
Computer Forensics and Social Media


Presentation on Computer Forensics and Social Media given to the Lorain County Bar Association, May 17 2012.


© 2009 Property of JurInnov Ltd. All Rights Reserved

Lorain County Bar Association

Computer Forensics and Social Media

May 17, 2012

Timothy M. Opsitnick, Esq. Senior Partner and General Counsel JurInnov Ltd.

John Liptak, ACE, EnCE Senior Consultant Computer Forensic and Investigation Services

Daniel Dean, ACE Consultant Computer Forensic and Investigation Services


Who Are We?

JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).

– Electronic Discovery

– Computer Forensics

– Document and Case Management

– Computer & Information Security


Presentation Overview

• Understanding Computing Environments

• Collecting Electronically Stored Information

• Forensic Analysis Demonstration

• Social Media Explained

• Social Media Discovery Issues


What is Computer Forensics?

Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.


Types of “ESI”

• E-mail

• Office Files

• Database

• Ephemeral

• Legacy Systems

• Metadata


Sources of “ESI”

• Desktops

• Laptops

• CDs/DVDs

• Network Attached Storage Devices (NAS)

• Storage Area Networks (SAN)

• Servers

• Databases

• Backup Tapes

• E-Mail

• Archives

• Cell Phones/PDAs

• Thumb Drives

• Memory Cards

• External Storage Devices

• Cameras

• Printers

• GPS Devices


Why Computer Forensics?

• Reasons to use Computer Forensics

– Internal Company Investigations

• Alleged criminal activity

• Civil or Regulatory Preservation

– Receivership, Bankruptcy

– EEO issues

– Improper use of company assets

– Recovery of Accidentally or Intentionally Deleted Data

• Deleted is not necessarily deleted

• Recovery from Improper shutdowns


How Does a Computer Operate?

• Hardware

– Processor

– Memory (RAM)

– Hard Drive

– CD/DVD Drive

– Motherboard

– Mouse/Keyboard

• Software

– Operating System

– Applications


How Does a Computer Operate?

• How is data stored on a hard drive?

• How is data “deleted” by the operating system?


Computer Forensics Process

• Case Assessment & Planning

• Maintaining Chain of Custody

• Record Evidence Information

• Imaging & Data Collection

• Analysis

• Exports and Reporting

• Expert Testimony


Collecting “ESI”

• “Let’s let the IT staff do it.”

• Forensic Harvesting

– What is a forensic copy?


Collecting “ESI”

• Forensic Harvesting - Logical v Physical

– Logical / “Ghost” copy (Active Files)

• Data that is visible via the O.S.

– Physical

• Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)


Collecting “ESI”

• Network Harvest

• E-Mail Harvest

• Cell Phone / Device Seizure


Acquisition (Data Harvest)

• Software Tools

– EnCase (Guidance Software)

– Forensic Tool Kit (AccessData)

– Device Seizure (Paraben)

– Raptor (Forward Discovery)

– Sleuth Kit (SANS.org)

• Hardware Tools

– Write Blockers (Tableau)

– CellDEK (Logicube)


Types of Data Acquisitions

• Image Types

– EnCase Image (.E01)

– Logical EnCase Image (.L01)

– DD Image (.001)

– Custom Content Image (.AD1)

• ESI Locations

– Hard Drives

– External Media

– Servers

• Email

• Network Shares

– Cell Phone/PDA


What is a “hash value”?

• MD5 Hash: 128-bit value calculated based on an algorithm

• Odds of duplicate values are 1 in 2^128, or 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000

• It is a Digital Fingerprint that uniquely identifies any stream of data or file

• Utilized For:

– Verifying Images

– Identifying Exact File Duplicates


Image Verification

• Presentation Suspect Images

• Description: Physical Disk, 39102336 Sectors, 18.6GB

• Physical Size: 512

• Starting Extent: 1S0

• Name: Presentation Suspect Images

• Actual Date: 03/24/09 03:17:21PM

• Target Date: 03/24/09 03:17:21PM

• File Path: E:\Presentation image.E01

• Case Number: Presentation Drive

• Evidence Number: Presentation Suspect Images

• Examiner Name: Stephen W. St.Pierre

• Drive Type: Fixed

• File Integrity: Completely Verified, 0 Errors

• Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1

• Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1

• GUID: 04d345276275524c8a111824be6eb170

• EnCase Version: 5.05j

• System Version: Windows 2003 Server

• Total Size: 20,020,396,032 bytes (18.6GB)

• Total Sectors: 39,102,336
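
The acquisition-hash versus verify-hash comparison above can be reproduced for a raw DD image by streaming its .001, .002, ... segments through the hash in order; this is an added example, not code from the presentation or from EnCase, and the function names and sample file names are assumptions. It also records SHA-256, because deliberately constructed MD5 collisions are practical even though accidental ones are not, and it groups byte-identical files as in the "Identifying Exact File Duplicates" use.

```python
import hashlib
from collections import defaultdict
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so a multi-GB image never sits in RAM


def hash_stream(paths):
    """Hash the given files, in order, as one continuous byte stream."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for path in paths:
        with open(path, "rb") as fh:
            while chunk := fh.read(CHUNK):
                md5.update(chunk)
                sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_image(first_segment, acquisition_md5):
    """Re-hash a raw (dd) image and compare with the acquisition hash."""
    first = Path(first_segment)
    # Segments share a stem and have numeric extensions: .001, .002, ...
    segments = sorted(
        (p for p in first.parent.iterdir()
         if p.stem == first.stem and p.suffix[1:].isdecimal()),
        key=lambda p: int(p.suffix[1:]),
    )
    verify_md5, verify_sha256 = hash_stream(segments)
    return {
        "segments": [p.name for p in segments],
        "verify_md5": verify_md5,
        "verify_sha256": verify_sha256,  # stronger hash kept alongside MD5
        "verified": verify_md5 == acquisition_md5.strip().lower(),
    }


def exact_duplicates(paths):
    """Return groups of file names whose contents are byte-identical."""
    groups = defaultdict(list)
    for path in paths:
        groups[hash_stream([path])[1]].append(Path(path).name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, not evidence
        d = Path(tmp)
        (d / "sample.001").write_bytes(b"\x00" * 4096)
        (d / "sample.002").write_bytes(b"constructed second segment")
        acquired = hash_stream([d / "sample.001", d / "sample.002"])[0]
        print(verify_image(d / "sample.001", acquired))
        (d / "sample.002").write_bytes(b"constructed second segmenT")  # 1 byte changed
        print(verify_image(d / "sample.001", acquired)["verified"])
```

An .E01 file wraps the data in its own container, so hashing the .E01 file itself does not reproduce the acquisition hash; the streaming approach applies to raw images.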


Encryption Issues

• Windows Encryption

– Encrypted File System (XP)

– BitLocker (Vista & Windows 7)

• Other Hardware or Software Encryption

– Laptop hard drives

– e.g., Truecrypt


Forensic Analysis

• Key Word Searching

– Indexing (dtSearch / FTK)

– Filters

• AND/OR/NOT

• Date Range

• Specific File Types

• USB Device Activity

• LNK File Analysis


Forensic Analysis

• Deletion

– Recovery of Deleted Documents

– Recycle Bin Analysis

– Data Carving

– Unallocated Space

– Evidence of Wiping

• Signature Analysis: File Extension vs. File Signature (Header)
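
Signature analysis as named in the last bullet, sketched as an added example (not code from the presentation or any forensic suite): read each file's leading bytes, look them up in a signature table, and flag files whose extension disagrees with the header. The signature table is a short illustrative subset, and the function names, verdict labels and sample file names are assumptions.

```python
from pathlib import Path

# Leading "magic" bytes of a few common formats and the extensions that
# legitimately carry them. Illustrative subset, not a full signature database.
SIGNATURES = [
    ("JPEG", b"\xff\xd8\xff", {".jpg", ".jpeg"}),
    ("PNG", b"\x89PNG\r\n\x1a\n", {".png"}),
    ("PDF", b"%PDF-", {".pdf"}),
    ("ZIP container", b"PK\x03\x04", {".zip", ".docx", ".xlsx", ".pptx"}),
    ("OLE2 compound file", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",
     {".doc", ".xls", ".ppt", ".msg"}),
]
KNOWN_EXTS = set().union(*(exts for _, _, exts in SIGNATURES))


def classify(name, header):
    """Compare a file name's extension with the type its header indicates."""
    ext = Path(name).suffix.lower()
    for kind, magic, exts in SIGNATURES:
        if header.startswith(magic):
            # Header recognised: the extension either agrees or was changed
            return ("match" if ext in exts else "mismatch", kind)
    if ext in KNOWN_EXTS:
        # Extension claims a known type, but the header is not that type's
        return ("bad_header", None)
    return ("unknown", None)


def signature_analysis(paths):
    """Return (file name, verdict, detected type) for files worth a look."""
    findings = []
    for path in map(Path, paths):
        with open(path, "rb") as fh:
            header = fh.read(16)  # longest signature above is 8 bytes
        verdict, kind = classify(path.name, header)
        if verdict in ("mismatch", "bad_header"):
            findings.append((path.name, verdict, kind))
    return findings


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample files
        d = Path(tmp)
        (d / "holiday.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        (d / "notes.txt").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 12)
        (d / "invoice.pdf").write_bytes(b"not a pdf header")
        print(signature_analysis(sorted(d.iterdir())))
```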


Forensic Analysis

• File Hash Analysis

• Internet History

• Windows Registry

• Mobile Devices

• Analysis Examples …


Registry Overview

• Windows Registry – central database of the configuration data for the OS and applications.

• Gold Mine of forensic evidence

• Registry Keys

– Software

– System

– SAM (Security Account Manager)

– NTUSER.dat


Software Key

• What Operating System Installed?

• Date/Time OS Installed

• Product ID For Installed OS

• Programs That Run Automatically at Startup (Place to Hide Virus)

• Profiles


System Key

• Mounted Devices

• Computer Name

• USB Plugged-In Devices (USBSTOR)

• Last System SHUT DOWN Time

• Time Zone


SAM & NTUSER.DAT Keys

• SAM

– Domain Accounts

• NTUSER.DAT

– Network Assigned Drive Letters

– Typed URLs (websites)

– Last Clean Shutdown Date/Time

– Recent Documents

• Registry examples …


Unallocated Space Analysis

• Residual Data

• Unallocated Space

• Drive Free Space

• File Slack


Data Transfer Analysis

• FTP

• E-Mail

• External Drives

• Link Files

• Internet History

• Webmail

• Created/Accessed/Modified Dates


Evidence/Analysis Reporting

• Native File Exports

• HTML Based Reports

– FTK, Device Seizure, CellDEK

• Final Expert Report

• Interpretation of Report

• Expert Testimony

• Creation of key terms

• Evolving analytical search terms


Forensic Analyst

• Tips For Dealing With Your Forensic Analyst

• What to Expect From A Forensic Analyst

– Certifications

– Training

– Experience

– Testimony


Types of Cases When Forensics Are Useful…

• Financial

– Receivership

– Bankruptcy

• General Litigation

– Commercial Litigation

– Product Liability

• Corporate

– Regulatory (SEC, Second Requests, FTC)

– Mergers/Acquisitions


Types of Cases When Forensics Are Useful, cont.

• Intellectual Property

– Theft of Intellectual Property

– Temporary Restraining Order (TRO)

– Permanent Injunction


Types of Cases When Forensics Are Useful, cont.

• Labor/Employment

– Violation of Non-Compete Agreements

– Sexual Harassment

– Age Discrimination

– Fraud/Embezzlement

– Other Violations of Company Policy


Types of Cases When Forensics Are Useful, cont.

• Domestic Relations

– Divorce

– Custody

• Corporate Criminal

– Other Criminal


Social Media – What is it?

• “Tools that allow the sharing of information and creation of communities through online networks of people.”

• Typically feature content that is:

– Shared (made available to others)

– Interactive (participants are suppliers and users of content)

– Internet-based (on the web)

– Personal (usually represents personal comment or seeks commentary)

– Informal (tends to be conversational, candid, unstructured, unedited)

• Used for both business and personal reasons


Social Media – What is it?

• Benefits of Social Media

– Enhanced collaboration

– Improved business relationship

– Increased productivity

• Risks of Social Media:

– Destroy productivity

– Loss of confidential data

– Misuse of personal data and privacy concerns

– Damage to brand and reputation

– Casual manner

– Once disclosed hard to prevent dissemination

– Employees become publishers

– Burden of preservation for regulatory and legal


Social Media – What is it?

• Examples of Social Media Sites:

– Facebook: Social Networking

– Twitter: Social Networking

– LinkedIn: Business Networking

– Foursquare: Location based check-ins / Reviews

– YouTube: Video posting/sharing

– Instagram: Photo posting/sharing

– Tumblr: Blogging


Social Media Threshold Issues

• Establish Relevance

• Possession, Custody and Control

– Complicated issue

– Access once posted

– Dynamic and spoliation

– Interactive with other sites

– Point in time

– Issues regarding ease of loss of control

• Ethical Issues

– Not clear

– Pretexting

– Collector in chain of custody

– Evidentiary issues


Social Media Threshold Issues

• Stored Communications Act (“SCA”) of the Electronic Communications Privacy Act (“ECPA”)

– Complex, communications service providers versus computing service providers

– Criminal exceptions

– Do not apply to civil matters

– Civil and criminal sanctions for violations

• Privacy concerns and need for protective orders

• Anonymity

• Practical solution to seeking discovery

– Directly from user or litigant

– Since dynamic give notice of preservation as negotiation takes time


Social Media Threshold Issues

• Practical problems with social media

– Evolving new forms

– Forensic tools are behind

– Difficult to review

• Preservation

• Dynamic

• Point in time

• API and other links, e.g., integration with database or other websites

– Production

• Print, image, static versus dynamic

• Conflict with the rules, reasonably useable format


Social Media – Forensic Capabilities

• Manual Screen Capture/Video Capture/Image Format

– Print screen

– SnagIt

• Temporary Internet Files

– Web browsing artifacts

– Temporary Pictures

• Residual Data/Unallocated Space

– Deleted data (Temporary Internet Files)

– Partial web pages

• New Software Tools

– X1 Social Discovery

• Industry's first investigative solution specifically designed to enable eDiscovery and computer forensics professionals to effectively address social media content. X1 Social Discovery provides for a powerful platform to collect, authenticate, search, review and produce electronically stored information (ESI) from popular social media sites, such as Facebook, Twitter and LinkedIn.


Social Media Issues

• Social Engineering – Ability to manipulate a person into giving you personal or sensitive information.

• Fraud Schemes – Criminals use Social Media sites to pass off fraud schemes such as investment dealings. They create pages that seem legitimate but are actually traps to entice possible investors.

• Phishing Schemes – Criminals use Social Media to steal personal information such as logins and passwords from people in an attempt to commit identity theft. The primary method used is to send fraudulent links across followers/friends of an account in hopes of people clicking on the link which will then log the password and login of those users.

• Data mining – Companies use Social Media to collect vast amounts of data from the people using the sites. This information is then sold off to companies in the form of marketing research in most cases.


Social Media for Attorneys

• Use of social media and ethical rules

– Solicitation and advertising

– Establishing an attorney-client relationship

– Examination of jurors and witnesses


For assistance or additional information

• Phone: 216-664-1100

• Web: www.jurinnov.com

• Email: [email protected]


JurInnov Ltd.

The Idea Center

1375 Euclid Avenue, Suite 400

Cleveland, Ohio 44115
