Saturday, June 1, 2019

Four Tips for Effective Forensic Report Writing




Digital forensics is a complicated field.  As mentioned in previous articles, much of what we do as forensic practitioners is break down very complicated and technical matters into basic concepts that the stakeholders in our cases can easily understand.  In fact, if you ever take any of the Mac forensics courses taught by Sumuri, instructor Steve Whalen starts out by asking “what is digital forensics?”  You’d be astonished how many digital forensic practitioners in the room cannot answer the question.  Is this because they never (or rarely) have to present their findings in court?  Perhaps.  But even before a case gets to court, there has to be effective documentation of the steps undertaken to reach the findings and conclusions.  Without that documentation, it is very hard to justify or affirm the conclusions.

Recently, we worked a criminal defense case where the law enforcement digital forensic examiner’s report was frankly abysmal.  This is not good for law enforcement, public safety or the digital forensic community overall.  We will not call out the examiner or his agency; that would be unprofessional.  But in this article, we’ll relay some steps that can help make your forensic reports much more effective.  Whether the case is a criminal defense matter or a civil litigation domestic dispute, the report is your voice as an examiner and analyst, and it’s extremely difficult, if not impossible, to do a “take-back”.  After all, when people’s lives and/or livelihoods are on the line, don’t we all owe it to everyone involved to be thorough and accurate?


Tip # 1:  Know the Different Types of Reports

This seems basic, but it is often confused by examiners, Counsel, judges and juries.  When explaining the different types of reports, we generally break it down like this:  there is the examiner’s narrative of the steps he took, with a summary of the evidence and any conclusions.  This is the “summary report” (or narrative report).  The summary report refers to the forensic reports, which are generated by whichever forensic tools you used in the case.  As most anyone who has been doing digital forensics for a while will attest, some forensic reports can be hundreds or thousands of pages long, depending on the type of case, the number of items analyzed, the amount of data and other factors.

Furthermore, the distinction between the two reports must be clear.  When we receive a narrative with no heading, no dates, no details about basic case items and no real format to it, it is automatically confusing, even more so when this type of “report” is not accompanied by any forensic report generated by a forensic tool.  We have to be clear and concise.  Confusion is the enemy in digital forensics.  Some may use it as a tactic to overload or misdirect the opposing party, but that too is unprofessional.  If your methods and findings are solid, why should there be any need to purposely confuse, confound or misdirect the other side?

Tip # 2:  Be Accurate

In the case mentioned above, we received a narrative that didn’t document basic facts about the system in question and the tool(s) used to examine it.  These include:

·      Pictures of the examined item
·      Verification of system time
·      Operating system in use on the item
·      Version of forensic tool used to conduct the analysis
·      Detailed methods used for creating the forensic image

The last point proved to be rather important.  The forensic image of the Mac system was created in the .E01 format.  Normally, .E01 images are segmented into parts during the imaging process; this one was not.  It was a single 265 GB .E01 file.  That was odd but, in and of itself, not a big deal.  However, when we hashed the .E01 image that was provided, the hashes did not match the hash values in the log generated during the imaging process.  We still have no explanation for this, but data was missing, and very important data at that.  One of the most frustrating things as an examiner is to have questions like this and no answers.  They can be huge or they can be inconsequential.  The problem is, we just don’t know, because there is no accurate documentation.
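The check that the imaging log is supposed to let anyone repeat is hash verification.  The script below is an added example, not from the original article or from any particular forensic tool: it re-hashes a split raw (dd-style) image by reading its segments in order as one byte stream and compares the result with the values recorded in an acquisition log.  The segment names, the log layout the regular expression expects and the sample data are all constructed for this illustration.  One caveat for .E01 specifically: the hash an imager records is computed over the decompressed source data, not over the .E01 container file, so an EWF image must be verified with a tool that understands the format (for example ewfverify from libewf) rather than by hashing the container file itself.

```python
"""Re-hash a split raw image and compare with the acquisition log (added example)."""
import hashlib
import os
import re
import tempfile

# Constructed acquisition log.  The layout (one "checksum:" line per algorithm) is an
# assumption for this illustration; adapt parse_log_hashes() to the imager actually used.
SAMPLE_LOG = """\
Acquisition log (constructed sample, not from any real case)
Image type: raw, split into evidence.001 and evidence.002
[Computed Hashes]
 MD5 checksum:    900150983cd24fb0d6963f7d28e17f72
 SHA1 checksum:   a9993e364706816aba3e25717850c26c9cd0d89d
"""


def hash_segments(segment_paths, algorithms=("md5", "sha1"), chunk_size=1 << 20):
    """Hash the image as one byte stream, reading the segments in the order given.

    Segment order matters: evidence.001, evidence.002, ... must be fed in sequence or
    the result is meaningless.  Returns hex digests plus the total byte count.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    total = 0
    for path in segment_paths:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(chunk_size), b""):
                total += len(chunk)
                for hasher in hashers.values():
                    hasher.update(chunk)
    result = {name: hasher.hexdigest() for name, hasher in hashers.items()}
    result["bytes"] = total
    return result


def parse_log_hashes(log_text):
    """Extract algorithm -> hex digest pairs from the log text."""
    pattern = re.compile(r"^\s*(MD5|SHA1|SHA256)\s*(?:checksum|hash)?\s*:\s*([0-9a-fA-F]+)\s*$",
                         re.IGNORECASE | re.MULTILINE)
    return {m.group(1).lower(): m.group(2).lower() for m in pattern.finditer(log_text)}


def compare(computed, logged):
    """Return a list of discrepancies; an empty list means every logged hash was reproduced."""
    problems = []
    if not logged:
        problems.append("no hash values found in log; nothing to verify against")
    for name, expected in logged.items():
        actual = computed.get(name)
        if actual is None:
            problems.append(f"{name}: recorded in log but not computed")
        elif actual != expected:
            problems.append(f"{name}: log {expected} != computed {actual}")
    return problems


def _write_segments(directory, stem, parts):
    """Write constructed segment files stem.001, stem.002, ... and return their paths."""
    paths = []
    for number, data in enumerate(parts, start=1):
        path = os.path.join(directory, f"{stem}.{number:03d}")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def demo():
    """Constructed walk-through: the 3-byte image b"abc" split into two segments, then the
    same image with its last segment short by one byte, which is what missing data looks
    like to the verifier.  Returns the discrepancy list for each case."""
    logged = parse_log_hashes(SAMPLE_LOG)
    with tempfile.TemporaryDirectory() as tmp:
        intact = _write_segments(tmp, "evidence", [b"a", b"bc"])
        short = _write_segments(tmp, "short", [b"a", b"b"])
        return {
            "intact": compare(hash_segments(intact), logged),
            "short": compare(hash_segments(short), logged),
        }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "verified OK" if not problems else "; ".join(problems))
```

Run stand-alone, the intact image verifies and the short one reports both digests as mismatched.  A mismatch tells you something is wrong but not what; the imaging log is what should answer that, which is why the method used to create the image belongs in the report.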

In the narrative/summary report, it was stated that no activity was present on the system for the date in question (paraphrased), and therefore the system must have been wiped by CCleaner (more on that below).  However, a timeline analysis of the system indicated there was a great deal of activity on the date in question.  At trial, the law enforcement examiner’s testimony was updated to say that “no files were created” on the system on that date, not that there was no activity.  There’s a big difference.  Accuracy is important!
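The gap between “no activity” and “no files were created” is exactly what a timeline exposes.  The script below is an added example, not from the original article or from any named tool: it reads Sleuth Kit body-file lines (the pipe-separated format produced by fls and consumed by mactime) and summarizes, per day, which files were accessed, modified, changed or created, so the two claims can be answered separately.  The file names and timestamps are constructed for the illustration.  Body-file timestamps are Unix epoch seconds, so which calendar day an event falls on depends on the time zone you bin in; that zone belongs in the report alongside the system time verification listed above.

```python
"""Per-day activity summary from a Sleuth Kit body file (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed body-file lines in the TSK 3.x format
#   MD5|name|inode|mode_as_string|UID|GID|size|atime|mtime|ctime|crtime
# with timestamps as Unix epoch seconds (UTC).  Illustrative only, not from any real case.
SAMPLE_BODYFILE = """\
0|/Users/demo/Documents/notes.txt|1001|r/rrw-r--r--|501|20|2048|1556798400|1556798400|1556798400|1554400000
0|/Users/demo/Library/Preferences/com.example.plist|1002|r/rrw-------|501|20|512|1556805600|1556805600|1556805600|1554500000
0|/Users/demo/Downloads/archive.zip|1003|r/rrw-r--r--|501|20|99999|1556812800|1554600000|1554600000|1554600000
0|/Users/demo/Desktop/report.docx|1004|r/rrw-r--r--|501|20|40960|1556900000|1556900000|1556900000|1556900000
"""

TIMESTAMP_KINDS = ("atime", "mtime", "ctime", "crtime")


def parse_bodyfile(text):
    """Parse body-file lines into records with integer timestamps.  Malformed lines raise
    rather than being skipped silently, so a damaged export is noticed, not papered over."""
    records = []
    for number, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split("|")
        if len(fields) != 11:
            raise ValueError(f"line {number}: expected 11 fields, got {len(fields)}")
        record = {"name": fields[1], "size": int(fields[6])}
        for kind, value in zip(TIMESTAMP_KINDS, fields[7:11]):
            record[kind] = int(value)
        records.append(record)
    return records


def day_of(epoch, tz=timezone.utc):
    """Calendar day for an epoch timestamp.  The day boundary depends on tz, so state the
    zone used in the report; it should match the verified system time of the evidence."""
    return datetime.fromtimestamp(epoch, tz=tz).date().isoformat()


def activity_by_day(records, tz=timezone.utc):
    """day -> timestamp kind -> set of file names.  A zero timestamp means 'unknown' in a
    body file and is not counted as activity."""
    summary = defaultdict(lambda: defaultdict(set))
    for record in records:
        for kind in TIMESTAMP_KINDS:
            if record[kind] > 0:
                summary[day_of(record[kind], tz)][kind].add(record["name"])
    return summary


def describe_day(summary, day):
    """Return (files created that day, files with any timestamp that day), so that
    'no files were created' and 'no activity' are answered as the separate questions they are."""
    kinds = summary.get(day, {})
    created = set(kinds.get("crtime", set()))
    touched = set()
    for names in kinds.values():
        touched |= names
    return created, touched


if __name__ == "__main__":
    timeline = activity_by_day(parse_bodyfile(SAMPLE_BODYFILE))
    for day in sorted(timeline):
        created, touched = describe_day(timeline, day)
        print(f"{day}: {len(created)} file(s) created, {len(touched)} file(s) with activity")
```

In the constructed data, 2019-05-02 has no file creations at all but three files with access or modification activity; a report that says “no activity” for that day is wrong, while “no files were created” is accurate.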



Tip # 3:  Be Thorough

In the cited case, the police had allegedly downloaded illicit images from the defendant, but no such images were found anywhere on the computer system.  That in itself is intriguing from a forensic perspective, and we were eager to see what the evidence showed.  One of our steps was to conduct a keyword search for unique items in the file name of the main image charged (there were only two downloads, neither of which was on the system).  We found several hits in a database for “PTHC”, a term that frequently appears in the file names of illicit images and that was in the file name of the main charged image.  We documented this for Counsel and were prepared to testify about it (despite the fact it did not help the defendant).

The law enforcement examiner also conducted a keyword search for the same term, and the forensic report (which we obtained 2 days before trial, also unprofessional) simply stated “5 hits in 5 files”.  No additional detail about what the hits were or where they were found was contained in either the summary/narrative report or the forensic report.  Did they find the same things we found?  Did they even look beyond the hits?  Did they index the system prior to conducting the keyword search?  To be clear, we received dozens of hits for that string of letters after indexing and conducting our search, but as often happens, the false positives needed to be checked and weeded out and the relevant ones documented.

The point of all this is that we had no idea what we were dealing with in regard to the “5 hits in 5 files”.  Further, the validation of these hits was left outstanding.  We found 5 keyword hits, but they were in 2 files, not 5.  The work was half done, or at least half documented.
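What the report needed behind the “5 hits in 5 files” line was the list of hits themselves.  The script below is an added example, not from the original article or from any forensic suite: it searches files for a keyword in both ASCII and UTF-16LE (many Windows and database artifacts store text as UTF-16LE, where a plain ASCII search finds nothing), records every hit with its file, byte offset, encoding and surrounding context so it can be validated and cited, and then produces the hits-versus-files totals.  The sample files and their contents are constructed; the keyword is the one from the case.  It searches only the logical content of the files it is given; whether unallocated space was searched and whether the evidence was indexed first are separate steps that the report should state as well.

```python
"""Keyword search that records each hit with the detail a report needs (added example)."""
import os
import re
import tempfile
from collections import Counter


def search_file(path, keyword, context=16):
    """Return every case-insensitive hit for keyword in one file, in ASCII and UTF-16LE.

    Each hit carries the byte offset, the encoding it was found in and a printable
    snippet of surrounding bytes, so the analyst can validate it and the report can cite it.
    """
    with open(path, "rb") as fh:
        data = fh.read()
    patterns = {
        "ascii": re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE),
    }
    hits = []
    for encoding, pattern in patterns.items():
        for match in pattern.finditer(data):
            start, end = match.span()
            lo = max(0, start - context)
            hi = min(len(data), end + context)
            if encoding == "utf-16le":
                lo += (start - lo) % 2          # stay on a 16-bit code-unit boundary
                text = data[lo:hi].decode("utf-16-le", errors="replace")
            else:
                text = data[lo:hi].decode("latin-1")
            hits.append({
                "file": path,
                "offset": start,
                "encoding": encoding,
                "context": "".join(ch if ch.isprintable() else "." for ch in text),
            })
    return hits


def search_files(paths, keyword):
    hits = []
    for path in paths:
        hits.extend(search_file(path, keyword))
    return hits


def summarize(hits):
    """The headline 'N hits in M files' plus the per-file breakdown that the headline hides."""
    per_file = Counter(hit["file"] for hit in hits)
    return {"hits": len(hits), "files": len(per_file), "per_file": dict(per_file)}


def _write(directory, contents):
    """Write constructed sample files and return their paths."""
    paths = []
    for name, data in contents.items():
        path = os.path.join(directory, name)
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


def demo():
    """Constructed sample set: three files, five hits in two of them, one hit in UTF-16LE.
    The 'session=...' hit is the kind of false positive that still has to be examined and
    weeded out by hand rather than silently dropped from the count."""
    with tempfile.TemporaryDirectory() as tmp:
        paths = _write(tmp, {
            "browser_history.db": (
                b"url=https://example.invalid/img/pthc_01.jpg|visit=2019-04-30\n"
                b"download=PTHC_album.zip|state=complete\n"
                + "title=holiday pthc set\n".encode("utf-16-le")
            ),
            "tokens.log": b"session=xJ9pthcQ2mLa\nfile=photo_PTHC_2.png\n",
            "clean.bin": bytes(range(256)),
        })
        hits = search_files(paths, "pthc")
    return hits, summarize(hits)


if __name__ == "__main__":
    found, totals = demo()
    print(f"{totals['hits']} hits in {totals['files']} files")
    for hit in found:
        print(f"{os.path.basename(hit['file'])} @ {hit['offset']} ({hit['encoding']}): {hit['context']}")
```

The constructed set yields 5 hits in 2 files, with one of the five visible only to the UTF-16LE pattern.  Whatever tool produces the real numbers, the per-hit records are what lets the other side, or you two years later, see exactly what was found and judge whether each hit was relevant.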

Tip # 4:  Your Conclusions Have to Make Sense

At issue in the cited case was that no images were found on the suspect/defendant’s drive and that CCleaner was present on the system.  The law enforcement examiner’s narrative stated “No images were found and CCleaner was installed on the system, therefore the image(s) must have been wiped by the user using CCleaner” (paraphrased).  This conclusion was supported by nothing other than 1) no images found and 2) CCleaner found.  That’s it.

This conclusion is at least potentially erroneous and is not backed by any other facts, analysis, evidence or documentation.  It is a forensic leap to say that because a disk cleaning utility exists on a system and little or no evidence relevant to the charges was found, the utility must have been used to wipe the data.  A hypothesis this important should be tested and documented: whether and when the utility actually ran, how it was configured, and what logs, file system metadata and other artifacts support or contradict the wiping.  Without that, it is conjecture and quite possibly coincidence.

Wrapping It Up

Our goal in this article is not to bash any one examiner or set of examiners.  We all make mistakes, and while the examples cited here have been seen sporadically through the years, they are fortunately not the norm in digital forensics.  The goal is to help avoid complacency, inaccuracy and sloppy report writing in the future.  We’re all in this to find the truth, wherever that may lead and to whomever’s benefit or detriment.  There’s an old saying that is drilled into police recruits’ heads in law enforcement basic training: IF YOU DIDN’T WRITE IT DOWN, IT DIDN’T HAPPEN!  This is a great rule to live by when it comes to everything from note-taking to writing your final summary/narrative reports.

What we do is important.  Many times, the methods we undertake and the conclusions at which we arrive can mean a long prison sentence for some or a loss of a great deal of money or custody of their children for others.  We owe it to the stake-holders in the case and to the digital forensic community to adhere to a high standard when issuing our findings.  It’s the best way to ensure that justice is served, no matter the case.

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Twitter: @ProDigital4n6

Wednesday, April 10, 2019

Mobile Virtual Network Operators (MVNOs) in the U.S.




Increasingly, cellular records and their associated location information are being used in civil litigation, where previously they were considered a “law enforcement only” tool.  But in an age when users carry at least one smartphone with them at all times, the location data associated with calls, texts and data usage can be crucial evidence in certain cases.  These include insurance fraud investigations, domestic/custody/cohabitation matters and personal injury cases.



As we’ve detailed in previous articles, there are five main US-based cellular carriers:  Verizon Wireless, AT&T, Sprint, T-Mobile & U.S. Cellular.  But what about those not on the list of five?  What about Boost, Straight Talk, Virgin Mobile, Cricket, Tracfone or… the list goes on and on.  These carriers are all what are known as mobile virtual network operators, or MVNOs.  Check out our article detailing the record retention periods for each provider.

Essentially, MVNOs operate by “leasing” capacity on the network of one of the five main cellular carriers, or sometimes more than one, to increase subscribership and allow the use of multiple devices on their plans, many of which are pre-paid or pay-as-you-go.  Some MVNOs operate strictly on CDMA or GSM networks and some operate on both.  Some MVNOs are nationwide and some are regional, as was the case with an MVNO we dealt with recently that was based in the Tennessee Valley.  The fact is, MVNOs far outnumber their host networks in sheer numbers.

The first step is to determine which carrier the target of your investigation subscribes to, or which carrier owns the service for that number.  For this, the simplest resource is the Hawk Analytics Support site, which is free with a registration. The support site also has articles, sample wording for process, best practice documentation and more.

When you identify that the carrier you need to submit legal process to is an MVNO, one of several things may happen upon submission, depending on what type of information you’re seeking and with which MVNO the account is associated.  For example, Boost or Virgin Mobile will refer you to Sprint’s legal compliance center for all types of requests, but Tracfone will not provide records for cell site listings and GPS location information; those requests will be referred to the parent network.  It really just depends on the MVNO you’re dealing with.  Remember, even if the account is a pre-paid “drop/burner phone” and the subscriber didn’t have to give a name or ID when initiating the account, there can still be great investigative data contained in the records.

And remember, only Verizon Wireless stores standard text message (SMS) content for a minimum of 3 and a maximum of 10 days.  After that, the information is purged.

As a quick reference, we’ve decided to compile a list of major MVNOs that you may run across in your investigations.  All of the addresses for service of legal process to the respective MVNOs may be found on the ISP listing under the “Resources” tab on search.org.

Verizon Wireless-Only MVNOs

·      Xfinity Mobile (Comcast)
·      Affinity Cellular
·      Spectrum Mobile
·      Total Wireless
·      GreatCall

AT&T-Only MVNOs

·      Black Wireless
·      Cricket Wireless
·      EasyGO Wireless
·      FreeUP Mobile
·      Jolt Mobile
·      Pure Talk USA
·      RuraLTE
·      ZillaTalk



Sprint-Only MVNOs

·      Boost Mobile
·      Chit Chat Mobile
·      Kroger i-wireless
·      Patriot Mobile
·      Ready Mobile
·      Tello US
·      Scratch Wireless
·      Virgin Mobile USA

T-Mobile-Only MVNOs

·      China Telecom Americas (CTExcel)
·      GoSmart Mobile
·      KidsConnect
·      Liberty Wireless
·      Mint Mobile
·      Roam Mobility
·      SeaWolf Wireless
·      Simple Mobile
·      Ultra Mobile
·      Value Wireless
·      Walmart Family Mobile

As previously stated, some MVNOs use multiple networks for their service.  Which network is utilized can depend on where the device is purchased (e.g., Walmart, Target, etc.) and/or what type of device is selected for use.  This naturally allows the MVNO to cast a wider net and attract more customers, but it can make things confusing for investigators who are trying to figure out where to submit legal process.  Here are some of the more common cross-carrier MVNOs:
     

·      FreedomPop:  AT&T, Sprint
·      Consumer Cellular:  AT&T, T-Mobile (GSM)
·      Republic Wireless:  Sprint, T-Mobile
·      Flash Wireless:  Sprint, Verizon
·      Expo Mobile:  Sprint, Verizon
·      EcoMobile:  Sprint, T-Mobile, Verizon
·      Red Stick Wireless:  Sprint, T-Mobile, Verizon
·      Best Cellular:  AT&T, Sprint, T-Mobile, Verizon
·      Red Pocket Mobile:  AT&T, Sprint, T-Mobile, Verizon
·      Straight Talk:  AT&T, Sprint, T-Mobile, Verizon
·      Net10 Wireless:  AT&T, Sprint, T-Mobile, Verizon, US Cellular
·      Boom Mobile:  AT&T, Sprint, Verizon
·      TracFone:  AT&T, Sprint, T-Mobile, Verizon, US Cellular (feature phones only)
·      Google Fi:  Sprint, T-Mobile, US Cellular


A complete and up-to-date list of MVNOs, their networks and some features about the available plans can be found at this Wikipedia page:  https://en.wikipedia.org/wiki/List_of_United_States_mobile_virtual_network_operators


Wrapping It Up

MVNOs are a fact of life when using cellular location data in investigations.  By arming yourself with the knowledge of which MVNO operates on which parent network and which information is available from whom, you can save valuable time, money and heartache.  Happy hunting!
