25 years of Digital Forensics, what has changed? We asked Hans Heins.
It is clear that the world of Digital Forensics is not standing still. The field has evolved from handwritten letters to e-mails and from physical crime to cybercrime. How have all these changes impacted the methods and work of the Digital Forensic Investigator? We asked an old friend: Hans Heins.
Who is Hans Heins?
Hans is a Digital Forensic Investigator at heart. He started his career with the Police as a Sports Instructor but soon found himself in the position of Tactical Investigator. After working for several years for Rijkspolitie Hollands-Midden, he moved on to the Computer Crime Unit in The Hague as an IT Forensics Specialist in 1994, eventually ending up at the Police Academy as a lecturer/developer of Computer Forensics. He became a familiar face to many police officers due to his work there. In 2005, it was time for something new, and Hans worked at several private investigation firms. After 12 years at Hoffmann Corporate Investigations, he retired from the company as of October 2022.
22 years ago, when Hans had been working for 2.5 years as a Digital Investigation Specialist at the Police Training National Selection Centre, we already had the opportunity to interview him. In that interview, he told us how he had introduced EnCase to the Police as one of the first Digital Forensics tools. 22 years later, he looks back with DataExpert's André Hakkers at all the changes that have taken place since then.
Developments in Digital Investigation
When Hans started working as a Digital Investigator in 1994, all investigators had in their fight against computer crime was a big, bulky laptop. Software packages such as EnCase, FTK, AXIOM and Intella were not available at that time. Given the large number of different computers and systems you encountered back then, backing up found evidence on the spot was anything but easy.
Yet Hans indicates that not that much has changed in the way you investigate as a Digital Investigator. ‘For more than 30 years, a computer has been a very important witness to question. That hasn’t changed. The traces you can find on computers are different, of course. For example, Microsoft Word now stores different information than it used to. Now you have the autosave feature, and in the Registry and various other system files, you can find out at what times the document was worked on. You can also check in an Excel file where the cursor was at a specific time.’ One change that Hans does say has made a big difference is the ability to work remotely. Because not everything is local anymore, there is now more flexibility.
The definition of digital evidence has also remained the same, according to Hans. You can only call it evidence from the moment it has been completely and forensically correctly secured and properly handled from the outset. Of course, the structures and properties of files have evolved, but the tools have evolved with them. Ultimately, however, it is the investigator who determines the quality of the investigation, not the tools used.
Hans: ‘I once worked on a case where one of the two parties brought a WhatsApp conversation, saved as a pdf, into court as evidence. The other party immediately indicated that the content of the conversation was not authentic, i.e. manipulated. In such a case, you start checking the presented evidence more closely.
Three consecutive dots in the text (…) caught my eye. These dots were too close together compared to the other text. Zooming in indeed showed that it did not match and it could be concluded that the WhatsApp text must very likely have been modified in a word processor, possibly Microsoft Word. It was not revealed what exactly was changed, but at least it could be demonstrated that the WhatsApp conversation brought in could not possibly be authentic. The burden of proof was reversed by the judge and the presented WhatsApp conversation was eventually brushed aside’.
The skills and curiosity needed to notice anomalies such as those described above are no different from, say, 25 years ago. It is essential that you have the right experience to recognise such cases and then to articulate them appropriately to the court.
Hans acknowledges that the amount of data to be investigated has increased enormously over the years. Even so, he says, it is important that you still copy all data, despite the large amount of it. Securing can often only be done once, and you don't know what you are missing if you don't get everything. A good example here is log files from a web server. If you limit your log data retrieval to a few days before and after a specific event, you are missing the mark. In many of the log file investigations Hans carried out, it turned out that the person concerned had left traces much earlier, sometimes as much as two months earlier, and those traces proved crucial for solving the cases at hand.
Between his work with the Police and his work with private organisations like Hoffmann, Hans did not really notice a difference over the years. Hans: ‘Although the subject matter of a case often differs between civil or criminal cases, you still do the same work. You investigate the same types of computers with the same resources and forensic tools. At the end of the line, it is all about the zeros and ones, finding the evidence and preparing a legally viable report’.
Use of tooling over the years
In 1998, a colleague of Hans brought a graphical investigation tool back from America to the Netherlands. Back then, that tool, EnCase 1.99, fit easily on a floppy disk and could be used in an offline digital forensic investigation. It really was a pioneering tool at the time, with all the possibilities it offered, and it opened up a whole new world for Digital Investigators. Before the advent of EnCase, the Police used command line tools such as Snapback for backing up data to tape and Disksearch, which allowed searching for up to 128 words at a time. With EnCase, computer data could be secured, processed offline and made searchable in a graphical Windows environment. This allowed investigations to be completed significantly faster and also simplified analysis. For example, zip files no longer needed to be extracted manually.
After EnCase, other, mainly US, vendors soon came up with tools that the rest of the world, as Hans describes it, ‘sucked up like a sponge’. Examples include the tools from AccessData. Even then, FTK was capable of indexing all words in an offline copy, allowing you to get answers to all search queries at lightning speed. PRTK was at the time (and still is) a very convenient tool for password recovery.
By now, tooling is an integral part of a Digital Investigator's work. Hans: ‘As a Digital Investigator, you need to have a full toolbox. There is no single tool that can do everything. Each tool has its own specific functionality. In doing so, it is also important to compare the outcomes of tools’. Hans stresses the importance of knowing exactly what your tools can do and what their limitations are. According to him, this should be checked with every new tool update, something that is sometimes skipped in practice.
So what should be in the toolbox? According to Hans, this depends entirely on the type of investigation. If you are dealing with an investigation where communication is key (think of an e-mail exchange), then Intella, for example, is a good tool. Especially with the advent of OCR (Optical Character Recognition), Intella offers excellent options for searching communication data. Hans does emphasise: ‘If you search for the word invoice, you may very well find no or too little relevant data. You should look for a notation used by an unknown third party. They may have used a diminutive form, or a synonym such as ‘bill’ or ‘receipt’ may have been used. So with tools, you do still have to be smart about how you use them’.
Furthermore, Hans mentions AXIOM as a very suitable software solution for understanding a lot of Windows artefacts. In addition, EnCase is still a very suitable tool for cases where, as a Digital Investigator, you really want to make a 'deep dive' into the data. For Mobile Forensics investigations, Hans thinks Cellebrite and Oxygen Forensic Detective are wonderful solutions. However, getting access to mobile phones is still a challenge. Investigative agencies these days are lucky to have GrayKey for that, but private organisations like Hoffmann do not.
What could be improved in the future?
In civil cases in particular, digital evidence that is introduced is quickly accepted as evidence, even if it was not obtained, handled and/or presented in a forensically correct manner. Hans is not okay with that; this is where the court should be more critical. Actually, for both civil and criminal cases, a certified Digital Forensic Investigator should secure the evidence, examine it and report the findings. ‘There are plenty of people out there who know how to use a computer to create or forge evidence. If the stakes are high enough, cheating often happens. It goes undetected 9 times out of 10, because lawyers and judges, with all due respect, are too ignorant when it comes to digital evidence’, says Hans.
It would be good if Digital Forensic Investigators had both the technical knowledge and the mindset of a Tactical Investigator. Today, Hans still often sees them having one or the other. Precisely by combining both, the right questions can be asked in the search for evidence.
Hans also finds it regrettable that cooperation between organisations is far too infrequent in practice. Especially when private and public organisations are involved. It is precisely by exchanging certain information that you can see the big picture.
Tips from Hans
One tip Hans would like to impress on all Digital Investigators is: ‘Keep working thoroughly! Get confirmation for one thing, then ask yourself what else has happened’.
Sometimes you just have to get lucky too. Hans: ‘In a stalking investigation, anonymous e-mails received by an executive of a medium-sized company were investigated. Given the content of the stalker's e-mails, it could be determined that the e-mails must have been written by an employee within the company. The stalker had information about the executive that was very private and also directly related to the company. While we were still busy doing extensive digital investigation on the company's computer network, at one point the cleaning lady found a bubble envelope in a waste bin and asked her manager if she could take it with her to reuse privately. The sender of that envelope was a company called Keelog from Poland. Fortunately, the executive latched on to the word ‘keelog’ because I had dropped the term Key Logger during a discussion with her. After visiting that company's webpage, it turned out that Keelog sells USB key loggers, among other things. One plus one makes two, and indeed, after further investigation, the addressee turned out to be the employee we were looking for. It wasn't just about stalking now. After extensive digital investigation, it was found that a key logger had been connected to the office computers of almost all female employees. Thanks to the cleaner, this case could be solved’.
Also, according to Hans, you should always keep thinking out of the box. ‘Many tools out there now offer support for the most popular/used apps, such as WhatsApp. However, you can also communicate via the chat function of Wordfeud, for example. If forensic software does not support a particular app, the database of that app is not processed, and the content is not presented separately, as is actually always the case with WhatsApp. In such cases, potential evidence is likely to be overlooked. Actually, in addition to analysing the beautifully presented data of commonly used apps, you should always manually check which apps are installed and which of them may contain valuable information. This is a particularly time-consuming and cumbersome task, which is why this step is sometimes ‘forgotten’. Sometimes you also need to use multiple tools. A Cellebrite copy of an iPhone can be read into Intella. With Intella, you can search for relevant search terms much more easily, and all images are OCRed as well. Many a time, thanks to OCR, we have found search terms in images/screenshots that turned out to be crucial.’
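The manual check Hans describes, going through an extraction for app databases that the forensic suite did not parse, can be partly automated. The following is an added example (not code from the article or from any of the tools it names): it identifies SQLite files by their magic header rather than by extension, opens each one read-only, and flags tables whose column names look like stored messages with a timestamp. The column-name hints and the sample "word game" extraction it builds are constructed assumptions for this example, not any real app's schema.

```python
import os
import sqlite3
import tempfile
SQLITE_MAGIC = b"SQLite format 3\x00"
# Heuristic column-name hints (an assumption for this example, not any app's real schema).
MESSAGE_HINTS = ("message", "msg", "text", "body", "content")
TIME_HINTS = ("timestamp", "time", "date", "created", "sent")

def is_sqlite(path):
    """Identify SQLite files by magic header: app databases rarely use a telling extension."""
    try:
        with open(path, "rb") as f:
            return f.read(16) == SQLITE_MAGIC
    except OSError:
        return False

def chat_like_tables(db_path):
    """Return [(table, columns)] for tables with both a message-like and a time-like column."""
    hits = []
    con = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)  # read-only: never alter evidence
    try:
        for (t,) in con.execute("SELECT name FROM sqlite_master WHERE type='table'").fetchall():
            cols = [r[1].lower() for r in con.execute(f'PRAGMA table_info("{t}")')]
            has_text = any(h in c for c in cols for h in MESSAGE_HINTS)
            has_time = any(h in c for c in cols for h in TIME_HINTS)
            if has_text and has_time:
                hits.append((t, cols))
    finally:
        con.close()
    return hits

def triage_extraction(root):
    """Walk an extraction directory and report every database holding chat-like tables."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            if is_sqlite(p) and (tables := chat_like_tables(p)):
                findings[os.path.relpath(p, root)] = tables
    return findings

def build_sample_extraction():
    """Constructed sample: an unsupported game app with a chat table, plus an unrelated settings db."""
    root = tempfile.mkdtemp()
    app = os.path.join(root, "data", "com.example.wordgame")
    os.makedirs(app)
    with sqlite3.connect(os.path.join(app, "game.dat")) as con:
        con.execute("CREATE TABLE scores (id INTEGER, points INTEGER)")
        con.execute("CREATE TABLE chat_messages (id INTEGER, sender TEXT, message TEXT, sent_at INTEGER)")
        con.execute("INSERT INTO chat_messages VALUES (1, 'alice', 'meet at 7', 1700000000)")
    with sqlite3.connect(os.path.join(root, "data", "settings.db")) as con:
        con.execute("CREATE TABLE prefs (key TEXT, value TEXT)")
    return root
```

Running `triage_extraction` on a real extraction only produces a shortlist; each flagged database still has to be reviewed by hand, and hits in WAL or journal files are not covered by this header check.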
Besides suggestions on the ideal working method, Hans also gives some tips on handy, inexpensive, or free tools that can come in handy during a Digital Forensics investigation:
- KAPE (Kroll Artifact Parser and Extractor): automates the retrieval, processing and interpretation of Windows artefacts. Can also be used perfectly well as a triage tool.
- Zimmerman tools: the man behind KAPE, Eric Zimmerman, has made numerous useful tools for digital investigation available on GitHub.
- Diff Doc: not a forensic tool, but it can, for example, very quickly show the differences between apparently similar Excel files. Super convenient, as this is almost impossible to do manually/visually.
- USB Detective: an excellent tool for investigating USB artefacts that goes beyond e.g. AXIOM.
- Forensic Explorer: very similar in use to EnCase. Can very easily view all Volume Shadow Copies and show only the abnormal files.
Like Hans, the Digital Forensics experts at DataExpert like to think with you about how Digital Forensics can be simpler and better and what tools can support in the process. Would you like to have a discussion about this? Then be sure to contact us.