Thursday, September 16, 2021

How to Deal with Difficult Clients as a Digital Forensic Examiner

 


Businesses large and small often have the unfortunate occasion where they must deal with a difficult client. In the world of digital forensics, this is no exception. It is essentially how you deal with them that matters. Truth be told, most of us know that this is not always an easy task. We often work with attorneys on behalf of their clients. That being said, in our field we occasionally have clients who represent themselves; however, the majority of clients are attorneys who represent another individual or individuals.


There are several strategies to take into consideration when working and dealing with “difficult” clients.  In truth, there will be some clients that will be difficult regardless of what is done to remedy an issue they may present. However, many difficult situations can be potentially averted if certain steps are taken to minimize any potential issues that could arise. 

1. Set clear, concise boundaries and expectations. If a client knows where you stand from the beginning of the business relationship, there is likely to be less confusion, deterring an angry client. Items such as cost, schedule, deadlines and requirements are crucial in this step. Each case will vary to one degree or another; therefore, those stipulations should be discussed in the initial meeting and put into a contract that all parties sign and date if agreed upon. It should be noted that if a complication in a deadline arises, it should be addressed immediately and not held until the last minute. This is applicable for ALL parties in the case.

2. Be professional. It is sometimes easy to get emotional in litigation, especially if you feel attacked on a personal level. It is best to remain calm and talk to the client in a professional manner, regardless of the manner in which they choose to respond. In the field of digital forensics, we are often sought out for a specific task. How you react to a difficult customer can impact not only your business, but your reputation as well.

3. Document, document, document!! As previously stated, not everyone will be happy with a resolution proposed. There may be instances where you do not have an immediate solution for an issue that pops up. This is where documentation is critical. Just as when performing an analysis from beginning to end, documentation is the backbone to cover yourself. This is no exception.

4. If a mistake is made, own it! Naturally, no one likes to admit they made a mistake. We are human, mistakes happen. However, trying to pawn the blame off on someone else, including the client, will do nothing but produce friction. It is best to be upfront and honest about the mistake, address it and work on a solution to fix it. Of course, the opposite can also apply in this situation. If a mistake is made and it was not any fault of yours, do not take the blame on yourself. This causes a divide in the business relationship.

5. One big thing… If the client is so difficult that there is no solution that pleases them, know when to walk away. Do not be afraid to let them know that their behavior will not be tolerated. Digital Forensic Examiners have a specialty that others seek out. No one should be disrespected in the workplace.


NOTE:  In the world of digital forensic cases, examiners are accustomed to the technology and forensic programs we work with daily, so often we tend to speak in terms that we understand without realizing that our clients are not as versed in such, making this confusing for them and leading to further frustration.  We must always remember to take this into consideration at the beginning of any professional relationship to lessen the possibility of frustration for all parties.

Wrapping It Up

In today’s business world, having a difficult client is almost a certainty.  How a business professional handles a difficult client makes all the difference.  At the same time, every individual deserves a modicum of respect. You cannot be afraid to walk away from a situation if you are put in a situation that makes you uncomfortable.  Your reputation and business could be on the line as a result of how a situation is handled with a difficult client.  As with any relationship, whether it be personal or professional, constant open communication and boundaries are key to the successful relationship between the service provider and the Client and/or attorney handling their matter.

Author: 

Tami Smith

Digital Forensic Examiner

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869

Based in Richmond, Virginia

Available Wherever You Need Us!

 

We Find the Truth for a Living!

Computer Forensics -- Mobile Forensics -- Specialized Investigation

About the Author:

Tami Smith is a Digital Forensic Examiner and Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA). An Army Veteran and a Summa Cum Laude graduate of Computer Forensics and Digital Investigations, she has had the opportunity to practice in the field, examining civil and criminal cases with the discipline of her military experience. Tami holds vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is also a Private Investigator in the state of Virginia. She continues to hone her digital forensic knowledge, education, and experience in the private sector.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Tami Smith on LinkedIn:  https://www.linkedin.com/in/tami-smith-1b28ab29/

 

Tuesday, August 10, 2021

Apple’s New CSAM Detection Policy Analysis



Several times a year, there seem to be current events or topics that strike a chord both inside and beyond the digital forensic community.  We’ve discussed these in previous articles with regard to the Carpenter v. US decision and Apple’s previous spat with the FBI in the wake of the San Bernardino, CA terrorist attack.


As no stranger to these current event discussions (i.e., controversy) when it comes to matters of privacy and cooperation with Law Enforcement, last week we had another “bombshell” dropped by Apple: in a new US-based update, they will be subjecting users’ on-device photos to hash analysis in an attempt to track down images of known child sex abuse material (CSAM) that may be uploaded to iCloud, and forwarding this information for follow-up to the National Center for Missing & Exploited Children (NCMEC) or another law enforcement investigative entity. Here, we’ll discuss how this works and explore both sides of the issue.







How CSAM Detection Works


It is a commonplace practice for internet (or electronic) service providers (ISPs/ESPs) to work in conjunction with law enforcement to detect known CSAM images. The first question naturally is, what is a known CSAM image? Simply put, an image becomes known CSAM when a victim has been positively identified in the image. This routinely comes through the investigation of new/unknown images and positive identification of the children in those images. Oftentimes, the images are within a series, depicting child sex abuse of one or more victims in the same setting with the same abuser and around the same time frame. Law enforcement entities such as NCMEC, DHS and the FBI all maintain file hash databases of these images for use by law enforcement in investigation. These file hash values are used to track down purveyors of child pornography across peer-to-peer networks, as well as those who may upload and share CSAM images to cooperating ESPs such as DropBox, Gmail, Yahoo, Kik, etc.


Once a known CSAM image has been identified by the ESP by hash value, the offending party’s account information as well as the specific date/time of upload and manner of upload are all provided to NCMEC as an investigative lead. NCMEC then performs a variety of open-source intelligence gathering on the offending party and provides the information to law enforcement in what is known as a Cybertip. An affiliate or cooperating law enforcement agency receives the Cybertip for investigative follow-up, which can include knock-and-talk, search warrant, additional investigation or a combination of these (or other) investigative methods. Some Cybertips go nowhere. Some, like one I worked while a member of law enforcement, are not eligible for a search warrant, but end up in a knock-and-talk, consent search and confession from the offending party of not only possessing CSAM, but molestation of his 10-year-old stepdaughter. The value of Cybertips in the hands of properly trained investigators cannot be overstated.


Whether or not you know it, you are explicitly agreeing to this process in the End User License Agreement (EULA) by using any of these services.



One Side of the Argument: Privacy


Privacy is understandably an important issue to users of technology across the spectrum. Apple has traditionally been very privacy-centric in their practices, including refusal to help the FBI unlock the iPhone belonging to a terrorist couple who killed several people. And privacy is very important to almost all users. The argument here on the privacy side is that, by Apple’s own statement, they are installing an agent on iDevices to subject photos to a hashing algorithm and then alert law enforcement if a “threshold” of CSAM content is discovered. This goes a half-step further than what Google, Yahoo or Kik do to detect CSAM content, in that they detect content uploaded to their servers and report what is suspected CSAM to NCMEC. Apple is detecting content on individual devices and reporting to NCMEC suspected CSAM content that may be shared via iCloud and which meets the “threshold”.




In some spirited discussion about this new policy on LinkedIn recently, it was pointed out that this may be a violation of a user’s 4th Amendment rights against unreasonable search & seizure because Apple is acting as a would-be agent of law enforcement and “searching” people’s photos on their devices without a warrant. We’ll discuss this a bit further in the next section, but this is a valid argument on its face. But as with most things in life, the devil is in the details.


Another point brought up in discussion was the fact that Apple is projecting that they have the technology to scan files on your device generally, which could be more of a concern in the future.  This is very powerful technology that has the capability of infiltrating people’s devices without their express knowledge and potentially providing information to a third party, possibly for criminal investigation.  Furthermore, it opens the door for a would-be hacking entity to exploit this new door that Apple has opened on a much wider scale.  The security and data privacy implications may only be in the early stages.


The Other Side of the Argument: Child Safety


As a former law enforcement investigator on the Internet Crimes Against Children Task Force, I can assure you that proliferation of CSAM images across the internet is a real problem. While doing this work also in the private sector, I’m sometimes asked how law enforcement knows that the images are of children and not simply people in their upper-teens who could easily be mistaken for someone over 18. They know. The most egregious examples of CSAM material involve infants and toddlers in sexually exploitative scenarios that no investigator can ever un-see. These images are by and large not questionable in age or physical development. They are small children, even sometimes babies. Are there exceptions to this? Yes. Teens who possess smart devices also possess the ability to make their own images and share them with whomever they wish, particularly if their parent/guardian is not tech-savvy or they have not been taught that the impact of the decision to share explicit photos can be long-lasting when it comes to the internet. These images sometimes become part of criminal investigations as well, and they can be added to the CSAM database if the correct criteria and procedures are in place.


So why is Apple’s decision generally a good one for law enforcement?  The approach that investigators take with CSAM images is that a child is victimized every time these images are viewed or shared.  This then requires law enforcement investigation and intervention to help stem the flow of these images across the internet and decrease child sexual exploitation.  Apple’s cooperation in this mission opens a door not previously available without another third-party alerting NCMEC of images potentially stored on a device.  Additionally, with the proliferation of human trafficking, particularly of missing children, Apple’s new policy gives law enforcement another tool in the proverbial toolbox to help track down and locate missing children.




The argument that this practice goes against 4th Amendment protections against unreasonable search & seizure is a compelling one. But there are some arguments to the contrary. First, no one has a Constitutional right to own an iPhone. If you don’t like Apple’s new policy, switch to Android. Second, whenever we get a new i-Device (iPhone, iPad, iPod, etc.), we are prompted to “Agree” to Apple’s terms of service in the EULA, and this is in perpetuity for the time we use their software and hardware. It is Apple’s discretion to change or update the terms of this policy, as they have done recently with implementation of this new practice. In short, we gave them permission to do this. Finally, an argument can be made that while Apple’s practice for detecting CSAM images goes a half-step beyond other ESPs, the protection of children from sexual exploitation is worth whatever freedom we give up. There is a tried & true adage that liberty and security rarely go hand-in-hand. We frequently give up liberty for security. Been to the airport lately?


Finally, the argument was also brought up about mistaken identification of traders of CSAM images through this new process.  If we take Apple’s statement at face-value, there is a one in “one trillion chance per year” that this could happen, meaning it is far less than statistically insignificant.  I’m also quite certain the army of Legal Counsel at Apple have thoroughly reviewed and signed-off on this practice.




Wrapping It Up


This is a hot topic that won’t soon go away.  Apple has caught heat many times for many different approaches over the years and this is just the latest measure to garner such attention.  It is ultimately up to us as the consumers of Apple to decide… Do we want to give up a tiny bit of privacy (for now) in furtherance of the mission to stem the flow of child sex abuse images or do we care more about privacy over the content of our devices?  It’s a personal choice and fortunately, we still have the freedom to choose in the United States!


NOTE:  Article with additional information published on 8/9/2021:  https://www-bbc-com.cdn.ampproject.org/c/s/www.bbc.com/news/technology-58145943.amp 


Author: 

Patrick J. Siewert

Founder & Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869


About the Author:

Patrick Siewert is the Founder & Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia (USA).  In 15 years of law enforcement, he investigated hundreds of high-tech crimes to precedent-setting results and continues to support litigation cases and corporations in his digital forensic practice.  Patrick is a graduate of SCERS & BCERT and holds several vendor-neutral and specific certifications in the field of digital forensics and high-tech investigation and is a court-certified expert witness.  He continues to hone his digital forensic expertise in the private sector while growing his consulting & investigation business servicing litigators and their clients, professional investigators and corporations, while keeping in touch with the public safety community as a Law Enforcement Instructor.

Email:  Inquiries@ProDigital4n6.com

Web: https://ProDigital4n6.com

Pro Digital Forensic Consulting on LinkedIn: https://www.linkedin.com/company/professional-digital-forensic-consulting-llc

Patrick Siewert on LinkedIn:  https://www.linkedin.com/in/patrick-siewert-92513445/  

Wednesday, July 14, 2021

Three Myths About Digital Forensics as a Practice



Following up on last month’s article about “Three FAQs About Digital Forensics as a Service”, we thought it useful to spend some time debunking some myths about digital forensics from both a general practitioner and service provider perspective.  


Every industry comes with “urban legends” or popularized myths that surround the practice.  Many of these rarely represent reality and some are outright false.  The more intriguing or interesting the field, the more pervasive these falsehoods can be.  Digital Forensics is no different than any other industry in this respect.  The reality is that TV and movies have sensationalized what we do to the point where there are several misconceptions about the practice of digital forensics, which run the gamut of the various sub-sets of the practice and affect those in law enforcement, private sector litigation support, incident response and government contractors.  While Hollywood has tried to make the profession “sexy”, there are some realities to this field, including the long hours spent staring at a computer monitor, developing a script or researching an application.  While not overly exciting, those are activities in which any practitioner worth their salt needs to engage on a regular basis… But it doesn’t make for good TV.


In order to dispel some common myths about our field, three of these misconceptions are discussed in this article.  This selection of industry myths has been garnered through discussing and working cases with people outside the industry over the combined time in law enforcement and private sector practice of digital forensics for the past 12 years.


Myth #1:  Nothing Is Ever Truly Deleted


I wish this were true. However, the reality is that it is not. Not only are there anti-forensics methods readily available to users on the market (e.g., Hillary Clinton and “BleachBit”), but increasingly there are measures being put in place at the manufacturing level for both mobile devices and higher-end computer systems that make deletion of data a permanent state. To be more accurate, the security over the stored data is such that when an item is deleted, it is often not recoverable.


For example, on an iPhone, data is stored in the same basic way for most applications.  However, if an item is deleted from the phone, depending on the type of item (i.e., picture or video vs. text message), the item is sent to free space on the phone memory, which is encrypted and not accessible through the forensic process.  The image may not be gone, per se, but it is not accessible or viewable.  On newer Mac computers and other devices equipped with solid-state memory (i.e., not a spinning hard drive), there is a process in place called “Trim” which also helps clean up the free space of the memory and makes recovery of deleted items extremely difficult, if not impossible.  In the era of heightened data security, these measures are becoming more commonplace.  Deleted text messages that were once partially recoverable are now increasingly unavailable, even with the most state-of-the-art forensic tools.  




There are almost always alternative storage methods, however. Hard (computer-based) backups, copies or cloud-based data can all be potential areas where valuable evidence can exist, but the reality of the digital consumer marketplace is that if all we have is the device and nothing else, we may not get your deleted data.



Myth #2:  If It’s Deleted, It’s Gone


I know this sounds totally contradictory to the previous comments and Myth #1, but just because it’s deleted, doesn’t mean the evidence you need is gone. Indeed, this is and always has been at the heart of the forensic process. We utilize industry-standard methods to acquire, analyze, recover and report about the data. The emphasis with this myth is the recovery part. I tell potential clients and attorneys all the time, the data is *usually* stored in more than one place. The aforementioned cloud-based data storage is the most ubiquitous, but there can also be additional data stored in some surprising places. The more data we can get our hands on that is related to the matter at-hand, the more success we will have in getting you some evidence that will help confirm or refute your assertions in the case. There are also methods of analysis that a trained, competent examiner will attempt to incorporate in many cases, including partial recovery of valuable data from places like file-slack (leftover space where a file may have previously existed) or volume shadow copies that are automatically created in Windows.
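To illustrate the file-slack recovery mentioned above, here is an added example (not part of the original article) that models a toy volume in Python and shows which part of a deleted file survives when a smaller file reuses its cluster. The 512-byte sector and 4096-byte cluster sizes, the ToyVolume class and all file contents are constructed assumptions, and the model is far simpler than a real file system.

```python
import re

SECTOR = 512      # assumed sector size in bytes
CLUSTER = 4096    # assumed allocation unit (cluster) size in bytes


class ToyVolume:
    """Hypothetical volume: a flat byte array carved into clusters."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.free = list(range(clusters))
        self.files = {}  # name -> (list of cluster numbers, logical length)

    def write_file(self, name, content):
        need = max(1, -(-len(content) // CLUSTER))  # ceiling division
        if need > len(self.free):
            raise OSError("toy volume full")
        chain, self.free = self.free[:need], self.free[need:]
        # Zero-fill only to the end of the last written sector; the remaining
        # sectors of the final cluster keep whatever was stored there before.
        padded = content + bytes(-len(content) % SECTOR)
        for i, cluster in enumerate(chain):
            chunk = padded[i * CLUSTER:(i + 1) * CLUSTER]
            start = cluster * CLUSTER
            self.data[start:start + len(chunk)] = chunk
        self.files[name] = (chain, len(content))

    def delete_file(self, name):
        # Deletion only releases the clusters; the bytes are left in place.
        chain, _ = self.files.pop(name)
        self.free = sorted(self.free + chain)

    def slack(self, name):
        """Bytes between the logical end of file and the end of its last cluster."""
        chain, length = self.files[name]
        last = chain[-1] * CLUSTER
        used_in_last = length - (len(chain) - 1) * CLUSTER
        return bytes(self.data[last + used_in_last:last + CLUSTER])


def printable_runs(blob, min_len=16):
    """ASCII runs of at least min_len bytes, similar to the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.decode("ascii") for m in re.findall(pattern, blob)]


def filler(n):
    """n bytes of short constructed filler lines (each under min_len)."""
    return (b"filler text\n" * (n // 12 + 1))[:n]


# Constructed sample content: one marker near the start of the old file,
# one marker roughly 2 KB in.
HEAD = b"HEAD-MARKER (constructed)"
TAIL = b"TAIL-MARKER (constructed): meet at pier 9"


def demo():
    vol = ToyVolume(clusters=4)
    old = filler(100) + b"\n" + HEAD + b"\n" + filler(1900) + b"\n" + TAIL + b"\n" + filler(400)
    vol.write_file("memo.txt", old)
    vol.delete_file("memo.txt")
    vol.write_file("notes.txt", b"n" * 700)   # smaller file reuses cluster 0
    slack = vol.slack("notes.txt")
    return {
        "slack_len": len(slack),
        "recovered": printable_runs(slack),
        "head_survives": HEAD in vol.data,     # overwritten by the new file
        "tail_survives": TAIL in slack,        # still sitting in file slack
    }


if __name__ == "__main__":
    print(demo())
```

The start of the deleted file is overwritten by the new file and its sector padding, while the later portion remains readable in slack, which is why recovery from slack is usually partial.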




In most cases, the proverbial smoking gun is not a realistic possibility.  We have certainly worked and seen cases where the smoking gun has come about and it has always met with great success, but the reality of our practice is that we will likely find *something* to help you, but it may not be the one piece of evidence that will confirm or refute the matter at-hand.  Will it add value?  Most likely.  The real value comes in with the examiner’s ability to articulate what they did, how they found what they did and to explain these findings in non-technical terms that everyone can understand.  


Tools don’t do the work.  They present the data for the analyst to do the work, so make sure your analyst is knowledgeable and not afraid of doing the work.



Myth #3:  It’s Just A Phone… What’s The Big Deal?


It’s not unlikely that the origination of this myth is rooted in our innate perception that greater size should equal greater cost. Bigger vehicles cost more than smaller vehicles. Bigger houses cost more than smaller ones, and so on. So why should a device that fits in my pocket be more of a challenge to acquire and analyze data than my laptop or desktop computer?


In recent years, the marketplace has demanded that phones be more complex, store more data and be much more secure than your computer.  Apple comes out with a new iteration of iPhone every year, and they usually (and much more quietly) update their computer hardware and software as well, but the emphasis since the inception of the iPhone has been on the mobile device.  So what’s so problematic about it?




As I tell attorneys and their clients frequently, many times we are acquiring the data that Apple allows us to have.  To be clear, this is almost always more than what the user could do themselves and in a forensically sound manner appropriate for evidence presentation, but Apple can be quite restrictive for non-law enforcement to obtain data.  We get the basics – messages, photos, videos, web history, and supported app data.  Many times we can also analyze unsupported app data as well.  But much of the deleted data is unavailable.  In recent years, more advanced methods for acquiring iPhone data have come about, but they are only available on certain iterations of the iPhone hardware and software.  But to be clear, we always try to get as much data as possible.


Android phones are increasingly problematic as well.  Last year, we had a Samsung Galaxy S20 in for acquisition and analysis.  I was amazed at how little data we obtained, despite multiple attempts at multiple different methods of acquisition.  Fortunately, the mobile forensic tool developers are always coming out with newer ways to get more data for our use and analysis, but it’s a constant game of catch-up.  


A final point about the volume of data that can be analyzed on phones: Apple currently has up to 512 GB of storage on an iPhone. Some Android phones are pushing to 1TB or more worth of storage. That may not seem like a lot when you’re using the phone, but it’s A LOT of data. And the more we have to search that mountain of data, the longer it takes. These are not the Nokia flip phones we all had in the mid-2000s. They’re not even the Blackberry Pearl you had and thought was so cool. These are complex computer devices with as much storage capacity as many commonly used computer systems, with many enhanced security measures. They may be small, but they’re mighty!


Wrapping It Up


The myths discussed here are a small sample of the push-back we sometimes get when it comes to the length of time and the cost associated with acquisition, analysis and reporting about the data on these devices.  For those in law enforcement, phones are seized daily and sometimes the means by which to simply acquire the data are challenging and time-consuming (if not impossible).  We are not miracle workers, but we do try to get you data that you can use in your case to help confirm or refute your suspicions or claims.  Just know, it’s not always easy, it’s not always quick and it’s unfortunately not always possible.  Sometimes, we just don’t know until we get into analyzing the data!


Author: 

Patrick J. Siewert

Principal Consultant

Professional Digital Forensic Consulting, LLC 

Virginia DCJS #11-14869
