Presentation on Computer Forensics and Social Media given to the Lorain County Bar Association, May 17 2012.
© 2009 Property of JurInnov Ltd. All Rights Reserved
Lorain County Bar Association
Computer Forensics and Social Media
May 17, 2012
Timothy M. Opsitnick, Esq. Senior Partner and General Counsel JurInnov Ltd.
John Liptak, ACE, EnCE Senior Consultant Computer Forensic and Investigation Services
Daniel Dean, ACE Consultant Computer Forensic and Investigation Services
Who Are We?
JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
– Electronic Discovery
– Computer Forensics
– Document and Case Management
– Computer & Information Security
Presentation Overview
• Understanding Computing Environments
• Collecting Electronically Stored Information
• Forensic Analysis Demonstration
• Social Media Explained
• Social Media Discovery Issues
What is Computer Forensics?
Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
Types of “ESI”
• Office Files
• Database
• Ephemeral
• Legacy Systems
• Metadata
Sources of “ESI”
• Desktops
• Laptops
• CDs/DVDs
• Network Attached Storage Devices (NAS)
• Storage Area Networks (SAN)
• Servers
• Databases
• Backup Tapes
• Archives
• Cell Phones/PDAs
• Thumb Drives
• Memory Cards
• External Storage Devices
• Cameras
• Printers
• GPS Devices
Why Computer Forensics?
• Reasons to use Computer Forensics
– Internal Company Investigations
• Alleged criminal activity
• Civil or Regulatory Preservation
– Receivership, Bankruptcy
– EEO issues
– Improper use of company assets
– Recovery of Accidentally or Intentionally Deleted Data
• Deleted is not necessarily deleted
• Recovery from Improper shutdowns
How Does a Computer Operate?
• Hardware
– Processor
– Memory (RAM)
– Hard Drive
– CD/DVD Drive
– Motherboard
– Mouse/Keyboard
• Software
– Operating System
– Applications
How Does a Computer Operate?
• How is data stored on a hard drive?
• How is data “deleted” by the operating system?
Computer Forensics Process
• Case Assessment & Planning
• Maintaining Chain of Custody
• Record Evidence Information
• Imaging & Data Collection
• Analysis
• Exports and Reporting
• Expert Testimony
Collecting “ESI”
• “Let’s let the IT staff do it.”
• Forensic Harvesting
– What is a forensic copy?
Collecting “ESI”
• Forensic Harvesting – Logical vs. Physical
– Logical / “Ghost” copy (Active Files)
• Data that is visible via the O.S.
– Physical
• Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
Collecting “ESI”
• Network Harvest
• E-Mail Harvest
• Cell Phone / Device Seizure
Acquisition (Data Harvest)
• Software Tools
– EnCase (Guidance Software)
– Forensic Tool Kit (AccessData)
– Device Seizure (Paraben)
– Raptor (Forward Discovery)
– Sleuth Kit (SANS.org)
• Hardware Tools
– Write Blockers (Tableau)
– CellDEK (Logicube)
Types of Data Acquisitions
• Image Types
– EnCase Image (.E01)
– Logical EnCase Image (.L01)
– DD Image (.001)
– Custom Content Image (.AD1)
• ESI Locations
– Hard Drives
– External Media
– Servers
• Network Shares
– Cell Phone/PDA
What is a “hash value”?
• MD5 Hash: 128-bit value calculated based on an algorithm
• Odds of duplicate values are 1 in 2^128, or 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000
• It is a Digital Fingerprint that uniquely identifies any stream of data or file
• Utilized For:
– Verifying Images
– Identifying Exact File Duplicates
Image Verification
• Presentation Suspect Images
• Description: Physical Disk, 39102336 Sectors, 18.6GB
• Physical Size: 512
• Starting Extent: 1S0
• Name: Presentation Suspect Images
• Actual Date: 03/24/09 03:17:21PM
• Target Date: 03/24/09 03:17:21PM
• File Path: E:\Presentation image.E01
• Case Number: Presentation Drive
• Evidence Number: Presentation Suspect Images
• Examiner Name: Stephen W. St.Pierre
• Drive Type: Fixed
• File Integrity: Completely Verified, 0 Errors
• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
• Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
• GUID: 04d345276275524c8a111824be6eb170
• EnCase Version: 5.05j
• System Version: Windows 2003 Server
• Total Size: 20,020,396,032 bytes (18.6GB)
• Total Sectors: 39,102,336
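The two hash bullets and the verification report above describe one check: the image is hashed once at acquisition and again later, and the two digests must agree, while the sector count and byte count in the report must agree with each other. The following Python is an added example written for this page, not JurInnov's or EnCase's code; the image bytes are a constructed four-sector stand-in, and the "acquisition hash" is simply computed from them up front. It also records SHA-256 alongside MD5: MD5 is fine for catching accidental corruption, but practical collisions have been known since 2004, so a second algorithm is the usual precaution when a hash must prove integrity rather than just detect copy errors.

```python
import hashlib
import io

SECTOR_SIZE = 512  # matches "Physical Size: 512" in the EnCase report above


def hash_stream(fileobj, algorithms=("md5", "sha256"), chunk_size=1 << 20):
    """Hash a stream in fixed-size chunks so a multi-GB image never has to
    fit in memory. Returns {algorithm_name: hex digest}."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            break
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_bytes, acquisition_hash, algorithm="md5"):
    """Re-hash an image and compare against the hash recorded at acquisition.
    This is the Acquisition Hash / Verify Hash comparison in the report;
    returns (matches, verify_hash)."""
    verify_hash = hash_stream(io.BytesIO(image_bytes), (algorithm,))[algorithm]
    return verify_hash == acquisition_hash.lower(), verify_hash


def check_report_consistency(total_sectors, total_size_bytes, sector_size=SECTOR_SIZE):
    """Cross-check two fields of a verification report against each other:
    sector count x sector size must equal the byte count."""
    return total_sectors * sector_size == total_size_bytes


def find_duplicates(files, algorithm="md5"):
    """Group files by content hash; any group with more than one name is a set
    of exact duplicates, regardless of file name or extension."""
    groups = {}
    for name, data in files.items():
        digest = hash_stream(io.BytesIO(data), (algorithm,))[algorithm]
        groups.setdefault(digest, []).append(name)
    return {d: names for d, names in groups.items() if len(names) > 1}


def tamper(image_bytes, offset=SECTOR_SIZE + 7):
    """Flip one bit in one sector: enough to change every hash of the image."""
    buf = bytearray(image_bytes)
    buf[offset] ^= 0x01
    return bytes(buf)


# Constructed stand-in for an acquired physical image: four 512-byte sectors.
IMAGE = b"constructed sector payload ".ljust(SECTOR_SIZE, b"\x00") * 4
# The digests an acquisition tool would have written into its report.
ACQUISITION_HASHES = hash_stream(io.BytesIO(IMAGE))
ACQUISITION_HASH = ACQUISITION_HASHES["md5"]

if __name__ == "__main__":
    # The report's own numbers: 39,102,336 sectors x 512 = 20,020,396,032 bytes
    print("sectors x 512 == bytes:", check_report_consistency(39_102_336, 20_020_396_032))
    print("MD5 digest length:", len(ACQUISITION_HASH) * 4, "bits")
    print("untouched image verifies:", verify_image(IMAGE, ACQUISITION_HASH)[0])
    print("tampered image verifies:", verify_image(tamper(IMAGE), ACQUISITION_HASH)[0])
    print("sha256 recorded alongside:", ACQUISITION_HASHES["sha256"])
    print("duplicate groups:", find_duplicates({"a.doc": b"same", "b.bak": b"same", "c.doc": b"other"}))
```

Run as a script it prints the consistency check for the report's own figures, shows that a single flipped bit fails verification, and groups two differently named files with identical content into one duplicate set.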
Encryption Issues
• Windows Encryption
– Encrypting File System, EFS (XP)
– BitLocker (Vista & Windows 7)
• Other Hardware or Software Encryption
– Laptop hard drives
– e.g., TrueCrypt
Forensic Analysis
• Key Word Searching
– Indexing (dtSearch / FTK)
– Filters
• AND/OR/NOT
• Date Range
• Specific File Types
• USB Device Activity
• LNK File Analysis
Forensic Analysis
• Deletion
– Recovery of Deleted Documents
– Recycle Bin Analysis
– Data Carving
– Unallocated Space
– Evidence of Wiping
• Signature Analysis: File Extension vs. File Signature (Header)
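The slides on "How is data deleted by the operating system?", on logical versus physical copies (logical + file slack + unallocated space), and on deletion recovery, data carving and signature analysis all rest on the same mechanism: deleting a file removes its directory entry, not its bytes. The Python below is an added example written for this page, not code from the presentation or from any of the tools it names. It simulates a tiny file system with 64-byte clusters (constructed; real clusters are 4 KB or larger and the on-disk structures are far richer) so that one script can show what a logical copy sees, what a physical image additionally captures in unallocated space and file slack, how header-based carving recovers a deleted file without any directory entry, and how an extension that disagrees with the file's header is flagged.

```python
CLUSTER = 64  # constructed: tiny clusters so a whole "disk" fits in a few hundred bytes

# Header bytes ("file signatures") a forensic tool compares with the extension.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",  # also the container for .docx/.xlsx/.pptx
}
ZIP_CONTAINER_EXTS = {"zip", "docx", "xlsx", "pptx"}


def clusters_for(length):
    return -(-length // CLUSTER)  # ceiling division


def unallocated_clusters(directory, data):
    """Clusters no active directory entry points to: 'unallocated space'."""
    used = set()
    for e in directory:
        if not e["deleted"]:
            used.update(range(e["start"], e["start"] + clusters_for(e["length"])))
    return [c for c in range(len(data) // CLUSTER) if c not in used]


def find_entry(directory, name):
    return next(e for e in directory if e["name"] == name and not e["deleted"])


def build_image(ops, total_clusters=8):
    """Simulate a simple file system. ops are ("write", name, bytes) or
    ("delete", name). Clusters are allocated first-fit; a delete only flags the
    directory entry, and a write only overwrites len(bytes) bytes, so old
    content survives in unallocated space and in file slack, as on real disks."""
    directory, data = [], bytearray(total_clusters * CLUSTER)
    for op in ops:
        if op[0] == "delete":
            find_entry(directory, op[1])["deleted"] = True
            continue
        _, name, content = op
        need = max(1, clusters_for(len(content)))
        free = unallocated_clusters(directory, data)
        start = next(free[i] for i in range(len(free) - need + 1)
                     if free[i + need - 1] - free[i] == need - 1)
        data[start * CLUSTER:start * CLUSTER + len(content)] = content
        directory.append({"name": name, "start": start, "length": len(content), "deleted": False})
    return directory, bytes(data)


def read_entry(e, data):
    off = e["start"] * CLUSTER
    return data[off:off + e["length"]]


def logical_files(directory, data):
    """What a logical ('Ghost') copy captures: only files the OS still lists."""
    return {e["name"]: read_entry(e, data) for e in directory if not e["deleted"]}


def file_slack(e, data):
    """Bytes between a file's logical end and the end of its last cluster;
    a logical copy never includes them, a physical image does."""
    off = e["start"] * CLUSTER
    return data[off + e["length"]:off + clusters_for(e["length"]) * CLUSTER]


def carve(data, clusters):
    """Data carving: ignore the directory entirely and look for known headers
    at cluster boundaries in unallocated space. Returns [(cluster, type)]."""
    hits = []
    for c in clusters:
        chunk = data[c * CLUSTER:(c + 1) * CLUSTER]
        for magic, kind in SIGNATURES.items():
            if chunk.startswith(magic):
                hits.append((c, kind))
    return hits


def signature_mismatches(files):
    """Signature analysis: flag files whose extension disagrees with their header."""
    out = []
    for name, content in files.items():
        ext = name.rsplit(".", 1)[-1].lower()
        kind = next((k for m, k in SIGNATURES.items() if content.startswith(m)), None)
        if kind == "zip" and ext in ZIP_CONTAINER_EXTS:
            continue
        if kind is not None and kind != ext:
            out.append((name, ext, kind))
    return out


# Constructed activity on the "disk": write four files, delete two, write a fifth.
OPS = [
    ("write", "draft.txt", b"constructed draft text that gets replaced"),
    ("write", "photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF constructed photo body"),
    ("write", "memo.pdf", b"%PDF-1.4 constructed memo"),
    ("write", "report.docx", b"PK\x03\x04 constructed OOXML container"),
    ("delete", "draft.txt"),
    ("delete", "photo.jpg"),
    ("write", "notes.txt", b"PK\x03\x04 zip renamed"),  # reuses draft.txt's cluster
]
IMAGE_DIR, IMAGE_DATA = build_image(OPS)

if __name__ == "__main__":
    active = logical_files(IMAGE_DIR, IMAGE_DATA)
    free = unallocated_clusters(IMAGE_DIR, IMAGE_DATA)
    print("logical copy sees:", sorted(active))
    print("unallocated clusters:", free)
    print("carved from unallocated:", carve(IMAGE_DATA, free))
    print("slack of notes.txt:", file_slack(find_entry(IMAGE_DIR, "notes.txt"), IMAGE_DATA).rstrip(b"\x00"))
    print("extension/header mismatches:", signature_mismatches(active))
```

The deleted photo is gone from the logical view but its cluster is untouched, so carving finds a JPEG header in unallocated space; the short notes.txt reused draft.txt's cluster, so the tail of the old draft sits in its slack; and notes.txt is flagged because it carries a ZIP header under a .txt extension.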
Forensic Analysis
• File Hash Analysis
• Internet History
• Windows Registry
• Mobile Devices
• Analysis Examples …
Registry Overview
• Windows Registry – central database of the configuration data for the OS and applications.
• Gold Mine of forensic evidence
• Registry Keys
– Software
– System
– SAM (Security Account Manager)
– NTUSER.dat
Software Key
• What Operating System Installed?
• Date/Time OS Installed
• Product ID For Installed OS
• Programs That Run Automatically at Startup (Place to Hide Virus)
• Profiles
System Key
• Mounted Devices
• Computer Name
• USB Plugged-In Devices (USBSTOR)
• Last System SHUT DOWN Time
• Time Zone
SAM & NTUSER.DAT Keys
• SAM
– Domain Accounts
• NTUSER.DAT
– Network Assigned Drive Letters
– Typed URLs (websites)
– Last Clean Shutdown Date/Time
– Recent Documents
• Registry examples …
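As an added example for the System and NTUSER.DAT slides (not code from the presentation), the Python below reads a small `reg export`-style text and pulls out four of the artifacts listed: computer name, USB devices from USBSTOR, the last shutdown time, and typed URLs. The key paths and value names are the real Windows locations; every value in the sample is constructed, including the ShutdownTime bytes, which were chosen to decode to 14:30 UTC on the day of this presentation. The parser is deliberately minimal and handles only string, dword and hex values; a real investigation would work from the hive files themselves with a registry tool, and the lesson here is the decoding, notably that ShutdownTime is a FILETIME (100-nanosecond ticks since 1601-01-01 UTC) stored as 8 little-endian bytes.

```python
from datetime import datetime, timedelta, timezone

# Constructed 'reg export' text standing in for values from the SYSTEM hive
# (HKEY_LOCAL_MACHINE\SYSTEM) and a user's NTUSER.DAT (HKEY_CURRENT_USER).
REG_SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="WKSTN-CONSTRUCTED"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Windows]
"ShutdownTime"=hex:00,24,33,8a,\
  39,34,cd,01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.26\4C530001234567890123&0]
"FriendlyName"="SanDisk Cruzer Glide USB Device"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://intranet.example/payroll"
"url2"="http://www.example.com/"
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Decode a Windows FILETIME (8-byte little-endian REG_BINARY, or an int):
    100-nanosecond ticks since 1601-01-01 UTC."""
    if isinstance(ft, (bytes, bytearray)):
        ft = int.from_bytes(ft, "little")
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_reg_export(text):
    """Minimal parser for 'reg export' output -> {key_path: {value_name: value}}.
    Handles "name"="string", dword:xxxxxxxx and hex:aa,bb,... (including the
    backslash-continued lines the exporter emits); not a complete .reg grammar."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):            # value continues on the next line
            pending = line[:-1]
            continue
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if value.startswith('"'):
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
        elif value.startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif value.startswith("hex:"):
            keys[current][name] = bytes.fromhex(value[4:].replace(",", ""))
    return keys


def usbstor_devices(keys):
    """Enumerate USBSTOR instances: Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>
    with the device serial (or a Windows-generated id) as the subkey below it."""
    devices = []
    for path, values in keys.items():
        parts = path.split("\\")
        if "USBSTOR" not in parts:
            continue
        i = parts.index("USBSTOR")
        if len(parts) < i + 3:
            continue
        fields = dict(p.split("_", 1) for p in parts[i + 1].split("&")[1:])
        devices.append({"vendor": fields.get("Ven"), "product": fields.get("Prod"),
                        "revision": fields.get("Rev"), "serial": parts[i + 2].split("&")[0],
                        "friendly_name": values.get("FriendlyName")})
    return devices


def typed_urls(keys):
    """URLs typed into the Internet Explorer address bar, in url1, url2, ... order."""
    for path, values in keys.items():
        if path.endswith("\\TypedURLs"):
            return [values[n] for n in sorted(values, key=lambda n: int(n[3:]))]
    return []


def summarize(text):
    keys = parse_reg_export(text)
    control = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\"
    return {
        "computer_name": keys[control + "ComputerName\\ComputerName"]["ComputerName"],
        "last_shutdown": filetime_to_datetime(keys[control + "Windows"]["ShutdownTime"]),
        "usb_devices": usbstor_devices(keys),
        "typed_urls": typed_urls(keys),
    }


if __name__ == "__main__":
    for field, value in summarize(REG_SAMPLE).items():
        print(f"{field}: {value}")
```

The FILETIME decoder is the piece worth keeping: the same 8-byte layout appears in many other registry values and in LNK files, and an analyst who treats it as a Unix timestamp is off by 369 years.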
Unallocated Space Analysis
• Residual Data
• Unallocated Space
• Drive Free Space
• File Slack
Data Transfer Analysis
• FTP
• External Drives
• Link Files
• Internet History
• Webmail
• Created/Accessed/Modified Dates
Evidence/Analysis Reporting
• Native File Exports
• HTML Based Reports
– FTK, Device Seizure, CellDEK
• Final Expert Report
• Interpretation of Report
• Expert Testimony
• Creation of key terms
• Evolving analytical search terms
Forensic Analyst
• Tips For Dealing With Your Forensic Analyst
• What to Expect From A Forensic Analyst
– Certifications
– Training
– Experience
– Testimony
Types of Cases When Forensics Are Useful…
• Financial
– Receivership
– Bankruptcy
• General Litigation
– Commercial Litigation
– Product Liability
• Corporate
– Regulatory (SEC, Second Requests, FTC)
– Mergers/Acquisitions
Types of Cases When Forensics Are Useful, cont.
• Intellectual Property
– Theft of Intellectual Property
– Temporary Restraining Order (TRO)
– Permanent Injunction
Types of Cases When Forensics Are Useful, cont.
• Labor/Employment
– Violation of Non-Compete Agreements
– Sexual Harassment
– Age Discrimination
– Fraud/Embezzlement
– Other Violations of Company Policy
Types of Cases When Forensics Are Useful, cont.
• Domestic Relations
– Divorce
– Custody
• Corporate Criminal
– Other Criminal
Social Media – What is it?
• “Tools that allow the sharing of information and creation of communities through online networks of people.”
• Typically feature content that is:
– Shared (made available to others)
– Interactive (participants are suppliers and users of content)
– Internet-based (on the web)
– Personal (usually represents personal comment or seeks commentary)
– Informal (tends to be conversational, candid, unstructured, unedited)
• Used for both business and personal reasons
Social Media – What is it?
• Benefits of Social Media
– Enhanced collaboration
– Improved business relationship
– Increased productivity
• Risks of Social Media:
– Destroy productivity
– Loss of confidential data
– Misuse of personal data and privacy concerns
– Damage to brand and reputation
– Casual manner
– Once disclosed hard to prevent dissemination
– Employees become publishers
– Burden of preservation for regulatory and legal
Social Media – What is it?
• Examples of Social Media Sites:
– Facebook: Social Networking
– Twitter: Social Networking
– LinkedIn: Business Networking
– Foursquare: Location-based check-ins / Reviews
– YouTube: Video posting/sharing
– Instagram: Photo posting/sharing
– Tumblr: Blogging
Social Media Threshold Issues
• Establish Relevance
• Possession, Custody and Control
– Complicated issue
– Access once posted
– Dynamic and spoliation
– Interactive with other sites
– Point in time
– Issues regarding ease of loss of control
• Ethical Issues
– Not clear
– Pretexting
– Collector in chain of custody
– Evidentiary issues
Social Media Threshold Issues
• Stored Communications Act (“SCA”) of the Electronic Communications Privacy Act (“ECPA”)
– Complex, communications service providers versus computing service providers
– Criminal exceptions
– Do not apply to civil matters
– Civil and criminal sanctions for violations
• Privacy concerns and need for protective orders
• Anonymity
• Practical solution to seeking discovery
– Directly from user or litigant
– Since dynamic give notice of preservation as negotiation takes time
Social Media Threshold Issues
• Practical problems with social media
– Evolving new forms
– Forensic tools are behind
– Difficult to review
• Preservation
• Dynamic
• Point in time
• API and other links, e.g., integration with database or other websites
– Production
• Print, image, static versus dynamic
• Conflict with the rules, reasonably useable format
Social Media – Forensic Capabilities
• Manual Screen Capture/Video Capture/Image Format
– Print screen
– SnagIt
• Temporary Internet Files
– Web browsing artifacts
– Temporary Pictures
• Residual Data/Unallocated Space
– Deleted data (Temporary Internet Files)
– Partial web pages
• New Software Tools
– X1 Social Discovery
• Industry's first investigative solution specifically designed to enable eDiscovery and computer forensics professionals to effectively address social media content. X1 Social Discovery provides a platform to collect, authenticate, search, review and produce electronically stored information (ESI) from popular social media sites such as Facebook, Twitter and LinkedIn.
Social Media Issues
• Social Engineering – Ability to manipulate a person into giving you personal or sensitive information.
• Fraud Schemes – Criminals use Social Media sites to pass off fraud schemes such as investment dealings. They create pages that seem legitimate but are actually traps to entice possible investors.
• Phishing Schemes – Criminals use Social Media to steal personal information such as logins and passwords from people in an attempt to commit identity theft. The primary method used is to send fraudulent links across followers/friends of an account in hopes of people clicking on the link, which will then log the password and login of those users.
• Data Mining – Companies use Social Media to collect vast amounts of data from the people using the sites. This information is then sold off to companies in the form of marketing research in most cases.
Social Media for Attorneys
• Use of social media and ethical rules
– Solicitation and advertising
– Establishing an attorney-client relationship
– Examination of jurors and witnesses
For assistance or additional information
• Phone: 216-664-1100
• Web: www.jurinnov.com
• Email: [email protected]
JurInnov Ltd.
The Idea Center
1375 Euclid Avenue, Suite 400
Cleveland, Ohio 44115