Interview with Luca Cadonici: computer and mobile forensics towards a proactive approach against cybercrime

Olivia Terragni : 11 November 2024 20:21

Nowadays, the Digital Forensics is not just a weapon to fight crime but a scientific discipline that “is no longer limited to reactive post-incident analysis but has evolved towards a proactive approach, aimed at prevention and threat intelligence”. Specifically, Mobile Forensics, commonly used to recover evidence in connection with a criminal investigation, today is applied to any type of crime, thanks also to the fact that digital technologies play an increasingly important role in our lives. 

Mobile Forensics investigations range from traditional crimes “in which the IT aspect is a continuation of the crime itself” to “fraud, cyberstalking, sextortion, but also murder, drug trafficking, theft and sexual violence”. However, investigators do not limit themselves to extracting and analysing data, but many of them are constantly engaged in identifying new vulnerabilities – a stimulus for manufacturers to strengthen security – and developing effective solutions to acquire data. Among them Luca Cadonici, who for his investigations has developed specific solutions to respond to particular needs.

His work has led, among other things, to a Python script presented at the SANS DFIR Summit & Training 2023, designed to recover information on deleted WhatsApp chats on iOS devices.

We interviewed him and among the many questions we analysed the state of Digital and Mobile Forensics, including cryptography, case studies, advanced mobile forensics and much more. We talked about cryptophones, the Encrochat and Cellebrite cases, the extraction of Mobile data from the Cloud, artificial intelligence and automation, which offer “decisive support in cases that require the management of huge amounts of data, such as in large-scale investigations involving companies or multinationals”. Finally, we asked Luca how to secure our smartphones and he gave us excellent advice.

Luca Cadonici, Member of ONIF – National Observatory for Computer Forensics, is a Computer and Mobile Forensics Consultant with over ten years of experience in supporting the Italian Police and Judicial Authorities, which he combines with intense training activities in Italy and abroad. Lecturer in Mobile Forensics at the University of Perugia and the ISF Corporate College in Italy, he is Programme Leader of the Master in Cyber ​​Security, Digital Forensics and Crime Analysis at the European Forensic Institute (Malta).

In 2024, he is an international Senior Non-Key Expert for the collection and management of digital evidence at the Special Investigation Service (SIS) in Tbilisi, within the European Union project “Support to External Security Sector Oversight in Georgia.” He collaborates with the magazine L’Europeista, where he deals with Cyber ​​Security and sector regulations.

Luca Cadonici, the evolution of Mobile Forensics: challenges and increasingly advanced investigative strategies

1 – O: Hi Luca and thank you for taking the time to discuss your experience in this interview.. First of all, I would like you to explain what the role of a digital forensics expert is and the importance of this figure in the fight against crime and above all why it must be based on solid scientific methods.

LUCA: Hi Olivia, thank you for the invitation and for the opportunity to talk about a topic that is very close to my heart. It’s really a pleasure! 

The Italian Code of Criminal Procedure has already allowed the possibility of appointing auxiliaries who are experts in various fields of knowledge to meet the needs of justice, well before information technology took on the central role it has today. In recent years, we have witnessed both an increase in cybercrime, as business moved from the physical to the virtual space, and an increase in the use of digital media, to the point that now every individual has several associated devices, not only a computer, but also a smartphone or multiple mobile devices.

This pervasive diffusion has generated a greater demand for expert consultants who, in compliance with the regulations, are able to acquire and preserve a digital evidence. This is where the figure of the Digital Forensic Consultant comes in, that is, an expert who operates according to the provisions of the Code of Criminal Procedure and who assists the Police and the Judicial Authority, especially in the delicate phase of preliminary investigations.

The importance of this role is constantly growing, as are the skills required, which is why today we are witnessing an increasingly refined specialisation, with internal subdivisions such as Digital Forensics, Multimedia Forensics, Network Forensics, Computer Forensics and Mobile Forensics. The latter discipline, in particular, is one of the most requested in the judicial field in Italy, given the privileged role of the smartphone in the personal and communicative life of each individual.

At the same time, organised crime has also evolved, often at a faster speed than the State, starting, for example, to use VoIP for less interceptable communications while there was still discussion about eliminating the fax. In recent years, fortunately, attempts have been made to fill this gap, investing in the training and technological equipment of the Police Force, but the work is still in progress.

A book that describes this dichotomy very well is Il grifone, written by Antimafia Prosecutor Nicola Gratteri and Nicola Nicaso. The griffon, a mythological figure with the dual nature of an ancient and majestic animal, well represents the nature of mafia associations: ancient in their rites and modern in technology. It is a reading that I highly recommend to anyone interested in the topic.

2 – O: Repeatability and unrepeatability: can you illustrate different scenarios in which it is possible to collect digital evidence from mobile devices, while maintaining their legal value intact?

LUCA: There is still much discussion in Italy about the repeatability and unrepeatability of investigations on mobile devices – regulated respectively by articles 359 and 360 of the Code of Criminal Procedure. I observe a lack of univocal and definitive guidelines on this matter, which is why, in my opinion, it would be desirable for a commission of jurists, supported by technicians, to draw a clear line on what is meant by unrepeatability in access to mobile devices. Unlike more traditional PCs, in fact, these devices inevitably undergo modifications, even minimal ones, during the analysis, due to the need to turn them on to proceed with forensic acquisition.

Juridical aspects aside, it’s important to consider that mobile devices are generally equipped with advanced security measures and are particularly sensitive in terms of protection. They are designed with systems such as full data encryption, application isolation and controls on running apps, often including mechanisms that limit or prevent direct access to data, a feature less common in traditional computers.

They are not designed to be acquired, rather, through encryption and controls on running apps, they do everything to prevent forensic tools from obtaining system privileges and acquiring a copy of the data. The Brick risk (total blocking of the device) or malfunctions are always present and must be carefully assessed. It is therefore essential to adopt forensic procedures and tools that minimise this risk.

That said, it should be noted that, unlike PCs or external storage media, the amount of data that can be acquired from mobile devices varies depending on numerous factors, including the unlocking capability of the acquisition tool, the security patches present on the device, the operating system version, the brand and model, as well as the date of production of the device.

3- O: Encryption: on the one hand it is highlighted how it is used to spread child pornography (CSAM) or for criminal operations, on the other hand how it protects private communications, financial operations or the collection of information and the protection of journalists’ sources. To bypass the problem in Europe, pre-crime operations (‘upload-moderation’ or ‘client-side scanning’) have been thought of: however, in an open letter, Signal CEO Meredith Whittaker, highlighted how client-side scanning would be dangerous and threatened to withdraw the app from the UK if the Online Safety Act banned encryption. The widespread use of encryption on mobile devices has created significant challenges for forensic investigations: can you talk about the current challenges in light of the encryption of social network messaging in particular and where the availability of this data is needed for law enforcement?

LUCA: The widespread use of encryption on mobile devices has posed significant challenges to forensic investigations, especially with the increasing adoption of end-to-end encryption in social media messaging services. This is a delicate issue, that requires a balance between the right to individual privacy and the need for law enforcement to access data for investigative purposes. This balance should be addressed at the policy level, with a continuous collaboration between service providers, law enforcement and forensic experts.

There have been some emblematic events in this regard in the past year: at the end of 2023, Meta made end-to-end encryption mandatory for all Messenger chats, following the WhatsApp model. In April 2024, Europol and the heads of police forces of the European Union nations launched a “call to action” to the European Union to urge action on these issues. Added to this is the case of Pavel Durov, CEO of Telegram, arrested and then forced to give up on the data to be provided in the event of a request by national judicial authorities.

I believe that the adoption of end-to-end encryption will continue to spread, not only for security reasons, but also to relieve providers like Meta from the burden of responding to requests for access to communications by judicial authorities around the world. Durov was in fact accused of not having provided the authorities with the data of Telegram groups and channels which, like ordinary chats (cloud chats) on the device, use the MTProto encryption protocol (not end-to-end and developed specifically by Telegram) while end-to-end encryption is supported only for “secret chats”.

Two main issues emerge: the encryption of physical memories of devices and the end-to-end encryption of communications. The first issue was the subject of heated debate in the Apple case VS FBI after the San Bernardino massacre, when Apple refused to unlock an iPhone 5c and insert a backdoor into its devices. The second concerns end-to-end encryption, which officially prevents providers from accessing content because they do not possess the private keys, which reside exclusively on the devices themselves.

This complex and multifaceted challenge for those working in the field of Digital Forensics must be seen as a stimulus towards continuous improvement. Advanced security measures not only protect criminals, but are essential to protect citizens from criminal activities, defending personal data from possible abuse.

Then there is an important political issue: we live in a democratic part of the world and we are lucky. In other contexts, encryption of communications and devices, as well as the use of VPNs, represents an essential tool for protecting those who do not enjoy the same freedoms as us. It is therefore essential that these security measures can be guaranteed.

4 – O: Social Networks: a research has highlighted how a significant amount of data from social network apps (including Instagram) has been successfully extracted from the internal memory of the smartphone examined in compliance with NIST standards with tools such as Magnet AXIOM, XRY and Autopsy. However, extracting and identifying useful information can be complex to identify relevant information and focus on what really matters.

Can you explain what are the relevant elements for the purposes of an investigation?

LUCA: It depends a lot on the type of investigation. Analysis of PCs or servers is often oriented towards real cyber crimes, such as data exfiltration, ransomware, or system compromise. In these cases, in-depth knowledge of operating system mechanisms, such as ShellBags, the Windows Registry, the properties of the NTFS file system, and equivalents for other systems such as Linux and macOS, is essential.

In the case of mobile devices, however, investigations mostly concern traditional crimes, in which the device may have played a role or contain useful traces. Conversations on messaging apps, such as WhatsApp, and multimedia files, especially those in the device’s gallery, are among the most requested data. For crimes related to drug trafficking, for example, messaging applications considered “safer,” such as Signal, Session, WickrMe or Telegram, often play a central role.

There are, however, specific cases in which it is necessary to establish the use of the device at a specific time, such as in investigations for homicide, suicide, death by overdose or road homicide. In other cases, it may be essential to verify if the camera was activated at a certain time, a thorough and detailed analysis is essential, which involves manually querying log files and internal databases, using specific search terms and targeted queries.

5 – O: In an investigation, which scenario do images, videos and voice recordings occupy, what relationships can be obtained for the purposes of an investigation – that is, the collection of evidence from a network of individuals – and how is their authenticity and integrity determined in the forensic field?

LUCA: Determining the authenticity and integrity of images, videos and voice recordings is one of the most delicate challenges in the forensic field. Authenticity depends primarily on the ways in which the data is acquired. It is essential that the acquisition is performed by a digital forensics specialist, using tools and procedures that guarantee the collection of data in an unmodified manner, without alterations or contamination. Validation of the integrity of the acquired data is carried out by calculating hash values ​​(such as MD5, SHA1, SHA256), which allow the data to be “crystallized” in their original form and subsequently compared to verify any changes.

However, with the emergence of technologies such as Deep Fakes, which allow the manipulation of images, videos and audio in an extremely convincing way, the authenticity of these materials has become even more difficult to guarantee. The forensic and developer community are working to develop solutions capable of detecting and verifying the authenticity of photos, videos and recordings, identifying any possible manipulations. Despite these difficulties, the forensic acquisition of a device, which also includes the associated metadata, provides a context that helps establish the veracity of the data and correlate the content with the time and place in which it was created, thus making an important contribution to shed light during the investigative phase.

6 – O: To which cases – and sectors – does mobile forensics apply and if you want, could you tell us a case study that led you to the discovery of other methods to apply in your investigations? 

LUCA: Mobile Forensics applies across any type of crime, since today any criminal sector can include the use of mobile devices. However, in most cases, these are “traditional” crimes, in which the cyber aspect is a continuation of the crime itself: fraud, cyberstalking, sextortion, but also murder, drug trafficking, theft and sexual violence.

Ho creato una query SQLite personalizzata per analizzare un database specifico di iOS che evidenziava l’attivazione della fotocamera nel periodo di interesse, fornendo una prova concreta della possibile creazione di un video nel periodo di interesse.

In some investigations, I have developed specific solutions to meet particular needs. As an example, in a case of alleged sexual violence, it was necessary to prove that a video had been recorded with the camera at a specific time of night and then deleted. I created a custom SQLite query to analyse a specific iOS database that highlighted the activation of the camera during the period of interest, providing concrete evidence of the possible creation of a video in the period of interest. 

In another drug-related case, I explored iOS databases and discovered where iCloud keeps a record of WhatsApp messages containing media files intended for deletion. This discovery led to a Python script that I presented at the SANS DFIR Summit & Training 2023, designed to recover information about deleted WhatsApp chats on iOS devices.

7 – O: Let’s go back to cryptography and specifically to the Encrochat case, a company that provided modified and encrypted mobile phones that were often used by criminals and believed to be unhackable: however, either a leak or the French police, that was able to install a Trojan software on the terminal devices – via a simulated update – made it possible to read the chat messages of thousands of users in real time. In some cases, these cryptophones – protected from Man In The Middle attacks – would have as an essential feature a wiping function and a server infrastructure located in “offshore” countries, such as Costa Rica.

Can cryptophones be “violated”? And what useful information can be obtained in this case? 

LUCA: Cryptophones can only be hacked with extreme difficulty, and usually not in a timely manner for investigation, unless the access password is obtained. 

From personal experience, these devices, which can be based on Android, iOS or more secure systems such as GrapheneOS, are quite common in the drug courier sector. GrapheneOS, in particular, is an open-source operating system based on Android, specifically designed to ensure high levels of security and privacy. It offers advanced protection and control functions, which make the device extremely resistant to unauthorised access attempts.

It is increasingly common to find couriers – i.e. people who are not professional criminals but are paid to transport drugs – with a double set of smartphones: their personal one and a second device with advanced security measures, called a cryptophone, which can have both software and hardware protections.

These devices are particularly difficult to unlock, even with the use of the most advanced tools available. If, however, you manage to obtain the password, it is essential to immediately put the device in offline mode, isolating it from cellular and Internet connections, and film the contents as quickly as possible. This procedure is indispensable, since one often comes across devices modified to automatically delete data in the event of unauthorised USB connection attempts or after a certain period of time. The same applies to the messages contained, which, depending on the application used, can be programmed to automatically delete after a predetermined period.

8 – O: Mobile and Cloud: what are the opportunities to extract useful information, to track events – and their history – and thus preserve evidence against crimes through the cloud? Are there difficulties in tracking where useful data is physically located and what is the impact on the workload? 

LUCA: I consider the Cloud as a natural extension of Mobile Forensics, as the cloud – especially for iOS – is an ecosystem where the mobile device is tightly integrated with the accounts and data associated with them. Once the device is unlocked, it is relatively easy to get the related cloud data, using the right software solutions.

The collaboration of the various providers, however, varies greatly. It depends both on the policies of the provider – with examples such as Telegram, which until 2024 maintained a strict confidentiality line – and on the type of encryption implemented. If end-to-end encryption is used, the provider is not technically able to provide the data, since, at least officially, it does not have the decryption keys.

Each service provider still has a dedicated portal that law enforcement can access to request information, along with a list of “communicable” data that varies depending on the provider. An interesting aspect is the possibility, introduced by the GDPR, to request a backup of one’s personal data, which can be used in a forensic context without having to access the law enforcement portal. An example is Google Takeout, which allows you to obtain information about your connections or your geolocation at a given moment.

Access to the cloud therefore offers the opportunity to extract useful information and reconstruct histories of events with greater precision, but it also presents challenges. The physical location of the data is not always clear, as servers can be distributed across different jurisdictions, which complicates the time and methods of access. Furthermore, the process can significantly increase the workload, requiring cross-checks and in-depth analysis to ensure that the data collected is usable and valid for the purposes of the investigation.

9 – O: The Cellebrite leak (2023) – and the leak of its Swedish competitor MSAB, seems to have highlighted that access to several types of blocked smartphones – specifically some iPhone models on the market since April 2024 – was still ‘In Research’. However, access to information on any device is only a matter of time, because if criminals exploit the ubiquity of mobile devices, on the other hand forensic investigators research, identify and develop new opportunities for increasingly efficient technologies.

What are the possibilities of data acquisition from blocked devices and how does Mobile Forensics work in terms of research and development?

LUCA: The ability to acquire data from locked devices depends on many factors, such as the brand, model, security patches, operating system version and hardware components. In particular, for Android, the type of chipset can drastically influence the unlocking options, as different chips require specific approaches.

Companies that operate in Mobile Forensics, not only those mentioned but also Compelson to stay in Europe, have robust research and development teams made up of experts and developers. These teams are constantly working to identify new vulnerabilities in mobile devices and to develop effective solutions for data acquisition. This continuous search for unlocking solutions, on the one hand, opens up new possibilities for forensic acquisition and, on the other, represents an incentive for manufacturers to continuously strengthen security measures. In this way, the evolution of Mobile Forensics also contributes to improving the overall level of protection of mobile devices, raising security standards for the benefit of all users.

10 – O: Advanced Mobile Forensics: to address the various challenges in the field – technical, legal and ethical – more and more advanced technical capabilities and resources are needed, to detect, decode, decipher and correctly interpret the evidence recovered from mobile devices.

Can you tell us, as a technician, the current state of mobile forensics, what are the most complex and significant challenges, the advanced techniques to address them and can you also anticipate something about the future and the fundamental directions of research? 

LUCA: The main issues concern three key areas: the ability to unlock devices, the complete acquisition of content (so-called physical acquisition or Full File System), and the ability to analyse the growing number of applications. The quality of reporting is another area of ​​great interest, as it represents the way in which the collected data is interpreted and presented for use in the investigations. 

The introduction of Artificial Intelligence is one of the most interesting directions. In the field of Mobile Forensics, AI is already used for the analysis and automatic recognition of photos and videos associated with CSAM, weapons and violence content. Recently, voice recognition has also been introduced for the transcription of audio files, a feature that saves precious time and makes investigations more efficient.

Furthermore, it is expected that developers will increasingly focus on the possibilities of cloud acquisition, which is now a fundamental extension of Mobile Forensics, and on devices less common than classic smartphones and tablets, such as smartwatches. Smartwatches, in particular, are already proving their usefulness, as they allow for the acquisition of vital signs and the reconstruction of essential details, such as the time of death or signs of sudden illness. As connected devices become more widespread, from IoT devices to wearables, this trend will continue to grow, expanding the areas of digital forensics.

11 – O:  Can AI tools  – that analyse massive data sets – and automation help forensic analysts speed up investigations and improve the quality of data produced? 

LUCA: Absolutely. The use of artificial intelligence and automation offers decisive support to forensic analysts, especially in cases that require the management of huge amounts of data, such as large-scale investigations involving companies or multinationals.

In Mobile Forensics, AI has been used for years to recognize specific elements within multimedia files. Among its main applications we find facial recognition, which allows to quickly filter large amounts of images to identify subjects with specific characteristics (such as gender, presence of glasses, ethnicity, and other distinctive characteristics). This technology greatly facilitates the analysis, allowing investigators to focus on the elements most relevant to the investigation and reducing the time needed to manually examine the visual material.

12 – O: The digital forensics has become more dynamic by becoming predictive, that is, moving from reactive post-incident analysis to proactive crime prevention and strategic threat intelligence. How do you comment on this statement? 

LUCA: Here we go a bit beyond Mobile, entering in the Cyber ​​Threat Intelligence realm. The statement is absolutely correct and reflects a fundamental trend in digital forensics, which is no longer limited to reactive post-incident analysis but has evolved towards a proactive approach, aimed at prevention and threat intelligence. This change represents a natural evolution of the discipline, especially in relation to Cyber ​​Threat Intelligence, which is one of the most advanced and dynamic areas in cyber security.

13 – O: I have to ask you: how did you develop an interest in digital forensics, when exactly did it start and why, and how many devices did you open and study to improve your skills? 

LUCA: I have always liked the idea of ​​putting my skills and qualities at the service of the community, especially in support of law enforcement. After university, I took a European course in network security, and from there my journey in this sector began. 

14 – O: What does the word hacker mean to you?

LUCA: “Pioneer” in its original meaning. From the hacker world was born everything that today we define as Information Security. Even if the first hackers I met were, for those who remember, those of the legendary X-Files. 

15 – O: How important is it to understand emerging trends and threats in the mobile space or to have knowledge of the hardware and software parts of the devices? 

LUCA: In Mobile Forensics, constant updating is essential: an operating system update, a change to an app, the introduction of a security patch or an update of the acquisition software are enough to radically change the possibilities of acquisition and analysis. For this reason, it is essential to stay informed through your own network of colleagues, following specialised blogs, LinkedIn, newsletters and participating in webinars from manufacturers. 

16 – O: A question that everyone asks – even the most expert technicians – is: “is my cell phone spied on or hacked?” Can you give some answers to help identify the problem or advice to protect the data on the devices?

LUCA: The problem exists, but in my experience, it is mostly a matter of suggestion. Unless you are a high-profile target (such as a politician or a corporate executive), it is very rare that anyone will be willing to invest in remote spying software, given the complexity and cost of such operations. It is more likely that a cohabitant or someone with physical access to the device could disable the security options and install spy apps on the phone.

If you are suspicious, it is advisable to consult an expert, who may suggest a thorough analysis of the device. However, this procedure can be expensive and sometimes more expensive than the value of the phone itself; in these cases, it may be better to simply format the device. Another important consideration is to distinguish between the risk of spying through the device itself, which is usually well protected, and that through your accounts. Accounts such as iCloud, Google or Facebook can provide a lot of information to an attacker if compromised. Analysis of social media (comments, posts, photos and stories) can also reveal much more sensitive details than you might normally imagine. Through this information, a potential attacker can track habits, contacts, places visited and even private moments, creating a detailed profile of the person.

Practical tips for protecting your data are essentially common to all cyber security and include:

• Use a password manager to generate and store unique and complex passwords for each account.
• Activate, where possible, two-factor authentication (2FA) to add an extra layer of security.
• Avoid the unlock pattern on your smartphone and prefer complex PINs or passwords, paying attention to shoulder surfing, or the risk that someone can observe your unlock credentials.
• Avoid writing down passwords on unsafe media and keep them away from easily accessible places.
• Regularly check your privacy settings on social media and limit the personal information that is publicly visible.
• Constantly update software and applications to benefit from the latest security patches and vulnerability fixes.

Adopting these practices reduces the risk of unauthorised access and effectively protects your data on both mobile devices and online accounts.