Wednesday, June 14, 2017

iPhone - TDEL034 Tool Testing


Many discussions take place during training which unearth useful guidance for practices and procedures. Also, tips and tricks are also revealed. From the MTEB Tool Testing training papers 2015 - iPhone TDEL034 (test device entry level) strategies and pre-planning - it is used to illustrate potential stages for obtaining images that produce a baseline test data to enable repeated testing to identify possible changes in the working operation of forensic tool suites importing a pre-existing test image.

However, TDEL034 is, as stated above, for strategies and pre-planning. Acquisition tools and Analysis (reader/reveal) tools are dealt with later in the training. What is uncovered during discussions are peoples perceptions given their involvement within the examination process. 

It is in these sessions during training the reality dawns as to the time and expense it takes just to deal with one brand-name 'Make' of smartphone and then adding into the equation the various models that have been created and may be created in the future. If that isn't enough, there is then the various versions of OS implemented in various models (https://en.wikipedia.org/wiki/IOS_version_history).

The discovery doesn't end there. Tasks involving removal of barriers and revelation equally may impact when discussing discovery (https://en.wikipedia.org/wiki/IOS_jailbreaking).

Digital forensics is a reality and not a junk science. This field of endeavour is unlike traditional sciences incl. many forensic sciences. How many traditional sciences can you identify evolve and update rapidly e.g. every 6mths-12mths? It is against this backdrop that digital forensics is expected to function and operate across a digital arena of many makes/models of devices and services. Understanding the fantastic job that people do working in digital forensics and battling with constant change illustrates how digital forensics is highly unique.

Generic standards do not work as well with digital forensics as would 'specific' standards. That is because with generic standards they are tantamount to informing everyone this is what has been created and it is your responsibility to make it work. This is analogous to an organisation purchasing a SATNAV and Driving Route System which when operational fails to inform the driver of 'No Entry' roads, dead end roads, instructing a driver to take the action even when the sign states 'No Left Turn' or using as-the-crow-flies navigation so the driver is placed at a point e.g. x-miles from true destination, because the system doesn't understand vehicles cannot drive through people houses, gardens or buildings to get to the other side. The organisation then expects the driver to workout the problems so that when reaching the destination it looks like the SATNAV and Driving Route System was working correctly.

This is why training is essential not just at the tool level, but also at the conceptual level to assist in the design of an examination approach that fits the need of the device and at the same time relieve the pressure placed on the tools that are expected to, alone, get it right. Having the right digital forensic standard should provide the baseline and should define process approach to assist achieve results.

I will return to this subject to offer observations a little later, but for now other matters are now pressing and need attention.

No comments: