Tag Archives: Digital Forensics

Unlocking the code to success – SYTECH Graduate talks about role as Digital Forensic Analyst

Matt Davies – SYTECH
If you are interested in an exciting role at SYTECH, then please get in touch: recruitment@sytech-consultants.com or visit SYTECH Employment.

 

Matt is a graduate of the BSc (Hons) Computer Forensics course and is now working for SYTECH as a Digital Forensic Analyst.

 

Why did you decide to study computer forensics?

“I was looking for a change of career and thought computer forensics sounded very interesting. I wanted a career that was challenging and non-repetitive. During the practical tutorials in the dedicated forensic lab I began to really enjoy the topic, but when it really clicked for me was during my final year project. I became obsessed and would stay in the labs as late as I possibly could, often being asked to leave by campus security so that they could lock the building!”

Why did you decide to study at the University of South Wales?

“The University of South Wales has an outstanding reputation within the industry and I wanted to maximise the value of my degree. Had I not been able to study computer forensics at the University of South Wales, I would not have pursued a career in digital forensics.

“The University of South Wales works closely with the industry of digital forensics in creating its course content. Exposure to advanced forensic techniques such as CCTV reconstruction, forensic data recovery, and chip-off and J-TAG analysis provides students with skills vastly exceeding those of other institutions and a solid foundation upon which to build their careers.”

How did the course challenge and inspire you?

“Dr Huw Read is an excellent lecturer and instilled a new method of thinking within me. Digital forensics is about thinking outside the box, it’s looking at new devices and seeing beyond their hardware capabilities and understanding the functionalities available to the user. It’s about working around the challenges presented by security measures and providing solutions to complex problems. Trust me when I say that there is no greater feeling than that moment when you have overcome a significant challenge. Only when we push ourselves do we discover what we are truly capable of!”

Tell us a bit more about your research?

“My final year project involved creating a forensically sound method of analysing an 8th generation games console. I was given access to a dedicated postgraduate research lab and became obsessed with overcoming the challenges presented by the device. I established a method that does not alter any data during the analysis process. I was awarded a mark of 76% and invited by University lecturers to continue my research during the summer period. In October 2014, I submitted an academic paper at the Digital Forensics Research Conference (DFRWS), Europe’s largest digital forensics conference. In March of 2015, I became a published author and travelled to Ireland to present my work in front of over 200 attendees.”

What does the day-to-day role of a Digital Forensic Analyst entail?

“On a daily basis, I conduct both prosecution and defence examinations of embedded devices, such as mobile phones, tablets, Satellite Navigation Systems, games consoles, etc. The nature of the cases I am involved in ranges from indecent images of children to missing persons and murder investigations. The role also involves travelling around the country conducting on-site extractions of mobile devices and providing expert witness testimony in a court of law.”

How do you feel your course helped prepare you for your job at SYTECH?

“Although I enrolled on the MComp (Hons) Computer Forensics course offered by the University, I withdrew from the course early, as I was offered my position at SYTECH after graduating with the BSc (Hons) Computer Forensics. I now provide lectures at the University of South Wales to provide guidance on the skills required by industry.”

What are your next steps?

“The next step in my career is to undertake further study at the University of South Wales. I am currently in the process of preparing my PhD research proposal and aim to begin my studies in January of 2016. My aspirations are to make a significant impact in the field of digital forensics and for my name to stand for integrity, honesty and professionalism.”

What advice would you give to someone considering studying a degree?

“If you feel as though you are not ‘brainy’ enough, just remember that when I started out I didn’t have any qualifications, I was never any good in school and I’m dyslexic. Now, I’m a graduate, a published author, employed as a Digital Forensic Analyst at a fantastic organisation that believes in me and has faith in my abilities; so much so that they have offered to fund my PhD studies.”
Matt was interviewed by industry publication Forensic Focus earlier in the year. Read the article to find out more about Matt’s research on the forensic analysis of a Sony PS4 and how he thinks the industry will evolve over the next few years.


 

Source: http://www.southwales.ac.uk/story/1995/

From Masters student to Digital Forensic Analyst


“My Masters helped me prepare for this role”

Rachael Medhurst graduated from the MSc Computer Forensics course and now works for SYTECH – Digital Forensics. She tells us how her course helped prepare her for her career.

“I’ve always had an interest in ICT and became particularly interested in the forensics side of computing after completing my BTEC National Diploma at college. I decided to start researching careers in the forensics field and then looked into universities that offered a forensic computing degree.

“I decided to study at the University of South Wales after attending Open Days, where I discovered they offered access to the computing equipment and labs that I was looking for, along with a supportive team of staff.

“I gained a 2:1 at degree level and then decided to take my studies a step further by completing a postgraduate course. I felt this would allow me to gain more skills and experience, such as mobile phone forensics – including chip-off forensics and malware analysis – and ultimately make me more employable. The University offered job fairs where I met ICT companies looking for forensic computing graduates, which gave me lots of information in preparation for my graduation from the course.

“There were certain aspects of the course that I found challenging and it is hard work, especially as I was working full-time alongside my studies. However, talking to lecturers about their previous experiences of forensic work, and those of the visiting professionals who also came in to talk to us about their involvement in the industry, was inspiring. This enabled me to remain focused, as I saw the end result that is possible if you’re prepared to work hard enough.

“I now work for SYTECH – Digital Forensics (Systems Technology Consultants) as a Graduate Digital Forensic Analyst. I’ve just completed three months training in Stoke-on-Trent and will now fulfil the rest of my role in Newport. SYTECH offer expert assistance with all technologies and work with both prosecution and defence for a range of police forces across the country.

“Throughout my time at SYTECH so far, I’ve been trained in the imaging department, where devices are checked in and then taken apart to get to the hard drive, which is imaged using FTK (Forensic Toolkit). Once the hard drives have been imaged, they are then extracted. I have also now progressed to the analysis stage, where I am able to use a range of software to analyse the hard drive. My role also involves reading through paperwork provided by the police force about cases, to gain a full understanding of the potential criminal offence. I’m looking forward to gaining further training in report writing and courtroom training next, as well as potentially completing my EnCase Certification (EnCE) with an external trainer, which is valued in this field.

“My Masters course helped me prepare for this role by enabling me to develop further skills that I feel helped me to stand out at interview. In particular, my experience on the course with imaging, the use of industry software such as FTK and EnCase, plus the ability to maintain the integrity of hard drives by following the correct policies and procedures.”


Rachael Medhurst – SYTECH

Source: http://www.southwales.ac.uk/story/1903/

 

SYTECH Case Study – Digital Forensic Investigations in Cases Against Child Predators and Co-Conspirators

How Cellebrite’s UFED Link Analysis Strengthens Cases Against Child Predators and Co-Conspirators – Mobile Phone Forensic Examinations

 

Who:

Simon Lang, Senior Digital Forensic Consultant / Digital Forensics Manager, SYTECH – Digital Forensics, Stoke-on-Trent, England

 

What:

Use of Cellebrite UFED Link Analysis to attribute suspect handsets and assess and identify victims

 

Why:

Investigating rings of criminals who produce child exploitation materials

 

Results:

UFED Link Analysis saves time and effort associated with connecting suspects and victims on child exploitation, illegal money lending and drug conspiracy cases

 

Child exploitation can be one of the hardest crimes to prosecute. Victims are often too scared or ashamed to admit any connection to a suspect, and paedophiles go to great lengths to protect one another. To make their cases, police need ways to tie suspects and victims to one another via the frequency, type, and mode of their communications. Often this evidence is found on their mobile phones and GPS devices.

 

Simon Lang, Digital Forensics Manager at SYTECH – Systems Technology Consultants Ltd., England, has put UFED Link Analysis to work on several such cases in recent months. In the United Kingdom, law enforcement agencies frequently outsource digital forensics to firms like SYTECH. That’s because when a case goes to trial, the courts require an independent review of the work police did. High-profile or complex cases with multiple devices often end up in court, so teams like Lang’s need tools that enable them to explain digital evidence simply and concisely at trial.

 

Lang himself has been a mobile device forensics examiner since about 2008, and he and his team have used Cellebrite systems since 2011. However, when faced with multiple mobile devices on a single case, they faced the time-consuming process of running data through spreadsheet software.

 

“Creating custom filters in Microsoft® Excel® and looking for common contacts, usernames and IDs, and incriminating content [such as text messages] can take a few hours when comparing the results from iPhones etc.,” says Lang.

 

That’s because of the sheer amount of data that iPhones and other smartphones can store. UFED Link Analysis provides an almost instantaneous graphical representation of the common contacts with the click of a button. “It is easier using these diagrams than looking at rows of text,” says Lang.

 

Why is this important? Lang and his team work on large cases involving multiple defendants across the United Kingdom, including child exploitation and drug conspiracy cases. “This tool comes in extremely handy in child exploitation and grooming cases, which are becoming more common in the UK,” Lang explains. “There are large ‘rings’ of individuals who have been targeting vulnerable people across the country.”

 

One of the most common ways his team uses UFED Link Analysis is for attribution of handsets, when the suspect denies ownership. Investigators can corroborate text messages or instant messaging, call logs and contacts found on the suspect’s handset with like data found on victims’ or other suspects’ handsets.

 

Lang’s investigators also use UFED Link Analysis to compare “clean” and “dirty” phones. In these scenarios, suspects use one device for everyday noncriminal activities, and a second or more devices for their criminal activities. Common contacts and locations between the two can show which devices are used by the same suspect(s) and thus, can tie otherwise “innocent” suspects to the crimes they commissioned or committed.

 

The software is also handy for assessing multiple victims on these cases. The “Links-Mutual” view shows whether victims all had one or more suspects in common on their devices; patterns in keywords or timelines—days of the week or times of day—can help corroborate the evidence.

 

Once the evidence is collected and analysed, Lang uses the snapshot option to show common contacts within cases, placing these within his report. Put together, the links and patterns strengthen the Crown’s case and lead to what Lang believes will be a higher likelihood of conviction.

 

About Cellebrite

Founded in 1999, Cellebrite is known for its technological breakthroughs in mobile forensics. Its Universal Forensic Extraction Device (UFED) is used internationally by law enforcement, military, intelligence, corporate security, and eDiscovery agencies to extract data from legacy and feature phones, smartphones, portable GPS, tablets and phones manufactured with Chinese chipsets.

 

SYTECH – UFED Link Analysis – Child Exploitation Case Study

Forensic analysis of a Sony PlayStation 4: A first look – Presentation Slides – Matt Davies – SYTECH

To accompany the fantastic research carried out by Matt Davies (SYTECH) et al. from:

http://sytech-consultants.com/forensic-analysis-of-a-sony-playstation-4-a-first-look-matthew-davies-digital-forensic-analyst-sytech/

The presentation slides from the DFRWS (Digital Forensics Research Conference) Europe 2015 Annual Conference are now available below:

Forensic analysis of a Sony PlayStation 4 – Matt Davies – SYTECH

Forensic Focus Interview – Matt Davies – Digital Forensics Analyst – SYTECH

Matt, you’re a digital forensics analyst at SYTECH. Tell us a bit about your role and what it involves.

My role at SYTECH predominantly involves the extraction and analysis of embedded devices, such as mobile phones, tablets, satellite navigation systems, games consoles, unknown devices etc. The examinations I am involved in vary considerably and range from indecent images of children (IIOC) to providing assistance in murder investigations. Working for a private organisation, such as SYTECH, allows me to experience both prosecution and defence based cases.

What first made you interested in digital forensics as a field?

It was the varied nature of the work accompanied by the opportunity to make a difference that attracted me to the field of Digital Forensics.

I really didn’t want a mundane or repetitive job; I wanted a career that would provide both challenges and stimulation. So far I have not been disappointed! I have a real passion for forensics and love what I do.

At DFRWS you presented some research on forensic analysis of a Sony PS4. Could you briefly outline this for our readers?

The Sony PlayStation 4 is the most powerful 8th generation games console on the market. As of March 2015, there are over 20,000,000 devices in worldwide circulation. The console’s security features, such as encryption, face recognition technology and passcode protection, make this device the perfect weapon for criminals. Therefore it was essential that an analysis method be devised for this device. The proposed best practice methodology is the result of over 50 experiments conducted upon the PlayStation 4 over a 12 month period.

In the first instance the console’s hard drive is removed, imaged and restored upon a duplicate HDD using a Linux based system. A shadow drive is then inserted between the console and the duplicate drive, which receives all write requests and as such prevents the alteration of data stored upon the HDD. The operational effectiveness of the shadow drive was evaluated in the following manner: The duplicate HDD was imaged and verified. An online analysis of the console’s Internet web browser was conducted and the HDD removed and verified. A comparison of both the MD5 & SHA-1 hash values concluded that no alterations were made to the HDD during the analysis.

A technique that can be exploited by the user enables images viewed online to be stored upon the device. These images are stored as screen captures and can easily be copied to a USB pen drive for evidential purposes. Image and video content acquired via the console and saved to an alternative device (under a different file name) contain metadata that includes the device make & model, firmware version used, original file name and the date and time created. This information can be correlated to the suspected device responsible for creating the artefacts.

One of the greatest challenges with the PlayStation 4 is the continuous updating of system firmware. It has been observed that firmware updates take place at around 8 week intervals and provide additional features as well as “system stability” updates (suspected updating of encryption keys). For each firmware update where the experiments were repeated, the results differ considerably between firmware versions.

You mentioned that one investigative challenge is that Sony is now storing the majority of PlayStation data on the PlayStation Network rather than on each device. Talk us through the unique challenges associated with this, and how they might be addressed.

Having previously evaluated the operational effectiveness of the shadow drive when viewing non PlayStation Network (PSN) dependent content, a second experiment focusing upon PSN was conducted. The experiment involved connecting the console to PSN and sending a single message to a friend, whilst utilising the shadow drive. The console was then rebooted and the message content analysed. The first iteration demonstrated that the message was not visible upon rebooting the console. For validity reasons, the experiment was repeated. On this occasion both the initial and second messages were visible. The experiment was repeated a final time and it was apparent that all messages sent whilst connected via a shadow drive were visible. Therefore, the shadow drive does not prevent data stored in PSN being altered. This presents a significant challenge as data stored in the PSN is duplicated, in part, upon the console’s HDD, meaning that an investigator accessing PSN content without a shadow drive could potentially overwrite existing data or unintentionally delete vital evidence.

The best solution is to use a secondary console to view PSN content. Creating a basic user account without any data will result in that account being populated with the user’s content upon logging into PSN, including unique PSN gamer ID, profile information, messages, party, friends, What’s New, Notifications etc. In addition, an investigator can also access partial PSN data by logging into the suspect’s account via a PC browser. The Sony Entertainment Network (SEN) can be used to prove ownership and contains the user’s real name, address, credit card details etc.

Additional challenges are presented by the console’s remote access features: such options should be disabled, the console restarted and the changes verified prior to conducting an online analysis of the device. In addition, investigators should disable the PSN automatic login feature in order to prevent the alteration of PSN content.

How do you think the world of digital forensics will change over the next few years?

Security Features
The industry trends seem to indicate a significant increase in the use of security features such as encryption, biometrics and passcode protection. Over the coming years such features are likely to become more widely utilised, and as a result present greater challenges to forensic investigators.

Technological Evolution
It has been said for many years that the line between personal computers and embedded systems is becoming increasingly blurred. The technological advancements, accompanied by larger storage capacities, will continue to present significant problems for digital investigators. According to Sony, the PlayStation 4 possesses 43 times the processing power of the PlayStation 2 and 10 times that of the PlayStation 3. One can’t help but wonder what the PlayStation 5 will have in store for us!

Social Media
The sharing capabilities of the PlayStation 4 enable social media websites such as Facebook, Twitter and YouTube to be synced with the device. Tablets and mobile phones also encourage users to share content via social media applications; the whole area seems to be expanding at an alarming rate.

We only need look at the development in mobile phone forensics over the past 5 years to see how far the field of digital forensics has already come. The challenges faced by investigators in the coming years will greatly surpass those seen in previous years; providing a solution to these is far from impossible. Perhaps the greatest change to the field of digital forensics will be the operational requirement for dedicated Research & Development teams within every organisation. We might also see a significant shift from traditional forensic techniques and the reliance upon industry standard tools. There has been a great deal of debate in this area and as to whether or not the whole forensics process is becoming automated. I think it’s an interesting discussion and one that is likely to continue in the future.

I am currently continuing further research into game console forensics and intend to present the results at DFRWS 2016, Switzerland.

Matt Davies is a Digital Forensics Analyst at Sytech, who work on digital investigations across all areas including criminal justice, civil litigation and corporate.

Forensic Focus interviewed Matt at DFRWS, the annual Digital Forensics Research Workshop, which took place in Dublin from the 23rd-26th of March. The next workshops will be held in Philadelphia in August 2015, and Switzerland in March 2016. You can find out more and register here.

Original Forensic Focus Article