Monday, September 14, 2020

Digital Forensics: Adding Value To Title IX (Title 9) Cases


For the past several years, there have been multiple business articles stating how the private sector digital forensics industry will be growing exponentially in the near future.  This is partially due to increased data breaches, increased civil litigation filings where data is at issue and increased electronically-facilitated criminal activity.  One area where we are seeing a decided uptick in the need for forensic data acquisition, analysis, consulting & expert testimony services is Title IX cases, which occur largely on college campuses.  According to Harvard University:

“Title IX is a US federal civil rights law passed as part of the Education Amendments of 1972. This law protects people from discrimination based on sex in education programs or activities that receive Federal financial assistance.
Title IX states that:
‘No person in the United States shall, on the basis of sex, be excluded from participation in, be denied the benefits of, or be subjected to discrimination under any education program or activity receiving Federal financial assistance.’”



Since its initial passage, Title IX has grown to include claims involving sexual harassment, discrimination and sexual violence.  The odd procedural issues with Title IX claims are that they may be made personally or anonymously, may or may not lead to a formal administrative charge against the accused, and the accused may not even know the claim was made about them until long after it has been filed and/or adjudicated.  This can lead to problematic issues surrounding due process, the right to face one’s accuser and false claims made against the accused.  Further, if the accused graduates and submits to any type of background investigation for employment, the presence of the claim on their formal educational record will likely remove them from the hiring process.  Because of all of these controversial factors, recent years have also seen Title IX civil litigation blossom into another arena where justice may be sought by either the accuser or the accused.

Digital Forensics In Title IX Cases

Because Title IX claims deal mainly with college-aged claimants and accused persons, who are almost universally heavy users of their mobile devices, the likelihood that data exists in some form showing extensive contact between the parties, and so adds value to the case, is fairly high.  Whether the data is stored on a mobile device in chat or texting apps, pictures, call history, voice recordings, web history and/or email, the appropriate forensic acquisition of this data is of paramount importance to identifying the circumstances surrounding the alleged event.  Title IX cases are legal proceedings, but there may be no law enforcement investigation and the proceedings may have no judge or attorneys present, which can put one or both sides of the matter at a procedural disadvantage.  However, the accusation and the disposition of the proceedings have a long-lasting effect on the accused and/or the claimant.  Because the outcomes of these proceedings are essentially permanent and potentially impactful for a lifetime, documenting contact between the parties with screen shots, or with tools by which the mobile device’s data can be easily altered prior to presentation, is highly discouraged, as discussed in our recent article here.



Another area that should not be overlooked in Title IX claims is data that may reside on one or both parties’ computer systems.  While much of modern class and professional work can be conducted on mobile devices, many mobile devices are still not ideal for composing long-form text such as research papers, lengthy emails and files or documents with larger data sets.  Email exchanges between the accused and the claimant, as well as synced text message contact (iMessage, WhatsApp, etc.) over desktop applications, could also be vital evidence in the Title IX claim, some of which may not be present or available via forensic data acquisition from the mobile device.  Additionally, it’s very likely that the mobile device in use by either party has been charged and/or synced with the computer system at some point in the recent past.  Depending on the device and its sync settings, this may lead to a backup of the mobile device data being created on the computer, which can then be acquired, analyzed much as if it were the mobile device itself and used as evidence in Title IX proceedings (note that such a backup may be password-protected, in which case the backup password is needed before its contents can be parsed).  While the Rules of Evidence or Civil Procedure may not be an overwhelming consideration in Title IX cases, the potential that evidence may be used in later formal courtroom litigation dictates that the evidence used in the administrative proceedings should be acquired and analyzed in a forensically sound manner.
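As an added illustration of the computer-side backup point (example code written for this page, not code from the original post or from any forensic vendor), the following Python checks the standard iTunes/Finder backup locations for per-device backup folders and summarises a backup from its Info.plist and Manifest.plist, including whether it is encrypted. The sample plists are constructed inline so it runs offline; the default paths and plist key names are the usual ones Apple’s backup format uses, but both are assumptions to confirm against the actual system, since a custom backup location is possible.

```python
import plistlib
from datetime import datetime
from pathlib import Path

# Default iTunes/Finder backup roots; each device gets a subfolder named by its UDID.
# Assumed standard locations; confirm on the actual system (a custom path is possible).
BACKUP_ROOTS = [
    Path.home() / "Library/Application Support/MobileSync/Backup",      # macOS
    Path.home() / "AppData/Roaming/Apple Computer/MobileSync/Backup",   # Windows, desktop iTunes
    Path.home() / "Apple/MobileSync/Backup",                            # Windows, Microsoft Store iTunes
]


def find_backup_dirs(roots=BACKUP_ROOTS):
    """Return every per-device backup folder under the known roots that carries an Info.plist."""
    found = []
    for root in roots:
        if root.is_dir():
            found.extend(sub for sub in root.iterdir() if (sub / "Info.plist").is_file())
    return found


def triage_backup(info_bytes, manifest_bytes):
    """Summarise a backup from the raw bytes of its Info.plist and Manifest.plist.
    'encrypted' matters most for acquisition planning: an encrypted backup needs the
    backup password before any message database inside it can be parsed."""
    info = plistlib.loads(info_bytes)
    manifest = plistlib.loads(manifest_bytes)
    return {
        "device_name": info.get("Device Name"),
        "product_type": info.get("Product Type"),
        "ios_version": info.get("Product Version"),
        "phone_number": info.get("Phone Number"),
        "serial": info.get("Serial Number"),
        "udid": info.get("Target Identifier") or info.get("Unique Identifier"),
        "last_backup": info.get("Last Backup Date"),      # datetime; plist dates are stored in UTC
        "encrypted": bool(manifest.get("IsEncrypted", False)),
        "app_count": len(manifest.get("Applications", {})),
    }


def triage_backup_dir(path):
    """Convenience wrapper for a real backup folder returned by find_backup_dirs()."""
    path = Path(path)
    return triage_backup((path / "Info.plist").read_bytes(), (path / "Manifest.plist").read_bytes())


# Constructed sample plists (no real device data) so the triage can be exercised offline.
SAMPLE_INFO = plistlib.dumps({
    "Device Name": "Example iPhone",
    "Product Type": "iPhone12,1",
    "Product Version": "13.6",
    "Phone Number": "+1 (555) 010-0100",
    "Serial Number": "EXAMPLE00000",
    "Target Identifier": "00008030-000000000000000E",
    "Last Backup Date": datetime(2020, 9, 1, 22, 14, 5),
})
SAMPLE_MANIFEST = plistlib.dumps({
    "IsEncrypted": True,
    "Version": "10.0",
    "Applications": {"com.apple.MobileSMS": {}, "net.whatsapp.WhatsApp": {}},
})

if __name__ == "__main__":
    print(triage_backup(SAMPLE_INFO, SAMPLE_MANIFEST))
    for d in find_backup_dirs():          # only prints something on a machine that has backups
        print(d, triage_backup_dir(d))
```

The summary is a triage step, not an acquisition: once a backup of interest is identified, the folder itself should be acquired and hashed before anything inside it is parsed.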

Conclusions

Title IX cases present a host of challenges for virtually all parties involved.  As with all formal proceedings, the truth of the matter can ultimately boil down to the evidence, and particularly the strength of that evidence.  Because so much can be at stake with regard to the future of both the claimant and the accused, the appropriate documentation, forensic acquisition and presentation of data in the case is vital to proving or disproving the claim.  People increasingly live their lives on their devices, whether a mobile device (phone, tablet), a computer or a combination of the two within the broader data storage ecosystem.  The good (and sometimes bad) thing about this ubiquitous connection to electronic devices is that they document nearly everything for us.  This becomes evidence in many legal and administrative proceedings, but the “devil in the details” can ultimately rest on the proper handling, acquisition, analysis and presentation of the data involved in the case.  When someone’s future is at stake, why risk presenting bad, unverifiable or lacking evidence?

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
About the Author:
Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia USA.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation investigations in Virginia court history.  Patrick is a graduate of SCERS, BCERT, the Reid School of Interview & Interrogation and multiple online investigation schools (among others).  He is a Cellebrite Certified Operator and Physical Analyst and Instructor, as well as certified in cellular call detail analysis and mapping.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business marketed toward litigators, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.
Email:  Inquiries@ProDigital4n6.com
Patrick Siewert LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Monday, June 1, 2020

Beyond Location Data In Cellular Records Analysis


For reasons I can’t quite put my finger on, there still seems to be a debate over the value of cellular call detail records and their strength in proving or disproving location in litigation.  Clearly the location data is generally what is sought after the most, because it carries weight with regard to a particular incident and/or time frame at the heart of the dispute.  However, some still try to dismiss this data as “junk science”.  The reasoning for this is a great topic for another article, and is touched upon in our previous article entitled Three Reasons Why Call Detail Records Analysis Is Not “Junk Science”.  However, there’s much more to the cellular records than location data, or at least much more that is ancillary to location data.  This deeper level of analysis can further lend validity to the records themselves and to any conclusions drawn from their analysis, location or otherwise.



Dataset #1:  Link Analysis

Along with location data, properly obtained cellular records also tell us a great deal about who our target is talking to, when they are talking and how often.  This is most commonly referred to as link analysis, but effective analysis of these records goes beyond that.  For instance, suppose a target is suspected of marital infidelity with a married woman.  The call detail records (CDR) show he calls and texts the married woman several dozen times a day.  A private investigator tracking the married woman spots the two of them together on a particular date and time.  What is likely to happen?  They’ll stop calling or texting each other during that time because they’re in the same location.  In another example, suspect #1 is arrested and charged with robbery.  His defense team has information that he was NOT the only one involved in the robbery, and perhaps was not the primary participant.  Analyzing who the suspect called and texted the most leading up to the robbery and afterward can be of great value in determining who an accomplice may have been.  Usually what we see with link analysis is that people call and text their loved ones the most: husbands/wives, parents, best friends, etc.  This all goes to show a pattern of usage and helps identify who they talk to the most and, potentially, their activity with regard to those people as well.

Dataset #2:  Usage Patterns

Often in conversations with litigators about analysis of these records, we get asked “What if they turned their phone off?” or “What if he simply left his phone at home or at work?” during the time of interest.  All valid questions!  The question becomes what we can infer about the time frame of interest from the usage patterns around it.  If a cheating husband is meeting his paramour in a hotel during his lunch hour once or twice a week and he leaves his cell phone at the office, we’ll be able to tell from looking at 1) the usage patterns from when he is not with his paramour and 2) a pattern of missed calls and/or texts for the period of time he was separated from his phone.  Let’s also not overlook that he may have had a flurry of text messages or calls with the paramour leading up to this activity.  There are very interesting and often very valuable items we can tell by looking at the record, such as:

·      If the phone rang and went to voicemail
·      If the phone was turned off and calls went directly to voicemail (a phone out of coverage produces the same result, so this should be read against the surrounding records)
·      If calls were received and unanswered in succession for a period of time (and later returned)
·      If text messages were received and unanswered for a period of time (and later returned)
·      Whether any of this activity is normal, as compared to other activity for time frames outside of the time frame of interest

People are creatures of habit.  By analyzing the usage patterns in the records, we can see what their habits are in relation to the use of their device.  This is the single biggest reason we advise all litigators who wish to use these records to obtain at least 30 days of records on either end of the incident in question.  The more data, the better.  Usage patterns are of great value when conducting this analysis.



Dataset #3:  Where They Lay Their Head

Much of the usage analysis mentioned previously has little or nothing to do with location.  One area that does have to do with location, although not necessarily during the time frame of the alleged incident(s), is where your target lays their head.  As stated earlier, people are creatures of habit.  Their phones are with them virtually all the time.  So even outside of the time frame of the incident, we can likely tell where that person is staying at night.  By and large, during late night and early morning hours, we see the mobile device stationary, using only one sector of one cell site for an extended period.  This information in the records tells us where they likely lay their head.  By filtering down to late night & early morning hours, we can also see if they have more than one place where they may stay at night.  This typically generates a “hot list” of cell sites that are used most often, and this is also included in any reports we generate.  It’s relevant insofar as it shows the finder of fact or opposing counsel that their stated address may not be where they stay.  It could also provide additional information for follow-up if the house and the likely person with whom they are staying can be determined, bearing in mind that a sector’s coverage footprint narrows things to the area served by that sector rather than to a single address.  It’s a fantastic piece of evidentiary data!
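The three datasets above, run over a constructed record set as an added example that is not part of the original article: `top_contacts` covers Dataset #1, `unanswered_streaks` Dataset #2 and `overnight_hot_list` Dataset #3. The column layout is a simplified, carrier-neutral one assumed for illustration; real CDRs differ from carrier to carrier and normally need a normalisation step into something like this before any of it applies.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample records in an assumed, simplified layout (real CDR columns vary by carrier).
# Built so that 5550001111 is the most-contacted number, site 2211/sector 3 is the daytime site,
# site 1042/sector 2 the usual overnight site, and a run of unanswered calls/texts sits around
# midday on May 1 while the subscriber was away from the phone.
SAMPLE_CDR = """\
timestamp,direction,type,other_number,duration_sec,cell_site,sector
2020-05-01T00:12:00,in,sms,5550001111,0,1042,2
2020-05-01T02:40:00,out,sms,5550001111,0,1042,2
2020-05-01T07:55:00,out,call,5550001111,180,1042,1
2020-05-01T09:10:00,out,call,5550002222,600,2211,3
2020-05-01T12:05:00,in,call,5550001111,0,2211,3
2020-05-01T12:09:00,in,call,5550001111,0,2211,3
2020-05-01T12:15:00,in,sms,5550001111,0,2211,3
2020-05-01T12:31:00,in,call,5550003333,0,2211,3
2020-05-01T13:20:00,out,call,5550001111,95,2211,3
2020-05-01T18:30:00,out,sms,5550002222,0,1042,2
2020-05-01T23:45:00,in,sms,5550001111,0,1042,2
2020-05-02T01:05:00,out,sms,5550001111,0,1042,2
2020-05-02T08:02:00,out,call,5550002222,240,2211,3
2020-05-02T23:58:00,in,call,5550001111,310,3305,1
2020-05-03T00:20:00,out,sms,5550001111,0,3305,1
"""


def load_cdr(text):
    """Parse the CSV into dicts with typed fields, oldest record first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "direction": r["direction"],          # "in" or "out" relative to the subscriber
            "type": r["type"],                    # "call" or "sms"
            "other": r["other_number"],
            "duration": int(r["duration_sec"]),   # 0 for texts and for unanswered calls
            "site": r["cell_site"],
            "sector": r["sector"],
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def top_contacts(rows, n=5):
    """Dataset #1 (link analysis): numbers ranked by total calls + texts in either direction."""
    return Counter(r["other"] for r in rows).most_common(n)


def unanswered_streaks(rows, min_run=3):
    """Dataset #2 (usage patterns): runs of incoming calls/texts the subscriber did not answer,
    with no subscriber activity in between. A long run during normally active hours is consistent
    with the phone being off, silenced or left behind. 'resumed_at' is the first later event that
    shows the subscriber handling the phone (an outgoing call/text or an answered call)."""
    streaks, run = [], []
    for r in rows:
        unanswered_in = r["direction"] == "in" and not (r["type"] == "call" and r["duration"] > 0)
        if unanswered_in:
            run.append(r)
            continue
        if len(run) >= min_run:
            streaks.append({"start": run[0]["ts"], "end": run[-1]["ts"],
                            "events": len(run), "resumed_at": r["ts"]})
        run = []
    if len(run) >= min_run:  # record set ends in the middle of a run
        streaks.append({"start": run[0]["ts"], "end": run[-1]["ts"],
                        "events": len(run), "resumed_at": None})
    return streaks


def overnight_hot_list(rows, start_hour=23, end_hour=5, n=3):
    """Dataset #3 (where they lay their head): site/sector pairs used most between start_hour and
    end_hour, across midnight. A sector covers an area, not an address, so read this as a neighbourhood."""
    night = [r for r in rows if r["ts"].hour >= start_hour or r["ts"].hour < end_hour]
    return Counter((r["site"], r["sector"]) for r in night).most_common(n)


if __name__ == "__main__":
    rows = load_cdr(SAMPLE_CDR)
    print("top contacts:", top_contacts(rows))
    for s in unanswered_streaks(rows):
        print(f"unanswered run: {s['events']} events {s['start']} .. {s['end']}, resumed {s['resumed_at']}")
    print("overnight hot list:", overnight_hot_list(rows))
```

Two design points carry over to real records: the streak detector deliberately treats an answered incoming call as subscriber activity (it ends a run), and the overnight filter is a window, not a single hour, because the 30 days either side of the incident that the article recommends are what turn a handful of night-time records into a stable hot list.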

Wrapping It Up

As illustrated briefly here, there’s more to cellular call detail records analysis than simple location.  These points also further show that the proper and effective analysis of this data is not “junk science”; rather, there may be a contingent of analysts who simply don’t have the ability or desire to perform this type of higher-level analysis in their cases.  Ignorance of the power and effective use of the data does not make the data invalid.  By looking deeper into the data, we can start to sort out what may help to prove or disprove the claims in the case.  It could also help shed light upon or validate who else may be involved in the matter, whether previously known or not.  The ability to analyze behavior patterns in the record cannot be over-stated either.  At the heart of any digital forensic practice is a person, whether behind the keyboard, behind the phone screen or as a cellular subscriber.  People behave in patterns.  Your analyst should be able to identify those patterns and determine whether or not they are of relevance in your case.  Happy hunting!


Wednesday, May 13, 2020

So You Want To Start A Digital Forensic Business


Pro Digital Forensic Consulting is about to embark on its 7th year in full-time operation.  It’s hard to believe that when I made the decision to transition from law enforcement to the private sector, my little company would have come this far, servicing hundreds of clients through the years.  Because of my background and the contact I have with the DF community via this blog and professional associations, I usually receive inquiries about starting up a digital forensic consultancy/business several times a year.  In fact, I got another one just the other day via LinkedIn.  And with the current state of affairs (the Covid-19 shutdown) and people’s livelihoods being somewhat in question, it seems natural that some might consider taking on a new venture.  So, in the spirit of answering some of the frequently asked questions about what to expect if and when someone starts a digital forensic business, it seems a good idea to write down my thoughts and experience for future similar inquiries.  To be clear, I could (and may) write a book about this topic, but this blog is fairly well-established, so it seems the appropriate vehicle for sharing these lessons learned.  As a slight disclaimer, this article and the tips to follow are geared mainly toward sole-proprietor and small consulting firms.  I’m pretty sure Kroll and KPMG have this figured out :)



Tip #1:  Have A Supplemental Income Plan

Virtually no business starts off day 1 churning revenue and making a profit.  When Pro Digital was launched full-time in June of 2014, we billed a whopping $7,800 for the period from that point to the end of 2014.  It would have been much less were it not for one large computer forensic case which accounted for nearly 85% of the billings for 2014.  Alongside the work that went into opening a business, I was also fortunate to have some things to fall back on personally, such as part-time and/or contract work, some of which had nothing to do with forensics.  The take-away here is that it’s important to have a supplemental income source that you can use to help keep the lights on at your newly formed business while it is growing and you’re working on creating awareness and “buzz” for it.  The downside is that the marketing and awareness campaigns for your new shingle are a full-time business in themselves, so it can be double the work.  I’ll touch on marketing more in Tip #6.

Tip #2:  Keep Abreast of Trends

Most of my notable work in law enforcement was working for a full-service agency on the Internet Crimes Against Children (ICAC) Task Force.  Accordingly, all of my training and equipment was paid for by grants and other funding.  My last year in law enforcement was in an administrative role for a small campus police department, which had no use for any digital forensic expertise, so the skill sets that I’d worked on for the previous 5+ years sat on a shelf and collected dust.  When the business was launched full-time, I quickly realized how much things had evolved, changed and blown past me in the year I was not doing forensics.  This is a field driven by current events and evolving technology.  Try explaining the differences between the HFS+ and APFS file systems to someone who hasn’t been doing Mac forensics for a year or more.  It’s a vast change and the changes don’t stop.  I was amazed at how much I’d forgotten in that year and the learning curve was much steeper than I would have liked.  It’s imperative to keep up to date with the field.  Blogs, webinars, free training, listservs and colleagues are all great resources to keep current with what’s going on in the world of digital forensics. 

Tip #3:  Invest In GOOD Tools & Equipment

The start-up investment capital for Pro Digital was not a lot of money and was all self-funded.  Accordingly, I did some research on tools and cost/benefit analysis on the investment in those tools and/or training.  Initially, I purchased tools and equipment that wouldn’t break the bank and would get the job done.  It wasn’t long before I realized that certain things will save me time and therefore, money.  Along with that, it’s hard to work cases using tools no one has ever heard of before, particularly when the more tech-savvy attorneys with whom I work know the difference between one tool and another.  Some of these tools I still use.  Some of the software companies have basically gone belly-up and some I’ve gotten rid of over the years for one reason or another.  Additionally, some tools have been purchased for case-specific needs.  But the point remains that you need to invest in these things as if you were working a case for a loved-one.  Would you want the analyst on your father’s case using sub-par tools that no one really uses?  Probably not.  Spend the money and get the good stuff.  You’ll make your money back many times over.  The adage is true, you have to spend money to make money.

Tip #4:  Be Picky About Your Clients

When you’re hungry, everything looks like filet mignon.  The problem is, if you eat everything you’re “fed”, you’ll have a host of side-effects that will be hard to manage.  We used to work any and all cases that caused the phone to ring.  The most notable and frequent of these are the “I’ve been hacked” cases.  It is an unfortunate truth that there are many mentally ill people in the world and the internet gives them free rein to research to their heart’s content and contact those whom they feel may be able to assist them in whatever issues they believe they are having, many of them tech-related.  But these cases are a forensic and business quagmire.  If you’re fortunate enough to get a client who will actually pay for your services, they will never be happy with the results.  This could eventually have an adverse effect on your professional reputation as well.  This is a reputation and referral-based business, so if you have clients that are in a position to ruin your reputation or malign you publicly, you will likely see fewer referrals over time. 

As a matter of policy, Pro Digital has transitioned to a purely litigation support model.  If you are not actively involved in litigation or a representative of a corporation that needs digital forensic services, we likely will not take your case.  If you’ve hired a PI to work your case, we may take it as a referral from a trusted source.  We don’t need anybody’s money *that* badly to work a case for someone who is obviously suffering from some form of mental illness or someone who wants to spy on their spouse to dig up enough dirt to file for divorce.  This is an ethical decision, but can also lead to legal issues if you’re not careful, i.e., theft of property, theft of data, unauthorized access to personal information, etc.  Also consider that if you are the digital forensic equivalent of an ambulance chaser, eventually you’ll devalue these services for everyone, including yourself.  Be picky.  It’s worth it.  You’ll get the clients you want and you’ll preserve your professional reputation; this much I know and have seen first-hand.  The big take-away here is to always ensure you have written consent from the owner and/or an order from the court to access whatever you’re acquiring and analyzing.

Tip #5:  YOU Are Your Brand

Digital Forensics is a small community.  Whether you are in law enforcement, have transitioned out of law enforcement or have branched into digital forensics as an arm of your IT or infosec training, we generally know each other and recognize names and faces.  We also recognize when someone is either a charlatan or is pushing an obvious agenda to try and attract clients.  Everything you put out for public consumption (including blog articles) is subject to scrutiny, whether it be by the DF community, potential attorney-clients, opposing counsel, referral sources and/or other professional contacts.  If you have an opinion about something, make sure you’re on solid footing before getting into public discourse about it.  Take this recent example from a public post on LinkedIn from a professional contact (name and ID redacted):



I’ve worked many independent analysis cases for criminal defense attorneys and have been appointed by the court dozens of times.  I don’t know what this person is referring to, nor do I agree with their approach to putting this comment out publicly.  Business is relationships and everything that you put in writing can come back to haunt you.  I’ve received more referrals from my former law enforcement colleagues than I can remember over the years.  Do you know why?  Because I don’t take a public stand with an obvious agenda which maligns professionals.  Not only would I never call out the law enforcement community as essentially being crooked and/or liars, I don’t believe that they are because I haven’t seen it in my 7 years working full time in the private sector.  I have seen errors.  I have seen mistakes.  I have seen over-zealous investigators.  But I have not seen liars. There’s also nothing “science” about this post.  It’s an opinion and it’s part of an agenda to market specifically toward the criminal defense bar.

The reality of our industry is that the majority of who it serves is law enforcement and government, including government contractors.  The government is generally not on the cutting edge of anything, but they’ve certainly been on the cutting edge of digital forensics.  Can private practitioners access tools like Gray Key?  No.  But I have almost never had a need for Gray Key.  Why is that?  Refer back to tip #4.  I virtually always get a pass code and any necessary passwords either by consent or court order.  The only exception to this has been when the owner doesn’t remember the password, usually on an older device.  And to be clear, about 70% of the cases we work deal with mobile devices.

When in business, it may be beneficial to remember the wise words of Michael Jordan, who still has his own shoe brand, despite being out of basketball for over 15 years.  When asked at a press conference why he stays out of politics, his reply was simple:  “Both Republicans and Democrats buy shoes!”  Discretion is the better part of valor.

As a final point to this tip, I was in a discussion with a colleague in law enforcement recently while at a conference.  They said to me very confidently “The customer is always right, so you have to do what the client says no matter what!”  My reply:  “No I don’t!”  What’s the point?  Your professional integrity and reputation are your most valuable assets in this business.  Lose them and you’re done.  We will not alter any facts or data in any report or testimony to counsel or their clients, period.  I’m sorry if the data doesn’t support your case.  The data stands on its own and is irrefutable.  Truth is not fungible.

Tip #6:  Market Yourself (Because No One Else Will)

When I was a member of the ICAC Task Force, I was a fairly big fish in a pretty small pond.  The agency for whom I worked had less than 60 sworn officers and was in a rural area.  I did all of the tech-based investigation, search warrant planning & execution, evidence collection and as time progressed and casework grew, the forensic analysis.  And because many of these cases garnered a lot of public interest, the command staff frequently put me as the media relations person with these cases.  I never liked it.  As a cop, I considered myself a modest personality.  Others nominated me for awards and I was never comfortable in the spotlight.  When I launched the business, I quickly realized all of that had to change.

Because I had media contacts already in place, I offered my knowledge and experience as a local media resource for tech-related stories.  For a while, I was getting multiple calls every week from local media.  Because I had a lot of time (i.e., no clients) in the beginning, I also churned out blog articles virtually once a week.  I issued self-written press releases and worked hard on SEO for the company’s website.  I also began sponsoring several associations for litigators in my area because, as previously noted, this is a referral-based business.  In short, I had to become my own cheerleader because no one else was going to do it.  Furthermore, I learned VERY quickly that just having a good professional reputation and a business does not make the phone ring.  If you build it, they will not come – at least not like they did in Field Of Dreams.

If you want the business, you have to go get it.  And you have to keep on going out there to get it.  The minute you lapse on marketing, the phone will stop ringing.  This is why I’m constantly trying to add fresh content to the Pro Digital website.  Having a website is great.  Paying for Google ads is fine, but content is key.  I had to learn this and be taught what works and what doesn’t over time.  And I still make mistakes and spend money where I probably shouldn’t, but no one gave me a blueprint for running this business.  Tips, advice, counsel & support?  Yes.  But this is such a niche business, it requires a special marketing skill set.  If you don’t have it, you will likely fail.  This is the biggest area I think many ex-law enforcement are not comfortable with and probably what turns many of them off to launching their own business.  Quiet professionals don’t normally like the public spotlight.

Wrapping It Up

Some may read this article and wonder why on earth I would tell potential competitors how to run a successful digital forensic business.  One last tip I’ve learned over the years:  There’s plenty of work to go around.  I find it silly that a competitor of mine seemingly reported the Pro Digital Twitter as “spam”, which caused Twitter to shut it down.  I don’t want their clients.  I have my own and I am fortunate to bring on new ones every month.  If any of these tips can help someone be successful, I’m happy to share what I’ve learned.  No one taught me these things when I started out.  Hopefully by sharing some of these tips, I can pay it forward to the next old cop who wants to try his hand at something new(ish).  Until then, I’m off to work the next case and hopefully clear out my backlog queue.  Good luck!


Friday, April 24, 2020

Screen Shots Are Not (Good) Evidence


Working a variety of civil, corporate and criminal litigation cases, we see a myriad of different approaches to digital forensics in a litigation support model.  One of the common cost-benefit questions that comes up is, why would a party involved in litigation spend the money to hire a digital forensic expert if they can simply take screen shots of disputed and/or evidentiary text messages on a mobile device and print them out?  It’s a good question & a valid point, on its face.  However, there are a number of different reasons we generally discourage this as a practice for presenting evidence in litigation, which we’ll explore here.



Screen Shots Are Susceptible to Alteration

Consider a real-world example from a criminal case worked several years ago.  Our client was charged with a misdemeanor count of assault & battery, but because his career field was such that he did not want a criminal conviction tarnishing his ability to obtain future employment, nor his reputation, he hired a very renowned law firm and a digital forensic expert to help refute the claim of assault, because there were said to be exonerating text messages on his phone between him and the complaining party.

When the trial date came, the complaining party introduced into evidence several screen shots of a text message conversation between them and our client.  The content of the messages was different from what we had obtained from the client’s phone via mobile forensic data extraction, which was confusing to the judge and the other parties in the case.  When pressed for an answer about this discrepancy, they admitted that they had altered the text message screen shots before printing them, changing not only the content of the messages but the chronology as well.  The lesson learned here is that anyone with very basic tools and computer skills can take an image (i.e., a screen shot) and cut-and-paste or insert messages to their own ends.  This is also true of some non-forensic tools which can be purchased online to extract text messages from a phone.

When we conduct a mobile forensic data extraction and report the relevant information, we cannot alter the data.  Furthermore, even if we could alter the data, we would be violating professional ethics and risking reputation by doing so.  This example was a great lesson in why screen shots should never be presented as evidence.

Screen Shots Cannot Be Fully Validated or Authenticated

The point of validation & authentication is an important one for court proceedings.  If evidence such as text messages cannot be validated or authenticated, how can it be introduced into evidence?  To me, this point all boils down to the source of the evidence that is being presented in court, which is usually some sort of printout of the relevant messages between the parties involved in the case.  Who created those printouts or the report from which they came?  Was it one of the parties involved in the litigation, or was it a third-party expert who used bona fide, validated and repeatable methods?  If the evidence being presented was generated by one of the parties involved in the case, that should immediately call the veracity of those messages into question.
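One way to make a message export verifiable rather than merely printed, as an added example that is not the author's tooling or any vendor's report format: the script below builds a small SQLite message store (constructed sample data, standing in for an extracted messaging database), records the SHA-256 of that source file, and writes a report in which every message row carries an HMAC computed by the examiner with a key the parties do not hold. The key, table layout and message contents are all assumptions made for the example. Anyone who later edits a line of the report cannot produce a matching HMAC, and the recorded source hash ties the report back to the preserved extraction.

```python
"""Verifiable export of extracted text messages (added example).

Models a repeatable method: hash the source database, then emit each
message with an HMAC bound to that hash under an examiner-held key.
Altering the printed content of a message later breaks verification.
"""
import hashlib
import hmac
import json
import os
import sqlite3
import tempfile

# Assumption: the examiner keeps this key; in practice it would be
# generated per case and stored outside the report.
EXAMINER_KEY = b"example-case-key-not-a-real-secret"

# Constructed sample messages; the schema mirrors a generic SMS table.
SAMPLE_MESSAGES = [
    (1, "555-0100", "555-0199", "2019-03-02T18:04:11", "are you home?"),
    (2, "555-0199", "555-0100", "2019-03-02T18:05:40", "yes, come by"),
    (3, "555-0100", "555-0199", "2019-03-02T18:30:02", "on my way"),
]


def build_sample_db(path):
    """Create a small SQLite file that stands in for an extracted message store."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE sms (id INTEGER, sender TEXT, receiver TEXT, ts TEXT, body TEXT)"
    )
    con.executemany("INSERT INTO sms VALUES (?,?,?,?,?)", SAMPLE_MESSAGES)
    con.commit()
    con.close()


def sha256_file(path, chunk=1 << 20):
    """Hash the source file in chunks so large extractions fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_mac(key, source_hash, row):
    """HMAC over a canonical JSON form of the row, prefixed by the source hash."""
    canon = json.dumps(list(row), separators=(",", ":"), ensure_ascii=True)
    msg = (source_hash + "\n" + canon).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def export_report(db_path, key):
    """Read every message and attach its MAC; return the report as a dict."""
    source_hash = sha256_file(db_path)
    con = sqlite3.connect(db_path)
    rows = con.execute(
        "SELECT id, sender, receiver, ts, body FROM sms ORDER BY id"
    ).fetchall()
    con.close()
    records = []
    for r in rows:
        records.append({
            "id": r[0], "sender": r[1], "receiver": r[2], "ts": r[3],
            "body": r[4], "mac": record_mac(key, source_hash, r),
        })
    return {"source_sha256": source_hash, "records": records}


def verify_report(report, key):
    """Return the ids of records whose content no longer matches their MAC."""
    bad = []
    for rec in report["records"]:
        row = (rec["id"], rec["sender"], rec["receiver"], rec["ts"], rec["body"])
        expected = record_mac(key, report["source_sha256"], row)
        if not hmac.compare_digest(expected, rec["mac"]):
            bad.append(rec["id"])
    return bad


def demo():
    """Export a clean report, then show that editing one message is detected."""
    with tempfile.TemporaryDirectory() as d:
        db = os.path.join(d, "sms.db")
        build_sample_db(db)
        report = export_report(db, EXAMINER_KEY)
        clean = verify_report(report, EXAMINER_KEY)
        tampered_report = json.loads(json.dumps(report))  # deep copy
        tampered_report["records"][1]["body"] = "no, stay away"  # edit message 2
        tampered = verify_report(tampered_report, EXAMINER_KEY)
        return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The MAC only proves that the report was produced by whoever holds the key; the hash of the source file is what lets the report be re-derived from the preserved extraction, so both belong in the examiner's record.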



Presentation is Important

I’d be willing to bet that both attorneys and digital forensic experts who read this article have, at some point, been presented with a series of screen shot printouts from a client which they believe are of extreme importance to their case.  Many times, these printouts also include pictures which, if printed out improperly, are simply unrecognizable.  Beyond that, some of the text conversations which may be relevant can run to dozens or hundreds of printed pages, which are hard to keep track of and just plain look bad!

The benefit of a mobile forensic data extraction is that we can often report out just what is relevant in a concise, easy-to-read manner, which is far better suited to presentation in court.  The ultimate goal and purpose behind all of the methods used during the forensic process is so we can present those findings, along with any reasonable conclusions, in a court of law.  It is counter-productive to present overly voluminous and/or excessive information to the judge, jury and opposing parties, because their attention span for what may (or may not) be relevant is quite short during the course of a trial or hearing.

Wrapping It Up

Covey said in his book The 7 Habits of Highly Effective People, “Begin with the end in mind.”  When involved in litigation where text/picture messages may be used as evidence, this is a good rule by which to live.  Do we want to be flipping through volumes of printed screen shots, which may or may not have been altered by whomever “collected” them, in order to present a relevant point at trial?  Probably not.  We also don’t want questions about the veracity of the content or chronology of the messages, which are easy to alter and therefore just as easy to dispute.  When we “begin with the end in mind”, we can see that it’s always better to have a trained, certified, experienced digital forensic examiner conduct the data collection and reporting.  By doing so, we can make great strides toward getting at the truth of the matter!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!
Computer Forensics -- Mobile Forensics -- Specialized Investigation

Thursday, January 9, 2020

Digital Forensics: Theory vs. Practice
As an active digital forensic practitioner for over 10 years, I have attended many training offerings from many different companies/resources, read many white papers published by any number of scientific and academic entities and worked hundreds of active cases for plaintiffs, defendants and in law enforcement covering PC, Mac and mobile device forensics.  One aspect that crosses all of these areas, and that has waned slightly in the last few years but still rears its ugly head, is the set of theoretical questions surrounding digital forensics.  Among these, we have all heard at one point or another about hash collisions, data cross-contamination and reverse-engineering of hash values back into a viewable data file.  While we can Google these theories and findings to death, their practical application in “everyday forensics” is reality-based, not theoretical.



Hash Collisions

The topic of hash collisions generally comes up when working independent analysis in criminal defense cases.  This digital version of the “some other dude did it” (or SODDI) defense is based upon the theory that two digital files containing completely different data can be run through a hashing algorithm and obtain the same result.  Hash calculation is a big part of forensics and particularly in cases dealing with child exploitation images, the hash value is used to locate those sharing illicit images on the peer-to-peer file-sharing networks.  However, we also use hash values to validate evidence files as identical to the original, to cancel out any irrelevant/system files and to validate the authenticity of files across a system or multiple pieces of evidence.  Hashing algorithms such as MD5 and SHA-1 have been “broken” for years, but are still in ubiquitous use in digital forensics.  Why?  Because the practical application of these collisions is so minimal, it is not even worth mentioning in a court of law. But rest assured, it still gets mentioned!  The only real application these collisions have is to attempt to obfuscate the facts and/or confuse the finder of fact in a legal proceeding.  Simply put, there are no documented cases where someone accused of downloading or sharing illicit images was falsely accused because the images they downloaded/shared possessed the same hash value as some innocuous files they were attempting to download/share.  Consider the statistical likelihood that someone downloaded/shared an innocuous file which happened to share the same hash value as an illicit file and also was on a police watch list where a search warrant was executed.  All of those factors being in place at once is very unlikely.

While we are constantly testing, honing and refining our knowledge in the field of digital forensics and we may even work in a “lab”, the fact remains that at a practical level, none of us have the ability to re-create these collisions, nor have we seen them “in the wild”, so to speak.  They are reserved for a theoretical lab environment where the sole purpose is to find and publish the collision, not to find and report the truth in the evidence.
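The validation use of hashes described above, as an added example that is not the author's workflow or any forensic suite's verification routine: it hashes an evidence file with both MD5 and SHA-256, stores both in a manifest, and re-verifies a working copy against it. The file names and contents are constructed for the example. Recording a second, unbroken algorithm alongside MD5 is the practical answer to the collision objection: a published collision attack on MD5 or SHA-1 requires crafting both files together, whereas making an unrelated file match the hash of an existing evidence file is a second-preimage problem that no published attack on those algorithms solves, and a mismatch on either digest is enough to flag the copy.

```python
"""Dual-algorithm integrity manifest for evidence files (added example).

Computes MD5 and SHA-256 in one pass over the file, stores both, and
verifies a copy against the stored values. A single-byte change in the
copy is reported by both algorithms.
"""
import hashlib
import os
import shutil
import tempfile

ALGORITHMS = ("md5", "sha256")


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory buffer; handy for checking against known test vectors."""
    return {a: hashlib.new(a, data).hexdigest() for a in algorithms}


def hash_file(path, algorithms=ALGORITHMS, chunk=1 << 20):
    """Read the file once and feed every chunk to each algorithm."""
    hashes = {a: hashlib.new(a) for a in algorithms}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def verify_copy(manifest, copy_path):
    """Return {algorithm: matches?} for the copy against the recorded manifest."""
    actual = hash_file(copy_path, tuple(manifest.keys()))
    return {a: manifest[a] == actual[a] for a in manifest}


def demo():
    """Make an evidence file, a faithful copy and a copy with one byte flipped."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "evidence.raw")
        with open(original, "wb") as f:  # constructed sample image content
            f.write(b"\x00" * 4096 + b"constructed sample disk image" + bytes(range(256)) * 8)
        manifest = hash_file(original)

        good = os.path.join(d, "copy.raw")
        shutil.copyfile(original, good)

        bad = os.path.join(d, "altered.raw")
        shutil.copyfile(original, bad)
        with open(bad, "r+b") as f:  # flip a single bit deep in the file
            f.seek(4100)
            b = f.read(1)
            f.seek(4100)
            f.write(bytes([b[0] ^ 0x01]))

        return {
            "manifest": manifest,
            "good": verify_copy(manifest, good),
            "bad": verify_copy(manifest, bad),
        }


if __name__ == "__main__":
    print(demo())
```

In practice the manifest is recorded at acquisition time and every later copy is checked against it; keeping both digests costs one extra pass over the data at most and forecloses the argument that the one algorithm used was broken.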

Data Cross-Contamination

Before I discuss the practicality of data cross-contamination, I’ll insert a disclaimer that I understand that using sterilized media to store forensic data and conduct analysis is mentioned as a potential best practice, as detailed in the Scientific Working Group on Digital Evidence (SWGDE) Best Practices for Computer Forensic Acquisitions (v. 1.0).  One of the reasons for this is to avoid data cross-contamination.  What is that?  It is the theory that if you store data to be analyzed on a piece of media in a forensically-sound environment without first sterilizing that media (i.e., wiping and validating it before placing the data on it), some data from a previous or unrelated case could become part of the current case analysis data, thus potentially contaminating the results with unrelated data.  This is a viable theory when dealing with physical evidence such as DNA samples or fingerprints, but it has very little, if any, practical application in digital forensics.  Consider that if you create a forensic data file such as an .e01, raw or .zip file, what is the method and/or likelihood that copying that file onto a piece of non-sterilized media will somehow mix or commingle it with pre-existing data?  I’ve heard one claim of data cross-contamination from another examiner, but anecdotes are not data, nor was the claim ever validated.  We sterilize the media, not because we’ve ever seen it affect any cases, but to avoid questions about it when testifying.
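The “wipe and validate” step mentioned above, as an added example simulated on an ordinary file rather than a block device; this is not from the SWGDE document or the author's practice. The script plants some leftover bytes in a target image to represent residue from an earlier case, overwrites the whole image with zeros, then reads every byte back and records the first non-zero offset before and after, which is the evidence an examiner would keep to show the target was sterile before any case data was copied onto it. File names and the residue content are constructed for the example; on real media the same read-back check would be run against the device itself after the wipe tool finishes.

```python
"""Wipe-and-verify for target media, simulated on a disk image (added example).

Sterilizing media is only demonstrable if the read-back verification is
recorded; this script wipes an image and returns the offsets of any residue
found before and after, so the verification result can be kept in the notes.
"""
import os
import tempfile


def first_nonzero_offset(path, chunk=1 << 20):
    """Offset of the first non-zero byte, or -1 if every byte is zero."""
    offset = 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            if block.count(0) != len(block):  # fast path: chunk is not all zeros
                for i, b in enumerate(block):
                    if b:
                        return offset + i
            offset += len(block)
    return -1


def wipe(path, chunk=1 << 20):
    """Overwrite the whole file with zeros in place and flush to storage."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(chunk, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def sterilize_and_verify(path):
    """Wipe, then verify by reading back; return a record suitable for case notes."""
    before = first_nonzero_offset(path)
    wipe(path)
    after = first_nonzero_offset(path)
    return {
        "size": os.path.getsize(path),
        "residue_before": before,   # -1 would mean the media was already clean
        "residue_after": after,     # must be -1 for the media to count as sterile
        "sterile": after == -1,
    }


def demo():
    """Build a target image with constructed residue, then sterilize and verify it."""
    with tempfile.TemporaryDirectory() as d:
        media = os.path.join(d, "target.img")
        with open(media, "wb") as f:
            f.write(b"\x00" * 2048 + b"old case leftovers" + b"\x00" * 2048)
        return sterilize_and_verify(media)


if __name__ == "__main__":
    print(demo())
```

The point of returning the offsets rather than a bare yes/no is that the “before” value documents that residue existed and was removed, which answers the cross-examination question directly instead of leaving it to the examiner's recollection.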



Hash Value Reverse-Engineering

Having obtained much of my initial training in law enforcement and, as such, working a majority of cases involving illicit images, I can recall being trained that catalogs of illicit image hash values are law enforcement sensitive and not to be disseminated to independent examiners or to the general public.  Why?  Because someone could potentially and theoretically reverse-engineer the hash value to re-create the file, which would be illegal.  This came up again in a case worked independently in 2019.  I thought this theory and explanation was long gone, but it is not.

The problem with the theory of reverse-engineering a hash value is that I’m not sure it’s ever been done, at least not at a practical level.  It is a theory.  Scientists, academics and lab-rats may have done it, but I don’t know anyone who actively practices digital forensics that either 1) has the knowledge, skills and abilities to do it and/or 2) has the desire to do it.  So why is it still mentioned as a consideration in cases?  (Hint: see the above note about obfuscation and confusion.)

Wrapping It Up

I’m not an academic or a lab-rat.  I’m just an old(ish) retired investigator with some skillsets that can often be of benefit to parties involved in litigation.  Because of that, I’m concerned with the practicality of digital forensics – What is the best way to get the case analyzed?  What evidence is relevant?  Where do I need to look for the evidence?  What am I missing that could potentially answer important questions?  Theoretical considerations like those mentioned here are not worthy of much calorie-burning when trying to answer these questions.  In the pragmatic world of digital forensics, we have to consider what is, not what could be.  Because the truth lies in the facts of the case and the data which is part of the case, not in theories about what could or may have happened… And likely did not!

Author:
Patrick J. Siewert
Principal Consultant
Professional Digital Forensic Consulting, LLC
Virginia DCJS #11-14869
Based in Richmond, Virginia
Available Wherever You Need Us!


We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation
Twitter: @ProDigital4n6