Jess Garcia, founder of One eSecurity, is a senior security engineer and an active security researcher in areas of incident response, computer forensics and honeynets. In this interview he talks about mobile forensics, cyber crime scenes, how forensics experts testify in court, privacy concerns, and more. Garcia will be teaching at SANS Forensics Prague 2012.

Let's say we're looking at a cyber-crime scene comprised of several still powered on computers as well as confiscated smartphones. When the forensic investigator arrives, what does his workflow look like?

Mobile devices are typically the most volatile of all the evidence, because they are constantly exchanging data (via wifi, 3G, Bluetooth, calls/SMS, etc.). The typical first step is to isolate those devices using appropriate measures (such as Faraday bags), to prevent a potential remote wipe or alternative technique directed to alter or destroy evidence in the device.

Certain precautionary measures should also be taken into account, like disabling access passwords or PINs in case the device is unlocked (for preventing re-locking), connecting it to a power source (to prevent battery exhaustion), etc. Similar steps should be taken with computers (in case they are connected to the network).

After that, a traditional forensics process can be carried out: on-site triage and pre-analysis if required, forensic acquisition of memory, hard drives, evidence preservation, etc.


Mobile devices can at times be acquired at the forensic lab, where you work in a more friendly environment with a better signal isolation. In that case, you need to make sure the device is kept connected to a power source at all times, since the signal isolation will quickly drain the batteries.

What forensics tools do you prefer and why?

I literally have hundreds of forensic tools in my "bag", both open source and commercial, Windows, Linux and Mac. Each case typically requires different tools and techniques, and sometimes a specific small utility can save you hours of work. It is important to be up to date with the latest versions, keep an eye on new tools and new features of your current tools.

If I have to mention just one tool, I will mention the SANS SIFT, which is open source and freely downloadable from the SANS website, and which comes with a myriad of forensic tools ready to use in a forensically friendly environment.

What advice would you give to a forensic investigator that needs to present his findings in front of a jury in court?

Court is a weird, confusing and at times hostile environment for technical professionals. In our world things are binary, black or white. Law is all about interpretation.