Wednesday, December 14, 2016

Analysis vs. Translation

Very often, examiners get called upon to do what may be referred to as "push-button forensics": we acquire data, plug it into a tool, and wait for the tool's processing and output to tell us what we have that may be relevant to the case.  Unfortunately, this isn't forensics at all; it's letting software do the job for us.  Perhaps that's why some prefer forensic tools such as X-Ways Forensics: while X-Ways makes the examiner's job easier, the data is not served up on a "silver platter" and the examiner still has to know how the tool works and how and where to find the relevant data.  That is analysis and investigation, not simple data extraction and reporting.  But there are nuances to this practice that go beyond the analysis itself if the final product is to be useful and understandable.

Analysis Levels

In digital forensics, analysis levels are important to know and distinguish.  Very often, the quick acquisition of evidence and triage of data can lead to a break in a missing-juvenile case or help stem further data loss while mitigating a breach.  Triaging evidence can also help identify which pieces are more likely relevant and help examiners spend less time weeding through data that is simply not important.  However, triage is a very low-level type of analysis.  It's so low-level that triage of digital evidence is now taught to non-examiners just to streamline the overall examination process.  Triage results should be used for investigative leads only, because the finer points, where the data is stored, how it got there, who put it there and other key factors, are usually not part of a triage.
When we dive deeper into the analysis of the evidence, we get into the nuts and bolts of forensics.  Important factors include the type of file system, the user accounts on the system, the system's time zone offset (a wrong offset shifts every timestamp in the timeline), and the files and their metadata.  This is the area where some push-button tools operate, because they do go deeper than triage or preview, but it's also a danger zone for many would-be examiners.  Push-button tools are great for pointing you in the right direction, but they sometimes lack the detail that forensics requires.  And as any experienced examiner will tell you, the devil is in the details.



Deeper levels of examination, analysis and investigation require intense skill and, above all, experience.  No course of study can prepare an examiner for trying to prove or disprove the really hard cases.  For example, will a push-button tool really help you prove a child exploitation case without any images being present on the system?  Probably not.  Even if it did present some valuable evidence, you'd have to dive deeper and search for fragments, history and other evidence that may be "hidden" or very difficult to locate.  Most push-button tools won't dive into slack space or Volume Shadow Copies on their own.  Slack space is the unused tail of a file's last allocated cluster, and it can retain fragments of whatever occupied that cluster before; Volume Shadow Copies are Windows snapshots that can hold earlier versions of files since deleted or overwritten.  Push-button tools are designed to streamline the digital evidence process to decrease backlogs and get cases out the door faster.  This is a dangerous trap in forensics and one examiners must constantly work to avoid.
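To make the slack-space point concrete, here is an added example (not code from the original post) that builds a small in-memory volume with 4096-byte clusters, writes an "old" file, treats it as deleted, writes a shorter "new" file into the same cluster, and then carves printable strings from the new file's slack.  The cluster size, the cluster number and both files' contents are constructed for the demonstration.

```python
"""Carving file slack from a constructed disk image.

Added example, not code from the original post. It builds an in-memory
volume with 4096-byte clusters, writes an "old" file into one cluster,
treats it as deleted, then writes a shorter "new" file into the same
cluster. The bytes between the new file's end and the end of its last
cluster are file slack and still hold the tail of the old file. The cluster
size, the cluster number and both files' contents are constructed here.
"""
import re
from typing import List, Tuple

CLUSTER = 4096  # assumed allocation unit; NTFS defaults to 4 KiB on most volumes


def slack_range(file_size: int, cluster: int = CLUSTER) -> Tuple[int, int]:
    """Return (offset from the file's first byte, length) of its file slack:
    the bytes between logical EOF and the end of the last allocated cluster.
    A file whose size is an exact multiple of the cluster size has no slack."""
    remainder = file_size % cluster
    if remainder == 0:
        return file_size, 0
    return file_size, cluster - remainder


def write_file(volume: bytearray, first_cluster: int, data: bytes) -> None:
    """Write data starting at a cluster boundary. Like a real file system this
    only touches the bytes the file occupies; the remainder of the last
    cluster keeps whatever was there before, which is why slack survives."""
    start = first_cluster * CLUSTER
    volume[start:start + len(data)] = data


def carve_slack(volume: bytes, first_cluster: int, file_size: int,
                min_len: int = 8) -> List[str]:
    """Return printable-ASCII strings of at least min_len bytes found in the
    slack of the file allocated at first_cluster with the given size."""
    offset, length = slack_range(file_size)
    start = first_cluster * CLUSTER + offset
    slack = bytes(volume[start:start + length])
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, slack)]


def build_demo_volume() -> Tuple[bytearray, int]:
    """Constructed scenario. Returns the volume and the new file's size.
    Cluster 7 first holds a 137-byte file; after "deletion" (which only
    unlinks the directory entry and leaves the data in place) a 110-byte
    file is written at the same cluster."""
    volume = bytearray(16 * CLUSTER)
    old_file = b"A" * 100 + b"ACCOUNT NUMBER 12-3456 SEND BY FRIDAY"
    write_file(volume, 7, old_file)
    new_file = b"N" * 110
    write_file(volume, 7, new_file)
    return volume, len(new_file)


if __name__ == "__main__":
    vol, size = build_demo_volume()
    print("slack (offset, length):", slack_range(size))
    print("strings carved from slack:", carve_slack(vol, 7, size))
```

The carved string is the tail of the old file that the new, shorter file never overwrote.  Any cluster of the old file beyond the new file's extent is unallocated space rather than slack, and a wipe or a file whose size is an exact cluster multiple leaves nothing to carve, which is why a tool that only reports logical files will miss it entirely.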

So once we've done our in-depth analysis and completed the digital forensic portion of the investigation, then what do we do?  This is where the intangible asset of translation becomes the point where the proverbial rubber meets the road.  Without it, the evidence is almost useless.

The Value of Translation

A wise man once said, "You can make a cop a geek, but you can't make a geek a cop!"  So what's a "geek" and what's a "cop" and why is it only a one-way street?  In this discussion, the term "geek" is used to describe a person who is good with computers and technology, enjoys gadgets and all of the new innovations on the market today, and even goes so far as to learn more about them, study them and hone their knowledge of them.  These are skills that are necessary for a good digital forensic examiner.  One can be taught about file systems, operating systems, metadata, slack and unallocated space, but without the ability to articulate what those things are and why they're important (i.e., relevant) in your investigation, those skills are only utilitarian.



In this discussion, a "cop" is someone who has an inquisitive nature.  A truth-seeker.  A trained hunter of facts.  Someone who has honed the ability to weed out what may be irrelevant and concentrate on the facts or evidence that help prove or disprove the matter being investigated.  Most importantly, they've honed the ability to explain and articulate that evidence for the stakeholders in the case, whether other investigators, attorneys, judges or juries (i.e., laypeople).  It is this intangible asset that turns the analysis into something meaningful.  All of the technical skills in the world don't matter if you cannot articulate what you did, why you did it, what you found, and where and how it got there.  Even the ability to explain what you did not find is an asset to a trained examiner.  Sometimes the absence of evidence can be evidence in itself.

So when it's said that you "...can't make a geek a cop", what it means is that many "geeks" largely lack this intangible ability.  Think back to the last time you asked a really technical person a question.  You probably received a very technical answer, which is not something laypeople often understand.  The ability to whittle the minutiae down into specific, articulable and understandable talking points is something many people in general don't possess, let alone highly technical people.

Wrapping it up

Analysis is but one important component of digital forensics.  The translation of that analysis into specific articulated facts is quite another.  It's hard for technical schools to teach students two basic, yet very important skills:  critical thinking and effective communication.  So just because someone has a degree/certification in digital forensics or law or medicine doesn't always mean they can effectively translate (i.e., communicate) what they know, suspect or conclude based upon the evidence at hand.  This ability comes from one primary source: experience.

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others). He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Twitter: @ProDigital4n6

Monday, November 21, 2016

Problem Solving Digital Forensics

For those of you who are involved in (and can tell people about) active digital forensic casework, you probably get the same response when you tell others about your job: “Wow!  That sounds really cool!”  Yes, it sounds cool and can often be very interesting, but many cases are mundane and repetitive.  Oftentimes, the most challenging part of digital forensics is getting to the data, that is, acquiring it so we may conduct our analysis fully and appropriately.  That is when the life skill of problem solving comes in very handy.  Problem solving is an evolving need in both computer and mobile device forensics and will continue to be as the industry progresses.  It’s also not a skill that is taught so much as ingrained and acquired over time with experience.

Problem Solving Computer Forensics

The methodology in computer forensics has remained virtually unchanged over the years.  Yes, the technology changes and brings additional considerations with it, but at the core we are trained to create a forensic disk image, verify it (hash the source and the image and confirm the values match) and conduct our analysis on that exact copy of the media.  However, the integration of newer technology such as solid-state drives in various form factors, and flash storage soldered directly to the logic board of some computers, presents a problem that needs to be solved.  With items like this, we can’t always simply remove the media and create our forensic image; we need to work around the problem while still maintaining the integrity of the evidence.  I’m often asked how to acquire the main memory on items such as newer Mac computers.  For this particular subset of technology, we generally find Paladin by Sumuri to be a great resource.  The Linux-based bootable tool (which is also free) provides a non-intrusive forensic solution: boot the machine from the Paladin media and image the internal storage from there, simply and easily, without tearing the complex hardware apart.  The usual checks still apply: the boot environment must not mount the internal storage writable, and the resulting image must be hash-verified like any other.  There are other tools for troubleshooting this as well.
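The image-then-verify step described above, as an added example that is not the author’s procedure nor Paladin’s or any imaging tool’s code.  The source is normally a block device such as /dev/sdb behind a write-blocker or in a read-only boot environment; here it is a constructed temporary file.  acquire_image() hashes the bytes as they are read and written, and verify_image() re-reads the finished image and recomputes the same digests; only a match counts as verified.

```python
"""Chunked forensic acquisition with in-flight and post-write hash verification.

Added example; not the author's procedure nor Paladin's or any imaging
tool's code. acquire_image() streams a source (normally a block device
such as /dev/sdb behind a write-blocker or a read-only boot environment;
here a constructed temp file) into a raw image while hashing the bytes as
they are read, then verify_image() re-reads the finished image and
recomputes the same digests. Only a match on both counts as verified.
"""
import hashlib
import os
import tempfile
from typing import Dict, Tuple

ALGOS = ("md5", "sha256")   # two independent digests, as most imaging tools record
CHUNK = 1 << 20             # 1 MiB reads keep a slow bus (e.g. USB 2.0) streaming


def hash_stream(path: str, algos=ALGOS, chunk: int = CHUNK) -> Dict[str, str]:
    """Hash a file or block device in chunks; returns {algorithm: hexdigest}."""
    hashers = {a: hashlib.new(a) for a in algos}
    with open(path, "rb", buffering=0) as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashers.items()}


def acquire_image(src: str, dst: str, chunk: int = CHUNK) -> Dict[str, str]:
    """Copy src to dst bit for bit, hashing source bytes as they pass through.
    The returned digests describe what was read, which is the value to record
    in the acquisition notes."""
    hashers = {a: hashlib.new(a) for a in ALGOS}
    with open(src, "rb", buffering=0) as fin, open(dst, "wb") as fout:
        for block in iter(lambda: fin.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
            fout.write(block)
        fout.flush()
        os.fsync(fout.fileno())   # make sure the image really reached the media
    return {a: h.hexdigest() for a, h in hashers.items()}


def verify_image(dst: str, acquisition_hashes: Dict[str, str]) -> bool:
    """Re-read the image from the destination media and compare with the
    in-flight digests. A mismatch means the stored image is not what was
    read: bad cable, failing destination disk, or a source that changed."""
    return hash_stream(dst, tuple(acquisition_hashes)) == acquisition_hashes


def demo() -> Tuple[bool, bool]:
    """Constructed run: image a fake 3 MiB 'device', verify it, then flip one
    byte in the image and verify again. Returns (verified, verified_after_tamper)."""
    with tempfile.TemporaryDirectory() as work:
        src = os.path.join(work, "fake_device.bin")
        img = os.path.join(work, "evidence.dd")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 123))  # deliberately not a CHUNK multiple
        hashes = acquire_image(src, img)
        intact = verify_image(img, hashes)
        with open(img, "r+b") as f:               # simulate one corrupted byte
            f.seek(CHUNK + 7)
            b = f.read(1)
            f.seek(CHUNK + 7)
            f.write(bytes([b[0] ^ 0xFF]))
        return intact, verify_image(img, hashes)


if __name__ == "__main__":
    print("verified, verified after tampering:", demo())
```

Matching digests prove that the image on disk is the same bytes that were read from the source; they do not prove the source was left untouched, which is the job of the write-blocker or read-only boot environment.  Record both hash values, the tool, the time and the media serial numbers in the acquisition notes at the time of imaging.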



But what about issues like encryption?  Network storage?  RAID arrays?  Generally speaking, there are solutions available to deal with these circumstances, but when it comes down to the specific hardware, software and environment in a given case, you can almost always be guaranteed that some case-specific problem solving will need to take place.  For instance, a case we worked in 2015 required acquisition of network folders from an Exchange 2003 server.  Not only was the server slow, but the process overall was painfully slow because of the outdated technology.  The data connections were out of date (SCSI), the transfer rates were slow (USB 2.0) and the acquisition took much longer than we would have preferred.  When working cases of varying type and technology, sometimes the most important questions are the ones you ask (or forget to ask) prior to getting on-scene.  Interface types, total data volume, RAID controller and configuration, whether anything is encrypted and whether the system can be taken offline all belong on that list.

Problem Solving Mobile Device Forensics

As mentioned in previous articles, my personal forensic experience did not start out in the mobile device space; rather, basic and more advanced training was gained on the computer/dead-box forensic side first, then evolved into the mobile space within the past 3 years or so.  To say that acquiring the data in mobile forensic cases involves some problem solving is an understatement.  Consider that the security on devices such as the iPhone (and other associated iDevices) has consistently given digital forensic examiners problems throughout the past few years, to the point of frustration.  Then add into the mix the multitude of manufacturers and software versions for Android-based devices and the water gets muddier still.  Now throw in the “feature phones” with proprietary operating systems and almost countless manufacturers from all over the globe and we have a problem-solving mess on our hands.

This is why companies like Cellebrite, Oxygen, Magnet Forensics, MSAB (XRY) and others exist.  Yes, they all do an adequate job parsing, presenting and reporting the data once it has been acquired, but before we even get to that point, we need to acquire the data.  Acquisition has emerged as the biggest challenge in mobile device forensics.  This is why we pay so much for those licenses and renewals every year.



Techniques such as ISP (in-system programming: reading the flash chip through test points on the board), JTAG (the chip’s boundary-scan debug port) and chip-off (desoldering the flash package and reading it in a dedicated reader) have emerged as commonly accepted methods for bypassing this security and accessing the data.  These methods have given rise to a newer form of problem-solving in which we read the physical memory storage on the device directly to obtain a data extraction.  However, a raw flash dump is only useful if the data on it is readable: on a device that encrypts its storage with keys bound to its own hardware, the dump is ciphertext without the device’s key handling.  That is the main reason these methods likely won’t be viable indefinitely, and the problem-solving part of the mobile forensics industry will need to keep evolving to acquire the data for years to come.

Wrapping it up

Problem solving is a tangible skill.  If digital forensic examiners think that “push-button forensics” is the norm or even the wave of the future, it is not.  Quite the opposite.  Sometimes, what separates a decent examiner from a plug-and-play examiner is the ability to size up the problem(s) in the case and devise ways to work around or solve them.  The fundamentals of forensics can be taught, but only experience working cases of varying type and degree can serve to separate those who can solve problems from those who cannot.



Monday, October 24, 2016

Electronically Stored Information (ESI) in High-Profile Cases

If it seems like the frequency of high-profile and attention-grabbing cases involving Electronically Stored Information (ESI) and digital evidence in the media is on the increase, you’re 100% correct!  ESI is ubiquitous: on our computers, on our phones, on our tablets and even in our watches and cars.  ESI can range from standard email to text messages to any other type of messaging service, and from pictures to audio files to video and even the GPS data on your car’s navigation system.  It is, quite literally, everywhere!  So when an incident involving email or text messages arises, we naturally gravitate to the salacious nature of the ESI and the information stored on digital devices.  After all, we all use them!  In this article, we’ll explore some of the higher profile cases involving ESI and digital evidence and what considerations examiners should take in cases like these.  First up, a "no-brainer"…

The FBI Investigation of Secretary Hillary Clinton

Unless you’ve been living under a rock, you’ve heard in painful repetition about the alleged malfeasance of former Secretary of State Hillary Clinton and her once-private email server.  Indeed, I wrote about this case in abstract terms when discussing Ethical Sensitive Data Handling.  But when we boil away the politics of the case, it involves ESI and digital evidence in their purest form.  Digital evidence examiners and investigators were required to sift through gigabytes (if not more) of data to determine what, if any, illegal acts took place.  And because it is humanly impossible to read each and every one of thousands of emails individually, the normal methodology is to use e-discovery techniques: filter for emails to and from the individuals of interest (the custodians) and search the content of those messages for certain key words.
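The custodian-and-keyword filter just described, as an added example that is not from the original post and is not any e-discovery product’s code.  Three messages are constructed inline; search_messages() keeps a message only when one of the (assumed) custodian addresses appears as sender or recipient and the subject or text body contains at least one (assumed) search term as a whole word.

```python
"""Custodian and keyword filtering over a small set of email messages.

Added example; not from the original post and not any e-discovery product's
code. Three RFC 5322 messages are constructed inline. search_messages()
keeps a message only when one of the custodian addresses appears in
From/To/Cc/Bcc and the subject or text body contains at least one search
term as a whole word, then returns review-ready hits. A real review would
iterate a PST or mbox export and add date ranges, attachment text and
de-duplication by hash.
"""
import re
from email import message_from_string
from email.message import Message
from email.utils import getaddresses
from typing import Dict, Iterable, List

CUSTODIANS = {"alice@example.com"}               # assumed individuals of interest
KEYWORDS = ["server", "classified", "delete"]    # assumed search terms

SAMPLE_MESSAGES = [  # constructed for the demonstration
"""From: Alice <alice@example.com>
To: Bob <bob@example.com>
Subject: the server
Date: Mon, 2 Mar 2015 09:15:00 -0500
Message-ID: <1@example.com>

Can we move the mail SERVER to the new host this week?
""",
"""From: carol@example.com
To: dave@example.com
Subject: lunch
Date: Mon, 2 Mar 2015 10:00:00 -0500
Message-ID: <2@example.com>

Delete the server reservation, lunch is cancelled.
""",
"""From: bob@example.com
To: dave@example.com
Cc: Alice <alice@example.com>
Subject: re: schedule
Date: Tue, 3 Mar 2015 11:30:00 -0500
Message-ID: <3@example.com>

Nothing to report.
""",
]


def parse_message(raw: str) -> Message:
    """Parse one RFC 5322 message from its raw text."""
    return message_from_string(raw)


def body_text(msg: Message) -> str:
    """Concatenate the decoded text/plain parts. HTML parts and attachments
    are deliberately ignored here; a full review would extract them too."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", errors="replace"))
    return "\n".join(chunks)


def involves_custodian(msg: Message, custodians: Iterable[str]) -> bool:
    """True if any custodian address appears as sender or recipient."""
    headers: List[str] = []
    for name in ("From", "To", "Cc", "Bcc"):
        headers.extend(msg.get_all(name, []))
    found = {addr.lower() for _, addr in getaddresses(headers)}
    return bool(found & {c.lower() for c in custodians})


def matched_keywords(msg: Message, keywords: Iterable[str]) -> List[str]:
    """Whole-word, case-insensitive search over subject and body."""
    haystack = msg.get("Subject", "") + "\n" + body_text(msg)
    return sorted(k for k in keywords
                  if re.search(r"\b" + re.escape(k) + r"\b", haystack, re.IGNORECASE))


def search_messages(raw_messages: Iterable[str], custodians: Iterable[str],
                    keywords: Iterable[str]) -> List[Dict[str, object]]:
    """Return one hit per message satisfying both the custodian and keyword filters."""
    hits = []
    for raw in raw_messages:
        msg = parse_message(raw)
        if not involves_custodian(msg, custodians):
            continue
        kws = matched_keywords(msg, keywords)
        if not kws:
            continue
        hits.append({"message_id": msg.get("Message-ID"), "date": msg.get("Date"),
                     "from": msg.get("From"), "subject": msg.get("Subject"),
                     "keywords": kws})
    return hits


if __name__ == "__main__":
    for hit in search_messages(SAMPLE_MESSAGES, CUSTODIANS, KEYWORDS):
        print(hit)
```

Only the first message survives both filters: the second hits two keywords but involves no custodian, and the third involves a custodian but hits no keyword.  The whole-word, case-insensitive matching is what keeps “SERVER” in and “deleted” out; looser matching is where keyword review starts drowning in false positives.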



Regardless of all of the expertise in the digital evidence section of the FBI and other investigating agencies, a reported 30,000 deleted emails could not all be recovered.  This, perhaps more than any other factor in the case, has garnered the most high-profile attention.  Think about the irony of that for a minute: the data we don’t know about and can’t recover has garnered the most attention.  The value of appropriate, effective recovery methods for ESI cannot be overstated.

Former Congressman & Mayoral Candidate, Anthony Weiner

Are selfies considered ESI?  You bet!  Unfortunately for the legal profession in general, ESI usually gets pigeon-holed into two categories, email and text messages.  But Electronically Stored Information (ESI) comes in many forms, as this example and the following one show.  When former New York Congressman Anthony Weiner was exposed (pun intended) in 2011 sending nude pictures of his genitals to women he met online, it opened up a can of worms about ESI that perhaps hasn’t been fully explored.  While those pictures may not have been used as evidence in any court case yet, with the subsequent revelations of similar behavior (2013 and 2016), it’s almost certain they will be used in some sort of domestic case involving divorce and/or custody.



As I constantly tell investigators in both the private and public arenas, affairs are conducted via mobile devices, plain and simple.  To discover the evidence of those affairs, examiners should consider every place where it may be stored.  In this simple example, it can be on the primary (sending) device, on the secondary (receiving) device and on the servers of the provider used to send the photos, such as iMessage (Apple), Skype, Twitter and so on.  One caveat: a service that encrypts messages end to end, as iMessage does, does not keep readable message content on the provider’s servers, so for such services the devices themselves and any cloud backups of them are the realistic sources.  The data is somewhere; it’s just a matter of articulating where it may be found and why you need access to it.

Law Enforcement Use of Body-Mounted Cameras

As touched upon in the article linked here, the advent of police use of body-mounted cameras to create an unedited view of encounters with the public has created a surge of one particular type of ESI and digital evidence: digital video.  Along with the ability to record virtually every encounter an officer has with the public comes the responsibility for safe, accurate storage and, where appropriate, public access to the ESI.  These videos have already been used in a number of civil and criminal proceedings and their use will only continue to grow.



Fortunately, alongside the explosion of this type of evidence, the market has adjusted and there are already at least one or two reputable digital evidence storage services for this ESI.  However, the volume of storage needed to hold millions of hours of digital video cannot be overlooked.  This evidence must be handled very carefully to ensure the purest form of the evidence is provided in legal proceedings and to allay any claim that the custodial agency manipulated or edited the video, beyond redaction to protect victims and bystanders.  In practice, that means hashing each recording when it is offloaded from the camera, logging who accessed it and when, and preserving the original alongside any redacted copy so that the redaction can be shown to be the only change.

Wrapping it up

ESI is everywhere… in case you missed it the first time.  This article merely points out a few cases and instances where ESI either was used or could be used in future proceedings.  The goal here is to prompt those in the legal profession to broaden their view of where ESI can originate and what is available in any case they may work.  However, once certain types of ESI are identified, only trained professionals should be charged with the acquisition and secure storage of this digital evidence.  Only then are the integrity of the evidence and the digital forensic process truly preserved.

