Friday, March 27, 2015

Tenacity & Objectivity: The Double-Edged Sword of Digital Forensics


In our article with tips on how to select a competent digital forensic examiner, we touched on two important attributes of competent examiners that I'd like to expand upon: tenacity and objectivity.  The two traits are extremely important and can often be at odds with each other when working cases at all levels, including digital forensic examinations.  It's that conflict that bears some exploration within the field of digital forensics and investigation.

Tenacity

Tenacity is a trait that many people don't have, but one that is extremely important in investigations at all levels. To me, tenacity means leaving no proverbial stone unturned: looking at all of the factors and options in a given case before putting the stamp of "closed" on your findings.  I recently told an attorney that I never think I'm done and I always think there's more evidence to find.  Of course, one has to be careful not to pursue rabbit holes or wild goose chases, but with experience and training, a competent investigator can discriminate between potentially irrelevant information and evidence that can provide value in a given case. 

The problem with tenacity is ego.  Ego is another subject we've discussed in this blog, but it bears mentioning that tenacity requires a personal "motor" -- the drive to want to find out what's going on and to follow the investigation to its natural conclusion.  But when an investigator or examiner gets personally involved in a case, his tenacity can sometimes lead to tainted findings because he is looking at the case through the lens of his own ego.  This is an extremely dangerous area to operate in and one that many investigators fail to recognize in themselves.  The other problem with the ego's relationship to tenacity is the psychological snowball effect that comes from being a competent investigator or examiner who experiences repeated success.  With each case, confidence and ego build and the ability to look at cases objectively decreases, which leads to bad work product.

Objectivity

If tenacity is the motor that drives a competent examiner or investigator, then objectivity is the preventative maintenance that keeps the motor running efficiently & effectively.  It is incumbent upon professionals in the field to wipe the slate clean with every new case, thus maintaining a position of objectivity.  As a famous podcaster often says, always keep in mind that you're just not that good.  Maintaining objectivity with every new case ensures appropriate work flow and adherence to best practices.  Objectivity requires putting one's ego in check and following the evidence to conclusions, as opposed to following conclusions to evidence.  Objectivity also has the great benefit of increasing credibility in legal proceedings and with professional reputation overall.

When initiating an investigation, it would be beneficial to start from a place of not caring who is responsible.  Care about the evidence, care about the facts, care about the truth.  Don't care about the ancillary or even political factors that can affect a case because this leads to loss of objectivity.  Yes, I know this is sometimes easier said than done, but it's also what separates true professionals from those who are less professional.

Conclusions

The fact that tenacity & objectivity are not only vital in every case, but potentially very much at odds with each other in every case cannot be overstated.  Even with trained, dedicated professionals, the internal struggle with wanting to do a GOOD job and bring out the facts in any given case while maintaining objectivity occurs at virtually every level.  But these two traits are so vitally important to a complete & appropriate investigation that they need to be at the top of the list for any decent investigator, digital forensic examiner or forensic practitioner. 

If you're tenacious, embrace it.  Nurture and hone your tenacity because it's what makes you an effective, intuitive investigator.  Just be careful.  As I've seen repeatedly throughout both law enforcement & the private sector, success tends to breed an over-inflated sense of self-worth.  A healthy dose of objectivity about your cases and about yourself is also vital to maintaining integrity of investigations and ensuring the proper outcome in all aspects of the case.

Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally

About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia.  In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history.  A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.
Twitter: ProDigital4n6

Saturday, March 21, 2015

Why I'm Not Sitting for the CISSP Exam (for now)

Regular followers of this blog will note that I often bounce around between current events, issues within digital forensics and even touch on some information security topics.  Sometimes, a case or a related experience gives me cause to write about one of these topics with a little opinion thrown in.  While the old adage about opinions is quite true, it seems that some of the more opinionated pieces are also more provocative and interesting. 
Toward the goal of being at least somewhat provocative and interesting, I would like to relay a recent experience.  Being that information security is a very hot-button topic and loosely related to digital forensics, I took advantage of a local opportunity in Richmond, Virginia.   

The Central Virginia Chapter of the Information Systems Security Association (ISSA) offers a 10-week course of instruction and study toward preparation for the industry-standard Certified Information Systems Security Professional (CISSP) exam.  The local ISSA chapter offers this at a very reasonable rate and they even provide dinner during the weekly class, so I saw it as a very good deal, a great way to get me more exposure to the field of information security and possibly increase the value Pro Digital can add to potential clients.  The ultimate goal of this course is to sit for the CISSP exam, which offers one the CISSP designation, if passed.  After completion of the course, I’ve decided not to sit for the exam (for now) and here’s why…

Backing up a Bit

Before I dive into my opinion about the CISSP, it might be appropriate to give readers who aren’t in the information security sector some background information.  The CISSP is one of several certifications offered by the International Information Systems Security Certification Consortium, or (ISC)².  This governing body offers numerous information system and security-oriented certification programs that are generally considered industry-standard.  The CISSP covers 10 “domains” or subject areas that all have some specific bearing on information security.  The domains range from networking to cryptography to legal matters, including digital forensics.  To sit for the CISSP exam, a candidate needs to have several years’ experience in one or more of the domains and/or some formal education to equal a specific number of points on a rating scale.  Being that my years of criminal investigation and digital forensics combined with a 4-year degree met the requirements, I went into the process thinking I would sit for the exam.

What Changed My Mind

I will start by saying that I’ve been through hundreds of hours of digital forensic training, perhaps more.  Some of it was very timely & topical and some of it was outdated and quite dull.  Nevertheless, even the outdated courses offered something in the way of education as to how technology evolved into what it is today.  I’ve also had a fair amount of exposure to things like cryptography and networking, both domains covered by the CISSP, but only on a functional level and as part of an overall course related to either high-tech investigation or digital forensics.  All that being said, I was a sponge during our 10-week course for everything I didn’t already know or have some hands-on experience with.  Then we got to the legal portion, which also dealt with digital forensics.

Even though most of my classmates were bored to death learning about different types of law, cases, regulations and forensics, I was really eager to see what this domain covered.  Bear in mind, all of my digital forensic training has been geared toward professional investigators, not information system professionals, so I was expecting a little bit of a different flavor.  The instructor did a good job getting through what was, by his own admission, a dry subject.  But again, I’m a legal nerd, so it was mostly interesting to me.   

After the PowerPoint presentation, the instructor plugged in the sample CISSP test questions taken right out of the CISSP Common Body of Knowledge (CBK) book.  As a class, we went through 83 questions dealing with legal matters, incident response and how to handle sensitive data legally.  I was NOT impressed.  Not only was I not impressed with the obviously confusing way some of the questions are written, but some of the answers were just plain wrong.  For example, a question about the first steps in a digital forensic examination offered 4 multiple choice answers, none of which were correct.  The CBK told us the correct answer was to image the system first, but that’s actually several steps down the road.  The first step is to document the scene through notes and photographs as much as possible.  Especially if a crime has occurred, documentation of how the scene was found is vital to a proper chain of evidence.  That is just one example and I truly wish I had written down how many were like that, but I didn’t.  I can tell you there were several, however. 

This disturbed me quite a bit because this very well-respected certification is giving people incorrect information.  Not only that, but some participants may go through this certification and think they can adequately and appropriately respond to these incidents when that is certainly not the case.  As I’ve repeatedly stated in this blog, taking the right steps from the beginning is paramount in any digital forensic case.  It doesn’t matter if it’s a minor violation or a major crime.  Adhering to best practices of documentation, acquisition, analysis, reporting and testimony is appropriate in ALL cases, and what the CBK, and by virtue of its reference the CISSP itself, is telling those who go through the certification is wrong and certainly not within best practices.
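The ordering the CBK question got wrong is easy to enforce in tooling.  The following is an added example, not anything from this post, the ISSA course or (ISC)²: a small Python evidence-handling record that refuses to image a device until the scene has been documented, hashes the image at acquisition, and re-verifies it later for the report.  The case ID, examiner name, scene notes, photo filenames and the byte string standing in for a drive are all constructed for the demonstration.

```python
"""Evidence handling record that enforces "document the scene before you image".

Added example for this post; not the author's tooling and not (ISC)2 material.
Assumptions: the "device" is a constructed byte string standing in for a drive,
the case ID and examiner name are made up, and SHA-256 plus MD5 are recorded
because acquisition forms commonly ask for both.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


class WorkflowError(Exception):
    """Raised when a step is attempted out of order."""


class EvidenceCase:
    def __init__(self, case_id, examiner):
        self.case_id = case_id
        self.examiner = examiner
        self.log = []            # chronological chain-of-custody entries
        self.documented = False
        self.image_hashes = None

    def _entry(self, action, **details):
        rec = {"ts": datetime.now(timezone.utc).isoformat(),
               "examiner": self.examiner, "action": action, **details}
        self.log.append(rec)
        return rec

    def document_scene(self, notes, photos):
        """Step 1: record how the scene and device were found before touching them."""
        if not notes or not photos:
            raise WorkflowError("scene documentation needs notes and photographs")
        self.documented = True
        return self._entry("document_scene", notes=notes, photos=list(photos))

    def acquire_image(self, device_bytes, image_path):
        """Step 2: image the device and record its hashes; refused if step 1 is missing."""
        if not self.documented:
            raise WorkflowError("image the device only after documenting the scene")
        with open(image_path, "wb") as f:
            f.write(device_bytes)
        self.image_hashes = {"sha256": hashlib.sha256(device_bytes).hexdigest(),
                             "md5": hashlib.md5(device_bytes).hexdigest()}
        return self._entry("acquire_image", path=image_path, **self.image_hashes)

    def verify_image(self, image_path):
        """Re-hash the image file and compare against the hashes taken at acquisition."""
        if self.image_hashes is None:
            raise WorkflowError("nothing has been acquired yet")
        with open(image_path, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        ok = digest == self.image_hashes["sha256"]
        self._entry("verify_image", path=image_path, match=ok)
        return ok

    def report(self):
        """Chain-of-custody log as JSON, ready to attach to the written report."""
        return json.dumps({"case_id": self.case_id, "log": self.log}, indent=2)


def run_demo():
    """Walk the workflow end to end on a constructed 'device'; returns the checks."""
    device = b"NTFS    " + bytes(range(256)) * 4      # constructed stand-in for a drive
    case = EvidenceCase("2015-0042", "examiner@example.test")   # hypothetical values
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "evidence.dd")
        try:                                          # imaging first is refused
            case.acquire_image(device, img)
            results["premature_refused"] = False
        except WorkflowError:
            results["premature_refused"] = True
        case.document_scene("Laptop powered on, lid open, on desk in office 2B",
                            ["IMG_0001.jpg", "IMG_0002.jpg"])
        case.acquire_image(device, img)
        results["verified"] = case.verify_image(img)
        with open(img, "r+b") as f:                   # simulate an altered image
            f.write(b"X")
        results["tamper_detected"] = not case.verify_image(img)
    results["actions"] = [e["action"] for e in case.log]
    return results


if __name__ == "__main__":
    print(run_demo())
```

The point of the `documented` flag is that the tool, not the examiner's memory, carries the ordering: the acquisition entry cannot exist in the log without a scene-documentation entry timestamped before it, which is exactly the question a cross-examining attorney will ask.  In a real deployment the log would be written to append-only storage rather than kept in memory.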

This led me to wonder, what else have we gone over in this course that is incorrect, bad information or contrary to best practices?  You don’t know what you don’t know, but the obvious lapses in this one domain covered during this course lead me to believe this can’t be isolated.  There’s an old rule in police work, the “plus one” rule: if you find one bad guy, look for another until you prove there isn’t one.  The rule applies to this experience as well.  If there are that many errors in the CBK with regard to legal considerations and digital forensics, how many others are there?  There are bound to be more and that really turns me off to the entire certification.

Conclusions

I was grateful for the opportunity to take this course and I met some great professionals along the way.  The instruction was top-notch and given by individuals in the field who have the experience and knowledge to relay real-world information, not just what’s in the book.  I can’t say enough good things about the Central Virginia ISSA for making this course available and about the instructors for the time, effort and advice they offered us as prospective CISSPs.  

All that aside, I think the CISSP as it is now is outdated and may contain some very incorrect information.  Even though the subject is dry, adhering to legal best practices and doing the right things when an incident occurs could possibly be the most important domain in all of the CISSP.  After all, if you don’t do the right things at the right times within the law, you could open yourself up to civil or criminal liability and no one wants that.  But the apparent construction of the questions on which candidates are tested is downright horrible and it makes me question the validity of the entire certification. 

In fairness, the (ISC)² is re-vamping the domains in the CISSP course and re-doing the test later this year.  I can only hope that the new information is more relevant and more correct.  And maybe I’ll sit for the new exam, but we’ll see…


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally


Wednesday, March 11, 2015

Ethical Sensitive Data Handling

Current events with regard to public and private officials handling sensitive data have given rise to a larger question: beyond legal requirements, what is the right thing to do when it comes to handling sensitive data?  Indeed, data handlers in both the public and private sectors have a responsibility to handle that data with integrity and to keep in mind who they are serving while handling the data.  We’ll explore some of the different considerations here:

Sensitive Data Handling in the Private Sector

There’s no doubt that data security and the threats posed by both internal and external data breach perpetrators have become a very hot topic in recent months.  External hacking attacks upon the systems at eBay, Home Depot, Staples, Google and Anthem are just a few of the high-profile examples of the external threats that exist with regard to data security.  But what ethical obligation do those companies have with regard to handling your sensitive data?  I would suggest that the base level of ethical responsibility is the same across the board, no matter the industry.  Whether the company is handling your credit card number or your healthcare records, they all have a basic ethical responsibility to treat the trust their customers place in them with the highest regard.  As consumers, we all have a choice of who earns and keeps our business.  The waters get a little muddier when the data handler is an employer-sponsored insurance company, but the fact remains that you still have a choice.  Fortunately, it appears that most companies do understand this ethical obligation, even if only after a breach has occurred and they have been “prosecuted” in the court of public opinion.

Beyond credit card numbers, email addresses and other personal information, certain industries have an even higher ethical responsibility to handle your data securely.  The obvious recent example is the data breach at Anthem, an extremely large health insurance company which warehouses the healthcare information for millions of customers.  There are several reasons why the doctor-patient legal privilege exists, not the least of which is the sensitivity of the information shared between patients and their healthcare providers.  Regulations and laws such as HIPAA are in place to try and force healthcare providers and their associated industries (i.e., insurance companies) to do the right things insofar as patient privacy, but we still see outdated, insecure practices like pen-and-paper sign-in clipboards in doctors’ offices and examining room doors being left open while patients await treatment or are under treatment.  These violations are minor in comparison to a large data breach, but they signal a larger systemic problem in healthcare data security, HIPAA compliance and patient privacy: the onus for patient confidentiality is ultimately on the healthcare provider, and carelessness or complacency is no excuse to sacrifice patient information security.   

However, we as the “consumers” of health care also need to educate ourselves on the best practices of patient privacy and hold our healthcare providers to those standards.
It bears noting that healthcare is only one example of this ethical responsibility.  Other industries that bear an ethical, and oftentimes legal, responsibility for client information security are legal practitioners, financial institutions and the government.

Ethical Data Handling in the Public Sector

The “pink elephant in the room” example with this particular subject is the recent story of Hillary Clinton and her handling (or rather mishandling) of potentially vital emails through use of a personal email address for official U.S. State Department business.  While the media pundits and critics from both sides of the political spectrum will debate whether her actions were legal or illegal, the more pointed question is, was it ethical?  I submit the answer is a resounding “NO!”

Political ideology aside, let’s explore the common-sense side of storing data that is potentially vital to our national security on a private email server.  The first consideration is accountability.  It was reported today that Clinton may have “deleted” upwards of 30,000 emails from this personal server, and by her own admission used the personal email for official business, but that it was legal because there’s no law against it.  This would seem to be an obvious example of an instance where the law has not yet caught up with technology, which is a repeated theme in the legislature and court decisions.  Public officials are placed in positions of public trust.  The higher the position, the more the public has implied trust in the person holding that position.  But trust is backed up by verification, or in this case, transparency.  Unfortunately, transparency is out the window because Clinton allegedly deleted half of the emails residing on the server.  Does that mean our trust should be out the window too?

The other notable area with regard to ethical data handling by public officials is the security of that data.  The Federal Government has regulations, standards and practices in place for secure data handling.  If a public official handles his or her data privately, they are not necessarily subject to those standards, presenting a very convenient loophole.  Even if they are subject to data security standards, the government may have trouble compelling an employee to turn over personal data, even when mixed with official communications.  However, those data security standards are in place because there are other nations that would be very interested in exploiting any and all public-sector data they can get their hands on.  I recently saw a tweet from an information security professional that read: “Maybe the American People didn’t know Hillary had a private email server, but the enemies of our State sure did!”  No truer words have been spoken.  If Clinton was handling official business on a private email server, as she has admitted, what security measures were in place to protect the data?  What server logging, monitoring, incident response or data encryption was in place?  If we take Clinton at her word, she used one email account and one device “for convenience”.  Is it possible none of these security measures were put in place because of the same convenience mindset?

(Photo caption: Was anyone really looking over her shoulder?  Picture credit: ABC News)

While Hillary Clinton’s mishandling of sensitive data has provided a great example here, the responsibility for ethical data handling is not limited to the Federal Government or officials in high-ranking positions.  Federal, State and Local officials at every level bear the same responsibility.  Local and State Departments of Social Services not only warehouse client information, but may also have healthcare-related and highly sensitive and confidential information about their clients.  Local and State public safety agencies warehouse data for every ambulance call, police report, traffic stop and personal encounter with virtually everyone they come into contact with, including those involved in a personal health crisis.  While these incidents may be exempt from HIPAA, that doesn’t mean the data is any less sensitive.  These examples are just two of many that illustrate the need and responsibility for ethical data handling at all levels of the government.

Conclusions

High-profile cases have certainly created an increased awareness of data security, but the practice and implementation of real data security measures is still reactionary at best.  To be sure, virtually everyone in every industry (including digital forensic consultants and bloggers) is responsible for some sort of sensitive data and bears responsibility for ethical data handling that goes beyond simple legal requirements.  The Golden Rule applies across the board, no matter your industry, and can be applied to data handling as well: handle others’ data as you would handle your own.

In the end, ethics and integrity go hand-in-hand.  Integrity means doing the right thing, even if no one is watching.  So let’s all start taking the proactive measures required to handle sensitive data not just to the legal standard, but to high ethical standards worthy of the trust of our clients, customers and the public at-large.


Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Twitter: ProDigital4n6