May 23, 2017: A Primer on Current Android Device Forensics (Enfuse)

Enfuse Conference 2017

Rene Novoa, DriveSavers Sr. Manager of eDiscovery and Digital Forensics, will be joining Ronen Engler, Cellebrite Sr. Manager of Technology and Innovation, to speak at the Enfuse Conference in Las Vegas.

Title: A Primer on Current Android Device Forensics
Date/Time: Tuesday, May 23, 2017 11:00AM – 12:00PM
Location: Caesars Palace, Las Vegas, NV

With Android devices comprising the majority of the smartphone market, it is critical to stay apprised of the current state of Android device forensics. This session will cover current extraction technology, potential additional sources of data to supplement extraction limitations, encryption issues and challenges facing mobile device examiners specific to Android devices. Topics covered will include an Android workflow, from pre-seizure all the way through to an overview of advanced analysis. Participants will be provided with a current breakdown of options for devices running the most recent version of Android, including obtaining a physical extraction, bypassing locked devices, and identifying and handling device encryption to obtain the most data possible.


Digital Forensics Process—Identification

 

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

Forensic Process: Identification

This article is part of a series that delves into each step of the digital forensic process. If you missed the introduction to the series, which provides a synopsis of the process as a whole, you can click here.

Identification is an extremely important first step in the forensic examination process. It directly impacts efforts to develop a plan of action and ultimately the success of the project. It also allows the customer to control cost.

Identification

Before any digital forensic examination begins, the scope of actions must be identified. Who are the key players and custodians? What are the best sources of potential electronic evidence that will need to be accessed for collection? This information is needed for many reasons, including:

  1. So that no essential evidence is missed that might affect a case
  2. So costs can be estimated in advance and the scope of the case can be adjusted to fit actual needs
  3. So potential sources of evidence identified later will have a smaller impact on cost

Interview

Conducting interviews is a very important early step in a successful digital forensic examination. When determining relevant devices from which to collect data for a case, these individuals must be interviewed at a minimum:

  1. Custodians
  2. Site administrators
  3. Users—when available

Identify

Look at the range of variables and determine what factors are at play in the case, including:

  1. To what extent does legal authority exist to make a search?
  2. Is there an administrator who can identify devices and custodians?
  3. How many and what type of devices may be involved?
  4. Are any peripheral devices involved, such as flash drives, printers, scanners or memory cards?
  5. What types of electronically stored information (ESI) are potentially involved? It could be photographs, documents, spreadsheets, emails, text messages, databases and many other types of ESI.
  6. How was ESI communicated and who was communicating? We may be looking for email addresses, text numbers, IP addresses and other similar information.
  7. Has information been stored in an offsite location? On backup media? In the cloud? In remote locations?
  8. Are there devices involved that have potential remote login capabilities?
  9. What different operating systems may be involved?
  10. Do any devices require continuous electric power to operate?
  11. Other variables?

Document

  • Interviews, including:
    • Names and titles of interviewees
    • The number and types of primary and peripheral devices to be included in the collection and search
  • Any locations from which peripheral devices may have been removed or where they were found
  • Whether or not any kind of network is present
  • File types involved
  • Any off-site storage that is used
  • What different types of software are present, including any proprietary software

Revise if Necessary

If it is determined that additional electronic evidence (not included in the original plan) needs to be gathered, it’s important to determine if there is a need for a legal warrant, amended consent form or any other changes to the original scope of work.

Measure Twice, Cut Once

Digital evidence needs to be thoroughly assessed with respect to the scope of the case. The scope of a forensic examination cannot include “everything.” At least, not unless there is unlimited time and budget involved.

It is important to spend time at the very beginning to more accurately determine the true scope of the examination, narrow down what digital evidence is needed for a case and where to find it. Otherwise, costs will grow and grow as the investigation moves forward, as will the amount of time required for the investigation.

Taking the extra time and attention to accurately determine necessary devices and custodians prior to proceeding with the next steps in the forensic process will dramatically impact the investigation as a whole and, therefore, the outcome of the case.

Stay tuned for your lesson in preservation and collection!

Digital Forensic Process—Introduction

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

DriveSavers Digital Forensic Process

More and more aspects of our daily lives are being monitored, tracked and recorded by electronic devices.

Today, computers, smartphones and tablets can be found in almost every home and have already become obvious sources of electronically stored information (ESI) useful in both criminal and civil cases. Email, texts, documents, pictures and more wait on each of these devices to tell their stories.

Every day, more electronic devices are being added to this list. Fitness trackers, smartwatches, thermostats, video doorbells, children’s toys, air quality monitors and just about anything else you can imagine are now being used to automate, secure and entertain.

We have already seen fitness trackers used in workplace injury cases, wifi-enabled children’s toys in child custody cases and Amazon’s Echo used in a murder case. ESI from these various data recording systems has unlimited potential as electronic evidence.

The danger is that ESI is extremely fragile and can easily be tampered with, modified or lost entirely. Any of these scenarios can occur and has occurred both with and without intention. Following an established protocol that finds and protects digital evidence is essential for successful admissibility of that evidence.

This is the introduction of a five-part series focusing on proper process for digital forensics. These articles will:

  • Define each step along the digital forensic path
  • Explain responsibilities for a digital forensic expert
  • Explain what actions your agency, firm or company can take with each step in mind to ensure the best outcome for your case, while also minimizing cost and time

Here are the steps of the digital forensic process that we will be explaining in detail in coming articles:

  1. Identification
  2. Preservation / Collections
  3. Analysis
  4. Presentation
  5. Returning evidence

Stay tuned for your lesson in Identification!

March 15–18: ABA TECHSHOW Conference and Expo Booth #917

Chicago, IL • March 15–18 • Booth #917

The ABA TECHSHOW Conference and Expo is where lawyers, legal professionals and technology all come together. For three days, attendees learn about the most useful and practical technologies available. The variety of CLE programming offered provides a great deal of education in just a short amount of time.

DriveSavers will be exhibiting at booth #917. Stop by to talk with Rene, senior manager of eDiscovery and digital forensics.

Learn more about the ABA TECHSHOW or register to attend this conference.

Warning: Internet of Things Holds Hidden Dangers

By Rene Novoa, Senior Manager of eDiscovery and Digital Forensics

Internet of Things (IoT)

Law enforcement and civil litigators now have another source of evidence—searching for clues and ESI in the Internet of Things (IoT) universe where “always-on” smart devices may collect and store evidence of criminal behavior or civil liability.

Police are investigating an Arkansas murder where clues to the crime may have been stored on the victim’s Amazon Echo, a free-standing personal assistant device that responds to verbal commands for information.

The victim was found in a hot tub and police say that another smart device, a water meter, could also hold clues to what happened at the crime scene.

Staying One Step Ahead

DriveSavers is one step ahead of the IoT curve. Our engineering team has done extensive research on how smart devices collect and store data. More importantly, we are developing the best techniques for data recovery and forensic investigation of a wide range of IoT devices.

Based on cases such as the U.S. Supreme Court’s opinion in Riley v. California, information from smart devices is likely protected by the owner’s right to privacy. In this case, Amazon rejected police requests for data that may have been collected by the Amazon Echo:

Amazon will not release customer information without a properly served and valid warrant or subpoena. Amazon objects to over-broad or otherwise inappropriate demands as a matter of course.

The Echo, which you address as Alexa, doesn’t store each voice request permanently on the device itself, but it sends a copy of each inquiry to the user’s mobile phone or tablet, according to our research.

Just the Start

In addition to being a legitimate target for legal discovery, the IoT is an expanding frontier where your personal data may be inadequately protected and susceptible to theft.

Tech-savvy hackers now may be able to get to your bank account via your garage door opener, refrigerator or virtual helpers like the Amazon Echo and Google Assistant.

Hackers can take control of large networks of IoT devices and use them to make debilitating Distributed Denial of Service (DDoS) attacks on commercial websites.

Last fall, Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix were among the websites that sustained DDoS attacks using commandeered smart devices—like DVRs, remote controlled cameras and even garage door openers—in an attempt to overload the sites with massive requests for information.

Personal Assistants, Personal Problems

Many smartphone users are already familiar with Apple’s Siri and Google’s Assistant, which, similar to Alexa on the Amazon Echo, are programs that respond with answers to verbal questions via smartphone. Data collected by these devices and others is not normally encrypted, making it a potential target for high-tech thieves.

Devices that are connected to the Internet can also lead hackers, law enforcement and civil litigators to other devices with even more sensitive, valuable and private information like bank accounts, credit cards and virtually anything else of value that’s in a digital format.

What You Can Do

Technology is an everyday part of life today and is necessary in school, career and at home. It’s important for you, your family and your employees to be familiar with how to use current devices as modes of communication.

Here are three ways to be safer when using electronic gadgets.

  1. Understand Your Devices

You should know the answers to these questions:

  • Does the device have a camera?
  • Can it transmit or receive pictures?
  • Does it have a phone book or contact list?
  • Can it download apps? What do the apps have access to (photos, contacts, etc.)?
  • Can you communicate with other people through the device?
  • Does the device post to the web?
  • Does the device have a dashboard? If so, is the dashboard part of the installed software or is it online?
  • What kind of information can be shared with other people online?

  2. Keep Up with Device Updates

Updates often include new security protocols and patches for security loopholes. Stay on top of these.

  3. Add Wi-Fi Security

Make sure your home Wi-Fi is password protected so that outsiders cannot easily access it.

For more cybersecurity safety tips, check out 6 Ways to Protect Yourself from Hackers.

Cybercrime Forecast: Upswing in 2017

By Michael Hall, Chief Information Security Officer

Cybercrime

Computer security threats aren’t going away this year. They’re going to get worse.

And, they’re likely to create bigger and nastier problems for big and small companies alike as hackers create new pathways into even highly secure environments.

Google the term “security threat” for 2017 and you’ll get millions of hits with lists of threats expected to occur during this year.

Ransomware is Growing

Extortion is getting worse. You can expect more and better targeting of businesses through ransomware schemes that will demand higher extortion fees to unlock important data.

If that wasn’t bad enough, the hackers’ weapons keep improving.

There are many “off the shelf” programs that high-tech thieves can use to target your data. Once a solution is found to defeat one ransomware program, the bad guys can just buy a slightly different tool (created by a specialist) and continue to attack unprotected targets.

Trickle-down Effect

As big companies increase security protections, expect some hackers to shift their focus to midsize and smaller companies, which are easier targets because they do not have the cybersecurity expertise or budgets of their larger counterparts.

More Sophisticated Thievery

Steve Durbin, managing director of the Information Security Forum (ISF), told CIO magazine that we can expect bigger and more sophisticated attacks as the criminal enterprises mature.

“I originally described them as entrepreneurial businesses, startups,” Durbin said. “What we’re seeing is a whole maturing of that space. They’ve moved from the garage to office blocks with corporate infrastructure. They’ve become incredibly good at doing things that we’re bad at: collaborating, sharing, working with partners to plug gaps in their service.”

DDoS Attacks on the Upswing

Distributed Denial of Service (DDoS) attacks will also ramp up this year.

These criminal acts are designed to overwhelm a company’s website and shut it down by sending massive requests for information from armies of compromised Internet-connected devices. By co-opting growing numbers of these machines—like garage door openers, security cameras and other tools that are part of the Internet of Things (IoT)—hackers can knock a company’s website offline through the sheer volume of requests.

A huge DDoS attack last fall took down a company that provides Domain Name Services (DNS) for several major U.S. businesses, thereby taking down the websites of those businesses. Expect more events like this.

Third-party Entry

Expect more attacks using third-party vendors. Even companies with excellent protection sometimes don’t account for the threat of a hacker who compromises the security of an outside maintenance provider with access to the company’s system. It’s much easier to get inside a company’s computer system if you can hitch a ride with someone who’s already got access, like a vendor or partner.

Security Skills Shortage

The IT worker shortage is real and could be getting worse in the cybersecurity area. According to a report from Cisco, there may be 1 million unfilled cybersecurity jobs around the world, including 200,000 in the United States.

The challenge now is to figure out how to get students interested in this area and train them.

DriveSavers CTO Joins USC Information Technology Advisory Board

Industry leader helps shape the future of data recovery and eDiscovery through an advisory role at the University of Southern California

University of Southern California

NOVATO, Calif. (May 24, 2016) DriveSavers, the worldwide leader in data recovery, eDiscovery and digital forensic solutions, further strengthens its commitment to helping shape the future of data recovery and eDiscovery practices through a new advisory role with the University of Southern California.

DriveSavers Chief Technology Officer Chris Bross was recently invited to represent the company as a member of the University of Southern California, Viterbi School of Engineering, Information Technology Program Industrial Advisory Board (IAB). The 38-member board consists of leaders from computer and storage industries and helps determine strategic direction for the Information Technology Program. Bross’ role includes participation in discussions surrounding courses and curriculum offered.

“I am very humbled and honored to be invited to join the USC, Viterbi School of Engineering, Information Technology Program IAB,” said Bross. “Our field is ever-growing and changing, and I look forward to sharing DriveSavers perspective on the industry and how students best prepare themselves for future employment.”

DriveSavers commitment to data recovery and eDiscovery education also extends outside of higher education, including speaking engagements and involvement in learning tracks at various conferences, as well as continuing education opportunities. Members of the team recently acted as facilitators for a continuing education event for law enforcement officials held by the Silicon Valley Chapter of High Tech Crime Investigation Association (HTCIA). During the event, Bross and DriveSavers Senior Manager of eDiscovery and Forensics Rene Novoa conducted a two-hour training session on Advanced Mobile Forensics, specifically recovering data from damaged smartphones for use in forensic criminal investigation.

Bross will also be presenting a one-hour track focused on SSD forensics at the upcoming Enfuse 2016 conference in Las Vegas. This session will take place on May 25 at 4:30pm. Bross will be presenting alongside Jeff Hedlesky, Forensic Evangelist-FBU at Guidance Software.

To learn more about DriveSavers services and upcoming speaking engagements, visit www.drivesaversdatarecovery.com or www.drivesaversediscovery.com.

About DriveSavers

DriveSavers, the worldwide leader in data recovery, eDiscovery and digital forensics, provides the fastest, most reliable and only certified secure data recovery and eDiscovery service in the industry. All of the company’s services meet security protocols for financial, legal, corporate and healthcare industries, and it is the only company that posts proof of its annual SOC 2 Type II audit and HIPAA data security and privacy compliance. DriveSavers adheres to U.S. government security protocols, the Gramm-Leach-Bliley Act (GLBA) Data Security Rule, the Data-at-Rest mandate (DAR) and the Sarbanes-Oxley Act (SOX). DriveSavers engineers are trained and certified in all leading encryption and forensic technologies and operate a Certified ISO Class 5 Cleanroom. Customers include: Bank of America, Google, Lucasfilm, NASA, Harvard University, St. Jude Children’s Research Hospital, U.S. Army and Sandia National Laboratories.

CTO Chris Bross Speaking at Enfuse 2016 May 23–26 Booth 223

Enfuse Conference 2016

CEIC is now Enfuse! This conference will take place May 23–26 in Las Vegas.

Enfuse is a three-day security and digital investigations conference where specialists, executives, and experts break new ground for the year ahead.

On Wednesday, May 25, Chris Bross, DriveSavers Chief Technology Officer, alongside Jeff Hedlesky, Forensic Evangelist-FBU at Guidance Software, will be speaking about solid-state drives and new challenges they pose to forensic practitioners. More information about their session below.

DriveSavers will be at booth #223. Stop by to speak with Chris Bross and to hear some fascinating stories about how our digital forensic service has aided legal and criminal investigations.

Learn more about Enfuse 2016.

SSD Forensics

Wednesday, May 25
4:30PM – 5:30PM
Intermediate | Lab

Description

Solid-state drive (SSD) storage is rapidly replacing traditional rotational media drives. Explore how technologies involved with SSDs pose new challenges to forensic practitioners, the inner workings of the newest classes of SSDs and best practices for extracting as much forensically sound information as possible. Updated and expanded for 2016.

Objective

Develop a better understanding of how forensic imaging of SSDs (and other flash memory devices) is both similar to and different from forensic best practices for traditional rotating media.

Prerequisite

Basic understanding of digital forensic concepts, including some experience with DF hardware and software.

Speakers

Jeff Hedlesky

Forensic Evangelist-FBU, Guidance Software

Jeff has been involved in the Technology Sector since 1983, and has worked in and around digital forensics since 2004. His role at GSI is ‘Forensic Evangelist’ for the Forensic Business Unit of Guidance Software. The FBU is responsible for EnCase® Forensic, EnCase® Portable and the Tableau line of digital forensic hardware products. Jeff’s focus is primarily on marketing and business development. He travels far and wide (recently to China, Japan, Mexico, Australia and New Zealand) to recruit and train Guidance authorized distributors and resellers, and to make joint calls on key customers. He also frequently visits the DC area to spend strategic time with our customer community within U.S. Federal agencies, listening as well as speaking.

Chris Bross

CTO, DriveSavers

Chris Bross is the Chief Technology Officer at DriveSavers data recovery. Since joining the DriveSavers engineering team in 1995, Bross has recovered data on all types of failed storage devices. Today, he manages the R&D team for emerging storage and solid-state devices, and guides the development of new tools and technologies for the forensic and data recovery labs.

WPBF: Special Report: Can information be retrieved from Austin's cellphone?

Originally published by ABC News affiliate WPBF 25 News.

Teens missing at sea since July 24

TEQUESTA, Fla. —The iPhone at the center of a missing persons investigation is now in the hands of Apple.

Tequesta teens Austin Stephanos and Perry Cohen disappeared during a fishing trip nine months ago.

Their boat was recovered off the coast of Bermuda in mid-March, along with Austin’s iPhone 6.

That phone is considered the only communication device that was on board the 19-foot SeaCraft when the boys vanished.

Both families agreed to send the iPhone to Apple on April 29, where it will be analyzed by experts.

Florida Fish and Wildlife officials describe the phone as “significantly and severely” deteriorated, and pictures show the phone damaged and waterlogged.

Is it possible to extract any information from this key piece of evidence? Experts say it’s possible.

Austin’s iPhone

Mike Cobb is the director of engineering at DriveSavers, a California company that specializes in extracting data from damaged phones.

“We had a capital murder case which was thrown into a river and the iPhone was recoverable by us after law enforcement was able to get that,” Cobb told WPBF 25 News anchor/reporter Sanika Dange.

Not only does DriveSavers work on criminal cases, the company is frequently referred to customers by Apple.

When we asked Cobb about the chances of recovering data from an iPhone that was once submerged in water, he responded, “Well one thing that we think of right away is was this phone submerged for the full eight months or was it in some sort of package or plastic?”


Cobb says that distinction could make all the difference.

Phones need to be restored to a semi-functional state to extract information. The good news is that once an engineer is able to access some information, all the information should be available, including text messages, photos, videos and GPS locations.

However, there is one major hurdle. Austin Stephanos’ cellphone had been in saltwater for eight months.

“When it goes into the water,” Cobb explained, “it’s going to be starting the corrosion process immediately.”

So what are the first steps when dealing with corrosion? You start by taking the iPhone apart and micro-cleaning certain key components.

Cobb showed WPBF an example of a waterlogged phone that had been dropped in saltwater. Corrosion can be seen on several areas.


The process of retrieving data may sound complicated, but former Apple CEO John Sculley told WPBF it can be done.

“There is precedent for devices that have been severely damaged to recover if not all its information, some information,” he said.

Sculley is close friends with Perry Cohen’s parents, Pam and Nick. Though he has never met the Stephanos family, he told WPBF he feels deeply for both families.

“I think it was important for them to find out as much as they can of the last moments of Perry’s life and bring conclusion to this tragic situation,” he said.

There’s no timeline on how long Austin Stephanos and Perry Cohen’s families may have to wait. Cobb says the process of extracting data from phones can be anywhere from a few hours to a few days.

Read more: http://www.wpbf.com/news/special-report-can-information-be-retrieved-from-austins-cellphone/39410134