Digital Forensics: Training Required

June 26th, 2019 by Oleg Afonin
Category: «General», «Tips & Tricks»

If you are working in the area of digital forensics, you might have wondered about one particular thing in the marketing of many forensic solutions. While most manufacturers are claiming that their tools are easy to use and to learn, those very same manufacturers offer training courses with prices often exceeding the cost of the actual tools. Are these trainings necessary at all if the tools are as easy to use as the marketing claims?

We believe so. A “digital” investigation is not something you can “fire and forget” by connecting a phone to a PC, running your favorite tool and pushing a button. When dealing with encrypted media, the most straightforward approach, brute-forcing your way in, is not always the best one.

The tools

Assuming that you have all the tools you can possibly imagine, from UFED Premium or GrayKey boxes to SQLite recovery tools, and assuming you know how to use those tools, is that everything you need? If your answer is “yes”, think again.

There is no single tool or set of tools on the market that can do everything for you. Being an investigator is your job, and the tools are just… tools. When we develop forensic software, we do our best. We make the tools as easy for you to use as we possibly can. We have an entire department dedicated to UI and user experience, trying to think of all possible usage scenarios while working closely with the R&D and marketing departments, who take your feedback to improve our tools and your usage experience. We discuss every window and every clickable thing. Yet, we are far from thinking our tools can actually handle an investigation.

Encrypted data anyone?

Most of you have encountered encrypted data during an investigation. Be it an encrypted disk or a password-protected document or archive, we have a tool to help you break in with as little delay as possible. Throw in a bunch of powerful servers, each with a bunch of up-to-date video cards, and you’re good to go! Right?

Not quite; it does not work that way. Bare metal is important, and it could be the only way to brute-force your way in if that single encrypted disk or document is everything you have. However, more often than not you’ll have much more evidence than just that one encrypted disk or document. Somewhere in that evidence there might be keys to that encrypted volume and that document. What keys could those be? How do you find them, and where do you start?

Mobile forensics

Yet another iPhone with Telegram chats and a bunch of iMessages. You’ve probably seen the ads with detectives pushing a button and getting everything out in seconds. We have bad news for you: this is not going to happen under anything but ideal conditions. What are the ifs and buts that could block access to the evidence you need, and how do you work around those roadblocks?

Worst of all, it could be you (yes, you!) who destroys evidence or locks everyone out. One simple mistake, like just looking at that iPhone or forgetting to check the Wi-Fi toggle after switching the phone to Airplane mode, could block or erase evidence in an instant. Making an unencrypted backup and missing the keychain, failing to decrypt iMessages or missing encrypted Health data could deprive you of crucial bits of evidence. How do you know what you could be missing?

Trainings to the rescue

In most forensic training programs, students are not just taught to push buttons. A good training is never limited to a particular tool or set of tools. Instead, you’ll be taught to understand the entire workflow. You’ll learn about the practices that allow you to approach the problem in the optimal way. As an example, during a course on accessing encrypted data taught by us, we’ll tell you about the differences between the types of encryption and teach you to collect the low-hanging fruit by extracting cached passwords and building a custom dictionary. We’ll also teach you about using dictionaries made from the most popular passwords obtained from recent leaks. There is a lot more to breaking encryption than simply using even the most powerful tools, and you will get a much higher success rate when employing the right workflow.

When it comes to mobile forensics, you’ll be taught how to handle the device from the very moment it gets into your hands. You will learn about the different states of mobile devices (Before First Unlock and After First Unlock) and how they affect your ability to access and extract evidence. Even with the most secure devices on the market, you’ll know your options, and will be able to access the largest amount of evidence accessible under the given circumstances.

ElcomSoft Trainings

We are offering two training programs: Advanced iOS Forensics and Advanced Password Recovery.

Our Advanced iOS Forensics course starts with an overview of common mobile platforms and operating systems and their data protection and encryption features. We’ll teach you the most effective workflow, which includes evidence preservation and logical, physical and cloud-based acquisition. You will learn how to cope with encryption and password protection and develop the skills necessary to successfully obtain evidence from locked devices and password-protected backups.

During the Advanced Password Recovery course, you will learn the fundamentals of data protection, encryption and passwords. We’ll teach you to deal with the many types of encrypted information and explain the differences between the various types of protection, encryption and passwords. You will get lots of hands-on experience breaking passwords for many common types of data, including encrypted volumes, protected documents, archives and backups.