Recap: March Dinner with Jad Saliba

Jad Saliba, March GGD speaker

Lots of new faces out again this month, which was great to see given we ended up accidentally competing with two other fine events (Nerd Nite and Women Who Code – definitely check out both of them in the future!)

As usual, the Taco Farm deliciousness did not disappoint (and yes, their tortillas are made from corn and always gluten-free). Big thanks to Magnet Forensics for sponsoring dinner as well as providing our speaker.

Kudos to Jad, our speaker, for remaining unflappable even with the impromptu photo shoot his team apparently didn’t tell him about. 🙂 He kicked off his presentation with some background on himself and the company – a self-taught programmer in his teens, learning C, QBASIC, and VB6 (which kind of gives away his age, but hey, I learned VB6, too, so represent!)

After a stint at Mohawk College, Jad worked at OpenText for a while in IT/Software. However, he’d always had an interest in law enforcement, so eventually he left the comparatively cushy world of corporate IT. Jad spent seven years with Waterloo Regional Police Service (with its very different kinds of stress than executives not getting their email…)

After some major life changes in 2007, Jad had the opportunity to move into the Technological Crimes Unit with WRPS, which he found suited him and his tech background very well. He also founded JADsoftware as a part-time side project. He’d seen the growing need in police investigations for better tools for digital data recovery, and decided to tackle the challenge.

The resulting product was called Internet Evidence Finder (IEF) (Jad freely admits he’s not the creative talent when it comes to naming things). It addressed the increasingly common pain point of digital evidence in investigations requiring recovery and analysis, combined with a dearth of technical expertise to process it.

In 2011 the software side project had grown to the point where Jad had to make a choice: abandon the project, sell it, or start working on it full-time. He chose the last option, and rebranded the company as Magnet Forensics, since as a company the work would include considerably more people than just himself. (They’re at 39 employees today.) They spent a year working in the Accelerator Centre, and then moved to Uptown Waterloo where they are now. (Across from BeerTown, as Jad noted.)

The company has been growing quickly ever since, and Jad noted he’s found this area to be a great source of technical talent, particularly the University of Waterloo. (He freely admits he likes to hire people smarter than himself.)

So, with that background on Jad and early Magnet Forensics, we dug into the business and the details of what they do. Digital forensics is a branch of forensic science that encompasses recovery and investigation of material in digital devices, often related to computer-based crimes.

These devices can include a lot of different types these days: computer hard drives, smart- or featurephones (simpler cell phones common prior to smartphones), tablets, USB drives, CDs/DVDs/Blu-ray, digital cameras, GPS units, vehicle in-dash systems, and pretty much any other digital system you can think of. These days, we leave digital fingerprints everywhere.

The goal of digital forensics is to recover data in order to find the truth: it can help prove guilt or innocence. To this end, there are two types of data recovery: hard and soft. Hard data recovery is the physical type possible for hard drives and similar devices. It conjures up images of clean rooms and vast expense in trying to get whatever is left intact or semi-intact on that drive of yours that died (and which you probably hadn’t recently backed up).

Soft data recovery is less physical, and a bit more of a “needle in a haystack” endeavour. It involves finding useful, relevant data within much larger “blobs” of data. So, for example, taking the contents of a hard drive or phone – potentially gigabytes or terabytes of unsorted data – and finding text messages, HTML, etc. Data isn’t stored in neat containers on our devices, so data recovery can be a lot like putting a puzzle together.

There are two kinds of data removal from devices: deleted or wiped. When you delete a file on your computer, for example, you are not actually removing that file. You’re removing its record from your computer’s “table of contents”, and removing the pointer to the space where that file’s data is stored. So the data is still there; it’s just harder to find where it is, and where its content begins.

The space where data is stored eventually gets overwritten, typically with new data, and once that happens the old data is gone and not recoverable. However, as Jad noted, with the ever-increasing sizes of hard drives these days, deleted data can remain pretty much intact for years since the drive has lots of empty space to fill up before it has to start overwriting previously used space.

Newer, solid state drives work a bit differently, and do tend to maintain deleted data for less time as they’re overwriting space more often to maintain their speed. But they can still contain valuable and accessible contents.

Wiped data, on the other hand, is data that has been overwritten. This can happen either automatically as the computer saves new information to its drive, or intentionally with a program to “clean” the hard drive. (E.g. if you are donating your old computer to a charity, and want to get rid of all your information from it before you turn it over to them.) When data is wiped, the space it occupied on the hard drive is overwritten at least once with zeroes. Some programs promise overwriting as many as seven times, but that’s overkill.
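To make the delete-versus-wipe distinction concrete, here is an added sketch (not from the talk, and not how IEF works internally) of a toy disk where deleting only drops the table entry while wiping zero-fills the sectors, followed by a keyword-style scan of the raw bytes for URLs in both 8-bit and UTF-16LE text. `ToyDisk`, the 64-byte sector size and the `.example` hostnames are assumptions constructed for the illustration.

```python
import re

SECTOR = 64  # toy sector size; real media use 512 or 4096 bytes

class ToyDisk:
    """Constructed model: raw storage plus a name -> (sector, length) table."""
    def __init__(self, sectors=8):
        self.raw = bytearray(SECTOR * sectors)
        self.table = {}
        self.next_free = 0

    def write(self, name, data):
        start = self.next_free * SECTOR
        self.raw[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += -(-len(data) // SECTOR)  # sectors used, rounded up

    def delete(self, name):
        del self.table[name]  # only the table entry goes; the bytes stay put

    def wipe(self, name):
        sector, length = self.table.pop(name)
        span = -(-length // SECTOR) * SECTOR
        self.raw[sector * SECTOR:sector * SECTOR + span] = bytes(span)  # zero-fill

# URLs stored as 8-bit text and as UTF-16LE (each ASCII char followed by 0x00)
URL_ASCII = re.compile(rb"https?://[\x21-\x7e]{4,200}")
URL_UTF16 = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00){4,200}")

def carve_urls(raw):
    """Scan a raw image for URLs without consulting any file table."""
    hits = [(m.start(), m.group().decode("ascii")) for m in URL_ASCII.finditer(raw)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in URL_UTF16.finditer(raw)]
    return sorted(hits)

def demo():
    disk = ToyDisk()
    # Constructed sample data; the hostnames are placeholders.
    disk.write("history.txt", b"visited http://forum.example/thread/42 ok")
    disk.write("chat.log", "see http://files.example/a.zip".encode("utf-16-le"))
    disk.write("notes.txt", b"http://wiped.example/secret")
    disk.delete("history.txt")
    disk.delete("chat.log")
    disk.wipe("notes.txt")
    return sorted(disk.table), carve_urls(bytes(disk.raw))

if __name__ == "__main__":
    listing, carved = demo()
    print("files visible in table:", listing)
    for offset, url in carved:
        print(f"offset {offset:4d}: {url}")
```

The file table ends up empty for all three files, yet the scan still recovers the two deleted URLs with their byte offsets; the wiped one leaves nothing to find.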

So, what is the workflow for an investigation with a digital component?

Collection: Receive and secure the device (hard drive, phone, etc.), ensuring the device hasn’t been tampered with, chain of custody is maintained, and other necessities are met if any data evidence is to be admissible in court.

Examination: Ideally investigators can get the full physical image from the device (the entire contents of the device, potentially gigabytes or terabytes of data, much of it irrelevant, but at least complete). Alternatively, investigators attempt logical acquisition, which refers to just getting files from the device.

Analysis: Looking for the relevant data, which can include, among other activities, using various tools to recover records, performing keyword searches, analyzing records to determine communications and activities performed on that device, and visualizing resulting evidence.

Reporting: Presenting data to investigators in a way they can understand and use in the course of their investigations. Also presenting data in a way understandable to crown attorneys in court.

A write-blocker is an important piece of hardware for hard drive analysis. A drive would initially be connected to one of these devices, as it ensures nothing can be written to the drive (adding or changing the data on it) in the course of analysis. This provides proof of the integrity of data recovered, ensuring it can’t be compromised.

Magnet Forensics’ software and development focuses on the examination, analysis, and reporting stages of digital forensics investigation workflow. Their clients include many executive organizations: government, military, and law enforcement. They also have an ever-growing list of corporate clients.

These days, manual analysis is becoming increasingly difficult, due to:

  • more devices (and types of devices, e.g. fragmented variants of smartphone operating systems)
  • more data storage capacity
  • more data generated
  • more online activities
  • more mobile usage
  • more cloud storage.

Automated search has become a necessity. The “Internet of Things” is also becoming an increasingly common element in investigations, and can include accessing data from sources ranging from appliances to cars to wearable tech. (Bet you never thought your fridge could rat out your criminal activities…) Where some of the newer tech is concerned, sometimes analysts need to perform additional testing and experiments to prove in court the value and relevance of data recovered. (A Nest thermostat as a material witness? Perhaps one day…)

Magnet Forensics’ key expertise is in recovering unstructured deleted data, so, for example, finding and reconstructing file formats, metadata, and the content of communications or activities (chats, search strings, etc.) As one example, recovered search keywords can be valuable in proving criminal intent.

IEF can recover a lot of types of data (currently ~430 types of artifacts), including: social media activities, webmail, instant messenger chats, browser histories, cloud stored data, file sharing apps, and more. The software then converts recovered data into a structured report database (organizing random bits into readable text, URLs, etc.) This reporting is suitable for analysis by investigators.

These days, due to the explosion in sources of data, one of the greatest requirements for the IEF software in the future is not for more recovery, but for better analysis and filtering of the data recovered. In short, making it easier for investigators to find the relevant stuff amid gigabytes of irrelevant stuff. (Ever had to scroll through a chat log trying to find a specific URL your friend mentioned? Now multiply that by everything on your hard drive.)

One major challenge for forensic investigators today is Tor (The Onion Router). Tor was originally a project developed by the US Naval Research Lab in 2002. Today it’s supported by the Tor Project, which is a US-based non-profit. Originally developed to protect government communications privacy, today it’s used by a variety of individuals and groups. Tor “directs Internet traffic through a free, worldwide, volunteer network consisting of more than three thousand relays to conceal a user’s location or usage from anyone conducting network surveillance or traffic analysis.”

Needless to say, a network that saves nothing and identifies no one can be very useful, especially to those with something to hide. For the demo Jad presented, we headed to the resurrected Silk Road, a notorious online black market founded in January of 2011 by Ross Ulbricht (alias: Dread Pirate Roberts) and hosted and hidden on Tor. At its height Silk Road boasted nearly a million customers and $1.2 billion in annual sales (for anonymity it used Bitcoin as its currency). Need guns, drugs, a hitman, or other sketchy activities? Silk Road was the place.

Silk Road was initially shut down in October 2013 by the FBI and its founder arrested and charged with money laundering, drug dealing, and conspiring to murder a witness. Servers were shut down and assets seized (including 26,000 Bitcoins, worth about $4.2 million at the time).

Of course, this being the Internet, Silk Road was back in business a month later, headed by a new Dread Pirate Roberts. There are (or were) other black markets accessible only via Tor as well, like Black Market Reloaded, and the Sheep Marketplace. We took a casual tour around one of the sites and had a look at various offerings, including “crime free” guns, a lot of cocaine, and, a crowd favourite, an electromagnetic pulse device (EMP), yours for a paltry $36,000USD!

After our tour (alas, we couldn’t find any hitmen on offer), Jad ran an analysis of our shady doings with IEF, which revealed over 7,000 relevant URLs resulting from a single search for “onion” (the suffix for Tor’s domain). And there it was… every page we’d visited, everything we searched for. Busted!

This was a relatively simple analysis, given the data was very “fresh”, the hard drive wasn’t damaged, and we hadn’t done anything to cover our tracks, but it revealed the capabilities of the software in ferreting out activities online and off, and just how hard it is to wipe away our digital fingerprints, even when we take considerable steps to do so.

And with that, Jad finished up his presentation, and we did a bit more Q&A. Some questions included whether different “communities” tend to use different platforms (e.g. Android for open source aficionados); whether IEF integrates with PhotoDNA (the software developed in partnership with law enforcement and Microsoft for child pornography investigations to analyze content without requiring human viewing), which it does; and how IEF could have been used in a recent case where phones and BlackBerry Messenger played a key part.

Huge thanks again to Jad for his fantastic presentation, and to Kelly for coordinating everything on the Magnet side, including dinner sponsorship. Big thanks to Communitech as well for providing the space, and to Taco Farm for the delicious tacos.

Stay tuned for the announcement for our April Dinner and registration soon. Hope to see you next month!
