Exploring the world of digital forensics
by Mirko Zorz - Tuesday, 10 July 2012.
Jess Garcia, founder of One eSecurity, is a senior security engineer and an active security researcher in areas of incident response, computer forensics and honeynets. In this interview he talks about mobile forensics, cyber crime scenes, how forensics experts testify in court, privacy concerns, and more. Garcia will be teaching at SANS Forensics Prague 2012.

Let's say we're looking at a cyber-crime scene comprised of several still powered on computers as well as confiscated smartphones. When the forensic investigator arrives, what does his workflow look like?

Mobile devices are typically the most volatile of all the evidence, because they are constantly exchanging data (via wifi, 3G, Bluetooth, calls/SMS, etc.). The typical first step is to isolate those devices using appropriate measures (such as Faraday bags), to prevent a potential remote wipe or alternative technique directed to alter or destroy evidence in the device.

Certain precautionary measures should also be taken into account, like disabling access passwords or PINs in case the device is unlocked (for preventing re-locking), connecting it to a power source (to prevent battery exhaustion), etc. Similar steps should be taken with computers (in case they are connected to the network).

After that, a traditional forensics process can be carried out: on-site triage and pre-analysis if required, forensic acquisition of memory, hard drives, evidence preservation, etc.

Mobile devices can at times be acquired at the forensic lab, where you work in a more friendly environment with a better signal isolation. In that case, you need to make sure the device is kept connected to a power source at all times, since the signal isolation will quickly drain the batteries.

What forensics tools do you prefer and why?

I literally have hundreds of forensic tools in my "bag", both open source and commercial, Windows, Linux and Mac. Each case typically requires different tools and techniques, and sometimes a specific small utility can save you hours of work. It is important to be up to date with the latest versions, keep an eye on new tools and new features of your current tools.

If I have to mention just one tool, I will mention the SANS SIFT, which is open source and freely downloadable from the SANS website, and which comes with a myriad of forensic tools ready to use in a forensically friendly environment.

What advice would you give to a forensic investigator that needs to present his findings in front of a jury in court?

Court is a weird, confusing and at times hostile environment for technical professionals. In our world things are binary, black or white. Law is all about interpretation.

If you need to testify in court, just be objective, translate to normal words any non-technical person can understand your findings and conclusions, in a professional and scientific way.

There is an excellent book, A Guide to Forensic Testimony, which I love and I always recommend to my students. It is a must read if you are going to testify in court, as it will open your eyes to how things work. A perfect case can be a lost case if the expert witness is not able to properly translate the findings for the audience.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Thu, Feb 4th