Reduce Lab Backlog with Mobile Data Forensic Previews
Transcript of Reduce Lab Backlog with Mobile Data Forensic Previews
Reducing Backlog:Mobile Forensic Previews
Lee Papathanasiou, Cellebrite: Sales Engineer, Forensics
Mobile Device Proliferation
*As of January 2014:
90% of American adults have a cell phone
58% of American adults have a smart phone
32% of American adults own an e-reader
42% of American adults own a tablet
Multi-Device Environment
Source: Pew Research Center http://www.pewinternet.org/
Volume & Complexity of Data
Mobile Device Exams Increase
Statistics from three cities in North America anecdotally* show a steady increase in the ratio of mobile forensic exams to computer exams from 2005 to the present.
*No standards exist for the tracking of forensic lab statistics, so not all labs report the same way. In addition, labs’ own reporting may be inconsistent from year to year. Other variables, such as trends in investigations themselves, have not been accounted for.
Mobile Forensics: A Team Effort
Today’s model of mobile device evidence collection
■ Forensic Examiner performs extraction & analysis at the Lab
■ First Responder Secures Scene
■ Investigator Seizes Evidence: “Bag and Tag”
Limitations of Current Model
■ Actionable information NOT available to First Responder
o Result: Opportunity for time-sensitive decisions is missed which could mean the difference between Life and Death
■ Evidence becomes more vulnerable the longer it sits at scene
o Result: Evidence on the device is remotely Wiped/Deleted
■ The importance of evidence is not identified or qualified at scene
o Result: Lack of insight leads to collection of unnecessary evidence and directly contributes to EVIDENCE BACKLOG!
■ Field personnel are not being utilized to their full capacity
o Result: The inefficient use of resources is an unnecessary Waste of Money
■ Forensic Examiners are spending valuable time on basic evidence collection
o Result: Less time available to focus on the deeper/complex examinations which can yield important evidence & deleted information. This amounts to a Waste of Talent.
Mobile Forensics: Multi-Tiered Model
[Diagram: Location Hierarchy, Personnel Hierarchy and Function Hierarchy, each shown as a gradient scale from Least to Most]
Multi-Tiered Model Reduces Backlog!
■ Increases Quality of evidence in lab
■ Empowers existing personnel with mobile forensic technology
■ Enables rapid evidence collection & preview in field
■ Decreases Quantity of evidence in field
■ Result: More Leads in Less Time
Use Cases that can Benefit
■ Monitoring Probation/Parole
■ Child Abuse Image Investigations
■ Drug Interdiction
■ Substantiate Victim Claims
■ List goes on…
Implementation Requirements: EEE
■ Education
■ Engineering
■ Enforcement
■ Data collection & review contributes to officer/civilian safety
Education: Academy Level
■ Eliminate & Prevent Intimidation
■ Academy Curricula need to be prioritized & updated
■ SOP & Training need to complement each other
Education: Field Level
■ Evidence Handling & Collection
■ Establish guidelines for escalations to lab (i.e. Prosecution over Intel, Felonies over Misdemeanors)
■ Incorporate 15 min hands-on training during briefings
■ Keep current with warrant templates, preservation letters, etc.
■ Types of Evidence Collected: Textual Data and/or Media Files? (Dictates bandwidth & storage capacity needed)
Engineering: Data Management Infrastructure
■ Decide on method of transferring and/or storing evidence
■ Need to maintain Chain of Custody and Integrity of data
■ Remote Storage: Secure 4G/WiFi connection. VPN Tunneling.
■ Local Storage: Hard Drive / Flash Drive / SD Card – Logistics
■ Software must have built-in reviewing & basic analysis capabilities
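The chain-of-custody and integrity requirement above is usually met with two artifacts: a hash manifest taken at collection time and an append-only custody record. The following is an added illustration written for this transcript, not Cellebrite code and not how UFED implements it; the file names, contents and custody events are constructed sample data. The manifest lets the lab prove the artifacts it receives (over a VPN upload or on an SD card) are byte-for-byte what was collected, and the hash-chained log makes any edited or dropped hand-off entry detectable.

```python
import hashlib
import json

# Constructed sample extraction (file name -> bytes). These stand in for the
# artifacts pulled from a handset in the field; they are not real extraction data.
SAMPLE_EXTRACTION = {
    "sms.db": b"constructed sample sms database contents",
    "contacts.vcf": b"BEGIN:VCARD\nFN:Example Person\nEND:VCARD\n",
    "photo_0001.jpg": bytes(range(256)) * 4,
}


def _canonical(obj):
    """Canonical JSON so that dict ordering can never change a digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(files):
    """Hash every artifact at collection time; the manifest travels with the evidence."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in sorted(files.items())}


def manifest_digest(manifest):
    """One value committing to the whole manifest (what goes into the custody record)."""
    return hashlib.sha256(_canonical(manifest)).hexdigest()


def verify_manifest(files, manifest):
    """Re-hash the artifacts and report anything modified, missing or unexpected.
    An empty list means integrity holds."""
    current = build_manifest(files)
    problems = []
    for name, digest in manifest.items():
        if name not in current:
            problems.append(f"missing: {name}")
        elif current[name] != digest:
            problems.append(f"modified: {name}")
    problems.extend(f"unexpected: {name}" for name in current if name not in manifest)
    return problems


class CustodyLog:
    """Append-only custody record. Every entry commits to the previous entry's hash,
    so editing or dropping an entry breaks verification of everything after it."""

    GENESIS = "0" * 64

    def __init__(self, manifest_hash, collected_by, when):
        self.entries = []
        self._append({"event": "collected", "manifest_sha256": manifest_hash,
                      "by": collected_by, "time": when})

    def _append(self, fields):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = dict(fields, prev_hash=prev)
        entry["entry_hash"] = hashlib.sha256(_canonical(entry)).hexdigest()
        self.entries.append(entry)

    def transfer(self, from_person, to_person, method, when):
        """Record a hand-off (e.g. SD card from first responder to lab, or a VPN upload)."""
        self._append({"event": "transfer", "from": from_person, "to": to_person,
                      "method": method, "time": when})

    def verify(self):
        """Return the indexes of entries whose hash or back-link no longer check out."""
        bad = []
        prev = self.GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "entry_hash"}
            recomputed = hashlib.sha256(_canonical(body)).hexdigest()
            if body.get("prev_hash") != prev or recomputed != entry["entry_hash"]:
                bad.append(i)
            prev = entry["entry_hash"]
        return bad


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_EXTRACTION)
    log = CustodyLog(manifest_digest(manifest), "first responder (constructed)", "2014-01-15T10:00:00Z")
    log.transfer("first responder", "lab examiner", "SD card", "2014-01-15T14:30:00Z")
    print("integrity problems:", verify_manifest(SAMPLE_EXTRACTION, manifest))
    print("bad custody entries:", log.verify())
```

In practice the manifest digest is what gets written on the evidence tag or into the case system, so the lab can check it without trusting the storage medium it arrived on.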
Engineering: Mobile Forensic Solution
■ Mobile forensics software solution needs to be flexible & easy to use
■ Software needs to be able to support extraction from an immense variety of mobile devices in order to be effective
■ A laptop/tablet or stand-alone forensic device will be required. Preferably semi or fully ruggedized with a relatively small footprint
© 2014 Cellebrite Mobile Synchronization LTD, All rights reserved
UFED Touch
• Purpose built
• Closed for other applications
• No User maintenance
• Extraction only
UFED 4PC
• Multiple tools single platform
• Full Cycle capabilities
• HW upgrade at your own pace
• Choose your platform – Flexibility
UFED TK
• Single source
• Multiple tools single platform
• Full Cycle capabilities
• No user installation
• Standalone and ruggedized
UFED: Extract & Preview
■ SOP should set clear expectations for everyone involved including when to escalate devices to a forensic specialist
Enforcement
■ Controls need to be in place to prevent abuse
■ Establish Policies as well as SOP to enforce training & evidence collection methodologies
■ Software solution needs to facilitate these requirements: User & Permission Management, Logs, Training verification
Enforce: UFED Permission Manager
User Authentication and Permission Management
■ Profile defines authorized actions
■ By action
■ By data type (where applicable)
■ Profiles are assigned to Users
■ Import / Export Users list
■ Examples:
Search Warrant
Consent
Probation/Parole
Exigent Circumstances
Search Incident to Arrest
Plain Sight
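The profile model described above (authorized actions, narrowed by data type where applicable, profiles assigned to users, users list importable and exportable) is a small default-deny authorization layer with an audit trail. The following is an added example written for this transcript to show how such a control behaves; it is not Cellebrite's Permission Manager code. The action and data-type vocabulary, and which actions each example profile permits, are assumptions chosen for illustration; only the profile names come from the deck's example list.

```python
import json
from dataclasses import dataclass

# Vocabulary assumed for this example (not taken from the product).
ACTIONS = frozenset({"extract", "preview", "export_report"})
DATA_TYPES = frozenset({"sms", "calls", "contacts", "images", "video", "location"})


@dataclass(frozen=True)
class Profile:
    """A profile defines authorized actions, optionally narrowed by data type."""
    name: str
    actions: frozenset
    data_types: frozenset


# Constructed example profiles, named after legal authorities the deck lists.
# The action/data-type mix for each is an assumption chosen for illustration.
PROFILES = {
    "Consent": Profile("Consent", frozenset({"preview"}),
                       frozenset({"sms", "calls", "contacts"})),
    "Probation/Parole": Profile("Probation/Parole", frozenset({"extract", "preview"}),
                                frozenset({"sms", "calls", "contacts", "images"})),
    "Search Warrant": Profile("Search Warrant", ACTIONS, DATA_TYPES),
}


class PermissionManager:
    def __init__(self, profiles):
        self.profiles = dict(profiles)
        self.users = {}      # user id -> profile name
        self.audit = []      # every decision, allowed or denied, for later review

    def assign(self, user, profile_name):
        if profile_name not in self.profiles:
            raise ValueError(f"unknown profile: {profile_name}")
        self.users[user] = profile_name

    def authorize(self, user, action, data_type=None):
        """Default-deny check. data_type is None for actions that are not data-typed."""
        profile = self.profiles.get(self.users.get(user))
        allowed = (
            profile is not None
            and action in profile.actions
            and (data_type is None or data_type in profile.data_types)
        )
        self.audit.append({"user": user, "action": action, "data_type": data_type,
                           "profile": profile.name if profile else None,
                           "decision": "allow" if allowed else "deny"})
        return allowed

    def export_users(self):
        """Users list as JSON, suitable for copying to another unit."""
        return json.dumps(self.users, sort_keys=True, indent=2)

    def import_users(self, text):
        """Load a users list, rejecting the whole import if any entry names a
        profile this unit does not have (so nobody ends up silently unassigned)."""
        incoming = json.loads(text)
        unknown = sorted(p for p in incoming.values() if p not in self.profiles)
        if unknown:
            raise ValueError(f"unknown profiles in import: {unknown}")
        self.users.update(incoming)


def demo():
    """Constructed users for illustration."""
    pm = PermissionManager(PROFILES)
    pm.assign("ofc_smith", "Consent")
    pm.assign("det_jones", "Search Warrant")
    return pm


if __name__ == "__main__":
    pm = demo()
    print(pm.authorize("ofc_smith", "preview", "sms"))    # allowed by Consent profile
    print(pm.authorize("ofc_smith", "extract", "sms"))    # denied: action not in profile
    print(pm.authorize("ofc_smith", "preview", "images")) # denied: data type not in profile
    print(json.dumps(pm.audit, indent=2))
```

The audit list is the piece that makes the "Logs" requirement real: a denied attempt is recorded just like an allowed one, which is what a supervisor needs when checking that field use stayed within the authority that was granted.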
Enforcement: Rules of Engagement
■ Laws vary from state to state and are in constant flux
■ Consult legal authorities to ensure adherence to law
Data Triage & Public Safety
Time sensitive situations that can significantly benefit from mobile device collection at the scene of an incident:
Traffic Accidents – Was the driver distracted by their phone? Where were they last?
Active Shooter – Did they have accomplices?
Abductions – Who was their abductor? Where were they last?
Bomb Threats – Where is the bomb located? What is the detonation device?
This is only the Beginning!!
■ Decision making in the field can be improved even further
• Imagine collecting evidence from a mobile device on scene and then running that data against a database…
Fugitives, Abductees, Drug Terms, Gang Members, Terrorists, Explosives, Stolen VINs, etc.
■ State & Local Fusion centers will have more diverse datasets to utilize, which will increase situational awareness.
Impact on Crime Prevention
■ Mobile Device Evidence also has value downstream
■ Intel & Crime Analysts benefit from high quality data
■ The variety of data on mobile devices can contribute significantly to predictive analytics & crime prevention efforts