In late 2016, South Korea was rocked by one of the biggest political corruption scandals in its history, which eventually led to former President Park Geun-hye being impeached and jailed.
A special prosecutor was elected to proceed with the slew of bribery charges. By law, investigators only had 60 days to investigate and prosecute. They had confiscated over 300 smartphones as evidence -- with more in the form of notebooks and desktops -- from suspects and needed to analyse tens of thousands of phone records and chat messages under a tight deadline. A single piece of evidence from any one of them could have been the smoking gun needed for a successful indictment.
The prosecutors called on Hancom GMD, South Korea's largest digital forensic firm, to analyse the smartphones, and the company sent five of its top experts. The team successfully analysed all of the data in the 300 smartphones; not only that, among the data extracted was crucial evidence that helped the prosecutors successfully indict and jail some of the country's most powerful politicians.
"It was a special case not just because of the national attention it received but the deadline," said Jessy Jun, managing director and team leader of Hancom GMD's forensic business. "You need a team that can recover and analyse data from multiple devices simultaneously and correctly."
SMARTPHONE: THE RISE OF DIGITAL FORENSICS
To say smartphones have changed the digital forensic landscape is an understatement. The device has become the core of every criminal investigation and helped propel digital forensics as a serious, scientific investigation tool.
"Today, mobile forensics accounts for over 80 percent of the total digital forensics that global investigators are performing," said Jun.
A single smartphone contains contacts, memos, call records, text messages, instant messages, pictures, videos, and GPS data of a person. An investigator's dream it seems, but not quite. Smartphones have strengthened in security over the years to include data encryption and biometric authentication. People also change their phones, on average, every two years and there are constant updates to apps and operating systems.
"You need to keep up with the pace of changes in the smartphone to analyse their data correctly," said the managing director.
"For instance, in criminal cases, a lot of the time, you have to find a suspect's old phone and decipher that data to fully understand the context of the data found in his or her more recent phone. And most data is incomplete by itself, so you need to contextualise it with other data you have collected," he said.
"As a digital forensic team, you need a wealth of experience and a lot of registered devices on your database to fully extract data."
The myriad of data types in smartphones has also made digital forensics challenging -- images need to be converted to text, and vice versa. New techniques have also been developed to recover data without damaging the integrity of smartphones.
The company's MD-Live program performs "screen mirroring" to extract data from a simulacrum device. This is important as smartphones are evidence that needs to be preserved by investigators. Drowned phones are the company's staple: the company can extract the damaged hardware, clean it, move the data to its own storage, and restore it.
Hancom GMD has been assisting South Korean investigators since 2005 and has been involved in some 130 major cases locally and globally. One of them involved extracting data from a Samsung phone owned by a suspected terrorist. Another was a notorious case in 2016 in which a newborn baby died; Hancom GMD extracted data from the phones of the hospital staff, which proved that the doctor who claimed to have overseen the birth was not present and instead had unqualified nurses oversee the procedure.
"We now have over 15,000 registered smartphones and tablets by different manufacturers; we have over 900 apps," said Jun.
IOT AND 5G: THE EXPLOSION OF DIGITAL EVIDENCE
5G is expected to be commercialised early this year. This will be a further catalyst for growth in digital evidence. Already, data is being saved through smart home services such as home security and pet monitoring. Drones and autonomous vehicles are producing new video data each day. CCTVs, DVRs, and black boxes in cars among other Internet of Things (IoT) devices are increasingly becoming more sophisticated.
There will be an explosion of data, and digital forensics is evolving further to meet that demand, says Jun.
"Videos are becoming increasingly high resolution and there are a variety of codecs being developed and used. In CCTVs, each manufacturer uses a different media format to save data. The time it takes to recover and analyze data is increasing; there is a demand for recovery algorithms backed by high-performance hardware," the managing director said.
"For investigators, they now have to consider every peripheral device besides the smartphones for evidence. This is a challenge; but it is also a great opportunity."
Data saved on IoT devices is also stored via gateways on the cloud; this data is in turn viewed again by consumers usually through their mobile devices.
"Any one of these data intersections can be the subject of forensics; the more routes data takes, the higher the possibility to recover that data," Jun added.
Hancom GMD is planning to launch a service that recovers data from the cloud, though privacy regulations in each country are expected to be a challenge to overcome.
"Already we are saving navigation data, driving history, and various data from services that link the car to smartphones. Now we will have sensor data and video data around the cars as well. Autonomous cars will be a centerpiece for digital forensics that will help solve a lot of crimes," said Jun.
Drones are also of increased interest in digital forensics; Hancom GMD has hosted classes for investigators that explain its techniques to find shot-down drones by analysing wind velocity and their course. It already has 10 drones, including those made by DJI, in its database.
AI, BIG DATA ANALYTICS
The explosion of digital evidence through the rise of 5G and IoT presents another problem, which is how to analyse the immense amount of accumulated data.
"The smartphone forensic market will continue to rise. Drones, vehicles and other IoT devices will further increase uptake for digital. In other words, there is just too much data and too little time for investigators," the managing director said.
"And more and more big data analytics that sort all this data out will be accepted as a scientific investigative method used by investigators."
Keyword search is obviously available already for texts, but more analytics tools are expected to be developed for video.
"We are adding detection summary for our video recovery programs. Next will be adding object detection such as face and car plate numbers: users will input, in text, the name of the object and the program will search for the correct target among the available data," he said.
Hancom GMD already offers visual guides, such as "relationship graphs", for investigators to put crimes into context. By analysing the complete set of available data involved in a crime, the company can draw a map that shows the relationship, type, and amount of data exchanges between the suspects involved.
"We are already present in 10 countries globally and will meet this growing uptake for digital forensics to expand to 30 countries within three years," said Jun. "Mobile forensics will just get bigger and bigger."