Last week was the 2013 Access Data User Conference (ADUC) in Las Vegas, and there were several hundred digital forensic professionals in attendance. There were several good presentations and speakers. Magnet Forensics had a booth there and I had the opportunity to meet many of the attendees. I spent several hours talking to digital examiners and asking questions about their current forensic workflow and for those already using Internet Evidence Finder (IEF), how and when they were implementing it during their investigations.
Not to my surprise, an overwhelming majority of the people I spoke to are using IEF concurrently with their favorite forensic analysis suite. Many are creating their forensic image(s), loading them in IEF and then letting it run while they simultaneously load the same evidence file into their forensic analysis weapon of choice and start their examination looking for non-Internet related artifacts. Almost all of the users expressed they preferred getting the comprehensive report from IEF rather than using the built-in artifact finding features of their forensic analysis suite.
Two questions kept coming up: “when should I use IEF?” and “my case does not really involve social media, so why would I run it?” Here are a few thoughts on that:
Excluding strictly defined eDiscovery/litigation cases that limit your scope, almost every type of investigation has the potential of touching or recording some artifact that Internet Evidence Finder can recover. Take Internet Explorer browsing history as an example. Even if the case does not involve websites or Internet-related activity, Internet Explorer's history store also records locally accessed files (they appear as file:/// entries alongside the web URLs), so parsing the Internet history files is worthwhile at a minimum, because it can show which documents a user opened and when.
Whether the investigation is employee misconduct, fraud, theft, or intellectual property theft, the use of Internet-related technology is so pervasive in today’s business culture and personal life that it’s almost impossible these days not to leave some type of artifact somewhere.
It used to be said that a computer could be involved in an investigation one of three ways, although today, you could replace ‘computer’ with just about any personal digital device:
- The digital device is the target of the activity (e.g. unauthorized access, defacement).
- The digital device is the tool or method of committing the activity (web browser, chat, email, etc.).
- The digital device is a repository of information that may relate to the activity: the device was not involved at all, but it contains information that relates to the activity being investigated.
A good example of this is the recent arrest of a suspect allegedly involved in sending the toxic substance ricin to the President of the United States. The primary activity had nothing to do with Internet-related activity, although (as it’s been reported) the suspect used eBay to buy the necessary supplies to make ricin and he used PayPal to pay for it.
There are countless other cases where the initial activity/crime/investigation did not appear to be “computer” related at all, yet communications, documents, receipts or other relevant information were later found on a digital device.
So my answer to the original question is that, except in rare circumstances where the scope of your examination is legally constrained, an examination of Internet-related artifacts is almost always a good initial step in every type of case. Like other investigative methods, let the artifacts lead you and provide a springboard to the next artifact (e.g. web history showing PayPal, then identifying the account name, then getting records from PayPal).
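The two points above (local file access showing up in Internet history, and web history as a pivot to third-party records) are easy to turn into a first-pass triage script. The following is an added example written for this post, not code from IEF or Magnet Forensics. It assumes a history export in a hypothetical CSV shape (timestamp, URL, visit count) such as a history parser might produce; the rows, the `jdoe` user and the `fileserver` host are constructed sample data, and the set of pivot domains is an assumption you would tailor to the case.

```python
"""Triage of browser-history records: local file access and pivot domains.

Added example (not IEF's or Magnet's code). Assumes history has already
been parsed by some tool and exported as CSV rows of the form
timestamp,url,visit_count; the rows below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple
from urllib.parse import urlparse, unquote

# Constructed sample export (hypothetical shape: timestamp,url,visit_count).
SAMPLE_HISTORY = """\
2013-04-15 09:12:03,file:///C:/Users/jdoe/Documents/Q1%20forecast.xlsx,3
2013-04-15 09:13:44,https://www.paypal.com/us/cgi-bin/webscr?cmd=_login-run,1
2013-04-15 09:20:10,http://www.ebay.com/itm/123456789,2
2013-04-15 10:01:55,file://fileserver/finance/contracts.zip,1
2013-04-16 08:30:00,https://mail.example.com/inbox,12
"""

# Domains worth pivoting on for provider records (assumption for this example).
PIVOT_DOMAINS = {"paypal.com", "ebay.com"}


@dataclass
class Visit:
    timestamp: str
    url: str
    count: int


def parse_history(text: str) -> List[Visit]:
    """Parse the CSV-style export into Visit records, skipping blank lines."""
    visits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, url, count = line.split(",", 2)
        visits.append(Visit(ts, url, int(count)))
    return visits


def file_url_to_windows_path(url: str) -> str:
    """Convert a file:// URL into the Windows path it points at.

    file:///C:/dir/a%20b.txt  -> C:\\dir\\a b.txt
    file://server/share/x.txt -> \\\\server\\share\\x.txt (UNC path)
    """
    p = urlparse(url)
    path = unquote(p.path)
    if p.netloc and p.netloc.lower() != "localhost":
        return "\\\\" + p.netloc + path.replace("/", "\\")
    # Drop the leading slash in front of a drive letter ("/C:/...").
    if len(path) >= 3 and path[0] == "/" and path[2] == ":":
        path = path[1:]
    return path.replace("/", "\\")


def local_file_accesses(visits: Iterable[Visit]) -> List[Tuple[str, str]]:
    """Return (timestamp, path) for every file:// entry in the history."""
    return [
        (v.timestamp, file_url_to_windows_path(v.url))
        for v in visits
        if urlparse(v.url).scheme.lower() == "file"
    ]


def pivot_visits(visits: Iterable[Visit], domains=PIVOT_DOMAINS) -> List[Tuple[str, str, int]]:
    """Return (timestamp, host, count) for visits to a pivot domain or a subdomain of one."""
    hits = []
    for v in visits:
        host = (urlparse(v.url).hostname or "").lower()
        if any(host == d or host.endswith("." + d) for d in domains):
            hits.append((v.timestamp, host, v.count))
    return hits


if __name__ == "__main__":
    history = parse_history(SAMPLE_HISTORY)
    print("Local files opened (recovered from Internet history):")
    for ts, path in local_file_accesses(history):
        print(f"  {ts}  {path}")
    print("Visits to pivot domains (candidates for provider record requests):")
    for ts, host, n in pivot_visits(history):
        print(f"  {ts}  {host}  ({n} visits)")
```

Run against the constructed rows, the script lists two local-file accesses (a spreadsheet on the C: drive and a ZIP on a network share) that have nothing to do with web browsing, and two pivot hits (PayPal and eBay) that tell you which providers to subpoena for account records. Note that the host match is suffix-based on the registered domain so that `www.paypal.com` and other subdomains are caught, while unrelated domains that merely contain the string are not.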
As always, if you have any comments, suggestions or questions, you can contact me directly at: lance (at) magnetforensics.com
