How do you manage e...
 
Notifications
Clear all

How do you manage evidence storage after phone extractions?

7 Posts
6 Users
0 Likes
2,324 Views
(@jvaldez225)
Posts: 12
Active Member
Topic starter
 

Some background of how we manage it now. PLEASE PLEASE PLEASE! Any advice or suggestions that you would change, do differently let me know! I want to get us headed in the right direction with this since I won't be here much longer maybe another year, and I want to make it right for the next bunch that takes over.

Brief Background
I work in a Correctional environment and typically all we do are mobile phone extractions on a daily/weekly basis. Honestly I don't even remember how I got roped into this. I was always that guy to everyone here that can fix or resolve issues with someone's phone or computer. I later met with someone else here that was already kinda doing cell phone forensics for the department and needed help since the amount of work was getting to be too much, and it just took off from there. We've been up for over 4 years now and due to not having a policy in retaining our evidence, we just save everything on external backup drives. Our phone cases jumped up 400% since 2014, so storage is getting out of control right now. We literally started out of a closet back in 2014 with two computers and two 1 TB's external drives, one was the main backup and the other was the backup to that drive. Fast forward to present time we have an office with a window D and now 3 to 4 staff members. I came to these forums a few times for some help or had a question on something, and you guys keep amazing me with the amount of experience you have in this field. Honestly anything outside of Cellebrite and IEF goes over my head here lol… Anyways back to our storage delema.

I'll start with this, Cellebrite is our go to software for just about 90% of our cases up to now. (UFED4PC) IEF is basically our backup if the cellebrite dongle is tied up on another workstation or sometimes comes in clutch on some weird Android phones for images.

Our setup currently
3 workstations - one for each staff member. We assign the phones to whoever is available first. Once their done, the Cellebrite dongle gets passed around to the next person that's waiting for it and so on. If there's another solution to that other than coughing up another 8 or 10K for another license, let me know.

We each have 8TB's of space on our workstations setup as so.

500GB C Windows OS with Cellebrite and IEF installed.

2TB E Extraction data is stored here then moved to F drive for storage. (Question here Should we format this drive after every case? Is it even necessary to do that? If so what's a suitable format; quick, full or other?) This topic comes up a few times here.

6TB (External) F Storage for all the case files for that workstation. (No backups oops ) Once storage is full we'll generate a file with all the cases on that drive, and we'll file the log with the drive in our evidence locker. If I scared you guys already, I apologize in advance… But with a limited budget that's what we have to do. With no backups of any of the Fdrives we're running on luck basically every time we save a case. Good news is at some point this year some funds will be coming our way, about 3k. Any storage suggestions in that budget??? Oh and we run off wireless hotspots throughout the office for internet and software updates. The state IT unit doesn't want the forensic workstations to possibly infect the network if malware was on a phone. So if we have to print something we have to save it on a flash drive and run to a dedicated state workstation and print from there. Hopefully if a storage solution isn't much we can spare some cash on a network to our workstations with a printer.

Okay…
So with the Cellebrite extractions, we generate the report in PA and save it in UFEDReader format, and we'll work off the Reader from there building the case for the people involved to review. We save both the cell phone extraction and the generated report folder and files to the F drive.

Finally my question
Can we just save the UFEDReader folder with all the working files and delete the extraction folder after we're all done? That would save us quite a bit of storage if we could do that. Also can we zip the case folders after we're done or just leave them alone as is? I'm bringing this up now because lately some of the offenders have tried to take the cell phone evidence findings to court, and I'm not sure what else I would need in the extraction folder or even having to go back to it, that I couldn't already get in the UFEDReader report. When we get a request to hand over the report we open UFEDReader and generate a PDF report from that case and that's it. We don't hear or see anything back from anyone, so that's what brought up all this.

Sorry for the lengthy read. Was trying to get all the details out. I'm interested in knowing how you guys manage storage similar to our situation, also anyone else here in Corrections? What's your setup?

 
Posted : 11/01/2019 5:46 am
jpickens
(@jpickens)
Posts: 130
Estimable Member
 

TLDR, Please?

Regardless of where the evidence comes from (mobile, PC, etc…), how you handle evidence should always follow a best practice. Its up to you how that best works in your environment but for my 2 Cents, I'd summarize it like this… "Always maintain data integrity".

An Example If you image in Cellebrite then store your image files and hash them. Perhaps you want to make a copy and place it into FTK or Imager or a ZIP container to keep it together so it cannot be modified easily and is a valid copy of the original.

From there, how you move data around should be less of a worry since you have taken steps to keep a copy of the original data in tact. As for saving space, drives are getting cheaper, but if its someone else's data, (IMO) you need to make a valid investment into storage space and redundancy of some kind.

 
Posted : 11/01/2019 2:19 pm
kastajamah
(@kastajamah)
Posts: 109
Estimable Member
 

As far as deleting the original extraction and just working with the UFED Reader, I would highly discourage this. You should keep the original extraction. If your department has an evidence unit, you can generate the UFED Reader report, transfer it to a disk (I would recommend transferring it to 2 disks (optical disks, USB flash drives, etc) in case one of them fails), and store the report in your evidence unit.

The original extraction should be preserved. That also might fall under best evidence rules depending on your jurisdiction. Also, that extraction can be opened in a newer version of UFED Physical Analyzer, and newer artifacts could be parsed out that Cellebrite PA could not parse in a previous version when the extraction was made.

If you are concerned about storing old cases that are not needed anymore, I would recommend contacting the prosecutor (if the case was charged) or the original investigating detective/officer (if the case was never charged). Confirm if the data is still needed. I would recommend doing this via email for paper trail purposes. If they say it can be deleted, delete the extraction, and that will open up the storage space you need. I would do this on a 2 to 3 year basis. So if its 2019, I would look at cases from 2016/2017 and prior, contact the officials mentioned above, and start deleting as they give you permission.

Of course, you will want to run any suggestions by your superiors to get them on board.

 
Posted : 11/01/2019 4:03 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

My 2 cents (actually 3).

1) Don't even THINK of saving only the "report" part of case, you NEED to to have the original extraction.
Imagine for one moment that there could be a bug of some kind in Cellebrite that makes some assumptions in the report invalid or that misses some relevant parts of the extraction.
If you have the original extraction you can re-process it with the newest (updated/corrected/etc.) Cellebrite or with *any* other tool.
If you don't have it, you open the way (IF such a bug exists and it is demonstrated) to invalidate a number of cases and, even outside the case of the hypothetical bug you would be essentially transforming a "repeatable" test into a "non-repeatable" one (to give you an example, and of course it depends on local Law, in more traditional "wet" forensics if a sample is enough to carry only one test, special provisions are made to make sure that the test is performed in such a way that it cannot be later invalidated, like having a defense expert assisting or some other legally "fail-proof" way)

2) Of course you can compress the folder into a compressed archived (possibly in a format that is known to be surely lossless AND "somehow" documented AND "somehow" recoverable in case of minor issues).
Even if they surely give better compression, I would personally avoid .rar format and .7z formats for such a "delicate" compression and use good ol' .zip or .gzip formats.

3) Data retention time is a BIG issue.
Of course, if the Law or whatever directive is applicable to your department does not state this retention time, you need to have a definite input by someone in charge of the case, keeping in mind that since - essentially - it is not their problem I wouldn't be surprised if they would tell you that you have to keep the data available for 5, 10, 15 or 20 years 😯 or until you are notified in writing that you can delete them (from personal experience in other fields, *somehow* these notifications are never sent wink unless you ask for them in a very insistent manner).

jaclaz

 
Posted : 11/01/2019 6:03 pm
gungora
(@gungora)
Posts: 33
Eminent Member
 

I can imagine that your budget and other practical issues may prevent you from doing things the way you wish—such as getting more software licenses. That said, it sounds like there are a few minor adjustments you can make to improve your workflow. A few thoughts

1. Let's say you have software A and software B to do the same forensic work. You prefer software A because it does X, Y, and Z consistently better. I think a scenario where you occasionally switch to software B because your license of software A is tied up is problematic. You are using a less than ideal tool for the job—based on your own determination and/or preference at least—due to logistical and budgetary challenges on your end. This could open you up for trouble. I think software B should be your backup for scenarios where software A failed to do what it was designed to do.

2. I see the entirety of your extraction as part of the evidence, including the file system on the storage medium where you performed the extraction. If your extraction is questioned, the hashes of the acquired data should match with your chain of custody documentation and the file system timestamps of the acquired data should line up with your case documentation.

Additionally, if your extraction is questioned, it is not ideal for the original copy of the extraction to reside on a medium shared with other extractions, other evidence or your work product. If you are required to make the medium available for inspection, you would have to either expose the other data on the shared medium or fight to prevent that from happening (thinking of a legal battle here, not UFC).

3. Hard drives fail all the time. I would strongly recommend making at least two copies of the collected evidence. You could do something along these lines

* Use a storage medium that's dedicated to the extraction (e.g., an encrypted external hard drive)
* Sterilize it to make sure no other data is on the drive, and in order to exercise the drive to make any defects apparent
* Do a SMART check to make sure the drive is in good working condition
* Label it
* Perform the extraction
* Write protect this master drive for any subsequent steps
* Make at least one additional working copy as soon as possible
* Validate the working copies by cryptographic hash comparison

4. Needless to say, you should store the original extraction. Storing reports generated from the extraction and discarding the original sounds like a recipe for disaster. Jaclaz has already made some great points as to why.

 
Posted : 11/01/2019 7:10 pm
(@jvaldez225)
Posts: 12
Active Member
Topic starter
 

Sorry for the long delay. A LOT HAS HAPPEN!!! I read everyone's response's and armed myself with that information and emailed everyone! I got an answer finally on the retention of evidence (7 Years), lingo was added into some directives to include digital storage and media etc… Saved the email, print and filed it along with the new directives… I was surprised at how many people didn't even know that we existed… The storage process is still ongoing, waiting on the drives to come in. I'll run this by you guys and please let me know if this works or if there's something else we can do.

Right now each workstation (3 workstations) has 1-6TB external drive storing all the cases they ever worked on.
I was thinking once we get the other three 6TB drives, I would go to each workstation with one of the drives and start copying over cases from 2017 from each machine, repeat on another drive for the 2018 cases, and then image those two drives.

The cases from the previous years we had already filed and backed up. The 2017 and 2018 cases filled up our current drives and we currently don't have a backup of any those cases. That's how I'm thinking of tackling this situation, so that we have a backup copy of those years. There has to be a better way but right now I can't think of any other way to sort and backup the case files, so that it's easier to manage.

Jpickens said

Perhaps you want to make a copy and place it into FTK or Imager or a ZIP container to keep it together so it cannot be modified easily and is a valid copy of the original.

Going to use FTK Imager to make the image of the drives.

jaclaz said

Of course you can compress the folder into a compressed archived (possibly in a format that is known to be surely lossless AND "somehow" documented AND "somehow" recoverable in case of minor issues).
Even if they surely give better compression, I would personally avoid .rar format and .7z formats for such a "delicate" compression and use good ol' .zip or .gzip formats.

Would I .gzip both original and backup drives?

gungora said

Additionally, if your extraction is questioned, it is not ideal for the original copy of the extraction to reside on a medium shared with other extractions, other evidence or your work product. If you are required to make the medium available for inspection, you would have to either expose the other data on the shared medium or fight to prevent that from happening (thinking of a legal battle here, not UFC).

I believe I can get each year on one 6tb drive with it's own backup. But are you saying to keep each case separate from each other? We create a folder in the formatted drive with the case number, we then point the Cellebrite extraction to that folder, open Analyzer and generate the UfedReader report to that folder as well. After that we copy that folder to the external drive and work from there. This is where I need to start validating the extractions and I need some insight on how to do that on each extraction, so that we get this right going forward.

 
Posted : 23/01/2019 3:17 am
Styers
(@styers)
Posts: 27
Eminent Member
 

I am a fan of simplicity.

I make two copies of the report and extraction. then Burn them both to a Blu-Ray disc, or Discs if necessary due to size.

Give one the the officer/investigator handling the case and place another in our CD filing cabinet in our evidence storage room.

No hard drives to crash, no servers to hack. If i need it i just walk to the evidence room and pull it from the drawer.

I rarely have to retrieve a stored copy, when i do it usually because the investigating officer lost his copy for court. then i just duplicate him one from my evidence copy. Plus its the cheapest way to store large amounts of data.

 
Posted : 28/06/2019 12:17 pm
Share: