Forensic Pattern Of Life Analysis
Pattern of life analysis isn’t a new concept to anyone who’s ever been involved with intelligence, in particular surveillance. It’s all about the habits that people — suspects, persons of interest, crime victims, or those connected to any of the above — carry out in day-to-day life.
When it comes to digital devices, how users interact with them can tell a very detailed story about any given timeframe. There are two reasons for doing this. One, as Brett Shavers outlined in a blog post last year, is to tie a particular device to a user — more of an issue for a computer or tablet than a smartphone.
The second reason is to show what’s normal, so that investigators can key in on what’s not normal. Those departures are a starting point for why a person did something differently on a given day. For example, in a 2019 Florida case, health data, time-stamped photos, call logs, and GPS coordinates extracted from an iPhone XR refuted two suspects’ alibis.
Corroborated with evidence from the suspects’ social media accounts, the iPhone data placed the suspects at the crime scene in the same timeframe the murder took place. This enabled police to lay second-degree murder charges against the pair.
In a forensic context, pattern of life analysis is coming more front and center as investigators realize how much data — battery usage; device connections to Bluetooth, wireless networks, and vehicles; data consumption; health information; and more — is available to plot a virtually minute-by-minute description of how a person spent a given day or even week.
The investigative value of this kind of information is profound — and so are its privacy implications. What do you need to know?
Analyzing patterns of life
In a SANS Institute webcast Sarah Edwards, senior digital forensics researcher at BlackBag Technologies and a SANS Senior Instructor specializing in Apple product forensics, described different kinds of data and how it might be useful to specifically criminal investigations, such as distracted driving incidents, harassment, drug overdoses, dumped bodies, and literal smoking guns, as well as evidence deletion or antiforensic measures such as adding a passcode after deleting evidence.
- Health data such as heart rate and steps or distance can show exercise patterns or suspect movements, as well as correlating weather and geolocation information at a given day and time. Edwards cautioned that sampling might include data from the Apple Watch and/or the phone’s pedometer.
- The RoutineD database tracks where a user is located at any given point in time, showing which places a user visits often. These can be mapped and are granular, but Edwards cautioned that the data is only fairly accurate — possibly enough to introduce reasonable doubt.
- The KnowledgeC database offers about 4 weeks’ worth of information about what apps have been used at any given point in time — even if they were deleted — and for how long. This data can be correlated to other databases, and media usage is tracked here too.
- Apple CarPlay-related data is also tracked, including steps walked through a garage or parking lot, vehicle connection, location and routine information, and even health data such as an increase in heart rate in heavy traffic.
- Wallet transactions through Apple Pay could be tracked, associating locations with transactions (though Edwards cautioned that transaction information isn’t specific). These can be more historical than other databases, tracking significant data points potentially over several years.
Pattern of life analysis can be useful for corporate investigations, too. For example, Edwards says, exfiltration of corporate data could involve a string of actions. “If I’m on their iOS device and I see that they took a picture with the camera, they saved the picture, they maybe uploaded it to Dropbox, [and] sent a message to a competing company over whatever secure chat messenger there might be… you’re putting that series of events together to tell a story,” she explains.
Problem solving with patterns of life
Link analysis is a concept some vendors including Oxygen Forensics, MSAB, and Cellebrite integrate in their tools. But the kind of pattern-of-life analysis Edwards researches extends far beyond communications and contacts, to device usage — effectively extending the concept outside of smartphones, to include the Internet of Things: connected vehicles, smart homes, and personal health devices among others.
“I see pattern of life analysis as a logical extension of [timeline creation and analysis in] digital forensics,” says Alexis Brignoni, a digital forensics researcher and blogger. Mobile device-specific artifacts, he adds, “… can tell investigators about intent and purpose, the truthfulness of an alibi, or a clear understanding on what happened and when.”
Brignoni is quick to point out that pattern of life analysis can be used to exonerate as well as to incriminate. “It is impossible to commit assault when the accused is hundreds of miles away at the day and time of the alleged event,” he explains.
On the technical side, Edwards’ research began as a way to tell a case story through analyzing many databases at one time. Analyzing only one database at a time, she explained, means the investigation can lose context, missing important connections.
“I was spending too much time querying 20-something databases [with] a million-plus different records…. That is too much for any single person to go through, you’re not going to be scrolling through [it],” she says.
In contrast, combining the records — the actions the user took —“… can really tell a story about how the user uses their device,” Edwards says. “You can look at third-party apps all day long, but how does the user use that app? Are they using it once [or] are they using it consistently?… Just getting that context can bring a lot into different investigations.”
It also doesn’t limit investigations only to communications or links between people. What people do when they aren’t in touch with others can have enormous investigative value. “If they’re using an application all the time and then all of a sudden they stop… that anomaly is not part of their pattern anymore, so that would be perhaps significant to an investigation,” says Edwards.
Brignoni agrees. “[A] murder victim’s work from home pattern of activity on a computer can be key since a lack or stop of expected digital activity might be indicative of a possible time of death,” he says. The absence of data in general, whether consistent or inconsistent demonstrating periods when the device isn’t being used at all, can be more broadly important.
Answering those questions is what determines the usefulness of a particular database or databases to a given case. “It’s figuring out… what pieces of data can help move [your investigation] forward, what questions do you need to answer,” says Edwards.
For example, locations could be recorded in different databases, but not all for the same time period. A database might also only store some locations, but not all; or the location itself might not be precise. Edwards also cautioned that Apple’s algorithm, which runs to determine what events are significant, could fragment data further across different databases.
To help with all of these issues, Edwards developed the Apple Pattern of Life Lazy Outputter (APOLLO), to access the most useful queries, which Edwards says is a matter of what the investigator needs to answer their questions — even if seemingly trivial, like whether the flashlight was used, or the device was plugged in.
Examiners can further filter down by time, app, or scenario. This is important because of the millions of records. “You’re going to be pivoting off some piece of data: a contact, an application, a moment in time,” Edwards says.
As a SQLite utility, APOLLO isn’t meant just for iOS. It’s also possible to run Android or Microsoft databases through it, as long as they’re written in SQL and you can write query for it. Edwards built it this way to make it easy to contribute to, and in fact, APOLLO ingests and normalizes Android XML UsageStats data, along with additional artifacts, from Brignoni’s Android Review Timeline Events Modular Integrated Solution (ARTEMIS).
Although APOLLO isn’t “pretty” and doesn’t offer visualizations, it’s available as a BlackLight plug-in, which makes it easier to look through columns and records. The plugin can be reloaded into BlackLight with each update, without having to download a new version of BlackLight.
Technical and legal issues to watch out for
On the technical side, Edwards’ SANS webcast outlined the problems she encountered:
- Getting to the data. The kinds of data needed for a solid pattern of life analysis requires a specific type of data extraction — not an iTunes backup, which offers only limited data such as a health database, sysdiagnose dump, and powerlog information — but rather, extractions available from third-party labs, GrayKey, or jailbreaks, including the recent Checkra1n exploit available in forensic tools.
- Data correlation. A full file system extraction from an iOS system results in data from so many databases, correlating them all can take time — as can researching each database to learn how to interpret the data within them. In addition, says Brignoni, when a key database is missing, “[H]aving additional sources of data that mirror UsageStats becomes key.”
- Analysis time. The databases, said Edwards, are “consistently inconsistent; you never know what you’re going to get.” For example, depending on the database:
- Timestamps could be offered in Unix, Mac, or epoch format, or offset.
- Most databases are temporal, enabling the examiner to sort their records by time. Others, like the aggregate dictionary, aren’t temporal, but contain valuable data nonetheless — for example, how many times touch ID was used on the device.
- Units of measurement are sometimes documented, but sometimes not. In these cases, rather than guess, Edwards stresses the importance of research and testing.
- 1’s and 0’s don’t necessarily mean “on” or “off” respectively; Edwards said sometimes she’s even seen a data value of 2 on occasion!
- Usage stats don’t track content, so for example, the KnowledgeC database will show “intent and activities” such as composing a message, but not what its content was. For that, an examiner would have to go into the artifacts for the specific app.
Moreover, said Edwards, database schemas change every year, which changes queries as a result. That’s a problem vendors have, too, but open-source tools like APOLLO and ARTEMIS have the chance to be updated much more rapidly with community support.
Most of all, both Edwards and Brignoni stress the need to test database information because some information might be misleading. In his KnowledgeC blog post from October 2019, Mike Williamson highlighted how this could be the case with “Now Playing” media as an example.
Tool testing and validation takes time, of course, and the processes are likely to differ between criminal and corporate forensic labs. But Brignoni offers two solutions.
First, he says, “Having a dedicated testing program can speed up validation where the individual examiner tasked with a case can then dedicate her validation efforts to only the most critical parts of the digital examination process and artifacts at hand.
“Another way of speeding the artifact testing process is to use multiple tools to both validate and deepen analysis,” he adds. “The purpose again being the narrowing of manual verification by the examiner to those key artifacts in the investigation.”
On the legal side, Brignoni calls out pattern of life artifacts’ inherent intrusiveness. “How wide or narrow the artifact collection window will be depends on a combination of legal authority and investigative needs,” he says.
Even then, where legal authority lands could be in question. Following a 2012 case, United States v. Jones, 565 U.S. 400 (2012), and later, as Carpenter v. United States, 585 U.S. (2018) made its way through the courts, legal experts debated whether a search of the “mosaic” of personal data could require a search warrant of its own.
The crux of that argument was the fact that even within a limited timeframe, police can’t differentiate between the activities they’re investigating, and constitutionally protected activities such as attending church.
Matthew Osteen, General Counsel and Cyber and Economic Crime Attorney for the National White Collar Crime Center (NW3C), says Carpenter embraces data aggregation — but only for a single type of data. At the heart of the issue, he adds, is “third-party doctrine,” or the notion that users give up certain privacy rights when they use a third-party service, like a utility company.
That’s why U.S. law enforcement historically hasn’t needed to get a search warrant for phone records, for instance — only a court order or subpoena, depending on the level of information they need.
Carpenter, says Osteen, “is being treated as a categorical exception to the third-party doctrine” because of the degree of pattern-of-life data that cell towers can offer. Many federal, state, and local agencies in the U.S. advise investigators to obtain a search warrant for all CSLI, even if the aggregated data falls below the seven-day threshold defined in Carpenter.
When it comes to aggregating multiple data sources, Osteen says, “It may be that courts will look at all types of data collected in totality as a single collection or it might view each type of data collected as distinct collections.”
Either way, the data collection time period makes a difference. One hour of heart rate and location information data — treated as distinct collections — might not be enough for an exemption from third-party doctrine, but a week’s worth of the same data likely would be.
On the other hand, a court looking at one hour’s worth of aggregated heart rate and location information might conclude that “mosaic” is a violation of privacy. “At this juncture it’s hard to say how a court would view that data,” says Osteen, “especially when some types of data, i.e. health data, is more voluntarily turned over to service providers than [CSLI or] other types.”
These issues highlight the importance of talking regularly with prosecutors in your jurisdiction, not only around geolocation information, but also around the degree of information you’re working with.
For more detailed technical information about APOLLO and its artifacts, Edwards’ mac4n6 blog lists the entire series of her initial research. You can also listen to her archived SANS webcast or her on-demand BlackBag webinar on the topic.
ChatGPT Powered Malware Bypasses EDR
In research by Jeff Sims at HYAS, he creates “Blackmamba,” an “AI synthesize polymorphic keylogger” that uses python to modify its program randomly. The basic components of this polymorphic keylogger require a LLM, large language model like ChatGPT. The malicious...
Comparing vulnerability assessment with MITRE ATT&CK based gap analysis
Mar 20, 2023 | blog
The title of this blog post may not be entirely correct, as it is difficult to compare vulnerability assessment with MITRE ATT&CK based gap assessment in objective measures. However, this post aims to evangelize the joint raison d'être of vulnerability assessment...
Windows zero-day & Outlook zero-day resolved
Mar 17, 2023 | blog
The company corrects actively exploited vulnerabilities that affected Microsoft Outlook and the Windows OS in this month's batch of security updates. Microsoft plugged two zero-days, one affecting Windows systems and another in Microsoft Outlook, for March...