
COMPUTER FORENSICS

THIS IS NOT “CSI COLORADO SPRINGS”

Frank Gearhart, ISSA Colorado Springs


TECHNOLOGY + INVESTIGATION + STORYTELLING

• Know the case

• Find the evidence

• Follow the facts

• Create the timeline

• Tell the story


GUIDELINES FOR FORENSIC INVESTIGATORS

• No national standards or licensing

• Can be a forensic examiner, a factual witness, an expert consultant, or an expert witness

• Professional organizations:

  • Digital Forensics Association

  • High Technology Crime Investigation Association


TYPES OF DIGITAL FORENSICS CASES

• Corporate: HR violations, fraud, insider threat

• Civil: divorce proceedings, wrongful termination

• Criminal: identity theft, fraud, murder

GUIDELINES FOR FORENSIC INVESTIGATION

• Know what you are allowed to look for and look at

• Document everything: use photos, notes, labels, evidence bags, etc.

• Use forensically sound tools and documented procedures

• Protect the evidence

• Follow the facts

• Tell the story


WORKING WITH FILE SYSTEMS

BOOT PROCESS

FILE SYSTEMS:

• Partitions, slack space, etc.

• FAT32, NTFS, EXT3

DIRECTORY STRUCTURES:

• Desktops & laptops

• Mobile devices


WORKING WITH EMAIL

Finding & understanding headers

Server logs

Cloud-based vs. server-based email


THE DIGITAL FORENSICS LAB

• Physical security

• Storage of evidence (chain of custody)

• Forensically secure hardware and software

• Sufficiently powerful hardware

• Adequate short & long-term storage

• Audits and positive control


LOGICAL AND PHYSICAL DATA RECOVERY

Consistency checking and zero-knowledge analysis.

Swap parts: circuit board; read/write heads; move disk platters to new, identical drive.

FORENSICS TOOLS

• EnCase

• Forensics Toolkit

• OS Forensics

• Kali Linux

• Paraben Email Examiner

• Write blockers

• Hex editors

• Mobile device tools

• Cloud access tools

• Steganography tools

• Free forensics software list: ForensicControl.com


WORKING WITH LAWYERS

• Educate them on the capabilities and limitations of digital forensics

• Understand the scope of the investigation

• Don’t talk about a specific case without a signed contract

• Minimize written communications to your lawyer (discovery motions)

• Get paid before you testify

• Your loyalty is to the facts


TESTIFYING

• Speak to the jury

• Use visual aids where necessary

• Use everyday language & explain any tech-speak

• Stay within your area of expertise and within the scope of your investigation

• Don’t get rattled

• Opposing counsel is the enemy


THE DAUBERT STANDARD

FOR A FORENSIC PROCESS OR TECHNIQUE TO BE ACCEPTED BY A COURT:

1. It must be generally accepted by relevant experts in the scientific community.

2. It must be published and peer reviewed.

3. It must be testable and tested.

4. Its known or potential error rate is acceptable.

5. It must have been researched independent of the current litigation or testimony.


FEDERAL RULES OF EVIDENCE NO. 702: TESTIMONY BY EXPERT WITNESSES

A witness who is qualified as an expert by knowledge, skill, experience, training, or education may testify in the form of an opinion or otherwise if:

A. The expert’s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or determine a fact in issue;

B. The testimony is based on sufficient facts or data;

C. The testimony is the product of reliable principles and methods; and

D. The expert has reliably applied the principles and methods to the facts of the case.


IMPACT OF NEW TECHNOLOGIES

CLOUD SERVICES


MOBILE COMPUTING

INTERNET OF THINGS


CLOUD

Multiple jurisdictions

Multiple cloud service providers

Multiple legal & corporate layers

Varying levels of forensic expertise

Forensic soundness of evidence


MOBILE COMPUTING

Rapid changes in operating systems and apps

Relatively few mobile device-capable forensics tools

Whole device encryption

Can provide useful evidence:

• Location

• Logs

• Automatic backups


INTERNET OF THINGS

Billions of devices

Inconsistent standards

Proprietary data formats

Few legal precedents

Few IoT forensics tools


THE CASE OF THE TELLTALE PACEMAKER

Arson & insurance fraud

Data extracted from pacemaker:

• Heart rate

• Pacer demand

• Cardiac rhythms

Story vs. data


DENNIS RADER - THE BTK KILLER

• At least 10 killings between 1974 & 1991 around Wichita, KS

• Resurfaced in 2004 & asked if communication with police via floppy was safe - “Rex, it’ll be okay.”

• Deleted documents & metadata found on floppy sent to police.


FITBIT TELLS THE TALE - RICHARD DABATE

Story: Armed intruder broke into home, tied up husband, and killed wife when she returned from gym. But…

• Distance recorded on wife’s Fitbit

• Facebook postings from wife’s account after her alleged death

DATA TELLS THE TALE - RICHARD DABATE

Story:

• ~8:30 Connie leaves for gym, Richard leaves for work.

• ~9:00 Richard returns home to retrieve work laptop & is tied to chair by intruder.

• ~9:20 Connie returns home, is killed by intruder in basement. (~125 feet from garage to basement.)

• ~10:15 Richard escapes & struggles with intruder, who runs away. Richard calls 911, reports Connie killed ~1 hour ago by intruder.

Data:

• 8:04 Richard sends email to work from home IP address.

• 9:18 to 10:05: 1,217 feet recorded on Connie’s Fitbit.

• 9:23 Connie’s Fitbit shows activity at same time kitchen door to garage is opened.

• 9:40-9:46 Connie’s Facebook page updated from her iPhone using home IP address.

• 10:05 Connie’s Fitbit stops showing movement.

• 10:11 Richard hits panic button on home alarm system & calls 911.
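The "story vs. data" reasoning on this slide, as an added example that is not part of the presentation: the narrative and the device artifacts are merged into one timeline, and any artifact attributed to a person after the story says their activity ended is flagged. The Claim/Artifact structure and function names are my own; event text and times are constructed from the slide's figures.

```python
# Added example, not from the slides: merge a narrative and device artifacts into one
# timeline and flag artifacts that post-date a claimed "last event" for a person.
from dataclasses import dataclass

def to_minutes(hhmm: str) -> int:
    """'09:23' -> 563 minutes since midnight, so times sort and compare."""
    h, m = hhmm.split(":")
    return int(h) * 60 + int(m)

@dataclass
class Claim:                # one statement from the story
    time: str
    actor: str
    what: str
    terminal: bool = False  # story implies no later activity by this actor

@dataclass
class Artifact:             # one observation from a device, account or log
    time: str
    actor: str              # whose device or account produced it
    what: str
    end: str = ""           # set for spans, e.g. a Fitbit step window

def build_timeline(claims, artifacts):
    """One chronological list of (minutes, tag, text) from both sources."""
    rows = [(to_minutes(c.time), "STORY", f"~{c.time} {c.what}") for c in claims]
    rows += [(to_minutes(a.time), "DATA", f"{a.time} {a.what}") for a in artifacts]
    return sorted(rows)

def contradictions(claims, artifacts, slack_min=0):
    """Artifacts from an actor recorded after a terminal claim about that actor;
    slack_min absorbs the '~' on approximate story times."""
    hits = []
    for c in claims:
        if c.terminal:
            cutoff = to_minutes(c.time) + slack_min
            hits += [(c.what, f"{a.time} {a.what}") for a in artifacts
                     if a.actor == c.actor and to_minutes(a.end or a.time) > cutoff]
    return hits

# Constructed from the slide's figures (24-hour "HH:MM" strings).
STORY = [Claim("08:30", "Connie", "Connie leaves for gym, Richard leaves for work"),
         Claim("09:00", "Richard", "Richard returns home, tied to chair by intruder"),
         Claim("09:20", "Connie", "Connie returns, killed in basement", terminal=True),
         Claim("10:15", "Richard", "Richard escapes, calls 911")]
DATA = [Artifact("08:04", "Richard", "email to work sent from home IP"),
        Artifact("09:18", "Connie", "Fitbit: 1,217 feet of movement", end="10:05"),
        Artifact("09:23", "Connie", "Fitbit activity as kitchen door to garage opens"),
        Artifact("09:40", "Connie", "Facebook updated from her iPhone, home IP", end="09:46"),
        Artifact("10:05", "Connie", "Fitbit movement stops"),
        Artifact("10:11", "Richard", "alarm panic button pressed, 911 called")]
```

With ten minutes of slack for the approximate "~9:20", three Connie-attributed artifacts still fall after the claimed killing; with no slack the 9:23 door event is flagged as well.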


SUMMARY

• Follow the facts

• Know your tools

• Know the law

• Understand the case

• Protect your reputation

RESOURCES

ORGANIZATIONS:

• Digital Forensics Research WorkShop (http://www.dfrws.org//)

• Digital Forensics Association (http://www.digitalforensicsassociation.org/)

• Association of Digital Forensics, Security, and Law (http://www.adfsl.org/)

• American Society of Digital Forensics & E-Discovery (https://asdfed.com//)

EDUCATION & TRAINING:

• University of Maryland - M.S. in Digital Forensics and Cyber Investigation

• SUNY Business School - B.S. in Digital Forensics

• SANS - Digital Forensics & Incident Response

CONTACT INFORMATION: [email protected]