The nature of data storage device evolution requires rethinking many aspects of security, such as data concealment, law enforcement searching, parental controls/monitoring, and academic testing. The size and form factor of data storage devices are virtually unlimited, so security professionals need to eliminate specific recognizable objects as a means to detect data storage. In my opinion, data locations need to be determined by following the flow of data back to the source, instead of trying to identify the source initially.
Forensic analysis of the main PC or laptop to track file transfer history is the first step. However, removable drives of unknown appearance are harder to find, even once their existence is discovered.
Making this process more difficult is the increase in cloud-based storage (and even cloud processing), where the storage and use of data are performed using a remote service. Barracuda and Carbonite are the most commonly known by the public, but hundreds of online storage venues exist. An app popular on iPhones and iPads is Dropbox, where a user can synchronize and store files online for use anywhere.
Again, the best investigative strategy is to look for activity first, and then use that to point towards possible data sources. As the presentation described, there is no way to search every possible physical location for data in advance when it can be located in a keychain or stylized thumb drive.
Financial investigative techniques are applicable to data investigations. Financial forensics uses the process of following the money trail, rather than trying to identify all accounts up front. Data investigations will need to migrate to this approach, following the flow of data to trace all the locations it lands upon. Once the locations (drives, chips, USBs, gaming devices, online storage, emails, etc.) are identified, each of those can then be investigated further to develop other evidence.