Thursday, May 21, 2015

The INconvenience of INfosec in the Digital Age

I often get requests from civic groups, consumer groups and the media to speak about information security (infosec) practices, trends, etc.  Although infosec is not our primary role at Pro Digital, it does seem as if there is a vacuum of individuals willing to tell folks what they should do with regard to protecting their data, even if it is just the simple things.  What I constantly try to drive home is the notion of personal responsibility with regard to your information security.  YOU are responsible for the strength of your passwords and how often you change them.  YOU are responsible for the data you put out on social media.  YOU are responsible for making sure your mobile device isn’t left unattended in a public place.  YOU are responsible for not leaving your desktop up and accessible when not at your desk.  All of these concepts (and more) really drive the point home that infosec is everyone’s responsibility. 

Being a former cop and investigator, I know there are evil people in the world.  There are just plain bad people who, if they worked at a REAL job as hard as they work at exploiting innocent, hard-working people, might actually be successful in life.  Sadly, this is not reality.  It’s because of this that I generally keep my head on a swivel, both proverbially and physically.  Even in my own home, I generally lock my desktop when I walk out of my office.  I have decent security on my smart phone and tablet.  At Pro Digital, we also make it part of our mission statement to secure our clients’ data.  We take all of these measures because 1) it’s vitally important to maintaining confidentiality and 2) someone else would love to get ahold of this data and exploit it.  But is it inconvenient?  You bet!

Unfortunately, human nature is often to take the path of least resistance, which is in direct conflict with good personal information security practices.  It’s a pain in the butt to change your password every 60 days.  Encrypting your data takes time and can even slow down access to your data.  It’s hard to keep track of multiple passwords, especially if you take the recommended precaution of using non-dictionary-based words, numbers and symbols.  Multi-level verification with security words, passwords and biometrics makes logging on a longer, tedious process.  Mix all of these factors together and the fact is most people won’t do it (if they have a choice).  But as this chart illustrates, there’s a huge reason why you should do it:



Thanks to the recent Sony hack, everyone thinks our cyber-enemies are in foreign countries.  The fact of the matter is, we have plenty of cybercrime happening right here at home.  And it’s up to YOU to protect yourself.  The government won’t do it, your bank won’t do it, your company won’t do it.  Sure, they’ll put some measures in place to push you along to decent infosec practices, but when it’s all said and done, it’s up to you to make sure all of your passwords aren’t the same.  It’s up to you to put those optional security measures on your mobile device in place.  Here’s another reason:



What’s more important than your money?  You work hard for it, you save, you invest, you make savvy purchases.  Good infosec practices take less time than clipping coupons and will save you much more money in the long run.  Make sure you always know where your mobile device is.  Make sure it’s locked-down and, if it’s lost or stolen, you can wipe the data remotely.  Even though you may want to, don’t use the “quick log-on” option.  This will only increase the likelihood that someone will guess your PIN and access your account(s).

We all love convenience and indeed, convenience is one big reason why we all love our mobile devices.  But what’s more inconvenient than having your identity stolen or your credit score destroyed by someone opening accounts in your name because you didn’t protect your personal information well enough?  I sometimes use clichés in this blog and this is another one of those times: An ounce of prevention is worth a pound of cure!

So what else should you do?  Take the time to come up with new passwords.  Change them often, at least several times a year (perhaps when you change the batteries in your smoke detector).  Don’t ever, EVER use the same password for all of your accounts.  Embrace and use multi-level authentication because it will protect you.  Don’t use common words or words that can be found in a dictionary for your passwords and make sure you mix up symbols, numbers and letters.  Need an example?  Let’s say your favorite color is purple and your mother’s birthday is September 25.  Instead of making your password Purple0925, try Purp13#0925.  Sometimes, it’s just that simple. 
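As an added illustration that is not part of the original post, the following Python script applies the three password rules above (no dictionary words, a mix of letters, numbers and symbols, and never the same password for every account) to the post’s own example passwords, Purple0925 and Purp13#0925.  The short word list and the account list are constructed for this example; a real check would load a full dictionary.

```python
import string

# Constructed stand-in for a real dictionary (assumption for this example).
# A production check would load a full word list instead.
DICTIONARY_WORDS = {"purple", "password", "welcome", "summer", "dragon"}

REQUIRED_CLASSES = {"letter", "number", "symbol"}


def contains_dictionary_word(password, words=DICTIONARY_WORDS, min_len=4):
    """True if any dictionary word of at least min_len letters appears
    anywhere inside the password, ignoring case."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in words)


def character_classes(password):
    """Return the set of character classes (letter/number/symbol) present."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("letter")
        elif ch.isdigit():
            classes.add("number")
        elif ch in string.punctuation:
            classes.add("symbol")
    return classes


def check_password(password):
    """Return a list of rule violations; an empty list means it passes."""
    problems = []
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    missing = REQUIRED_CLASSES - character_classes(password)
    if missing:
        problems.append("missing " + ", ".join(sorted(missing)))
    return problems


def find_reused_passwords(accounts):
    """Given {account_name: password}, return {password: [accounts]} for
    every password used on more than one account."""
    by_password = {}
    for account, pw in accounts.items():
        by_password.setdefault(pw, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


if __name__ == "__main__":
    # Constructed sample data: the post's two example passwords, plus one
    # password deliberately reused across two accounts.
    for candidate in ("Purple0925", "Purp13#0925"):
        print(candidate, "->", check_password(candidate) or "passes")

    sample_accounts = {
        "bank": "Purp13#0925",
        "email": "Purp13#0925",
        "shopping": "Tr0ub4dor&3",
    }
    for pw, names in find_reused_passwords(sample_accounts).items():
        print("reused on", names)
```

Running the script reports that Purple0925 contains a dictionary word and lacks a symbol, that Purp13#0925 passes all three rules, and that the bank and email accounts share a password.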

Free wi-fi is great and it’s everywhere.  Unfortunately, you should never use open wireless networks like those found in coffee shops, restaurants and hotels.  Yes, I know this means you’ll be using up more of your cellular data on your mobile device, but trust me, open networks are fodder for hackers and quite easy to compromise.  Think of how a packed Starbucks or a crowded hotel is a target-rich environment for someone who knows what they’re doing.  At home, make sure your wireless network is secure and using a password scheme similar to what is mentioned above to connect.  Hide and don’t broadcast your network so anyone connecting to it needs to know the specific name and password to log on to the network.  If someone sitting outside your home can access your network, in theory they can access every single device connected to the network including mobile devices, laptops, desktops and gaming systems. 

When making purchases online, use a credit card with ID theft protection.  Don’t make purchases from websites that are from countries that may have opposing interests with the US or western ideologies.  Most internet browsers offer a very definitive symbol to let you know they’re using good security, so pay attention before you enter and send your credit card information; it should be easy to tell when you look at the browser bar.  On mobile devices, only make purchases through verified, trusted apps.  This is generally less of a problem on Apple devices than on Android devices because Apple vets all of the apps on the App Store and holds developers to a standard.  Android apps can be open-source, which means they can be made and posted by virtually anyone.

Good infosec is everyone’s responsibility, but first and foremost, it’s yours.  Larger companies and banks have armies of data security experts on their side to help you, but even they sometimes get beat.  And no one wants to be a victim, so let’s all agree to do whatever we can do to prevent it, right here and now.  The encroachment of digital devices into every aspect of our lives is only going to increase.  Make the decision now to be a responsible user of the technology.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Thursday, May 14, 2015

Pro Digital: Frequently Asked Questions

Recently, a colleague in the eDiscovery field was talking to me about another prolific blogger.  The blogger in question had a simple theory to his blogs: Answer the questions people have about your business and you’ll not only foster good relationships built on trust, but also have more well-informed clients.

This made a lot of sense to me, so at the risk of being repetitive, here are some Frequently Asked Questions that people often throw at us with regard to our services, rates, etc. 
You can also find these F.A.Q.s and other information about Pro Digital Forensic Consulting on our website: www.ProDigital4n6.com

Q:  Who are your main clients?

A:  Our main clients are attorneys who have been retained in legal matters ranging from criminal defense to intellectual property cases to employment disputes and domestic matters.  Our services also cater to Investigative Professionals, both in private and governmental service.  We also offer our public sector clients free consultation for law enforcement and prosecutor's offices and greatly value our partners in government.  Other areas where Pro Digital Consulting may add value are:

  • Companies conducting internal audits/forensic accounting investigations
  • Internal, civil and/or administrative cases where disputed records are stored electronically
  • Individuals seeking to recover and document lost and/or questioned data from computers and/or mobile devices (see disclaimer below)
  • Corporations who wish to retain, preserve and secure their old data in a safe manner

With our history of public service and dedication to helping young people make good decisions in their online activity in the digital age, we also offer services for concerned parents at greatly reduced rates.  These services include data extraction and analysis of your child's mobile device or computer usage and reporting back to you to make sure there are no issues you may need to address as a parent.  Please visit this page for more information on these services.

While we recognize the need for individuals to obtain data in various forms, we generally do not accept clients who are not formally represented by an Attorney and/or who have not retained a Private Investigator.  The main exception to this is our services for concerned parents, detailed further on this page. If you are interested in a referral to an attorney or private investigator prior to Pro Digital taking your case, please contact us. 

Q:  What are your rates?

A:  Because every case is different, Pro Digital Consulting has adopted a fee-based rate schedule which depends upon particular case need.  Most mobile (cell phone, smart phone, tablet) examinations range from $1000.00-$2000.00 per item, depending on the scope of the examination.  Computer forensic (PC/Mac) cases are billed at a rate of $175.00 per hour.  It is roughly estimated that computer forensic examinations take about 10 hours per device/piece of media/hard drive.  However, with end users’ ever-growing access to big-data technologies, those time estimates may increase.

Cases and media examined in bulk may be negotiated at a different rate.  Feel free to contact us for an independent case needs assessment.   

Case assessments vary in scope and complexity and are therefore billed on a case-by-case basis, but rates generally start at $500.00 and increase depending on need.

The Pro Digital staff serves clients locally in Central Virginia and is available to travel virtually anywhere to facilitate data acquisition and assist with your case.  Certain travel expense rates may apply, depending on location.  Additionally, because of the portability of many digital devices, it is always possible to ship items to us while still preserving the chain of custody and for added convenience to our clients.

Testimony in court, depositions or administrative hearings is billed on a per diem basis with routine expenses charged for cases taking place in other states.  Please contact us for a case-specific assessment so we may tailor a rate for your needs.

Q:  What tools do you use?

A:  We strive to offer the best and most state-of-the-art forensic tools available on the market.  Many hours of training and research go into our decision to invest in a particular tool which we feel may be of utmost benefit to our clients.  Among the tools we are proud to offer are Cellebrite Universal Forensic Extraction Device (UFED) and Lantern by Katana Forensics for mobile forensic cases.  For stand-alone computer forensic cases, we primarily incorporate X-Ways Forensics and supplement with Internet Evidence Finder by Magnet Forensics, as well as some open-source tools.  All tools are independently tested, validated and updated regularly.

Q:  Do you offer any reduced rates and/or Pro Bono services?

A:  Yes.  It is our philosophy at Pro Digital Consulting that everyone deserves a fair trial and access to high-quality expertise and competent representation.  Toward that end, we offer reduced rates and Pro Bono services to clients who have previously qualified for indigent or court-appointed defense.  Above all, we believe in the methodology of digital forensics and that the data doesn't lie.

Q:  My data is very sensitive.  How do you ensure confidentiality and security?

A:  In the digital era, most people rely on their devices to hold the keys to the most valuable parts of their lives, such as banking information, passwords and/or client contact information.  As part of our mission statement, we will keep any and all findings in our examinations in the strictest confidence and see this as a vital part of our service.  We go further by not only physically securing digital media evidence, but also by encrypting the acquired data to prevent any outside parties from unauthorized access.

Hopefully, this snapshot has given you some good info about what we do, the tools we use, our rates and even some of our philosophy.
Thanks for reading!

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:

Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.

Twitter: @ProDigital4n6