Over recent years the pace of technological development has changed the world in innumerable ways. As our lives are digitised and automated by modern devices, we see significant shifts in social behaviour and personal interaction: our lives are intertwined with technology, and with smartphones in particular.
In effect, the world has become smaller. Some groups thrive in these digital ecosystems, and sadly many of them have malicious intent. Cyber-related crime is booming and is an increasing concern across the globe, as highlighted in recent editions of Europol's Internet Organised Crime Threat Assessment (IOCTA) reports.
Thankfully, there are also many people with positive intentions balancing the scales. Connected forces of digital enthusiasts are constantly cooperating and supporting one another to drive forward many of the solutions we have integrated into our modern systems and ways of working.
The Open Source phenomenon has enabled considerable developments across multiple domains, including several solutions we regularly use for business and leisure, such as Linux, Mozilla Firefox and LibreOffice. In addition, the programming languages Python and PHP underpin many of the tools and technologies we use every day.
How Open Source is Relevant to Digital Forensics
The Digital Forensics and Incident Response (DFIR) community is a growing example of this collaborative trend, and FORMOBILE is playing its role in community-based improvements.
Digital Forensics is a fast-paced field, and its Mobile Forensics subdomain exemplifies this fluid environment. New devices and software are continually released across worldwide markets, and the applications and online platforms in use proliferate at a staggering rate. Although forensic tool vendors are at the cutting edge of innovation in support of law enforcement, it is unrealistic to expect them to match this progress step for step. This is where bands of digital enthusiasts can help.
Through open source platforms such as GitHub, scores of people contribute to new features and functions that are leveraged by various domains.
What is FORMOBILE Creating?
Consider online cloud providers. Such platforms benefit from creative customers who develop new applications that extend the value and usefulness of their services. Users also explore ways to back up their data or move it from one cloud provider to another, so there are always individuals contributing to continual improvements, most often through the providers' REST APIs.
Likewise, the DFIR community can benefit from the same approach and create solutions that allow digital investigators to explore data held in the cloud that may be integral to a case and help to prove someone's innocence or guilt.
The FORMOBILE project has embraced this strategy and is working hard to provide LEAs with access to cloud platforms not currently reachable through technology partner MSAB's XRY solution. The newest release of XRY allows the CLOUDxTRACTOR to be integrated into XRY's existing Cloud solution.
It is also important to emphasise that this function could be leveraged by other licensed forensic companies, as it originated as, and will remain, an open-source feature. Although the scripts are open source, they cannot be used in isolation: they require professional, licensed digital forensic tools, which are themselves subject to export controls.
The current CLOUDxTRACTOR (Task 4.2) is the result of a collaborative effort between the FORMOBILE coordinator, HSMW, and MSAB. The work was driven forward by Martin Bochmann's and Sebastian Zankl's respective teams.
What is the CLOUDxTRACTOR?
The FORMOBILE CLOUDxTRACTOR is an extension of an existing tool in MSAB’s portfolio – XRY Cloud. The existing tool allows LEAs to:
“Recover data beyond the mobile device itself from connected cloud based storage by using the tokens on mobile devices that enable apps to function without the need for users to re-enter their login details.”
Find out more: https://www.msab.com/products/xry/xry-cloud/
As part of FORMOBILE, the team has extended this further by introducing Cloud Extract Scripts that connect to cloud services not yet covered by MSAB. The first of these scripts was created for PCloud, which is marketed as Europe's most secure cloud storage.
How Many Cloud Services are Covered?
“By the end of the project, 8-10 cloud services will be added via the CLOUDxTRACTOR”, says FORMOBILE’s technical coordinator Dirk Pawlaszczyk from HSMW. “This increases options for cloud services not covered by main tool vendors. This is useful for smaller, niche solutions. The scripts created by FORMOBILE are ‘door openers’ that can be utilised through MSAB’s tools and could also be leveraged in other Digital Forensic tools. EnCase also has a plugin feature, as do other tools available from other suppliers”, Dirk continued.
Why is this so Useful?
“This is a growing trend; Mobile Phones are highly volatile, new smartphones are constantly available. A community approach to fixing issues is the best solution. DFIR is a very active community across the globe. Importantly, it is not just LEAs, but includes developers, scientists and researchers.
Extracting data from the cloud is not just of interest to LEAs. There are many benefits of automating the backup, restoring and utilisation of cloud data. Of course, forensic investigations have more steps, and the process is more rigorous, but the concepts are similar. The new CLOUDxTRACTOR is going to be open-source - therefore, everyone in the industry can benefit, including other professional DF tool providers.” Pawlaszczyk states.
How Does it Work?
As mentioned above, the CLOUDxTRACTOR is an extension of an existing product and we asked Sebastian Zankl to explain in more detail how it works.
“Daniel Helsing from MSAB’s Core Team is responsible for extending the current Python Decoder to integrate the new solution into XRY’s existing Cloud solution. The Python API solution enables investigators to run specific pre-written scripts from within XRY that can give access to the cloud data.
In theory, licensed users will also be able to create new scripts to access different cloud services beyond the 10 planned in FORMOBILE”. Sebastian continued, saying “LEAs have increased options for extraction and the existing scripts provide samples that can speed up the process of writing new versions that may be required in an investigation to access a particular cloud service. Moreover, MSAB has a technical forum where customers can interact and share scripts and information to help further speed up the process”.
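To make the mechanism described above concrete (a stored app token reused against a cloud provider's REST API, as in the XRY Cloud description and the backup-and-migration use case earlier), here is an added illustration of what such a cloud extract script looks like. It is not code from this page, not MSAB's XRY Python API and not a FORMOBILE script. The cloud service, its `/v1/files` endpoints, the layout of the on-device token store and the sample file contents are all hypothetical; the HTTP transport is injected so the logic runs offline against the `FakeCloud` stand-in, and a rejected token raises `TokenRejected` instead of silently returning an empty listing.

```python
"""Shape of a token-based cloud extract script (added illustration).

This is not MSAB's XRY Python API and not a FORMOBILE script. The cloud
service, its /v1/files endpoints and the on-device token store are all
hypothetical, and the HTTP transport is injected so the logic runs offline
against FakeCloud below; a real script would pass a function that performs
the request with urllib or requests.
"""
import hashlib
import json
from dataclasses import dataclass

# Constructed sample input: an app preferences file as it might be carved
# from a handset extraction. Account and token value are made up.
SAMPLE_PREFS = json.dumps({
    "account": "user@example.invalid",
    "auth": {"access_token": "tok-deadbeef", "expires_at": 1700000000},
})


@dataclass
class Item:
    path: str
    size: int
    sha256: str


class TokenRejected(Exception):
    """Service answered 401: the stored token has expired or been revoked."""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def read_token(prefs_json: str) -> str:
    """Pull the access token the app stored so the user need not log in again."""
    token = json.loads(prefs_json).get("auth", {}).get("access_token")
    if not token:
        raise ValueError("no access token in app preferences")
    return token


def extract(token: str, transport, page_size: int = 2) -> list:
    """Walk the paginated listing with the device token and hash every file.

    transport(method, path, headers, params) -> (status, body_bytes)
    """
    headers = {"Authorization": f"Bearer {token}"}
    items, cursor = [], None
    while True:
        params = {"limit": page_size}
        if cursor:
            params["cursor"] = cursor
        status, body = transport("GET", "/v1/files", headers, params)
        if status == 401:
            raise TokenRejected("service rejected the stored token")
        if status != 200:
            raise RuntimeError(f"listing failed: HTTP {status}")
        page = json.loads(body)
        for entry in page["files"]:
            status, content = transport(
                "GET", f"/v1/files/{entry['id']}/content", headers, {})
            if status != 200:
                raise RuntimeError(f"download of {entry['path']} failed: HTTP {status}")
            # Hash at acquisition time so the listing doubles as an integrity record.
            items.append(Item(entry["path"], len(content), sha256_hex(content)))
        cursor = page.get("next_cursor")
        if not cursor:
            return items


class FakeCloud:
    """Offline stand-in for the hypothetical service, with constructed files."""

    def __init__(self, valid_token: str):
        self.valid_token = valid_token
        self.files = {
            "f1": ("/Documents/notes.txt", b"meeting at 10\n"),
            "f2": ("/Photos/img_001.jpg", b"\xff\xd8\xff\xe0JFIF-stub"),
            "f3": ("/Documents/ledger.csv", b"date,amount\n2024-01-01,100\n"),
        }
        self.requests = []  # every call made, as a script should log for the case file

    def __call__(self, method, path, headers, params):
        self.requests.append((method, path, dict(params)))
        if headers.get("Authorization") != f"Bearer {self.valid_token}":
            return 401, b'{"error":"invalid_token"}'
        if path == "/v1/files":
            ids = sorted(self.files)
            start, limit = int(params.get("cursor") or 0), params["limit"]
            chunk = ids[start:start + limit]
            body = {"files": [{"id": i, "path": self.files[i][0]} for i in chunk]}
            if start + limit < len(ids):
                body["next_cursor"] = str(start + limit)
            return 200, json.dumps(body).encode()
        if path.startswith("/v1/files/") and path.endswith("/content"):
            fid = path.split("/")[3]
            if fid in self.files:
                return 200, self.files[fid][1]
        return 404, b"{}"


if __name__ == "__main__":
    cloud = FakeCloud("tok-deadbeef")
    for item in extract(read_token(SAMPLE_PREFS), cloud):
        print(f"{item.sha256}  {item.size:>6}  {item.path}")
```

Two design points carry over to a real script: every request is recorded, so the case file can show exactly what was fetched and when, and each object is hashed as it is acquired rather than afterwards, so the listing itself serves as the integrity record. The token is used only as stored; the script never logs in on the user's behalf, which keeps it inside the scope of what the device extraction already contained.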
Is Open Source the Future for Digital Forensic Tools?
As Dirk and Sebastian both highlighted, working with existing scripts and leveraging aspects of current tools and solutions can speed up the process of creating new tools to support a legally authorised investigation.
Dirk Pawlaszczyk also went on to say:
“From my point of view, it makes an important difference whether an investigator only uses a product or they are part of a living community. In this community, you give something and you get something back. As a member, you help develop the product and make it better. It takes on a completely different meaning. It is no longer just one forensic tool among many. You identify yourself with it. This is an experience that tens of thousands of developers worldwide have every day when they make their programs available to everyone on portals like GitHub”.