Tuesday, August 16, 2016

Sooner Rather Than Later… Please!




In the past few weeks, we’ve received a higher than average number of requests for digital forensic services on very short notice.  To some digital forensic practitioners, particularly in the public sector, this may seem almost unheard of, but when I say short notice, I mean short notice!  For example, an attorney called on a Friday afternoon from out-of-state and wanted a mobile forensic extraction and analysis done on a serious felony case set for trial the following Wednesday.  Without the weekend, that would have given us 2 working days to obtain the evidence, analyze the evidence and somehow put forth a set of conclusions suitable for a high-level trial.  To aggravate the circumstances, the case also involved analyzing the search warrant return from an internet service provider and incorporating that into the overall case.  In another serious case, counsel wanted call detail records and tower records analyzed, mapped and concluded for trial in just a few days.

The purpose of this article is not to whine or chide, but rather to illustrate to all of the potential stakeholders in the legal system, and to corporations that may have need for adequate, competent and professional expertise in the field of digital forensics, why it is important to call us sooner rather than later.  Pretty please.

Reason #1: Thoroughness

Being thorough normally manifests itself in one of the following ways:  Either you are trained to be thorough or you have thoroughness in your genes.  Me, I’ve had to work rather hard at being thorough and in particular, knowing how thoroughness plays into all of the cases we work.  In digital forensics, thoroughness is extremely important.  It is important that your examiner know where to look for potential evidence, where potential evidence may be hiding, clues that may lead to the discovery of hidden evidence and what all of that means when put together in the larger investigation.  More often than not, thorough examinations also involve multiple levels of analysis using a variety of tools to adhere to the “holistic” approach.  Depending on the scope of the case, this process can take a lot of time.  The last thing you need, as an attorney, corporate security manager or a CEO, is a rush job.  The bottom line is, lives are depending on it.  Whether the case involves someone’s employment status, a potential divorce or custody issue or a defendant’s ultimate freedom, it matters.  And if it matters, it’s worth taking the time to be thorough and using an examiner who is thorough.



Reason #2: No Examiner is an Island

Current status: Solo practitioner.  This means that I rely heavily on training, expertise, reference material and instinct.  These resources not only provide a more focused view of the cases Pro Digital works, but also serve to build upon a base of knowledge so each case is (hopefully) better than the last.  When I really need to bounce an idea off someone who is generally more knowledgeable and experienced, I call upon one or more colleagues for their advice.  However, because it is in the Pro Digital Mission Statement (as well as my personal belief), every effort is made to research, learn and grow as a digital forensic resource for our clients.  This time is not billed.  It does take time, though.  Every case is different, so every case requires different amounts of resources in order for the final product to be acceptable and defensible.

Recently, opposing counsel in a civil case put forth digital forensic conclusions from their expert which were not supported by evidence or fact in the declaration.  This means that our rebuttal is based upon their conclusions, which are incomplete at best.  It also necessitated posing questions of the opposing expert for clarification, which naturally extended the court-imposed deadline.  Could we have rendered some opinion based on what was presented?  Yes.  But the opinion would have been full of qualifying statements and holes that can only be filled by taking the time to do the examination.  Please remember, we cannot do what you want us to do with incomplete or partial information.  It invites opposing parties to poke holes in our conclusions, which is embarrassing and ultimately not helpful in your case.



Reason #3: You Want the Best We Can Give

I put forth a question to attorneys of all areas of practice who may read this article:  Would you represent a client in a serious civil, administrative or criminal matter where the client brought the case to you a week or less before trial?  Of course not.  By the same token, you don’t want a digital forensic expert to take on a case with little or no time to be as thorough as possible and render conclusions that may very well affect the outcome of your case.  Often, getting the data and/or disk image is a simple matter, so we can work to get that done in a timely manner, but the devil is in the details and in digital forensics, the details are in the analysis. 

We likely prioritize cases the same way you do – court-imposed deadlines are prioritized by date and others are taken in turn.  If there is an employment matter that is time-sensitive, we will work to get those completed as soon as possible, but to reiterate, we strive in every case to be thorough and render conclusions based upon the analysis and examination of evidence.  It is my constant hope that all colleagues who conduct digital forensic analysis do the same.  Therefore, we all need the time to do the proper analysis, attempt to locate the relevant evidence, consult with you and/or the client and button up our findings as best we can.  We all owe that to the client/company/defendant/plaintiff in the pursuit of justice.

Wrapping it up

So what’s the point of all of this?  Please give your digital forensic examiner/resource the time they need to help you and your case to the best of their ability.  We don’t want to turn the work away for a multitude of reasons and we’ll help you out any way we can, but please allow us the time to do that.   Some of the best cases we’ve worked have incorporated several key elements:   Plenty of notice, excellent coordination/communication and effective security of the evidence once the relevant evidence items are identified.  By putting those three elements together, you maximize the effectiveness of your digital forensic resource as well as the value they can add to your case!


Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Globally


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  A graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations.
Twitter: @ProDigital4n6

Monday, July 18, 2016

The Digital Forensic Answer: It Depends




In life, we rarely ever get solid answers.  The same is true in many forensic disciplines.  Indeed, even when some answers are put forth as solid, after years of scrutiny, challenges and vetting, the answer can be reversed (see: FBI hair comparison “forensics”).  One of the things that really appeals to me about digital forensics as an investigator is that when you are able to find the answer, it’s pretty definitive… most of the time.  But with computer and mobile technology increasing in complexity and in how it intertwines with our daily lives, the universal answer in digital forensics is still “it depends”.  Think about it – when is the last time you worked a case where you had all of the answers?  Even cases where the evidence you have is solid can still have that sliver of a window for some doubt or another stone that possibly could have been turned over.  We can’t examine every bit of data in every case, so we concentrate on what is relevant, what is possible, what is valuable in our cases.  But the variables do play into our conclusions, so we conduct as thorough an analysis as we can, given time and case-specific constraints, we publish our conclusions and trust in our ability, training and experience.  That’s practical digital forensics.

Routinely, we get calls from attorneys and other prospective clients asking if we can find key pieces of evidence in their case.  The answer I always give is, it depends!  Now, as a private practitioner, I know clients don’t like to pay money for a “maybe”, but sometimes that’s the nature of the beast.  Generally I tell them that the sooner you can get me the evidence and the more information you can provide, the better chance we’ll have to find and report the data you need in your case.  This is naturally true in law enforcement as well, but most governmental examiners have the benefit of what I call “time capsule evidence” – evidence that is seized under a lawful order at a specific point in time and (hopefully) is not destroyed or altered subsequent to the seizure.  In private practice, that doesn’t always happen, so the universal answer is… It depends!

Dependent Variables in Computer Evidence Analysis

Generally speaking, the “it depends” factor in computer-based (PC/Mac, etc.) cases is a little lower than in mobile cases (to be discussed next).  However, it’s still present.  Some of the factors that affect whether or not we’ll be able to find evidence include:

·       The time in between the alleged incident and the creation of the forensic image
·       The usage (if any) on the system since the alleged incident and that user’s behavior
·       Whether or not the evidence being sought is suspected to have been deleted or not
·       The type of data being sought in the investigation

I’ll elaborate a bit in a few “real-world” examples:  Last year, Pro Digital was retained in a corporate case involving alleged theft of intellectual property by a former employee.  Upon discovery of the potential violation, the custodian of the company’s computers immediately stopped all use on the suspect computer system and locked the system in a safe place with limited access.  He then called us and the case progressed from there.  We were able to find definitive evidence that the ex-employee transferred vital information to a thumb drive and presented this evidence in court.  That’s a textbook example of what should happen.

By contrast, we recently investigated a case involving the time-frame of a submitted document, which relied heavily on the document metadata analysis.  Unfortunately, the alleged incident happened 8 months prior.  Not only was there 8 months of potential usage, alteration and deletion on the system, but to add to the problems in recovering the evidence, the user’s system had been updated and replaced within the 8-month time frame.  And no, they couldn’t locate the old system for us to analyze.  The request – analysis of document metadata – is a fairly simple one.  However, the case was complicated by factors related to time and usage.  So as you can see, it really depends!

Dependent Factors in Mobile Device Analysis

While the “it depends” factor exists in many computer cases, that same factor is virtually always present in mobile device analysis cases.  Think about how often we use our mobile devices.  I recently attended a seminar in which the estimated number of times per day we even look at our mobile devices was reported to be between 150 and 250.  While we’re fortunate as examiners that mobile devices store an increasingly higher amount of data with each new generation of device, we use them so much that these user-dependent factors often affect whether or not we can get the data that is necessary to help prove or refute a claim.


For example, I recently did some rudimentary testing with regard to how images & videos are stored on an Apple iPhone 5s, which was running iOS 9.3.2.  I was able to quickly identify the file naming convention and locate the pictures.  Most forensic tools will do that natively anyway.  But when I looked at the SQLite database table for the pictures, I found that the deleted information and metadata for older files was no longer available.  More recent deleted pictures and their associated metadata were still recoverable, but the older ones, which were taken on another device with an older operating system and transferred via iCloud backup, were not available.  So when we say “it depends” with mobile devices, we are referring to factors such as:

·       Device make/model/manufacturer
·       Operating system version
·       Age of data being sought in the investigation
·       Potential deletion of data being sought in the investigation
·       Forensic tools utilized by the investigator for extraction and analysis
·       Overall device storage capacity
·       User behavior

And that’s really just the tip of the mobile device iceberg.  When we also factor in the multitude of apps available on the market which may store valuable data, how the data is stored within those apps (i.e., encrypted or encoded) and what type of data that may be, it really starts to prove two things:  First, it really depends on many factors as to whether we can get the data that is needed in a particular case and second, the potential value of that data, if recoverable, cannot be over-stated.
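The iPhone SQLite observation above (recent deleted pictures still recoverable, older ones not) comes down to what happened to the database file after the rows were deleted.  As an added illustration that is not part of the post, the following Python uses a constructed toy “photos” table (not the real iOS schema, and constructed sample rows) to show the three outcomes an examiner runs into: a plain DELETE leaves the record bytes carvable, secure_delete zeroes them, and a later VACUUM rewrites the file without them.

```python
import os
import sqlite3
import tempfile

# Constructed sample rows (filename, timestamp taken); not real case data.
SAMPLE_ROWS = [
    ("IMG_0001.JPG", "2015-01-10 09:12:00"),
    ("IMG_0002.JPG", "2016-06-02 18:40:31"),
    ("IMG_0003.MOV", "2016-06-03 08:05:12"),
]


def build_photo_db(path):
    """Create a fresh database whose toy table fits in a single leaf page."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE photos (id INTEGER PRIMARY KEY, filename TEXT, taken TEXT)")
    con.executemany("INSERT INTO photos (filename, taken) VALUES (?, ?)", SAMPLE_ROWS)
    con.commit()
    con.close()


def delete_photo(path, filename, secure_delete=False, vacuum=False):
    """Delete one row, optionally zeroing freed space and/or vacuuming."""
    con = sqlite3.connect(path)
    # secure_delete is per connection and its compiled-in default varies
    # between sqlite builds, so set it explicitly for a deterministic result.
    con.execute("PRAGMA secure_delete = " + ("ON" if secure_delete else "OFF"))
    con.execute("DELETE FROM photos WHERE filename = ?", (filename,))
    con.commit()
    if vacuum:
        con.execute("VACUUM")  # rewrites the file with live rows only
    con.close()


def visible_to_sql(path, filename):
    """What a tool's normal table view reports: is the row still live?"""
    con = sqlite3.connect(path)
    row = con.execute("SELECT 1 FROM photos WHERE filename = ?", (filename,)).fetchone()
    con.close()
    return row is not None


def present_in_raw_bytes(path, text):
    """Carving-style check: does the string survive anywhere in the file bytes?"""
    with open(path, "rb") as f:
        return text.encode() in f.read()


def deletion_outcome(secure_delete=False, vacuum=False, target="IMG_0001.JPG"):
    """Return (visible_to_sql, present_in_raw_bytes) after deleting target."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "photos.sqlite")
        build_photo_db(path)
        delete_photo(path, target, secure_delete, vacuum)
        return visible_to_sql(path, target), present_in_raw_bytes(path, target)
```

The first outcome is what makes deleted-record carving worthwhile; the other two are why it sometimes yields nothing regardless of the tool, which is the “it depends” of the preceding list in concrete form.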

Dependent Factors in Call Detail Record (CDR) Analysis

As detailed in a previous article, call detail and cell tower records can prove vital in a wide variety of cases.  However, the “it depends” factor is present here as well.  The unfortunate part is, some of the dependent factors with regard to call detail records are out of the examiner’s control in that they reside within policies of the cell provider, as well as other factors.  The most common question in this world of data analysis is, “what is the range of a cell tower?”  Well, it depends!  In most basic terms, the range of a cell tower is only as far as the next closest cell tower of the same provider.  However, other factors also play into the cell tower range including:

·       Number of mobile devices connected to the tower at the time of interest (load)
·       Geographical terrain/topography (trees, hills, buildings, etc.)
·       Tower maintenance, both scheduled & unscheduled
·       Manufacturer, age, height & type of cell tower
·       Handset-specific factors, such as antenna strength



Just as with forensic analysis of computers and mobile devices, time is of the essence in call detail record analysis.  The closer to the alleged incident you can request the data from the cell provider (via search warrant, court order, etc.), the better chance you’ll have to get more data, which could add great value to the case.

Wrapping it up

To most digital forensic examiners, the concept of “it depends” will not be a new one.  I was first taught that it really does depend while attending BCERT at the National Computer Forensics Institute by a savvy and knowledgeable attorney.  She was very correct and I’ve seen this played out in case after case ever since.

Even though the examples listed here are just a fraction of some of the dependent factors in various types of analysis, hopefully it’s clear now that there are generally not many clearly-defined answers in many areas of digital forensics and they are all case-specific.  Naturally, it bears noting that the training and experience of your examiner is a huge factor in determining whether or not you are getting all of the information you can get in your case, so choose your examiner wisely and carefully… Because success or failure can depend on that too! 



Tuesday, July 5, 2016

Link to Forensicator Podcast #103: Magnet Axiom


Pro Digital Forensic Consulting Principal Consultant Patrick Siewert talks with Jamie McQuaid, Digital Forensic Consultant at Magnet Forensics, about their new tool, Axiom.  They discuss what went into the design of Axiom, what the tool offers, what you can do to help the tool grow and more!

The podcast is linked here on SoundCloud:
https://soundcloud.com/pro-digital-forensics/forensicator-no-103-magnet-axiom

And may also be downloaded on iTunes.

Please check out the podcast and Magnet Axiom and let us know what you think!
