Copies of legal and audit evidence are spreading everywhere. The “syncing” of digital devices and services is revolutionizing the forensic collection of electronic evidence.
Discoverable evidence is no longer confined to islands like an email archive or a hard drive. The evidence is multiplying. It is being copied and copied again. It is backed up here, it is automatically shared there, and it is accessible some other place.
Hence, if relevant text messages have been deleted from a phone, they may still be recoverable from a synced backup on:
Today, when a consumer or a business professional sets up a new device like an Android phone, they are encouraged to sync their
contacts and photos with cloud services and with other devices. Many people do not deeply understand what this means.
Recently I witnessed the surprise of an iPhone user who lost her phone and bought a new one. All of her details, like photos and settings emerged like magic on the new phone. Why? Because they were backed up in the iCloud . . . even though she did not realize they were stored there.
Many modern cell phones automatically back up data to the cloud so that the data can be restored if the user "resets" the phone. See this image from an HTC One phone.
Such cloud backup service is a relatively new development in the smartphone universe. The full implications of this service can vary from one situation to the next and from time to time. Can texts be recovered from this backup? Photos? Log-on credentials for mobile apps like Snapchat? Contents of mobile apps, which may themselves contain sensitive messages, images, geolocation data etc., etc.?
An investigator may need to research and play around with a service to learn what evidence can be recovered from it in any given situation. The investigative process is unpredictable and labor-intensive. Therefore it may be expensive if you are paying an investigator to work by the hour.
The backup functionality can be complex, and hard for even a reasonably educated person to understand. I have been working with a new HTC One phone (July 2014). I've enabled automatic backup, but I am still puzzled about precisely what the backup does. I see this explanation on HTC's web site:
It says my data is at my "Dropbox storage" . . . but I am not aware that I have ever set up a Dropbox account. So far I've not been able to ascertain whether I can access this "Dropbox storage" by any means other than "resetting" the phone . . . or possibly duplicating the contents of the phone onto a different HTC phone.
(I am guessing that somewhere in the setup of the phone and the setup of the backup function HTC created a Dropbox account for me . . . but that is just a guess. I did not notice this happening. I have not noticed a "welcome" message from Dropbox.)
Many people come to this blog seeking to get texts and photos from a telecommunications carrier like AT&T. However, the carriers are often uncooperative. The better path for recovering data may be from the cloud backup, such as HTC's Dropbox storage or Apple's iCloud.
Some cloud services encourage you to make automatic backups because they want you to become dependent on them. Microsoft’s OneDrive gave me three extra free gigabytes of space if I’d set up the CameraRoll on my Windows laptop to upload its contents automatically to OneDrive. Microsoft is hoping I will upload so much (perhaps without thinking about it) that I will need to purchase additional storage.
HTC and Apple provide backup as an incentive for the customer to come back to them when the customer purchases a new device.
Many users will forget about their various backups. Therefore, if they were asked in a legal deposition or interrogatory whether they had backups they’d honestly say no. However, a diligent investigator could find the backup(s).
An effective investigator does not necessarily need special equipment or high technical skills to find the backed up data. Instead, the investigator needs patience and an inquisitive disposition. Computer devices like tablets and online services like OneDrive are emerging and changing constantly. No one can know everything about them. However, their features and behaviors can be researched and intuited by a persistent investigator.
With that said, a trained investigator will know how to order and document his work so it can more readily be established as reliable in court. In a criminal prosecution, a court may expect proof of the “chain of custody” for the evidence. Further, the work of a licensed and/or certified investigator may be perceived as more credible.
What’s more, sometimes special forensic tools are critical to recovering data. For example, a forensic specialist reports he recently used forensic tools to recover deleted email by accessing the “shadow” copy maintained for disaster recovery on the hard drive of a Windows PC.
When a user syncs a device with something else, there’s never a sensational notice like this: “Warning. By syncing your phone, you are creating backup records of photos and text messages that can be discovered by the police or your ex-spouse in a legal investigation.” Users are often presented lengthy (boring) terms and conditions, but few users scroll screen-after-screen on their mobile devices to read and absorb the
implications of the terms. As the adjacent photo shows, the terms may say that nonspecific, neutral-sounding “content” will be stored, but rarely do users cogitate over that word.
When a user sets up syncing, they may create a password that they then forget. Sometimes the only practical way to access the synced backup records is by using the device from which the records originally came. For instance, an app on a phone may be causing records to be stored on a social media or cloud site. The only practical way for the investigator to get credentials for logging onto the site might be to use the app as it is installed and configured on the phone.
With appropriate authority, a talented investigator can reset passwords and recover forgotten accounts. Authority might come from, for example, user consent, a court order or a BYOD agreement between the user and her employer.
Apple's iCloud is notorious for storing records in ways that confuse iPhone or iPad users. This confusion has contributed to a scandal around nude celebrity photos. Remarkably, a user (like a celebrity) can delete photos from his/her iPhone but not realize they are still stored in iCloud, waiting to be discovered by an investigator . . . or a hacker.
Further, even if the user has figured out how to delete the photos from iPhone/iPad and iCloud, they can still be backed up in iPhoto on the user's Mac desktop or laptop. Getting rid of all the data requires extraordinary diligence!
By: Benjamin Wright
Update November 2015: I am a fairly sophisticated user of mobile devices. But I am shocked today to find that Google Photos is automatically uploading photos from one of my devices to its cloud! I truly believe I had that function turned off. And over the months I've been checking to see if any photos were being uploaded automatically. Until recently, no photos were being uploaded automatically. But lo and behold today I discovered that somehow the automatic upload function is uploading photos. The problem is that I recently bought a new, additional device. The new device is a bit different from prior devices, so I did not sync the settings. I did not think through the implications of that decision. I did not cogitate on the fact that if I don't sync settings, then privacy decisions I have made (like no automatic uploads) would be overridden on the new device by the "helpful" default setting that upload stuff automatically to the cloud. The lesson is that commonly users will not realize how much of their stuff is being replicated to the cloud. This unexpected replication creates a potential treasure trove of evidence for official investigators.
Update December 2015: Gadzooks. I am astounded to find recent photos from my smartphone uploaded to the cloud. I have unambiguously turned off sync and backup. But Google is still sending some of the photos to Google's cloud.
Discoverable evidence is no longer confined to islands like an email archive or a hard drive. The evidence is multiplying. It is being copied and copied again. It is backed up here, it is automatically shared there, and it is accessible some other place.
Hence, if relevant text messages have been deleted from a phone, they may still be recoverable from a synced backup on:
- PC hard drive
- enterprise email account
- cloud storage account like Dropbox or Gdrive (cloud storage often enables automated copying to multiple devices; something copied to Gdrive may automatically be copied to your home PC hard drive and the hard drive of your personal laptop)
- wearable device like a smart watch
- dedicated local storage device (a “cloud in your home”)
- television in the living room
- soon . . . your Internet-of-Things refrigerator!
Can You Remember All the Services Enabled on Your Smartphone?
Today, when a consumer or a business professional sets up a new device like an Android phone, they are encouraged to sync their
Recently I witnessed the surprise of an iPhone user who lost her phone and bought a new one. All of her details, like photos and settings emerged like magic on the new phone. Why? Because they were backed up in the iCloud . . . even though she did not realize they were stored there.
Many modern cell phones automatically back up data to the cloud so that the data can be restored if the user "resets" the phone. See this image from an HTC One phone.
An investigator may need to research and play around with a service to learn what evidence can be recovered from it in any given situation. The investigative process is unpredictable and labor-intensive. Therefore it may be expensive if you are paying an investigator to work by the hour.
The backup functionality can be complex, and hard for even a reasonably educated person to understand. I have been working with a new HTC One phone (July 2014). I've enabled automatic backup, but I am still puzzled about precisely what the backup does. I see this explanation on HTC's web site:
It says my data is at my "Dropbox storage" . . . but I am not aware that I have ever set up a Dropbox account. So far I've not been able to ascertain whether I can access this "Dropbox storage" by any means other than "resetting" the phone . . . or possibly duplicating the contents of the phone onto a different HTC phone.
(I am guessing that somewhere in the setup of the phone and the setup of the backup function HTC created a Dropbox account for me . . . but that is just a guess. I did not notice this happening. I have not noticed a "welcome" message from Dropbox.)
Many people come to this blog seeking to get texts and photos from a telecommunications carrier like AT&T. However, the carriers are often uncooperative. The better path for recovering data may be from the cloud backup, such as HTC's Dropbox storage or Apple's iCloud.
Did You Automate and Then Forget?
Some cloud services encourage you to make automatic backups because they want you to become dependent on them. Microsoft’s OneDrive gave me three extra free gigabytes of space if I’d set up the CameraRoll on my Windows laptop to upload its contents automatically to OneDrive. Microsoft is hoping I will upload so much (perhaps without thinking about it) that I will need to purchase additional storage.
HTC and Apple provide backup as an incentive for the customer to come back to them when the customer purchases a new device.
Many users will forget about their various backups. Therefore, if they were asked in a legal deposition or interrogatory whether they had backups they’d honestly say no. However, a diligent investigator could find the backup(s).
Does Investigator Need Training?
An effective investigator does not necessarily need special equipment or high technical skills to find the backed up data. Instead, the investigator needs patience and an inquisitive disposition. Computer devices like tablets and online services like OneDrive are emerging and changing constantly. No one can know everything about them. However, their features and behaviors can be researched and intuited by a persistent investigator.
With that said, a trained investigator will know how to order and document his work so it can more readily be established as reliable in court. In a criminal prosecution, a court may expect proof of the “chain of custody” for the evidence. Further, the work of a licensed and/or certified investigator may be perceived as more credible.
What’s more, sometimes special forensic tools are critical to recovering data. For example, a forensic specialist reports he recently used forensic tools to recover deleted email by accessing the “shadow” copy maintained for disaster recovery on the hard drive of a Windows PC.
Is the User Given Good Legal Disclosure?
When a user syncs a device with something else, there’s never a sensational notice like this: “Warning. By syncing your phone, you are creating backup records of photos and text messages that can be discovered by the police or your ex-spouse in a legal investigation.” Users are often presented lengthy (boring) terms and conditions, but few users scroll screen-after-screen on their mobile devices to read and absorb the
When a user sets up syncing, they may create a password that they then forget. Sometimes the only practical way to access the synced backup records is by using the device from which the records originally came. For instance, an app on a phone may be causing records to be stored on a social media or cloud site. The only practical way for the investigator to get credentials for logging onto the site might be to use the app as it is installed and configured on the phone.
With appropriate authority, a talented investigator can reset passwords and recover forgotten accounts. Authority might come from, for example, user consent, a court order or a BYOD agreement between the user and her employer.
iCloud and iPhoto Pitfalls
Apple's iCloud is notorious for storing records in ways that confuse iPhone or iPad users. This confusion has contributed to a scandal around nude celebrity photos. Remarkably, a user (like a celebrity) can delete photos from his/her iPhone but not realize they are still stored in iCloud, waiting to be discovered by an investigator . . . or a hacker.
 |
| Like pink stain in "The Cat In The Hat Comes Back," data won't disappear. |
By: Benjamin Wright
Update November 2015: I am a fairly sophisticated user of mobile devices. But I am shocked today to find that Google Photos is automatically uploading photos from one of my devices to its cloud! I truly believe I had that function turned off. And over the months I've been checking to see if any photos were being uploaded automatically. Until recently, no photos were being uploaded automatically. But lo and behold today I discovered that somehow the automatic upload function is uploading photos. The problem is that I recently bought a new, additional device. The new device is a bit different from prior devices, so I did not sync the settings. I did not think through the implications of that decision. I did not cogitate on the fact that if I don't sync settings, then privacy decisions I have made (like no automatic uploads) would be overridden on the new device by the "helpful" default setting that upload stuff automatically to the cloud. The lesson is that commonly users will not realize how much of their stuff is being replicated to the cloud. This unexpected replication creates a potential treasure trove of evidence for official investigators.
Update December 2015: Gadzooks. I am astounded to find recent photos from my smartphone uploaded to the cloud. I have unambiguously turned off sync and backup. But Google is still sending some of the photos to Google's cloud.
No comments:
Post a Comment