Cornerstone Discovery's insights from Techno Security & Digital Forensic Conference
Keeping up with the latest technology and trends in Digital Forensics & Security
Cornerstone Discovery sent its Digital Forensic team to Myrtle Beach, South Carolina this week to attend the Techno Security & Digital Forensics Conference. This conference hosted corporate network security professionals, federal, state, and local law enforcement digital forensic specialists, corporate and private forensic examiners, and industry leaders from the US and around the world. Cornerstone's team was invited by its partner, Cellebrite, the global leader in mobile forensics software.
In attendance from Cornerstone Discovery were Director of Operations, Jason Silva, Certified Forensic Examiners, Brian Stofik (CCME ACE) and Benjamen McCollum (ACE), and Lead Developer and Forensic Examiner in training, Kyle McArdle.
Jason's Key Takeaway: Threat Hunting and Triage
My key takeaway from this conference was the advances in technology to allow Cornerstone to assist clients with proactive threat monitoring, so we can help them avoid costly litigation. Typically we are brought in to assist with incidents after the damage is done, but leveraging the knowledge gained at Techno Security, I hope to consult with our corporate clients to detect and mitigate threats real time, to avoid data breaches, intellectual property theft, and costly remediation.
Other interesting notes include investigative techniques that focus on P.O.L.E: People, Objects, Location, and Events. This train of thought allows our digital forensic investigators to relate data from multiple sources such as computers, phones, and social media to build a comprehensive understanding of the people involved, what digital assets are in question, and when and where relevant events occurred. Continuing education for our examiners and organization as a whole, like here at Techno Security Conference, is important for us to provide our clients with the best possible forensic investigations with cutting edge techniques and analytics.
Brian's Key Takeaway: Collection at a Mass Crime Scene: The Pulse Nightclub Tragedy
This seminar focused in on the investigation and collection of over 300 mobile devices related to the terrorist attack at Pulse Nightclub in Orlando, Florida last year. During this seminar, the panel discussed the importance of organization and leadership with clear procedures in place. Unfortunately, this was a tragic event with over 50 fatalities and 58 non-fatal injuries. The Orlando PD with the help of the FBI, the Secret Service and other agencies were able to create a collection plan and implementing it quickly. Creating localized “command centers” at the club, hospital and morgue with appointed leaders to ensure the proper collection of digital evidence was key for a successful investigation. As a forensic examiner at Cornerstone Discovery, I am responsive for overseeing and organizing both criminal and civil forensic collections ranging from one cell phone up to terabytes of data. The fast response and careful organization of the forensic collection during the pulse nightclub investigation was critical to law enforcement's efforts to track down the perpetrator of this horrible crime. I hope to utilize the methodology and insights gained from their experience in my own forensic collections.
Kyle's Technical Review: Encryption is a Problem
Going into Techno Security first and foremost as a nerd (and secondly as a “developer”) and just beginning my formal forensic training, I had no idea what I was getting myself into. I was hoping to expand my knowledge of mobile operating systems, specifically Android, and learn more about the underlying technology that some of these forensic companies (including Cornerstone) use to extract and unlock data from today’s mobile operating systems. My number one question was simple: how do you decrypt a fully encrypted Android phone when you cannot unlock the bootloader? Three days of talks later and I found the answer.
Spoilers: You can’t.
Encryption was the number one topic discussed throughout the conference. Almost every seminar I attended touched on the subject (with some talks specifically about encryption.) Encryption on the PC side of things has always existed. However, even today in 2017, it has never really become mainstream for many reasons. Complexity to the end user, hardware requirements, and cost have all deterred full disk or file based encryption on both Windows, MAC, and Linux for the layman for years. With the rapid advancement of hardware, software, and sheer volume of smartphones being produced today. Encryption is now enabled by default on almost every single Android and Apple device being sold today. Over the next few years both law enforcement and the private sector are going to have to overcome some gigantic hurdles if they expect to continue using mobile devices in legal cases without the user’s authorization.
Apple has been using hardware and file based encryption for a long time now since they control all the hardware aspects of their devices. This contrasts Google who simply have been providing Android to Original Equipment Manufactures (OEMs) who can then do whatever they want. However, this is changing. With Android 7.1 every phone shipping with the newest OS must enable encryption by default, or risk losing their access to the Google Play Store. This shift in the industry standard is a direct reaction to end user’s call for privacy.
All that said, the cat and mouse game of breaking encryption hasn’t changed since the codebreakers of World War II. Where there is a will (and several millions of dollars) there is a way. Can the NSA or FBI get into your brand-new Galaxy S8 with Android 8.0? Perhaps. Will they spend the millions of dollars and thousands of man hours to do so for a white-collar crime? Absolutely not. The next few years are going to be very interesting as forensic companies like Cornerstone will need to innovate their data collection methods. One thing is certain; the entire industry is finally realizing that this will become an issue down the road, and being proactive is the best approach for success in the future.
Benjemen's Dive into the Darknet:
The darknet (sometimes called the darkweb) is here to stay, and it's only going to get bigger. The darknet is a network running across the "public" internet that is hidden from normal view, and only accessible using specialized software to ensure all traffic is private and anonymous. This makes the darknet attractive for criminals and unsavory persons to conduct illegal activity, but not all darknet activity is criminal in nature!
Legitimate users include whistle-blowers, journalists, and oppressed citizens in countries where free speech is a punishable offense. With trends in net neutrality going the way they are, more and more mainstream users will venture over to the "darkweb". While there are ways to track and discover this hidden internet, social engineering and old-fashion spy work is still the best way to get in. Social engineering involves creating false identities on the dark net, back-filling social profiles, and crafting a story to infiltrate network, blogs, and private sites. Darknet investigations can be complex and activity on the darknet is hard to track, but with time, effort, and good old-fashioned investigative skills, there are ways to access the darknet.