Locard’s Exchange Principle sates that in forensics “every contact leaves a trace”. This most fundamental of principles holds true just as well in the world of digital forensics, but increasingly we must consider more carefully both what these points of contact are; and when contact is made, where these traces may be found.
Digital forensics is concerned with examining the traces left by a person or other entity in the digital landscape; that landscape is ever widening. 15 years ago, the ubiquitous personal computing device was the eponymous PC: a single, mostly self-contained unit, which if it connected to the web, was likely involved primarily with passive consumption of data rather than active participation.
Today’s digital lives are instead made up of a complex web of interconnected data sources; actions taken sending ripples out and leaving their imprints across many of these different sources. Without carefully considering the sources of data and the interactions between them, we risk missing, or misinterpreting crucial information in a case.
In this article, I want to explore some of the issues that we need to take into consideration when examining digital evidence to help us better understand what these data sources might be and how they may interact.
Head in the Cloud
It is probably one of the least controversial statements you can make, but it’s worth stating nevertheless: the high availability of high-speed internet connections has altered the context in which we consider our computing devices. As recently as the late 1990s, a fast internet connection was a novelty afforded to enthusiastic early adopters willing to shell out a significant premium for the privilege. An offline household with no access to the web would not be considered strange in the slightest and the suggestion that one could wander along the road accessing video, on demand, at a quality and resolution much higher than terrestrial broadcasts would be borderline farcical.
Today though, an “always-on” connection to the internet is a baseline expectation for many people, and nothing strikes fear into the hearts of this generation of users like a downed 4G connection, and a non-functioning broadband connection is mere inches away from being a human rights crisis. Of course, this universal provision of high-speed internet provides near instant access to information and entertainment at a moment’s notice but there’s a subtler change that has been happening over the last few years that (by the very nature of this speed) if implemented correctly is almost entirely transparent to the user: our devices, though ever more powerful, are doing and storing less.
Cloud computing, put simply is the idea that large powerful computers connected to the internet can do things better than our own comparatively puny devices, and with this high-speed, always-on internet connection we needn’t even know that these powerful, internet connected computers are involved at all. There are other benefits as well, most prominently, it means that our experience of these services is consistent across our ever-growing range of devices, and this is never more obvious than in the case of cloud storage.
Cloud storage is a type of service that allows people to store their files and data not on their own devices but rather in a remote location available on the internet. This has a number of benefits from a user’s perspective, such as: saving storage space on their devices; allowing access to these files from multiple internet connected devices concurrently and different locations; automatic back-up of important files; and simplified sharing of data with third-parties.
On modern computing devices, the use of cloud storage approaches ubiquity. All of the major mobile and desktop operating systems currently come with cloud storage services pre-installed (Microsoft OneDrive on Windows; iCloud on Apple devices; and Google Drive on Android) and signing up to these services is either a requirement when first setting up the device, or at the very least presented in such a way that an average user would interpret it as such. Once signed-in, unless a user specifically configures the device to do otherwise, the use of these cloud storage services happens in a largely transparent manner, with files being synchronised to the cloud automatically without user interaction.
This presents a new challenge for digital investigations as files and data which we might previously have expected to be stored locally on a device, may instead be stored in a remote location; a location which may very likely fall within a different legal jurisdiction. What’s more, the owner of this data may not even be aware of this. Specialist tools and skills are required to acquire this data; to make sense of the gaps that are left or analyse the point of origin for data which may have struck out a path across the cloud.
There are opportunities that the wide use of cloud synchronisation present to us as well: a user may not be aware that data that they have deleted on their device may still be readily available on the cloud. Cloud storage also often stores multiple revisions of a file so we may be able to consider the changes that the data have undertaken over time and the entities that enacted those changes.
Riding on the back of the proliferation of cloud technologies, there has been a prevailing push towards providing a consistent experience for users across the whole range of their devices. What this means in practice is that an action taken on one device can be mirrored, automatically on another.
To give a practical example: someone making use of the popular Chrome browser from Google can choose to "log in" to the browser on multiple devices (their phone, tablet, home PC, work laptop). Browsing activities such as open tabs, websites visited, bookmarks, etc. will be made available on all devices. Browse the web on your phone on the journey to work, and when you sit down at your desk, all those sites you were making use of are already open and waiting for you.
This synchronisation can also be integral to the functionality of a device’s operating system as is the case with Apple’s iOS and macOS operating systems with messages, contact information etc. all being synchronised between devices via the iCloud services; even phone calls received by an iPhone can be answered on a MacBook sharing the same iCloud account login.
This creates a new range of challenges when examining data extracted from multiple devices. When examining information which has the possibility to be synchronised between multiple devices we have new questions to answer around the provenance and attribution of the data: did it originate on the device, or did it arrive there transparently through a synchronisation operation?
The Internet of All the Things
So far, we have primarily spoken about what might be considered “traditional” computing devices (smart phones, PCs, etc.) but it is commonplace these days for everyday household items (fridges, televisions, vacuum cleaners, lightbulbs, cars, etc.) to also contain their own computing platform and connect to the internet. The name given to this new craze is “the internet of things” (usually styled as “IoT”).
We’ll leave aside the question of exactly why we’re suddenly so keen to connect everything to the internet with reckless abandon whilst seemingly risking our online privacy and security, but suffice to say that the allure of controlling and automating every aspect of our existence is too strong to resist for many - this technological trend is set to grow and grow.
And there are real benefits to consumers here. It’s hard to argue that being able to turn on your home’s heating system from your smartphone as you travel home on a particularly chilly evening is comforting; remote monitoring of your house security system gives peace of mind and telling your house by speaking out loud to dim the lights down to mood lighting mode is surely the future we’ve always been promised.
Of course, with every new device that we add to our own digital lives, we create new digital traces for actions which would never previously have done so. When considering a person’s patterns of life, every time a light is switched on, a television program viewed, the heating turned up or the carpets vacuumed, they can be a new witness to that person’s activities.
This brave new frontier of evidential possibilities is somewhat complicated though: although a lightbulb may be the point of contact that Locard spoke of, the trace left may very well not reside with the lightbulb itself. The communication between elements in the internet of things is a complex network – we might use our smart phone to control a lightbulb, but that request may flow onto the internet and into the cloud, before arriving back at our home, into a hub device which manages our lightbulbs before finally arriving at the bulb itself. Traces of this action may be stored in any or all of those locations (although, in a cruel twist, the lightbulb will likely be the least complicit witness of them all in this example). Because of this, making sense of evidence from the Internet of Things requires a great deal of understanding of the infrastructure used when these everyday household items start talking to one another. It cannot be denied, though that the intelligence that these items can provide should not be understated.
Taking in the bigger picture
CCL is the UK’s largest digital forensics laboratory and a leading provider of Digital Forensics, e-Disclosure, and Cyber Security services. From our beginnings as an independent IT consultancy in 1986, we have grown through market demand to:
• develop our digital forensic services
• develop our cyber security strategy/offerings
• embrace advances in new technology with internal R&D
• handle large volumes of multi-channel digital evidence
• provide a training academy to develop IT forensic and cyber awareness skills
CCL provide digital forensics services to organisations in the UK and internationally, from law enforcement agencies, civil and criminal law firms, to corporate and private clients. CCL use standard commercial forensic tools; but excel in situations that require more complex forensic capabilities and their broad experience. Together with their strong R&D capability, CCL extract and analyse data from the most obscure and unsupported technology and apps.
CCL’s e-disclosure and collection services are underpinned by over a decade of experience in digital forensics. A forensic approach ensures that crucial data is not overlooked and that evidence is defensible in court. It also ensures that metadata is preserved, which can prove critical to subsequent processing, indexing, and the time line production of the data during review.
CCL understand that data is increasingly central to businesses, so effective cyber security is key to protecting its assets, including reputation, intellectual property, staff and customers. There is a common misconception that investment in sophisticated technical solutions will by itself ensure protection from cyber-attacks. However, this is only one part of an effective defence. CCL’s cyber strategy takes organisations through the three stages of building an effective strategic response:
1. Assess the threat and risk –against organisational strategy to identify vulnerabilities
2. Take protective action – prioritisation of mitigation against identified vulnerabilities to enhance security infrastructure and incident response
3. Monitor and evaluate – initiate protective monitoring, testing and exercising to support effective remediation
CCL’s services are methodology and governance driven to comply with their quality and compliance standards. Working internationally, they provide a broad range of ISO 17025 accredited digital forensics services to law enforcement and government, the legal profession and private sector organisations. CCL have been recommended for accreditation to the Forensic Science Regulator’s Codes of Practice. They also have ISO 9001 (quality) and ISO 27001 (information security) certifications.
Alex Caithness, Principal Analyst