There are lots of myths around what can be done with the help of specialized software by analyzing digital media. Some of these myths are derived from movies, others come from general misunderstanding of how software and hardware work. Since general—non-DFIR—investigators can also be considered regular persons, their expectations of what a DFIR examiner can do could be unrealistic.
Here is an example of a request, received by one of Belkasoft customers:
"Can you recover information from this device?"
This may sound funny, but this is the reality of digital forensic experts' everyday work.
Give us some real magic
What types of difficulties can digital forensics deal with? "Give us some examples of what can be perceived as magic"—one of the journalists asked us.
There are a number of tricks, which do not look magic to DFIR examiners, however some of them look miraculous even to most experienced folks.
Speaking about the former, it is not a magic to recover deleted or partially damaged data from a hard drive (though it becomes more complicated with the spread of built-in encryption). Corresponding techniques include carving (looking for specific 'signature' on a raw data level), recycle bin analysis, parsing of file system snapshots and others. Less common, but it is sometimes possible to recover data deleted on a mobile device. For that, SQLite freelist analysis can be employed; sometimes remnants of user data can be found in various caches on a mobile device.
Though it is commonly believed that special police units can unblock any mobile device, this is not the case for any make and model. This becomes harder and harder for new devices and versions of operating systems. However, for some of them there are some tricks available.
It is also possible to decrypt encrypted data: depending on the encryption method employed, password strength and resources available. Use of specialized hardware (like Passware's Decryptum), rainbow tables and features like 'Create keyword dictionary' in Belkasoft X can significantly improve changes to break even strong passwords, which in general case will take a billion years to brute-force.
Speaking of cases where only luck helped investigators to recover data, let us mention two cases.
Completely burnt out car
The car does not look good, does it? Being a digital forensics expert, would you promise your fellow investigator that you will recover data from its on-board computer?
In real life the expert was able to do so. Look at the pictures below for storage devices:
Pure luck, but the drive was readable even though everything else was burnt out. (courtesy of Patrick Eller)
Shot laptop
Another story was told by Deepak Kumar. How big are the chances that this laptop can be analyzed?
Fortunately for an investigator, the hard drive was intact in this case. This still falls under the 'miracle' case classification.
Unreal magic
What cannot be done with digital forensics, even with the help of a rare coincidence called 'miracle'?
- Data cannot be recovered from ashes like in the very first photo.
- It is not possible to get data from a device, if they are never stored on it (though it is a very popular request, like 'how do I get all versions of Word document and all editors and their corresponding edits' or 'how do I see all occurrences of a USB device plugging into a computer along with all files copied'—though some of this info can be retrieved, there is no full record on both).
- You cannot remotely acquire an arbitrary computer or mobile device.
- You cannot login to an arbitrary computer system in seconds by connecting a magic box to it. Even if such a box exists, most systems will block you from guessing passwords after a few attempts.
You will be shocked, but it is even impossible to read a secret document by enlarging a human's iris reflection from a surveillance video.
Digital forensic software is not a magic wand, regardless of miracles shown in movies. However, it is capable of doing minor magic (from a regular person point of view). Of course, this magic is not magic at all. Whatever DFIR software can do, is based on scientific approach, mathematics, and meticulous programming.
About Belkasoft X
Belkasoft X is a world-renowned tool used by thousands of customers for conducting computer, mobile and cloud forensic investigations. In the previous years, Belkasoft X was pronounced top-3 DFIR commercial tool per Forensic 4:cast Awards, being nominated to the finals of this prestigious competition 5 times out of 6 latest years (2018, 2020, 2021, 2022, and 2023).
Belkasoft X can automatically acquire, extract, and analyze evidence from a wide range of sources, including mobile phones, tablets, computers, drones, cloud, memory files and dumps.