Thursday, January 7, 2021

Cellebrite Reader: You Don’t Know What You’re Missing!

January 7, 2021

Cellebrite Reader:  You Don’t Know What You’re Missing!

As a digital forensic practitioner who logs approximately 70% of cases in the mobile device forensics arena, it has become the norm for us to receive discovery in any number of forms from opposing counsel, law enforcement agencies, etc.  Being one of the most commonly used mobile forensic tools on the market (particularly by law enforcement), Cellebrite has wisely developed a way for people who wish to view the data on a particular device to do so, also with the capability of generating their own report.  This pared-down or lightweight version of the Cellebrite Physical Analyzer program, called the Cellebrite Reader, is a great free way to browse the 30,000-foot view of the data, particularly for laypersons who may just want to get text messages, pictures, videos, etc.  These are traditionally the “high points” of the data on the phone or tablet and can sometimes include deleted items, but a serious warning should accompany the Cellebrite Reader file:  You don’t know what you’re missing!



Who Should Use The Cellebrite Reader?

The Cellebrite (or UFED) Reader is a lightweight version of the paid version of the analysis tool that accompanies a full Cellebrite product license called Physical Analyzer.  To say it’s a “lightweight version” of Physical Analyzer is a bit of an understatement.  At first glance in the user interface, the two applications look very similar, but as with most things in digital forensic analysis, the devil is in the details.  So then who should use the Cellebrite/UFED Reader?  If your case involves any of the “basic” data areas, such as undeleted text messages, photographs and some location data, then the UFED Reader tool is probably fine.  The tool is best for on-staff investigators, paralegals, private investigators and other mostly non-technical support staff.  If you have absolutely no need to dig into the data at all, the UFED Reader program should serve your purposes just fine.  The issues emerge when we dive into how the data is generated and what is included, or rather not included, by the person who generated the Reader file.


The “Analyzed Data” portion provides a great overview of the simple data areas decoded automatically by Cellebrite, including *some* deleted data (red parentheses)


How Is a Cellebrite Reader File Generated And What Is Included?

A Cellebrite/UFED Reader File is generated within the larger licensed tool called Cellebrite UFED Physical Analyzer.  Many times, because of case backlog or by specific request, the person doing the data extraction from the device(s) will create a “data dump” report, viewable in the UFED Reader.  This creates a .UFDR file, which is only able to be opened and read in the UFED Reader program, which accompanies the UFDR file at no cost to the user.  In the case of a data dump report, ostensibly all of the readily viewable and automatically decoded data on the device is included in the UFDR file. 

However, one strong warning about UFDR files is that they can easily be generated by the analyst cherry-picking or selectively choosing the data to include in the UFDR file, which is NOT a data dump.  For example, the person responsible for generating the Cellebrite Reader file can choose only certain picture file types or certain text messages or message strings to include in the Reader file. This could *look* the same as a data dump within Cellebrite Reader, but would have far less data than the 100% dump of everything available from the device.  There is no clear indication that a data dump file has been generated versus one that is selectively created by the analyst and exported into a UFDR and Cellebrite UFED Reader file.  It is not unlikely that the person generating the Cellebrite Reader file for your review has not included things like the databases from the device (pictured below).  We’ll discuss the importance of this shortly…


The other strong warning about Cellebrite Reader (UFDR) files is that they MAY NOT include all of the data.  While companies like Cellebrite, Oxygen, MSAB and Magnet Forensic try very hard to keep up with the trends in mobile technology, they are always playing a game of catch-up with their support of hardware and software because mobile technology moves so fast.  Add into the support equation that only a fraction of third-party applications are supported for decoding by these tools and the point becomes clear that if you are relying solely on UFED Reader files, you are likely missing data!  There is currently no exception to this rule.

The analogy we often use is that the Cellebrite Reader file is like a “prepared meal”.  A competent digital forensic analyst wants to inspect the ingredients that went into preparing that “meal” to make sure there’s nothing missing.


What Data Is Missing From Cellebrite Reader Files?

At a basic level, all application data (i.e., apps) on mobile devices is stored in roughly the same way.  This common storage approach is in a series of databases that are created, updated and stored as part of the application itself.  The databases work in the background of the user interface to store and present the data to the user on the device in the native user experience.  The problem is that, as stated earlier, a mere fraction (probably 10% or less) of the applications available on the Apple App Store (iPhone) or Google Play Store (Android) are supported for automatic decoding in Cellebrite or any other mobile forensic analysis tool.  This means that manual analysis of these databases will frequently become a necessity in your cases.  And these databases may not included as part of a UFED Reader file, and you may only be provided with automatically decoded data from supported applications.  The illustration below shows a snapshot of how many applications are decoded by Cellebrite on an iPhone 8 Plus running iOS 14.  Among the applications not decoded are common applications like Snapchat, Twitter, Instagram and others:



Even if an application like WhatsApp is supported for automated decoding in your tool, when the developers of WhatsApp make even minor changes to the application in development and roll the new version of the application out to their users, this could cause the mobile forensic tool to no longer be able to decode and display the data automatically.   This is another circumstance where manual analysis of the database(s) for the application will be required and as stated previously, the databases may very well not be included in your Cellebrite Reader file.

This is why you should always consult with a digital forensic professional in any case where you are provided data from an opposing party, particularly if there is a possibility that any of this data could be presented as evidence.


Wrapping It Up

While Cellebrite and their UFED Reader program are used as an example in this article, many other mobile forensic tools also have similar lightweight versions for simple review of the data.  These are often called “portable case files”, or something similar.  Regardless of the tool and what they call their lightweight application, the same limitations and warnings apply.  And when faced with the possibility that your client could go to prison for a significant period of time or lose custody of their children or perhaps even lose a large sum of money, due diligence dictates consultation with an expert who knows how this data is stored, how to appropriately analyze it and what steps should be taken to ensure nothing is missed.  Lives depend on it!


Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/


Tuesday, December 15, 2020

Keys to Success in Digital Forensics Series: Knowing the Justice System

Keys to Success in Digital Forensics Series: 

Knowing the Justice System


A recent discussion on an international podcast spawned several offspring topics about what bona-fide occupational qualifications (previously known as BFOQs) are key to success in the field of digital forensics.  This question has several answers, some of which are not readily apparent to many who may be pursing coursework and a career in digital forensics, but they are often intangible assets that differentiate between a good examiner and a great examiner.  One of these has very little to do with the nuts-and-bolts of digital forensics: Knowledge of the Justice System.  We’ll explore the system and elements to this key to success here, concentrating on those elements particularly in the United States.

Key Element #1:  The Difference in Types of Justice Systems

In the United States, there are several different types or levels of court system.  They are also divided into levels inside their own particular system.  For instance, there are Federal, State and Uniform Courts of Military Justice (UCMJs), which handles solely military justice matters (i.e., Army, Navy, Air Force, Marine, Coast Guard).  The Federal and State Courts are each divided into “lower” and “higher” courts.  The lower courts are usually District Courts and the higher courts are usually circuit, appellate and supreme courts.  Trials are conducted at the District and Circuit levels, but cases are only reviewed and ruled upon based upon evidence presented at trial in Circuit Courts in the Appellate and Supreme Courts.  No additional evidence is heard at the Appellate or Supreme Court levels, only written and oral arguments by the litigators involved.  


In addition to the different venue and types of courts, there are types of cases – Criminal or Civil.  Criminal cases are those which an accused is arrested based upon a complaint or criminal accusation and faces a fine, jail/prison time or some other punishment laid out in the criminal or penal law.  Civil actions are those brought before the court when there is a dispute between two entities, such as two companies or a company and a former employee.  Divorces, intellectual property theft, monetary or property disputes and other types of lawsuits are heard in Civil court.  Some cases can cross-over between both courts, depending on the circumstances.  In Virginia in 2016, Pro Digital was involved in a divorce case which had a criminal element to it, so different parts of the case were heard in two different courts.  While most minor cases start in lower courts District courts and proceed up to the Circuit level, many cases may start directly at the Circuit Court level.

Key Element #2:  How The Courts Work Differently

State & Federal Courts do operate somewhat differently, but the differences mainly lie in the types of cases that are heard in each court.  In State Criminal Courts, cases brought by local and state law enforcement are heard.  Usually, private citizens can also take out certain criminal charges on someone they feel has committed a crime against them and the police are either not willing or unable to conduct an investigation.  In Federal Criminal Courts, cases are usually brought by one of any number of 3 or 4-letter federal law enforcement agencies (FBI, DEA, ATF, HSI, etc.) and have specific jurisdiction over the cases via Federal Law.  For instance, many child sexual abuse material (CSAM) cases are brough before federal criminal courts because the images are traded/downloaded/traffic across the internet, so the nexus of the case is interstate commerce… Because all traffic over the internet has to cross state lines, whether the accused left their house in commission of the crime or not.  Add into the mix that many local law enforcement agents belong to Federal Task Forces for CSAM, drug investigations, etc., which can also affect in which court the case is heard.

Civil Actions in State Court are generally between two people who either entered into a contract/agreement locally (including marriage) or conduct business on a more local level or inside a state’s boundaries.  Federal Civil actions usually deal with the Civil side of interstate commerce, larger national/international business disputes, anything covered under entities like copyright or patent law and so forth.  Essentially, the court in which the case you’re working is heard in is determined by jurisdiction.  Only courts with jurisdiction to hear a particular case will be appropriate to do so.

Key Element #3:  Practical Application

So what does all of this mean and why is it important to digital forensic practitioners?  Whether you know it or not, implement this mindset or not or ever see it in practice or not, you may very well become a first-hand participant in the justice system.  Even incident response professionals have the potential to be called as a witness if their investigation leads to criminal charges or a civil action.  As such, we should always begin with the end in mind.  When being assigned or at the intake phase of a case, ask yourself (or your team) some basic questions:


What basic facts does this case deal with?

What elements of the case/incident are relevant to prove or disprove?

Who are the potential bad actors and where are they located?

What best practices need to be put in place to ensure that your investigation is conducted in an appropriate manner for court?

What documentation should you have with regard to your methods, procedures, findings and conclusions AND…

Is that documentation appropriate and acceptable for use in Court?


Beyond those basic front-end questions, there are considerations after you conduct your analysis and come to your conclusions.  The first is how the system moves along.  It is not unlikely that you could be called for a pre-trial hearing to testify about any number of issues such as access to the evidence (pre-examination), irregularities with the evidence or limitations to the analysis of the evidence.  During this testimony, you may be qualified as an expert witness, and if you’ve never been through the qualification process, you’ll want to work with the attorney handling the case to ensure that you’ll have success in that process.  For more details about that process, please check out this recent article.

After any pre-trial hearings are concluded, the attorney(s) handling the case should have lengthy discussions with you about your procedures and findings.  Everything you do in the course of your data acquisition & analysis needs to be defensible and repeatable so that someone with similar qualifications could do what you did and come to the same conclusions.  This is where details matter.



But what matters most -- and what is arguably the most intangible piece to this whole process -- is not just the ability to relay what you did, why you did it and how you came to your conclusions, but to do so in a manner that is understandable to non-technical people.  Lawyers, Clients, Executives, Judges and juries are largely non-technical people.  You will need to possess, hone and refine the ability to explain your findings to them in a manner that they will easily understand.  Bonus points if you can make it interesting!

Wrapping It Up

Some may read this article and wonder what on Earth it has to do with digital forensics?  To paraphrase Steve Whalen of Sumuri, forensics is the application of methods & procedures to come to conclusions that are sound and presentable in a court of law.  That’s what is meant by “begin with the end in mind”.  We all have stories about that one case or the one examiner who did a halfway-job and somehow skates by without anyone calling them out on their sloppy work.  The larger issue is not the one examiner, rather what that examiner represents in our industry.  If we accept that our work product will be lackluster, bare minimum or just plain bad, that will eventually affect all DFIR practitioners.  And none of us wants that!

Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury & plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator, Physical Analyst, Advanced Smartphone Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: www.ProDigital4n6.com 

Pro Digital LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/ 

Tuesday, October 6, 2020

2020 Key Influencers in DFIR

October 6, 2020


2020 Key Influencers in DFIR


One of the things I enjoy most about the field of digital forensics is that it’s a community of people who all generally have one set of goals in mind:  Find the truth, get to the facts, uncover the evidence using tried & true methods and present those findings to an ultimate finder-of-fact, whether it be a corporate CEO, an attorney/client, a prosecutor/judge/jury or whatever the case may be.  We encounter daily challenges in our work and we collaborate relatively well because as the technology evolves, so do our approaches to the various challenges need to evolve. 
 
Like many industries, there are influencers – those who contribute to the profession in ways that go far above-and-beyond typical members of the community, whether it be by sheer volume of notable work, publications, time & effort put forth, etc.  In digital forensics, those influencers may stand out even more because of the exclusive and specialized nature of the work we do and the relatively small community in which we work.  Some are daily contributors while some share their knowledge and experience with a measure of humility or quiet dignity.  I’ve chosen to highlight five such personalities in our industry for this article.  They have not paid me, I don’t know all of them personally and I may never have even spoken to one or more of them, but their contributions to our field are valuable and deserve recognition.  In compiling this list, I attempted to run the DFIR gambit of key computer forensic influencers, mobile device forensic influencers, incident response influencers and those who may influence all of the above and/or a different specialty that is more on the periphery of our industry.  So, at the risk of spawning much heated debate, let’s go!

Key Influencer #1:  Eric Zimmerman

If you don’t know Eric Zimmerman and his contributions to our community, you’re at a decided disadvantage.  A former FBI Special Agent and government forensicator, Eric has been contributing his vast knowledge and expertise to the DFIR community for many years.  I was first introduced to his wealth of knowledge and generosity when he released OS Triage, a free tool for law enforcement examiners to quickly triage and identify evidence on-scene that may (or may not) contain illicit images.  The tool was simple, effective and really useful to those of us who 1) didn’t want to spend time analyzing evidence that wasn’t relevant and 2) had limited physical space in which to store such evidence.  Since then, Eric has developed other free tools such as Shellbags Explorer and Timeline Explorer, all of which most of us have used in one case or another (or a few dozen).  I personally love Shellbags Explorer for, well… Exploring Shellbags!  It does a great job at graphically representing the folders that have been touched by the user to help belay any argument that someone else did it.  Among the offerings on Zimmerman’s Github are Link File Parser, MFT Parser, Volume Shadow Copy Mounter and more.


Now with Kroll, Zimmerman continues to create and share tools with the community that are exceptionally useful in conducting varying types of analysis (oh, and they’re free).  The Kroll Artifact Parser & Extractor (KAPE) is a fast, flexible way to find, extract and analyze artifacts in your case.  Simply put, it’s the next generation of free tools from Zimmerman and it is being used daily to help examiners save time and find the evidence they need.
  
As an X-Ways Forensics user for the past several years, I’ve also found the book X-Ways Forensics Practitioner’s Guide -- which Zimmerman co-wrote with another awesome influencer, Brett Shavers -- to be an invaluable resource.  Sure, I’ve been through the XWF Level 1 & 2 training, but sometimes I don’t remember every single tidbit of the 56 hours or so of those courses, so this book is a super helpful reference guide for both new and experienced XWF users.  I think both Zimmerman and Shavers would tell you that if you’re not using X-Ways Forensics in your PC analysis, you’re wrong :).

I’d also be remiss if I didn’t mention Eric’s participation in the IACIS list serve.  If anyone has a question, Eric frequently chimes in with a pointed, yet helpful response.  Heck, sometimes he even makes me laugh!  We are truly a better community for Eric being a part of it and sharing his vast knowledge, skills & abilities with us all.  

Key Influencer #2:  Heather Mahalik

I’ve never met Eric Zimmerman in person, but I have met Heather Mahalik in person and we’ve had a few email exchanges over the years, including one surrounding this exchange with Shark Mark Cuban.  A former government examiner, Heather now works with mainly with Cellebrite as a consultant and SANS instructing their mobile forensics courses.  A virtual bottomless well of knowledge about mobile device forensics, Heather has also co-written the book Practical Mobile Forensics, which is another must-have in your reference library if you’re going to be conducting analysis on mobile devices.



As far as helpfulness, willingness to share their knowledge, ability to test theories and publish the findings we need to know in the ever-changing landscape of mobile forensics -- and just plain giving back to the community -- I’m not sure any influencer in our industry is as generous as Heather.  Heather’s ongoing blog, Smarter Forensics frequently jumps on the most current issues with testing of new operating systems and/or applications, validating the findings and putting the initial impressions and impact on our industry in a simple, concise, easy-to-understand format (example, see her blog on iOS 14 here).  

Also very active on the IACIS list serve, Heather always seems willing to answer any questions members may pose, particularly with regard to the functionality of Cellebrite and the tool’s ability (or lack thereof) in decoding, parsing, searching, etc.  Anyone who does mobile device analysis can see why Cellebrite hired her – In addition to being a virtual walking encyclopedia of mobile forensic knowledge, she’s a terrific ambassador for the company and vocal proponent of all the great things we can analyze, report and testify upon with regard to mobile device evidence.  She also hosts a regular webinar, discussing current trends in forensics.  She truly gives of herself, her time and her knowledge to help us all out consistently and is clearly passionate about our field.

Key Influencer #3:  Harlan Carvey

Harlan Carvey is sadly another influencer I’ve never met -- which is odd because he lives about a half an hour from me – but I digress.  Harlan has been in the DFIR game virtually since leaving the USMC.  Included in his resume are heavy-hitters like IBM, Nuix, SecureWorks and Crowdstrike, to whom he’s referred me and my clients several times. Harlan is probably best known for his books and his contribution to the community with free/open source tools like RegRipper.  Another walking encyclopedia of incident response knowledge, Harlan has penned the books Windows Forensic Analysis, Investigating Windows Systems, Windows Registry Forensics, Perl Scripting for Windows Security and Digital Forensics With Open Source Tools (to name a few).  Basically, go on Amazon and type in Harlan Carvey.  Correction:  he’s not a walking encyclopedia of Windows Forensics, he wrote the encyclopedia!  



Harlan has also contributed to our community with his free, open source toll, RegRipper, which does exactly that – rips through your (exported) suspect system registry files to present a clear, concise view of the artifacts contained therein.  While many of us don’t, it’s true that you can perform forensic analysis on PC (and Mac) systems with mainly open-source tools and if you’re going to do that, I suggest that RegRipper be one of your main, go-to tools in the toolbox.  It’s a fantastic contribution to our community.  Also on Harlan’s Github are presentations that he’s given and other tools/tips that he has shared for the benefit of everyone.  

Keeping in line with the “giving of self” theme that is a large component of a contributor to our community, I recall reading a proverbial “tip of the hat” about Harlan, which I believe was written by the aforementioned Brett Shavers.  He stated that Harlan never hesitated to answer his questions and give him guidance.  He was always open, willing and gracious (paraphrased).  I have also seen a bit of this from Harlan myself.  He frequently contributes substantively to conversations on LinkedIn and provided some welcomed guidance to me personally with regard to launching into the incident response realm.  Many of our colleagues simply ignore requests or don’t have the desire to take the time.  Harlan is not one of them.  He is thoughtful and generous… And he’s forgotten more about incident response than I’ll probably ever know.  Harlan also wants you to contribute.  He truly recognizes DFIR as a collaborative community, so if you can pitch in to make RegRipper a better tool, Harlan wants to hear from you!

Key Influencer(s) #4:  The Hawk Analytics Team

Ok, I recognize that a for-profit company may come with a bit of an asterisk on this list, but stick with me…
I’ve been acquainted with the folks at Hawk Analytics for several years and have attended their training. In case you’re not familiar, Hawk Analytics makes a tool for cellular records analysis called CellHawk, which helps analysts map and display cellular and other location records. The tool also helps identify known associates by phone number, frequent locations, patterns of usage, incorporates an animated timeline of usage and more.  If you are involved in the analysis and mapping of any records with date, time and GPS coordinates – like records for ankle monitors for sex offenders or those out on bail or parole – CellHawk is a must-have tool.  It’s robust, flexible and keeps improving.


  
But what separates the Hawk Analytics team from others in the industry is their passion and dedication to getting to the facts.  They do not speculate about things which they are either not trained in or the tool isn’t equipped to handle.  Many analysts who are involved in these types of cases erroneously attempt to estimate radio frequency range of cell sites.  This is bad practice without specialized equipment and the team at Hawk Analytics knows this.  Founded by former cellular engineer Mike Melson, Hawk Analytics and their team genuinely have a desire to do good.  Many times behind the scenes, Mike and his team will assist agencies with search & rescue to help find missing and/or endangered persons, despite having families of their own and the obligations of running a company.  Even if you’re not a CellHawk user, their team will be more than willing to discuss quirks or anomalies in your record returns or assist with interpretation based upon their vast experience.  Even though I may do independent CDR analysis for criminal defendants, they’re always willing to help because they are guided by the truth and don’t engage in conjecture or speculation.  

In the spirit of giving to the community, Hawk Analytics also has a free toolbox, which will help you identify the cellular carrier for phone numbers in your case and even compile a preservation letter or search warrant template for you at the click of a button.  Did I mention it’s all free?  Mike and his team truly epitomize professionalism and seek to make a positive difference in their own little corner of the world (i.e., their expertise).  If you value integrity in your vendors, Hawk Analytics is definitely the way to go.

Key Influencer #5:  Larry Daniel

Lastly, in a departure (and perhaps surprise to some), I’d like to give recognition to Larry Daniel of Envista Forensics as being a key influencer in our field.  Having transitioned from law enforcement to the private sector, I have known Larry both in my former life and my current one.  Some of you may not know Larry while some of you may have gone up against him in court.  To be clear, Larry and his company are essentially business competitors of ours, but that’s sort of like saying your local corner convenience store is a competitor with WalMart, as Envista is a much larger operation than Pro Digital and they conduct all manner of forensic analysis, not just digital forensics.  Regardless, I’ve come to know Larry as a savvy businessman and a very knowledgeable and formidable forensic and cellular records analyst.  I respect Larry not only for his business acumen, but for his tenacity.  Larry didn’t have the advantage of the government or a huge corporation sending him through digital forensic training – he did it all himself and learned it from the ground up.  He is, as his son and co-worker described to me once – a “serial entrepreneur”, but one that has had a great deal of success in the private sector side of our industry.  
 


Larry founded and grew Guardian Digital Forensics in Raleigh, NC and several years ago sold the company to Envista Forensics and took over as Principal Consultant of their digital practice.  Since diving head-first into the DFIR pool, Larry has published numerous articles, presented at EnFuse and multiple litigator’s conferences and authored two booksDigital Forensics For Legal Professionals and Cell Phone Location Evidence for Legal Professionals.  These books are fairly basic, but in writing them, Larry tapped into a previously uneducated audience that was severely lacking in knowledge about digital forensics and cellular analysis – criminal and civil litigators and paralegals.   I think it’s safe to say that Larry has written the book(s) on digital forensics for the private sector legal professional.

Practitioners like Larry make everyone better.  They challenge us to cover all the digital bases and make sure we know the evidence when so much is at stake, whether it be child custody, a large sum of money or someone’s freedom.  Quiet professionals like Larry are no different from the quiet professionals that work in DFIR roles in law enforcement, for government contractors and big corporations.  We all strive to get to the truth, analyzing the available evidence and utilizing our training, experience and wisdom.  

Wrapping It Up

This list of DFIR influencers isn’t all-encompassing.  For every person on this list, there are probably hundreds behind the scenes working hard to prove or disprove the incident or allegation.  We all know there are blowhards and charlatans in every industry and digital forensics is no exception.  But by the contributions of the people on this list, we are all benefitted.  It’s my hope that one day, someone can point to an article or a book that I’ve written or a major case that I’ve worked and say that I’ve contributed to the community in a positive way.  Even though all of the people on this list are still active practitioners, their legacy in our field is already carved out.  

It’s my hope that this list will continue to evolve over the next year (and beyond) and we can re-visit and tip our hats to five (or so) more influencers that make our industry great and help make us all better at what we do.  Thanks to everyone on this list for all that you do to help us improve and grow… and keep up the great work!

Author: 
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC 
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!

We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Web: www.ProDigital4n6.com
Pro Digital LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc
Patrick Siewert LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  





Monday, September 14, 2020

Digital Forensics: Adding Value To Title IX (Title 9) Cases

September 14, 2020

Digital Forensics: Adding Value To Title IX (Title 9) Cases


For the past several years, there have been multiple business articles stating how the private sector digital forensics industry will be growing exponentially in the near future.  This is partially due to increased data breaches, increased civil litigation filings where data is at issue and increased electronically-facilitated criminal activity.  One area where we are seeing a decided uptick in the need for forensic data acquisition, analysis, consulting & expert testimony services is Title IX cases, which occur largely on college campuses.  According to Harvard University:

Title IX is a US federal civil rights law passed as part of the Education Amendments of 1972. This law protects people from discrimination based on sex in education programs or activities that receive Federal financial assistance.
Title IX states that:
‘No person in the United States shall, on the basis of sex, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any education program or activity receiving Federal financial assistance.’”



Since it’s initial passing, Title IX has grown to include claims involving sexual harassment, discrimination and sexual violence.  The odd procedural issues with Title IX claims are that they may be made personally or anonymously, may or may not lead to a formal administrative charge against the accused and the accused may or may not even know the claim was ever made about them until long after the claim has been filed and/or adjudicated.  This can lead to problematic issues surrounding due process, rights to face one’s accuser and false claims made against the accused.  Further, if the accused graduates college and submits to any type of background investigation for employment, the presence of the claim on their formal educational record will likely cause expulsion from the hiring process.  Because of all of these controversial factors, recent years have also seen Title IX civil litigation blossoming into another area where justice may be sought by either the accuser or the accused.

Digital Forensics In Title IX Cases

Because Title IX claims deal mainly with college-aged claimants and accused persons, who undoubtedly use their mobile devices to a high level, the likelihood of having data in some form that may show extensive contact between the parties and serve to add value to the case is fairly high.  Whether the data is stored on a mobile device via chat or texting apps, pictures, call history, voice recordings, web history and/or email, the appropriate forensic acquisition of this data is of paramount importance to identifying the circumstances surrounding the alleged event.  Title IX cases are legal proceedings, however there may be no law enforcement investigation and the proceedings may not have a judge or attorneys present, which can put one or both sides of the matter at a procedural disadvantage.  However, the accusation and disposition of the proceedings have a long-lasting effect on the accused and/or the claimant.  Because the outcomes of these proceedings are essentially permanent and potentially impactful for a lifetime, the use of screen shots or tools with which the mobile device’s data can be easily altered prior to presentation to document contact between the parties involved is highly discouraged, as discussed in our recent article here



Another area that should not be overlooked in Title IX claims is data that may reside on one or both party’s computer systems.  While it’s a digital evolutionary fact that much of modern class and professional work can be conducted on mobile devices, many mobile devices are still not ideal for composition of long-form text such as research papers, lengthy emails and files or documents with larger data sets.  Email exchanges between the accused and the claimant as well as synced text message contact (iMessage, WhatsApp, etc.) over desktop applications could also be vital evidence in the Title IX claim, some of which may not be present or available via forensic data acquisition from the mobile device. Additionally, it’s very likely that the mobile device in use by either party has been charged and/or synced by the computer system at some point in the recent past.  Depending on a number of different parameters, this may lead to a backup of the mobile device data being created, which can then be acquired, analyzed as if it were the mobile device itself and used as evidence in Title IX proceedings.  While the Rules of Evidence or Civil Procedure may not be an overwhelming consideration in Title IX cases, the potential that evidence may be used in later formal courtroom litigation dictates that the evidence used in the administrative proceedings should be acquired and analyzed in a forensically sound manner.

Conclusions

Title IX cases present a host of challenges for virtually all parties involved.  As with all formal proceedings, the truth of the matter can ultimately boil down to the evidence, and particularly the strength of that evidence.  Because so much can be at stake with regard to the future of both the claimant and the accused, the appropriate documentation and forensic acquisition and presentation of data in the case is vital to proving or disproving the claim.  People increasingly live their lives on their devices, whether it be a mobile device (phone, tablet) or a computer or a combination within the various data storage ecosystem.  The good (and sometimes bad) thing about this ubiquitous connection to electronic devices is that they document nearly everything for us.  This becomes evidence in many legal and administrative proceedings, but the “devil in the details” can ultimately rest on the proper handling, acquisition, analysis and presentation of the data involved in the case.  When someone’s future is at stake, why risk presenting bad, unverifiable or lacking evidence?

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Patrick Siewert LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Monday, June 1, 2020

Beyond Location Data In Cellular Records Analysis


June 1, 2020

Beyond Location Data In Cellular Records Analysis

For reasons I’m not sure I can put a firm grasp on, there still seems to be a debate over the value of cellular call detail records and their strength in being able to prove or disprove location in litigation.  Clearly the location data is generally what is sought after the most, because it carries weight with regard to a particular incident and/or time frame at the heart of the dispute.  However, some still try to debunk this data as “junk science”.  The reasoning for this is a great topic for another article, and is touched upon in our previous article entitled Three Reasons Why Call Detail Records Analysis Is Not “Junk Science”.  However, there’s much more to the cellular records than location data, or at least much more that is ancillary to location data.  This deeper level of analysis can further lend validity to the records themselves and any conclusions drawn from their analysis, location or otherwise.



Dataset #1:  Link Analysis

Along with location data, properly obtained cellular records also tell us a great deal about who our target is talking to, when they are talking and how often.  This is most commonly referred to as link analysis, but effective analysis of these records goes beyond that.  For instance, target is suspected of marital infidelity with a married woman.  The call detail records (CDR) show he calls and texts the married woman several dozen times a day.  A private investigator tracking the married woman spots the two of them together on a particular date and time.  What is likely to happen?  They’ll stop calling or texting each other during that time because they’re in the same location.  In another example, suspect #1 is arrested and charged with robbery.  His defense team has information that he was NOT the only one involved in the robbery, and perhaps was not the primary involved in the robbery.  Analyzing who the suspect called and texted the most leading up to the robbery and afterward can be of great value in determining whom an accomplice may have been.  Usually what we see with link analysis is the people will call and text their loved ones the most – husbands/wives, parents, best friends, etc.  This all goes to show a pattern of usage and helps identify who they talk to the most and potentially, their activity with regard to those people as well.

Dataset #2:  Usage Patterns

Often in conversations with litigators about analysis of these records, we get asked “what if they turned their phone off?” or “What if he simply left his phone at home or at work?” during the time of interest.  All valid questions!  The issue becomes, what can we tell is likely during the time frame of interest in relation to other usage patterns.  If a cheating husband is meeting his paramour in a hotel during his lunch hour once or twice a week and he leaves his cell phone at the office, we’ll be able to tell from looking at 1) the usage patterns from when he is not with his paramour and 2) a pattern of missed calls and/or texts for the period of time he was separated from his phone.  Let’s also not overlook that he may have had a flurry of text messages or calls with the paramour leading up to this activity.  There are very interesting and often very valuable items we can tell by looking at the record, such as: 

·      If the phone rang and went to voicemail
·      If the phone was turned off and calls when directly to voicemail
·      If calls were received and unanswered in succession for a period of time (and later returned)
·      If text messages were received and  unanswered for a period of time (and later returned)
·      Whether any of this activity is normal, as compared to other activity for time frames outside of the time frame of interest

People are creatures of habit.  By analyzing the usage patterns in the records, we can see what their habits are in relation to the use of their device.  This is the single biggest reason we advise all litigators who wish to use these records to obtain at least 30 days of records on either end of the incident in question.  The more data, the better.  Usage patterns are of great value when conducting this analysis.



Dataset #3:  Where They Lay Their Head

Much of usage analysis mentioned previously has little or nothing to do with location.  One area that has to do with location, although not necessarily during the time frame of the alleged incident(s), is where your target lays their head.  As stated earlier, people are creatures of habit.  Their phones are with them virtually all the time.  So even outside of the time frame of the incident, we can likely tell where that person is staying at night.  By in large, during late night and early morning hours, we see the mobile device stationary, only using one sector of one cell site for an extended period.  This information in the records tells us likely where they lay their head.  By filtering down to late night & early morning hours, we can also see if they have more than one place where they may stay at night.  This typically generates a “hot list” of cell sites that are used most often, and this is also included in any reports we generate.  It’s relevant insofar as it shows the finder of fact or opposing counsel that where their stated address is may not be where they stay.  It could also provide additional information for follow-up if the house and likely person with whom they are staying can be determined.  It’s a fantastic piece of evidentiary data!

Wrapping It Up

As illustrated briefly here, there’s more to cellular call detail records analysis than simple location.  These points also further prove that the proper and effective analysis of this data is not “junk science”, rather there may be a contingent of analysts who simply don’t have the ability or desire to perform this type of higher-level analysis in their cases.  Ignorance of the power and effective use of the data does not make the data invalid.  By looking deeper into the data, we can start to sort out what may help to prove or disprove the claims in the case.  It could also help shed light upon or validate who else may be involved in the matter, whether previously known or not.  The ability to analyze behavior patterns in the record cannot be over-stated either.  At the heart of any digital forensic practice is a person, whether it is behind the keyboard, phone screen or a cellular subscriber.  People behave in patterns.  Your analyst should be able to identify those patterns and determine whether or not they are of relevance in your case.  Happy hunting!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com

Wednesday, May 13, 2020

So You Want To Start A Digital Forensic Business


May 13, 2020

So You Want To Start A Digital Forensic Business

Pro Digital Forensic Consulting is about to embark on it’s 7th year in full-time operation.  It’s hard to believe that when I made the decision to transition from law enforcement to the private sector, my little company would have come this far, servicing hundreds of clients through the years.  Because of my background and the contact I have with the DF community via this blog and professional associations, I usually receive inquiries about starting up a digital forensic consultancy/business several times a year.  In fact, I got another one just the other day via Linked In.  And with the current state-of-affairs (Covid-19 shut down) and people’s livelihoods being somewhat in question, it seems natural that some might consider taking on a new venture.  So, in the spirit of answering some of the frequently asked questions about what to expect if and when someone starts a digital forensic business, it seems a good idea to write down my thoughts and experience for future similar inquiries.  To be clear, I could (and may) write a book about this topic, but this blog is fairly well-established, so it seems the appropriate vehicle for sharing these lessons learned.  As a slight disclaimer, this article and the tips to follow are geared mainly toward sole-proprietor and small consulting firms.  I’m pretty sure Kroll and KPMG have this figured out J.



Tip #1:  Have A Supplemental Income Plan

Virtually no business starts off day 1 churning revenue and making a profit.  When Pro Digital was launched full-time in June of 2014, we billed a whopping $7,800 for the from that point to the end of 2014.  It would have been much less were it not for one large computer forensic case which accounted for nearly 85% of the billings for 2014.  Alongside the work that went into opening a business, I was also fortunate to have some things to fall back on personally, such as part-time and/or contract work, some of which had nothing to do with forensics.  The take-away here is that it’s important to have a supplemental income source that you can use to help keep your newly-formed lights on while the business is growing and you’re working on creating awareness and “buzz” for the business.  The downside is the marketing and awareness campaigns for your new shingle are a full-time business in themselves, so it can be double the work.  I’ll touch on marketing more in Tip #6.

Tip #2:  Keep Abreast of Trends

Most of my notable work in law enforcement was working for a full-service agency on the Internet Crimes Against Children (ICAC) Task Force.  Accordingly, all of my training and equipment was paid for by grants and other funding.  My last year in law enforcement was in an administrative role for a small campus police department, which had no use for any digital forensic expertise, so the skill sets that I’d worked on for the previous 5+ years sat on a shelf and collected dust.  When the business was launched full-time, I quickly realized how much things had evolved, changed and blown past me for the year I was not doing forensics.  This is a field driven by current events and evolving technology.  Try explaining the differences between and HFS+ and APFS file systems to someone who hasn’t been doing Mac forensics for a year or more.  It’s a vast change and the changes don’t stop.  I was amazed at how much I’d forgotten in that year and the learning curve was much steeper than I would have liked.  It’s imperative to keep up to date with the field.  Blogs, webinars, free training, list serves and colleagues are all great resources to keep current with what’s going on in the world of digital forensics. 

Tip #3:  Invest In GOOD Tools & Equipment

The start-up investment capital for Pro Digital was not a lot of money and was all self-funded.  Accordingly, I did some research on tools and cost/benefit analysis on the investment in those tools and/or training.  Initially, I purchased tools and equipment that wouldn’t break the bank and would get the job done.  It wasn’t long before I realized that certain things will save me time and therefore, money.  Along with that, it’s hard to work cases using tools no one has ever heard of before, particularly when the more tech-savvy attorneys with whom I work know the difference between one tool and another.  Some of these tools I still use.  Some of the software companies have basically gone belly-up and some I’ve gotten rid of over the years for one reason or another.  Additionally, some tools have been purchased for case-specific needs.  But the point remains that you need to invest in these things as if you were working a case for a loved-one.  Would you want the analyst on your father’s case using sub-par tools that no one really uses?  Probably not.  Spend the money and get the good stuff.  You’ll make your money back many times over.  The adage is true, you have to spend money to make money.

Tip #4:  Be Picky About Your Clients

When you’re hungry, everything looks like filet mignon.  The problem is, if you eat everything you’re “fed”, you’ll have a host of side-effects that will be hard to manage.  We used to work any and all cases that caused the phone to ring.  The most notable and frequent of these are the “I’ve been hacked” cases.  It is an unfortunate truth that there are many mentally ill people in the world and the internet gives them free reign to research to their hearts content and contact those whom they feel may be able to assist them in whatever issues they believe they are having, many of them tech-related.  But these cases are a forensic and business quagmire.  If you’re fortunate enough to get a client who will actually pay for your services, they will never be happy with the results.  This could eventually have an adverse effect on your professional reputation as well.  This is a reputation and referral-based business, so if you have clients that are in a position to ruin your reputation or malign you publicly, you will likely see fewer referrals over time. 

As a matter of policy, Pro Digital has transitioned to a purely litigation support model.  If you are not actively involved in litigation or a representative of a corporation that needs digital forensic services, we likely will not take your case.  If you’ve hired a PI to work your case, we may take it as a referral from a trusted source.  We don’t need anybody’s money *that* badly to work a case for someone who is obviously suffering from some form of mental illness or someone who wants to spy on their spouse to dig up enough dirt to file for divorce.  This is an ethical decision, but can also lead to legal issues if you’re not careful, i.e., theft of property, theft of data, unauthorized access to personal information, etc..  Also consider that if you are the digital forensic equivalent of an ambulance chaser, eventually you’ll devalue these services for everyone, including yourself.  Be picky.  It’s worth it.  You’ll get the clients you want and you’ll preserve your professional reputation, this much I know and have seen first-hand.  The big take-away here is always ensure you have written consent from the owner and/or an order from the court to access whatever you’re acquiring and analyzing.

Tip #5:  YOU Are Your Brand

Digital Forensics is a small community.  Whether you are in law enforcement, have transitioned out of law enforcement or have branched into digital forensics as an arm of your IT or infosec training, we generally know each other and recognize names and faces.  We also recognize when someone is either a charlatan or is pushing an obvious agenda to try and attract clients.  Everything you put out for public consumption (including blog articles) is subject to scrutiny, whether it be by the DF community, potential attorney-clients, opposing counsel, referral sources and/or other professional contacts.  If you have an opinion about something, make sure you’re on solid footing before getting into public discourse about it.  Take this recent example from a public post on Linked In from a professional contact (name and ID redacted):



I’ve worked many independent analysis cases for criminal defense attorneys and have been appointed by the court dozens of times.  I don’t know what this person is referring to, nor do I agree with their approach to putting this comment out publicly.  Business is relationships and everything that you put in writing can come back to haunt you.  I’ve received more referrals from my former law enforcement colleagues than I can remember over the years.  Do you know why?  Because I don’t take a public stand with an obvious agenda which maligns professionals.  Not only would I never call out the law enforcement community as essentially being crooked and/or liars, I don’t believe that they are because I haven’t seen it in my 7 years working full time in the private sector.  I have seen errors.  I have seen mistakes.  I have seen over-zealous investigators.  But I have not seen liars. There’s also nothing “science” about this post.  It’s an opinion and it’s part of an agenda to market specifically toward the criminal defense bar.

The reality of our industry is that the majority of who it serves is law enforcement and government, including government contractors.  The government is generally not on the cutting edge of anything, but they’ve certainly been on the cutting edge of digital forensics.  Can private practitioners access tools like Gray Key?  No.  But I have almost never had a need for Gray Key.  Why is that?  Refer back to tip #4.  I virtually always get a pass code and any necessary passwords either by consent or court order.  The only exception to this has been when the owner doesn’t remember the password, usually on an older device.  And to be clear, about 70% of the cases we work deal with mobile devices.

When in business, it may be beneficial to remember the wise words of Michael Jordan, who still has his own shoe brand, despite being out of basketball for over 15 years.  When asked at a press conference why he stays out of politics, his reply was simple:  “Both Republicans and Democrats buy shoes!”  Discretion is the better part of valor.

As a final point to this tip, I was in a discussion with a colleague in law enforcement recently while at a conference.  They said to me very confidently “The customer is always right, so you have to do what the client says no matter what!”  My reply:  “No I don’t!”  What’s the point?  Your professional integrity and reputation is your most valuable asset in this business.  Lose it and you’re done.  We will not alter any facts or data in any report or testimony to counsel or their clients, period.  I’m sorry if the data doesn’t support your case.  The data stands on its own and is irrefutable.  Truth is not fungible.

Tip #6:  Market Yourself (Because No One Else Will)

When I was a member of the ICAC Task Force, I was a fairly big fish in a pretty small pond.  The agency for whom I worked had less than 60 sworn officers and was in a rural area.  I did all of the tech-based investigation, search warrant planning & execution, evidence collection and as time progressed and casework grew, the forensic analysis.  And because many of these cases garnered a lot of public interest, the command staff frequently put me as the media relations person with these cases.  I never liked it.  As a cop, I considered myself a modest personality.  Others nominated me for awards and I was never comfortable in the spotlight.  When I launched the business, I quickly realized all of that had to change.

Because I had media contacts already in place, I offered my knowledge and experience as a local media resource for tech-related stories.  For a while, I was getting multiple calls every week from local media.  Because I had a lot of time (i.e., no clients) in the beginning, I also churned out blog articles virtually once a week.  I issued self-written press releases and worked hard on SEO for the company’s website.  I also began sponsoring several associations for litigators in my area because, as previously noted, this is a referral-based business.  In short, I had to become my own cheerleader because no one else was going to do it.  Furthermore, I learned VERY quickly that just having a good professional reputation and a business does not make the phone ring.  If you build it, they will not come – at least not like they did in Field Of Dreams.

If you want the business, you have to go get it.  And you have to keep on going out there to get it.  The minute you lapse on marketing, the phone will stop ringing.  This is why I’m constantly trying to add fresh content to the Pro Digital website.  Having a website is great.  Paying for Google ads is fine, but content is key.  I had to learn this and be taught what works and what doesn’t over time.  And I still make mistakes and spend money where I probably shouldn’t, but no one gave me a blueprint for running this business.  Tips, advice, counsel & support?  Yes.  But this is such a niche business, it requires a special marketing skill set.  If you don’t have it, you will likely fail.  This is the biggest area I think many ex-law enforcement are not comfortable with and probably what turns many of them off to launching their own business.  Quiet professionals don’t normally like the public spotlight.

Wrapping It Up

Some may read this article and wonder why on earth I would tell potential competitors how to run a successful digital forensic business?  One last tip I’ve learned over the years:  There’s plenty of work to go around.  I find it silly that a competitor of mine seemingly reported the Pro Digital Twitter as “spam”, which caused Twitter to shut it down.  I don’t want their clients.  I have my own and I am fortunate to bring on new ones every month.  If any of these tips can help someone be successful, I’m happy to share what I’ve learned.  No one taught me these things when I started out.  Hopefully by sharing some of these tips, I can pay it forward to the next old cop who wants to try his hand at something new(ish).  Until then, I’m off to work the next case and hopefully clear out my backlog queue.  Good luck!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com