Digital Evidence does not exist in a vacuum
Locard’s Exchange Principle is one of the fundamental ideas in forensic science which states that: “every contact leaves a trace”. This most fundamental of principles holds true just as well in the world of digital forensics, but increasingly we must consider more carefully both what these points of contact are; and when contact is made, where these traces may be found.
Digital forensics is concerned with examining the traces left in the digital landscape; that landscape is ever widening. 15 years ago the ubiquitous personal computing device was the PC: a single, mostly self-contained unit. If a PC connected to the web, was likely involved primarily with passive consumption of data rather than active participation in it.
Today’s digital lives are instead made up of a complex web of interconnected data sources; actions taken sending ripples out and leaving their imprints across many of these different sources. Without carefully considering the sources of data and the interactions between them, we risk missing, or misinterpreting crucial information in a case.
In this blog, I want to explore some of the issues that we need to take into consideration when examining digital evidence to help us better understand what these data sources might be and how they may interact.
Head in the Cloud
It is probably one of the least controversial statements you can make, but it’s worth stating nevertheless: the high availability of high-speed internet connections has altered the context in which we consider our computing devices. As recently as the late 1990s, a fast internet connection was a novelty afforded to enthusiastic early adopters willing to shell out a significant premium for the privilege. An offline household with no access to the web would not be considered strange in the slightest and the suggestion that you might wander along the road accessing video, on demand, at a quality and resolution much higher than terrestrial broadcasts would be farcical.
Today though, an “always-on” connection to the internet is a baseline expectation for many people, and nothing strikes fear into the hearts of this generation of users like disconnected 4G, and a non-functioning broadband connection is mere inches away from being a human rights crisis. Of course, this universal provision of high-speed internet provides near instant access to information and entertainment at a moment’s notice but there’s a subtler change that has been happening over the last few years that (by the very nature of this speed) if implemented correctly is almost entirely transparent to the user: our devices, though ever more powerful, are needing to do and store less.
Cloud computing is essentially the idea that large powerful computers connected to the internet can do things better than our own comparatively puny devices, and with this high-speed, always-on internet connection we needn’t even know that these powerful, internet connected computers are involved at all. There are other benefits as well, most prominently, it means that our experience of these services is consistent across our ever-growing range of devices, and this is never more obvious than in the case of cloud storage.
Cloud storage is a type of service that allows people to store their files and data not on their own devices but rather in a remote location available on the internet. This has many benefits from a user’s perspective, such as: saving storage space on their devices; allowing access to these files from multiple internet connected devices concurrently and different locations; automatic back-up of important files; and simplified sharing of data with third-parties.
On modern computing devices, the use of cloud storage is approaching ubiquity. All major mobile and desktop operating systems currently come with cloud storage services pre-installed (Microsoft OneDrive on Windows; iCloud on Apple devices; and Google Drive on Android) and signing up to these services is either a requirement when first setting up the device, or at the very least presented in such a way that an average user would interpret it as such. Once signed-in, unless a user specifically configures the device to do otherwise, the use of these cloud storage services happens in a largely transparent manner, with files being synchronised to the cloud automatically without user interaction.
This presents a new challenge for digital investigations as files and data which we might previously have expected to be stored locally on a device, may instead be stored in a remote location; what’s more, the owner of this data may not even be aware of this. Specialist tools and skills are required to acquire this data; to make sense of the gaps that are left or analyse the point of origin for data which may have struck out a path across the cloud.
There are opportunities that the wide use of cloud synchronisation present to us as well: a user may not be aware that data that they have deleted on a device may still be readily available on the cloud. Cloud storage also often stores multiple revisions of a file so we may be able to consider the changes that the data have undertaken over time and the entities that enacted those changes.
Riding on the back of the proliferation of cloud technologies, there has been a push towards providing a consistent experience for users across the whole range of their devices. What this means in practice is that an action taken on one device can be mirrored, automatically on another.
To give a practical example: someone making use of the Chrome browser from Google can choose to “log in” to the browser on multiple devices (their phone, tablet, home PC, work laptop). Browsing activities such as open tabs, websites visited, bookmarks, etc. will be made available on all devices. Browse the web on your phone on the journey to work, and when you sit down at your desk, all those sites you were making use of are already open and waiting for you.
This synchronisation can also be integral to the functionality of a device’s operating system as is the case with Apple’s iOS and macOS operating systems with messages, contact information etc. all being synchronised between devices via the iCloud services; even phone calls received by an iPhone can be answered on a MacBook sharing the same iCloud account login.
This creates a new range of challenges when examining data extracted from multiple devices. When examining information which has the possibility to be synchronised between multiple devices we have new questions to answer around the provenance and attribution of the data: did it originate on the device, or did it arrive there transparently through a synchronisation operation?
The Internet of All the Things
So far, we have primarily spoken about what might be considered “traditional” computing devices (smart phones, PCs, etc.) but it is commonplace these days for everyday household items (fridges, televisions, vacuum cleaners, lightbulbs, cars, etc.) to also contain their own computing platform and connect to the internet – “the Internet of Things” (IoT).
We’ll leave aside the question of exactly why we’re suddenly so keen to connect everything to the internet with reckless abandon whilst risking our online privacy and security, but suffice to say that the allure of controlling and automating every aspect of our existence is too strong to resist for many – this technological trend is set to grow and grow.
And there are real benefits to consumers here. It’s hard to argue that being able to turn on your home’s heating system from your smartphone as you travel home on a particularly chilly evening is comforting; remote monitoring of your house security system gives peace of mind and telling your house, by speaking out loud, to dim the lights down to mood lighting mode is surely the future we’ve always been promised.
Of course, with every new device that we add to our own digital lives, we create new digital traces for actions which would never previously have done so. When considering a person’s patterns of life, every time a light is switched on, a television program viewed, the heating turned up or the carpets vacuumed, they can be a new witness to that person’s activities.
This brave new frontier of evidential possibilities is somewhat complicated though: although a lightbulb may be the point of contact that Locard spoke of, the trace left may very well not reside with the lightbulb itself. The communication between elements in the internet of things is a complex network – we might use our smart phone to control a lightbulb, but that request may flow onto the internet and into the cloud, before arriving back at our home, into a hub device which manages our lightbulbs before finally arriving at the bulb itself. Traces of this action may be stored in any or all of those locations (although, in a cruel twist, the lightbulb will likely be the least complicit witness of them all in this example). Because of this, making sense of evidence from the Internet of Things requires a great deal of understanding of the infrastructure used when these everyday household items start talking to one another. It cannot be denied, though that the intelligence that these items can provide should not be understated.
Taking in the bigger picture
The jigsaw puzzle that is digital forensics is only getting more complex as newer devices come to market and get added to the growing ecosystem of people’s digital lives. CCL has over 15 years of experience in putting these pieces together so if you want to get in touch and discuss how we can help you make sense of the bigger picture then contact CCL on (+44) 01789 261 200 or by email: firstname.lastname@example.org.
Principal Analyst (Research & Development)
(This is an edited version of an article which appeared in The Expert Witness Journal. You can find the original version here: http://www.expertwitnessjournal.co.uk/more/past-issues/956-issue-22).