Feminist Sparks of Reflection About Digital Forensics

The field of digital security for human rights defenders (HRDs) relies on collaboration between technologists, who have advanced technical knowledge, and holistic protection facilitators, who work directly with survivors of technology-facilitated violence (TFV). The gap between groups that share information about digital attacks and those that are "in the middle" between activists and developers is exacerbated when it comes to the ability to perform forensics on compromised devices and publish auditable reports.

I am part of this community through my experiences as a technologist and intersectional feminist working on digital security for organisations and activists in Brazil. I consider myself to be in a privileged position because I have a technical background and previous experience with forensic technologies in companies. Furthermore, as a member of feminist organisations, I participate in our common activity of appropriating and adapting militarised methodologies - 'hacking' them - to bring a feminist perspective that questions the impact of technology on fundamental freedoms, security, privacy and everyday sustainability (Hache et al., 2022). As a result of this trajectory, I will bring individual and collective perceptions to bear on the issue in this article.

In my work, the proximity to the forensic field seems organic and desirable, a feeling we have found to be shared by other groups working in feminist helplines in Latin America. Given the multidisciplinary nature of our work, where a single case may require knowledge of digital, physical and psychosocial security (among others), we often feel like "superheroes" trying to master all these different powers. If the power of forensics were to materialise, we could go further and technically examine compromised devices, either to determine what happened or to assist in the compilation of legally acceptable documentation. At the very least, we would be able to identify more complex cases and better communicate that complexity to our subscribers.

From this desire to learn and share with my companions, I am exploring digital forensics from two points of view.

Since the Brazilian context differs in the use of surveillance practices and tools, and intending to gain more technical knowledge, I decided to approach the subject from the traditional side: a specialisation course in computer forensics. This course introduced me to the conventional view of forensic science and its current application by the Brazilian police. My fellow coursemates were police officers, military personnel, vendors of surveillance tools for the government and several IT professionals working in companies. Some professors were police officers, others judges. One was a woman.

In parallel, I bring up the example of the growing human rights field focused mainly on detecting spyware used against Human Rights Defenders (HRDs), which is a big deal. Since 2016, organisations like Amnesty Tech and Citizen Lab have published relevant reports such as the Pegasus analyses, a spyware developed by the Israeli company NGO Group. Pegasus has become notorious for targeting journalists and HRDs around the world. Our Mexican brothers have been particularly affected by these threats, with cases confirmed in 2017 and again in 2022. They also appeared as a target of the most recent government spyware used against HRDs called 'Reign' from the company Quadrean.

It is not at all surprising that this knowledge is concentrated among men, as the gender gap in technology is well documented. It is estimated that, on average, only 15-20 per cent of women work in ICT fields, and this percentage is even lower for information security professionals.

Regarding Brazil, there is a known "flirtation" of the authorities with the NSO group, but no confirmed activity whatsoever. Research by IP.rec looked into commercial agreements to supply tools for investigative forces in the country, and despite bringing records of several attempts to obtain Pegasus between 2017 and 2018 [1], they concluded that the current use of hacking tools by Brazilian authorities is widespread and centred on commercial forensics tools. The leading vendors are the companies Cellebrite, Verint and Magnet Forensics (IP.rec, 2022).

Cybersecurity: An Old Boy’s Club [2]

With the proposal to train students "to work professionally in large companies, as an expert in court cases or in their own specialised consultancy", the specialisation course I attended lasted ten months and a mixed theory and practice curriculum. The practical sessions were focused on police work or being a commercial forensic expert hired by a company. Some teachers focused exclusively on paid tools such as Cellebrite UFED, whose contracts cost the Brazilian police millions of reais (IP.rec, 2022). They gave demonstrations of these interfaces, most of which were significantly simplified, as they said, "often those who operate these tools within the investigative agencies are not even technicians". Other professors presented free software forensic alternatives, such as IPED, "an open source software that can be used to process and analyse digital evidence", and AVILLA Forensics, a "free mobile forensic tool". Both tools have two things in common: they try to unify free command line tools into one GUI, and they are developed by Brazilian men.

It is not at all surprising that this knowledge is concentrated among men, as the gender gap in technology is well documented. It is estimated that, on average, only 15-20 per cent of women work in ICT fields, and this percentage is even lower for information security professionals (See et al., 2017). Even in the field of human rights, if you look at a list of forensic investigation reports and peer-reviews, there is an undeniable majority of male authors.

On our side, in the field of forensics that is dedicated to the defence of human rights, there are more and more initiatives to socialise knowledge with people from different bodies and backgrounds, such as Amnesty Tech’s digital forensic fellowship, Internews’ monitor scaled project and more recently an initiative by Digital Defenders Partnership for the realisation of a course called Introduction to Forensics of Mobile Devices, Identification of Spyware and Documentation of Digital Threats with a Human Rights and Gender Perspective which is mainly oriented to feminist helplines, RaReNet and CiviCERT members. The course has multiple facilitators, mostly women and gender dissidents, and enrollment is limited to partners related to the projects. Even so, within a few weeks, the maximum number of registrants was exceeded, showing great interest in this subject.

Within my organisation, we also ran an introductory course on digital forensics for partner organisations and social movements. Marialab is an organisation that works at the intersection of hacker culture and knowledge that connects politics, gender and technology, using feminist methodologies that seek to "create safe and welcoming spaces" (Araújo, 2018). The course had eight weekly meetings and focused on a few students (all women and LGBTQIA+), mostly experienced digital security facilitators for human rights. Each session included moments of theory, sharing of experiences, accompanied practices, and others proposed as homework.

Each session included moments of theory, sharing of experiences, accompanied practices, and others proposed as homework.

One difference in these workshops was the ability to schedule meetings to ask questions and do things together online in a relaxed atmosphere. At one point, a participant was having difficulty installing tools on her computer and asked for help. After voluntary one-to-one support, she felt relieved and admitted to the class that she had considered dropping out of the course because she felt like a fraud. "You're not a cheat; you're just using Debian!" - The version of GNU/Linux that free/libre software enthusiasts often adopt but few use without spending hours troubleshooting. We, the facilitators, were on Linux Mint, a much simpler Linux distribution.

What to Expect?

Applying forensic science to human rights advocacy requires more than adapting tools or creating alternatives in free/libre software. Instead, it requires a focus on learning processes.

The tendency to simplify applications and guides is quite understandable, as the technical procedures behind forensic analysis can become quite complex. Even those of us facilitating digital security processes have different capacities and difficulties derived from our diversity and socio-cultural conditions. In Brazil, this community has "a multidisciplinary profile, mixing technical and technopolitical, pedagogical, psychosocial, legal knowledge, etc." (Amarela & Foz, 2022). Despite attempts to simplify procedures, if we take tutorials from tools developed for civil society, such as the Mobile Verification Toolkit (MVT), it is unreasonable to assume that everyone can do it alone.

Let's look at the profile of the participants of Marialab's course. We see people who are mostly "in the middle", bridging the gap between activists and organisations who have experienced technology-enabled violence. Thus, we find in their expectations goals such as "translating" or  "identifying" cases, proving that this knowledge brings, above all, resources for protection:

• Get an introductory idea of the field.
• Learn forensic techniques and practices to use in assisting cases.
• Work with forensic analysis in the future.
• Learn about the architecture of mobile phones, and gain more autonomy in imagining the possibilities for these devices.
• Improve risk analysis to better identify complex referral cases with targeted attacks.
• Being able to "translate" what forensic analysis is. What is it for? When will it be important? What will happen? How long does it take?
• To know the accumulation of practices and tools available for the self-defence of movements, organisations, and activists.
• Familiarise yourself with the ways in which technologies are used against us;
• Self-defence: better avoid or analyse personal situations.

We believe that some of these expectations can be met by expanding training spaces for civil society using feminist and decolonial methodologies (Hache et al., 2022). However, there are contextualised challenges to applying forensic techniques to HRD provision. In the following paragraphs, I will mention three that stand out in my opinion and experience.

1. When we provide emergency support, we care for a person who often experiences actual harm "that not only has consequences at a personal level but also at a collective and social level" (Diego et al., 2020). There is a sense of urgency that is not compatible with the time required to carry out all the procedures of law enforcement agencies or to analyse with the level of detail required to write elaborate research reports. This does not detract from the important role of such work, nor from the right of our field to demand evidence, but in practice, the speed with which we analyse and provide answers is very important for the violated person. Here I highlight the relevance of "quick forensics" tools and methodologies, such as the guide to quick forensics from Security Without Borders and the tool Androidqf.

2. Another characteristic is that our support is almost always remote. This fact severely limits our ability to use traditional forensic tools, as they focus on legally seized devices. It goes without saying that, in our case, the analysis is done voluntarily, and the person receiving support usually needs to continue to use the device for work and activism. This challenge is very specific to the precariousness of human rights work in Latin America (Amarela & Foz, 2022). In our workshops and publications, we often have to emphasise that there are ways to stay safe without having to dispose of their device. In our search for remote methods, we tested Androidqf, which "helps to quickly collect forensic evidence from Android devices to identify potential traces of compromise". The tool makes extracting a backup from a mobile phone much easier and can be fully analysed using MVT.

3. The third challenge is that most of the threats we face are not technically sophisticated. Many cases involve elements of physical and psychosocial violence, and the digital threats often undermine technically simple vulnerabilities such as weak passwords and incorrect account configuration. Forensics can help to understand and resolve these incidents, but it is not appropriate in all cases.

There is one case from our helpline that illustrates this expectation: An activist from a partner organisation was the victim of a financial scam in which social engineering techniques were used to gain remote access to her mobile phone. The victim reported receiving an SMS with the scammer's contact details, which was later deleted. She was tricked into installing the TeamViewer application and believed that spyware had been installed. She was afraid to turn on her phone. We made an online call and showed her how to use the Androidqf tool to extract a full backup of Android and apps. Our intention was to use MVT and investigate if there was any malicious software - but also to get concrete evidence of the SMS deletion and Teamviewer installation to write a technical report. She wanted to use this evidence in a lawsuit against the bank.

When we provide emergency support, we care for a person who often experiences actual harm "that not only has consequences at a personal level but also at a collective and social level."

To our surprise, we found no evidence of SMS deletion or installation/uninstallation of the Teamviewer application (although there were traces of it on the system). We were very surprised by the lack of logs of such everyday activities. Although an Android phone stores less information than a computer, this case made us think that if we only focus on the possibility of spyware, there are things that can be lost along the way. If we had chosen to use a commercial tool, would we have got this information? Logs of uninstalled applications and deleted text messages are simple evidence, but they would make all the difference in supporting this case.

“We are at the mercy of those more technical than we are”

What else does the field of forensics have to offer civil society to support survivors of technology-facilitated gender-based violence? Beyond a more accessible toolkit (which, like any tool, is limited when disconnected from a protection context and plan), what else can we imagine? Reflecting on the aims of this development, we wonder what other, perhaps simpler, analyses are being left out by the focus on detecting advanced spyware.

On the "other side", I see a massive amount of software, operating systems and forensic techniques constantly being developed by the international forensic community. Can we use some of these tools to meet the expectations of the women we work with? Or will they always be inaccessible due to their complexity and development within the capitalist and heteropatriarchal logic, or in the hands of a "tiny, elite group of technologists we trust"?

We believe in the power of adaptation and re-appropriation of technologies. And we also believe in the power of creating knowledge from these appropriations. Therefore, rather than being at the mercy of what the field of forensic science can offer, we seek to influence the field itself so that it opens up the possibilities of understanding these violations beyond the technical challenge they present and more as an opportunity to advance in the defence of human rights.