Full Access by Grayshift Grayshift

Digital Forensics is about finding the truth. Something that isn’t discussed often is how sometimes the evidence doesn’t add up, and people are exonerated. Data either exists or doesn't exist. Or, data existed at one point and doesn’t exist now. Very rarely can something happen outside of those facts. What digital forensics can prove or disprove is crucial to the truth.
E-discovery is a collaborative effort with multiple parties involved. Various stakeholders have a role to play in the whole process. People working in digital forensics need to be able to explain some of the technical terminologies in layperson’s terms so that everyone can understand why an artifact is presenting itself a certain way or why something exists or doesn’t exist on a device.
[00:46] Profile of this episode’s Guest: Teagan Kavanaugh - Digital Forensic Examiner for TransPerfect Legal Solutions
Teagan decided to pursue a career in criminal justice/law enforcement in college.
During his senior year at Colorado State University, he interned with the Longmont Police Department, which jumpstarted his law enforcement career.
Teagan had always been interested in tech, building his own PCs since he was a teenager. He didn’t realize how much that experience could apply to his law enforcement career until it was needed.
He utilized some of the many free resources available for law enforcement, such as a network investigations class where he learned to do router interrogations, break down IP addresses, and find hidden networks.
[06:26] Teagan’s role at TransPerfect Legal Solutions
As Digital Forensic Examiner, Teagan works in the forensic technology and consulting branch of the legal solutions side of the company.
The forensics division is a small part of the overarching e-discovery branch.
In e-discovery, Teagan’s job is primarily data preservation and collection from various digital data sources.
[07:42] Digital forensics in the private sector vs. law enforcement
Teagan’s first job outside law enforcement was with a smaller, forensics vendor, Defense Forensic, where he worked with other former law enforcement.
He then had an opportunity to work with TransPerfect Legal Solutions(TLS), and that seemed like the next logical move for his career.
 TLS has a good mix of both law enforcement and not. Some of the team is former law enforcement, while some went to school for digital forensics and went directly into a corporate job after school.
Digital forensics in the private sector works almost exclusively based on consent rather than seizing a phone and writing search warrants.
When dealing with hardware, both sectors use the same tools and analyze artifacts in the same way.
[13:48] Overcoming instances where someone isn’t willing to provide information
Trying to get a device away from somebody for longer than an hour is challenging, especially without knowing how long the process will take. 
Large-scale preservation or collection matters involve over 100 devices. Coordinating time windows for each person to come in to image their devices requires a lot of logistics.
Having forensics involved from the beginning of the process helps obtain the correct information to set accurate expectations later.
The project is set up for failure if expectations aren’t managed upfront. Managing expectations is vital to getting the job done efficiently.
[20:17] The biggest challenges facing technology-related investigations
With multiple parties involved, explaining some technical terminology in layperson’s terms is critical to understanding.
Many people have multiple phones nowadays. Sometimes those are old phones, and sometimes they are work or personal phones, and any of those could fall under the scope of the investigation.
When someone buys a new device, they often transfer data from their old phone to the new one. Repeatedly doing that means more and more data must be processed.
[33:20] Advice for those starting in digital forensics and those

One of the biggest challenges in helping victims of human trafficking is reiterating the importance of a victim-centered approach. When law enforcement agents are new to human trafficking, they must remember that someone is not in a sex-trafficking position because they want to be. A lot of manipulation is behind the situation, along with prior trauma that may have led that individual to their awful situation. 
These cases differ from other investigations, such as drugs, guns, and gangs. They affect human lives, and these individuals will be the key to making the case. When working with these human trafficking cases, there needs to be an element of compassion while also being careful about removing biases.
[01:09] Profile of this episode’s guest: Alia El-Sawi - Victim Assistance Specialist at Homeland Security Investigations
Alia has been a Victim Assistance Specialist with Homeland Security Investigations since 2010.
Before her work with HSI, she served as the Anti-Human Trafficking Program Coordinator for a nonprofit organization called Tapestri.
She has received many awards and recognitions, including Georgia Trend’s “Top 40 Under 40” Georgians, Islamic Speakers Bureau of Atlanta’s “Top 40 under 40”, and the Immigration and Customs Enforcement Directors Award. 
[02:29] What is human trafficking?
While human trafficking and human smuggling can be related, they are different. Both may involve movement of some sort. However, smuggling generally is done with the goal of the person having a better quality of life. Human trafficking consists of an ulterior motive by the trafficker to exploit the individual.
With human trafficking, the individual may not understand or fully know they’re being brought somewhere for an exploitative purpose. They may have been promised a job, but that job ends up looking very different.
Labor trafficking is a form of human trafficking that uses force, fraud, or coercion to recruit individuals for some particular employment where the individuals end up in servitude.
Sex trafficking involves commercial sex, where an individual is forced into what some refer to as forced prostitution.

[11:25] Alia’s role at Tapestri and journey to Homeland Security Investigations
Alia started working in the anti-human trafficking field with Tapestri, a nonprofit, nongovernmental organization based in Atlanta, Georgia.
At Tapestri, Alia provided direct services for survivors of both labor trafficking and sex trafficking of juveniles and adults, specifically within the various immigrant and refugee communities.
Because of her work with Tapestri, Alia spent a lot of time building connections with local, state, and federal law enforcement. She referred case after case that agents could successfully present to the U.S. Attorney’s Office, which successfully prosecuted.
When the role of Victim Assistance Specialist opened in Atlanta, the supervisor and Assistant Special Agent in Charge approached Alia about the position.
[19:00] Services available to those who have been victims of human trafficking
Most of the time, Alia relies on the networks and resources she’s built over the years that continue with the nonprofit world, direct service providers, child advocacy centers, and expands into the medical realm.
Alia works with many medical professionals, such as behavioral health and substance abuse facilities. 
Many faith-based communities are willing and eager to help the efforts by providing volunteers.
Sometimes services look like anything from food banks to language access through English as a second language classes for an individual.
[26:35] Staying motivated in difficult cases
People ask Alia how she keeps from being depressed about such a heavy topic. She hangs on to the success stories because she knows people can escape their darkest days and walk into the light.
There was one case that followed Alia as she moved from Tapestri to HSI. She saw the young lady go through the process and get t

Our listeners want to know more about Grayshift, our mission, and the knowledgeable people who work here creating powerful digital forensics tools. Our guest today is Bernie Lampe, Vice President of Research at Grayshift, and we’re talking about all things Android. 
GrayKey has developed as a standout, game-changing leader in iOS access and extraction, but many people don’t realize that Grayshift also supports Android devices. So this episode is dedicated to talking about the Android capabilities related to GrayKey.
[01:53] Profile of this episode’s guest: Bernie Lampe, Vice President of Research - Grayshift
Has experience in both government and the private sector
Joined the Air Force in 1999
He has presented at conferences and universities, and his research has been published.
For the last several years, he has been working with government organizations on various projects, including remote sensing and vulnerability research
[10:54] When did Grayshift first release support for Android devices?
Bernie was hired in May 2020, and in January 2021, Grayshift released the S20
Android is meant to be more flexible than iOS. While iOS has a lineage version number, Android spider webs
Since the S20, Grayshift has focused on Samsung because the company is the biggest provider of vendor Android phones
Grayshift has also made its way into the Moto space
[17:16] How to find good vulnerability researchers
A good vulnerability researcher has to have reverse engineering skills.
Code auditing experience is essential.
Many people have the right things on their resumes, but they don’t necessarily have a practitioner's level of working knowledge.
The best people at this job are creative thinkers.
[24:29] Attack surfaces have become more complicated over time
A researcher has to invest a lot of time and effort into understanding a particular narrow problem set that is complicated.
While there is some crossover between Android and iOS, understanding each well requires individual focus.
Encryption schemes are constantly changing, and the work people did years ago is less relevant now.
Someone must be deeply invested in understanding what’s going on with one particular attack surface to devise techniques that no one else would know.
[35:23] Some of the biggest vulnerabilities in Android
Vendors have added various security and ad hoc security mechanisms that have been poorly implemented and have become sources of vulnerabilities themselves.
Android has a lag time between finding a bug and perfectly patching it because of infighting between different companies or the company itself.
One of the biggest problems with computer science in general in the software industry is that there are no standards.
[41:07] Strategies for learning new devices
The first step is finding the firmware and understanding the different pieces.
The next step is researching by trying to find any open-source documentation, looking at the data, and looking at other online information about how people have approached this technology.
One of the biggest challenges is knowing where to spend time in research. If a lot of information is available online, that route might not be a fertile attack surface because it has been vetted.
If you can ask a question that no one has asked before, then typically, asking the right question leads to an answer quickly.
[50:21] How long does it take to research and develop a solution for Grayshift to add a phone to its support matrix?
The timeframe can vary from months to years. While bugs are constantly found, the bugs aren’t necessarily usable.
Grayshift’s exploit engineering team has done an amazing job of building automated systems to port-forward bugs.
If some phones are similar, they might have bugs that are portable. Support for those phones might be almost immediate. Because of fragmentation, each phone is configured differently, so they won’t have the same bugs and won’t be supported as quickly.
The time between finding

The relationship between prosecutors and law enforcement is crucial to success. Nothing goes perfectly in a criminal trial; something crazy always happens. Trust is important so that whatever happens can be corrected in the run-up or during the trial itself. While law enforcement and prosecutors sometimes disagree, they are on the same team.
When a relationship is developed between prosecutors and local and federal agents, they feel like they can call on each other for advice. If an agent is on a scene or going to be involved in an arrest and something unusual happens, the agent can call a prosecutor and ask how that would impact the prosecution later. That collaboration is critical on so many levels.

After his tenure as a U.S. Army Ranger and Special Operator, Shannon Krieger was introduced to the field of Digital Forensics through the USSOCOM Warrior Care Program (Care Coalition). 
In this conversation with Shannon, we talk about the creation of the Human Exploitation Rescue Operation (HERO) Child-Rescue Corps Program, how Shannon became involved in combating child exploitation, and his experience during the last nine years as a Computer Forensic Analyst.

What do you do when a phone is damaged and you can’t access important information that will aid in solving a case? More often than not, you’ll be told that the data isn’t recoverable. But Jessa Jones believes that 99% of the time, that isn’t the case. 
In this episode, Jessa shares why phone manufacturers shy away from data recovery and how her business—iPad Rehab—steps in to fill the gap. Jessa has recovered data from phones chewed up by lawnmowers, blown up in airplane crashes, and water-logged while deep-sea fishing. 
Jessa also offers law enforcement the necessary training to troubleshoot and repair mobile devices to extract the data they need.