Thursday, October 22, 2015

The Value of (the right) Key Word Searches




When I was a full-time police detective, I was fortunate enough to attend several very good, very long digital forensic training courses (see letters at end of name).  Unfortunately, what this also did was widen the gap between what I knew I could do in a forensic analysis and what my supervisor(s) thought I could do in a forensic analysis.  Nowhere was this more apparent than when we seized a couple of computers on a drug search warrant where the suspect was growing his own marijuana by the gross in the acreage behind his house.  The computers were seized under the guise of potentially containing pertinent financial documents or other transactional information with regard to the suspect’s drug production and distribution (selling) activity.  Pretty simple, right?  Wrong.


At the time, I had just returned from the Federal Law Enforcement Training Center (FLETC) with new forensic hardware, software and fresh knowledge on how to do this stuff!  Apparently, my supervisor should have gone too.  As many of my colleagues who are still fighting the good fight in law enforcement will attest to, it’s very hard to do a highly technical job like computer forensics when your direct-report doesn’t have a clue what you do, how you do it, why you do it or how much time is involved.  It’s honestly one of the most frustrating professional experiences I can point to in my time as a police investigator.

Like I said, we seized these computers and my boss wanted me to work my newfound magic on them.  “Ok”, I said, “What would you like me to look for?”  The first answer was “Anything”.  Ummm… that doesn’t work.  So I asked him about key word searches.  He said “YES!”  Ok, what key words would you like me to search for?  “Weed. Pot. Drugs. Money.”

Are we seeing a problem here yet?  If not, allow me to explain…

Key word searches are generally conducted over the entire forensic image (i.e., the exact, bit-for-bit copy of the media), which includes deleted and unallocated data, not just the files a user can see.  This amount of data can be as “small” as 16 GB on your smart phone or as large as the 4 TB (or more) hard drive I have in for analysis now.  Yes, we can limit the searches to specific partitions or pieces of evidence in a global case if necessary, but generally speaking, I like to search an entire physical hard drive just to see what we can find.  Modern forensic tools run these searches by encoding the term in each of several character encodings (ASCII, UTF-16 and so on, because a Windows application often stores text as two bytes per character) and then scanning every byte of the data for those byte patterns.  This can often take a bit of time and VERY often yields false positives and/or repetitive hits.  In the screen shot below, you can see that my very basic search on a current case for five simple terms (four names and the word “ashes”) yielded thousands of hits while only 4% of the drive was scanned.  Not only does this not bode well for maximizing the examiner’s time, but the hits are so voluminous that it all tends to blur together after a while.  Plus, because a plain search is a raw substring match with nothing marking the start or end of the word, the search for the term “ashes” will yield every single word that contains those characters in that order.  Sashes, hashes, flashes, mashes… you get the idea.  Tons of false positives.  The same is true for all of the terms my former supervisor told me to search for.


On the next search, I remembered some of my key word training… Insert a space before and after the search term(s).  This ensures that ONLY your term is reported back on the hits.  The number of hits went from thousands to just a few hundred.  Not only that, they were much easier to sift through to see what may be relevant vs. what isn’t.

So if you’re sending a computer, smart phone or other digital device to your forensic examiner and key word searches may be relevant to your case (and they often are), here are a few tips that may help him or her out:


  • The longer the search term, the better.  Think about it this way: if I searched for one whole sentence from this blog instead of just one or two words from that same sentence, the false positives AND the time it takes to run and review the results would drop drastically.  More is definitely better.  The one catch is that a long phrase has to match exactly, so a line break, a typo or a different encoding in the stored text will hide it; if an exact phrase returns nothing, fall back to the longest distinctive fragment of it.


  • Short words are bad.  Even with a space before and after the search term, short words yield a ton of false positives and the hits for those terms will just keep climbing.  Best bet: use longer words, ideally in multi-word search terms.  “Connecticut” is much better than “con” or “cut”.

  • Unique terms are good.  Full names of people involved, cities, unique internet search terms are all great things to search for and will narrow the scope of the key word search.

  • Think globally.  Don’t just think about the case you have before you, but think about other things the owner of the computer or smart phone may be involved in that are on the periphery of your case.  Then, incorporate that mindset into the information you provide your forensic examiner using the first two tips.
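As an added illustration of the mechanics described above (this is example code written for this page, not code from the post or from any forensic product), the Python script below runs a keyword search over a constructed stand-in for a disk image: zeroed sectors, ASCII text, a UTF-16LE string of the kind a Windows application writes, binary filler and a term followed by a comma.  It encodes the term in each of two assumed encodings (ASCII and UTF-16LE), then compares three strategies: the raw substring match that produces the “sashes, hashes, flashes” false positives, the space-padded term from the post, and a word-boundary match that goes one step beyond the space trick so that “ashes,” and a term sitting at the very start of a line or sector are still found.  The sample image, the two-encoding list and the ASCII-only definition of a “word character” are all assumptions made for the demonstration.

```python
"""Keyword search over a raw forensic image: substring vs. space-padded vs. word-bounded.

Added example; the sample "image" below is constructed for this demonstration.
"""
import re
from dataclasses import dataclass

# Constructed stand-in for a disk image: zeroed sectors, ASCII text, a UTF-16LE
# string (two bytes per character), binary filler and punctuation after the term.
SAMPLE_IMAGE = (
    b"\x00" * 16                                            # zeroed (unallocated) bytes
    + b"ashes of the old file header\n"                     # term with no space before it
    + b"She sold sashes and hashes; the ashes were scattered.\n"
    + "Cremation ashes arrived.".encode("utf-16-le")       # how Windows apps often store text
    + b"\xff" * 8                                           # binary filler
    + b"flashes ashes, mashes\n"                            # comma right after the term
)

# Encodings tried for every term (assumption; UTF-16BE, code pages etc. could be added).
ENCODINGS = ("ascii", "utf-16-le")

# What one "word character" looks like on disk in each encoding (assumption: ASCII
# letters and digits only; a real tool would also treat accented letters as word characters).
WORD_BYTE = {
    "ascii": rb"[A-Za-z0-9]",
    "utf-16-le": rb"[A-Za-z0-9]\x00",
}


@dataclass(frozen=True)
class Hit:
    offset: int       # byte offset into the image
    encoding: str     # encoding in which the term matched
    context: bytes    # a few bytes either side of the match, for triage


def _scan(image: bytes, pattern: bytes, encoding: str, ignore_case: bool) -> list:
    flags = re.IGNORECASE if ignore_case else 0
    return [
        Hit(m.start(), encoding, image[max(0, m.start() - 8): m.end() + 8])
        for m in re.finditer(pattern, image, flags)
    ]


def substring_search(image: bytes, term: str, ignore_case: bool = False) -> list:
    """Raw substring match: what an unqualified keyword hits on ("ashes" inside "sashes")."""
    hits = []
    for enc in ENCODINGS:
        hits += _scan(image, re.escape(term.encode(enc)), enc, ignore_case)
    return sorted(hits, key=lambda h: h.offset)


def space_padded_search(image: bytes, term: str, ignore_case: bool = False) -> list:
    """The trick from the post: search for " term " so only the whole word hits.
    Misses the term at a line start and when punctuation follows it ("ashes,")."""
    return substring_search(image, f" {term} ", ignore_case)


def word_bounded_search(image: bytes, term: str, ignore_case: bool = False) -> list:
    """Whole-word match via lookarounds in each encoding: keeps the precision of the
    space trick without missing "ashes," or a term at a sector/line boundary."""
    hits = []
    for enc in ENCODINGS:
        w = WORD_BYTE[enc]
        pattern = rb"(?<!" + w + rb")" + re.escape(term.encode(enc)) + rb"(?!" + w + rb")"
        hits += _scan(image, pattern, enc, ignore_case)
    return sorted(hits, key=lambda h: h.offset)


def compare(image: bytes, term: str) -> dict:
    """Hit count per strategy: the numbers an examiner weighs before a full-drive run."""
    return {
        "substring": len(substring_search(image, term)),
        "space_padded": len(space_padded_search(image, term)),
        "word_bounded": len(word_bounded_search(image, term)),
    }


if __name__ == "__main__":
    for term in ("ashes", "ashes were scattered"):
        print(term, compare(SAMPLE_IMAGE, term))
    for h in word_bounded_search(SAMPLE_IMAGE, "ashes"):
        print(f"offset {h.offset:5d} {h.encoding:10s} {h.context!r}")
```

On the constructed image, “ashes” produces eight raw hits (seven ASCII, one UTF-16LE), two space-padded hits and four word-bounded hits; the space-padded search misses the term at the start of the header line and the “ashes,” before the comma, and it misses the longer phrase “ashes were scattered” entirely because a period follows it.  Most commercial forensic suites expose the same choice as a whole-word or regular-expression option plus a list of encodings to search, so the practical advice is to turn those on rather than hand-pad every term, and to check that the encodings you select cover how the suspect’s software actually writes text.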


Key word searches often provide valuable evidence, but generally, they’re also just pieces in the bigger puzzle.  By providing the right key words from the start, you can help your forensic examiner be more effective and, hopefully, get you the evidence you need faster.  Whether you’re an investigator, attorney, IT security professional or other interested party, just please don’t say the one dreaded “key word” answer when your forensic examiner asks you what to look for: “Anything”.


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Tuesday, October 13, 2015

What Social Media Activity Tells a Trained Forensic Examiner




For better or for worse, social media has become a driving force in many aspects of our lives.  It helps individuals stay in touch with friends, relatives, former classmates and other acquaintances.  It also helps businesses drive users to websites, advertise and (hopefully) generate revenue.  Heck, even this little ole blog gets posted across multiple social media platforms to help generate "buzz" for a startup digital forensic consulting business.  But what value does that social media activity have when conducting investigations?  What can the social media data tell a trained digital forensic examiner?

This subject is yet another where I'll emphasize the value of possessing honed investigative skills in addition to being a practicing, competent, trained forensic examiner.  The basis of how to conduct investigations involving social media, web activity or other electronically stored information (ESI) or even simply basic online investigations, comes through training and experience.  Through the Internet Crimes Against Children (ICAC) Task Force, I was trained how to effectively track down people and gather intelligence online, mostly without their knowledge.  This served me quite well in law enforcement and now serves me well in private investigations. But taking that training a step further into the findings of a digital forensic examination, we can incorporate that training and experience to dig even deeper to find out what the user(s) may be doing online.



As an example, we'll use the current “flagship” of social media, Facebook.  Facebook has revolutionized how people stay in touch and they are constantly evolving the offerings they put forth.  What was once an online yearbook for college students has now become a multi-billion dollar mega online conglomerate of services.  Over time, users have gained the ability to search for other users, chat with other users, send links, videos, pictures and now even voice messages.  And the best part is, most or all of this data is available to us when we get ahold of your computer and/or mobile device.  Because Facebook is so ubiquitous across the user spectrum, almost everyone has an account, which means there's social media evidence almost everywhere.

And the great thing about social media is, it's tailor-made for us by us.  We choose who we want to be "friends" with.  We decide who to communicate with and for what purpose(s).  We seek out and "follow" or "like" different social causes, businesses, political candidates, entertainers... the number and scope of what we can tell the social media world about ourselves is virtually boundless.  Most social media users don't give much thought to the fact that they are sacrificing personal information security when they follow these things, too.

So when we conduct a digital forensic investigation, we’re looking for clues about all of these things.  If the case involves a subject suspected of infidelity, perhaps they were using Facebook messenger to send messages to their paramour instead of regular text or email.  And even if they were somewhat clever and never became "friends" with the other party on Facebook, the account information for the other user is recoverable and will lead right back to that person almost instantly.  In the case of a law enforcement agent investigating someone suspected of having terrorist ties, perhaps they "liked" or followed anarchist, hate or radical religious groups.  With tools that specialize in extracting and reporting this information like Magnet Forensics Internet Evidence Finder, the forensic evidence in these cases becomes vital to painting the picture of the truth.  The best thing for us in the digital age is, if there's any digital evidence of it, we'll probably find it.



And while Facebook is a good example, the potential for valuable evidence doesn't end there.  Twitter, Tinder, Snapchat, LinkedIn... they all provide valuable pieces of information by way of personal and/or professional interests, potential romantic relationships, life events and random online rants (which happen more often than you might think).  One final point that should not be overlooked is the responsibility of the investigator and/or examiner to stay abreast of the changes in social media.  Like with most things in the digital age, social media is ever-changing.  It’s a competitive market and the platforms’ challenge is to gain new users while still maintaining a certain level of service and user expectation, lest they become MySpace.  But investigators and forensic examiners have to keep up with these changes to be able to consistently deliver quality service.  Is it time-consuming?  You bet!  But it’s also extremely important to successful, accurate investigations.

Regardless of the platform, social media really does intertwine into all of our lives.  Because of that, it becomes a virtual mountain of valuable personal information that a digital forensic examiner and investigator can use to help find the truth.  Now go search for it!



Friday, October 2, 2015

Five Tips for Effective Technical Warrant-Writing



Having worked in law enforcement at the level of investigator and forensic examiner and subsequently transitioning to a trainer/private practitioner role, I’m starting to gather the benefit of something many law enforcement (LE) agents may well overlook – diversity of experience.  While many of my friends in LE may scoff at some of my professional choices, I have actually grown to appreciate both sides of the issue with regard to investigation and digital forensics.  After all, what we’re really after is the truth!




Along with the diversity of experience comes the opportunity to review and scrutinize various legal documents submitted on behalf of the government (or other parties) to obtain information and other suspected relevant materials from businesses, individuals and other involved parties in both criminal and civil litigation.  Unfortunately, I’m not always “impressed” with what I read.  I attribute this to many factors including the lack of adequate training, lack of updated training, lack of writing ability, lack of experience and the simple fact that the law is always several steps behind technology.  In order to help out burgeoning investigators of electronically-facilitated crime and increase the effectiveness of search warrants, court orders and other legal filings that may become necessary in these types of investigations, here are five tips to keep in mind when constructing your affidavits:


1)    More is More

Yes, I know in the police academy you are taught that less is more.  Just the facts.  Don’t elaborate.  Don’t get too detailed.  Write like a cave man.  The problem is, the more ambiguous you are in your affidavit, the more holes the defense can drive through your facts.  Be specific, deliberate and write as if someone is actually going to read the darn thing!  In other words, make it flow well, like a story.  If it helps, remember that the outcome, which may very well be to punish someone for a good portion of their life, rests in your hands as the architect of that document.  If that authority and responsibility is something that you appreciate, then you should be as verbose as you need to be in order to establish the facts surrounding your probable cause.  You owe it to your case, your reputation and, believe it or not, you owe it to the suspect.

2)    Don’t Assume Your Audience Knows Anything

When composing warrant affidavits for legal tech items or information, you have to develop the ability to explain very technical items to very non-technical people.  This may be your supervisor, magistrate, prosecutor, defense attorney, judge, or the jury.  Don’t assume that everyone knows what a smart phone is or what you can do with it or that apps can be used for a myriad of purposes.  Don’t assume that people know what Craigslist is or the multitude of items or services you can get from it.  The first Magistrate I went before with my first electronic search warrant affidavit was a dinosaur.  He literally pecked one letter at a time on the keyboard and when he saw how lengthy my PC (probable cause statement) was, he literally cursed me.  But he also appreciated the authority that comes with the ability to invade someone’s home or business and what an awesome responsibility it is to make sure we get it right.



3)    Get With Someone Who Knows More

The value of mentorship cannot be overstated when investigating crimes that are complex in nature.  No man (or woman) is an island, so don’t think you know everything and try to go it alone.  Drop your ego, realize what you don’t know and ask for help.  I had several mentors starting out and still look upon them as far more knowledgeable than I.  They just can’t get online and publish a blog because their command staff would have a [proverbial] cow.  Use every resource at your disposal – colleagues, listservs, online articles…  You’ll learn more and grow infinitely more than you’ll ever realize.

4)    Know What You’re Talking About & Don’t Fudge

The term “fake it till you make it” is a fairly tried and true business practice, but it has no place in law enforcement or investigations.  “Faking it” might as well be lying on an affidavit.  I once knew an investigator who fudged data from an electric company to beef-up his PC for a search warrant in a drug case.  When it was discovered during his testimony at a pre-trial hearing, the judge understandably didn’t care for it too much.  Even worse, his credibility was shot… and it’s all on the record.

The stats aren’t worth it.  If you don’t know, say you don’t know.  Don’t make it up and don’t embellish.

5)    Proofread, Review, Repeat

Many investigators are over-worked, there’s no doubt about that.  In order to save time and effort, “boiler-plate” affidavits are often used to streamline the process.  There’s nothing wrong with this, but you must review the items every single time you construct your document.  It only takes one word to completely screw up the efficacy of your warrant in a suppression hearing, so do yourself a favor and take the time to really review, scrutinize and revise your documentation, facts and application for warrant.  When you’ve done it, do it (at least) one more time just to be sure.  When that’s done, ask yourself if it passes the “mirror test” – if you can look yourself in the mirror and know that everything is the way it should be, you’re in a good place.

Writing decent affidavits and other legal paperwork is part of your legacy as an investigator and/or examiner.  Whatever other mistakes you may make along the way, you will ultimately be assessed on your professional reputation by judges, juries, defense attorneys, prosecutors and other investigators.  That reputation is something that needs to be nurtured, honed and never taken for granted.  Step one is knowing how to articulate yourself in a manner that shores up that reputation as time goes on.

I recently spoke with the prosecutor with whom I used to work many, many cases.  He said he’s received several inquiries about me from other attorneys since I transitioned to the private sector and has told them “He’s thorough, he knows his stuff and he doesn’t lie.” I appreciate those words more than almost any award or certification.  Hopefully, you’re well on your way to having the same said about you!

