October 22, 2015
The Value of (the right) Key Word Searches
When I was a full-time police detective, I was fortunate enough to attend several very good, very long digital forensic training courses (see the letters at the end of my name). Unfortunately, this also widened the gap between what I knew I could do in a forensic analysis and what my supervisor(s) thought I could do in a forensic analysis. Nowhere was this more apparent than when we seized a couple of computers on a drug search warrant where the suspect was growing his own marijuana by the gross on the acreage behind his house. The computers were seized on the theory that they potentially contained pertinent financial documents or other transactional information regarding the suspect's drug production and distribution (selling) activity.
Pretty simple, right? Wrong.
At the time, I had just returned from the Federal Law Enforcement Training Center (FLETC) with new forensic hardware, software and fresh knowledge on how to do this stuff! Apparently, my supervisor should have gone too. As many of my colleagues who are still fighting the good fight in law enforcement will attest, it's very hard to do a highly technical job like computer forensics when your direct report doesn't have a clue what you do, how you do it, why you do it or how much time is involved. It's honestly one of the most frustrating professional experiences I can point to in my time as a police investigator.
Like I said, we seized these computers and my boss wanted me to work my newfound magic on them. "Ok," I said, "what would you like me to look for?" The first answer was "Anything." Ummm... that doesn't work. So I asked him about key word searches. He said "YES!" Ok, what key words would you like me to search for? "Weed. Pot. Drugs. Money."
Are we seeing a problem here yet? If not, allow me to explain...
Key word searches are generally conducted over the entire forensic image (i.e., the exact copy of the media). This amount of data can be as "small" as 16 GB on your smart phone or as large as the 4 TB (or more) hard drive I have in for analysis now. Yes, we can limit the searches to specific partitions or pieces of evidence in a global case if necessary, but generally speaking, I like to search an entire physical hard drive just to see what we can find. The way modern forensic tools conduct these searches is by translating the search term into any number of character encodings and then scanning all of the data for those encoded byte patterns, i.e., the key word. This can often take a bit of time and VERY often yields false positives and/or repetitive hits. In the screen shot below, you can see that my very basic search on a current case for five simple terms (four names and the word "ashes") yielded thousands of hits while only 4% of the drive had been scanned. Not only does this not bode well for maximizing the examiner's time, but the hits are so voluminous that they tend to blur together after a while. Plus, because nothing separates the term from the characters around it, the search for the term "ashes" will hit on every single word that contains those characters in that order: sashes, hashes, flashes, mashes... you get the idea. Tons of false positives. The same is true for all of the terms my former supervisor told me to search for.
On the next search, I remembered some of my key word training: insert a space before and after the search term(s). This ensures that ONLY your term is reported back in the hits. The number of hits went from thousands to just a few hundred. Not only that, they were much easier to sift through to see what may be relevant vs. what isn't.
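To make the two paragraphs above concrete, here is a miniature key word search over raw image bytes. This is an added example, not code from the original post or from any forensic tool: the term is translated into the byte encodings a tool would scan for (ASCII and UTF-16LE here), then matched three ways: as a bare substring (the sashes/hashes/flashes problem), padded with spaces as recommended above, and with an encoding-aware word boundary, which also catches the term when it sits next to punctuation or a line break that the padded search misses. `SAMPLE_IMAGE` is a constructed stand-in for a slice of a forensic image.

```python
"""Added example (not from the original post): key word search over raw bytes,
comparing bare, space-padded and word-boundary matching per encoding."""
import re

ENCODINGS = ("ascii", "utf-16-le")

# Lookarounds that reject a letter or digit adjacent to the term. In UTF-16LE
# every character is two bytes, so the boundary must look past the NUL byte;
# a plain \b would wrongly match "ashes" inside UTF-16LE "hashes".
BOUNDARY = {
    "ascii": (rb"(?<![A-Za-z0-9])", rb"(?![A-Za-z0-9])"),
    "utf-16-le": (rb"(?<![A-Za-z0-9]\x00)", rb"(?![A-Za-z0-9]\x00)"),
}

# Constructed sample: ASCII text plus a UTF-16LE string, the encoding Windows
# uses for many documents, registry values and other artifacts.
SAMPLE_IMAGE = (
    b"He scattered the ashes near the hashes of the old mashes.\n"
    b"Sashes and flashes; ashes again, Ashes.\n"
    + "Hashes and the ashes were buried".encode("utf-16-le")
)


def count_hits(image: bytes, term: str, mode: str = "bare") -> dict:
    """Count case-insensitive hits of `term` in each encoding.

    mode="bare"      substring search: every word containing the term hits
    mode="padded"    the post's trick: search for " term " instead of "term"
    mode="boundary"  word-boundary search: also finds "term." and "term\\n"
    """
    counts = {}
    for enc in ENCODINGS:
        if mode == "bare":
            pattern = re.escape(term.encode(enc))
        elif mode == "padded":
            pattern = re.escape((" " + term + " ").encode(enc))
        elif mode == "boundary":
            before, after = BOUNDARY[enc]
            pattern = before + re.escape(term.encode(enc)) + after
        else:
            raise ValueError(f"unknown mode {mode!r}")
        counts[enc] = len(re.findall(pattern, image, re.IGNORECASE))
    return counts


if __name__ == "__main__":
    for mode in ("bare", "padded", "boundary"):
        print(f"{mode:9s} {count_hits(SAMPLE_IMAGE, 'ashes', mode)}")
```

On the constructed sample the bare search reports 7 ASCII hits and 2 UTF-16LE hits, the padded search 2 and 1, and the boundary search 3 and 1; the extra boundary hit is the "Ashes." that a trailing period hides from the padded search.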
So if you're sending a computer, smart phone or other digital device to your forensic examiner and key word searches may be relevant to your case (and they often are), here are a few tips that may help him or her out:
- The longer the search term, the better. Think about it this way: if I searched for one whole sentence in this blog as opposed to just one or two words together in the same sentence, that would drastically cut down on the false positives AND the time it takes to produce and examine the results. More is definitely better.
- Short words are bad. Even with a space before and after the search term, short words yield a ton of false positives and the hits for those terms will just keep climbing. Best bet: try to use longer words in your search terms, which hopefully also consist of multiple words. "Connecticut" is much better than "con" or "cut".
- Unique terms are good. Full names of people involved, cities and unique internet search terms are all great things to search for and will narrow the scope of the key word search.
- Think globally. Don't just think about the case you have before you, but think about other things the owner of the computer or smart phone may be involved in that are on the periphery of your case. Then incorporate that mindset into the information you provide your forensic examiner, using the first two tips.
Key word searches often provide valuable evidence, but generally they're also just pieces in the bigger puzzle. By providing the right key words from the start, you can help your forensic examiner be more effective and, hopefully, get you the evidence you need faster. Whether you're an investigator, attorney, IT security professional or other interested party, just please don't give the one dreaded "key word" answer when your forensic examiner asks you what to look for: "Anything."
Author: Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.