EVEN 5 MORE Bloopers of a Digital Forensic Investigator (Part 3)

In the previous two articles of this series, "5 Bloopers of a Digital Forensic Investigator" and "5 MORE Bloopers of a Digital Forensic Investigator", we reviewed some of the most common DFIR mistakes. Both articles have created a lot of good feedback and discussion. In response, we have decided to create one last article and conclude the series with even five MORE mistakes.

You can help improve these articles by sending your ideas of bloopers (and how to avoid or mitigate them) to sales@belkasoft.com.

Mistake #11: Not being ready for a data acquisition or device seizure

The entire DFIR investigation starts with two things: device seizure, followed by the acquisition of data stored on said device. It is a mistake not to know what things may invalidate any collected evidence.

In a perfect world, a DFIR expert would accompany all non-DFIR trained officers to a crime scene. Unfortunately, this just is not realistic as there are not enough good, experienced DFIR specialists available to be on scene every time a crime is committed. This can be a location, timing or resource issue (i.e. not enough DFIR specialists available or free) or sometimes all of the above.

Another example would be a non-DFIR law enforcement (LE) officer leaving the crime scene without recognizing the presence and availability of a viable device for digital evidence collection because they saw "only a TV" or "just a monitor". As you might have guessed, what they saw as just a TV or monitor could actually be an All-in-One computer, such as an iMac computer. Today, smart devices come in all shapes and sizes, and missing such a device means a lost opportunity for evidence collection.

Another similar blooper is failure to acquire a memory dump from a currently running computer. Pulling the plug on a running device means a loss of all decryption keys and other volatile data stored in memory (see Mistake #6). This is a very common mistake amongst non-DFIR officers often responsible for device seizure

In trickier situations, even a DFIR specialist can make this mistake if they are not vigilant and always on the alert. For example, a computer may have self-erasing or even self-exploding data storage, which is triggered by the opening of the system unit cover.

Hint: While nothing can replace a digital investigator on-scene, tools like Belkasoft T may facilitate acquiring data even when being operated by a non-expert. Such triage tools are portable and can be run from a special dongle for memory acquisition that is easy to operate and can even store important data on the same dongle for analysis later by a specialist in the lab. These tools help to significantly reduce the error rate with device seizure and data acquisition.

Mistake #12: Not using write blockers and Faraday bags

This blooper sounds impossible to a digital investigator, but it is still one of the most common mistakes being made today.

Obviously, one has to connect a hard drive to a write blocker before performing any operations, and any mobile devices should be stored in a Faraday bag first. Failure to use a Faraday bag is a severe blooper, and may cause evidence invalidation due to not assuring a proper chain of custody/evidence integrity, or even troubles introduced by a potential remote data erasure.

See also: Chain of custody and evidence integrity in digital forensics

There are some more subtle nuances though to be mentioned here:

• A write blocker must be hardware-based. Software-based write blockers are a joke. You simply should not use them (see Chain of custody in digital forensics)
• Even hardware write blockers will not save your SSD drive from performing its internal erasure routine caused by TRIM and garbage collection. SSD drives are special, see our series of articles on SSD forensics. Written in 2012-2016, these articles are still applicable)
• For mobile phones, the proper routine includes more than just Faraday bags. There are many more things to take into account like keeping the phone charged, keeping (or not keeping) the SIM card inserted, operating in airplane mode, toggling Bluetooth and/or Wifi, not looking into the phone’s camera and not touching the fingerprint sensor… and many more do’s and don’ts. For more details, we recommend you read: 'Practical Mobile Forensics' book

Mistake #13: Not using available software and hardware effectively

Another frequent mistake is thinking 'more is better'. Is expensive hardware faster or more efficient than inexpensive hardware? Is software that costs $15,000 three times better than one for $5,000? Would your processing end quicker if you used a 96-core computer rather than a 48-core one?

More is not necessarily better. To give an easy example, many digital forensic software packages rarely involve heavy CPU/GPU utilization (unless performing a password recovery). This means that the CPU is typically not a performance bottleneck and adding more CPU horsepower may only bloat your budget for hardware unnecessarily. What can be a bottleneck is typically your hard drive. Every byte inside an image you are investigating, will be read by your DFIR software. This means the transaction speed of the storage device where the image is hosted has a profound impact on performance and the time required to complete analysis.

This also means that using multiple cores may even… slow things down! If your software reads the hard drive in multiple concurrent sessions, this will make the drive and techniques used by the operating system—like caching—ineffective. As a result, the overall time for the analysis will increase, which is the exact opposite of what you expect!

We once had a case when a customer had a very fancy, shiny 96-core computer, but was complaining about the Belkasoft product performance. After studying his configuration, we gave a recommendation to limit the product to just 48 cores—such an option is available to Belkasoft X users in the product settings. A bit counter-intuitive, but the performance grew significantly—just because the bottleneck was indeed the hard drive.

On many occasions, effectiveness will also depend on the amount of RAM installed. For Belkasoft X we recommend having 2Gb of RAM for each core used. The product also has a memory limitation setting, which is intended to help customers use the product more effectively, regardless of the hardware configuration in use.

Mistake #14: Not cross-validating results

In the modern world where everyone is in a rush, and when high-tech crime laboratories have tremendous backlogs, this mistake rears its ugly head more often than not. The investigation may consist of ingesting an image into an investigator's favorite tool, browsing through results and generating a report.

Can it work? It can. However, this is not always the case. It is a common point in our industry that no single DFIR software solution is a silver bullet to finding any and all possible evidence. Every software package has strengths and weaknesses and inevitably has flaws. Using multiple DFIR software tools is the best approach to ensuring all possible evidence is found.

What exactly is the cost of an error? See our article on 'The Case of Casey Anthony'.

This case is a classic example as to why manual or cross-tool validation is a must, and why trusting results of only a single tool is a blooper.

Here are a few ideas illustrating how Belkasoft can help you validate your results:

• Manual validation. If you would like to check results shown by Belkasoft, we have many tools to facilitate manual validation, such as origin path property for every artifact, built-in viewers for specific formats such as SQLite, Plist, Registry; and there is a binary Hex Viewer for analysis of raw data behind every artifact
• You can also use Belkasoft X as an excellent secondary tool to cross-check another tool’s results. Belkasoft X supports both computer and mobile forensics, and is ideal to complement a variety of other tools.

See also:

• Where did this chat come from? The 'Origin path' concept in Belkasoft X
• Six steps to successful mobile validation

Mistake #15: Not having Belkasoft in the toolset

As you might have guessed, this chapter is intended to be a little lighter and more tongue-in-cheek to conclude our series.

Despite our walk on the lighter side, we understand that using the right tool is no laughing matter. Given its affordable price and the ability to analyze multiple data sources (including both computer and mobile data sources), as well as the ability to perform memory analysis and cloud forensics, Belkasoft X is excellent as both a primary and cross-check DFIR tool for every digital forensic investigator and incident responder.

A costly sub-type of this blooper is buying separate tools for computer versus mobile phone data acquisition and analysis. You end up paying for two tools when you could have bought just one—Belkasoft X which supports both device types (and many more)—at a lower price!

To avoid these mistakes and many others, here is a secret link where you can learn more on the tool and even download a free trial.

Did you like the article?

See also

• Part 1: 5 bloopers of a digital forensic investigator
• Part 2: 5 more bloopers of a digital forensic investigator
• Where did this chat come from? The 'Origin path' concept in Belkasoft X
• Browser forensics and the case of Casey Anthony
• Six steps to successful mobile validation
• Preserving chain of custody in digital forensics