Footprints in the data

Photo 1 of 2: Working in laboratories such as this one, digital forensics examiners have access to tools that help them investigate and analyze digital devices. With the proliferation of devices from which to extract valuable information, the software required to ... (Photo Credit: U.S. Army)

Photo 2 of 2: This write blocker, hooked up to a hard drive, lets a digital forensic investigator copy and read the contents of a hard drive without altering or risking damage to any of the original data—an important feature to preserve digital evidence in i... (Photo Credit: U.S. Army)

Step inside the least understood of the warfighting domains, cyber, where digital detectives analyze data to solve crime, and similar tools and techniques are used to defend against cyberattacks.

In 2015, the U.S. Office of Personnel Management revealed that two major breaches affecting at least 22 million people had occurred the previous year, in which the assailants made off with personnel records and data on SF-86 forms--on which federal employees and contractors applying for security clearances report their addresses and employment history for the last 10 years, overseas travel, contact information for family members and friends, and much more in response to the 127-page questionnaire.

One goal of the background investigations the SF-86 collects data for is to determine whether a candidate could be vulnerable to blackmail, and so it asks for the kinds of information that give blackmailers leverage. Candidates report debts, whether they have ever sought psychological counseling or treatment for alcohol abuse, or whether they've been arrested or charged with a crime or used drugs. That information is now in the hands of hackers.

Apart from the damage to individuals--an SF-86 form provides enough information for a criminal to steal someone's identity, empty bank accounts, ruin credit--there's the risk to national security. The data theft could make it possible for hostile foreign governments to unmask spies or track down relatives of U.S.-based emigres.

Digital or cyber forensics is the process used to figure out which actors are behind a hack like this, and how they did it. U.S. officials speaking privately said that China had stolen logins and passwords to perpetrate the hack, though the Obama administration did not formally accuse China. Considering that data theft on this scale occurs during peacetime, the ability to protect the cyber space where digital data lives, and to analyze attempts to manipulate or steal it, is probably one of the least understood but most necessary components of any future defense strategy.

"When I started, digital forensics was just about looking at hard drives on computers. Now it's everything you touch," said Special Agent Patrick Eller, lead digital forensics examiner with the Army's Criminal Investigation Command, in an interview with Army AL&T. Digital forensics examiners can piece together the movements of persons of interest, place them in a particular location at a particular time, and gather evidence about feelings, motives and more with the aid of powerful software. "Watches, FitBits, phones, tablets, computers, all the way down to the programs on them: the chat applications, like SnapChat, Facebook, WhatsApp"--the universe of data sources is vast, Eller said.

Special agents from the command (known as CID), like Eller, collect, preserve and analyze data from digital devices to "build digital timelines, which is what supports the whole case." Digital forensics examiners don't usually go to the crime scene. Instead, Eller and several other examiners train the CID agents who work the crime scene. "We teach [agents] to identify and collect digital evidence," such as any phones or other devices present, Eller said.


A crime scene can be crawling with digital data that's not immediately visible, because of the proliferation of internet-connected devices and how frequently we interact with them. "Think about what's called the 'internet of things,' everything in your house being connected to the internet," Eller said. "I can turn on lights in my house, I can open my garage, I can start appliances, I can lock doors from my phone.

"For us as examiners, it's a challenge because we have to figure out how to get the data out of these devices in a forensically sound manner," he said. After the agents on scene collect all the sources of digital information, they apply for search authorization, and send the device and a specific request for evidence to the digital forensics examiner.
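An added illustration, not the Army's or any vendor's code, of what "forensically sound" means in practice: the source is never written to (the write blocker's job), and a SHA-256 hash taken at acquisition is re-checked after each analysis step and recorded in a custody log. The evidence bytes and the examiner name are constructed.

```python
"""Forensically sound acquisition: hash at seizure, re-verify after every step.

Added example; the evidence bytes, examiner name and log format are constructed.
"""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the raw bytes read from a seized drive through a
# write blocker (hypothetical file names, repeated to give the blob some size).
SOURCE_DEVICE = b"report.docx\x00chat_backup.db\x00photo_0417.jpg\x00" * 64


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest used as the evidence fingerprint."""
    return hashlib.sha256(data).hexdigest()


def acquire(source: bytes, examiner: str) -> dict:
    """Take a bit-for-bit working copy and seal it with matching hashes.

    The source itself is only read, never modified; the image is what the
    examiner searches, and its hash must stay equal to the source hash.
    """
    image = bytes(source)
    return {
        "image": image,
        "source_sha256": sha256_hex(source),
        "image_sha256": sha256_hex(image),
        "custody_log": [(datetime.now(timezone.utc).isoformat(), examiner, "acquired")],
    }


def verify(evidence: dict, step: str, examiner: str) -> bool:
    """Re-hash the working image after an analysis step and log the result.

    Returns True when the image is still identical to what was acquired;
    False means the copy was altered and the step's findings are suspect.
    """
    intact = sha256_hex(evidence["image"]) == evidence["image_sha256"]
    outcome = "verified" if intact else "HASH MISMATCH"
    evidence["custody_log"].append(
        (datetime.now(timezone.utc).isoformat(), examiner, f"{step}: {outcome}")
    )
    return intact
```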

The laws and precedents covering what digital forensics examiners can look for, and what permissions they need to do so, were established before many of the current tools and techniques became available. But the process still begins with an authorization to search, either a warrant issued by a magistrate or a consent to search given by the device's owner. The authorization generally specifies what can be looked for, as a warrant for a physical search does: It's usually not blanket permission to rifle through a house (or read all the texts on an iPhone) at random, but permission to look for things that might be relevant to a case.


Detectives in the non-digital realm look for strands of hair, tire tracks or weapons. Digital forensics investigators look for digital data--files, images, video--and metadata. Metadata is information about data, such as when it was created, if it was modified and by whom. The length of a phone call, for instance, is metadata that can be useful even if investigators can't get or can't use the contents of the conversation.

Finding links among the many pieces of data is a key contribution of digital forensics tools. Analyzing those connections can open up new leads to investigate. If an investigator notices that each of the three phones sent to a lab connected to the wireless network at McDonald's on Main Street, that's a new lead: It could place the suspects together in one location, and the agents working the case could try to interview the McDonald's employees working on that day.
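As an added example (not CID's tooling or code from the article), the cross-device correlation described above in Python: per-phone Wi-Fi connection records are constructed sample data with hypothetical device names and network names, merged into one timeline, and checked for a network that every device joined within the same window.

```python
"""Correlate Wi-Fi connection records across seized phones to surface a lead.

Added example: constructed sample data, hypothetical SSIDs and device names.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed extraction output: device -> [(ISO timestamp, SSID joined)].
RECORDS = {
    "phone_A": [("2018-06-01T11:58:00", "HomeNet-A"),
                ("2018-06-01T12:40:00", "MainSt-Restaurant-WiFi"),
                ("2018-06-03T08:15:00", "Airport-Free-WiFi")],
    "phone_B": [("2018-06-01T12:45:00", "MainSt-Restaurant-WiFi"),
                ("2018-06-05T19:02:00", "Airport-Free-WiFi")],
    "phone_C": [("2018-06-01T13:05:00", "MainSt-Restaurant-WiFi"),
                ("2018-06-02T07:30:00", "Gym-Guest"),
                ("2018-06-04T16:20:00", "Airport-Free-WiFi")],
}


def build_timeline(records):
    """Merge every device's events into one chronologically sorted list of
    (timestamp, device, ssid): the 'digital timeline' of the case."""
    events = [(datetime.fromisoformat(ts), dev, ssid)
              for dev, evs in records.items() for ts, ssid in evs]
    return sorted(events)


def shared_networks(records, window=timedelta(hours=1)):
    """Networks that *every* device joined, with all first joins inside `window`.

    A popular SSID joined on different days is not a lead; the same SSID
    joined by all phones within an hour places them together."""
    first_join = defaultdict(dict)            # ssid -> {device: earliest ts}
    for ts, dev, ssid in build_timeline(records):
        first_join[ssid].setdefault(dev, ts)  # timeline is sorted, so first wins
    leads = {}
    for ssid, joins in first_join.items():
        if len(joins) != len(records):
            continue                          # not seen on every device
        times = sorted(joins.values())
        if times[-1] - times[0] <= window:
            leads[ssid] = (times[0], times[-1])
    return leads
```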


Army CID now uses upward of 20 forensic tools, each fairly specialized, to investigate and analyze digital devices, according to Eller. Twenty years ago, a case might involve a few hard drives from the suspect's laptop, and one kind of software could do all the necessary analysis. Nowadays investigators might need to search a smartphone, an Amazon Alexa, a tablet and the onboard computers from a suspect's car. The tools available to access and search computing devices for evidence have likewise grown in number and power.

Digital forensics tools on the market include EnCase, the granddaddy of digital forensics. It has been in use since 1998, when it was used primarily to search and analyze hard drives seized during criminal investigations. Now it's a suite of tools that law enforcement can use to search digital devices linked to a possible crime, and that organizations can use to defend against cyberattacks or to collect information about the attacks.

AccessData's Forensic Toolkit can scan a device for "text strings"--groupings of characters--and use those to build a dictionary to decrypt emails or other data that has been encrypted. It can also scan for malware and then analyze what the malicious code could be designed to do, where the infection could have come from, and if the malware is communicating with an outside server or website.

But before forensics examiners can analyze data, they need to be able to see it. Most devices now offer the option of encryption with a passcode, and so there's another set of digital forensics tools that specialize in breaking that encryption.


In March 2018, an anonymous source alerted the cybersecurity community to the existence of a gray box, four inches square, that could unlock any iPhone and extract every piece of data from it. Plug an iPhone into the "GrayKey," and anywhere from a few hours later (if the phone is protected by a four-digit passcode) to three days (for a six-digit passcode), the passcode surfaces and the device downloads all the phone's data for investigators to analyze.

The device's maker, a small Atlanta-based company called Grayshift, did not say by what means its device evaded the security features on the phone, which usually erase the phone's data after 10 failed attempts to enter the passcode. Outside security experts said it's "almost certainly" the case that Grayshift found a weak spot in the iPhone's software that lets the GrayKey guess hundreds of passcodes per minute.

By October 2018, Apple had apparently found and fixed the weak spot, and GrayKey devices could no longer break into newer iPhones. (They could still do a "partial extraction" on some older iPhones.)

"Mobile forensics is really taking over the majority of the forensic work we're doing, and it's also one of the largest challenges to overcome security-wise," Eller said. "It's a constant challenge for the companies that make the hardware and software we use to search--it's a cat-and-mouse game" between the forensic software companies and Apple and makers of Android devices.

That game focuses on the security measures that prevent anyone other than a phone's owner from unlocking it. Thousands of devices are in law enforcement custody, locked and unsearchable, because tech companies so far have declined to provide software to override the passcode or fingerprint security, or to leave a "back door" in their products through which digital investigators could get access to the phone's data. The tech companies argue that this would weaken security for all users.

Even so, as GrayKey showed, smartphones aren't impervious to the powers of cash and the smarts of computer engineers. There's a market for phone-cracking hardware and software, and U.S. law enforcement and government agencies are among the customers paying forensic firms anywhere from $5,000 to $30,000 to break into passcode-protected devices.

After the 2015 shooting in San Bernardino, California, that killed 14 and left the shooter dead, the FBI wanted access to the shooter's iPhone. It asked Apple to create a version of the iPhone's operating system without the "auto-erase" security function. Apple refused, and the FBI paid an outside vendor reportedly close to $1 million to break into the phone. The vendor was believed to be Cellebrite, an Israeli cybersecurity firm.


At a demonstration of the iPhone-unlocking GrayKey, before Apple's security updates partially defeated it, an armed guard stood watch over the company's booth. "It's an arms race," Grayshift CEO David Miles said of the struggle between security features and hackers and purveyors of forensic and decryption technology.

The comparison to armed conflict is apt. Digital forensics of the kind Army CID engages in is about building a case to prosecute crimes. But the tools and skills that digital investigators use--not to mention the knowledge required to understand them--overlap with those used in the cyber domain to spot attempts to infiltrate U.S. government computer systems, and to trace and block them. Whether it's a "gray war" or "multidomain battle," or the continuing struggle for information superiority, hacks, malware, cyberattacks and other attempts to compromise an enemy's ability to communicate are part of the picture.

A Soldier needs tools--sensors, binoculars--to see who's firing at him, and with what kind of weapon. Information systems need cyber forensics tools for the same reason: It's hard to defend against an attack you don't understand, and digital forensics tools can help Soldiers and analysts see the cyber battlefield and what weapons are being deployed there. As the degree to which our lives are online increases, so, too, does the amount of conflict and crime that occurs in cyberspace. Digital forensics is likely to grow even more relevant, as is the smart acquisition of forensics tools and the training and hiring of people skilled in their use.

This article is published in the Spring issue of Army AL&T magazine.