Asking the Right Questions: Forensic Analysis of Data, or How to Make BlackBerry Data Hearsay

(February 25, 2009) Interhack Founder C. Matthew Curtin and Senior Analyst Lee T. Ayres show the critical difference between data types encountered in forensic computing. Showing where BlackBerry data fall in the mix, they demonstrate how easily BlackBerry data can be falsified such that an investigator using available tools wouldn't be able to tell.

Abstract

Tutored by television crime dramas, many people have come to assume that electronic information is always what it appears to be on its face. This is, in fact, the forensic version of a longstanding tendency that people have to believe anything that comes from the computer, no matter how absurd.

We will consider a brief history of the forensic analysis of data, showing what is and is not possible with various types of electronic information. Drawing from our own practice in high-stakes criminal and civil adjudication, we will illustrate the difference between knowledge and understanding—and how failing to recognize the difference can prove disastrous.

In the second half of this presentation, we focus on the forensic analysis of mobile devices, with particular emphasis on BlackBerry devices. We will present for the first time original research undertaken at Interhack and perform a demonstration showing how standard forensic tools, including Secure View and Paraben, will fail to detect implanted and backdated data in BlackBerry devices.

Appearances

December 12, 2008—Cleveland, Ohio chapter of Infragard
This meeting is open to the public.
February 25, 2009—Central Ohio chapter of Infragard
This meeting is open to the public. It will be held from 9:00AM-12:00PM at Highlights for Children, 1800 Watermark Drive, Columbus, Ohio 43215. Please RSVP if you would like to attend.

Schedule This Program in Your Organization

Interhack delivers presentations for CLE and CJE credit. If you would like to schedule this or another Interhack presentation in your association or law firm, please contact us for rates and availability.

About InfraGard

Information about the mission of InfraGard can be found at www.infragard.net.

About Interhack

Based in Columbus, Ohio, Interhack Corporation is a professional services firm with clients all over North America. Founded in 1997 by a team of information security researchers, Interhack accepted the mission to make global computing and communications infrastructures worthy of trust. Interhack's two practice areas, Information Assurance and Forensic Computing, support that mission.

Established in 2000, Interhack Forensic Computing helps in-house counsel, incident response teams, law enforcement agencies, and law firms establish facts that can be used in litigation or criminal prosecution.

Interhack is a supporting member of The Usenix Association. Additional information about Interhack is available at web.interhack.com.