Verdict Resources, Inc.

What Attorneys and Employers Should Know About Computer Forensics

The First Commandment of Computer Forensics: Thou Shalt Not Touch

A friend recently went into an automobile repair shop and saw a sign similar to the one above.  It was cute, but the point was well taken: a well-meaning customer can create more work (and expense) than is necessary if he takes a shot at fixing his car first.

In working with hard drives, cell phones, USB flash drives, etc., the concern isn’t so much about creating additional work for the analyst; it is all about potentially tainting evidence.  The simple act of powering on a computer risks overwriting deleted data, and viewing existing files on a computer alters their metadata.

It is clear that many are still unaware of what to do when there is a potential that electronic evidence exists.  We quite often get cases where the owner of the computer has already tried to search for and view the evidence first, or has had his IT person, computer consultant, son-in-law, etc. take a look at it.

To answer that concern, we wrote a white paper last year to assist our clients, who are primarily attorneys and business owners. A lot of headaches and heartburn can be avoided if a few simple things are observed with respect to digital evidence.  Send us an email if you would like a copy: v at verdict.net.

Many of us can do easy things like change the oil or brakes on our cars, but if tempted to look at electronic data, remember the commandment, “Thou shalt not touch.”


Cell Phone Forensics: A No-Brainer

Agent 99 . . . is that you?

Maxwell Smart’s high tech mobile phone was a fun concept back in 1965.  The idea that people could carry around a portable phone wasn’t even on the grid yet.  Now there are over 4 billion mobile phones in use around the world. In America, 53% of all cell phones are smart phones, and 90% of Americans use mobiles to text or send pictures.  Texting is the #2 use of cell phones.  (#1 is checking the time.)

The average teen sends 3339 text messages per month, and 42% of teens can text blindfolded.  Those over 65 are getting into the act too, but they send only 32 text messages per month at this point. (Siri may help change that!)

Microsoft completed a study last year that indicates by 2014, mobile internet usage will exceed usage by desktop computers.  91% of mobile internet access is used to socialize, compared to 79% on desktops.

What does this mean?  Should be pretty obvious . . . the cell phone must be an element of investigations, as they often contain evidence.  The computer is still the best starting point, as well as the richest source of electronic evidence, since the desktop computer can do much and store a ton of information.  However, it is important to note that those little phones we carry around in our front pockets have more power and storage capacity than the Apple Mac Plus computer with the 20MB hard drive we had back in college.

Remember when Blackberries started to gain popularity?  They were known as “Crackberries,” due to the silly addictive-like behaviors of their owners.  (Seeing that blinking red light indicating a new message was enough to give some people the shakes.) Now it is the norm with iPhones, Androids, etc.

The amount of use on these little devices continues to make them an evidentiary treasure trove.

 


Stupid Pays the Bills

As much as I enjoy being surrounded by smart people, stupid pays the bills!

On a recent case, our client, a bleeding-edge tech firm in Los Angeles, had some employees quit and venture out on their own. They started a competing company, and soon several of the firm’s clients started to migrate over to the start-up. We soon got a call from the firm’s attorney to see if we could uncover any evidence on these former employees’ computers showing whether any proprietary or protected data was used by these guys.

We grabbed the computers used by the former employees, as well as some backup media, and initially found nothing of real value. (People are getting pretty smart these days about what can be recovered from a computer. Luckily, most remain ignorant of what we can snag off of a cell phone.) One of the employees’ computers had no evidence on it, but while combing through deleted files on another of the computers, we found one file that certainly caught our eye . . . a business plan!

This business plan was written on the firm’s computer, during the work day as identified by the metadata, and the writer spared little in the way of details. The marketing portion of the plan indicated how they would use their current firm’s client list as a basis for their marketing efforts. The firm’s client list contains information such as names of contacts, direct lines and cell numbers, and other client data that the firm had developed over the many years they’ve been in business.

Our client is positioned to now go after these former employees, no longer armed with a pea shooter, but with a bazooka.

Life is hard; it’s harder if you’re stupid. (John Wayne)


Cell Phone Records Retention

Retention Periods of Cellular Service Providers

Well, while the above logo is a bit polarizing, recent efforts by the ACLU did yield some pretty helpful information for cases where cell phones / PDAs are involved. (Do people still use the term “PDA?”)

A couple months ago, 35 ACLU affiliates filed 381 requests with law enforcement agencies in 32 states to identify how they use location data from cell phone companies to track citizens. Part of the results of their efforts yielded a chart that indicates what information is kept by the carriers and for how long.

This chart was created by the US Department of Justice and was intended to be used for law enforcement purposes only, but this will be helpful for criminal defense and civil matters as well.

The chart can be found here: http://tinyurl.com/3zzsxu6


E-mail Investigations

E-mail is used more than the U.S. Postal Service, and unlike regular mail, the sender keeps a copy and the receiver keeps a copy, even if they toss it in the trash!

I listened to a terrific presentation this morning by Liz Danziger of WorkTalk that detailed some of the things people should do to be more effective when using email, and that included many of the pitfalls involved with that mode of communication. The only thing I can say is . . . thank goodness most people have not seen this presentation! I really can’t overstate the level of stupidity that I see sometimes when analyzing electronic data; in fact, I depend on it! Presentations like this will make my work harder: their ignorance is my bliss.

Well, that is all tongue-in-cheek, of course. Learning how best to handle electronic data is critical, and I have clients that regularly speak to groups on things like what to do with electronically stored information (ESI) when one has employee issues, legal concerns when investigating an employee, how to deal with social networking, etc. I would be happy to put anyone in contact with them- just shoot me a note.

I also regularly speak to groups on workplace investigations specific to ESI from a “bag and tag” as well as analysis standpoint, including what type of evidence can be expected and how to preserve it.

If you do find yourself with an investigative need, do not overlook the computer. Nearly all communication originates on one, and most of it can be recovered by an expert using forensically accepted tools and practices.


Don’t Forfeit Control Over the Environment

I was recently called to analyze a home PC owned by a couple going through a divorce, on behalf of the wife who believed that the PC may contain evidence of her husband’s online trading accounts.  She did not want to bring the computer to our office to get it copied and analyzed, for fear that her husband may recognize that she’d done something with the computer. She was extremely nervous about getting caught, so I went to her home to copy the hard drive.  Her husband had a business lunch meeting in a city over an hour away, which provided a nice window of opportunity for us to get in, get the data, and get out.  At least in theory . . .

As I had the computer open and was removing the hard drive, we heard the unexpected yet familiar sound of the electric garage door starting to open, and she exclaimed, “Oh NO!  He’s home!”

She was pretty nervous at the beginning, but by now her anxiety was going through the roof.  We heard the kitchen door open, followed by footsteps across the tile floor, and she looked completely desperate.  By this time I was in full fight-or-flight mode (hands sweaty, mouth dry, adrenaline pumping), when she hissed, “Quick!  Take your clothes off!”

Well, maybe that last part didn’t happen exactly that way, but this experience underscored the need to maintain tight controls over the environment.  Similar to the client who called us in to image a computer, and then let the opposing litigant and his attorney be present and dictate how the data was to be captured.  Forfeiting control of the situation is a recipe for failure.

Sometimes there are hardware or software challenges that require workarounds, and maybe even a call to technical support, which does not inspire confidence when capturing the data with several parties present.  There is an unrealistic expectation that if an expert is involved, then the process will always be flawless.

The best case scenario is for us to bring the computer or storage device into our office so we can capture and analyze in a controlled environment.  If that is not possible, then we often go onsite to capture the data, but we still control how we access the device as well as the method of data acquisition.  If there is an issue with the owner of the computer attempting to assert controls over the procedure, then we will work with the owner’s trusted IT person, who can set the owner at ease.  Beyond that we will consider the environment too difficult to be successful and will exit the case.

Greater control increases the likelihood of a successful outcome.


Recovering Your Lost Data

We’ve Discussed Ways Evidence Can Be Hidden and How to Permanently Destroy Data . . . Here Are Some Tips on How to Recover Deleted Information

Due to our expertise in computer forensics, we are often called on to help recover files that have been accidentally deleted.  It has happened to everyone: deleting a file and emptying the trash before realizing we needed to keep something in there.  What a sinking feeling, but all is not lost.

The first thing to do in this situation is to not write any new data to the computer.  There is an excellent chance of recovering that data, as long as the hard drive space where that data resides is not overwritten.  So stop what you are doing . . . do NOT use the computer.

Probably one of the best ways to proceed is to take the computer in to a competent IT professional, who will have some industrial-strength tools in his bag of tricks.  But there are some terrific tools that are easy to use if you want to try it on your own.  Probably a trip to Staples or Fry’s to get their recommended products is all you need, in addition to having a friend who is at least a little tech-savvy help out. Here are a few proven applications to consider:

1. Recuva: Not the most powerful, but it is free, and does a pretty darn good job.

2. DiskInternals NTFS Recovery: The gold standard for recovering files, and pretty cheap at $100.

3. DiskWarrior: If you have a Mac, then this is the one for you, and also runs a c-note.
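To show why “do NOT use the computer” matters, here is an added illustration (not the page’s code, and not how the products above are implemented): a tiny signature carver run over a constructed, zero-filled stand-in for unallocated space, first while the deleted files’ bytes are still there and again after a new file has been written over one of them. The JPEG-shaped sample files and the offsets are constructed.

```python
import struct

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus the first byte of the next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker


def make_sample_jpeg(payload):
    """Constructed minimal JPEG-shaped file: SOI, a JFIF APP0 segment, opaque payload, EOI.
    It is not a decodable picture; it only has the structure a signature carver relies on."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return b"\xff\xd8" + app0 + payload + EOI


def make_unallocated_space(files, size=16 * 1024):
    """Zero-filled stand-in for a drive's unallocated area in which 'deleted' file bodies
    are still present.  `files` maps byte offset -> file content (constructed layout)."""
    space = bytearray(size)
    for offset, content in files.items():
        space[offset:offset + len(content)] = content
    return space


def carve_jpegs(space, max_size=1 << 20):
    """Signature carver: return every SOI..EOI run as (offset, bytes).
    Recovery tools find files this way once the directory entry pointing at them is gone."""
    found, pos = [], 0
    while True:
        start = space.find(SOI, pos)
        if start < 0:
            break
        end = space.find(EOI, start + len(SOI), start + max_size)
        if end < 0:                      # header without a trailer: skip it
            pos = start + 1
            continue
        found.append((start, bytes(space[start:end + len(EOI)])))
        pos = end + len(EOI)
    return found


def write_new_data(space, offset, data):
    """Simulate the user continuing to work: a newly saved file lands on 'free' sectors."""
    space[offset:offset + len(data)] = data
    return space


def recovery_before_and_after():
    """Carve once with the deleted files intact, then again after new data overwrote one."""
    photo = make_sample_jpeg(b"holiday" * 100)       # constructed deleted picture
    memo = make_sample_jpeg(b"client-scan" * 50)     # constructed deleted scan
    space = make_unallocated_space({512: photo, 8192: memo})
    before = carve_jpegs(space)
    write_new_data(space, 0, b"N" * 2048)            # constructed: a 2 KB file saved afterwards
    after = carve_jpegs(space)
    return before, after


if __name__ == "__main__":
    before, after = recovery_before_and_after()
    print("recoverable before new writes:", [off for off, _ in before])
    print("recoverable after new writes: ", [off for off, _ in after])
```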

One thing you should consider is an online backup service.  We use Carbonite, but there are others that do a great job.  If you have ever opened up a file intending to use it as a template for a new file, and accidentally altered the original, these backup services often will keep multiple backups over time so you have a choice of which version of the file to restore.  This has been a lifesaver!

Give us a call if we can help: 805-445-1997

 


Investigating Employees

Many thousands of dollars are spent on protecting our computers from outside threats, but studies show that the greatest problems are on the inside of the firewall.  Consider this:

1 – 85% of company information, your proprietary data, is at the endpoint.
2 – Employees spend an average of 75 minutes a day on non-work related activity. That is 25 hours a month.
3 – 70% of porn is accessed during the 9-to-5 workday.
4 – 82% of all e-crimes are by employees.

Below are a couple of recent cases involving employees’ illicit use of their computers:

1) Employee Sends Risqué Photo of Herself?
We recently investigated an incident that occurred at a law firm. One of the workers, a woman, had posed for a very risqué photograph, which she appeared to have sent to everyone in the law firm. The originating email was from a Yahoo! email address that was a derivative of her name. The email’s header yielded the IP address, confirming that the email originated from within the law firm. The Internet logs on the network were then reviewed to determine which computers were on Yahoo! at the time the email was sent, and four were identified, none of which was hers. A forensic analysis was conducted of the computer of the person who seemed most likely to have sent the email, a paralegal. He was successful in covering most of his tracks, but irrefutable evidence showed that the offending email’s account was created on his computer, leading to his termination. How dumb can you be?

2) CFO in Collusion with the Opposition
Our client’s company was involved in litigation, and the opposition had information that indicated there was a leak high up in the company.  Forensic analyses were conducted on several computers, including the Chief Financial Officer’s.  Discovered on his system was a deleted file that showed he had provided confidential information to opposing litigants. He created a three-page file in Microsoft Word, listing in great detail perceived offenses by his employer, emailed it from a personal Hotmail account through his browser, then deleted it. We found it.  Associated metadata indicated he was the author, when it was created and how many times he edited it.  Interestingly, this CFO was aware of our involvement early on in the case, before he created the document, which proves that stupidity is not limited to low-level employees!
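The correlation in the first case above (originating IP from the email header, then the network logs for who was on Yahoo! at that time), as an added illustration written for this page rather than taken from the investigation: it assumes a webmail header carrying X-Originating-IP or a Received: hop, a known firm egress address, and a simple constructed proxy log format; every address, hostname and timestamp is constructed.

```python
import re
from datetime import datetime, timedelta, timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed header of the offending webmail message (RFC 5737 documentation addresses,
# ".example" hostnames); it is not a real Yahoo! header.
SAMPLE_HEADER = """\
Received: from [203.0.113.45] by web120.mail.yahoo.example via HTTP; Tue, 14 Jun 2011 10:42:17 -0700
X-Originating-IP: [203.0.113.45]
Date: Tue, 14 Jun 2011 10:42:17 -0700
From: jane_doe_pics@yahoo.example
To: all-staff@lawfirm.example
Subject: a picture
"""

FIRM_PUBLIC_IP = "203.0.113.45"   # constructed: the firm's Internet-facing (NAT) address

# Constructed proxy log, one hit per line: "<UTC time> <internal client> <method> <host> <status>"
SAMPLE_PROXY_LOG = """\
2011-06-14T16:05:00Z 10.1.2.71 GET mail.yahoo.com 200
2011-06-14T17:31:02Z 10.1.2.17 GET www.example.com 200
2011-06-14T17:38:45Z 10.1.2.31 GET login.yahoo.com 200
2011-06-14T17:40:10Z 10.1.2.44 GET us.mg5.mail.yahoo.com 200
2011-06-14T17:41:58Z 10.1.2.31 POST us.mg5.mail.yahoo.com 200
2011-06-14T17:42:20Z 10.1.2.52 GET mail.yahoo.com 200
2011-06-14T17:43:05Z 10.1.2.9 GET news.example.org 200
2011-06-14T17:45:30Z 10.1.2.8 GET mail.yahoo.com 200
2011-06-14T17:55:12Z 10.1.2.60 GET mail.yahoo.com 200
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def originating_ip(raw_header):
    """IP the webmail provider recorded for the sender: X-Originating-IP if present, otherwise
    the 'from [ip]' of the bottom-most Received: hop (the one closest to the origin)."""
    msg = message_from_string(raw_header)
    m = re.search(IPV4, msg.get("X-Originating-IP", ""))
    if m:
        return m.group(1)
    for hop in reversed(msg.get_all("Received", [])):
        m = re.search(r"from\s+\[?" + IPV4, hop)
        if m:
            return m.group(1)
    return None


def sent_time_utc(raw_header):
    """The message's Date: header as an aware UTC datetime."""
    return parsedate_to_datetime(message_from_string(raw_header)["Date"]).astimezone(timezone.utc)


def originated_inside(raw_header, firm_public_ip=FIRM_PUBLIC_IP):
    """True when the provider saw the firm's own egress address, i.e. the mail left from inside."""
    return originating_ip(raw_header) == firm_public_ip


def parse_proxy_log(text):
    """Parse the constructed log format into (utc datetime, client ip, host) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, _method, host, _status = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append((when, client, host))
    return rows


def _ip_key(ip):
    return tuple(int(p) for p in ip.split("."))


def candidate_workstations(raw_header, proxy_text, domain="yahoo.com", window_minutes=5):
    """Internal clients that reached `domain` (or a subdomain) within +/- window of the Date:
    header.  Returns {client_ip: [hit times]} ordered by address; each is a candidate for imaging."""
    t0 = sent_time_utc(raw_header)
    lo, hi = t0 - timedelta(minutes=window_minutes), t0 + timedelta(minutes=window_minutes)
    hits = {}
    for when, client, host in parse_proxy_log(proxy_text):
        if lo <= when <= hi and (host == domain or host.endswith("." + domain)):
            hits.setdefault(client, []).append(when)
    return {ip: hits[ip] for ip in sorted(hits, key=_ip_key)}


if __name__ == "__main__":
    print("origin IP:", originating_ip(SAMPLE_HEADER), "inside firm:", originated_inside(SAMPLE_HEADER))
    for ip, times in candidate_workstations(SAMPLE_HEADER, SAMPLE_PROXY_LOG).items():
        print(ip, [t.strftime("%H:%M:%SZ") for t in times])
```

The proxy log only narrows the field to a few workstations; as in the case above, the forensic image of the most likely machine is what settles it.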

An Obvious Place to Look
The computer is an obvious starting point when investigating workplace activities, especially when considering that most communications and all information are created and/or stored on a computer, 95% of which will never get printed.  As in the above examples, sometimes it is the only place.


Getting Evidence from Cell Phones

We were recently engaged to identify inappropriate communications by a subject, and none were identified on the subject’s computer.  We analyzed data from the subject’s iPhone and struck gold, identifying dozens of illicit text messages that unquestionably showed the subject’s guilt.  Many people are becoming aware of email recovery, and thus are more cautious in their communications, but they are much less guarded when it comes to their cell phones. Like computers, a cell phone can both facilitate the act and store the evidence, so they should be an obvious place to look for information.

Some have predicted that mobile devices will one day replace our computers.  Many professionals are already shedding their notebooks when traveling, opting for the convenience of communicating by Blackberry, iPhone, etc.  More functionality is a certainty, which creates an increasing need for mobile forensics.

Verdict Resources, Inc. and Mobile Phone Investigations, Inc. announce a strategic alliance.

Because of this, Verdict Resources, Inc., a provider of computer forensics services, has allied itself with Mobile Phone Investigations, owned by Kevin Martin, to conduct all forensics on mobile devices. Kevin has served many years in law enforcement conducting examinations on both computers and cell phones, including PDAs, and has spent the last several years teaching advanced cell phone forensics and conducting forensics examinations for Paraben Corporation.

Computer technology is an ever changing environment, but it is MUCH more so with mobile devices. There is a new device introduced every day, and this is seen more in the cell phone/PDA world than in any other technology. Businesses and private citizens continue to feed the frenzy by continually upgrading to the latest and greatest of these technologies.

Tools and Methodologies
Because computers and mobile devices are built differently, one cannot apply the same examination techniques nor use the same tools. Today there is no standard in the construction of mobile devices or in their operating systems. One must have an ever-growing collection of cables and drivers to facilitate a connection between the software and the target device, as well as several court-tested forensics applications that work with most phones.

Training is as critical in mobile forensics as in computer forensics, so mobile forensics has become its own discipline. One example of the difference in approach: hard drive analysis focuses on the physical side of the device, while mobile forensics focuses first on the logical files. You might get one shot at analyzing a mobile device, so choosing the right provider is essential.

What evidence is available?
If an investigation includes both a computer and a mobile device, then examine the mobile first. More current data is there, and people communicate much more casually on their mobiles.  Additionally, the limited storage capacity of a mobile device means that data is overwritten more readily, a concern for obtaining evidence. Also, analyses can occur within hours of acquisition, while a computer can take several days.  A contact list in a cell phone is very helpful when subsequently searching a computer as well, so cell phone and computer forensics complement each other.

Not only can a list of contacts be obtained; also recoverable are:

· Text messages and MMS (picture/video) messages
· Call logs
· Email
· Chat
· Pictures
· Videos
· Internet activity
· Some back up files from computers
· Some deleted text messages and pictures can be recovered.


Tips for Removing Data

We know that simply hitting the “Delete” key doesn’t quite cut it when removing data from your computer.  So can data effectively be wiped from an active hard drive?  You’d hate to think that sensitive client information, especially that which was deleted, can be captured by opposing counsel’s computer forensics expert.  Well, thanks to a couple of clients who had a need for consistently securing their data, we’ve identified a couple of tools that you may find useful in securing data on your computers.  One addresses active hard drives while the other is for securing entire hard drives.

A protocol to secure the deleted data, as well as entire hard drives, should be a part of your office’s routine IT maintenance.

ERASER

A free program that is easy to install and even easier to operate.  Eraser will allow you to schedule routine wipes of unallocated space (also called “deallocated”) on your hard drive, which is that area where deleted files reside.  We set our computers up here at VRI to wipe the unallocated space weekly in the evenings, and we use this to wipe portions of hard drives that may contain multiple images.  Our clients rest assured that their data is secured when it is with us, and yours should too.  Start a program for routinely securing your deleted data. Get the application here: http://eraser.heidi.ie.

DBAN

This stands for Darik’s Boot & Nuke, a terrific wiping program.  It is a little more sophisticated than Eraser, but not really difficult once you have used it once or twice.  DBAN can be downloaded, again for free, and then you make a bootable CD-ROM.  Simply place the CD into the computer, turn it on, and it will walk you through wiping the entire contents of hard drives that are connected to the machine.  When using this in our offices, we disconnect the “C” drive’s cables to make sure that our important data is not accidentally destroyed.  We then attach numerous hard drives to the PC (wiping 5 at a time isn’t uncommon), boot it up with the DBAN disk in the CD drive, and then come back a few hours later after every bit of data is scrubbed from the drives.  We have been using this utility for quite a while to sanitize hard drives that contained images, so we can put them back into rotation. As mentioned, this application is a bit more involved, so reading the directions is a must, which you can do when you download it from here: http://www.dban.org.

There are many other applications out there that can do the same things; some even do more.  But coming from a long-time subscriber to the K.I.S.S. principle, and a dyed-in-the-wool penny pincher, both these programs come tested and recommended.


Getting Facebook Evidence

Step aside, Google.com, the most visited site by Americans is now Facebook.com.  Google held that spot since September 2007, but in May 2010, Facebook outpaced Google (not including Google’s other sites such as Gmail, YouTube, etc.)  Some interesting facts:

60 million daily status updates, of 465 million users

3 billion photos uploaded monthly

Average user has 130 friends

Average user spends 55 minutes a day

77% of Facebookers access it while at work

31% of the user base are between 35 and 54

Number of users over 55 yrs grew 923% in 2009

Australia now serves legally binding court notices via Facebook

We regularly find cached social networking pages while analyzing computers, but to get to the best evidence, Facebook needs to be involved.  Facebook procedures and policies are continuously modified and are changed without notice. Facebook will provide the latest information on how to obtain information by sending them a request at subpoena@facebook.com.

A request for records can be sent to the above email, or faxed to 650-644-3229, or mailed via USPS to Facebook, Inc., Attn: Security Dept/Custodian of Records, 1601 California Ave., Palo Alto, CA 94304.  The following types of requests are accepted:

Preservation Requests. For requests that identify an account by User ID, Username or email address, Facebook will preserve then-existing account records for 90 days, pending service of formal legal process.

Formal Legal Requests. For requests pursuant to formal compulsory legal process issued under U.S. law, Facebook will provide records as required by law. Response times vary depending on case complexity and records requested.

Emergency Requests. Emergency requests must be made using an Emergency Request Form, and will only receive a response if Facebook believes in good faith that serious bodily harm or death of a person may occur if Facebook does not respond quickly.

The request must include the following:
Requestor’s (i.e. Law Enforcement Department, Law Office) full contact information (Point of contact name, physical address, phone number and e-mail).
Response Date Due (Please allow 2-6 weeks for processing)
Full name of user(s):
Full URL to Facebook profile(s):
School(s)/network(s):
Birth date(s):
Known e-mail address(s):
Instant Messenger Account Id(s):
Phone number(s):
Address:

Period of activity at issue (specific dates will most likely expedite your request):

Subpoenas and court orders are sent to the same above email address and/or fax number. State court subpoenas must issue from a court within that state or must be issued pursuant to the proper state court commission. Federal civil subpoenas seeking the production of documents must issue from the court in the district where the production is to be made.

Facebook requires a $150 processing fee per User ID. Checks can be made payable to Facebook, Inc. and can be sent to the attention of Facebook Security at the above address, bearing the name and number of the case for which the fees are paid.

Note that users’ data is protected by the Electronic Communications Privacy Act (ECPA). See 18 USC section 2701 et seq.  ECPA is a federal statute that prohibits Facebook from producing any “content” without notarized user consent or a Search Warrant. Different information is available in response to a subpoena or a search warrant, so contacting Facebook in advance of your efforts is recommended.


Another Reason to Hate Facebook

Well, I actually don’t hate Facebook; it has been a great way to reconnect with old friends.  Being able to quickly share kids’ Christmas or baseball photos is a lot of fun, not to mention staying up to date on what is going on in the lives of my friends.  Notwithstanding Facebook having enough members to qualify as the world’s 3rd largest country, it still makes one’s personal community feel small, familiar and intimate.  And therein, as the Bard would tell us, lies the rub.

A recent study by Loyola University Health System identified social networking (primarily Facebook, with MySpace a distant 2nd) as responsible for 1 out of every 5 divorces.  And according to the American Academy of Matrimonial Lawyers, 81% of the nation’s divorce attorneys have seen an increase in divorce cases due to social networking. Divorce-online in the UK found that 20% of divorce petitions contained the word “Facebook.”

Actress Eva Longoria announced she was divorcing NBA star husband Tony Parker.  Why?  Because he cheated on her with a woman with whom he maintained contact on Facebook.

One of the first things we search for on family law matters is social networking evidence on the computers. IllicitEncounters.com, the UK’s largest extra-marital website, said 41% of its members that have been caught cheating were found out through social networking evidence.

Years ago, communication was letters, faxes and the telephone.  Now it is email, chats, text messages, Skype calls, etc.  Technology provides people many more options, and from our standpoint, that means more opportunities to obtain evidence.  We’ve seen an increase in cases where social media was used inappropriately, and we’ve obtained the evidence from the computers.  Much of that use occurs at work, with our clients who have concerns about employees, but we also have seen the signs mentioned above in divorce matters.


Because That’s Where The Money Is!

Who was Willie Sutton?

Bank robber Willie Sutton, known as Slick Willie, was on the FBI’s 10 Most Wanted list.  He robbed a lot of banks during the 1930s, and he was known to do it with style, sharply dressed in tailored suits, or in disguise.  He posed as a mailman, a telegraph messenger, and a policeman.  He was an innovative bank robber.

Wanted flyers were circulated to all the tailor shops in NYC, and it was a tailor’s son who recognized and turned him in.  When he was finally captured by the FBI, he was asked by an agent why he robbed banks. He simply answered, “Because that is where the money is.”

Why do we need to analyze computers? Because that is where the evidence is.

1. Virtually every transaction & communication involves a computer.

2. Computers are no longer a luxury item, but standard appliances at home and at the office.

3. People don’t need to know how a computer functions to set it up or operate it correctly.  That used to be the case, but now it is like driving a car.

4. And there is much less risk when doing inappropriate or illegal things in cyberspace than in the real world.

We may not have bank robbers in our midst, but we do have people who do things they shouldn’t, and they too are innovative. Sometimes they are called employees! And a good portion of the time, a computer is involved.  Most records are created electronically and do not exist in hard copy, which means there is a duty to address issues of evidence on computers, cell phones/PDAs, iPads, GPS devices, etc.  To paraphrase James Carville, “It’s the evidence, stupid!”

Deciding whether to analyze computers typically comes down to budget, as sometimes the cost exceeds the potential gain. The failure to pursue electronic evidence produces unknown consequences.  One often finds a treasure trove, yet sometimes he finds a dry hole; but consider the words of Wayne Gretzky, “You miss 100% of the shots you don’t take.”

 


Nursing Home / Elder Abuse Investigations

The Office of Counsel to the Inspector General of the Department of Health and Human Services just released a 28-page March 2011 report indicating that 92% of nursing homes employ at least one worker with a criminal conviction.  The report is a useful reference to consider for matters involving pre-employment, elder abuse, and healthcare investigations.  The direct link to the report is: https://www.documentcloud.org/documents/71242-nursing-facilities-employment-of-individuals.html

Perhaps the best way to stop elder abuse is to control who is involved in their care.  The online “Nursing Home Abuse Resource” indicates that 30% of facilities are cited for instances of abuse, which runs the range from physical abuse to neglect.  Additionally, more than 50% of all nursing homes are short staffed, leaving existing staff overburdened, which in turn leads to neglect and also abuse.  The National Center on Elder Abuse indicates that only 1 in 14 incidents of elder abuse, excluding self-neglect, ever come to the attention of authorities. It is far more prevalent than statistics show. As shocking as that may be, it is more significant to note that only 4 percent of the elderly reside in nursing homes, so most elder abuse takes place at home.  The vast majority of abusers are family, other household members or paid caregivers.  There is no question that services focused on the elderly have not kept pace with the needs of this fastest growing segment of society.  In fact, the one thing that has kept pace is the opportunity to exploit them.

Providing for the needs of our elderly citizens has been of particular interest to VRI principal Larry Troxel, who has served on the Camarillo Hospice board of directors: “Consideration for the protection of dependent adults is increasing.  Law enforcement and regulators cannot alone be their protectors.”

VRI is positioned to help stop elder abuse when it happens.


Is Steve Jobs Really Big Brother?

iPhones and iPads Track Your Every Movement . . . So what?


Apple, Inc., “is deeply committed to protecting the privacy of our customers who use Apple mobile devices, including iPhone, iPad and iPod touch,” a company representative told a Senate Judiciary subcommittee on May 10, 2011. “Apple does not track users’ locations — Apple has never done so and has no plans to do so,” Dr. Guy Tribble, VP at Apple Inc., said in testimony before the Subcommittee on Privacy, Technology and the Law.

Last year, Apple updated its privacy policy to say that it could “collect, use, and share precise location data, including real-time geographic location of your Apple computer or device.” That got the attention of Congress, and Apple responded, indicating that it collects data “anonymously in a form that does not personally identify you and is used by Apple and our partners and licensees to provide and improve location-based products and services.”

Apple may not be tracking the specific movements of its customers and reporting it back to the mother ship, but its devices are certainly recording that data in a file called “consolidated.db.”  The contents of that file can be obtained through forensic analysis, and can yield important evidence relating to where people have been at certain dates and times.
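As an added illustration of the “where was the device on a given date” question (not the page’s code, and no real device data): the block below reads a constructed stand-in for consolidated.db. The file being SQLite, the CellLocation table layout (MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude, HorizontalAccuracy) and the timestamps being seconds since 2001-01-01 UTC are assumptions about the iOS 4 format; the rows are constructed, and the real file has further tables this example leaves out.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumption about the iOS 4 file: Timestamp values are Apple "absolute time",
# i.e. seconds since 2001-01-01 00:00:00 UTC, not the Unix epoch.
APPLE_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)


def apple_ts_to_utc(ts):
    """Convert an Apple absolute-time value to an aware UTC datetime."""
    return APPLE_EPOCH + timedelta(seconds=float(ts))


def utc_to_apple_ts(dt):
    """Inverse of apple_ts_to_utc, used to push a date range down into SQL."""
    return (dt - APPLE_EPOCH).total_seconds()


def build_sample_db():
    """Constructed in-memory stand-in for consolidated.db with the assumed CellLocation layout."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE CellLocation (
        MCC INTEGER, MNC INTEGER, LAC INTEGER, CI INTEGER,
        Timestamp FLOAT, Latitude FLOAT, Longitude FLOAT, HorizontalAccuracy FLOAT)""")

    def at(y, mo, d, h, mi):
        return utc_to_apple_ts(datetime(y, mo, d, h, mi, tzinfo=timezone.utc))

    rows = [  # constructed: a day commuting between two towns, then the next morning
        (310, 410, 12345, 678901, at(2011, 4, 20, 8, 5), 34.2164, -119.0376, 500.0),
        (310, 410, 12345, 678902, at(2011, 4, 20, 8, 40), 34.1500, -118.9000, 750.0),
        (310, 410, 23456, 789012, at(2011, 4, 20, 12, 30), 34.0522, -118.2437, 250.0),
        (310, 410, 12345, 678901, at(2011, 4, 20, 18, 45), 34.2164, -119.0376, 500.0),
        (310, 410, 23456, 789012, at(2011, 4, 21, 9, 0), 34.0522, -118.2437, 250.0),
    ]
    conn.executemany("INSERT INTO CellLocation VALUES (?,?,?,?,?,?,?,?)", rows)
    conn.commit()
    return conn


def load_locations(conn):
    """All cell-tower fixes as a time-ordered list of dicts with UTC datetimes."""
    cur = conn.execute("SELECT MCC, MNC, LAC, CI, Timestamp, Latitude, Longitude, "
                       "HorizontalAccuracy FROM CellLocation ORDER BY Timestamp")
    return [{"time": apple_ts_to_utc(r[4]), "mcc": r[0], "mnc": r[1], "lac": r[2], "ci": r[3],
             "lat": r[5], "lon": r[6], "accuracy_m": r[7]} for r in cur]


def _parse_iso_utc(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


def locations_between(conn, start_iso, end_iso):
    """Fixes recorded in [start, end] (ISO-8601 strings, read as UTC).  The filter runs in SQL
    on the native Apple timestamp, so the conversion happens only on the rows returned."""
    lo, hi = utc_to_apple_ts(_parse_iso_utc(start_iso)), utc_to_apple_ts(_parse_iso_utc(end_iso))
    cur = conn.execute("SELECT Timestamp, Latitude, Longitude, HorizontalAccuracy FROM CellLocation "
                       "WHERE Timestamp BETWEEN ? AND ? ORDER BY Timestamp", (lo, hi))
    return [(apple_ts_to_utc(t), lat, lon, acc) for t, lat, lon, acc in cur]


def daily_summary(conn):
    """Per UTC date: number of fixes, first and last time seen, and the distinct cells used."""
    summary = {}
    for rec in load_locations(conn):
        day = rec["time"].date().isoformat()
        s = summary.setdefault(day, {"fixes": 0, "first": None, "last": None, "cells": set()})
        s["fixes"] += 1
        s["first"] = s["first"] or rec["time"]
        s["last"] = rec["time"]
        s["cells"].add((rec["mcc"], rec["mnc"], rec["lac"], rec["ci"]))
    return summary


if __name__ == "__main__":
    db = build_sample_db()
    for rec in load_locations(db):
        print(rec["time"].isoformat(), rec["lat"], rec["lon"], "+/-", rec["accuracy_m"], "m")
    for day, s in daily_summary(db).items():
        print(day, s["fixes"], "fixes,", len(s["cells"]), "cells,", s["first"].time(), "to", s["last"].time())
```

A cell-tower fix only places the handset within the tower's coverage (the HorizontalAccuracy column, here hundreds of metres), so the timeline says roughly where the device was, not exactly where its owner stood.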

Why is it stored? One big reason is to allow customers access to location-based information for things like mapping and targeted search results.  There are applications that allow people to share their locations with friends and family.  In other words, one of the main purposes is to improve their users’ experience, sort of like cookies on a PC. (Remember how folks used to preach against cookies?)

While Apple may claim that it uses its powers for good, there is no doubt of the potential for the company to sell the data, and the possibility of it being used by third parties for nefarious purposes cannot be overlooked.

That being said, there is a potential treasure trove of information here, such as geolocation data that can be analyzed when investigating employee activities.  In fact, for needs that call for tracking as opposed to forensic analysis, there are many applications available online that can be installed on any Apple device you own. Ronald Reagan might have said it best when citing the Russian proverb, “Doveryai, no proveryai.”

Trust, but verify.


Don’t Spoil the Evidence!

What to do with Electronically Stored Information (ESI)

It is fairly well known to our clients, nearly all of whom are attorneys, how ESI should be handled.  However, we quite often hear stories of the people or companies our clients represent continuing to mishandle ESI.  Data is evidence, and should be handled as such. Below are some basic points to share with them:

1 – Don’t touch a thing! If the computer is on, leave it on; if it is off, leave it off.  Computer forensic protocols require that no changes be made to the evidence, which in this case is the hard drive.  Powering up the system writes to hundreds of files and may overwrite data crucial to an investigation; computer forensics analysts can obtain the data without booting the computer.  A critical advantage to leaving a running machine on is the option to copy the RAM, or memory, which may hold passwords, encryption keys and other information that is gone the moment the machine is powered off.

2 – Don’t search it! Resist the urge to look at the data on the computer.  Each file carries dates indicating when it was created, last modified and last accessed, and simply opening a file on a live system can change those dates.  Computer forensics requires that the hard drive be copied in a forensically sound manner and that the copy be searched, leaving the original hard drive intact as best evidence.

3 – Don’t copy it! A Windows or DOS copy will copy files, but it will change some creation dates and will not capture deleted data.  Plus, this violates rule #1! Well-meaning IT personnel may think they are being helpful when ghosting a drive, but there is too much at stake for someone not trained in forensic tools and methodologies to handle the data.  A forensic analyst will write-protect the original hard drive so that no changes can be made to it, and will create a bit-by-bit copy (an image) in a format that can be properly analyzed and verified against the original by hash value.

4 – Hire a professional. Having someone not trained in forensic protocols handle the ESI is sometimes done in haste to move the investigation along, but it is definitely a hindrance. Red Adair said, “If you think hiring a professional is expensive, try hiring an amateur.”  We’ve come on scene after in-house IT personnel or other company workers have tried to be helpful, and found cases where the data’s evidentiary value had been destroyed, or at the very least compromised.   A forensic analyst should be engaged as soon as it becomes apparent that ESI may be involved, so that he can provide guidance from the start.

If you or your clients follow the above suggestions, and especially Rule #1, you will go a long way toward ensuring the best possible outcome.
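To make rules #1 through #3 concrete, here is an added example (our own illustration in Python, not a tool the firm uses or any product's code) that contrasts a file-by-file copy with a bit-stream image. The "drive" is a constructed file of a few blocks containing one live file and the remnant of a deleted one; the allocation table, file names and message text are invented. The image routine reads the source only, hashes every block as it passes through, and the hash of the finished image is checked against a fresh hash of the source, which is the verification an analyst records. The carving step then shows why the logical copy is useless for deleted data.

```python
import hashlib
import os
import tempfile

BLOCK = 4096


def build_evidence_drive(path):
    """Write a constructed 'drive' to path: a boot block, one live file, an empty
    block, and the remnant of a deleted file whose clusters were never reused.
    Returns the allocation table as the OS would see it (the live file only)."""
    boot = b"BOOTSECTOR".ljust(BLOCK, b"\x00")
    live = b"Quarterly report: all figures verified.\n".ljust(BLOCK, b"\x00")
    remnant = b"DELETED Subject: shred the Madoff file before Friday\n".ljust(BLOCK, b"\x00")
    with open(path, "wb") as f:
        f.write(boot + live + b"\x00" * BLOCK + remnant)
    return {"report.txt": (BLOCK, len(live))}   # name -> (offset, length)


def logical_copy(src, alloc):
    """What a Windows/DOS copy gives you: only the files the OS still lists."""
    out = {}
    with open(src, "rb") as f:
        for name, (offset, length) in alloc.items():
            f.seek(offset)
            out[name] = f.read(length)
    return out


def bitstream_image(src, dst):
    """dd-style image: every block, allocated or not, copied in order and hashed
    as it is read. The source is opened read-only; nothing is written to it."""
    h = hashlib.sha256()
    with open(src, "rb") as s, open(dst, "wb") as d:
        for chunk in iter(lambda: s.read(BLOCK), b""):
            h.update(chunk)
            d.write(chunk)
    return h.hexdigest()


def sha256_of(path):
    """Independent hash of a file, used to verify the image after acquisition."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def carve(image_path, marker):
    """Offsets at which marker occurs anywhere in the image, unallocated space included."""
    with open(image_path, "rb") as f:
        data = f.read()
    hits, pos = [], data.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = data.find(marker, pos + 1)
    return hits


def demo():
    """Acquire the constructed drive both ways and report what each method yields."""
    with tempfile.TemporaryDirectory() as d:
        drive = os.path.join(d, "suspect_drive.bin")   # stand-in for the physical device
        image = os.path.join(d, "suspect_drive.img")
        alloc = build_evidence_drive(drive)
        acquired = bitstream_image(drive, image)
        return {
            "image_verified": sha256_of(image) == acquired == sha256_of(drive),
            "logical_copy_has_remnant": any(b"Madoff" in v for v in logical_copy(drive, alloc).values()),
            "image_remnant_offsets": carve(image, b"Madoff"),
        }


if __name__ == "__main__":
    print(demo())
```

Against a real device the same two steps are `dd` (or a hardware imager) behind a write blocker, followed by a hash comparison; the point of the example is that the deleted message is recoverable from the image at a known offset, and absent from the copy the IT department would have made.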


We hope the above information is helpful, and feel free to forward this to your clients or copy out the above.  Give us a call if we can assist with these types of investigations: 805-445-1997.


Social Networking in the Workplace

“Our adversaries are trolling social networks, blogs and forums, trying to find sensitive information they can use about our military goals and objectives. Therefore, it is imperative that all Soldiers and Family members understand the importance of practicing good operations security measures.” -Sgt. Maj. of the Army Kenneth O. Preston

The above was taken from the newly published U.S. Army Social Media Handbook, which encourages the use of social networking within some common-sense safety guidelines.  The advice includes turning off the GPS function of smartphones, closely reviewing the contents of photographs, not revealing sensitive information, and asking oneself, “Could this compromise the safety of myself, my family, or my unit?”

The same logic should be extended to employees when establishing a social media policy in the workplace.

We have come across numerous instances of employees using social media at work.  In fact, sites like MySpace, Twitter and Facebook often yield treasure troves of electronic evidence.  While they are incredible time suckers at the office (77% of all users access those types of sites while at work), they have provided the magic bullet in several of our computer forensics matters, such as the woman who was threatening her employer with a sexual harassment lawsuit while maintaining a MySpace page with pictures of her in simulated sex acts.

Helping clients secure their systems and establish acceptable policies is outside of our expertise, but the sheer volume of social media we are seeing on clients’ computers indicates that stronger controls are needed.

However, from an evidentiary standpoint, we love those sites!


Sex Harassment Case Avoided


Verdict Resources, Inc. was hired by a local service-oriented business, one of whose principals was a celebrity, a well-known professional athlete.  The owners of the business were threatened with a sexual harassment lawsuit by a 19-year-old female worker.   The owners suspected that she was using her computer for non-work-related activities, so they hired us to see if there was anything on her hard drive that could be useful to them.

We went in after the workers had gone home for the day, made a forensic image of the hard drive in the company-owned computer used by this young woman, and took the image back to our office for analysis.  What we found was quite interesting.

1) This worker had conducted online searches in an attempt to locate nude photos of the celebrity owner, e.g., “john doe nude.”

2) We identified emails in which she used profane and sexually explicit language with her friends.

3) Lastly, we found that she had a MySpace page which, although set to private, had been cached (saved) to her hard drive by the browser; the cached pages showed photographs of her in various sexually suggestive poses.

Needless to say, her threats disappeared, and so did she!

MySpace, Facebook and other social networks might be time-killers, but this was an obvious case where the employer was glad his employee was on MySpace.

Analyzing the computer should be an element of many types of investigations.

Helpful tip: When an employee leaves the company, do not put their computer back into circulation without first making a copy of the hard drive.  Archive the original and put the copy into the computer.  We recommend a bit-stream image, in case there is later a legal need for it.  We’ve had cases where the company’s IT department reformatted the computer and let someone else use it for many months before determining that they needed information pertaining to the previous worker from that hard drive.  Hard drives are cheap!


How People Can Hide Electronic Evidence

The following thoughts are offered so that you can be aware of what some folks may do to get rid of evidence.

So, the preservation letter lands on the bad guy’s desk . . . what is he to do?  Here are a few things he just might have in mind:

1 – Load up unallocated space with new stuff.  Files are not removed from the hard drive when the Delete key is hit; they just end up in that area of the drive known as unallocated space.  They will stay there, fully recoverable, until the operating system needs those storage clusters for other data.  A person could overwrite nearly all of his deleted files by downloading a bunch of his favorite movies through iTunes, so that very little unallocated space is left.  No unallocated space, no deleted files . . . voila!

2 – Edit Outlook emails.  Try this: double-click on any Outlook email, sent or received, to open it in its own window.  In Outlook 2007, go to the menu, click on “Other Actions,” and drop down to “Edit Message.”  Make whatever changes you want and hit “Save”; at that point there is no way to tell from the text alone what the original message said, short of examining the copy on the computer at the other end of the communication.  Outlook shows no modification date for individual emails, since they are entries in the Outlook data file rather than separate files.  A forensic examiner can, however, read the message’s internal last-modified property from that data file, which may reveal that it was changed after it was sent or received.

3 – Have an automated purge procedure in place. Our office uses a free little program called Eraser, which does a nice job of wiping files.  When deleting a file, we right-click on it and hit “Erase,” and the storage clusters holding that data are overwritten, making recovery impossible.  We also overwrite all of our unallocated space as a standard practice once a week; we set Eraser to initiate the wipe every Wednesday at midnight.  Such a schedule has to be suspended the moment a duty to preserve arises, though: a wipe that runs after the preservation letter has been received is spoliation, not housekeeping.

4 – Changing a file’s appearance.  Giving a file a different extension will make it appear differently to the casual user. For example, try replacing a Word document’s “.doc” extension with “.gif,” and see how the icon changes.  Double-clicking the renamed file is also a problem, since Windows hands it to the image viewer, which cannot open it.  However, forensic applications are not fooled, as they read file headers (signatures) instead of extensions.  FTK, our forensic application of choice, goes a step further and lists any files whose extensions do not match their headers.
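The header check described in item 4 is simple enough to show in full. The following is an added example in Python (our own illustration, not FTK's code or any part of it): it walks a directory, reads the first bytes of each file, matches them against a short table of well-known signatures, and reports every file whose extension does not belong to the type the header identifies. The signature table is a small assumption-labelled subset of what a commercial tool carries, and the sample files written by demo() are constructed for the demonstration.

```python
import os
import tempfile

# Leading bytes (magic numbers) of common file types, and the extensions under which
# those bytes are legitimately found. Assumption: a deliberately short table; a
# forensic suite carries hundreds of entries.
SIGNATURES = [
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2", {".doc", ".xls", ".ppt", ".msg"}),  # Office 97-2003
    (b"PK\x03\x04", "zip", {".zip", ".docx", ".xlsx", ".pptx", ".jar"}),           # Office 2007+ is a zip
    (b"%PDF-", "pdf", {".pdf"}),
    (b"GIF87a", "gif", {".gif"}),
    (b"GIF89a", "gif", {".gif"}),
    (b"\x89PNG\r\n\x1a\n", "png", {".png"}),
    (b"\xFF\xD8\xFF", "jpeg", {".jpg", ".jpeg"}),
]


def identify(header):
    """Return (type_name, allowed_extensions) for the header bytes, or (None, set())."""
    for magic, kind, exts in SIGNATURES:
        if header.startswith(magic):
            return kind, exts
    return None, set()


def find_mismatches(root):
    """List (relative_path, extension, header_type) for every file whose extension
    does not match the type its header identifies. Files with no known signature
    (plain text, for instance) cannot be judged and are skipped."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                head = f.read(16)          # longest signature above is 8 bytes
            kind, exts = identify(head)
            ext = os.path.splitext(name)[1].lower()
            if kind is not None and ext not in exts:
                hits.append((os.path.relpath(path, root), ext, kind))
    return sorted(hits)


def demo():
    """Write a few constructed sample files and run the check over them."""
    ole_header = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 24
    samples = {
        "memo.doc": ole_header,                   # genuine Word 97-2003 document
        "vacation.gif": ole_header,               # the same kind of document renamed to .gif
        "logo.gif": b"GIF89a" + b"\x00" * 10,     # genuine GIF
        "notes.txt": b"plain text has no signature\n",
    }
    with tempfile.TemporaryDirectory() as d:
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return find_mismatches(d)


if __name__ == "__main__":
    for rel, ext, kind in demo():
        print(f"{rel}: extension {ext} but header says {kind}")
```

Two caveats that carry over to real tools: a renamed plain-text file has no header to check, so this kind of scan will never flag it, and a .docx carries the same "PK" header as any zip archive, which is why the table allows several extensions per signature rather than one.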

Timing is critical when getting at the subject’s hard drive, as anti-forensic tools and methods for circumventing the analyst’s recovery of digital evidence are becoming more common.


Cutting Computer Forensics Costs

Understanding Legal Fees

Interacting with the information early, by searching for documents and correspondence that meet specified criteria, facilitates early case assessment. Finding critical information early saves you and your clients money. Processing a hard drive can quickly provide information with which to evaluate how to proceed with a case, and sometimes whether to proceed at all. For example, the presence or absence of the words “Enron,” “Madoff,” or “cement shoes” in email correspondence on a computer may change the direction of a case.  This triage process is intended to allow the potential evidence, or in this case the containers of evidence (hard drives), to be quickly included, eliminated, or ranked in order of importance to the overall case. The earlier days of computer forensics allowed for casting a wider net when fishing for digital evidence, as the ponds were much smaller.  It wasn’t that long ago that 20-gigabyte drives were the norm.

Now that we are dealing with oceans of data (terabyte-size drives are not uncommon), a process must be employed to quickly verify:

1. If there is relevant data;

2. Whether or not the data is actually useful;

3. Its importance to the overall case.

The focus must be on genuine investigation as opposed to data review, and be outcome-specific instead of process-oriented.  The expected result is a more focused pool of files with greater evidentiary value, rather than a large-scale production of documents that simply meet keyword criteria. The relative ease of access to data today is offset by the rate at which data, even relevant data, is created and stored.  The potential for reducing overall case costs lies in the triage process of inclusion, elimination and ranking.

Another way to save money in computer forensics is to have the hard drive copied in your analyst’s office, though sometimes that is not possible.  We imaged a 500GB hard drive yesterday and billed just one hour for it: removing the drive from the computer, hooking it up to our equipment for imaging, verifying the image, and reinstalling the drive in the case.  The imaging itself ran in another room while we worked on other matters. In the field, the same job would have taken seven or more hours on site, plus travel time and expenses.