Special guest: Ian Whiffin, Digital Forensic Examiner, Calgary Police Service/Forensics Unit

In this episode, Ian demonstrates the new features built into Artifact Examiner (ArtEx), the software he wrote to make investigations easier.

A Common Problem

At some point, digital examiners may have difficulty determining how and why an artifact is present on a device and what it means to the investigation. Often this involves acquiring a test device, generating the same activity on it, and collecting its data in order to reproduce the artifact observed on the exhibit and validate how it is created.

What is frustrating about this process is the amount of time examiners need to invest before they can reach conclusive results:

  1. Creating the test data
  2. Performing the data collection
  3. Downloading and copying information
  4. Parsing
  5. Evaluating the data

Following these steps on a small test device takes a minimum of two hours when everything goes right. A single error can mean repeating the whole procedure, for a total of four hours!

Ian initially tried to address these time-wasting steps by creating ArtEx to provide faster parsing. However, special hardware or software licenses were still required for the extraction itself, and the data collection, download, and copying of data were still eating up precious time.

checkm8-based jailbreaks made it possible to run collection scripts on the device without special hardware, software, or licenses, but that alone did not shorten the time-consuming steps of collecting, downloading, and copying the data.

The updated ArtEx features ArtExtraction, which has built-in data collection for jailbroken iOS devices. ArtEx now provides three collection options:

1. Full Data Collection: Pulls all data.

Test phone results: ~8GB extraction containing 215,836 objects; took 30 minutes to collect.

2. Quick Data Collection: Pulls user data only.

Test phone results: ~2.5GB extraction containing 37,206 objects; took 10 minutes to collect.

Note: The quick collection skips the OS files, which saved about 5GB on the test phone. This saving is only significant when dealing with small test devices and would hardly be worth the effort on a 100GB+ device.

3. Live Connection: Pulls the required data in real time, without a full extraction.
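The difference between the full and quick collections above comes down to scope: the quick collection pulls only the user-data partition and leaves the OS files behind. The script below is an added illustration of that idea in a scripted collection, not ArtEx's own code and not Ian's method. It assumes a local directory standing in for the device root (on a real jailbroken device the same tar pipeline would run over ssh); the `/private/var/mobile` path is the standard iOS user-data location, but the file tree built by `make_fixture` is constructed for the example. Each collection writes a SHA-256 manifest so the copied objects can be counted and verified afterwards.

```shell
#!/bin/sh
# Added example (not ArtEx code): full vs quick scoped collection of an
# iOS-like file tree, with a SHA-256 manifest for verification.
set -eu

# Build a small constructed tree that mimics the iOS layout: user data under
# /private/var/mobile, OS files under /System and /usr.
make_fixture() {
  root="$1"
  mkdir -p "$root/private/var/mobile/Library/SMS" \
           "$root/private/var/mobile/Containers/Data/Application/APP1/Documents" \
           "$root/System/Library/Frameworks" \
           "$root/usr/lib"
  printf 'sms' > "$root/private/var/mobile/Library/SMS/sms.db"
  printf 'doc' > "$root/private/var/mobile/Containers/Data/Application/APP1/Documents/notes.txt"
  printf 'fw'  > "$root/System/Library/Frameworks/UIKit.bin"
  printf 'lib' > "$root/usr/lib/libc.dylib"
}

# Portable SHA-256: GNU coreutils on Linux, shasum on macOS.
hash_file() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# collect MODE ROOT OUT
#   full  -> everything under ROOT (the "Full Data Collection" scope)
#   quick -> only /private/var/mobile (the "Quick Data Collection" scope)
# Copies the selected subtree into OUT/fs via a tar pipe (the same pipeline
# works over ssh to a jailbroken device) and writes OUT/manifest.sha256.
collect() {
  mode="$1"; root="$2"; out="$3"
  case "$mode" in
    full)  scope="." ;;
    quick) scope="./private/var/mobile" ;;
    *) echo "unknown mode: $mode" >&2; return 2 ;;
  esac
  mkdir -p "$out/fs"
  ( cd "$root" && tar -cf - "$scope" ) | ( cd "$out/fs" && tar -xf - )
  ( cd "$out/fs" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      hash_file "$f"
    done ) > "$out/manifest.sha256"
}

# Number of objects recorded in a collection's manifest.
count_objects() {
  wc -l < "$1/manifest.sha256" | tr -d ' '
}

# Re-hash the copied files against the manifest; exits non-zero on any mismatch.
verify() {
  if command -v sha256sum >/dev/null 2>&1; then
    ( cd "$1/fs" && sha256sum -c ../manifest.sha256 >/dev/null )
  else
    ( cd "$1/fs" && shasum -a 256 -c ../manifest.sha256 >/dev/null )
  fi
}

# Usage: sh collect.sh demo
if [ "${1:-}" = "demo" ]; then
  work=$(mktemp -d)
  make_fixture "$work/device"
  collect full  "$work/device" "$work/full"
  collect quick "$work/device" "$work/quick"
  echo "full:  $(count_objects "$work/full") objects"
  echo "quick: $(count_objects "$work/quick") objects"
  verify "$work/full" && verify "$work/quick" && echo "manifests verified"
fi
```

On the constructed tree the full collection records four objects and the quick collection two, mirroring (at toy scale) the 215,836 versus 37,206 objects reported for the test phone; the manifest is what lets you show later that the copied files are the ones you collected.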

Listen to the podcast to find out more.
