WHAT SHOULD YOU KNOW AND PREPARE FOR UPON HIRING A DIGITAL FORENSICS EXPERT? By Anyck Turgeon August 2015

Sued or Suing: Introduction to Digital Forensics



Table of Contents

1) Defining your needs
2) Introduction to digital forensics
3) Demystifying different types of digital forensics
4) Pros and cons of using digital forensics
5) Understanding digital evidence
6) Admissibility of digital forensics evidence
7) Where can you find digital evidence?
8) Examples of crimes being resolved with digital forensics
   - Case Scenario #1: Fraud, cyber-security & money laundering
   - Case Scenario #2: Trafficking
   - Case Scenario #3: Murders
   - Case Scenario #4: Incidents, Accidents & Disasters
9) Objectives & 5 main stages of digital forensics
10) Digital forensics methodology
11) Why use digital forensics experts?
12) Risks of self-collection
13) Engaging digital forensics experts
14) Q&A

Defining Your Needs

Examples of digital forensics you may want/need:

- Locating erased data
- Attesting to authenticity of records
- Neutral/impartial/evidence-based analysis of digital devices

Examples of evidence you may want/need:

- Original financial statements, bank records and tax filings
- Authenticated legal to HR contracts and/or documents
- Timestamped activities from logs
- Timeline of events by participants or by filed claim(s)
- Deleted/damaged records (including re-formatted hard drives, moved email messages, etc.)
- Untampered contextual evidence (e.g. video feed from separate traffic camera recordings and cell phones demonstrating an accident from different angles, plus satellite feed)
- Overlooked data (evidence hiding within massive amounts of changed records, root kits, file slack, versioning, etc.)

Introduction to Digital Forensics

DIGITAL FORENSICS: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”

Source: American Academy of Forensic Sciences

Digital forensics reviews, analyzes and protects DIGITAL EVIDENCE.

Demystifying Digital Forensics

Computer Forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis

Methods of computer forensics are:

- Discovering data on a computer system
- Securing potential evidence, sometimes validated through contextual analysis (e.g. correlating 3+ independent sources)
- Recovering deleted, encrypted, or damaged file information
- Monitoring live activity
- Detecting violations of corporate policy
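The contextual-analysis method above (correlating three or more independent sources) can be shown with a small timeline builder. This is an added example, not code from the presentation or from M-CAT Enterprises: the three record formats, the sample log lines and the five-minute corroboration window are constructed assumptions chosen for the illustration.

```python
"""Cross-source timeline correlation (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timezone, timedelta


@dataclass(frozen=True)
class Event:
    when: datetime   # normalized to UTC so sources in different zones line up
    source: str
    detail: str


# Constructed sample records: three independent sources, three formats/zones.
SERVER_LOG = [
    "2015-08-03 09:14:52 UTC login user=jdoe src=10.0.0.7",
    "2015-08-03 09:15:30 UTC download file=ledger_v1.xlsx user=jdoe",
    "2015-08-03 13:02:11 UTC login user=jdoe src=198.51.100.9",
]
BADGE_LOG = ["03/08/2015 04:12:10 -0500 BADGE jdoe door=4F-east"]   # local time, UTC-5
PHONE_LOG = ["1438593300 CALL out to +1-555-0100"]                  # Unix epoch seconds


def parse_server(line: str) -> Event:
    date, clock, tz, rest = line.split(" ", 3)
    if tz != "UTC":
        raise ValueError("server log is assumed to be stamped in UTC")
    when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return Event(when, "server", rest)


def parse_badge(line: str) -> Event:
    date, clock, offset, rest = line.split(" ", 3)
    when = datetime.strptime(f"{date} {clock} {offset}", "%d/%m/%Y %H:%M:%S %z")
    return Event(when.astimezone(timezone.utc), "badge", rest)


def parse_phone(line: str) -> Event:
    epoch, rest = line.split(" ", 1)
    return Event(datetime.fromtimestamp(int(epoch), tz=timezone.utc), "phone", rest)


def build_timeline() -> list:
    """Merge all sources into one chronologically sorted list of events."""
    events = ([parse_server(l) for l in SERVER_LOG]
              + [parse_badge(l) for l in BADGE_LOG]
              + [parse_phone(l) for l in PHONE_LOG])
    return sorted(events, key=lambda e: e.when)


def corroboration(events: list, window: timedelta = timedelta(minutes=5)) -> list:
    """For each event, count how many distinct sources have activity within the window.
    An event seen by 3+ independent sources is far harder to dismiss than a lone log line."""
    out = []
    for e in events:
        sources = {o.source for o in events if abs(o.when - e.when) <= window}
        out.append((e, len(sources)))
    return out


if __name__ == "__main__":
    for event, n in corroboration(build_timeline()):
        print(event.when.isoformat(), event.source, event.detail, f"sources={n}")
```

The 13:02 login is the one to treat with care: only the server saw it, so it rests on a single source, while the 09:15 download is backed by the badge reader and the phone record as well.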

Cyber & Social Media Forensics

Hacking Forensics

IoT, Car, Cloud, Contextual Forensics

Ability to SEARCH:

- Through a massive amount of data
- Quickly
- From several devices
- Thoroughly
- In any language

And REPORT:

- Efficiently
- Accurately
- Convincingly

Pros & Cons of Digital Forensics

Digital forensics: advantages vs. disadvantages

Required:

- Expertise
- Tools (over 80 tools, continuously updated)

Disadvantages:

- Cost
- Potential exposure of privileged documents

Understanding Digital Evidence

DIGITAL EVIDENCE: “Any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or understood by a person or a computer system or other similar device. It includes a display, print out or other output of that data.”

5 Rules of Evidence

1) Admissible, based on relevance (Federal Rules of Evidence 401 and 402 + FRCP Rule 26(b)(1))
   Must be relevant and prepared to be used in court or another resolution approach

2) Authentic (FRE 901(a))*
   Evidence must be validated (DF methodology)

3) Complete
   Offers an unbiased representation of the facts with sufficient context and validation

4) Reliable
   No question about authenticity and veracity

5) Believable
   Clear, well represented and easy to understand by a jury

Top 5 Considerations of Digital Evidence:

o Circumstantial (hearsay) status
o Easily altered, damaged, or destroyed
o Latent, like a fingerprint or DNA
o Fragile
o Can be time sensitive

Admissibility of Digital Forensics

5 Rules for Admissibility of Digital Evidence

1) Authenticity/Reliability

2) Traceability

3) Repeatability

4) Data integrity

5) Confidentiality/Security

The Federal Rules of Evidence (FRE) were codified in 1975 with the intention of assisting and guiding parties and courts, in both civil and criminal matters, on the admission of evidence. In civil matters, the Federal Rules of Civil Procedure (FRCP) also address the manner in which facts or tangible items are admitted as evidence.

Rule 803(6) and 803(7) provide exceptions to the hearsay rule permitting the admission of evidence if the source of the records is sufficiently reliable.

To be admissible in court, digital forensics experts must prove:

- That there is/was/has been no tampering
- That all evidence is fully accounted for
- Their complete knowledge of all aspects of the appropriate domain of digital forensics, legal requirements, evidence handling and storage, and documentation procedures related to the evidence that they are asked to locate, analyze and report on.

All types of civil, criminal, military and administrative cases use digital forensics where activities and evidence are captured through digital media and used FOR RESOLUTION, such as:

- computers
- printers
- home appliances
- vehicle ECUs and CANs (cars, drones, UAVs, planes, helicopters, scooters, boats, satellites, etc.)
- robots
- electric, cooling, alarm and/or lighting systems with remote access
- sensor-based controllers
- cell phones
- tablets, etc.

Digital forensics can be cost prohibitive, but with more than 9.4 billion devices being connected under the Internet of Things (IoT/IoE), digital forensics should be used in 95% of legal cases by 2020.

Where Is Digital Evidence?

Example of crimes being resolved through digital forensics:

o Computer security breach & identity theft

o Fraud & money laundering

o Copyright violations & intellectual property infringement

o Trafficking investigations (narcotics, armament, human, organ, slavery, etc.)

o Threats, kidnappings and ransom (especially ransomware), murders

o Burglary, fires & disasters

o Suicide to terrorist activities and counter-terrorism

o Defamation & cyber-bullying

o Administrative investigations

o Sexual assault, stalking & child pornography

o Divorce & child custody

“Digital forensics has become an indispensable tool in the practice of law” (State Bar of CA, 2010)

Solving Crimes: Costs vs. Benefits (proportionality doctrine)


How Is Digital Forensics Used:

Case scenarios:

- Fraud, cyber-security and money laundering cases, to:
  - identify criminal activities and parties from their altered cell phone, printer and computer records
  - analyze complex financial transfers through advanced ratio analysis of accounting/financial/taxation reports (especially when restated) and
  - document intent through email communications and recordings

- Drug trafficking, human trafficking and organ trafficking cases, to:
  - demonstrate usage of social media groups for recruitment,
  - show the processing of complex and anonymous financial transactions via the Deep Web using Bitcoins and
  - show intentional use of online applications to confirm delivery of goods

How Is Digital Forensics Used:

Case scenarios:

- Murders, through:
  - deleted online search logs
  - airline reservations using counterfeited IDs
  - encrypted receipts for purchase of illegal guns and
  - recorded shooting with picture of perpetrators captured from traffic signal camera

- Fires, car accidents and plane crashes/explosions, through:
  - captured ECU/CAN data
  - transmitted signals
  - analyzed and reconciled activities

Objectives & Steps of Digital Forensics

DF OBJECTIVES:

• Preservation • Collection • Validation • Identification
• Analysis • Interpretation • Documentation and • Presentation

5 MAIN STEPS OF DIGITAL FORENSICS:

1) Approval: Identify, classify and prioritize all sources of evidence. Request access directly or indirectly. Secure authorization (including subpoenas).

2) Acquisition: Physically and/or remotely obtain possession of the computer, all network mappings from the system, and external physical storage devices. A mirror image is created with a secure hash.

3) Analysis: Identify what data could versus should be recovered. Numerous parsing tools are used to identify damaged/deleted/corrupted data. Keyword searches are used to retrieve content about specific topics. Other forensic approaches and tools may be used.

4) Reporting: Represent and testify about the evidence discovered (often using data visualization tools) in a manner that is understood by lawyers, non-technical staff/management, and is suitable as evidence as determined by the Court.

5) Storage / Disposal: Ensure compliance with evidentiary maintenance requirements.
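The acquisition step ("a mirror image is created with a secure hash") and the later "prove reliability and authenticity through mirror images and hash" point rest on one mechanism: hash the original once, and check every copy and every hand-off against that value. The following is an added example, not the presentation's or M-CAT Enterprises' code; the byte buffer standing in for a device image, the examiner names and the helper names are constructed, and SHA-256 is this example's choice of hash (the slides do not name one).

```python
"""Acquisition-stage integrity check and chain-of-custody log (added example)."""
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample "evidence": a repeated pattern standing in for a raw disk image.
SAMPLE_IMAGE = (b"\x00" * 64 + b"invoice_2015_q2.xlsx restated totals" + b"\xff" * 64) * 8


def sha256_hex(data: bytes) -> str:
    """Secure hash taken at acquisition; every later copy is checked against it."""
    return hashlib.sha256(data).hexdigest()


def bitstream_copies(image: bytes, count: int = 3) -> list:
    """Byte-for-byte copies (the methodology asks for at least three backups)."""
    return [bytes(image) for _ in range(count)]


def verify_copies(acquisition_hash: str, copies) -> list:
    """Authenticate each copy: True only if it hashes identically to the original."""
    return [sha256_hex(c) == acquisition_hash for c in copies]


@dataclass(frozen=True)
class CustodyEntry:
    when: str      # ISO-8601 UTC timestamp of the hand-off or action
    actor: str
    action: str
    sha256: str    # hash of the artifact as it was at this step


@dataclass
class CustodyLog:
    entries: list = field(default_factory=list)

    def record(self, actor: str, action: str, artifact: bytes) -> CustodyEntry:
        entry = CustodyEntry(datetime.now(timezone.utc).isoformat(), actor, action,
                             sha256_hex(artifact))
        self.entries.append(entry)
        return entry

    def unbroken(self) -> bool:
        """The chain holds only if every logged artifact still matches the acquisition hash."""
        return bool(self.entries) and all(e.sha256 == self.entries[0].sha256
                                          for e in self.entries)


def acquisition_demo(image: bytes = SAMPLE_IMAGE):
    """Acquire, copy three times, authenticate the copies, and log each step."""
    log = CustodyLog()
    acquired = log.record("examiner", "acquired image from device", image)
    copies = bitstream_copies(image)
    for i, copy in enumerate(copies, 1):
        log.record("examiner", f"created bit-stream copy {i}", copy)
    return acquired.sha256, verify_copies(acquired.sha256, copies), log


def tamper_demo(image: bytes = SAMPLE_IMAGE) -> bool:
    """Flip one bit in a copy; returns True when both checks flag the change."""
    acquisition_hash, _, log = acquisition_demo(image)
    altered = bytearray(image)
    altered[100] ^= 0x01                     # a single-bit change is enough to break the hash
    log.record("unknown party", "copy handled outside procedure", bytes(altered))
    return verify_copies(acquisition_hash, [bytes(altered)]) == [False] and not log.unbroken()


if __name__ == "__main__":
    digest, results, log = acquisition_demo()
    print("acquisition sha256:", digest)
    print("copies authenticated:", results)
    print("tampering detected:", tamper_demo())
```

The custody log is deliberately append-only and stores the hash at each step rather than a boolean "verified" flag, so a later reviewer can re-derive every check from the recorded values instead of trusting the examiner's note.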

Digital Forensics Methodology

1) Discuss potential crimes
2) Develop crime theories
3) Assess all evidence and digital items to investigate
4) Agree on retainer, activities to be completed, terms of engagement and payments
5) Obtain approval
6) Secure digital devices, data and evidence to investigate (including timestamped photos)
7) Document hardware and software system(s) plus configuration (decide whether to shut down or not) as part of chain of custody
8) Transport the system(s) to a secure location
9) Create timestamped mirror image
10) Make bit stream backups (at a minimum 3)
11) Authenticate data (original and copies)
12) Protect system
13) Itemize all easily accessible content
14) Evaluate swap file, file slack and unallocated space, revealing all content used by systems and apps
15) Evaluate program functionality
16) Identify file, program and storage anomalies
17) Access content of protected files (as applicable and authorized)
18) Develop keyword list (with legal parties if possible)
19) Analyze data
20) Document all findings and deliver tracked analysis report(s) to all appropriate parties
21) Provide expert consultation and/or testimony
22) Abide by court and jurisdictional storage/disposal requirements
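Steps 14 and 18 above (file slack and unallocated space; keyword lists) are where self-collection most often under-collects, because a logical copy of the live files never sees those regions. The toy volume below is an added example, not code from the presentation or from M-CAT Enterprises: ToyVolume is a deliberately simplified stand-in for a real file system (512-byte clusters, single-cluster files, no journaling), and the file names and contents are constructed so that a logical read and a raw keyword search over the same bytes can be compared.

```python
"""Toy cluster-based volume showing file slack and unallocated-space remnants (added example)."""
CLUSTER = 512  # bytes per allocation unit (assumed; real sizes vary by file system)


class ToyVolume:
    def __init__(self, clusters: int = 8):
        self.disk = bytearray(CLUSTER * clusters)
        self.files = {}  # name -> (cluster index, byte length); one cluster per file

    def _first_free_cluster(self) -> int:
        used = {c for c, _ in self.files.values()}
        for i in range(len(self.disk) // CLUSTER):
            if i not in used:
                return i
        raise RuntimeError("volume full")

    def write(self, name: str, data: bytes) -> int:
        """Store a file. Only len(data) bytes are overwritten, so the rest of the
        cluster (the file slack) keeps whatever was there before."""
        if len(data) > CLUSTER:
            raise ValueError("toy volume supports single-cluster files only")
        c = self._first_free_cluster()
        start = c * CLUSTER
        self.disk[start:start + len(data)] = data
        self.files[name] = (c, len(data))
        return c

    def delete(self, name: str) -> None:
        """Remove the directory entry; the cluster's bytes are left untouched."""
        del self.files[name]

    def logical_read(self, name: str) -> bytes:
        """What an ordinary application sees: exactly the file's recorded length."""
        c, n = self.files[name]
        return bytes(self.disk[c * CLUSTER:c * CLUSTER + n])

    def region(self, offset: int):
        """Classify a raw offset as allocated, file slack or unallocated."""
        c = offset // CLUSTER
        for name, (fc, n) in self.files.items():
            if fc == c:
                return ("allocated", name) if offset - c * CLUSTER < n else ("file slack", name)
        return ("unallocated", None)


def raw_keyword_search(vol: ToyVolume, keyword: str, encodings=("ascii", "utf-16-le")) -> list:
    """Scan every byte of the volume, not just live files, in several text encodings."""
    hits = []
    for enc in encodings:
        needle = keyword.encode(enc)
        pos = vol.disk.find(needle)
        while pos != -1:
            kind, owner = vol.region(pos)
            hits.append({"offset": pos, "encoding": enc, "region": kind, "file": owner})
            pos = vol.disk.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h["offset"])


def slack_demo():
    """Constructed scenario: two files containing the keyword are deleted and one
    cluster is partly reused. Returns (logical contents of the live file, raw hits)."""
    vol = ToyVolume()
    vol.write("ledger_v1.txt", b"Ledger v1 (draft) -- WIRE 4471 to offshore acct, restate Q2 totals")
    vol.write("memo.docx", "WIRE approved".encode("utf-16-le"))  # UTF-16, as Windows apps often store text
    vol.delete("ledger_v1.txt")
    vol.delete("memo.docx")
    vol.write("notes.txt", b"lunch at noon")  # reuses cluster 0 but overwrites only 13 bytes
    return vol.logical_read("notes.txt"), raw_keyword_search(vol, "WIRE")


if __name__ == "__main__":
    live, hits = slack_demo()
    print("logical read of notes.txt:", live)
    for h in hits:
        print(h)
```

Copying notes.txt the ordinary way yields "lunch at noon" and nothing else; the raw scan finds the keyword once in that file's slack and once in an unallocated cluster, in a different encoding, which is why step 18's keyword list should be searched in every encoding the devices in scope are likely to use.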

Why Use a Digital Forensics Expert?

5 Rules of Digital Evidence

1) Admissible / Relevant

2) Authentic

3) Complete

4) Reliable

5) Believable

Digital Forensic experts are trained to:

- Locate relevant evidence from massive amounts of sources and data segments
- Avoid destruction and/or corruption
- Ensure security and non-spoliation (chain of custody) over long periods of time and across parties
- Prove the reliability and authenticity of the data (through mirror images and hashes)
- Offer summarization reports with advanced data visualization tools for believable evidence
- Testify about the admissibility, authenticity, completeness, reliability and believability of the captured evidence

Attorneys attempting to locate files on computers without proper training may end up corrupting the entire data set, become liable for tampering with evidence and will not be able to testify about the validity of the data through Court-recognized forensic methodology.

Risks of Self-Collection

Nearly everyone can turn a computer on and take a file, so here is why they should not:

• Inadmissibility of evidence (due to lack of traceability and repeatability)
• Under-collection (missing critical case evidence that was intentionally deleted or unintentionally corrupted and requires forensic expertise for identification and recovery)
• Failure to disclose relevant content reliably = affirmative misrepresentation
• Destruction or corruption of files (starting with changes to metadata or turning off upon defrag)
• Spoliation, invasion of privacy, intrusion upon seclusion and other tort liability
• Inability to maintain the chain of custody (digital records require on-going maintenance)
• Lack of proper authentication and separation of access and duties
• Bad preservation and extensive degradation of the digital environment may result in faulty physical sectors and destruction of data
• Knowingly accessing a protected computer without authorization or intentionally accessing a computer without authorization (without warrant/subpoena/written authorization)
• Charges for tampering with evidence
• Professional rule violation for client misrepresentation
• Conflicting responsibilities (attorney becomes a fact witness, in violation of Rule 3.7)
• The attorney’s testimony required to authenticate evidence may also endanger attorney-client privilege over all communications
• Unfair representation of your client’s interest in comparison with the opposing party
• Firing of attorney based on negligence, deception and inadequate representation

WHY TAKE SUCH RISKS WHEN…

A 2006 survey of civil trials estimated that experts appear in 86% of cases, with an average of 3.8 experts per trial.

Engaging a Digital Forensics Expert

Main Qualifications of DF Experts:

• Extensive and on-going training, LICENSING and certifications in digital forensics (GCFE/GCFA/GNFA/CGFI) and computer security (CISSP/C:CISO/CISM)

• Insured

• Well versed in operating systems, networks, databases, security tools and applications

• Strong analytical & presentation skills (data science) for concise but complete reporting

• Master all rules of evidence (e.g. handling, authentication, analysis, interpretation, documentation, storage, destruction)

• Ability to offer expert testimony in court (FRE 901(b)(1))

• Neutral fact-finding & robust legal background

Failure to verify licensing status may result in expensive civil ($5,000/day) and criminal ($10,000/day) cumulative fines.

To establish admissibility of expert under FRE 702, DF experts must have particular technical qualifications or use industry methodologies (Daubert + Kumho Tire Co. v. Carmichael), and provide relevant and reliable testimony.

Top 10 Engagement Topics:

1) Qualifications of Expert

2) Case charges

3) Case history

4) Child pornography liability

5) Fees

6) Contract:
   – Attorney agent status
   – Attorney-client privilege
   – Work product doctrine covering mental impressions, conclusions, opinions or legal theories
   – Report(s) & exhibits (FRE 26(a)(2) protects report drafts)
   – Necessary testimony

7) Case chronology & theories

8) Sought-after evidence

9) Warrants & subpoenas

10) Keyword search

M-CAT Enterprises, LLC 111 Congress Avenue, Suite 400 Austin, Texas 78726 O: (512) 535-0012 F: (512) 469-6306 www.MCATEnterprises.com

Anyck Turgeon CFE, GRCP, C:CISO, CBA, PI, EP, CDS CRMP, CEFI, SMIA, CCIP Founding Chief Executive Officer (CEO) & Chief Information Security Officer (CISO)

[email protected]

Q & A