Saturday, June 20, 2015

Metadata


The Relevance of Metadata

There are numerous pieces of evidence that hold value in a digital forensic investigation.  Like all investigations, we try to answer the basic questions: Who, what, where, when, how and, if applicable, why.  In the world of digital forensics, there is perhaps no single category of data that helps answer these questions more than metadata.  Metadata has gotten a lot of [bad] press lately because of the “revelation” that the U.S. government is collecting cellular usage metadata in their ongoing fight against domestic and international terrorism.  But what is metadata?

Simply put, metadata is data about data.  Now, you’re probably reading that and saying “oh, ok… What?!”  So I’ll try to break it down a bit.  One of the most basic and understandable examples is the Microsoft Word document I’m using to write this blog article.  The data is what is contained in the document: the actual text, pictures, etc.  The metadata is all of the background information -- who created the document, when it was created, modified or accessed, who the owner of the document is and so forth.  All of this identifying information comes from various sources.  Some of it is created when you first install Windows or another operating system.  When you install the operating system, you generally create a user account and subsequently install utilities on that computer using that account.  This is where some metadata starts.  Then, when you install a utility (like MS Word), it prompts you to enter author/owner information, which is then attributed to every document created on that user account through MS Word.  Are you starting to see how this information could be useful in a multitude of investigations?

Take it a step further...

You know that smart phone you carry around in your pocket and take selfies with?  There’s all sorts of metadata about those pictures, too. It’s called EXIF data and it contains a virtual treasure trove of information that we use in our investigations to help prove or disprove a claim in a particular case.  This wealth of information includes the date & time the picture was taken, the device on which the picture was taken, the latitude and longitude (location) where the picture was taken and the operating system of the device.  For stand-alone digital cameras, this EXIF data can also include the shutter speed, aperture settings and other associated photographic data.  It really is quite valuable for investigators.

So what does metadata look like to the digital forensic examiner?  The various forensic tools we use parse this data, but you can look at it too.  For instance, this picture was taken recently during a presentation for the Private Investigator’s Association of Virginia (PIAVA) in McLean, VA:


By using a free tool called IrfanView, I’m able to extract and view the native EXIF data:

Filename - _DSC1749 Lo Rez.jpg
Orientation - Top left
ImageWidth - 4928
ISOSpeedRatings - 640
ImageLength - 3280
ExifVersion - 0221
BitsPerSample - 8 8 8
DateTimeOriginal - 2015:06:18 20:13:47
PhotometricInterpretation - 2
DateTimeDigitized - 2015:06:18 20:13:47
Make - NIKON CORPORATION
ShutterSpeedValue - 1/60 seconds
Model - NIKON D4S
ApertureValue - F 6.30
Orientation - Top left
ExposureBiasValue - -0.33
SamplesPerPixel - 3
MaxApertureValue - F 2.83
XResolution - 150.00
ExifImageWidth - 1050
YResolution - 150.00
ExifImageHeight - 826
ResolutionUnit - Inch
FocalPlaneXResolution - 1368.89
Software - Adobe Photoshop CC 2014 (Windows)
FocalPlaneYResolution - 1368.89
Copyright - Ron XXXX
FocalPlaneResolutionUnit - Centimeter
ExifOffset - 332
SensingMethod - One-chip color area sensor
ExposureTime - 1/60 seconds
FileSource - DSC - Digital still camera
Orientation - Top left
SceneType - A directly photographed image
SamplesPerPixel - 3
CustomRendered - Normal process
ResolutionUnit - Inch
ExposureMode - Auto
Software - Adobe Photoshop CC 2014 (Windows)
ISOSpeedRatings - 640
DateTime - 2015:06:19 09:16:26
ExifVersion - 0221
Artist - Ron XXXX
ExifOffset - 332

As you can see, this EXIF data provides much more information about the picture that the user hardly ever sees.  This particular camera does not have GPS enabled, but your smart phone does, providing even more detailed information about the location the picture was taken.  The evidence contained in the photograph itself is only the beginning.
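To show what a tool like IrfanView is actually reading when it produces a listing like the one above, here is a small stdlib-only EXIF reader.  It is an added example, not code from this post or from IrfanView.  It builds a constructed JPEG whose Make, Model, DateTime, DateTimeOriginal and ExposureTime copy values from the dump above and whose GPS coordinates are invented for illustration, then walks the APP1/Exif segment the way a forensic parser does: IFD0, the Exif sub-IFD and the GPS sub-IFD.  The tag numbers are the standard EXIF/TIFF ones; the image bytes and the helper names (`build_sample_jpeg`, `parse_jpeg_exif`, `gps_to_decimal`) are this example’s own.

```python
import struct

# TIFF/EXIF field types used here and their byte sizes (TIFF 6.0, section 4.6.2)
ASCII, SHORT, LONG, RATIONAL = 2, 3, 4, 5
TYPE_SIZE = {1: 1, ASCII: 1, SHORT: 2, LONG: 4, RATIONAL: 8, 7: 1}
EXIF_IFD, GPS_IFD = 0x8769, 0x8825  # pointer tags to the two sub-IFDs
TIFF_TAGS = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software", 0x0132: "DateTime",
             0x829A: "ExposureTime", 0x9003: "DateTimeOriginal", 0x9004: "DateTimeDigitized"}
GPS_TAGS = {0x0001: "GPSLatitudeRef", 0x0002: "GPSLatitude",
            0x0003: "GPSLongitudeRef", 0x0004: "GPSLongitude"}


def _decode(e, typ, count, raw):
    """Turn the raw bytes of one IFD entry into a Python value (e is the struct byte-order char)."""
    if typ == ASCII:
        return raw.rstrip(b"\x00").decode("ascii", "replace")
    if typ in (SHORT, LONG):
        vals = struct.unpack(e + ("H" if typ == SHORT else "I") * count, raw)
        return vals[0] if len(vals) == 1 else list(vals)
    if typ == RATIONAL:  # pairs of unsigned 32-bit (numerator, denominator)
        ints = struct.unpack(e + "I" * (2 * count), raw)
        return [(ints[i], ints[i + 1]) for i in range(0, 2 * count, 2)]
    return raw


def parse_tiff(tiff):
    """Walk IFD0 plus the Exif and GPS sub-IFDs of the TIFF structure inside an Exif segment."""
    if tiff[:2] not in (b"MM", b"II"):
        raise ValueError("bad TIFF byte-order mark")
    e = ">" if tiff[:2] == b"MM" else "<"
    magic, ifd0 = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF magic")
    tags, seen = {}, set()

    def read_ifd(off, names):
        # Offsets come from the file, not from us: refuse loops and out-of-range IFDs.
        if not isinstance(off, int) or off in seen or off + 2 > len(tiff):
            return
        seen.add(off)
        (n,) = struct.unpack(e + "H", tiff[off:off + 2])
        for i in range(n):
            entry = off + 2 + 12 * i
            if entry + 12 > len(tiff):
                raise ValueError("truncated IFD")
            tag, typ, count = struct.unpack(e + "HHI", tiff[entry:entry + 8])
            size = TYPE_SIZE.get(typ, 1) * count
            # Values of 4 bytes or fewer are stored inline; larger ones at an offset from the TIFF header.
            where = entry + 8 if size <= 4 else struct.unpack(e + "I", tiff[entry + 8:entry + 12])[0]
            raw = tiff[where:where + size]
            if len(raw) != size:
                raise ValueError("entry points outside the TIFF data")
            value = _decode(e, typ, count, raw)
            if tag == EXIF_IFD:
                read_ifd(value, TIFF_TAGS)
            elif tag == GPS_IFD:
                read_ifd(value, GPS_TAGS)
            else:
                tags[names.get(tag, "Tag0x%04X" % tag)] = value

    read_ifd(ifd0, TIFF_TAGS)
    return tags


def parse_jpeg_exif(jpeg):
    """Find the APP1 'Exif' segment among the JPEG headers and parse it; {} if there is none."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker in (0xFFDA, 0xFFD9):  # start of scan / end of image: no more header segments
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00":
            return parse_tiff(jpeg[pos + 10:pos + 2 + length])
        pos += 2 + length
    return {}


def gps_to_decimal(tags):
    """Convert the (deg, min, sec) RATIONAL triples plus N/S/E/W refs to signed decimal degrees."""
    if "GPSLatitude" not in tags or "GPSLongitude" not in tags:
        return None

    def dms(parts, ref):
        deg, mins, secs = [(n / d if d else 0.0) for n, d in parts]
        value = deg + mins / 60 + secs / 3600
        return -value if ref in ("S", "W") else value

    return (dms(tags["GPSLatitude"], tags.get("GPSLatitudeRef", "N")),
            dms(tags["GPSLongitude"], tags.get("GPSLongitudeRef", "E")))


# --- constructed sample image (builder is only here so the example runs offline) ---
def _encode(typ, value):
    if typ == ASCII:
        return value.encode("ascii") + b"\x00"
    if typ == LONG:
        return struct.pack(">I", value)
    return b"".join(struct.pack(">II", n, d) for n, d in value)  # RATIONAL pairs


def _serialize_ifd(entries, start):
    """Big-endian IFD placed at TIFF offset `start`; oversized values are appended after the table."""
    table, blob, data_off = b"", b"", start + 2 + 12 * len(entries) + 4
    for tag, typ, value in entries:  # entries must already be sorted by tag
        data = _encode(typ, value)
        count = len(data) // TYPE_SIZE[typ]
        if len(data) <= 4:
            field = data.ljust(4, b"\x00")
        else:
            field, blob = struct.pack(">I", data_off + len(blob)), blob + data
        table += struct.pack(">HHI", tag, typ, count) + field
    return struct.pack(">H", len(entries)) + table + b"\x00" * 4 + blob


def build_sample_jpeg():
    """Constructed JPEG: camera/time values from the post, GPS position invented (not the real venue)."""
    def ifd0(exif_off, gps_off):
        return _serialize_ifd([(0x010F, ASCII, "NIKON CORPORATION"), (0x0110, ASCII, "NIKON D4S"),
                               (0x0132, ASCII, "2015:06:19 09:16:26"),
                               (EXIF_IFD, LONG, exif_off), (GPS_IFD, LONG, gps_off)], 8)
    exif_off = 8 + len(ifd0(0, 0))  # pointer fields are fixed-size, so IFD0's length is stable
    exif = _serialize_ifd([(0x829A, RATIONAL, [(1, 60)]), (0x9003, ASCII, "2015:06:18 20:13:47")], exif_off)
    gps_off = exif_off + len(exif)
    gps = _serialize_ifd([(0x0001, ASCII, "N"), (0x0002, RATIONAL, [(38, 1), (56, 1), (3000, 100)]),
                          (0x0003, ASCII, "W"), (0x0004, RATIONAL, [(77, 1), (10, 1), (4200, 100)])], gps_off)
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8) + ifd0(exif_off, gps_off) + exif + gps
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    found = parse_jpeg_exif(build_sample_jpeg())
    for name, value in found.items():
        print(f"{name} - {value}")
    print("decimal position:", gps_to_decimal(found))
```

Two things worth noticing when reading EXIF this way.  First, every offset the parser follows comes from the file, not from the examiner, so the bounds checks and the loop guard are what keep a damaged or deliberately odd file from crashing the tool.  Second, EXIF is written by the camera and rewritten by any software that re-saves the image; the dump above shows exactly that, with a Software tag naming Photoshop and a DateTime a day later than DateTimeOriginal.  Treat EXIF values as one source to be corroborated against file-system timestamps and other evidence, not as proof on their own.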

This data isn’t restricted to documents and photographs.  In fact, metadata at a basic level is an extremely important piece of information in digital forensic examinations.  Data like this not only accompanies documents, images, etc., but is also stored in the file table of the operating system or of the external media (e.g., thumb drives, SD cards) on which you store those documents and pictures.  File tables are created when you format a piece of media; they keep track of the files and let the operating system find them quickly.  External media like thumb drives and SD cards store only basic metadata in their file tables, while your Windows or Mac operating system stores much more.  Sometimes even more valuable are the natively created copies, backups and shadows of your operating system, which can hold historical data about when files were altered, previously existed on, or were removed from the system.
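The file-table metadata described above is what examiners turn into a timeline.  As an added example (not code from this post), the following Python builds a small constructed directory, reads the three timestamps the file system keeps for each file, sorts them into a timeline, and flags files whose modified time is much older than their change time.  The file names and dates are constructed; the helper names (`file_mac_times`, `build_timeline`, `inconsistent_files`, `demo`) are this example’s own.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def file_mac_times(path):
    """The three timestamps a file system keeps for one file, as timezone-aware UTC datetimes."""
    st = os.stat(path)

    def as_utc(t):
        return datetime.fromtimestamp(t, tz=timezone.utc)

    # st_ctime is the inode/metadata change time on Linux and macOS and the creation time on
    # Windows; in both cases os.utime cannot set it, unlike mtime and atime.
    return {"modified": as_utc(st.st_mtime), "accessed": as_utc(st.st_atime), "changed": as_utc(st.st_ctime)}


def build_timeline(root):
    """Walk a directory tree and return (time, event, relative path) rows sorted by time."""
    rows = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            for event, when in file_mac_times(path).items():
                rows.append((when, event, os.path.relpath(path, root)))
    rows.sort()
    return rows


def inconsistent_files(root, slack=timedelta(days=1)):
    """Files whose mtime predates their ctime by more than `slack`: the content timestamp claims
    one date while the file system says the entry itself was written much later (copied with
    timestamps preserved, restored from a backup, or backdated), so they deserve a closer look."""
    flagged = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            t = file_mac_times(os.path.join(dirpath, name))
            if t["changed"] - t["modified"] > slack:
                flagged.append(os.path.relpath(os.path.join(dirpath, name), root))
    return flagged


def demo():
    """Constructed scenario: two files are given June 2015 modified/accessed times with os.utime,
    as a timestamp-preserving copy would; their ctime stays the real time they were written."""
    june18 = datetime(2015, 6, 18, 20, 13, 47, tzinfo=timezone.utc).timestamp()
    june19 = datetime(2015, 6, 19, 9, 16, 26, tzinfo=timezone.utc).timestamp()
    with tempfile.TemporaryDirectory() as root:
        for name, stamp in (("report.docx", june19), ("_DSC1749.jpg", june18)):
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample content")
            os.utime(path, (stamp, stamp))  # sets atime and mtime only
        rows = build_timeline(root)
        return {"earliest": (rows[0][1], rows[0][2]),
                "flagged": sorted(inconsistent_files(root)),
                "row_count": len(rows)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "-", value)
```

The flag is a prompt for examination, not a verdict: a restored backup produces the same pattern as deliberate backdating, and the shadow copies and backups mentioned above are where the earlier versions of such a file, and their own timestamps, are usually found.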

Digital forensic examiners pull the threads and unravel the tapestry of the evidence.  We look for the information that shows us what was going on and, hopefully, who was responsible.  With data storage devices at everyone’s fingertips in the digital age, this information and evidence is invaluable in helping to prove or disprove a claim.  As I tell groups of attorneys, investigators and information security officers all the time, the data doesn’t lie.  It helps paint a clearer picture of what happened, which is ultimately what everyone is after: The truth.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.

Twitter: @ProDigital4n6

Friday, June 12, 2015

The Art of Estimation

The Art of Estimation (in Digital Forensics)

In business, there are definite priorities.  Priorities are often driven by cost, time and available resources, regardless of the line of business in which you operate.  Digital forensics is definitely a niche business.  Many of our clients are litigators & investigators who are retained by clients during some sort of dispute, part of which may be settled through the proper acquisition and analysis of digital evidence.  Regardless, they almost always want to know the two factors that affect nearly every business decision:

1) How much does it cost?

And

2) How long will it take?

While these questions may seem simple to answer, in a digital forensic case they are often affected by a number of variables.  Some of these variables can be anticipated, but many of them cannot.  It’s because of these variables that many in the legal services field (including us) are starting to transition to a flat-fee system of providing estimates.  While we currently only use this system for mobile devices, we’ve found it helps our clients make informed, definite decisions about which direction they’d like to proceed after presenting the initial facts of the case.  Mobile device acquisition and analysis is a big part of our service offering, but the variables encountered in computer forensic analysis (e.g., desktop, laptop, portable hard drives, etc.) can be even trickier.

The problem with providing a decent estimate on computer forensic cases comes down to simple math.  If an acquisition and analysis on a mobile device that stores 32 GB worth of data takes X amount of time, think about how much time it takes to examine a computer hard drive of 1 TB or more.  This is the problem with big data from a forensic perspective.  Most people really don’t have a firm grasp on how much data can be stored on a 32 GB mobile device, let alone a 1 TB hard drive or larger.  The sheer volume of data that exists on media with this high capacity is astonishing.  Factor in that your case may involve video or other multimedia files, which take longer to process and view, and the clock just keeps ticking up on your case.

Through years of case work in both the private and governmental sectors, we’ve learned to try and drill down exactly what is relevant to the case to mitigate the length of these examinations to a degree.  However, as in police work when a detective hands a forensic examiner a computer and says “find me whatever you can”, clients will sometimes retain our services for what we term as an “open-ended” investigation.  These types of cases can often cost clients thousands of dollars, so when we’re asked to give an estimate on them, we’re obligated to estimate on the high range.  It’s always better to estimate high and bill low than vice-versa.

Unfortunately, those variables that are unforeseen are the real bugaboo.  As a matter of practice, we generally incorporate these into our estimates, but as Murphy’s law has it, there’s always something that can go wrong and at the wrong time.  Ethical business practices dictate that we stick to our estimates and “eat” the extra time it takes to get the work done, but those instances factor into our next estimate for subsequent clients as well.

Then there are the cases when we have to give a WAG estimate – a Wild Ass Guess.  And while the WAG is a humorous term for it, we still try to incorporate experience along with case-specific information from the client to come up with a decent estimate.  But the WAG estimates are those in which the perfect storm of absence of information exists: an open-ended request with moderate to big data size and little information provided by the client.  Estimates like this can be hard to swallow, but we try to be consistent and reasonable.



So how do you mitigate all of these factors?  When you call a digital forensic consultant with a request, have as much case-specific information as possible.  Know what you’re looking for and where it may be located.  Be open and honest.  We adhere to strict confidentiality in all cases and, trust me, we’ve seen and heard it before, so your case isn’t any more shocking than anything else we’ve seen.  Understand that these things take time.  Often during an examination, we find something we’ve not encountered before, which takes research and documentation.  For example, if you are investigating a financial case and there is the potential for valuable data to reside within a specific bookkeeping program (e.g., Quicken), we may need to research the file format(s) used by that program and any encryption, data protection or other considerations with regard to those files.  We’ve seen a lot, but we haven’t seen it all (yet).

The bottom line: If we can get as much information as possible about your case BEFORE you retain us, we can provide a more accurate estimate of how much your case may cost and avoid the WAG estimates.  The data we find may help settle your case much, much faster than it would have been without the data analysis, therefore saving you more money in the long run.  That alone is worth the investment in a digital forensic expert.
