Digital Forensic Process—Introduction

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

DriveSavers Digital Forensic Process

More and more aspects of our daily lives are being monitored, tracked and recorded by electronic devices.

Today, computers, smartphones and tablets can be found in almost every home and have already become obvious sources of electronically stored information (ESI) useful in both criminal and civil cases. Email, texts, documents, pictures and more wait on each of these devices to tell their stories.

Every day, more electronic devices are being added to this list. Fitness trackers, smartwatches, thermostats, video doorbells, children’s toys, air quality monitors and just about anything else you can imagine are now being used to automate, secure and entertain.

We have already seen fitness trackers used in workplace injury cases, wifi-enabled children’s toys in child custody cases and Amazon’s Echo used in a murder case. ESI from these various data recording systems has unlimited potential as electronic evidence.

The danger is that ESI is extremely fragile and can easily be tampered with, modified or lost entirely. Any of these scenarios can occur and has occurred both with and without intention. Following an established protocol that finds and protects digital evidence is essential for successful admissibility of that evidence.

This is the introduction of a five-part series focusing on proper process for digital forensics. These articles will:

  • Define each step along the digital forensic path
  • Explain responsibilities for a digital forensic expert
  • Explain what actions your agency, firm or company can take with each step in mind to ensure the best outcome for your case, while also minimizing cost and time

Here are the steps of the digital forensic process that we will be explaining in detail in coming articles:

  1. Identification
  2. Preservation / Collections
  3. Analysis
  4. Presentation
  5. Returning evidence

Stay tuned for your lesson in Identification!

March 15–18: ABA TECHSHOW Conference and Expo Booth #917

Chicago, IL • March 15–18 • Booth #917

The ABA TECHSHOW Conference and Expo is where lawyers, legal professionals and technology all come together. For three days, attendees learn about the most useful and practical technologies available. The variety of CLE programming offered provides a great deal of education in just a short amount of time.

DriveSavers will be exhibiting at booth #917. Stop by to talk with Rene, senior manager of eDiscovery and digital forensics.

Learn more about the ABA TECHSHOW or register to attend this conference.

Warning: Internet of Things Holds Hidden Dangers

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

Internet of Things (IoT)

Law enforcement and civil litigators now have another source of evidence—searching for clues and ESI in the Internet of Things (IoT) universe where “always-on” smart devices may collect and store evidence of criminal behavior or civil liability.

Police are investigating an Arkansas murder where clues to the crime may have been stored on the victim’s Amazon Echo, a free-standing personal assistant device that responds to verbal commands for information.

The victim was found in a hot tub and police say that another smart device, a water meter, could also hold clues to what happened at the crime scene.

Staying One Step Ahead

DriveSavers is one step ahead of the IoT curve. Our engineering team has done extensive research on how smart devices collect and store data. More importantly, we are developing the best techniques for data recovery and forensic investigation of a wide range of IoT devices.

Based on cases such as the U.S. Supreme Court’s opinion in Riley v. California, information from smart devices is likely protected by the owner’s right to privacy. In this case, Amazon rejected police requests for data that may have been collected by the Amazon Echo:

Amazon will not release customer information without a properly served and valid warrant or subpoena. Amazon objects to over-broad or otherwise inappropriate demands as a matter of course.

The Echo, which you address as Alexa, doesn’t store each voice request permanently on the device itself, but it sends a copy of each inquiry to the user’s mobile phone or tablet, according to our research.

Just the Start

In addition to being a legitimate target for legal discovery, the IoT is an expanding frontier where your personal data may be inadequately protected and susceptible to theft.

Tech-savvy hackers now may be able to get to your bank account via your garage door opener, refrigerator or virtual helpers like the Amazon Echo and Google Assistant.

Hackers can take control of large networks of IoT devices and use them to make debilitating Distributed Denial of Service (DDoS) attacks on commercial websites.

Last fall, Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were among the websites that sustained DDoS attacks using commandeered smart devices—like DVRs, remote controlled cameras and even garage door openers—in an attempt to overload the sites with massive requests for information.

Personal Assistants, Personal Problems

Many smartphone users are already familiar with Apple’s Siri and Google’s Assistant, which, similar to Alexa on the Google Echo, are programs that respond with answers to verbal questions via smartphone. Data collected by these devices and others is not normally encrypted, making it a potential target for high-tech thieves.

Devices that are connected to the Internet can also lead hackers, law enforcement and civil litigators to other devices with even more sensitive, valuable and private information like bank accounts, credit cards and virtually anything else of value that’s in a digital format.

What You Can Do

Technology is an everyday part of life today and is necessary in school, career and at home. It’s important for you, your family and your employees to be familiar with how to use current devices as modes of communication.

Here are three ways to be safer when using electronic gadgets.

  1. Understand Your Devices

You should know the answers to these questions:

  • Does the device have a camera?
  • Can it transmit or receive pictures?
  • Does it have a phone book or contact list?
  • Can it download apps? What do the apps have access to (photos, contacts, etc.)?
  • Can you communicate with other people through the device?
  • Does the device post to the web?
  • Does the device have a dashboard? If so, is the dashboard part of the installed software or is it online?
  • What kind of information can be shared with other people online?
  1. Keep Up with Device Updates

Updates often include new security protocols and patches for security loopholes. Stay on top of these.

  1. Add Wi-Fi Security

Make sure your home Wi-Fi is password protected so that outsiders cannot easily access it.

For more cybersecurity safety tips, check out 6 Ways to Protect Yourself from Hackers.

Cybercrime Forecast: Upswing in 2017

By Michael Hall, Chief Information Security Officer


Computer security threats aren’t going away this year. They’re going to get worse.

And, they’re likely to create bigger and nastier problems for big and small companies alike as hackers create new pathways into even highly secure environments.

Google the term “security threat” for 2017 and you’ll get millions of hits with lists of threats expected to occur during this year.

Ransomware is Growing

Extortion is getting worse. You can expect more and better targeting of businesses through ransomware schemes that will demand higher extortion fees to unlock important data.

If that wasn’t bad enough, the hackers’ weapons keep improving.

There are many “off the shelf” programs that high-tech thieves can use to target your data. Once a solution is found to defeat one ransomware program, the bad guys can just buy a slightly different tool (created by a specialist) and continue to attack unprotected targets.

Trickle-down Effect

As big companies increase security protections, expect some hackers to shift their focus to midsize and smaller companies, which are easier targets because they do not have the cybersecurity expertise or budgets of their larger counterparts.

More Sophisticated Thievery

Steve Durbin, managing director of the Information Security Forum (ISF), told CIO magazine that we can expect bigger and more sophisticated attacks as the criminal enterprises mature.

“I originally described them as entrepreneurial businesses, startups,” Durbin said. “What we’re seeing is a whole maturing of that space. They’ve moved from the garage to office blocks with corporate infrastructure. They’ve become incredibly good at doing things that we’re bad at: collaborating, sharing, working with partners to plug gaps in their service.”

DDoS Attacks on the Upswing

Distributed Denial of Service (DDoS) attacks will also ramp up this year.

These criminal acts are designed to overwhelm a company’s website and shut it down by sending massive requests for information from armies of compromised Internet-connected devices. By co-opting growing numbers of these machines—like garage door openers, security cameras and other tools that are part of the Internet of Things (IoT)—hackers can knock a company’s website offline through the sheer volume of requests.

A huge DDoS attack last Fall took down a company that provides Domain Name Services (DNS) for several major U.S. businesses, thereby taking down the websites of those businesses. Expect more events like this.

Third-party Entry

Expect more attacks using third-party vendors. Even companies with excellent protection sometimes don’t account for the threat of a hacker who compromises the security of an outside maintenance provider with access to the company’s system. It’s much easier to get inside a company’s computer system if you can hitch a ride with someone who’s already got access, like a vendor or partner.

Security Skills Shortage

The IT worker shortage is real and could be getting worse in the cybersecurity area. According to a report from Cisco, there may be 1 million unfilled cybersecurity jobs around the world, including 200,000 in the United States.

The challenge now is to figure out how to get students interested in this area and train them.

DriveSavers CTO Joins USC Information Technology Advisory Board

Industry leader helps shape the future of data recovery and eDiscovery through an advisory role at the University of Southern California

University of Southern California

NOVATO, Calif. (May 24, 2016) DriveSavers, the worldwide leader in data recovery, eDiscovery and digital forensic solutions, further strengthens its commitment to helping shape the future of data recovery and eDiscovery practices through a new advisory role with the University of Southern California.

DriveSavers Chief Technology Officer Chris Bross was recently invited to represent the company as a member of the University of Southern California, Viterbi School of Engineering, Information Technology Program Industrial Advisory Board (IAB). The 38-member board consists of leaders from computer and storage industries and helps determine strategic direction for the Information Technology Program. Bross’ role includes participation in discussions surrounding courses and curriculum offered.

“I am very humbled and honored to be invited to join the USC, Viterbi School of Engineering, Information Technology Program IAB,” said Bross. “Our field is ever-growing and changing, and I look forward to sharing DriveSavers perspective on the industry and how students best prepare themselves for future employment.”

DriveSavers commitment to data recovery and eDiscovery education also extends outside of higher education, including speaking engagements and involvement in learning tracks at various conferences, as well as continuing education opportunities. Members of the team recently acted as facilitators for a continuing education event for law enforcement officials held by the Silicon Valley Chapter of High Tech Crime Investigation Association (HTCIA). During the event, Bross and DriveSavers Senior Manager of eDiscovery and Forensics Rene Novoa conducted a two-hour training session on Advanced Mobile Forensics, specifically recovering data from damaged smartphones for use in forensic criminal investigation.

Bross will also be presenting a one-hour track focused on SSD forensics at the upcoming Enfuse 2016 conference in Las Vegas. This session will take place on May 25 at 4:30pm. Bross will be presenting alongside Jeff Hedlesky, Forensic Evangelise-FBU at Guidance Software.

To learn more about DriveSavers services and upcoming speaking engagements, visit or

About DriveSavers

DriveSavers, the worldwide leader in data recovery, eDiscovery and digital forensics, provides the fastest, most reliable and only certified secure data recovery and eDiscovery service in the industry. All of the company’s services meet security protocols for financial, legal, corporate and healthcare industries, and it is the only company that posts proof of its annual SOC 2 Type II audit and HIPAA data security and privacy compliance. DriveSavers adheres to U.S. government security protocols, the Gramm-Leach-Bliley Act (GLBA) Data Security Rule, the Data-at-Rest mandate (DAR) and the Sarbanes-Oxley Act (SOX). DriveSavers engineers are trained and certified in all leading encryption and forensic technologies and operate a Certified ISO Class 5 Cleanroom. Customers include: Bank of America, Google, Lucasfilm, NASA, Harvard University, St. Jude Children’s Research Hospital, U.S. Army and Sandia National Laboratories.

CTO Chris Bross Speaking at Enfuse 2016 May 23–26 Booth 223

Enfuse Conference 2016

CEIC is now Enfuse! This conference will take place May 23–26 in Las Vegas.

Enfuse is a three-day security and digital investigations conference where specialists, executives, and experts break new ground for the year ahead.

On Wednesday, May 25, Chris Bross, DriveSavers Chief Technology Officer, alongside Jeff Hedlesky, Forensic Evangelist-FBU at Guidance Software, will be speaking about solid-state drives and new challenges they pose to forensic practitioners. More information about their session below.

DriveSavers will be at booth #223. Stop by to speak with Chris Bross and to hear some fascinating stories about how our digital forensic service has aided legal and criminal investigations.

Learn more about Enfuse 2016.

SSD Forensics

Wednesday, May 25
4:30PM – 5:30PM
Intermediate | Lab


Solid-state drive (SSD) storage is rapidly replacing traditional rotational media drives. Explore how technologies involved with SSDs pose new challenges to forensic practitioners, the inner workings of the newest classes of SSDs and best practices for extracting as much forensically sound information as possible. Updated and expanded for 2016.


Develop a better understanding of how forensic imaging of SSDs (and other flash memory devices) is both similar to and different from forensic best practices for traditional rotating media.


Basic understanding of digital forensic concepts, including some experience with DF hardware and software.


Jeff Hedlesky

Forensic Evangelist-FBU, Guidance Software

Jeff has been involved in the Technology Sector since 1983, and has worked in and around digital forensics since 2004. His role at GSI is ‘Forensic Evangelist’ for the Forensic Business Unit of Guidance Software. The FBU is responsible for EnCase® Forensic, EnCase® Portable and the Tableau line of digital forensic hardware products. Jeff’s focus is primarily on marketing and business development. He travels far and wide (recently to China, Japan, Mexico, Australia and New Zealand) to recruit and train Guidance authorized distributors and resellers, and to make joint calls on key customers. He also frequently visits the DC area to spend strategic time with our customer community within U.S. Federal agencies, listening as well as speaking.

Chris Bross

CTO, DriveSavers

Chris Bross is the Chief Technology Office at DriveSavers data recovery. Since joining DriveSavers engineering team in 1995, Bross has recovered data on all types of failed storage devices. Today, he manages the R&D team for emerging storage and solid-state devices, and guides the development of new tools and technologies for the forensic and data recovery labs.

WPBF: Special Report: Can information be retrieved from Austin's cellphone?

Originally published by ABC News affiliate WPBF 25 News.

Teens missing at sea since July 24

TEQUESTA, Fla. —The iPhone at the center of a missing persons investigation is now in the hands of Apple.

Tequesta teens Austin Stephanos and Perry Cohen disappeared during a fishing trip nine months ago.

Their boat was recovered off the coast of Bermuda in mid-March, along with Austin’s iPhone 6.

That phone is considered the only communication device that was on board the 19-foot SeaCraft when the boys vanished.

Both families agreed to send the iPhone to Apple on April 29, where it will be analyzed by experts.

Florida Fish and Wildlife officials describe the phone as “significantly and severely” deteriorated, and pictures show the phone damaged and waterlogged.

Is it possible to extract any information from this key piece of evidence? Experts say it’s possible.

Austin's iPhone
Austin’s iPhone

Mike Cobb is the director of engineering at DriveSavers, a California company that specializes in extracting data from damaged phones.

“We had a capital murder case which was thrown into a river and the iPhone was recoverable by us after law enforcement was able to get that,” Cobb told WPBF 25 News anchor/reporter Sanika Dange.

Not only does DriveSavers work on criminal cases, the company is frequently referred to customers by Apple.

When we asked Cobb about the chances of recovering data from an iPhone that was once submerged in water, he responded, “Well one thing that we think of right away is was this phone submerged for the full eight months or was it in some sort of package or plastic?”


Cobb says that distinction could make all the difference.

Phones need to be restored to a semi-functional state to extract information. The good news is that once an engineer is able to access some information, all the information should be available, including text messages, photos, videos and GPS locations.

However, there is one major hurdle. Austin Stephanos’ cellphone had been in saltwater for eight months.

“When it goes into the water,” Cobb explained, “it’s going to be starting the corrosion process immediately.”

So what are the first steps when dealing with corrosion? You start by taking the iPhone apart and micro-cleaning certain key components.

Cobb showed WPBF an example of a waterlogged phone that had been dropped in saltwater. Corrosion can be seen on several areas.


The process of retrieving data may sound complicated, but former Apple CEO John Sculley told WPBF it can be done.

“There is precedent for devices that have been severely damaged to recover if not all its information, some information,” he said.

Sculley is close friends with Perry Cohen’s parents, Pam and Nick. Though he has never met the Stephanos family, he told WPBF he feels deeply for both families.

“I think it was important for them to find out as much as they can of the last moments of Perry’s life and bring conclusion to this tragic situation,” he said.

There’s no timeline on when Austin Stephanos and Perry Cohen’s families may have to wait. Cobb says the process of extracting data from phones can be anywhere from a few hours to a few days.

Read more:

DriveSavers Teaching at HTCIA Training Event May 11–13

timthumb (1)

Silicon Valley HTCIA 2016 “Back to the Basics” Training Event

Milpitas, CA • May 11–13

The Silicon Valley chapter of the High Tech Crime Investigation Association (HTCIA) will be holding a continuing education training event for law enforcement May 11–13 in Milpitas, CA.

Chris Bross, DriveSavers Chief Technology Officer, and Rene Novoa, DriveSavers Senior Manager of eDiscovery and Forensics, will be teaching a 2-hour session at this continuing education event for law enforcement.

This training event is open to all law enforcement. HTCIA members receive special pricing.

Learn more about the Silicon Valley HTCIA Back to the Basics Training Conference.

NBC News: Families Cling to Hope That iPhone Holds Clues to Florida Teens Lost at Sea

Originally published by NBC News.

Missing Florida teenagers on boat
Video released by the Florida Fish and Wildlife Conservation Commission Law Enforcement Division shows two missing teens in a boat heading out of Jupiter Inlet to the Atlantic Ocean in July 2015. Image: Florida Fish and Wildlife

An iPhone found stashed inside a compartment of the boat shared by two teenagers who vanished off the Florida coast last summer could hold clues in a confounding mystery: How did the boys — both skilled boaters — disappear at sea?

Data-recovery experts say that while salvaging data from the barnacle-encrusted iPhone 6 — which apparently spent an extended period submerged in saltwater — isn’t impossible, the circumstances suggest extracting any information is a long shot.

The parents of the two teens — friends Perry Cohen and Austin Stephanos, both 14 at the time — are clinging to hope that it could help explain their disappearance. The two families even waged a legal fight over preservation of the cellphone, although that apparently was settled on Friday.

DriveSavers, a data recovery company based in California, says it typically receives more than 300 phones a month in various state of ruin — including some damaged after being dropped in the ocean.

“Most of the phones were in the ocean for short periods, but there were several weeks to months before the customer sent the phones to us for recovery,” said DriveSavers spokesman John Christopher. “That makes a huge difference because the saltwater speeds up the corrosion process and can make the data recovery difficult to impossible.”

Even so, the company has been able to resurrect data in some scenarios, he said.

In the case of Perry and Austin, the phone they were using could have been in the water for eight months, based on the barnacles found on the cracked device when it was recovered.

Another expert, Robert Heller, a digital forensics expert with CKC Consulting in Texas, told NBC News that if the phone can be revived, the contents could include text messages that were never sent, call logs, pictures and possibly GPS-related information.

“At the end of the day, if you have a shred of information that’s recoverable, it can be helpful to painting a better picture of what may or may not have occurred,” he said.

The capsized boat was discovered March 18 by a Norwegian supply ship about 100 miles off the coast of Bermuda. The boys, who remain officially classified as missing persons, were not with it.

The phone was found with two fishing rods and two small tackle boxes on board the 18-foot, single-engine Seacraft vessel, the U.S. Coast Guard said.

The friends had set out on a fishing trip the morning of July 24 from the Jupiter Inlet, just north of West Palm Beach, as severe weather approached. New video released Friday by investigators shows the boys as they cruised around the inlet before heading out to sea that day.

The video was taken by a home with a security camera ahead of their ill-fated trip.

When they didn’t come home after 4 p.m., the Coast Guard was dispatched. They found the abandoned boat two days later. A personal flotation device and the boat’s cover were gone.

A marine salvage company was later sent to tow the vessel back, but by then it had drifted away.

At the time, officials said, they were focused on finding the teens and didn’t have the resources to locate the craft. About two weeks later, the search for the pair was called off.

Read more: