
Digital Forensic Specialist
Grayshift
Matthew Fullerton is a Digital Forensic Specialist at Grayshift and a subject matter expert in mobile device forensics. Before joining Grayshift, Matthew served in Law Enforcement for 13.5 years as a Police Officer and Police Detective. Most recently, Matthew retired from a suburban police department in the Denver metro area, where he was a Police Detective and Digital Forensics Examiner. Matthew possesses several certifications and is a court-qualified expert witness in Digital Forensics.
In this post, Fullerton opens up about his previous life as a Police Detective, the difference data extraction tools make when working cases, and the sense of humor he brings everywhere he goes.
It’s obvious you’re a #nerdcop. What’s your favorite type of technology you love to use every day?
With the constant evolution of the internet of things (IoT), I love to find ways to make my life easier and more efficient. I’ve got many smart home items throughout my house – smart bulbs, cameras, etc. – that are connected to my little ecosystem. I love having full connectivity and the ability to check things out as they happen. I also like to find ways to make mundane tasks brainless.
For instance, I would always forget to turn off the outside lights in the morning, so inevitably, they would be on throughout the day. Now, I’ve got a smart bulb ecosystem that I can program, ranging from on/off times to varying colors for different holidays and functions. I’ve also got a smart watering system for my lawn sprinklers, which uses weather data to help plan and change the timing and frequency based on the conditions. These small things ensure that these mundane tasks are taken care of and are done more efficiently, which helps save a few bucks on those utility bills. Of course, the coolest part for me is that I can check and control all of this with my smartphone from anywhere in the world.
When you were a digital forensic investigator, what types of cases did you typically encounter?
Everything from property crimes to homicides. Over my career, I worked for two (2) different Police Departments, which were in different locales and served different demographics. This exposed me to all kinds of crime and different methods of investigation. As I gained experience, I learned that almost any crime could contain digital evidence, so I would try to apply it in any way possible. For every success there is at least one failure. So, having that in mind, there were some cases wherein I tried to leverage electronic evidence, and it didn’t work out, but as a good investigator, I learned how and why it didn’t work and made a point to do it better the next time.
Is there an example of a case you investigated with GrayKey? Can you tell us how GrayKey could have helped?
If anyone reading this has attended my class on leveraging the keychain and password list, they have heard this story. I worked on a case before GrayKey was available that involved an allegation of stalking. The victim worked at a bank and suspected that the behavior was being perpetrated by a particular customer but didn’t have proof. Nonetheless, the behavior was concerning and was seemingly starting to escalate. In particular, the suspect would tamper with the victim’s car in various ways, so I figured identifying the perpetrator was a good place to start. Some remote surveillance confirmed that the person the victim suspected was likely the culprit. Fast forward to the point wherein I interviewed the suspect and seized his phone; I thought that would be just the evidence I needed to prove this person had committed all the stalking behavior and I’d have a solid case to present to the Court. I wrote a search warrant for the phone, and once approved, used the available tools to obtain a data extraction. At the time, the only option available was an “advanced logical” extraction – essentially an iTunes backup. The data extraction was successful, and I started to parse it out in an extraction tool as soon as it finished. Once I started the process, I was prompted to enter the “backup encryption password.” I didn’t know that password, so the data extraction was effectively useless.
The State Supreme Court had already ruled that Law Enforcement cannot compel a person to provide such a password, even with legal process, so I researched different ways to obtain it. I learned that I could find the password on a computer via a PLIST – a special text file that contains data in the Property List format. So, being a diligent Detective, I obtained a search warrant for the suspect’s computer. After analyzing the computer, the PLIST I was looking for was gone and unrecoverable. Without this digital evidence, I couldn’t build a solid enough case to charge the suspect.
Knowing what I know now, I desperately wish I had GrayKey back then and this case would not have gone cold had I been able to use GrayKey. Unfortunately, the statute of limitations has long expired, so this knowledge does me no good. Plus, I’m not a cop anymore!
Editor’s note: Fullerton’s video courses are available on the Investigators Corner (login credentials are required to access these videos).
What is one thing you wish people understood about the job?
It’s tedious and takes time. The CSI effect was real, especially in the beginning of Digital Forensics. People would have unrealistic expectations about what kinds of data we could find and how quickly we could find it. This held true in all aspects of electronic evidence. For instance, I once worked a high-dollar jewelry store burglary, during which we obtained several types of video surveillance. Some were good quality; some would’ve been better as a VHS tape.
Even so, I was able to locate a suspect vehicle, but we could not see the identifying features, let alone a license plate. One of my superiors said something along the lines of, “Well, then do that nerd stuff! Enhance it! We need a plate.” In response, I gave them a less-than-satisfactory answer, which was not what they wanted to hear. Then, I realized I needed to set the expectations: identify and educate what capabilities were available, and what was not. This made moving forward a lot easier because people had clearer expectations and understanding.
What was the most challenging crime you solved with GrayKey?
I did not have a GrayKey when I was an active-duty detective.
What challenges did you regularly face as a mobile forensics examiner?
See answers to questions three and four.
What advice would you give new digital forensic specialists to help them overcome similar challenges?
Don’t be afraid to screw up. Most people learn better by doing. Find an old device – buy a cheap one online if you have to – and try some things out! Attempt different methods to extract data, take it apart, and see how it works; try to break it so you can learn how not to break an evidence device. When smart bulbs first came out, I had heard that they might passively collect IMEIs of devices in range, but to collect the data, you had to dismantle the bulb, rendering it unusable. I thought this could be helpful in a burglary case or something. So, naturally, I bought a six-pack of smart bulbs and stashed them throughout my house. After a few months of “testing,” I attempted to get data from them. I went through four bulbs before I figured out exactly how to dismantle them to obtain the small chip inside. Then I had to figure out how to obtain the data. In the end, I only got partial data from one of the chips, but it worked! All that to say don’t be afraid to fail, as it could always lead to success.
What do you know now that you wish you knew when first starting out?
So many things! On a technical level, I wish I knew how to leverage some of the data the way I do now. I feel like there have been some things I missed over the years that could have potentially made a difference.
What’s a secret about one of your teammates that most people don’t know but should?
If you’ve seen the movie The Hangover then you’re familiar with the blood oath scene. I was party to a similar ceremony at Grayshift HQ, so I’m sworn to secrecy. Hint: the ringleader’s name rhymes with Schmosh Schmarder.
What superpower do you bring to Grayshift?
I don’t take life too seriously, try to have fun, be humble, and am always up for learning something new. For those of you that have met me in person, you also know I’m incredibly tall and outrageously funny. While I’m really not that tall, I was once called a “local giant” by a newspaper in college, so there’s that.
Fullerton’s digital forensics knowledge and personality shine anywhere he goes. If you’re interested in learning more about the technical capabilities of GrayKey, he has a host of how-to videos and on-demand webinars available in the Investigators Corner (IC). You can access the Investigators Corner here using your login credentials or contact us to request access.