Lars E. Daniel, EnCE, ACE, AME, CTNS Digital Forensics Examiner Digital Forensics for Attorneys Overview of Digital Forensics Digital Forensics For Attorneys Overview of Digital Forensics Types of Digital Evidence Acquisition (Collection) and Preservation Experts, Evidence and Analysis Understand Forensic Experts vs. Computer Experts Digital evidence: discovery and usage Analysis Challenging Digital Evidence In The Beginning 1
2
Digital Footprints Digital evidence in 80% of cases 5+ billion cell phone subscriptions By 2013 there will be over 1 trillion devices connected to the Internet Digital Forensics Not Only Computers Computer Forensics Computers and Data Storage Devices Hard drives, USB thumb drives, Backup Tapes, Media cards Social Media Forensics Facebook, Twitter, Chat, MySpace, Internet Presence on Blogs, Message Boards Email Forensics Back tracking emails Email recovery Email authentication 3
Digital Forensics The Sub-Disciplines Peer to Peer Forensics File sharing via Limewire, BitTorrent, Gigatribe, itunes, others Cell Phone Forensics Call logs, contacts, text messages, pictures, movies, geo-location Cellular Evidence Forensics Cell phone record analysis, Cell phone ping analysis, Cell tower mapping Typical Case Types: Murder, Kidnapping, Drugs Digital Forensics The Sub Disciplines Digital Video and Image Forensics Security Video, Camera Video, Pictures Audio Forensics Police Interviews, Police Radio Recordings, Wiretaps GPS (Global Positioning Systems) Data from GPS units, Logs from GPS tracking, House Arrest Some Basics 4
Common Mistakes Calling these monitors, CPUs, Hard Drives, etc. CPU CPU Central Processing Unit Only performs calculations. Stores nothing. The brain of the computer. Inside The Computer RAM Random Access Memory Only contains data while the computer is turned on. Temporary processing storage only used while operating the computer. Is cleared when the computer shuts down or re-starts. 5
Inside The Computer The Hard Drive stores the evidence... Inside The Computer Hard drives today can store millions of Pictures Music files Movies Passwords Emails Web Pages Chats These are hard drives too. 6
Digital Evidence Digital Evidence Digital Evidence 7
Digital Evidence Overview Digital Forensics Four Primary Areas of Focus Acquisition (Collection) Obtaining the original evidence items Making forensic copies of original evidence Preservation Protecting the original evidence items Analysis Finding evidence Presentation Reporting findings and testimony Digital Forensics Foundations The foundation of digital forensics is the ability to collect, preserve and recover data in a forensically sound manner. Forensic Processes and Tools must be: 1. Predictable 2. Repeatable 3. Verifiable Forensic Documentation must include: Unbroken Chain of Custody Documentation of all actions taken 8
Digital Forensics The Sub-Disciplines Computer Forensics Computers and Data Storage Devices Typical Case Types: All Social Media Forensics Facebook, Twitter, Chat, MySpace, Internet Presence on Blogs, Message Boards Typical Case Types: Infidelity, Libel and Slander, Employee Wrongdoing Email Forensics Back tracking emails Email recovery Typical Case Types: Murder, Rape, Infidelity, Sexual Harassment, Child Pornography Digital Forensics The Sub-Disciplines Peer to Peer Forensics File sharing via Limewire, BitTorrent, others Typical Case Types: Child Pornography, Copyright Violations, Data Theft Cell Phone Forensics Call logs, contacts, text messages, pictures, movies, geolocation Typical Case Types: Murder, Sexting, Infidelity, Rape, Kidnapping, Drugs Cellular Evidence Forensics Cell phone record analysis, Cell phone ping analysis, Cell tower mapping Typical Case Types: Murder, Kidnapping, Drugs Digital Forensics The Sub Disciplines Digital Video and Image Forensics Security Video, Camera Video, Pictures Typical Case Types: Murder, Theft, Employee Misconduct, Wrongful Death Audio Forensics Police Interviews, Police Radio Recordings, Wiretaps Typical Case Types: Murder, Conspiracy, Wrongful Death GPS (Global Positioning Systems) Data from GPS units, Logs from GPS tracking, House Arrest Typical Case Types: Murder, Parole Violations, Kidnapping 9
Acquiring (Collecting) and Handling Digital Evidence Digital forensics requires forensically sound acquisitions. Defensible Practices Proper Chain of Custody Verification of evidence Proper documentation Acquisition (Collection) First contact with the original evidence. Most critical time for protecting the originals. Most likely time for police or others to damage or change evidence. General rules MUST be followed to preserve and protect evidence during this critical first response period. First point in establishing chain of custody. Polices for Law Enforcement are published by the National Institute for Justice Acquisition (Collection) First responders should be trained to handle this type of evidence. Digital evidence is fragile. Digital evidence is easily altered if not handled properly. Simply turning a computer on or operating the computer changes and damages evidence. 10
What Is Forensically Sound? This is Not Forensically Sound 11
This is Forensically Sound Verification Must Be Done 12
Organization of Logical Data on a Hard Drive Physical Acquisition A complete mirror image of the physical storage media, also referred to as a bit-stream copy. Gets everything, including deleted data and unallocated space Collected in forensic format that is easily verifiable Meets the standards for original evidence Supports full chain of custody Cannot be contaminated. 13
Two Types of Deleted Data 14
Preservation Once digital evidence is seized it must be handled carefully to preserve and protect the evidence. Everything should be tagged. No one should operate or preview any evidence on writable media without proper tools and training. Forensically sound copies of all original evidence must be made before analysis. Records must be kept. Fragile Nature of Digital Evidence The simple act of turning a computer on can destroy or change critical evidence and render that evidence useless. Maryland State Police - Criminal Enforcement Command -Computer Crimes Unit Even the normal operation of the computer can destroy computer evidence that might be lurking in unallocated space, file slack, or in the Windows swap file. Computer Forensics, Computer Crime Scene Investigation, 2nd Ed. John R. Vacca 15
Fragile Nature of Digital Evidence The next 3 slides demonstrate what happens when you operate a computer. Evidence is modified. Evidence is destroyed. Source: Preservation of Fragile - Digital Evidence by First Responders - Special Agent Jesse Kornblum -Air Force Office of Special Investigations Files In Original Condition Files After Opening and Viewing The last accessed date and time changes any time a file is opened and viewed while the computer is in operation. Exception is Windows Vista and Newer 16
Files After Saving The last written (Last modified) date and time changes any time a file is saved or copied while the computer is in operation. And for other reasons, Other Digital Evidence Global Position Systems (GPS) Units (location data) Vehicle Black Boxes (trucking industry) ipods (employee theft) Digital Cameras (sex crimes) Security Cameras (robberies, wrongful death) Audio Recordings (wrongful death, terrorism, murder, defendant interviews) Game Consoles (murder) Security Systems (murder) Back up Tapes (data recovery, fraud) Experts 17
Defendant as Expert Why a Forensics Expert? Computer Forensics Expert Should have comparable or better training and experience than the other expert. Should have specific training and experience as a digital forensics expert Should have access to the same tools as the opposing expert Must be able to qualify as a forensic expert in court 18
Technical Expertise Comparison Legal Expertise Comparison Investigative Expertise Comparison Computer Experts No training in examination or investigation Get caught up in what-ifs that have no bearing on the case Do not know where to look for evidence Digital Forensics Experts Examination is targeted to the device, operating system and type of case 19
Selecting a Digital Forensics Expert Certifications Forensic Tools Do they have appropriate forensic tools and know how to use them? - Required to perform many digital forensic functions - Computer Forensics (EnCase, FTK) - Cell Phone Forensics (CelleBrite, Paraben, Susteen) - Almost always needed to perform forensically sound acquisitions and examinations. 20
Selecting an Expert: Overview 1. Actual training in digital forensics and sub-disciplines? 2. Digital Forensics certifications? Or just computer based certifications? 3. Actual case experience? 4. Recommendation letters from other professionals, particularly attorneys? 5. Background check? 6. References? Selecting an Expert: Overview RALEIGH (WTVD) -- The defense asked for a mistrial Tuesday in the Brad Cooper murder trial. The move came as the first witness for the defense endured a withering examination by the prosecution on his qualifications to testify as an expert. James Ward of WireGhost Security told the court he was an expert in computer network security, but the prosecution questioned his qualifications to testify about Cooper's computers as a forensics expert. Defense computer expert James Ward (WTVD Photo) Selecting an Expert: Overview Arguing before Gessner Tuesday, the prosecution said Ward lacked the proper education and experience to say there was evidence of computer tampering. "He has a home lab. He borrowed his tools from Cisco. He doesn't know what software he used," said prosecutor Boz Zellinger. Zellinger said the prosecution and defense should be held to the same standards on expert witnesses, and Ward falls short. "I would be laughed out of this building," said Zellinger. Gessner ruled that Ward could testify about network security, but he could not testify about the FBI reports on Cooper's computers. 21
Spotting a Problem Expert Attitude: How does the expert interact with your team? 1. Arrogant or superior? 2. Does he or she take the time to explain to properly explain technical concepts in easy to understand language? The Bull Factor 1. If an expert does not have the answer to a question, does he or she try to convince you that they do anyway? 2. Great risk when testifying. 3. Use of jargon to cover up ignorance. Expectations of a Forensics Expert Computer Forensics Expert Expected to Anticipate testimony of opposing expert based on the forensic reports and discovery Duplicate and verify the opposing expert s work Assist the attorney in preparation for trial Advise the attorney as to the merits of the case in regards to the digital evidence presented. Write direct and cross exam questions Analysis 22
Analyzing the Case Always work the case like you are the primary examiner. Never assume anything. Check all the points in the case where mistakes are normally made: Chain of custody. Examination standard procedures. RTC verified for all evidence containing clocks. Evidence handling at the scene. Was everything examined. Claims made in the forensics report. Pay particular attention to keyword search results, internet history results, link files, etc. Placing the defendant at the computer. Performing the Analysis Step one: Verify the accuracy of their findings Did they represent their findings correctly? How thorough was the examination? Verify the completeness of their report Is everything they found in the report?» Why or why not? Was exculpatory evidence ignored or missed? Establishing a framework for analysis Reading discovery documents Reading the computer forensics reports What claims are being made? What statements were made? What facts support the claims and which do not? 23
What clues can lead to a more thorough digital analysis? Defendant's statements Witness statements Police statements and interviews Call center records Search warrants and subpoenas Other supporting documents Law Enforcement's computer forensics report Case Analysis Examples Document Metadata Example 24
Picture Metadata Example Picture Metadata Example Internet History Before Clearing 25
Internet History After Clearing Challenging the evidence What the heck is unallocated space?» Unallocated space is areas on the hard drive that are available to store data.» When a file is deleted, it is only marked as deleted, so the old data remains on the hard drive in the unallocated space.» Forensic tools can recover files from this unallocated area of the hard drive.» Files recovered from unallocated space do not contain:» Dates or times.» Original file names» Original location on the hard drive. Contact Information: Email: Lars@guardiandf.com Web: www.guardiandf.com Phone: 919-868-6281 Book: Digital Forensics for Legal Professionals Syngress Publishing Amazon.com (Print and Kindle) Larry E. Daniel and Lars E. Daniel Questions? 26