The Rise (and Risk) of Modern Media
Tablets, smartphones, GPS devices, flash drives, and other devices have
become a way of life, changing the way we acquire forensic evidence.
Modern media is changing the forensic process. We are increasingly seeing the need to acquire forensic
evidence from tablets, smartphones, GPS devices, flash drives, solid state hard drives, and other devices.
They have become a way of life. We use them in business, in our homes, and in our cars.
These kinds of devices store data differently than the traditional computer hard drive. The rotating
platters and magnetic heads of conventional hard disk drives enable us to set up a standardized process for
predictable data acquisition, including recovery of deleted files. They also provide complete metadata logs,
tracking every process that happens. In contrast, these new gadgets, which are so useful and convenient in
everyday life, can be a bane to the forensic technician.
Each of the new storage media has its own logic about how and when it writes, overwrites, moves,
and deletes files. Additionally, while they can be manipulated by external commands—some more than
others—some actions may be performed automatically that can actually destroy
There is also a significant amount of variation among these devices. We may run into a number of
operating systems in dealing with conventional computer hard drives, but a phone, for example, may have
hundreds, even thousands, of options. Beyond the multiple brand names, there are different models,
systems, versions, applications, and other factors, including if they have been “rooted” or “jailbroken.”
In terms of forensic collection and analysis, these are significant issues that create the dilemma of
not being able to know if all data has effectively been gathered. Plus, the many differences require
that we create and tailor processes that are customized to each specific device. And still we may lose
evidence.
These new and continually changing technologies require constant study and flexibility. Our industry
does a remarkable job of adapting and evolving processes to accommodate new media and provide the
most complete and accurate collection methods possible.
Yet, the biggest issue in collecting data from these devices is not actually associated with the device
itself. The real problem is in determining who has control of the device.
Do You Know Where Your Data Is?
The Bring Your Own Device (BYOD) phenomenon is affecting forensic data acquisition because it creates
crossover between data that is controlled by an individual versus by a company. People are using their
personal devices for work-related tasks because it can seem easier than trying to use typical work resources.
For example, an employee may use a tablet to take notes during an office meeting, or a phone to text a work
colleague, or a portable hard drive to transport files to be able to work from home. That may be more
convenient for the user, but if the data on that device needs to be collected, it may mean collecting
personal information as well.
Forensically, the main problem is the opposite scenario: if the corporation’s data needs to be collected from
a personal device and that company does not have control of or access to the device, it can effectively halt