Monday, February 22, 2021

Keys To Success in Digital Forensics: Incident Response vs. Litigation Support



Digital forensics as a practice and as a service has been evolving since its inception.  Among the evolutionary explosions we’ve seen in the field are the hardware, the size of data repositories, the data storage technology and the tools we use to acquire and analyze the data we come across in our analysis cases.  The advent of remote work, cloud data storage, universal use of email and internet-based applications and the development of bad actors on a worldwide scale has confirmed that the field of digital forensics will be not only present, but necessary now and well into the future.  We’ve also seen offerings in academia growing, with colleges offering coursework in both undergraduate and graduate programs focusing on digital forensics.  What is sometimes overlooked, however, is the nuance that there is more than one path within the field of digital forensics.  So which path will you choose:  Incident Response (IR) or Litigation Support?



Incident Response Path


To help identify which path is appropriate, it’s probably best to first define the particular path.  Digital Forensic Incident Response (DFIR) is defined loosely by a myriad of online resources as incorporating digital forensics techniques to identify bad actors at the heart of malicious attacks on networks and systems.  This can include malware/spyware infections, hacker attacks, data theft, data leakage, etc.  This is often referred to as an arm of Cybersecurity and is part of what many cybersecurity professionals do.  But all one has to do is look up jobs for a Cybersecurity Responder or Engineer and read the litany of responsibilities that are associated with these positions to realize that it is truly only one part of the listed responsibilities.  I’m often boggled when I search for job openings in Digital Forensics and find the dozens of listings that have very little to do with digital forensics at all, but because the job of a DFIR responder is partially to deal with these incidents, forensic response is listed as one of the desired skills.  The argument could be made that the forensic component is a dedicated position in itself.




Regardless of that, the work of a DFIR responder is somewhat different than that of a litigation support professional in several ways.  First, the manner in which you acquire the data to be analyzed can be very different.  It is a common practice in IR work to acquire logical data from a network repository for analysis and not a “dead box” physical acquisition of the data.  This is a practical consideration because networks in enterprise environments can’t be shut down for a physical acquisition.  Many times, network logs, Windows event logs, registry entries and IP log files play a crucial role in determining who is responsible for the incident.  Acquisition and analysis of these logs can be tedious and may only lead to part of the conclusion about what happened.  The job of an IR digital forensic professional is absolutely necessary, particularly in large corporations and those that store sensitive personal information.  We hear about data breaches of personal information almost weekly and security-minded practitioners struggle with constant pulpit-pounding of good practices leading to good security.  


Regular readers of this blog know well that I put forth regularly that “forensics” means the acquisition, analysis & reporting of facts associated with the data in such a manner that is presentable in a Court of Law.  While it is no doubt possible that an IR professional could work a case that would lead to litigation, it is far less likely than in the litigation support realm.  As such it’s probably safe to say that IR practitioners could reasonably be more on the technical side than the presentation & explanation side.  However, every incident has at least one stakeholder, so the ability to explain very technical matters to very non-technical people is still a vital skill.


Litigation Support Path


It’s probably safe to say that when many people decide on a Digital Forensic course of study, they probably think of litigation support as their main path, probably due to the romanticization of the field in TV shows like CSI.  We hear about data breaches in the IR realm all the time, but we rarely hear in popular media the outcomes of their investigations.  Litigation support can be (and often is) the exact opposite.  Most law enforcement digital forensic practitioners are involved in litigation support and do so in very high-profile incidents.  Many private companies are also involved in digital forensic litigation support.  So what does a litigation support analyst do?  We acquire, analyze and report on evidence most often specific to a particular person, company, etc.  The means by which we acquire this data often differs from the IR path because we generally have physical access to the suspect or target media to be analyzed. This means we can acquire physical repositories, instead of just logical data.  Of course, mobile forensics can be a large exception to the last statement, but generally speaking and with current technology, we are able to acquire physical memory of stand-alone computer systems and workstations.  (However, that will probably not always be the case.)




Law Enforcement works criminal litigation support by identifying a criminal suspect, seizing their electronic equipment, acquiring & analyzing same as part of their investigation and reporting about their findings.  Part of their reporting often comes in the form of formal expert testimony in court, which is one of the biggest differences between IR and Litigation Support.  It requires further refinement of the skill of presenting very technical matters to very non-technical people.  


Private companies who engage in Litigation Support also have a similar approach to casework, but work Civil disputes as well.  These civil cases may be everything from divorce/custody matters to intellectual property theft to employment disputes to independent analysis in criminal defense cases.  No matter the court of the case at hand (i.e., criminal or civil), the litigation support professionals seek to add clarity, value and definition to the matters they work as part of the adversarial justice system.  


Similarities between Incident Response & Litigation Support


We’ve highlighted the main differences between IR and Litigation Support, but there are naturally many similarities.  The basic knowledge of how data is stored and analyzed is probably the largest similarity.  Both paths need to have a good basic understanding of data storage and forensic implications thereto.  Another similarity can be in the tools we use.  Fortunately, most modern and popular digital forensic tools, whether open source or proprietary, are capable of handling both IR and litigation support work.  The nuance factors in with the examiner’s ability to properly use the tool, given the particular type of case or incident.  Some forensic tool vendors like to say their tool has “been validated in Court”.  This is a misleading statement.  Tools don’t get validated in court.  Examiners get qualified as Experts in Court and their findings are validated because of their requisite knowledge, skills, abilities and experience.



Finally, the most important part is that the approach philosophy is and needs to be the same across the digital forensic spectrum.  In every case, we operate on the approaches of objectivity & neutrality, analyzing the data as the data is presented to us and never allowing personal bias or beliefs about the suspected parties involved to cloud our ability to prove or disprove what happened.  Digital Forensics is a scientific discipline.  It requires us to constantly evaluate evidence in a neutral environment to arrive to a conclusion of fact.  As experts in the field, we are afforded the ability to draw conclusions based upon our knowledge and experience, even if the data doesn’t explicitly show us what those conclusions are.  But those conclusions are always supported by the data and never created out of conjecture or bias.  


Wrapping It Up


In every field, there are nuanced sub-sects.  If one decides to be a doctor, they can become a surgeon or a psychiatrist.  If one decides to be a lawyer, they can become a corporate risk manager or a criminal litigator.  The refined skill sets for the two paths within the same field are where the differences lie, and Digital forensics is no different.  There are nuances within the two paths of Incident Response and Litigation support that dictate which skills will be highlighted and which will be of less value to hone and refine.  Knowing the difference is key to the practitioner’s success, particularly early in the field of practice. Can a DFIR practitioner choose to switch between IR and Litigation support (or vice-versa)?  Absolutely!  Many litigation support professionals from law enforcement retire to work for IR shops.  The take-away here is to start the thought process about which path is the best fit for you.  Ultimately, everyone involved in the practice of digital forensics wants to get to the heart of the matter, just like all doctors want to help their patients and all lawyers want to serve their client in the best manner possible.  So do some soul-searching and drill down about what path you’d like to choose.  And as a wise man once said, “Go with your gut, but use your head!”


Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!



We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Thursday, January 7, 2021

Cellebrite Reader: You Don’t Know What You’re Missing!


As a digital forensic practitioner who logs approximately 70% of cases in the mobile device forensics arena, it has become the norm for us to receive discovery in any number of forms from opposing counsel, law enforcement agencies, etc.  Being one of the most commonly used mobile forensic tools on the market (particularly by law enforcement), Cellebrite has wisely developed a way for people who wish to view the data on a particular device to do so, also with the capability of generating their own report.  This pared-down or lightweight version of the Cellebrite Physical Analyzer program, called the Cellebrite Reader, is a great free way to browse the 30,000-foot view of the data, particularly for laypersons who may just want to get text messages, pictures, videos, etc.  These are traditionally the “high points” of the data on the phone or tablet and can sometimes include deleted items, but a serious warning should accompany the Cellebrite Reader file:  You don’t know what you’re missing!



Who Should Use The Cellebrite Reader?

The Cellebrite (or UFED) Reader is a lightweight version of Physical Analyzer, the paid analysis tool that accompanies a full Cellebrite product license.  To say it’s a “lightweight version” of Physical Analyzer is a bit of an understatement.  At first glance in the user interface, the two applications look very similar, but as with most things in digital forensic analysis, the devil is in the details.  So then who should use the Cellebrite/UFED Reader?  If your case involves any of the “basic” data areas, such as undeleted text messages, photographs and some location data, then the UFED Reader tool is probably fine.  The tool is best for on-staff investigators, paralegals, private investigators and other mostly non-technical support staff.  If you have absolutely no need to dig into the data at all, the UFED Reader program should serve your purposes just fine.  The issues emerge when we dive into how the data is generated and what is included, or rather not included, by the person who generated the Reader file.


The “Analyzed Data” portion provides a great overview of the simple data areas decoded automatically by Cellebrite, including *some* deleted data (red parentheses)


How Is a Cellebrite Reader File Generated And What Is Included?

A Cellebrite/UFED Reader File is generated within the larger licensed tool called Cellebrite UFED Physical Analyzer.  Many times, because of case backlog or by specific request, the person doing the data extraction from the device(s) will create a “data dump” report, viewable in the UFED Reader.  This creates a .UFDR file, which is only able to be opened and read in the UFED Reader program, which accompanies the UFDR file at no cost to the user.  In the case of a data dump report, ostensibly all of the readily viewable and automatically decoded data on the device is included in the UFDR file. 

However, one strong warning about UFDR files is that they can easily be generated by the analyst cherry-picking or selectively choosing the data to include in the UFDR file, which is NOT a data dump.  For example, the person responsible for generating the Cellebrite Reader file can choose only certain picture file types or certain text messages or message strings to include in the Reader file. This could *look* the same as a data dump within Cellebrite Reader, but would have far less data than the 100% dump of everything available from the device.  There is no clear indication that a data dump file has been generated versus one that is selectively created by the analyst and exported into a UFDR and Cellebrite UFED Reader file.  It is not unlikely that the person generating the Cellebrite Reader file for your review has not included things like the databases from the device (pictured below).  We’ll discuss the importance of this shortly…


The other strong warning about Cellebrite Reader (UFDR) files is that they MAY NOT include all of the data.  While companies like Cellebrite, Oxygen, MSAB and Magnet Forensic try very hard to keep up with the trends in mobile technology, they are always playing a game of catch-up with their support of hardware and software because mobile technology moves so fast.  Add into the support equation that only a fraction of third-party applications are supported for decoding by these tools and the point becomes clear that if you are relying solely on UFED Reader files, you are likely missing data!  There is currently no exception to this rule.

The analogy we often use is that the Cellebrite Reader file is like a “prepared meal”.  A competent digital forensic analyst wants to inspect the ingredients that went into preparing that “meal” to make sure there’s nothing missing.


What Data Is Missing From Cellebrite Reader Files?

At a basic level, all application data (i.e., apps) on mobile devices is stored in roughly the same way.  This common storage approach is in a series of databases that are created, updated and stored as part of the application itself.  The databases work in the background of the user interface to store and present the data to the user on the device in the native user experience.  The problem is that, as stated earlier, a mere fraction (probably 10% or less) of the applications available on the Apple App Store (iPhone) or Google Play Store (Android) are supported for automatic decoding in Cellebrite or any other mobile forensic analysis tool.  This means that manual analysis of these databases will frequently become a necessity in your cases.  And these databases may not be included as part of a UFED Reader file; you may only be provided with automatically decoded data from supported applications.  The illustration below shows a snapshot of how many applications are decoded by Cellebrite on an iPhone 8 Plus running iOS 14.  Among the applications not decoded are common applications like Snapchat, Twitter, Instagram and others:



Even if an application like WhatsApp is supported for automated decoding in your tool, when the developers of WhatsApp make even minor changes to the application in development and roll the new version of the application out to their users, this could cause the mobile forensic tool to no longer be able to decode and display the data automatically.   This is another circumstance where manual analysis of the database(s) for the application will be required and as stated previously, the databases may very well not be included in your Cellebrite Reader file.
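To make the “inspect the ingredients” point concrete, here is a small added example of the kind of manual database triage an examiner does when an app is not decoded (or no longer decoded) by the tool.  It is not code from the original article, from Cellebrite or from any vendor; it builds a constructed, app-style SQLite database with Python’s standard `sqlite3` module, deletes a row and drops a table the way an app might, and then compares what the SQL layer reports (which is all an automated decoder sees) with what the raw file still contains.  The table and column names, the message text and the `secure_delete=OFF` setting are assumptions made for the example; a real app database would have to be pulled from the extraction itself.

```python
import os
import sqlite3
import struct
import tempfile

# Message text constructed for this example; not from any real device.
KEPT_BODY = "kept sample message one"
DELETED_BODY = "deleted sample message two"


def build_sample_db(path):
    """Build a constructed app-style database, then delete a row and drop a
    table so the file holds both live rows and residue the SQL layer hides."""
    conn = sqlite3.connect(path)
    # Assumption: secure_delete is off (the usual default); set it explicitly
    # so the example behaves the same on every SQLite build.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE messages "
                 "(id INTEGER PRIMARY KEY, sender TEXT, body TEXT, ts INTEGER)")
    conn.execute("CREATE TABLE attachments "
                 "(id INTEGER PRIMARY KEY, msg_id INTEGER, name TEXT)")
    conn.executemany("INSERT INTO messages (sender, body, ts) VALUES (?, ?, ?)",
                     [("alice", KEPT_BODY, 1609977600),
                      ("bob", DELETED_BODY, 1609977660)])
    conn.execute("INSERT INTO attachments (msg_id, name) VALUES (1, 'photo_0001.jpg')")
    conn.commit()
    # The "user activity" that an automated decoder will not show afterwards.
    conn.execute("DELETE FROM messages WHERE body = ?", (DELETED_BODY,))
    conn.execute("DROP TABLE attachments")
    conn.commit()
    conn.close()


def parse_header(path):
    """Read the SQLite file header fields worth checking before trusting a
    tool's rendering: page size (offset 16) and freelist page count (offset 36)."""
    with open(path, "rb") as f:
        hdr = f.read(100)
    if hdr[:16] != b"SQLite format 3\x00":
        raise ValueError("not an SQLite 3 database")
    page_size = struct.unpack(">H", hdr[16:18])[0]
    if page_size == 1:          # the value 1 encodes a 65536-byte page
        page_size = 65536
    freelist_pages = struct.unpack(">I", hdr[36:40])[0]
    return {"page_size": page_size, "freelist_pages": freelist_pages}


def inventory(path):
    """The logical view: tables, row counts and freelist pages via SQL/PRAGMA."""
    conn = sqlite3.connect(path)
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")]
    counts = {t: conn.execute(f'SELECT COUNT(*) FROM "{t}"').fetchone()[0]
              for t in tables}
    freelist = conn.execute("PRAGMA freelist_count").fetchone()[0]
    conn.close()
    return {"tables": counts, "freelist_count": freelist}


def carve_strings(path, needles):
    """The physical view: scan the whole file for text the SQL layer no longer returns."""
    with open(path, "rb") as f:
        raw = f.read()
    return {n: raw.find(n.encode("utf-8")) != -1 for n in needles}


def triage(path):
    """Compare logical and physical views and flag what needs manual review."""
    inv = inventory(path)
    hdr = parse_header(path)
    residue = carve_strings(path, [KEPT_BODY, DELETED_BODY])
    flags = []
    if inv["freelist_count"] > 0:
        flags.append(f"{inv['freelist_count']} freelist page(s): dropped or "
                     "emptied tables, review unallocated pages")
    if residue[DELETED_BODY]:
        flags.append("deleted row content still present: review freeblocks "
                     "and unallocated space")
    return {"logical": inv, "header": hdr, "residue": residue, "flags": flags}


def run_demo():
    """Build the constructed database in a temp directory and triage it."""
    db = os.path.join(tempfile.mkdtemp(), "sample_app.db")
    build_sample_db(db)
    return triage(db)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The logical inventory shows a single `messages` table with one row, exactly what a decoder built on SQL queries would report.  The header and `PRAGMA freelist_count` both show a freelist page left behind by the dropped table, and the raw scan still finds the deleted message body, which is why the databases themselves, not just the decoded output, belong in the material an examiner reviews.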

This is why you should always consult with a digital forensic professional in any case where you are provided data from an opposing party, particularly if there is a possibility that any of this data could be presented as evidence.


Wrapping It Up

While Cellebrite and their UFED Reader program are used as an example in this article, many other mobile forensic tools also have similar lightweight versions for simple review of the data.  These are often called “portable case files”, or something similar.  Regardless of the tool and what they call their lightweight application, the same limitations and warnings apply.  And when faced with the possibility that your client could go to prison for a significant period of time or lose custody of their children or perhaps even lose a large sum of money, due diligence dictates consultation with an expert who knows how this data is stored, how to appropriately analyze it and what steps should be taken to ensure nothing is missed.  Lives depend on it!




Tuesday, December 15, 2020

Keys to Success in Digital Forensics Series: Knowing the Justice System



A recent discussion on an international podcast spawned several offspring topics about what bona-fide occupational qualifications (previously known as BFOQs) are key to success in the field of digital forensics.  This question has several answers, some of which are not readily apparent to many who may be pursuing coursework and a career in digital forensics, but they are often intangible assets that differentiate between a good examiner and a great examiner.  One of these has very little to do with the nuts-and-bolts of digital forensics: Knowledge of the Justice System.  We’ll explore the system and the elements of this key to success here, concentrating on those elements particularly in the United States.

Key Element #1:  The Difference in Types of Justice Systems

In the United States, there are several different types or levels of court system.  They are also divided into levels inside their own particular system.  For instance, there are Federal, State and Uniform Courts of Military Justice (UCMJs), which handle solely military justice matters (i.e., Army, Navy, Air Force, Marine, Coast Guard).  The Federal and State Courts are each divided into “lower” and “higher” courts.  The lower courts are usually District Courts and the higher courts are usually circuit, appellate and supreme courts.  Trials are conducted at the District and Circuit levels, but in the Appellate and Supreme Courts, cases are only reviewed and ruled upon based upon evidence presented at trial in Circuit Courts.  No additional evidence is heard at the Appellate or Supreme Court levels, only written and oral arguments by the litigators involved.  


In addition to the different venues and types of courts, there are types of cases – Criminal or Civil.  Criminal cases are those in which an accused is arrested based upon a complaint or criminal accusation and faces a fine, jail/prison time or some other punishment laid out in the criminal or penal law.  Civil actions are those brought before the court when there is a dispute between two entities, such as two companies or a company and a former employee.  Divorces, intellectual property theft, monetary or property disputes and other types of lawsuits are heard in Civil court.  Some cases can cross over between both courts, depending on the circumstances.  In Virginia in 2016, Pro Digital was involved in a divorce case which had a criminal element to it, so different parts of the case were heard in two different courts.  While most minor cases start in the lower District courts and proceed up to the Circuit level, many cases may start directly at the Circuit Court level.

Key Element #2:  How The Courts Work Differently

State & Federal Courts do operate somewhat differently, but the differences mainly lie in the types of cases that are heard in each court.  In State Criminal Courts, cases brought by local and state law enforcement are heard.  Usually, private citizens can also take out certain criminal charges on someone they feel has committed a crime against them when the police are either not willing or unable to conduct an investigation.  In Federal Criminal Courts, cases are usually brought by one of any number of three- or four-letter federal law enforcement agencies (FBI, DEA, ATF, HSI, etc.) which have specific jurisdiction over the cases via Federal Law.  For instance, many child sexual abuse material (CSAM) cases are brought before federal criminal courts because the images are traded/downloaded/trafficked across the internet, so the nexus of the case is interstate commerce, because all traffic over the internet has to cross state lines, whether the accused left their house in commission of the crime or not.  Add into the mix that many local law enforcement agents belong to Federal Task Forces for CSAM, drug investigations, etc., which can also affect in which court the case is heard.

Civil Actions in State Court are generally between two people who either entered into a contract/agreement locally (including marriage) or conduct business on a more local level or inside a state’s boundaries.  Federal Civil actions usually deal with the Civil side of interstate commerce, larger national/international business disputes, anything covered under entities like copyright or patent law and so forth.  Essentially, the court in which the case you’re working is heard is determined by jurisdiction.  Only courts with jurisdiction to hear a particular case will be appropriate to do so.

Key Element #3:  Practical Application

So what does all of this mean and why is it important to digital forensic practitioners?  Whether you know it or not, implement this mindset or not or ever see it in practice or not, you may very well become a first-hand participant in the justice system.  Even incident response professionals have the potential to be called as a witness if their investigation leads to criminal charges or a civil action.  As such, we should always begin with the end in mind.  When being assigned or at the intake phase of a case, ask yourself (or your team) some basic questions:


What basic facts does this case deal with?

What elements of the case/incident are relevant to prove or disprove?

Who are the potential bad actors and where are they located?

What best practices need to be put in place to ensure that your investigation is conducted in an appropriate manner for court?

What documentation should you have with regard to your methods, procedures, findings and conclusions AND…

Is that documentation appropriate and acceptable for use in Court?


Beyond those basic front-end questions, there are considerations after you conduct your analysis and come to your conclusions.  The first is how the system moves along.  It is not unlikely that you could be called for a pre-trial hearing to testify about any number of issues such as access to the evidence (pre-examination), irregularities with the evidence or limitations to the analysis of the evidence.  During this testimony, you may be qualified as an expert witness, and if you’ve never been through the qualification process, you’ll want to work with the attorney handling the case to ensure that you’ll have success in that process.  For more details about that process, please check out this recent article.

After any pre-trial hearings are concluded, the attorney(s) handling the case should have lengthy discussions with you about your procedures and findings.  Everything you do in the course of your data acquisition & analysis needs to be defensible and repeatable so that someone with similar qualifications could do what you did and come to the same conclusions.  This is where details matter.



But what matters most -- and what is arguably the most intangible piece to this whole process -- is not just the ability to relay what you did, why you did it and how you came to your conclusions, but to do so in a manner that is understandable to non-technical people.  Lawyers, Clients, Executives, Judges and juries are largely non-technical people.  You will need to possess, hone and refine the ability to explain your findings to them in a manner that they will easily understand.  Bonus points if you can make it interesting!

Wrapping It Up

Some may read this article and wonder what on Earth it has to do with digital forensics?  To paraphrase Steve Whalen of Sumuri, forensics is the application of methods & procedures to come to conclusions that are sound and presentable in a court of law.  That’s what is meant by “begin with the end in mind”.  We all have stories about that one case or the one examiner who did a halfway-job and somehow skates by without anyone calling them out on their sloppy work.  The larger issue is not the one examiner, rather what that examiner represents in our industry.  If we accept that our work product will be lackluster, bare minimum or just plain bad, that will eventually affect all DFIR practitioners.  And none of us wants that!

About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury & plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator, Physical Analyst, Advanced Smartphone Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.


Tuesday, October 6, 2020

2020 Key Influencers in DFIR



One of the things I enjoy most about the field of digital forensics is that it’s a community of people who all generally have one set of goals in mind:  Find the truth, get to the facts, uncover the evidence using tried & true methods and present those findings to an ultimate finder-of-fact, whether it be a corporate CEO, an attorney/client, a prosecutor/judge/jury or whatever the case may be.  We encounter daily challenges in our work and we collaborate relatively well because as the technology evolves, so do our approaches to the various challenges need to evolve. 
 
Like many industries, there are influencers – those who contribute to the profession in ways that go far above-and-beyond typical members of the community, whether it be by sheer volume of notable work, publications, time & effort put forth, etc.  In digital forensics, those influencers may stand out even more because of the exclusive and specialized nature of the work we do and the relatively small community in which we work.  Some are daily contributors while some share their knowledge and experience with a measure of humility or quiet dignity.  I’ve chosen to highlight five such personalities in our industry for this article.  They have not paid me, I don’t know all of them personally and I may never have even spoken to one or more of them, but their contributions to our field are valuable and deserve recognition.  In compiling this list, I attempted to run the DFIR gamut of key computer forensic influencers, mobile device forensic influencers, incident response influencers and those who may influence all of the above and/or a different specialty that is more on the periphery of our industry.  So, at the risk of spawning much heated debate, let’s go!

Key Influencer #1:  Eric Zimmerman

If you don’t know Eric Zimmerman and his contributions to our community, you’re at a decided disadvantage.  A former FBI Special Agent and government forensicator, Eric has been contributing his vast knowledge and expertise to the DFIR community for many years.  I was first introduced to his wealth of knowledge and generosity when he released OS Triage, a free tool for law enforcement examiners to quickly triage and identify evidence on-scene that may (or may not) contain illicit images.  The tool was simple, effective and really useful to those of us who 1) didn’t want to spend time analyzing evidence that wasn’t relevant and 2) had limited physical space in which to store such evidence.  Since then, Eric has developed other free tools such as Shellbags Explorer and Timeline Explorer, all of which most of us have used in one case or another (or a few dozen).  I personally love Shellbags Explorer for, well… Exploring Shellbags!  It does a great job at graphically representing the folders that have been touched by the user to help rebut any argument that someone else did it.  Among the offerings on Zimmerman’s Github are Link File Parser, MFT Parser, Volume Shadow Copy Mounter and more.


Now with Kroll, Zimmerman continues to create and share tools with the community that are exceptionally useful in conducting varying types of analysis (oh, and they’re free).  The Kroll Artifact Parser & Extractor (KAPE) is a fast, flexible way to find, extract and analyze artifacts in your case.  Simply put, it’s the next generation of free tools from Zimmerman and it is being used daily to help examiners save time and find the evidence they need.
  
As an X-Ways Forensics user for the past several years, I’ve also found the book X-Ways Forensics Practitioner’s Guide -- which Zimmerman co-wrote with another awesome influencer, Brett Shavers -- to be an invaluable resource.  Sure, I’ve been through the XWF Level 1 & 2 training, but sometimes I don’t remember every single tidbit of the 56 hours or so of those courses, so this book is a super helpful reference guide for both new and experienced XWF users.  I think both Zimmerman and Shavers would tell you that if you’re not using X-Ways Forensics in your PC analysis, you’re wrong :).

I’d also be remiss if I didn’t mention Eric’s participation in the IACIS listserv.  If anyone has a question, Eric frequently chimes in with a pointed, yet helpful response.  Heck, sometimes he even makes me laugh!  We are truly a better community for Eric being a part of it and sharing his vast knowledge, skills & abilities with us all.

Key Influencer #2:  Heather Mahalik

I’ve never met Eric Zimmerman in person, but I have met Heather Mahalik in person and we’ve had a few email exchanges over the years, including one surrounding this exchange with Shark Mark Cuban.  A former government examiner, Heather now works mainly with Cellebrite as a consultant and with SANS, instructing their mobile forensics courses.  A virtual bottomless well of knowledge about mobile device forensics, Heather has also co-written the book Practical Mobile Forensics, which is another must-have in your reference library if you’re going to be conducting analysis on mobile devices.



As far as helpfulness, willingness to share their knowledge, ability to test theories and publish the findings we need to know in the ever-changing landscape of mobile forensics -- and just plain giving back to the community -- I’m not sure any influencer in our industry is as generous as Heather.  Heather’s ongoing blog, Smarter Forensics frequently jumps on the most current issues with testing of new operating systems and/or applications, validating the findings and putting the initial impressions and impact on our industry in a simple, concise, easy-to-understand format (example, see her blog on iOS 14 here).  

Also very active on the IACIS listserv, Heather always seems willing to answer any questions members may pose, particularly with regard to the functionality of Cellebrite and the tool’s ability (or lack thereof) in decoding, parsing, searching, etc.  Anyone who does mobile device analysis can see why Cellebrite hired her – in addition to being a virtual walking encyclopedia of mobile forensic knowledge, she’s a terrific ambassador for the company and vocal proponent of all the great things we can analyze, report and testify upon with regard to mobile device evidence.  She also hosts a regular webinar, discussing current trends in forensics.  She truly gives of herself, her time and her knowledge to help us all out consistently and is clearly passionate about our field.

Key Influencer #3:  Harlan Carvey

Harlan Carvey is sadly another influencer I’ve never met -- which is odd because he lives about a half an hour from me – but I digress.  Harlan has been in the DFIR game virtually since leaving the USMC.  Included in his resume are heavy-hitters like IBM, Nuix, SecureWorks and CrowdStrike, to whom he’s referred me and my clients several times. Harlan is probably best known for his books and his contribution to the community with free/open source tools like RegRipper.  Another walking encyclopedia of incident response knowledge, Harlan has penned the books Windows Forensic Analysis, Investigating Windows Systems, Windows Registry Forensics, Perl Scripting for Windows Security and Digital Forensics With Open Source Tools (to name a few).  Basically, go on Amazon and type in Harlan Carvey.  Correction:  he’s not a walking encyclopedia of Windows Forensics, he wrote the encyclopedia!



Harlan has also contributed to our community with his free, open source tool, RegRipper, which does exactly that – rips through your (exported) suspect system registry files to present a clear, concise view of the artifacts contained therein.  While many of us don’t, it’s true that you can perform forensic analysis on PC (and Mac) systems with mainly open-source tools and if you’re going to do that, I suggest that RegRipper be one of your main, go-to tools in the toolbox.  It’s a fantastic contribution to our community.  Also on Harlan’s Github are presentations that he’s given and other tools/tips that he has shared for the benefit of everyone.

Keeping in line with the “giving of self” theme that is a large component of a contributor to our community, I recall reading a proverbial “tip of the hat” about Harlan, which I believe was written by the aforementioned Brett Shavers.  He stated that Harlan never hesitated to answer his questions and give him guidance.  He was always open, willing and gracious (paraphrased).  I have also seen a bit of this from Harlan myself.  He frequently contributes substantively to conversations on LinkedIn and provided some welcomed guidance to me personally with regard to launching into the incident response realm.  Many of our colleagues simply ignore requests or don’t have the desire to take the time.  Harlan is not one of them.  He is thoughtful and generous… And he’s forgotten more about incident response than I’ll probably ever know.  Harlan also wants you to contribute.  He truly recognizes DFIR as a collaborative community, so if you can pitch in to make RegRipper a better tool, Harlan wants to hear from you!

Key Influencer(s) #4:  The Hawk Analytics Team

Ok, I recognize that a for-profit company may come with a bit of an asterisk on this list, but stick with me…
I’ve been acquainted with the folks at Hawk Analytics for several years and have attended their training. In case you’re not familiar, Hawk Analytics makes a tool for cellular records analysis called CellHawk, which helps analysts map and display cellular and other location records. The tool also helps identify known associates by phone number, frequent locations and patterns of usage, incorporates an animated timeline of usage and more.  If you are involved in the analysis and mapping of any records with date, time and GPS coordinates – like records for ankle monitors for sex offenders or those out on bail or parole – CellHawk is a must-have tool.  It’s robust, flexible and keeps improving.


  
But what separates the Hawk Analytics team from others in the industry is their passion and dedication to getting to the facts.  They do not speculate about things which they are either not trained in or the tool isn’t equipped to handle.  Many analysts who are involved in these types of cases erroneously attempt to estimate radio frequency range of cell sites.  This is bad practice without specialized equipment and the team at Hawk Analytics knows this.  Founded by former cellular engineer Mike Melson, Hawk Analytics and their team genuinely have a desire to do good.  Many times behind the scenes, Mike and his team will assist agencies with search & rescue to help find missing and/or endangered persons, despite having families of their own and the obligations of running a company.  Even if you’re not a CellHawk user, their team will be more than willing to discuss quirks or anomalies in your record returns or assist with interpretation based upon their vast experience.  Even though I may do independent CDR analysis for criminal defendants, they’re always willing to help because they are guided by the truth and don’t engage in conjecture or speculation.  

In the spirit of giving to the community, Hawk Analytics also has a free toolbox, which will help you identify the cellular carrier for phone numbers in your case and even compile a preservation letter or search warrant template for you at the click of a button.  Did I mention it’s all free?  Mike and his team truly epitomize professionalism and seek to make a positive difference in their own little corner of the world (i.e., their expertise).  If you value integrity in your vendors, Hawk Analytics is definitely the way to go.

Key Influencer #5:  Larry Daniel

Lastly, in a departure (and perhaps surprise to some), I’d like to give recognition to Larry Daniel of Envista Forensics as being a key influencer in our field.  Having transitioned from law enforcement to the private sector, I have known Larry both in my former life and my current one.  Some of you may not know Larry while some of you may have gone up against him in court.  To be clear, Larry and his company are essentially business competitors of ours, but that’s sort of like saying your local corner convenience store is a competitor with WalMart, as Envista is a much larger operation than Pro Digital and they conduct all manner of forensic analysis, not just digital forensics.  Regardless, I’ve come to know Larry as a savvy businessman and a very knowledgeable and formidable forensic and cellular records analyst.  I respect Larry not only for his business acumen, but for his tenacity.  Larry didn’t have the advantage of the government or a huge corporation sending him through digital forensic training – he did it all himself and learned it from the ground up.  He is, as his son and co-worker described to me once – a “serial entrepreneur”, but one that has had a great deal of success in the private sector side of our industry.  
 


Larry founded and grew Guardian Digital Forensics in Raleigh, NC and several years ago sold the company to Envista Forensics and took over as Principal Consultant of their digital practice.  Since diving head-first into the DFIR pool, Larry has published numerous articles, presented at EnFuse and multiple litigator’s conferences and authored two books, Digital Forensics For Legal Professionals and Cell Phone Location Evidence for Legal Professionals.  These books are fairly basic, but in writing them, Larry tapped into a previously uneducated audience that was severely lacking in knowledge about digital forensics and cellular analysis – criminal and civil litigators and paralegals.   I think it’s safe to say that Larry has written the book(s) on digital forensics for the private sector legal professional.

Practitioners like Larry make everyone better.  They challenge us to cover all the digital bases and make sure we know the evidence when so much is at stake, whether it be child custody, a large sum of money or someone’s freedom.  Quiet professionals like Larry are no different from the quiet professionals that work in DFIR roles in law enforcement, for government contractors and big corporations.  We all strive to get to the truth, analyzing the available evidence and utilizing our training, experience and wisdom.  

Wrapping It Up

This list of DFIR influencers isn’t all-encompassing.  For every person on this list, there are probably hundreds behind the scenes working hard to prove or disprove the incident or allegation.  We all know there are blowhards and charlatans in every industry and digital forensics is no exception.  But we all benefit from the contributions of the people on this list.  It’s my hope that one day, someone can point to an article or a book that I’ve written or a major case that I’ve worked and say that I’ve contributed to the community in a positive way.  Even though all of the people on this list are still active practitioners, their legacy in our field is already carved out.

It’s my hope that this list will continue to evolve over the next year (and beyond) and we can re-visit and tip our hats to five (or so) more influencers that make our industry great and help make us all better at what we do.  Thanks to everyone on this list for all that you do to help us improve and grow… and keep up the great work!

Author: 
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC 
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!

We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Web: www.ProDigital4n6.com
Pro Digital LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc
Patrick Siewert LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  





Monday, September 14, 2020

Digital Forensics: Adding Value To Title IX (Title 9) Cases



For the past several years, there have been multiple business articles stating how the private sector digital forensics industry will be growing exponentially in the near future.  This is partially due to increased data breaches, increased civil litigation filings where data is at issue and increased electronically-facilitated criminal activity.  One area where we are seeing a decided uptick in the need for forensic data acquisition, analysis, consulting & expert testimony services is Title IX cases, which occur largely on college campuses.  According to Harvard University:

“Title IX is a US federal civil rights law passed as part of the Education Amendments of 1972. This law protects people from discrimination based on sex in education programs or activities that receive Federal financial assistance.
Title IX states that:
‘No person in the United States shall, on the basis of sex, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any education program or activity receiving Federal financial assistance.’”



Since its initial passage, Title IX has grown to include claims involving sexual harassment, discrimination and sexual violence.  The odd procedural issues with Title IX claims are that they may be made personally or anonymously, may or may not lead to a formal administrative charge against the accused and the accused may or may not even know the claim was ever made about them until long after the claim has been filed and/or adjudicated.  This can lead to problematic issues surrounding due process, rights to face one’s accuser and false claims made against the accused.  Further, if the accused graduates college and submits to any type of background investigation for employment, the presence of the claim on their formal educational record will likely cause expulsion from the hiring process.  Because of all of these controversial factors, recent years have also seen Title IX civil litigation blossoming into another area where justice may be sought by either the accuser or the accused.

Digital Forensics In Title IX Cases

Because Title IX claims deal mainly with college-aged claimants and accused persons, who undoubtedly use their mobile devices to a high level, the likelihood of having data in some form that may show extensive contact between the parties and serve to add value to the case is fairly high.  Whether the data is stored on a mobile device via chat or texting apps, pictures, call history, voice recordings, web history and/or email, the appropriate forensic acquisition of this data is of paramount importance to identifying the circumstances surrounding the alleged event.  Title IX cases are legal proceedings; however, there may be no law enforcement investigation and the proceedings may not have a judge or attorneys present, which can put one or both sides of the matter at a procedural disadvantage.  However, the accusation and disposition of the proceedings have a long-lasting effect on the accused and/or the claimant.  Because the outcomes of these proceedings are essentially permanent and potentially impactful for a lifetime, the use of screenshots or tools with which the mobile device’s data can be easily altered prior to presentation to document contact between the parties involved is highly discouraged, as discussed in our recent article here.



Another area that should not be overlooked in Title IX claims is data that may reside on one or both parties’ computer systems.  While it’s a digital evolutionary fact that much of modern class and professional work can be conducted on mobile devices, many mobile devices are still not ideal for composition of long-form text such as research papers, lengthy emails and files or documents with larger data sets.  Email exchanges between the accused and the claimant as well as synced text message contact (iMessage, WhatsApp, etc.) over desktop applications could also be vital evidence in the Title IX claim, some of which may not be present or available via forensic data acquisition from the mobile device. Additionally, it’s very likely that the mobile device in use by either party has been charged and/or synced by the computer system at some point in the recent past.  Depending on a number of different parameters, this may lead to a backup of the mobile device data being created, which can then be acquired, analyzed as if it were the mobile device itself and used as evidence in Title IX proceedings.  While the Rules of Evidence or Civil Procedure may not be an overwhelming consideration in Title IX cases, the potential that evidence may be used in later formal courtroom litigation dictates that the evidence used in the administrative proceedings should be acquired and analyzed in a forensically sound manner.

Conclusions

Title IX cases present a host of challenges for virtually all parties involved.  As with all formal proceedings, the truth of the matter can ultimately boil down to the evidence, and particularly the strength of that evidence.  Because so much can be at stake with regard to the future of both the claimant and the accused, the appropriate documentation and forensic acquisition and presentation of data in the case is vital to proving or disproving the claim.  People increasingly live their lives on their devices, whether it be a mobile device (phone, tablet) or a computer or a combination within the various data storage ecosystem.  The good (and sometimes bad) thing about this ubiquitous connection to electronic devices is that they document nearly everything for us.  This becomes evidence in many legal and administrative proceedings, but the “devil in the details” can ultimately rest on the proper handling, acquisition, analysis and presentation of the data involved in the case.  When someone’s future is at stake, why risk presenting bad, unverifiable or lacking evidence?


Monday, June 1, 2020

Beyond Location Data In Cellular Records Analysis


For reasons I’m not sure I can put a firm grasp on, there still seems to be a debate over the value of cellular call detail records and their strength in being able to prove or disprove location in litigation.  Clearly the location data is generally what is sought after the most, because it carries weight with regard to a particular incident and/or time frame at the heart of the dispute.  However, some still try to debunk this data as “junk science”.  The reasoning for this is a great topic for another article, and is touched upon in our previous article entitled Three Reasons Why Call Detail Records Analysis Is Not “Junk Science”.  However, there’s much more to the cellular records than location data, or at least much more that is ancillary to location data.  This deeper level of analysis can further lend validity to the records themselves and any conclusions drawn from their analysis, location or otherwise.



Dataset #1:  Link Analysis

Along with location data, properly obtained cellular records also tell us a great deal about who our target is talking to, when they are talking and how often.  This is most commonly referred to as link analysis, but effective analysis of these records goes beyond that.  For instance, a target is suspected of marital infidelity with a married woman.  The call detail records (CDR) show he calls and texts the married woman several dozen times a day.  A private investigator tracking the married woman spots the two of them together on a particular date and time.  What is likely to happen?  They’ll stop calling or texting each other during that time because they’re in the same location.  In another example, suspect #1 is arrested and charged with robbery.  His defense team has information that he was NOT the only one involved in the robbery, and perhaps was not the primary person involved in the robbery.  Analyzing who the suspect called and texted the most leading up to the robbery and afterward can be of great value in determining who an accomplice may have been.  Usually what we see with link analysis is that people will call and text their loved ones the most – husbands/wives, parents, best friends, etc.  This all goes to show a pattern of usage and helps identify who they talk to the most and potentially, their activity with regard to those people as well.

Dataset #2:  Usage Patterns

Often in conversations with litigators about analysis of these records, we get asked “what if they turned their phone off?” or “what if he simply left his phone at home or at work?” during the time of interest.  All valid questions!  The question becomes what we can tell is likely during the time frame of interest in relation to other usage patterns.  If a cheating husband is meeting his paramour in a hotel during his lunch hour once or twice a week and he leaves his cell phone at the office, we’ll be able to tell from looking at 1) the usage patterns from when he is not with his paramour and 2) a pattern of missed calls and/or texts for the period of time he was separated from his phone.  Let’s also not overlook that he may have had a flurry of text messages or calls with the paramour leading up to this activity.  There are very interesting and often very valuable items we can tell by looking at the record, such as:

· If the phone rang and went to voicemail
· If the phone was turned off and calls went directly to voicemail
· If calls were received and unanswered in succession for a period of time (and later returned)
· If text messages were received and unanswered for a period of time (and later returned)
· Whether any of this activity is normal, as compared to other activity for time frames outside of the time frame of interest

People are creatures of habit.  By analyzing the usage patterns in the records, we can see what their habits are in relation to the use of their device.  This is the single biggest reason we advise all litigators who wish to use these records to obtain at least 30 days of records on either end of the incident in question.  The more data, the better.  Usage patterns are of great value when conducting this analysis.



Dataset #3:  Where They Lay Their Head

Much of the usage analysis mentioned previously has little or nothing to do with location.  One area that has to do with location, although not necessarily during the time frame of the alleged incident(s), is where your target lays their head.  As stated earlier, people are creatures of habit.  Their phones are with them virtually all the time.  So even outside of the time frame of the incident, we can likely tell where that person is staying at night.  By and large, during late night and early morning hours, we see the mobile device stationary, only using one sector of one cell site for an extended period.  This information in the records tells us likely where they lay their head.  By filtering down to late night & early morning hours, we can also see if they have more than one place where they may stay at night.  This typically generates a “hot list” of cell sites that are used most often, and this is also included in any reports we generate.  It’s relevant insofar as it shows the finder of fact or opposing counsel that where their stated address is may not be where they stay.  It could also provide additional information for follow-up if the house and likely person with whom they are staying can be determined.  It’s a fantastic piece of evidentiary data!
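To make the three datasets above concrete, here is an added Python example (not the author’s code or any vendor’s tool) that runs link analysis, unanswered-call run detection and a late-night cell site hot list over a small, constructed set of call detail records.  The column layout and the use of a zero duration to mark an unanswered incoming call are assumptions made for this example; real carrier exports differ in both.

```python
"""Constructed CDR analysis example: link analysis, unanswered-call runs and a
night-time cell site "hot list". The sample records below are made up."""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records (not real carrier data). Columns: local timestamp,
# direction (IN/OUT), other party, event type, duration in seconds (0 on an
# incoming CALL = not answered; an assumption for this example), site, sector.
SAMPLE_CDR = """\
timestamp,direction,other,type,duration,site,sector
2020-05-04 00:12:00,IN,5551112222,SMS,0,101,2
2020-05-04 01:30:00,OUT,5551112222,SMS,0,101,2
2020-05-04 07:45:00,OUT,5553334444,CALL,120,205,1
2020-05-04 08:10:00,OUT,5551112222,CALL,60,205,1
2020-05-04 12:01:00,IN,5551112222,CALL,0,205,1
2020-05-04 12:04:00,IN,5551112222,CALL,0,205,1
2020-05-04 12:09:00,IN,5555556666,CALL,0,205,1
2020-05-04 12:15:00,IN,5551112222,SMS,0,205,1
2020-05-04 13:02:00,OUT,5551112222,CALL,300,205,1
2020-05-04 18:30:00,IN,5553334444,CALL,45,101,2
2020-05-04 23:40:00,OUT,5551112222,SMS,0,101,2
2020-05-05 02:15:00,IN,5551112222,SMS,0,101,2
2020-05-05 23:55:00,OUT,5557778888,CALL,90,309,3
2020-05-06 03:20:00,IN,5557778888,SMS,0,309,3
"""


def parse_cdr(text):
    """Parse the CSV text into dicts with a datetime and an int duration."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%d %H:%M:%S")
        row["duration"] = int(row["duration"])
        records.append(row)
    # Carrier exports are not always chronological; the run detection below
    # assumes time order, so sort once here.
    records.sort(key=lambda r: r["timestamp"])
    return records


def link_analysis(records, top_n=5):
    """Dataset #1: who the subscriber talks to most (calls and texts, both
    directions), most frequent first."""
    return Counter(r["other"] for r in records).most_common(top_n)


def unanswered_call_runs(records, min_run=2):
    """Dataset #2: runs of consecutive incoming calls that went unanswered,
    plus whether the subscriber then called one of those numbers back. A run
    like this, outside the normal pattern, is the footprint of a phone left
    behind or switched off during the window."""
    calls = [r for r in records if r["type"] == "CALL"]
    runs, i = [], 0
    while i < len(calls):
        j = i
        while (j < len(calls) and calls[j]["direction"] == "IN"
               and calls[j]["duration"] == 0):
            j += 1
        if j - i >= min_run:
            callers = {c["other"] for c in calls[i:j]}
            nxt = calls[j] if j < len(calls) else None
            runs.append({
                "start": calls[i]["timestamp"],
                "end": calls[j - 1]["timestamp"],
                "count": j - i,
                "callers": callers,
                "returned": bool(nxt and nxt["direction"] == "OUT"
                                 and nxt["other"] in callers),
            })
        i = max(j, i + 1)
    return runs


def night_hot_list(records, night_start=23, night_end=5):
    """Dataset #3: (site, sector) usage during late-night and early-morning
    hours, most used first. One dominant pair suggests where the subscriber
    sleeps; two suggest two places they may stay."""
    night = [r for r in records
             if r["timestamp"].hour >= night_start or r["timestamp"].hour < night_end]
    return Counter((r["site"], r["sector"]) for r in night).most_common()


if __name__ == "__main__":
    recs = parse_cdr(SAMPLE_CDR)
    print("Top contacts:", link_analysis(recs))
    for run in unanswered_call_runs(recs):
        print(f"{run['count']} unanswered calls {run['start']} to {run['end']} "
              f"from {sorted(run['callers'])}; returned={run['returned']}")
    print("Night-time hot list:", night_hot_list(recs))
```

On the constructed data this surfaces 5551112222 as the dominant contact, a run of three unanswered calls around midday that the subscriber returned an hour later, and two distinct late-night site/sector pairs, i.e. two places the subscriber may be staying.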

Wrapping It Up

As illustrated briefly here, there’s more to cellular call detail records analysis than simple location.  These points also further prove that the proper and effective analysis of this data is not “junk science”; rather, there may be a contingent of analysts who simply don’t have the ability or desire to perform this type of higher-level analysis in their cases.  Ignorance of the power and effective use of the data does not make the data invalid.  By looking deeper into the data, we can start to sort out what may help to prove or disprove the claims in the case.  It could also help shed light upon or validate who else may be involved in the matter, whether previously known or not.  The ability to analyze behavior patterns in the record cannot be over-stated either.  At the heart of any digital forensic practice is a person, whether it is behind the keyboard, phone screen or a cellular subscriber.  People behave in patterns.  Your analyst should be able to identify those patterns and determine whether or not they are of relevance in your case.  Happy hunting!
