Check out my YouTube interview with Dana Mantilia!
I was recently interviewed by Dana Mantilia who provides cybersecurity information on her cool website Identity Protection Planning. You can view the interview on YouTube here but I figured I would write a transcript for people who prefer to read. We discuss how digital forensics has changed in the last 10 years and how cybersecurity has evolved from it.
How has digital forensics changed in the last 10 years?
My background is in policing in Canada, with the national police (the RCMP). When I started working in “tech crime” about 12 years ago there was no “cyber crimes unit”. I was lucky to get into this field when digital evidence was really just starting to become very important. As things developed with the internet and cyber crime, there was really a crossroads. Examining a computer hard drive or a cell phone was not quite the same as investigating crimes that were happening online. For example, on the “dark web”, people were drug trafficking and selling guns. Over the years, cyber attacks and ransomware became more prevalent, things that didn’t exist 15 years ago. As time went by there was a need to divide the tech crime unit between classical digital forensics and cybercrimes.
What is a cyber crime anyway?
One of the main issues was, who is responsible for what? Who investigates cyber crime? Is it the digital forensics unit or is it the drug unit or the fraud unit? There is a great concept that explains the difference between traditional crime and cybercrime. If the internet was a light switch and you could “turn off” the internet with this switch, anything that you can still do with the internet off is a classical crime. Crimes like fraud or drug trafficking. But if you cannot commit the crime when the switch is off, when the internet is off, then that is a cyber crime. That really became the standard for separating the two fields. With the RCMP there are now two units, the digital forensics unit and the cyber crime unit.
How is computer forensics different than mobile forensics?
Things have changed quite a bit since the days of the old flip phones. They were quite simple devices and I think everybody would agree that today’s mobile devices are like mini computers. In fact, in Canada, under the law (the Criminal Code) a mobile device is a computer by definition. So when you’re writing your search warrants and other legal authorizations, for all intents and purposes a mobile device is a computer. That being said, a mobile device operates differently because of the platform used, and the operating systems obviously are different. Technically you need to treat them differently, especially with regards to encryption. Although computers can be encrypted, usually computers are not encrypted by default.
With phones these days, especially with Apple devices, encryption is on by default so you need to pay specific attention to that. You need to analyze a mobile device differently and always consider encryption. There’s a lot of crossover between computers and mobiles and it’s not strictly computer forensics or mobile forensics, it’s what we call digital forensics. This is why our field is now called digital forensics, because we handle all kinds of devices like tablets and smart watches. New devices are kind of integrated now, with even fridges having a connection to the internet. The other big difference is the way computers and mobiles handle deleted files, as discussed in the next section.
Is deleted data gone forever?
That’s the classic question! This topic often comes up in court and is a common question clients have when they are considering a forensic examination. Can you recover deleted files? In all things digital, usually the answer is “it depends”. It seems like an easy answer but it is true. It depends on what kind of device you have, a laptop or a desktop, or if you’re running Windows or Mac OS or Linux. It depends if you have a mobile device or a tablet, if it’s an Android device or an Apple device. Apple has been pushing for security and they’ve wanted to take over from BlackBerry, whose devices were very secure. Apple is trying to move into the business security field so they’ve made their devices very secure, including encryption and making deleted files very difficult to recover. That being said, we can sometimes recover deleted files with ease and sometimes it’s impossible. The examiners at Alphafox Forensics have the right training and tools and can find many files that were deleted.
Tricks of the trade
One area where we have great success is when the user deletes a file but there are actually multiple copies of the same file on the device. On a mobile phone for instance, when you delete a picture, that picture is gone, yes. But if you sent that picture by email or sent it through an app like WhatsApp, then there will be multiple copies of the picture on the device. Because the operating system requires those copies, there’s a good possibility of recovering the image. It may not be the original image but you can recover a copy, and often that is just as good as the original. The cloud is also a great source of information. If you delete files from your device, these files may still be present in your cloud backup. You can throw your phone into the river if you committed a crime with it! But if it’s got a backup on the cloud, oftentimes there’s a way to access the cloud and get the backups or get some copies of the evidence.
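To make the two points above concrete (deleting a file usually removes only the directory entry, and copies of the same picture tend to survive in other places), here is an added example that is not part of the original post or Alphafox Forensics' tooling. It builds a small constructed “unallocated space” buffer holding the bytes of a “deleted” picture, carves the picture back out by its JPEG start and end markers, and then uses a SHA-256 hash to find byte-identical copies in constructed locations such as an email attachment folder and a messaging app's media cache. The picture bytes, paths and filler are all made up for the example.

```python
"""Added example: signature-based carving plus hash matching of surviving copies.
Everything here (the "disk image", the picture, the paths) is constructed inline."""
from __future__ import annotations

import hashlib

JPEG_SOI = b"\xff\xd8\xff"  # start-of-image marker that opens every JPEG
JPEG_EOI = b"\xff\xd9"      # end-of-image marker that closes it


def build_sample_image_bytes() -> bytes:
    # Constructed stand-in for a picture: real JPEG markers around an
    # arbitrary payload. Not a decodable image, but enough for carving.
    return JPEG_SOI + b"\xe0" + b"JFIF-constructed-payload-" * 4 + JPEG_EOI


def build_unallocated_space(deleted_file: bytes) -> bytes:
    # Constructed "unallocated space": filler, then the deleted file's bytes
    # still sitting where they were written (only the directory entry is
    # gone, so no filesystem path points at them any more), then more filler.
    return b"\x00" * 512 + b"unrelated data" * 10 + deleted_file + b"\x00" * 256


def carve_jpegs(blob: bytes, max_size: int = 1 << 20) -> list[bytes]:
    # Walk the blob: each SOI marker starts a candidate, the next EOI ends it.
    # max_size stops a missing EOI from swallowing the rest of the media.
    found = []
    start = blob.find(JPEG_SOI)
    while start != -1:
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            break
        end += len(JPEG_EOI)
        found.append(blob[start:end])
        start = blob.find(JPEG_SOI, end)
    return found


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_matching_copies(target: bytes, candidates: dict[str, bytes]) -> list[str]:
    # Which other locations hold a byte-identical copy of the carved file?
    want = sha256(target)
    return sorted(path for path, data in candidates.items() if sha256(data) == want)


def demo() -> dict:
    original = build_sample_image_bytes()
    unallocated = build_unallocated_space(original)
    carved = carve_jpegs(unallocated)
    # Constructed locations where copies typically survive on a phone:
    # a sent email attachment and a messaging app's media folder.
    other_locations = {
        "mail/sent/attachment.jpg": original,
        "whatsapp/media/IMG-0001.jpg": original,
        "photos/unrelated.jpg": JPEG_SOI + b"other" + JPEG_EOI,
    }
    matches = find_matching_copies(carved[0], other_locations) if carved else []
    return {
        "carved_count": len(carved),
        "carved_hash": sha256(carved[0]) if carved else None,
        "original_hash": sha256(original),
        "copies": matches,
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats that follow from the post itself. Carving only works where the deleted bytes are still readable; on a device with encryption on by default, as described for Apple phones above, unallocated space holds ciphertext and this technique yields nothing without the keys. And the start/end marker scan is deliberately simplified: real JPEGs can embed thumbnails with their own markers, so production carving tools validate structure rather than stopping at the first end marker.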
What is the difference between computer forensics and eDiscovery?
When you’re working with law firms they refer to e-discovery (electronic discovery), which differentiated it from “paper document” discovery. It’s an old term because everything is electronic now, but it’s very well known so we all still use it. The way I explain it is that digital forensics includes eDiscovery but eDiscovery is not digital forensics. What I mean by that is that digital forensics is more of a technical, scientific method to obtain and examine the evidence, and I would say that someone who has the proper digital forensics training will do a better collection or acquisition of the data.
Someone who is trained in eDiscovery may be able to do a very good job at analyzing the data, but for the data collection they would use automated tools and not necessarily understand exactly what’s going on behind the scenes. They’ll be able to do a great job analyzing the data, and there’s great software and tools now for e-discovery. It’s a volume issue: if you’ve got 50,000 emails to go through you don’t need to be a full digital forensic examiner to review those emails. However, I really push for having the data collection done by a forensic examiner for best results. Then it’s up to the client to decide if they want to do the examination in-house or have the forensic examiner do it.
How long should service providers keep user data and logs?
Take a company like Verizon or Telus for example: are they keeping everybody’s text messages and emails, and for how long? I’m not familiar with Verizon but it is probably handling data in a similar manner to other services. I know that Telus does NOT keep the message content, only the metadata (i.e. IP addresses or phone numbers, date, time, etc.). Two years of data retention is the most that I have seen in the past, and currently 90 days is the industry standard in Canada.
It’s a volume issue again, since logs need server space or computer space to store it all. In the end it’s a financial issue, since server space needs hardware (hard drives). Some countries have tried to enact laws to force companies to keep logs forever but it’s just not possible. The UK tried it and what happened is some ISP services moved to France. You need to reach a balance between the company’s need to make money and satisfying legal requirements. 90 days is not a long time, so speed is crucial for investigations. Contact us ASAP!
How can digital forensics help with cybersecurity?
Although both fields are separate and have separate goals and methods, they cannot work in silos. You can do digital forensics work without “cyber security”, imaging a computer hard drive for example. But it’s hard to do cybersecurity without some digital forensics. A basic hacking attack will require the computer server hard drive to be imaged using digital forensics methods. There is quite a bit of overlap. Digital forensics training can help with prevention and penetration testing. Understanding digital forensics and how data is recorded is very important when you have a cyber incident to investigate.
If you want to get back to work the next day, maybe you don’t need a full digital forensics examination. If you’re looking at prosecution or lawsuits, then the information that you collect needs to be examined using digital forensics tools and software. Therefore understanding both fields really helps you to get a successful prosecution or lawsuit outcome, especially since a lot of attacks are done by insiders or employees. Examining the computer systems and imaging the computers used by the employees is critical to a successful investigation.
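The imaging step mentioned above is where the “digital forensics method” part matters for a later prosecution or lawsuit: the copy has to be bit-for-bit and its integrity has to be provable. The following added example (not code from the original post or from Alphafox Forensics) shows the minimum a practitioner expects from an acquisition: stream the source to an image file, hash the source and the image independently, record both hashes in an acquisition log, and verify that any later change to the image is detectable. The source is a constructed temporary file standing in for a drive; the paths and the log format are assumptions for the example.

```python
"""Added example: verified bit-for-bit imaging with an acquisition log.
The "drive" is a constructed temporary file; paths are placeholders."""
from __future__ import annotations

import hashlib
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read/write in 1 MiB pieces so large media streams


def hash_file(path: str) -> str:
    # Independent read of a file, so the image hash is not derived from
    # the bytes we think we wrote but from what actually landed on disk.
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_source(source_path: str, image_path: str, log_path: str) -> dict:
    # Copy every byte of the source to the image, hashing the source stream
    # as it passes through, then re-hash the finished image and compare.
    src_hash = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(chunk)
            dst.write(chunk)
    result = {
        "source": source_path,
        "image": image_path,
        "source_hash": src_hash.hexdigest(),
        "image_hash": hash_file(image_path),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }
    result["verified"] = result["source_hash"] == result["image_hash"]
    # Acquisition log: the record an examiner keeps alongside the image.
    with open(log_path, "w", encoding="utf-8") as log:
        for key, value in result.items():
            log.write(f"{key}: {value}\n")
    return result


def verify_image(image_path: str, expected_hash: str) -> bool:
    # Re-verification later (before analysis, or in court): does the image
    # still hash to what the acquisition log recorded?
    return hash_file(image_path) == expected_hash


def demo() -> dict:
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "source.bin")      # stands in for a drive
        image = os.path.join(tmp, "evidence.dd")      # placeholder image name
        log = os.path.join(tmp, "acquisition.log")
        with open(source, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))       # constructed drive contents
        result = image_source(source, image, log)
        result["log_lines"] = sum(1 for _ in open(log, encoding="utf-8"))
        # Simulate a single flipped byte in the image after acquisition
        # (bad media, accidental write): verification must now fail.
        with open(image, "r+b") as f:
            f.seek(100)
            byte = f.read(1)
            f.seek(100)
            f.write(bytes([byte[0] ^ 0xFF]))
        result["verified_after_corruption"] = verify_image(image, result["image_hash"])
        return result


if __name__ == "__main__":
    r = demo()
    print("verified:", r["verified"], "| after corruption:", r["verified_after_corruption"])
```

In a real acquisition the source is read through a hardware write blocker and the hashes are recorded in the case file, which is what makes the image admissible as a faithful copy; the point the code makes is simply that an image without an independent hash of both sides is a copy, not evidence.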
If you have any questions, contact me on LinkedIn. It is the best place to reach me.