Methodology

Digital Forensics and ‘self-tracking’

by Dr Chris Hargreaves, lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK

This month’s article is based very loosely around a recent 5-minute talk from Gary Wolf (link here) which explores the concept of ‘self-tracking’ (the trend for people to record aspects of their life) and how this can now be performed to a much greater extent than was previously possible due to changes in technology. The talk discusses the monitoring of heart rates, sleep patterns, consumption of caffeine, food and alcohol etc. While many of these could be recorded simply with a pen and paper, the talk also introduces a variety of new digital devices that automate the collection, recording and in some cases transmission of this ‘self-tracking’ data. This article ponders the implications of such devices for digital forensics.

Several technologies are mentioned in the referenced TED talk, including general purpose technologies such as Twitter and iPhones that can be used for ‘self-tracking’ of diet or exercise, but it also discusses dedicated devices. This includes technologies such as Nike+ (tracking distances and times), Fitbit (for fitness and sleep monitoring), Polar WearLink+ (heart rate) and Zeo Sleep Tracker (sleep monitoring). Outside of those covered in the talk, additional technologies that are already commonly in use and that record information about our lives include games consoles such as the Nintendo Wii (amount of time playing a particular game or using other features such as the web browser) and GPS devices (locations visited). There are also other upcoming technologies, for example those which capture and record the total electrical power consumption of your home.

It does not require too much imagination to foresee how data from such devices could be potentially useful (particularly as evidence related to alibis, for example). Really, any additional source of potential digital evidence should be welcomed, and this is particularly true for devices that are difficult to tamper with (there is not yet an evidence eliminator for electricity usage monitors as far as I am aware). There is also an additional benefit from using digital evidence in this way – rather than relying on digital evidence from a single PC or device, multiple, independent devices can be examined for evidence that supports (or refutes) the current working hypothesis of what events occurred. More data sources can only increase the accuracy of any inferences drawn from the evidence.

While there are potential benefits of using digital evidence from such devices, there are significant challenges in doing so. Assuming for the purpose of this article a reasonably simple digital investigation process model (identification, acquisition, extraction, analysis and presentation), the identification at a scene of physical evidence on which digital evidence could reside is much more difficult than in the past – this article has mentioned only a small subset of the devices that could contain relevant digital evidence. It is therefore important to remember that the question to ask when seizing evidence is not ‘where is the computer?’ but ‘what devices are here that could contain relevant digital evidence?’

With the devices identified and collected, the problem of acquisition remains. Acquisition of data from non-standard devices can be challenging, often due to the data storage components being integrated to the device and non-standard interfaces to the device itself. The current offerings of mobile phone acquisition products (as an example of non-traditional computer evidence) include a range of adaptors for compatibility with the large variety of devices and interfaces. Could this sort of approach extend in future to include acquisitions from other non-traditional computer based digital evidence sources?

Assuming that data can actually be acquired from these devices, an additional challenge remains — the extraction of digital artifacts (in this context meaning the transformation from the raw data into usable information, i.e. how are the binary patterns to be correctly interpreted?). A new file format on a traditional computer usually involves experimentation in order to reverse engineer the format to understand it and extract information. These experiments can involve (amongst other things) feeding known data into a test system and inspecting the data object in which it is stored. If the acquisition of the device is difficult or destructive then this makes the experimentation process much harder, slower and more cumbersome. In addition, there does seem to be a trend for traditional computer applications to make use of more standard data formats, e.g. SQL, XML, etc.; however, for low power, low resource devices these formats may not necessarily be appropriate and therefore bespoke formats are more common. This increases the challenge of artifact extraction.
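The ‘feed known data into a test system and inspect the stored object’ experiment described above, as an added example that is not from the column or from any real device: the record layout of the simulated tracker is invented (hypothetical) purely so the experiment can be run offline, and the script shows why a single known value is rarely enough to pin down a field in a bespoke binary format.

```python
"""Locating a field in an undocumented device log by feeding known values.

Added example, not code from the column or from any real device: the
record layout below is invented so the experiment can be simulated offline.
"""
import struct

# Hypothetical test device: stores one reading as a fixed-size binary record.
# The analyst does NOT know this layout; it exists only to generate dumps.
def build_dump(epoch_seconds: int, bpm: int) -> bytes:
    return (b"HRLG" + b"\x01\x00"                 # magic + version
            + struct.pack("<I", epoch_seconds)    # little-endian timestamp
            + struct.pack("<H", bpm)              # little-endian heart rate
            + struct.pack("<H", 3700)             # battery, millivolts
            + b"\xff" * 6)                        # unused (erased) flash

# Integer encodings worth trying for an unknown field.
CANDIDATES = {"u8": "B", "u16le": "<H", "u16be": ">H", "u32le": "<I", "u32be": ">I"}

def find_value(dump: bytes, value: int) -> list[tuple[int, str]]:
    """Every (offset, encoding) at which `value` could be stored in `dump`."""
    hits = []
    for name, fmt in CANDIDATES.items():
        try:
            needle = struct.pack(fmt, value)
        except struct.error:                      # value too large for this width
            continue
        start = 0
        while (idx := dump.find(needle, start)) != -1:
            hits.append((idx, name))
            start = idx + 1
    return hits

def locate_field(samples: list[tuple[bytes, int]]) -> list[tuple[int, str]]:
    """Keep only (offset, encoding) pairs that explain *every* known value.
    One dump is not enough: a value can match unrelated bytes by coincidence."""
    common = None
    for dump, value in samples:
        hits = set(find_value(dump, value))
        common = hits if common is None else common & hits
    return sorted(common or [])

if __name__ == "__main__":
    TS = 1273829400                               # constructed: 2010-05-14T09:30:00Z
    dump_a, dump_b = build_dump(TS, 72), build_dump(TS, 131)
    print(find_value(dump_a, 72))                 # offset 0 is the 'H' of the magic: a false positive
    print(locate_field([(dump_a, 72), (dump_b, 131)]))  # both readings point at offset 10
```

Width remains ambiguous here (u8 versus u16le both survive) because no heart-rate reading exceeds 255; the same differential approach with a larger known value, or inspection of the neighbouring byte, resolves it.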

Like all new technologies, small dedicated devices for ‘self-tracking’ present new challenges and new opportunities for digital forensics. It remains to be seen if this trend moves beyond early adopters, but the idea that potentially relevant digital evidence is present in far more devices than the traditional computer is fairly uncontroversial. The first step for addressing this challenge is probably at the identification stage; it is to raise awareness that such devices exist and the sort of artifacts they could contain. Hopefully this article has at least contributed to that first step.


Chris Hargreaves is a lecturer at the Centre for Forensic Computing at Cranfield University in Shrivenham, UK. Chris is involved to some extent in all of the Centre’s core activities: Education, Research and Consultancy. Chris’s main focus is research (publication list available here), but he also teaches on several of the modules within Cranfield’s MSc programme including Advanced Forensics, the newly revamped Programming for Practitioners, and also some of the new courses planned for next year. Before taking on a lecturing position, Chris obtained his PhD at Cranfield on the topic of “Assessing the Reliability of Digital Evidence from Live Investigations involving Encryption”.
