November 29, 2025 12 mins
In this lesson, you’ll learn about:
• The purpose and scope of mobile forensics
  • Introduction to the course structure, online training logistics, and preparation for the Certified Mobile Forensic (CMF) exam.
  • Overview of provided resources such as forensic report templates, chain-of-custody forms, and research platforms like Packetstorm and Exploit-DB.
• Unique technical challenges in mobile device acquisition
  • Why mobile forensics is inherently less forensically sound due to unavoidable data alteration when powering on or connecting devices.
  • The constant arms race with advanced device encryption and OS security patches that can rapidly render expensive forensic tools (e.g., GrayKey) ineffective.
  • Legal and procedural risks of using exploits: though sometimes necessary, they violate the Daubert standard and require meticulous documentation to avoid evidence dismissal.
• The full role and responsibilities of the Computer Forensic Examiner (CFE)
  • The CFE oversees the entire forensic process from evidence seizure (“tag and bag”) to courtroom testimony.
  • Understanding the scope of authority through search warrants (under the Fourth Amendment) or corporate policy.
  • Search warrant requirements: establishing probable cause and clearly describing both the place to be searched and the specific items to seize—including hidden storage devices (micro SD cards in coins, poker chips) and altered devices like jailbroken consoles.
  • Situations where the Patriot Act may override the Fourth Amendment in terrorism investigations.
• Standard forensic procedures for evidence handling and preservation
  • Securing evidence and documenting every action—ideally using methods such as video recording.
  • Preparing systems for acquisition, which often involves shutting down the device and removing storage media.
  • Preventing evidence alteration by using write-blockers, especially with operating systems like Windows that modify metadata upon connection.
  • Performing bitstream (forensic) copies whenever possible, reserving logical copies for time-critical scenarios.
• Quality assurance, standardization, and avoiding common mistakes
  • Importance of peer review, standardized reporting formats, and consistent workflows to ensure reliability in forensic results.
  • Risks posed by untrained first responders—such as system administrators—who may unintentionally alter timestamps or damage critical evidence when attempting to “fix” systems.
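A worked example of the acquisition steps listed above (added here; it is not material from the course or the podcast): a Python script that makes a bitstream copy of a source, hashes the source and the image independently, writes each action to a chain-of-custody log, and re-verifies the image before analysis. The JSON-lines log layout, the field names and the `examiner-01` label are assumptions made for this example; the source is a constructed file standing in for a block device, and the read-only open is a software safeguard only, not a substitute for the hardware write-blocker the notes call for.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # 1 MiB read size keeps memory flat on large images


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def append_custody(log_path, entry):
    """Append one record to the chain-of-custody log (assumed JSON-lines layout)."""
    with open(log_path, "a", encoding="utf-8") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")


def read_custody(log_path):
    """Return every record in the custody log, oldest first."""
    with open(log_path, "r", encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def bitstream_image(source, image, log_path, examiner):
    """Copy every byte of `source` into `image`, hash both, and log the action.

    The source is opened O_RDONLY. That only stops this process from writing;
    it does not stop the host OS from touching the device, which is why a
    hardware write-blocker belongs between the evidence and this machine.
    """
    src_hash = hashlib.sha256()
    copied = 0
    fd = os.open(source, os.O_RDONLY)
    with os.fdopen(fd, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)
            dst.write(block)
            copied += len(block)
    # Hash the written image in a separate pass: a write error then shows up
    # as a mismatch instead of being hidden by the in-flight source hash.
    image_hash = sha256_of(image)
    entry = {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "bitstream_image",
        "source": os.fspath(source),
        "image": os.fspath(image),
        "bytes_copied": copied,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
    }
    append_custody(log_path, entry)
    return entry


def verify_image(image, expected_sha256, log_path, examiner):
    """Re-hash an image before an analysis session and record the check."""
    ok = sha256_of(image) == expected_sha256
    append_custody(log_path, {
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": "verify_image",
        "image": os.fspath(image),
        "expected_sha256": expected_sha256,
        "verified": ok,
    })
    return ok


def demo():
    """Image a constructed stand-in for a device, re-verify it, then show a tampered image failing."""
    work = tempfile.mkdtemp(prefix="cmf-demo-")
    source = os.path.join(work, "evidence.bin")  # constructed sample, not real evidence
    image = os.path.join(work, "evidence.dd")
    log = os.path.join(work, "custody.jsonl")
    payload = b"CONSTRUCTED SAMPLE " * 4096 + bytes(range(256))
    with open(source, "wb") as f:
        f.write(payload)
    entry = bitstream_image(source, image, log, examiner="examiner-01")
    clean_ok = verify_image(image, entry["image_sha256"], log, "examiner-01")
    # Simulate an image altered after acquisition: one flipped bit must fail verification.
    with open(image, "r+b") as f:
        first = f.read(1)
        f.seek(0)
        f.write(bytes([first[0] ^ 0x01]))
    tampered_ok = verify_image(image, entry["image_sha256"], log, "examiner-01")
    return {"entry": entry, "clean_ok": clean_ok, "tampered_ok": tampered_ok,
            "log": read_custody(log), "expected_bytes": len(payload)}


if __name__ == "__main__":
    print(json.dumps(demo()["entry"], indent=2))
```

The custody log gets one record per action, so the acquisition hash, every later re-verification and the examiner who performed each step are all on the record the report template and chain-of-custody form ask for; the tampered-image step shows why the hash is re-checked at the start of every analysis session rather than only once at acquisition.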


You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
Episode Transcript

Available transcripts are automatically generated. Complete accuracy is not guaranteed.
Speaker 1 (00:00):
Welcome back to the deep dive. You know, if you're
like most of us, the most critical evidence of your life.
I'm talking financial records, conversations, where you've been, it's all
right here, encrypted, patched and sitting in your pocket. The
days of finding some smoking gun in a filing cabinet
are pretty much over.

Speaker 2 (00:18):
They're absolutely over.

Speaker 1 (00:20):
So our mission today is to step into the incredibly complex,
really high stress world of the computer forensic examiner or CFE.
We're going to dive deep into the legal tight ropes
and the well the technological quicksand they navigate every single day.

Speaker 3 (00:37):
It's a genuine race against time and the integrity of
the evidence. It starts the second an investigation.

Speaker 1 (00:42):
Is launched, from the very beginning. From the.

Speaker 3 (00:43):
Very beginning, a CFE is responsible for everything starting with,
you know, the physical seizure of an item, what's often
called the tag and bag, which is all about documenting
and sealing. But that responsibility, it goes all the way
to the end to the.

Speaker 2 (00:55):
Public speaking part.

Speaker 1 (00:56):
You mean presenting in court.

Speaker 3 (00:58):
Exactly presenting that evidence under oath in a courtroom.

Speaker 1 (01:01):
And the challenge isn't just about finding the data, is it?
It's making sure every single step you take meets these
rigid legal and technical standards, because if you miss just
one tiny procedural beat the whole case, no matter how
strong the evidence is, it could just be thrown out.

Speaker 3 (01:19):
That's right, because its integrity is compromised. We're exploring how
these experts navigate all that, the legal, the procedural, the technical,
to make sure digital evidence is actually admissible in a
world where the tech changes faster than the rules can
even be written.

Speaker 1 (01:33):
So let's start with that central conflict. It really begins
with the devices we all use every day. We all
know a modern cell phone is basically a computer, but
what makes it so different or maybe so much more
challenging than investigating some dusty old desktop PC.

Speaker 3 (01:48):
It really comes down to two things, volatility and connectivity.
When we talk about traditional dead box forensics, the computer's
usually off, it's frozen in time. But a modern phone
is perpetually live. The second you turn it on, or
plug it in, or even just pick it up. It's
updating logs, changing timestamps, connecting to networks, so.

Speaker 1 (02:06):
The evidence is literally changing under your nose.

Speaker 3 (02:09):
It is that volatility means mobile forensics is inherently working
with evidence that's just less stable than what we're used to.

Speaker 1 (02:16):
And this is where it runs into this huge legal
and technical wall. I mean, we've seen new laws designed
to protect us that stop federal authorities from demanding encryption backdoors,
which is a.

Speaker 3 (02:27):
Huge win for privacy for individual security.

Speaker 1 (02:31):
Absolutely, but for forensics it.

Speaker 3 (02:33):
Creates a massive hurdle and this leads directly to a
huge problem for any forensic lab: tool obsolescence.

Speaker 1 (02:40):
The sources mentioned tools like the old IP box that
were made to bypass phone PINs. Can you explain what
these things actually do?

Speaker 2 (02:48):
Sure?

Speaker 3 (02:49):
So, these tools are basically their high speed brute force
attack machines, or sometimes they use a known software bug
to get around the security, like the PIN or
the screen lock.

Speaker 1 (02:59):
And the budget pain comes from the fact that they're not.

Speaker 3 (03:01):
Cheap, not at all. We're talking twenty thousand dollars or more.
And the problem is they have the shelf life of milk.

Speaker 1 (03:09):
So a few months, a few months.

Speaker 3 (03:12):
Maybe if Apple or Google pushes out a routine security patch,
the very exploit that tool relies on is instantly fixed.

Speaker 1 (03:21):
And your twenty thousand dollars investment.

Speaker 2 (03:23):
Is a paperweight.

Speaker 3 (03:25):
A CFE management team has to budget for that. That
incredibly fast depreciation that.

Speaker 1 (03:31):
Forces examiners into a really tough spot because to do
their job they have to rely on exploits. Yeah, which
are, I mean, let's be honest, they're.

Speaker 3 (03:38):
Hacker tools. And this is where we run straight into
that brick wall of legal admissibility. When you use an
exploit to get into a locked system, you are by
definition altering that system.

Speaker 1 (03:49):
You're changing the evidence, You're.

Speaker 2 (03:50):
Changing the evidence, and that breaks the Daubert standard.

Speaker 1 (03:53):
Okay, what is the Daubert standard exactly?

Speaker 3 (03:55):
It's the test a judge uses to decide if scientific
or technical evidence is reliable enough to be admitted in court.
So he is going to argue that the evidence.

Speaker 1 (04:07):
Is tainted and it gets thrown out.

Speaker 2 (04:09):
There's a very very high risk it gets thrown out.

Speaker 1 (04:11):
So using an exploit is like the nuclear option.

Speaker 3 (04:14):
It is, and if you have to use it, you
had better be prepared to document everything, everything, everything exhaustively.
Why was this the only way in? And crucially, you
have to aggressively look for a second way to get
that same data.

Speaker 1 (04:27):
Like from a cloud backup.

Speaker 3 (04:28):
A cloud backup, another linked device, anything. So if the
exploit route gets thrown out, you still have a shot
with your second clean route.

Speaker 1 (04:37):
That issue of integrity leads us right to the legal
side of things. Before an examiner even touches a keyboard,
they have to know their scope of authority. Where does
that power even come from?

Speaker 3 (04:49):
It generally flows from two channels. For law enforcement, it's
a legal warrant. For a private investigation, it's corporate policy.

Speaker 1 (04:57):
And for law enforcement it all starts with the Fourth
Amendment, right?

Speaker 3 (05:00):
The protection against unreasonable search and seizure. To get around that,
law enforcement needs a court order, a search warrant that's
based on probable cause. That's the red flag that justifies
looking at someone's private data.

Speaker 1 (05:12):
But our sources mentioned that protection can be bypassed.

Speaker 2 (05:15):
It can. The most common way is just consent.

Speaker 3 (05:18):
If a suspect voluntarily says sure, you can look, they
waive their Fourth Amendment rights right there. And the second way.
The second is for national security cases under something like
the Patriot Act, those protections can be superseded to get
rapid access to information.

Speaker 1 (05:33):
Wow, okay, so how does that compare to say, an
internal investigation at a company.

Speaker 3 (05:38):
It's simpler, but the rules are just as strict. If
the company owns the device a company laptop, a company phone,
and an employee breaks policy, the company can authorize.

Speaker 1 (05:49):
The search, no Fourth Amendment needed.

Speaker 3 (05:51):
Not on company property, the employee doesn't have the same
expectation of privacy. But, and this is a huge but,
the second that investigation touches a personal device, a private car,
or their home, the company has to stop full stop.
Then it becomes a law enforcement matter and you need
a warrant.

Speaker 1 (06:07):
And this work is happening inside this web of major regulations.

Speaker 3 (06:11):
Absolutely, you're often dealing with Sarbanes-Oxley for financial cases,
HIPAA for health information, and now increasingly.

Speaker 1 (06:19):
Global laws like in the EU.

Speaker 3 (06:21):
Exactly, the EU's privacy laws are much much stricter than
in the US, and if any data involves an EU citizen,
those rules kick in.

Speaker 1 (06:29):
So when they do need that warrant, the sources said,
the physical details are incredibly important, like why do you
need to write down the color of the house trim?

Speaker 3 (06:37):
Because defense attorneys live on ambiguity. A warrant has to
describe the particular place to be searched. If it just
says one twenty three Main Street and there are two
buildings on the.

Speaker 1 (06:46):
Lot, the defense will argue it's invalid.

Speaker 3 (06:48):
They'll argue it's overbroad and invalid. But if you say
one twenty three Main Street, the blue house with white trim,
and the whale shaped mailbox, there's no ambiguity.

Speaker 1 (06:57):
And the same goes for the things you're seizing. It's
not just a PC tower anymore.

Speaker 3 (07:01):
Not even close. The warrant has to list the particular
things: micro SD cards, smart watches, an Xbox. An Xbox?
Oh yeah, a gaming console can be a surprisingly effective
file server, and you have to expect the bizarre. We've
seen USB drives hidden inside milled out poker chips, micro
SD cards glued inside hollowed out coins.

Speaker 1 (07:21):
So the CFE has to think like someone who is
trying to hide data in plain sight all the time.
So once they have the authority and they're on site,
what's the actual evidence they're after? Is it the hardware itself
or the information on it?

Speaker 3 (07:35):
In almost every modern case, it's the data the information.
You rarely want the hardware if.

Speaker 2 (07:39):
You can avoid it.

Speaker 1 (07:40):
Why is that?

Speaker 3 (07:41):
Well, imagine the key evidence is on a company's main
file server. If you seize that hardware, you could shut
down the entire victim's organization.

Speaker 1 (07:50):
So it's better to just copy the data.

Speaker 3 (07:52):
Almost always now there are rare exceptions, like the old
red box devices for telecom fraud. In that case, the
physical box was the evidence, but today it's the data.

Speaker 1 (08:03):
And the first thing you do when you get to
that data is.

Speaker 3 (08:06):
Secure it make sure it cannot change. That means documentation,
video recording, and locking down the chain of custody. If
the system is off, we call that post mortem forensics.
It's simpler, and if it's running, that's live forensics, and
it's much harder. The contents are changing by the millisecond.
The examiner has to document the state of the system
and try to minimize their own footprint.

Speaker 1 (08:27):
And this is where that non negotiable tool comes in,
the write blocker. Why is this one piece of hardware
so fundamental to the whole process.

Speaker 3 (08:38):
It's mandatory because of how operating systems are built. If
you plug an evidence drive into a normal Windows machine,
for example, that OS is designed to immediately interact with it.
How so? It'll create new system folders, it'll update the
last access timestamp, it might change the recycling bin.

Speaker 2 (08:54):
Even those tiny changes.

Speaker 3 (08:55):
Destroy the case from a forensic perspective. Yes, the defense
will argue you tampered with the original evidence. A write
blocker physically prevents that. It sits between the evidence and
your machine and enforces read only access period.

Speaker 1 (09:09):
It's a one way street for data.

Speaker 3 (09:11):
Perfect analogy. Not a single bit can be written back
to the original.

Speaker 1 (09:15):
So with the drive secured by the blocker, how do
you actually copy the data?

Speaker 3 (09:19):
The gold standard is a bitstream copy. You can think
of it like a perfect bit for bit forensic image
of the entire drive.

Speaker 1 (09:25):
Like a forensic Xerox. Exactly.

Speaker 3 (09:27):
It gets everything, deleted files, hidden partitions, all the empty space.
It's the whole picture.

Speaker 1 (09:32):
What if you're out of time.

Speaker 3 (09:33):
If you're really pressed for time, you might be forced
to do a logical copy that's basically a copy and
paste of the visible files and folders, but you miss
all the deleted data, the hidden stuff. It's a fallback,
not a strategy.

Speaker 2 (09:45):
You know.

Speaker 3 (09:45):
Connecting all these legal and technical pieces. It takes a
ton of preparation. Effective forensics is never a one person show.

Speaker 1 (09:53):
It takes a team.

Speaker 2 (09:54):
It does.

Speaker 3 (09:54):
You need your subject matter experts, your legal team, prosecutors,
a case agent, and that relationship with the legal side.
That communication has to be rock solid.

Speaker 1 (10:04):
I can just imagine the frustration when the legal team
gives a vague order like just find everything.

Speaker 3 (10:09):
Oh that's the worst. Yeah, it's a recipe for disaster.
You're just wasting time. A CFE needs clear goals, a
defined scope based on that probable cause, find financial records
from this date range, or find emails between these two people.

Speaker 1 (10:23):
And you have to have a strategy. Yeah, because Plan
A probably isn't going to work.

Speaker 3 (10:27):
Plan A almost never works. You have to go in
expecting to hit roadblocks, encryption, corruption, you name it. You
should be ready to go to Plan F or Plan
G before you get what you need. That foresight is
what makes a great examiner.

Speaker 1 (10:40):
Let's talk about that moment before the CFE even shows up.
Who is the person most likely to accidentally destroy the evidence.

Speaker 3 (10:48):
It's almost always a well intentioned system administrator who doesn't
have forensic training. Why them, because they're trained to fix problems.
They see an issue, they log in, they run diagnostics,
they restart the server to try and figure out
what went wrong, and in doing so, they trample all
over the evidence. They change timestamps, they overwrite volatile memory.

(11:09):
Their attempt to help is from a forensic standpoint just destructive.

Speaker 1 (11:14):
Which really highlights the need for standards and quality control.

Speaker 3 (11:17):
Oh, absolutely, peer review is non negotiable. You need a
second set of eyes on every report to catch simple mistakes,
a typo, a technical error, anything an opposing attorney can
use to question your competence. And standardizing reports using templates
isn't just about saving time. It makes them easier for
a judge or jury to understand, and it makes it

(11:37):
much easier to train new people.

Speaker 1 (11:38):
So beyond just crime solving, CFEs are really valuable across
the board.

Speaker 3 (11:43):
They are. The skills are directly transferable: data recovery, like
using data carving to retrieve a deleted thesis paper,
e-discovery for huge lawsuits, and meeting with witnesses to help
the legal team understand the technical side of the evidence.
They are that bridge between the technology and the legal world.

Speaker 1 (12:01):
This deep dive has really laid bare this central conflict,
hasn't it. We need robust security on our phones, but
justice sometimes requires access to that information. We've covered the
legal guardrails like incredibly detailed warrants and the absolute technical
must-haves like the write blocker that literally stops a computer
from destroying its own evidence.

Speaker 3 (12:21):
The central tension for every organization is that the law
demands stability, but technology just delivers constant, rapid change. So
given the budget pain, we talked about those expensive tools
becoming obsolete overnight. Here's a final strategic question for you
to think about. What should an organization do today to
future proof its investigative ability. Should they focus on policy

(12:42):
and documentation to make their legal standing stronger, or should
they be diversifying, developing their own internal tools that aren't
tied to one platform. Because this technological arms race, it
is not slowing down.