Wednesday, April 29, 2015

5 Reasons Why You Need a Digital Forensic Examiner



 

Lists are all over these blogs, aren’t they?  But I bet you haven’t seen the top 5 reasons you need to hire a digital forensic examiner!  Not to be outdone, we’ll try to keep it to only five:

1)     Data is everywhere

Think about all the digital devices you own and use.  Chances are, as this graphic shows, you probably use your handheld portable device(s) in the morning, transition to laptop/desktop computer(s) during work hours, then go back to mobile with heavy use of tablets during the evening hours (because you and your partner don’t want to watch the same TV shows).




This graphic doesn’t even take into account the Internet of Things (IoT) or cars with constant connectivity and GPS.  The bottom line is that virtually everything you do during the day involves a digital device on some level and leaves a digital footprint.  That data is stored on those devices, and if you’re involved in some sort of dispute, accident, encounter, etc. that may lead to legal action down the road, you’re going to want a trained digital forensic expert to acquire, analyze and report that data for you in a way that will hold up.

2)     Data breaches affect everyone

In the past year or so, we’ve seen dozens of high-profile data breaches in the private commercial and government sectors: Sony, Target, eBay & Anthem, just to name a few.  No one has been immune from the exposure of this data, not even the rich & famous (e.g., Ben Affleck & Amy Pascal).  For everyday consumers like us, it means that our personal information could be shared with unsavory types.  So whether you’re hiring a digital forensic examiner yourself or your bank is hiring one to help find out what happened and by whom, it does affect you.

3)     Chances are, you’ll be involved in litigation at some point
It’s often noted that the U.S. houses roughly half of the world’s attorneys, and attorneys make money by handling legal matters.  Not all legal matters are contested, but when they are, you want the data to show the truth.  And if you believe #1 (data is everywhere), the likelihood is very real that you will not only be involved in some sort of contested litigation, but that the litigation will involve retrieving & reporting data pertinent to your case in a verifiable, forensically sound & virtually airtight manner.  From divorces to child custody to distracted-driving personal injury to criminal cases, the ubiquitous nature of the devices we carry and the data (i.e., evidence) they store cannot be denied.

4)     Your IT guy probably doesn’t know squat about Digital Forensics

Information Technology (IT) is a huge field.  It encompasses everyone from help desk agents to information security officers and everyone in between.  Generally, when we think about IT, we think of the computer geek: the guy we call when we can’t access our email, when the computer “broke”, when our company-owned phone is acting funny or some other everyday, run-of-the-mill problem.  They’re good at that stuff, and the information security folks are good at setting up networks and systems to prevent data breaches, but generally none of them are trained adequately to secure digital evidence, forensically acquire that evidence, analyze it, or testify about the evidence and the procedures they followed.  These skills require special training and experience.  Do IT folks have access to that training?  Yes.  Do most of them take it?  No.  Call a professional.

5)     The Police can’t do it all

Cybercrime & electronically-facilitated crime is no doubt on the rise.  When we get calls from potential clients stating they’ve been hacked, we refer them to the police, because computer trespass and theft of personal information are crimes, but most of the time they call back a couple of weeks later for our help.  The police, especially local police, don’t have the resources to investigate, analyze the data and report on what may have happened.  And hacking is just one example.  In a day & age when everyone carries a micro-computer with GPS, a microphone, a camera and a telephone in their pocket, tracking their every move, the value of the evidence those devices store cannot be overstated.  Unfortunately, along with being involved in litigation, you’ll probably also be the victim of a crime at some point.  If the police don’t have the resources to adequately investigate the incident, it may be worth it to call someone who does!

So there’s our list.  If nothing else, we hope it illustrates just some of the reasons why you may need a digital forensic examiner on speed-dial.  Is a digital forensic examiner someone you need every day?  No.  But much like your car mechanic, your exterminator and your lawyer, you sure want to know how to contact a good one when the time comes!

Did we mention our contact information is below?

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.

Twitter: ProDigital4n6


Thursday, April 23, 2015

Probable Cause: As Good as it Gets




Recently, I had the honor of teaching a 3-day in-service course at the police academy for a group of new investigators.  While some of the participants had a degree of investigative experience, they still found some value in the course, especially with regard to the 4th Amendment and Search & Seizure updates & refreshers.  We spent a good chunk of time talking about Probable Cause (P.C.) and how establishing probable cause for search warrants and arrests is key not only to getting the warrant, but to having a rock-solid case overall.  I made the point that your case never looks better than at the P.C. stage.  This took some explaining for the class participants, so I figured the concept could also use some wider elaboration.

Good looking things all over

When brainstorming about this article, I thought about all of the other instances in society when things don’t ever look as good as they do at that golden moment.  Take a relationship, for instance:  Boy meets girl, boy and girl are attracted to each other, chemistry develops and, within a couple of weeks, everyone is on cloud nine!  Then, the inevitable physical encounter happens and it all goes downhill from there.  Sure, there are peaks and valleys (including marriage, depending on your point of view), but that relationship doesn’t ever look as good as it does when the butterflies are in your stomach and the tension is building and everything your partner says or does is gold! 

Draw the analogy out another step… When you buy a new car, (even if it’s used, it’s still new to you) that car never drives better, smells better or looks better than that first week you own it.  You’ll even find reasons to drive it, taking the long way home from work or the grocery store.  Then that first car payment bill hits and it’s all downhill from there!  Maintenance, mechanical issues, insurance bills and monthly payment… it all just gets to be a grind and, after about another year, you just want a new car again!  I guess this is where leasing companies find their niche.

What does this have to do with my investigations?

The same philosophy and practice is true at the micro level in your cases.  Think about it – you work hard to build your case.  You develop informants, gather evidence, conduct surveillance, investigate your target’s background and write reports documenting all of your findings.  Then, you finally have that moment when you’re ready to pull the proverbial trigger and apply for your search warrant.  You write up your P.C. statement and get it approved by your supervisor and take it to the judge/magistrate and everything is golden!  Your case probably just got the best it’s ever going to get. 

Probable Cause is a legal standard: facts and circumstances sufficient for a reasonable person to believe that something illegal probably happened and that the target of your investigation probably did it (or, for a search warrant, that evidence of it is probably at the place to be searched).  There are no absolutes about any of this, despite your hard work, diligent gathering of evidence, time invested, etc.  Probable Cause also represents the stage at which all of your evidence is in the light most favorable to your case; it never looks better.  Virtually no one has picked over the facts yet and no one has scrutinized your work.  Trust me, it’s coming!  Once the prosecutor and the defense attorney get hold of your reports, affidavits, statements & other evidence, your case will be picked apart piece by piece and scrutinized to extreme levels.  It goes without saying (but I will anyway) that the more important the case, the more this is likely to happen.  The problem is, you may not know how important your case is until after you’ve established probable cause, so it is fully incumbent upon the investigator to keep an open mind and make sure all of the details are taken care of in every case; otherwise we risk falling into complacency and bad patterns.

Many important cases require multiple warrants and have multiple targets.  When I say your case never looks better than it does at the P.C. stage, that doesn’t mean it can’t look that good again, such as at the application for a subsequent search warrant.  It simply means that at that point, your evidence looks the best it can for any audience.  After motions have been heard and plea bargains are discussed, the inevitable holes in your case start to shine some light on the overall facts.

Begin with the end in mind

Before I left full-time police work and launched my business, I consulted my brother, a career entrepreneur & businessman.  I asked him to refer me to any resources that might help in my new business endeavors.  He recommended The 7 Habits of Highly Effective People by Stephen Covey.  I scoffed at first under the impression that Covey was some sort of cultish quack, but I decided to keep an open mind.  I listened to the book on tape (I always fall asleep reading books) and I loved it.  One of the 7 habits: Begin with the end in mind. 

Beginning with the end in mind as an investigator or digital forensic examiner is a more abstract concept.  As I said before, it’s vital to go into any investigation with an open mind, but investigators in particular should have, at the very least, the end of successful case closure in mind.  You will find the bad guy, you will get the evidence you need, you will establish more than probable cause, and you will do good work repeatedly.

Begin with the mindset that you’ll find the truth of the matter.  Begin with the mindset that the evidence will lead you to the facts.  Begin with the mindset that, when you develop probable cause, your evidence will be air tight (or as much as possible).  And don’t forget the victims of the crime(s) you’re investigating – they’re the ones you’re out there to help.


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally



Thursday, April 16, 2015

Digital Forensics vs. Data Extraction



 

I was having lunch the other day with a good friend who is a very well-trained & accomplished Digital Forensic Examiner for the Virginia State Police.  He and I often get together and talk about trends in the industry, past cases, tools that work and tools that don’t, among other things (we’re both avid motorcyclists).  He mentioned something to me again recently that I’ve heard him mention in the past.  “Forensics is all but dead,” he says.  “Almost everyone now is just doing data extraction & reporting, not forensics.”

This comment spawned some more thought from me on the topic.  Is forensics almost dead?  There are several factors at play, not the least of which is how widespread digital forensics practices have become within government sectors.  These factors encompass personnel, practice, cost & overall expertise, to name a few.  I, for one, would like to think that forensics is not dead, but rather going through an evolution of sorts, as most technology-oriented fields do over time.  So what’s the difference between digital forensics and data extraction?  Plenty!

Data Extraction & Reporting

I propose a hypothetical case:  Agent Smith is an investigative field agent.  He works child exploitation crimes for the Mayberry Police Department.  He receives an anonymous cybertip from the National Center for Missing & Exploited Children (NCMEC) that John Jones, who lives in Mayberry, has numerous images of child pornography on his smart phone.  Agent Smith does his due diligence in background case work and goes to visit Mr. Jones at his home for a knock-and-talk. 

Jones consents to talking to Agent Smith and further consents to have his phone examined, but refuses to let Agent Smith take the phone with him.  Smith pulls out his field kit, hooks up the phone to his laptop and starts the extraction.  Jones admits to nothing, the extraction is complete and a brief review on-scene of the images on the phone indicates there is illegal material, so Smith seizes the phone and arrests Jones based upon the images he found on-scene.  Now Agent Smith needs to dig further into the evidence to prove the case, but does he? 

Part of the problem (and the delicate balance) with easy-to-use forensic tools, especially mobile forensic tools, is that they’re easy to use.  Point, click, extract, view, report, done!  This is simple data extraction, not digital forensics.  While some of the methods employed to acquire the data may be forensically sound and within best practices, that’s about where the forensics ends.  Keep in mind, too, that an on-scene logical extraction like Agent Smith’s generally captures only what the device’s backup or export interface exposes; deleted content, unallocated space and many system artifacts are simply not in that data set.  The practice of data extraction pulls out the data Agent Smith needs to prove his case, not necessarily the whole story.  How did the images get on the device?  Who put them there?  When were they created?  Who else may have had access to the device (the anonymous tipster, perhaps)?  What additional inculpatory or exculpatory evidence may be present on the device?  In short, what does the whole picture look like?  These are questions that go mostly unanswered by simple data extraction & reporting.  That practice makes the evidence look very damning and very simple, when it may be neither.

The Forensic Difference

Digital Forensics in the simplest definition goes far beyond simple data extraction.  Forensics looks at all of the available evidence with an open mind, objectively looking to prove or disprove the case from the start and looking to recover whatever relevant evidence that may be present.  The practice of forensics also looks much deeper than what can be found on the surface level.  Forensics seeks to answer questions like:

  • Are there old partitions on the disk that can be recovered?  If so, what evidence might they contain to help prove or disprove the theory of the case?

  • Are there deleted items in unallocated and/or file slack space that may provide proof of an attempt to cover up evidence?

  •  Are there file fragments that could be recovered and/or pieced together to provide a clearer picture of what may have been going on at the time of the incident?

  •  Are there logs of network connections, operating system journal entries, registry artifacts, encrypted or other data that needs to be examined at the hexadecimal level to put the pieces of the puzzle together?

All of these questions and more are just the basic differences between simple data extraction and digital forensics, which is much more complex.  It also requires much more training and hands-on experience.  I can honestly say that I don’t think I’ve ever conducted a true digital forensic examination where I didn’t need to research file types, headers, footers, applications and any number of other case-specific items to help figure out what activity may have been going on with regard to the submitted device(s), and then report those findings accurately & intelligently.  Indeed, digital forensics is true investigative work, not simply a point-and-click approach to recovering evidence.
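To make the difference concrete, here is a small worked example in Python.  It is an added illustration, not code from the original post or from any tool the author uses, and it covers two things mentioned above: verifying an acquired image by hash so the evidence is reportable in a “verifiable, forensically sound” manner, and carving deleted JPEG files out of unallocated space by their header and footer signatures, which is exactly the kind of work a point-and-click extraction never does.  The “disk image” is a constructed in-memory byte string so the script runs offline; the function names, offsets and sample contents are all assumptions for the example.

```python
"""Added example (not from the original post): hash-verify a raw image and
carve JPEG files out of it by header/footer signature.

The image is constructed in memory so the example runs offline; a real
image would come from a write-blocked acquisition and the hash would come
from the acquisition log. The carving technique is unchanged.
"""
import hashlib
import hmac
from dataclasses import dataclass

JPEG_SOI = b"\xff\xd8\xff"   # start-of-image marker plus the next marker byte
JPEG_EOI = b"\xff\xd9"       # end-of-image marker


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_image(image: bytes, expected_hash: str) -> bool:
    """Re-hash the image in the lab and compare against the acquisition hash.
    A mismatch means the copy is not the evidence that was seized."""
    return hmac.compare_digest(sha256(image), expected_hash)


@dataclass
class CarvedFile:
    offset: int     # byte offset of the header inside the image
    length: int     # bytes carved (header through footer, or the fragment)
    complete: bool  # True if a footer was found within max_size
    sha256: str     # hash of the carved bytes, for the report


def carve_jpegs(image: bytes, max_size: int = 1 << 20) -> list[CarvedFile]:
    """Scan raw bytes for JPEG headers and cut each one at the next footer.

    This ignores the filesystem entirely, so it finds deleted files sitting
    in unallocated space. A header with no footer within max_size is kept as
    a fragment (complete=False) rather than dropped: a partially overwritten
    file is still evidence. Caveat: a real carver must also skip footers that
    belong to embedded EXIF thumbnails; this simple scan takes the first one.
    """
    found: list[CarvedFile] = []
    pos = 0
    while True:
        start = image.find(JPEG_SOI, pos)
        if start == -1:
            break
        end = image.find(JPEG_EOI, start + len(JPEG_SOI), start + max_size)
        if end == -1:
            length = min(max_size, len(image) - start)  # fragment, no footer
            complete = False
        else:
            length = end + len(JPEG_EOI) - start
            complete = True
        blob = image[start:start + length]
        found.append(CarvedFile(start, length, complete, sha256(blob)))
        # after a complete file, resume past it; after a fragment, keep
        # scanning inside it so a later header is not missed
        pos = start + length if complete else start + len(JPEG_SOI)
    return found


def build_sample_image() -> bytes:
    """Constructed 'disk image': a boot area, one allocated file, a deleted
    but intact JPEG in unallocated space, and a second JPEG whose footer
    was overwritten. Offsets: intact JPEG at 626, fragment at 896."""
    jpeg_intact = JPEG_SOI + b"\xe0" + b"A" * 200 + JPEG_EOI
    jpeg_fragment = JPEG_SOI + b"\xe0" + b"B" * 300          # tail overwritten
    return (b"\x00" * 512                                    # boot/partition area
            + b"ALLOCATED-FILE" + b"\x00" * 100              # allocated file + slack
            + jpeg_intact
            + b"\x00" * 64
            + jpeg_fragment
            + b"\xff" * 128)                                 # overwritten region


if __name__ == "__main__":
    image = build_sample_image()
    acquisition_hash = sha256(image)          # what the acquisition log would record
    print("image verified:", verify_image(image, acquisition_hash))
    for f in carve_jpegs(image):
        state = "complete" if f.complete else "FRAGMENT"
        print(f"JPEG at offset {f.offset}: {f.length} bytes, {state}, sha256={f.sha256[:16]}...")
```

The second result in the sample is the point: a data-extraction report would never list it, because nothing in the filesystem points to it and it has no footer, yet it shows that a JPEG was on the device and was later overwritten.  Noting the fragment and its hash in the report is what lets the examiner answer “what else was here?” rather than just “what is here now?”.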

Rationale

So why do so many field practitioners, and some lab practitioners, do data extraction rather than forensics?  There are several reasons.  The first, and easiest to explain, is laziness.  This may shock you, but some people are just plain lazy.  They can take a test, pass a certification and have all the on-paper credentials, but if they’re lazy and simply don’t want to do the work, none of that really matters.  The next factor is time, which can be closely related to laziness.  In the government sectors especially, examiners are pressured to turn over more cases in less time, especially when it comes to mobile devices.  A true digital forensic examination takes time and, oddly enough, some government supervisors don’t understand that.  It is entirely possible that a 64 GB smartphone or tablet full of valuable evidence could take much longer to examine than a 1 TB hard drive that doesn’t really have much evidence at all.  Ask the bean-counters to wrap their heads around that one!

Along with extensive time goes money, but with digital forensics, it goes beyond that.  It takes not only an extensive investment in money, but time as well to get an examiner to a competent state.  In order to train a digital forensic examiner to be proficient, knowledgeable and effective requires a huge commitment.  Point-and-click classes take less time and are cheaper than weeks or months of in-depth digital forensic training and hands-on experience.  To add insult to injury, consider this:  I have a friend with whom I attended BCERT – a 5-week computer forensic “boot camp” of sorts.  He works at a local law enforcement agency at the level of Sergeant conducting digital forensic examinations.  He’s been at it for years and is a go-to resource for me whenever I have a question.  If he chooses to advance his career in law enforcement to the next rank (Lieutenant), he would have to quit doing forensics, go back in uniform on patrol and essentially give up that investment he and his department have made, thus starting all over again with a new, green examiner.  This practice is not limited to my friend’s department and is in fact commonplace in law enforcement and other government sectors.  What sense does that make?  Good question.  But the ultimate outcome is departments don’t want to spend that mountain of money to train somebody to my friend’s level again (and again), so they take the easy route:  Train them to get just what we need, i.e., data extraction. 

Conclusions

It seems to be a no-brainer: trained, equipped, effective examiners are in the best interest of conducting thorough investigations and thus proving or disproving a case, which is in the best interest of justice.  Unfortunately, the general reality doesn’t reflect that.  Since I started in digital forensics in 2008, I’ve seen several cycles of examiners at the government level.  The highly-trained ones get cycled out, and the newer ones have less and less training & experience at actually performing any forensics.  Meanwhile, the gap is widening between those who stick with the practice of digital forensics, whether in private or government practice, and those who are constantly in the refresh cycle.  The smart get smarter & better, and the newer ones keep doing data extraction, often not even submitting evidence to the lab unless it’s a “high-profile” case.

This gap will undoubtedly get larger and the numbers of practitioners conducting data extractions will grow, while a few of us are continually staying up-to-date & trying to hone our skills.  At some point, the house of cards has to fall, but until it does, I really wish those doing simple data extraction would stop using the F-word: Forensics.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
