Episode 2: Carved From Unallocated – Digital Forensic Workflow
In this episode, we’ll cover what everyone agrees to disagree on: digital forensic workflow. We’ll look at two facets. The first is the pre-extraction workflow, which I know is standardized for the most part, though there have been some changes. The second is the post-extraction workflow, which deals with where we should begin an investigation.
Workflow is something that everybody handles differently because everyone’s needs are different, and everyone’s training is different. In this podcast we will cover:
- Vendor and vendor-neutral training.
- Best forensics practices to extract data from a mobile device.
- How to carve to hex code.
- How to validate your findings.
- Where to click to find call logs, SMS messages, or whatever you’re looking for.
One thing that I was never taught and that I found myself struggling with concerning digital forensic workflow is where to start the investigation. So, listen in to get empowered.
Also, Cellebrite is working on a new Capture the Flag (CTF) event. It is going to include several players and devices, covering everything from mobile extraction to cloud data, sync data, and external components. We may even include some computers and vehicle forensics. We’re leaving it open.
We have a scenario currently in the works and I’m one of the players in this. I’ve never been a player in a CTF, so I’m excited to get to take on a second persona. We also have a few things up our sleeves regarding prizes.
We plan to include clues that will be dropped through Cellebrite UFED and on Twitter and LinkedIn. Follow us on those channels to get clues and hints because we realize everyone has different levels of expertise when it comes to mobile forensics.
Look forward to t-shirts and stickers as prizes. I may go rogue and try to drop some hints in this podcast from time to time, so pay attention.