processing and investigation commence via the cloud or the web-based review and analytics interfaces.
Virtual Settlement Conferences
We have a partner that’s processing data centrally and distributing it using Nuix Investigate® to help its clients facilitate virtual legal settlement conferences.
To begin, unstructured data is being downloaded from networked drives at the rate of around 200 GB a day in batches. This data is sometimes custodian-based and sometimes based on matter or data type.
The partner then processes the data with Nuix Workstation and presents it online via a secure login to Nuix Investigate. The end customers—in this case, law firms—can then run various searches; tag, annotate, and redact; and then inform the partner that the data is ready for production. At this point, the partner produces a load file in Nuix Workstation and uploads it to a network drive securely via virtual private network.
Most litigation is settled outside of a courtroom. This fact, and the current environment, lends itself to a virtual remote working process. Many parties are likely to take the attitude of “Let’s just settle quickly rather than take our chances waiting for courts to reopen.”
The recent trend of law firms moving to e-signatures for official documents specifically to meet the needs of this unusual time further pressures the legal services community and legal software companies to ensure a safe and uninterrupted workflow.
Centralization Of Data
Because Nuix tools allow you to work via the web creating a data lake, serving many stakeholders (Legal/Compliance/Risk/Governance/Investigation) makes a ton of sense. Even the inverse sounds better and transparent to users—leave the data where it is, process it where it lives, and form a virtual data lake and manage the data via the web using Nuix Investigate and the functionality to promote data to Nuix Discover to keep the party going.
Running Nuix Workstation In The Cloud? Yes You Can!
A little-known fact, Nuix Workstation and Nuix Investigate both run well in Azure, Google Cloud, or AWS virtual environments. Using the Aspera utility for uploading data quickly to the SaaS environment of your choice, it’s easy to process and enrich data, getting it ready for review and analytics quickly. You can use the same licenses you already have and install the products on cloud-based servers anywhere in the world while pulling licenses for servers in traditionally architected locations behind the firewall or in the cloud for no additional cost.
Nuix Discover SaaS
Nuix Discover SaaS has been available for years, putting linear review, advanced analytics, and so much more at legal teams’ fingertips. With a long, storied tradition of cloud support and continuous performance updates, look no further for your eDiscovery review needs.
The Nuix investigate user and group permissioning allows for incredibly granular separation of duties. Not only can you set up users within groups to have unique logins and access to only specific cases, you can even set specific permissions to operate within a given case. Restrictions to downloading, redacting, printing, and other operations exist for each user and group.
You can also change or elevate permissions at any time as well as changing or deleting logins for temporary users to further ensuring chain of custody. Separation of responsibility is now more important than ever since we can’t easily physically audit data or even the process used to produce it. Being able to demonstrate that a series of people were involved in the virtual chain of custody is increasingly important.
Licensing In The Cloud
Nuix’s Cloud Licensing Server allows high speed expansion to processing capability with no risk and makes burst licensing for when the big jobs land in your lap a reality.
Because Nuix Workstation and Nuix Investigate are now licensed by the Cloud Licensing Server, licenses are distributed via AWS instead of a physical license dongle, removing one more physical obstacle and, incidentally, keeping staff safe. As I mentioned above, if a matter increases in size, we can distribute “burst” licenses for specific timeframes to meet the challenge of unexpected or uncommonly large data sets.
With expectations that litigation will rise steadily in the coming months due to COVID recovery efforts, burst licensing could come in very handy.
Collect From Anywhere
With Nuix Enterprise Collection Center you can push the two flavors of Nuix agents to endpoints easily, drastically expanding your network collection capabilities. You can create collections for forensic as well as eDiscovery use cases and pull the data over the network.
Great news! It’s already sanitized—no hand sanitizer needed! The data (and devices housing it) never need to physically change hands. All this work collecting, processing, and reviewing the data can be “done from home” and work can continue with a highly defensible chain of custody built in.
MORE FLEXIBILITY WITH EVERY RELEASE
We didn’t start down the path toward flexibility through some prescient expectation of a global pandemic. Products like Nuix Discover and Nuix Investigate, along with our cloud licensing and endpoint software, just happen to meet the needs of a distributed workforce.
Let’s face it; modern organizations demand more options and employ more remote workers today than ever in history. I don’t have a statistic for that, but just look around and you can see it for yourself. While this pandemic will pass and many of you will go back to work in an office in the hopefully near future, the need still exists for options in your enterprise software solutions.