Posts

Let me show the bias in AI

I made a little action figure of myself, and in the process, AI taught me about its bias. The first action figure has a smile that is waaay too much, a little psychotic IMO. I said reduce the smile by 20%. That's all I said. Then, I looked at what happened in the second picture AI made. No smile, flat hair, an examiner who looks utterly depressed. AI, like so many before it, is still saying, "You better smile, buttercup." I can even show the bias. Take a look here. The first graphic The second graphic With a 20% smile reduction...

Top 3 reasons we're Dispassionate Scientists

Why is being a dispassionate scientist one of the core traits of a digital forensics examiner?
✔ We must objectively analyze all of the evidence
✔ We must clearly present the facts of the case
✔ Our opinions are informed by the facts, not by our personal feelings or judgments
Being a dispassionate scientist allows us to follow the evidence to find all the facts in the case. Good or bad.

AI in Digital Forensics

  AI has its place. But it's not conducting my digital forensic exam for me. It's not writing the report for me either. It's not doing homework for students either. You have to have a fundamental knowledge of a subject to leverage AI in any meaningful and accurate way. We're starting to see some big pitfalls in those organizations that dumped people and went all in on AI to do work. Hopefully, that's your big hint to double down on learning and increasing your own knowledge instead of being a copy-paste pro. Otherwise, if we don't use our brains, we survived Judgement Day in 1997 / 2004 only to submit to the machines a few decades later.

Tool Validation in Digital Forensics

I keep hearing people say you need to use multiple forensic tools for your examination and to validate your findings. Most conversations center around the use of two different big forensic tool suites like Axiom and EnCase or Cellebrite and Oxygen, and I have to disagree. You don't need two expensive software packages to get the job done. Think differently. Got SQLite databases? Look at them in a native SQLite DB app. Need EXIF data? Try exiftool. I could go on and on. You don't need two pricey tools. IMO, you need one primary tool that can do your heavy lifting and that provides a nice overview of the artifacts and, thus, a starting point. But then once you've found the good stuff, that's where you're going to move on to something different for the raw data and the validation, and it's going to consist of some native apps, some free tools, and probably a few tools that have a small price tag. Maybe it's because I'm old, but this is how I roll.

Digital Forensics 101: Hashing

Digital Forensics 101: Hash your forensic images / files. Let's not forget the basics. It's important to hash your forensic images and files to generate hash values. Then, when you copy those images / files somewhere else (oh, I don't know, perhaps to another HDD for discovery), make sure to hash those files again to make sure the hashes still match. Finally, provide the hash values to whoever you are providing said files to so they can verify the hash values. This is especially important when the hash values are not contained within the forensic image or any logs that are automatically generated or provided. On another note, let's talk about why it's so important to generate hash values... Any guesses? If you answered "to maintain and verify the integrity of evidence," you win! Remember, the goal of what we're doing is to find and explain the facts of the case. You can't share the facts if you can't get your evidence admitted. You can't g...

The Rising Cost of Mobile Forensics

The cost of mobile forensics is increasing, and it's not just the price of the software to blame. As mobile phones continue to become more complicated and capable of doing more super cool things, the ability to retrieve and analyze data takes longer because it's all become more complicated. Gone are the days of the quick, 16-hour examination of an iPhone. If your client only cares about the content of texts, emails, and pictures, then, sure, you could grab that for them in 16 hours. But if you need anything more in-depth (and you will), it will take a lot more analysis and time than that. Things change in every update, which means the examiner must spend more time analyzing, testing, and validating the data. Even IF something has NOT changed with an update, many mobile device exams require some testing and validating of the data. All of this increases the prices passed to the clients in three ways. First, the cost of the software is passed along. Second, the longer it takes t...

Time is the longest distance between 2 points

"Time is the longest distance between two points." These words by Tennessee Williams resonate deeply, considering the fragility of our memories and the challenges they pose in crucial moments. Imagine finding yourself on the witness stand, desperately grasping for recollections from the distant past. In this crucial moment, the true weight of time becomes evident. The importance of detailed case notes cannot be overstated in legal proceedings. They are a vital link that connects our present selves with our past actions. Without them, our memories may falter, we have nothing to refresh our memory, and the quest for truth becomes an arduous struggle. Case notes are the guardians of our actions, meticulously capturing what we did, what we discovered, what we found, and even what we didn't. They are the tangible records that safeguard the integrity of our recollections, preventing them from slipping away into the abyss of time. Picture yourself in ...