Digital forensics 101

Problem No. 1 for the digital investigators working the Justin Ross Harris case is that each of his six devices, and each communication platform he used, requires an expertise and attention that is specialized and separate from the others.

More broadly, you can think of the work as occurring on two parallel tracks. First, the examination of Harris’ mobile devices: an iPhone and iPad. And, second, the examination of his home computers and work computers: a Dell desktop, a Mac laptop and a Lenovo laptop. (The sixth device is a Google Chromecast.)

“Different devices store browser and app information in a variety of ways,” Doug White, who teaches cyber security at Roger Williams University in Rhode Island, told the AJC in an email.

In some cases, the material in question may simply be “cached,” or stored away deep within the recesses of a phone or computer for future use. That data can be recovered simply. In other cases, especially with smartphones, apps may use databases, encrypted files, binary objects or another means of storage.

You can get at all this information in several different ways, White said.

Investigators might first employ a tactic called manual scroll, just looking through the phone’s or the computer’s logs. Easy, like prepping for a trip to Russia by listening to tapes of commonly used phrases.

The second method, logical extraction, involves recovering the material that is in the cache or the hard drive by interfacing with the device’s operating system. Harder, like learning the basics of Russian grammar and syntax.

The third technique, physical extraction, is a process of copying the lowest level of the device and then reconstructing the materials there. By far the hardest, like reading War and Peace in Russian.

There are, for sure, nuances to all these approaches, but you get the drift.

In essence, you can think about the relatively young science of digital forensics as hacking in reverse, performed by the good guys. Investigators are digging into computer systems in the same way criminals attempt to break into our machines.

Both are grabbing at pieces of our private lives that we didn’t originally mean them to get their hands on. Our pictures, whom we call and who calls us, what websites we visit, and whom we, ahem, sext.

Virtually everything is gettable — with, of course, the proper time and resources.

Investigators can employ a wide range of tools, from commercial software that requires scant computer expertise, to tool kits that experts can work with to write their own specialized software. Both criminal and civil investigators use those tools to get a handle on evidence.

There are also simpler tactics. Here’s one:

Open up your Windows desktop, hit the start button and type in “regedit” in the box labeled “search programs and files.” (On second thought, don’t, unless you want to risk eventually landing on the Blue Screen of Death.)

In a moment, you’ll find the registry editor, a window onto the Windows registry: the database in which Windows and many of the programs on it record their settings, and a good deal of your activity along the way.

Investigate further and you’ll eventually come across the serial numbers of USB drives you’ve plugged into your machine, a list of all the recent documents you’ve opened and a locally stored database of URLs documenting all the websites you’ve looked at, naughty ones included.
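The same three look-ups can be scripted rather than clicked through. The script below is an added example, not something from the article or from the investigators it quotes; it assumes a Windows host where the standard key paths exist (the USBSTOR key needs an elevated prompt, the other two sit in the current user's hive), and the value layouts it decodes are the ones Windows has used for these keys for years.

```powershell
# Added example (not from the article): read the registry artifacts the text
# names with PowerShell instead of regedit. Assumes a Windows machine.

function Get-UsbStorageHistory {
    # USBSTOR keeps one subkey per device model and, below it, one per unit.
    # The unit key is named by the device's own serial number; when a device
    # reports none, Windows makes up an id whose second character is '&'.
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $root)) { return @() }
    foreach ($modelKey in Get-ChildItem $root) {
        foreach ($unitKey in Get-ChildItem $modelKey.PSPath) {
            $id   = $unitKey.PSChildName
            $real = ($id.Length -gt 1) -and ($id[1] -ne '&')
            $serial = $null
            if ($real) { $serial = ($id -split '&')[0] }   # drop the '&0' suffix
            [pscustomobject]@{
                Model        = $modelKey.PSChildName
                InstanceId   = $id
                Serial       = $serial
                FriendlyName = (Get-ItemProperty $unitKey.PSPath).FriendlyName
            }
        }
    }
}

function Get-RecentDocs {
    # RecentDocs stores each entry as REG_BINARY: the file name in UTF-16LE,
    # NUL-terminated, followed by shortcut data we do not need. MRUListEx is a
    # list of little-endian 32-bit entry numbers, most recent first, ending
    # in 0xFFFFFFFF.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty $key
    [byte[]]$order = $props.MRUListEx
    if (-not $order) { return @() }
    for ($i = 0; $i + 4 -le $order.Length; $i += 4) {
        $idx = [BitConverter]::ToUInt32($order, $i)
        if ($idx -eq 0xFFFFFFFF) { break }
        $entry = $props.PSObject.Properties[[string]$idx]
        if ($null -eq $entry) { continue }
        [byte[]]$raw = $entry.Value
        # Length of the name: walk 16-bit units until the first U+0000.
        $end = 0
        while (($end + 1) -lt $raw.Length -and
               -not ($raw[$end] -eq 0 -and $raw[$end + 1] -eq 0)) { $end += 2 }
        [pscustomobject]@{
            Rank = [int]($i / 4)     # 0 = most recently opened
            Name = [Text.Encoding]::Unicode.GetString($raw, 0, $end)
        }
    }
}

function Get-TypedUrls {
    # Addresses typed into the Internet Explorer address bar (url1, url2, ...).
    # Full browsing history is not in the registry: each browser keeps its own
    # database file under the user's profile directory.
    $key = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
    if (-not (Test-Path $key)) { return @() }
    (Get-ItemProperty $key).PSObject.Properties |
        Where-Object { $_.Name -match '^url\d+$' } |
        Sort-Object { [int]($_.Name -replace '^url', '') } |
        ForEach-Object { [pscustomobject]@{ Slot = $_.Name; Url = $_.Value } }
}

Get-UsbStorageHistory | Format-Table -AutoSize
Get-RecentDocs        | Format-Table -AutoSize
Get-TypedUrls         | Format-Table -AutoSize
```

Each function returns objects rather than text, so the results can be exported with Export-Csv or compared against a second machine; the serial-number heuristic (a second character of '&' means Windows invented the id) is the usual rule of thumb, not a guarantee that every remaining id is a manufacturer serial.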

In the past, entire cases have been solved using just that procedure. They could be still, given an inexperienced suspect who made no efforts to cover his tracks.

Deleted files may be harder to locate, but in most cases, they’re still there. Until, that is, they’re overwritten on your hard drive by new activity.

And there is no way to know for sure, as a layperson, when that file truly goes away. Different devices and operating systems employ different allocation strategies that deal with deleted files in different ways.

To put it another way, although that compromising photo has been emptied out of the recycle bin and is not findable through, let’s say, an icon on your desktop, it still lives. Like a zombie, sort of.
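The mechanism behind that zombie can be shown with a toy disk. The script below is an added illustration, not code from the article: it invents an eight-block "drive" with a file table, deletes a file by forgetting its table entry the way real file systems do, and then scans the raw bytes the way a carving tool would. The block size, first-fit allocation and ASCII content are all constructed for the example.

```powershell
# Added example (not from the article): a toy block device showing why a
# deleted file survives until its blocks are reused, and why even a partial
# reuse can leave a tail of the old data ("file slack") behind.

$BlockSize  = 16
$BlockCount = 8
$script:Disk      = New-Object byte[] ($BlockSize * $BlockCount)  # raw storage
$script:Allocated = @{}   # file name -> block numbers: the "file table"

function Write-ToyFile([string]$Name, [string]$Content) {
    $bytes  = [Text.Encoding]::ASCII.GetBytes($Content)
    $needed = [int][math]::Ceiling($bytes.Length / $BlockSize)
    $inUse  = @($script:Allocated.Values | ForEach-Object { $_ })
    # First-fit: the lowest-numbered blocks not listed in the table. "Free"
    # only means "not in the table"; the old bytes in the block are untouched.
    $free = @(0..($BlockCount - 1) |
              Where-Object { $inUse -notcontains $_ } |
              Select-Object -First $needed)
    if ($free.Count -lt $needed) { throw 'disk full' }
    for ($i = 0; $i -lt $free.Count; $i++) {
        $start = $i * $BlockSize
        $stop  = [math]::Min($start + $BlockSize, $bytes.Length) - 1
        [byte[]]$chunk = $bytes[$start..$stop]
        # A short final chunk overwrites only part of the block.
        [Array]::Copy($chunk, 0, $script:Disk, $free[$i] * $BlockSize, $chunk.Length)
    }
    $script:Allocated[$Name] = $free
}

function Remove-ToyFile([string]$Name) {
    # Deletion only forgets the mapping; not one byte on the disk changes.
    $script:Allocated.Remove($Name)
}

function Find-ToyDeletedText([string]$Needle) {
    # What a carving tool does: ignore the file table and scan the raw bytes.
    $raw = [Text.Encoding]::ASCII.GetString($script:Disk)
    $pos = $raw.IndexOf($Needle)
    if ($pos -lt 0) { return $null }
    [pscustomobject]@{ Offset = $pos; Block = [int][math]::Floor($pos / $BlockSize) }
}

Write-ToyFile -Name 'photo.jpg' -Content 'SECRET-PHOTO-001 followed by image data'
Remove-ToyFile -Name 'photo.jpg'
Find-ToyDeletedText 'SECRET-PHOTO'   # scan the raw bytes right after deletion

Write-ToyFile -Name 'notes.txt' -Content 'hello'   # 5 bytes, reuses block 0
Find-ToyDeletedText 'SECRET-PHOTO'   # scan again after the partial overwrite
Find-ToyDeletedText 'PHOTO-001'      # the unwritten tail of block 0 (file slack)
```

Run top to bottom, the three scans show the three states the article describes: the marker is found after the delete, its first bytes are gone once a new file lands in the same block, and the part of the block the new file did not reach is still readable. Real file systems differ in which free block they pick next, which is exactly why the article says a layperson cannot know when a file is truly gone.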

Even if it’s actually gone from your device, traces of your cyber-life can survive on other devices and services you might use, just waiting for an investigator with a warrant or a subpoena to think to look there.

In the Harris case, “with the police being involved, they could get anything,” said Andrew Case, a New Orleans-based core developer with the Volatility project, who specializes in computer forensics.

“Facebook … Twitter, Instagram, they could see that. If he was sending pictures and text messages, they could even be queried for, depending on his provider and then his email.

“And if his computer had something like Dropbox or other cloud storage servicing, that can provide additional historical context into his files. Because if you deleted it locally, they hold on to it for a specific amount of time.”

That data trail can make or break a digital forensics investigation where someone is accused of looking at kiddie porn or texting while causing a fatal accident.

At the same time, however, Microsoft, Apple and other device manufacturers are constantly making investigators’ jobs more difficult — not deliberately, but in order to keep up with the increasing sophistication of online criminals.

In the case of later-generation iPhones, for example, Apple employs a level of encryption — you can think about it like a type of mathematical proof that unlocks information — that’s tough, but not impossible, to break into.

You can also download software, such as TrueCrypt and FileVault, that use similar encryption tactics. The software locks information using special digital keys sometimes stored on USB drives and protected by passwords.

This is an arena where the ground is constantly shifting, however. Only Friday, the tech world was abuzz over reports that Apple has quietly slipped some forensic tools, including one that bypasses some encryption features, into the latest iPhones. If true, that should make it easier for digital cops to retrieve a user’s private data.

Figuring out how to crack the never-ending parade of security upgrades to various devices and operating systems fills up the time of specialized researchers who analyze them on behalf of law enforcement and corporations.

Of course, criminals do the same. And there are ways to make incriminating data very hard to find.

The most effective, of course, is to physically destroy the device.

Other methods range from using a device’s features to clean up your trail, to using downloaded tools to painstakingly wipe the hard drive and purge a device’s memory.

To hide one’s internet usage, there are “anonymous” web browsers such as Orbot and Onion Browser, which use the IP-masking service Tor and store no cache or cookies.

“I would use a phone with no storage card, Onion Browser, and some anonymous texting service, and even then I would certainly be ready to pull the SIM card from my phone for quick disposal, and maybe have a means of hard wiping it ready to go,” White said in his email.

“Destruction, (however), would be the best bet.”