I had a case where I spent two full weeks (80 hours) viewing  pornagraphic images and videos contained on a business computer .  The investigators wanted to make sure  there was nothing illegal being viewed and passed along.  See the article about the actual case below:

http://www.nypost.com/seven/12112008/news/nationalnews/naked_world_bodies_143638.htm

Why I Don’t Share the Name of Client on First Recruiting Call

When I am recruiting for an open Security Job that is not a retained search, I usually do not share the name of my client with a cold called candidate for several reason,  until we have talked in detail.

First, I interview many candidates daily, and unfortunately I must tell several that they are not a match for “this job”.  Perhaps future jobs, but not this one. It does not mean that are not a good security candidate, just not a good match for this job. Sometimes, they on the other hand, feel that they are a great fit and want to proceed with the interview process. When I explain that the client wants and expects me  to pre-screen heavily so as only to present dead on matches, they get upset.  I have had these people try to go directly to the client themselves or call other recruiters and ask them to present them. If the company name has not been discussed, it protects me.

Also, I have had some very good intentioned people that knew my client name simply mention  to a friend or co-worker that I called and discussed a great opportunity with them at XYZ company and the friend or co-worker simply goes directly to the company without thinking about me. They did not mean to cut me out, they just did not realize they should call me to present them. After all, I am dealing directly with the hiring authority and can make things happen.

Please be aware that I do share the client name as soon as we (you and I) determine that it is a good match and worth proceeding forward with the process.

Since this is how I earn a living for me and my family please don’t be insulted by the process and my guarding my client name until we agree it’s a match.

Happy Holidays,

Wils Bell – Security Recruiter

Bell (at) SecurityHeadhunter.com

SecurityHeadhunter.com, Inc.

SecurityHeadHunter.com

Desk: 407-365-2404

7Safe’s Adam Page, Senior eDiscovery Consultant sent in the following guest blog….:

The eDiscovery team completed a job recently that we fully expect to see more requests for in the future.

It involved visiting a client site who was facing a class action litigation in the US. The aim was to enable the client to produce to their US counsel only those documents relevant to the matter, and not remove any non-relevant material from the clients facility; Thus addressing any confidentiality, data protection and privacy issues.

The client came specifically to 7Safe as we are the only eDiscovery specialists in the UK market that had both the forensic heritage, technical ability and relevant security clearances to meet their demands. The client was faced with up to 4TB of data that had to be forensically captured, processed and filitered in order to meet the court requirements. We deployed forensic consultants to collect and preserve the data from a variety of sources. Then, after an initial data cull, the data was processed on-site using our mobile data processing unit. The processing speeds achived were around 1TB per day, therefore from collection through to processing followed by keyword filtering, the project was completed in little over one week.

We are seeing demand for this type of service increasing from our client base. As litigation and regulatory activity increases, clients are faced with more requests for information with ever increasing data volumes on their infrastructure. Innovative firms like 7Safe offer cost-effective solutions that are forensically sound in the eyes of the courts and regulators.

7Safe has introduced the hosted version of CaseLogistix into its eDiscovery end-to-end service – Legal Gateway.    

CaseLogistix is Anacomp’s flagship litigation support review and production platform, and forms part of 7Safe’s eDiscovery and litigation support services offering.  This latest addition gives 7Safe clients the ability to quickly organise, review, analyse and produce digital evidence, resulting in more streamlined and accelerated litigation review.

In short, 7Safe’s capability now encompasses the breadth of the Electronic Discovery Reference Model (EDRM), providing cost-effective solutions including lightning-fast turnaround times from our London City offices.  7Safe Director Jim Kent leads this team of technical and litigation support experts who are earning a reputation for fantastic client service. 

An article on PoliceProfessional.Com contains the following statement:

“ACPO is currently working on a new software tool that will allow forensic officers to operate locally and uncover information almost instantaneously. “What we’re very keen on doing is looking for a forensic triage tool that police officers or forensic officers can use locally. One that is quite simple, one they can ask questions of, such as, ‘in this computer is there the following…?’,” said Ms Williams. “The triage tool can pull that out for them.” She said the current backlog is one of e-crime’s biggest problems and that ACPO is close to identifying the right product to handle it.”

[Note: I've been told that the ACPO is looking to the vendor community for this solution. Rereading this quote, I suspect I should focus less on "working on new software" and focus more on "identifying the right product". I'll leave the post as originally written but will insert commentary.]

The apparent expectation that a tool will significantly address the backlog is rather disturbing for three reasons:

1)  The tool will not provide context. It may indicate the presence of an encrypted file container on the system but cannot determine its contents. Or that file sharing is present, but not what it was used for. Or that seven different chat programs are in use, but not the information going through them. As several people have pointed out, these PBF tools will get the low hanging fruit and gather disparate facts but cannot put do any analysis to show relationships, or lack thereof. Further, we’ll need to err on the conservative side and may well end up with a lot of false positives.

2) Technology, and the criminal’s use of technology, advances rapidly, often more rapidly than the tools. This is why DriveProphet’s author is very willing to add new capabilities as issues are reported to him. It is why Digital Detective Group’s Blade product has plug in modules that they can develop and release as new capability is required. Keeping a triage tool current requires ongoing investment by the developer and ongoing training for the users. A one time investment in the technology and training will quickly lead to a situation where the triage tool is missing relevant information. [Note: ACPO's looking to a vendor solution should address the support issue. Keep in mind maintenance costs when investing in a tool. Some vendors charge upwards of 20% of the initial investment each year for maintenance.]

3) I’ve not seen any well researched study on the LE computer forensics backlog that we can use to determine where resources should be spent. The ACPO and others believe that the the backlog is in the triage stage. This appears to be valid, particularly for getting evidence back to the owners, but I suspect that “fixing” the triage stage will simply move the backlog further downstream, even more so if the number of false positives is high.

I also wonder why the ACPO is working on a new tool rather than working with a vendor of an existing tool to tune it to their particular needs. A number of good, well supported, triage tools already exist – Drive Phrophet, Blade, EnCase Portable, e-fense’s suite (now Access Data’s?), to name a few. The ACPO money might be better spent creating a fund to provide training on these existing tools rather than bringing another tool to an already crowded market. [Note: This point is moot given the feedback I received, noted above.]

Triage is an incredibly valuable process, particularly in time critical situations where limited resources are available. Triage, in the medical environment, is performed by trained specialists using diagnostic tools. Computer forensics triage tools often are designed to be used by anyone with minimal training. Witness the Microsoft press release about COFFE – “According to a Microsoft spokesperson ‘an officer with even minimal computer experience can be tutored—in less than 10 minutes—to use a pre-configured COFEE device.’” I believe there is value in this sort of tool when used as part of a well designed forensics process. I fear that, due to vendor marketing, budget issues, and backlog pressures, these tools will be deployed without the necessary framework to properly support them.

Allow me to close with some questions:

1. Why is the ACPO creating a new tool rather than using an existing one? [Note: Addressed by feedback, noted above.]
2. Who will use these triage tools and how much training will they get? If they’re designed for lab use to address the backlog will they stay in the lab? Can they safely be deployed earlier in the process?
3. Are there any well documented studies on the LE computer forensics backlog?
4. What other options are available for addressing the backlog? Anyone who knows me also knows that I’m very interested in finding ways for the private sector to assist LE with computer forensics and this would be one option.

In the next few weeks 7Safe will be releasing an eDiscovery white paper in conjunction with another leading industry expert and a report on data compromise breach investigations performed by our forensic investigations team.

Through the Veterans Initiative the National Forensics Training Center is offering free training in the field of digital forensics to eligible military veterans and law enforcement officers. Please visit the following website for more information:

http://www.security.cse.msstate.edu/ftc/va.php

My post about the value of push button forensics produced a number of interesting comments for which I am quite thankful. A common thread in many of the remarks was that someone needs to understand the the science, logic, and art behind the PBF tools. I absolutely agree. Anyone depending on a technician and a tool alone is doing a disservice to their clients, and will likely fail spectacularly in court.

As one reader put it:

“I think the point that is being missed is this – at the end of the day the goal is to produce admissible evidence. The fact remains that our system generally looks to an expert to introduce digital evidence into court. “

Harlan made a similar comment, and really got to the heart of the matter:

“The fact is that the questions being asked by customers…was data exfiltrated, did the malware make data exfiltration possible, etc…cannot be answered by a $50/hr “analyst” with a dongle. This approach will work for low hanging fruit, but even a relatively unsophisticated compromise will be improperly and incompletely investigated in this sort of environment.”

A $50/hour analyst with a PBF dongle should not testify in court and their findings alone should not be presented to a client as they lack context and perspective. Their results are only pieces of the larger construct, a construct that should be built and signed off on by people with significantly more experience. A senior examiner can guide a team of less experienced staff using a wide variety of tools, interpret and combine the results into a well constructed report, and sign off on the team’s work product.

Law firms and private investigation firms are but two of many examples of organizations that employ associates to perform many of the simpler tasks involved in preparing cases. Doing so distributes the workload, frees senior staff up for more complex tasks, provides associates with opportunities to learn on the job under the supervision of senior staff, and ensures that work product is reviewed and approved by someone in the firm who is responsible for presenting the case to the court or to the client. The same can hold true in a computer forensics firm, lab, or department. In fact, any firm with more than a few examiners needs to operate in this manner simply for coordination and responsibility purposes. I’m just proposing that the same structure works well to mitigate the risks of using push button forensics.

We build everything from airplanes to software applications to roads out of component parts that are designed to accomplish a specific task but that, standing on their own, have little value. Organizations work in a similar manner, utilizing human components along with their associated skills and tools to streamline many processes and produce better results than one person standing alone could accomplish. Integrate PBF tools and less experienced people into your organization, manage them appropriately, validate the tools, review the results, and let the senior examiners do the heavy lifting with the complex problems, clients, and courts.

Also, I suspect if most people looked around their organization, they’ll see technicians using push button tools as part of the computer forensic process already. Do you have Voom Hard Copy II or a Talon or one of the other hardware imaging solutions? How many button presses does it take to image a drive, and who is usually pushing those buttons? Do you really believe that you’ll need to explain to a client or a court how the Talon creates an E01 image? Your report will say “Imaged the suspect’s drive with a Talon, serial number XXXXX. The hash values reported by the Talon were XXXX and they matched. The Talon was certified to be operating normally during our regular maintenance, conducted per our SOPs.” It is pretty likely that the imaging was performed by a technician, and as was the regularly scheduled testing.

Push button forensics tools are here to stay and they’re already in use in most of our organizations. There clearly are risks to using PBF and inexperienced examiners inappropriately but through sound business practices they can safely contribute to our projects and improve our efficiency in the process.

Access Data recently entered into a partnership with e-fense. In the announcement, they wrote: “Digital investigations are no longer the exclusive domain of highly trained experts.” I don’t think Access Data is wrong, and I think the forensics community needs to accept that “push button forensics” is here to stay. Further, I think it can be an important part of our future.

(Two notes: 1) For the purpose of this article, forensics and e-discovery are essentially interchangeable. 2) I’m using “technician” to describe someone with basic to moderate technical skills but lacking in deep forensics and/or e-discovery experience.)

“Push button forensics” (PBF) is often derided by computer forensics professionals. We rail against it, occasionally joke about it, and have even made “Find Evidence” buttons to stick on our keyboards. Certain facts suggest that we should embrace it, though perhaps while wearing PPE.

1. Tool vendors have a vested interest in selling forensics and e-discovery tools that can be used by people without forensics experience and certifications. If you can make a tool that any technician, lawyer, or IT person can use in a legally defensible manner, you will expand your potential market considerably. We are no match for the combined weight of the marketing departments of the vendors whose tools we are using.
   
2. Corporations, LE agencies, law firms, and other consumers of computer forensics services have a financial interest in acquiring tools that will perform complex forensics and e-discovery tasks and that can be used by technicians rather than by experts. The cost per hour of computer forensics services in the San Francisco Bay Area is around $250. There is a lot of appeal in buying a tool and using a $50 per hour in house technician if you can get the same results.
3. The volume and complexity of digital evidence is growing, and growing faster than we can cope with it. LE agencies at all levels have significant computer forensics backlogs, made worse by current budget issues. Corporate legal departments and law firms are under pressure to sift through enormous volumes of data more quickly, and more efficiently, than ever before. The number of people available who can manually sort through the complex evidence isn’t keeping pace, and the explosion in new computer forensics certification and degree programs will not solve the problem any time soon.

In addition to the facts that suggest we need to accept PBF into our environments, I’d like to suggest that, properly integrated, it can be very good for us personally and for our businesses. Here’s one example:

I’ve quite enjoyed following the development of Harlan Carvey’s timeline analysis tools and procedures. I’ve learned a lot from working through his examples, and I’d strongly encourage others to do so. But, the process is currently far too time consuming to use on any project with any significant pressure. We will need more automation, more “push buttoness”, to effectively employ it. And once it is “push button” AND validated, why can’t I farm that part of the process out to a technician? In doing so, I will:

• Acquire useful information in a more timely manner, speeding the investigation and saving the client money.
• Distribute the workload among more junior staff, enhancing their ability to contribute and decreasing the bottleneck on senior resources.
• Free up senior staff for tasks that truly require more experience and knowledge.

Put another way, from a consulting perspective, I can save my clients money, free up experienced people to work on more difficult problems, and safely incorporate people with less experience. The clients will be happy – better results for less money; the senior people will be happy – real challenges, less grunt work; and the junior people will be happy – more opportunity to gain experience.

Our forums are full of discussions about how to use an enormous number of tools, many of which automate and greatly simplify our processes.

• Anyone proficient with EnCase, FTK, X-Ways, or Sleuthkit could replicate Drive Prophet’s results but it would take hours longer, and the chance of missing something is greater.
• Similar point for web browser analysis – if there wasn’t a need to automate this, why do we have Mandiant Web Historian, Gaijin Historian, Cache Back, Pasco, Fox Analysis, NirSoft Mozilla History View, and Passcape History Viewer to name a few?
• With Mount Image Pro, I can provide a forensically sound image to a reviewer to examine with tools they’re comfortable with – Outlook, Explorer, dtSearch – without any risk that they’ll modify the evidence. This can save me a lot of back and forth to produce directory listings, copies of the My Documents folder, and .pst files.

If we look back through the archives of out discussion forums we’ll see that we’ve been automating and simplifying computer forensics processes since the dawn of the profession. In doing so we’ve made the profession more accessible to new practitioners, more valuable to our clients, and more interesting to ourselves. This mimics developments in the rest of the computer industry, and in every aspect of our lives. We’ve got push button cooking, push button flying (auto-land capability), push button navigation, push button photography, …. Push button forensics is here to stay. Accepting the fact and incorporating it into our processes and companies seems wise.

Mind you, I say this with several important assumptions in mind:

• The tools work as advertised, their behavior and results are well understood, and the process and results can be verified.
• The tools are verified internally.
• The use of the tools is supervised by experienced staff.

“Push Button Forensics” has a place in our business toolkits. Digital investigations are no longer the exclusive domain of highly trained experts. Validated PBF tools in the hands of properly trained and supervised technicians can be a very powerful combination for law enforcement agencies, law firms, corporations, and consulting firms.

I’d like to leave you with perhaps the most important point, one that is frequently overlooked or assumed – Finding the evidence is only a small part of the process. Tools can find keywords, put together a timeline, or show you the CP images. They cannot put any of that information in context. Interpreting the information, whether found manually or by PBF tools, still falls squarely in the pervue of a trained and experienced computer forensics investigator.

[Comments on this post also appear on Forensic Focus, LinkedIn's DFA Group, and the CCE mailing list.]

Access Data (AD) recently formed a partnership with e-Fense, the creative masterminds behind the Helix program, and the computer forensics community is eagerly awaiting their next move. Will AD run Helix into the ground like they have their own software? AD has shown very little expertise in anything but advertising over the last few years. I will admit that FTK 3 is a huge improvement over FTK 2.2, but they really only had one way to go-it couldn’t have gotten much worse.

Up until the end of this summer Protegga was still using FTK 1.8 for some investigations. After testing 2.2 we determined that the license was still useful and would retain it, but we would only use 1.8. The new platform was slow, the indexing was incomplete, and the database was unstable. How can a tool like this be taken into court with any confidence?

When FTK 3 came out in October, we quickly downloaded it in anticipation of huge improvements and advancements in the platform. However, our excitement was quickly crushed when we discovered that the Oracle database used with the software was not able to be installed on Windows 7. Protegga has been testing Windows 7 since March of this year and recently made the switch on our workstations to the new operating system. Did AD not see Windows 7 coming? Why would they release their new product and not make sure it was compatible with the newest operating system? I put a call into support to get some of my questions answered, but support was less than, well…supportive. My questions were quickly answered with, “we are aware of the incompatibility and are unable to help at this time.” That was it.

So Protegga set forth to figure out how to install Oracle on Windows 7. 20 pots of coffee and 2 days later we had FTK 3 up and running and have been testing it ever since. If it only took us 2 days to figure out, why didn’t AD do that prior to release? Were they incapable? Well, since the issue has since been resolved, I don’t think that was the problem. The truth is AD has been making some terrible business decisions over the last few years and this new partnership with e-Fense could spell the end to the open-source forensic tool Helix.

Our community went up in arms when it was announced that Helix would no longer be free to the public, and the $150 price was deemed excessive by many (we did not mind paying for such a useful tool). AD has been raising the price on their licenses while continuing to run their product into the ground. I don’t see this new partnership benefiting either company or the computer forensics community as a whole.

Digital Evidence Collection Kit

Overview

Collecting evidence accurately is clearly a foundational element for any ediscovery or forensics analysis project. The equipment required is important, but so are the supporting items – office supplies, forms, and documentation tools. – as well as the processes and procedures governing how they are applied. And if you cannot find the items, or get them to the destination, it doesn’t matter how great your tools are.

This kit, and the thoughts and processes behind it, attempts to address concerns I’ve encountered while doing collections all over the world. The novice investigator or experienced examiner can use this as a foundation for their own kit, or just find insight to fine tune their existing processes.

Bear in mind that, in addition to this kit, I carry a laptop backpack everywhere. The backpack has my primary laptop for note taking and Internet research with WiFi and a cellular modem, cell phone cables, spare USB thumb drives, food, reading materials, and other basic necessities of any computer forensics analyst.

Kit Contents

Collection Kit – items with serial numbers

The following table includes all the items that might be of interest to a customs agent. Everything on this list should accurately reflect the actual contents of the collection kit. It may seem odd to include the Brother labeler and the Targus external DVD-ROM drive, but I had these flagged by customs.

Column descriptions:

Item – Name of the item, from the manufacturer’s label.
Description – Self descriptive
Serial Number – Self descriptive
Quantity – Self descriptive
Country of Origin – Self descriptive
Internal Name – Either a name or a bar code number. Used to keep contents of the kit in line with inventory sheet.
Unit Price – Replacement value, what it would cost if you looked it up on the Internet.

Collection Kit – items with without serial numbers

The following items lack serial numbers and generally are not of interest to customs though I’d still include all of these on the list I gave to customs. Customs issues aside, you still want to ensure that they are in the kit before heading out the door, of course.

Explanation of items:

Pelican Case – This Pelican case will fit in the overhead compartment of domestic and international flights. The “LOC” designation means that it is designed to carry a laptop in the lid and clothes in an insert. Remove the insert and install the case organizer instead.

Office Supplies

• PostIts – For labeling drives and systems temporarily.
• Pillboxes – Hold screws from disassembled laptops. I had one laptop that required the removal of seven different sets of screws. The pillboxes kept them organized.
• Sharpies – For labeling evidence and for filling in the notecards.
• Notecards – The notecards get the following information on them:
  • Custodian
  • Date
  • System serial number

I then place the notecard for that system in each photograph taken of the system or its components. It allows me to sort a couple hundred photographs out later without too much difficulty.

Tools

• The best precision screwdriver set I’ve found is the Boxer 40 Piece 4mm Precision Screwdriver set, model PK-30.
• Wiresnips are for cutting cable ties.

Software

• I include a bootable version of each tool on both CD and USB thumb drive. I can clone either one in the field and run an essentially limitless number of collections in parallel. We tend to think about the speed of individual imaging solutions and forget about parallelization of processes..
• I maintain an SOP/Documents repository on my laptop and a Software Tools repository. The former contains forms, processes, articles, etc. The latter contains installers, source code, and stand alone apps for everything I need to build a new forensics analysis station. I periodically sync these repositories with the thumb drive in the collections kit as well as other systems.

Other notes:

• The tools included will pass TSA scrutiny for carryon items based on the TSA website and personal experience.
• You could bar code all the media before you go into the field. I often label mine when I wipe them, and set up a TrueCrypt volume up on them at the same time.
• TrueCrypt volumes – I can ship the disks, hand them to customs, or flat out lose them without worrying about data being exposed. It can take hours to wipe and encrypt a drive so you really want to do a number of them in the lab rather than in the field. This is another reason not to assume you can get enough drives while you’re running around a foreign country, or even domestically. More than once I had multiple laptops running in my hotel room overnight doing the wipe/encrypt cycle with an alarm set to wake me so I could change drives out every few hours.
• Each drive pair covers a single set of images. One is the primary, one is the backup. You can create both at the same time or use Robocopy to create the backup copy when you’re not imaging.
• There’s not enough room in the kit for a dedicated hardware imager plus the bare drives it would require. The laptop isn’t quite as fast but it is more flexible, a useful characteristic when in the field. I do try to include a dedicated imaging solution in other luggage.
• For long collection projects, I’ll carry a second case full of drives and/or ship drives to various locations. I’ve bought drives in the field, but it consumed a lot of shopping and prep time.
• If you need to expand this kit for a larger project, all your office supplies are in this kit and other kits can hold more equipment – laptops, hardware imaging solutions, etc.
• If multiple people are working on a project, each one gets a kit so they can split up if necessary without losing access to office supplies.
• Whenever possible, I prepare collections forms in advance with the common information included – matter, custodian, address, etc. In addition to these forms, I include blank copies of all the common forms.
• One copy of the inventory goes in the case, under the inserts. One goes in the case, on top of the inserts to give to Customs. One goes in my laptop bag.

Other items for consideration

There are a number of items missing from this kit that you might want to consider including. For example:

• It doesn’t include anything for collecting cell phones.
• It doesn’t contain a dedicated hardware imaging solution.
• There are no packing materials – pre-printed FedEx labels, packing tape, evidence tape, etc.
• Spares of many things.

Packaging

The entire kit fits into the Pelican 1510 LOC using the case organizer.

• There aren’t quite enough dividers for my taste.
• The power supplies for the write blocker and laptop go in the lid, side by side. I’m not certain that a Tableau power supply would fit.
• Pack the stuff you really need on top.
• I wish there was room for a clipboard with a forms storage compartment.
• Put a business card under the organizer and another one elsewhere in the kit.

Digital Media Collections Kit

• Laptop is in lid, left side.
• Power supplies are in lid, right side.
• UltraDock and adapters are in case, upper left.
• Labeler and some cables are next to adapters.

Almost all of my corporate investigations have been relating to the theft of intellectual property.  Intellectual property is defined as “any intangible asset that consists of human knowledge and ideas. Some examples are patents, copyrights, trademarks and software”.  This is a good article that illustrates what happens when a person takes intellectual property from a company.

http://www.law.com/jsp/cc/PubArticleCC.jsp?id=1202435208672&Employee_Leaving_Are_You_Sure_emYourem__Data_Isnt_Going_With_Him

7Safe co-founder Dan Haagman will be keynote speaker at this year’s First Forensic Forum (F3) Conference on Trends in Information Security Compromises.  It will be a sneak preview of 7Safe’s Breaches report that has been put togther using data from over 60 actual breach investigations. The report is scheduled for release later this year.

The F3 Conference will take place yet again at Tortworth Court, South Gloucestershire from Wednesday morning, ending on Thursday afternoon.  Should you be at F3, come by stand 10 for a chat and grab a snack (m&ms!).  Members of the 7Safe training team will also be with Dan on our stand.

Enjoy F3!

Bonjour, Marhaba, Zdravo, Goddag, Guten Tag, Buongiorno, Hola and Hello.

THANK YOU, first of all, for reading. It’ll be worth it, I promise. This blog will become a mine of information about computer forensics education, in the form of my ‘diary’ – a log of what I’m up to as a final (third) year student at Leeds Metropolitan University, UK. My name is Ryan Hurst, and you can find out far more about me by following me on Twitter – please do – than I can tell you here.

For two years previous, I have been studying an undergraduate Bachelor of Science in Computer Forensics. Further information about the course will come out in the blog, and you can read more here – but the years prior to this blog will be covered, at least until I drown in apathy.

Please, however, don’t expect rampant drudgery about the difficulty of student life, or the antics of each night on the town; don’t dread thousands of words of dullness either, you’ll find none of those here. What I hope this will be, is an honest record of what the year will contain; how I use it; how well (or otherwise) I do and how all this could interest YOU, the reader – be you a younger student, a pro’ in the field, a recruiter or an interested spectator. I’ll include a bit of ‘me’ in it too. It won’t lie, or sound like a job application’s covering letter. It won’t be a technical manual (try SANS for such excellent stuff!) either, but I do hope it will be interesting at least. Thanks must go to Simon Steggles and Disklabs, for initiating this blogging process: three cheers.

The ball is rolling on the year, education has commenced – and now the blogging will follow suit. Hope you enjoy it.

My very first case in computer forensics was one of the most memorable for me.  The case background went something like this:

A very popular celebrity newscaster was due to renew her contract with her television station.  When it came time for the contract talks to begin, the station refused to offer her a new contract and persuaded her to take a position in another market.  The newscaster retaliated by making a claim of sexual harassment against the station manager.  The television station obviously took this claim very seriously and started an internal investigation into the matter.

I was retained to perform the computer forensic examination in this case.  I worked with general counsel of the television station to define a scope for the forensic investigation.  One of the tasks included looking for any communications between the newscaster and station manager via email (corporate or personal), chat, and other forms of messaging. 

I began reviewing the corporate emails between the two parties and was shocked at what I found.  Both parties were carrying on a romantic and sexual relationship for almost a year.  They communicated frequently during the day planning liaisons, flirting, and discussing their future together.  Their communications described their liaisons which occurred during working hours after the newscaster would tape her morning show.  They would communicate about where to eat lunch and would plan a time to sneak away together and spend some time in hotels.  They would communicate about getting together after work for lavish dinners and short stays together.  Based on their communications it seemed that everything was going well for this couple until the newscaster was overcome with guilt that she was cheating on her husband and her family.  The newscaster tried to break off the affair with the station manager.  The station manager was distraught and would write these heartfelt emails to the newscaster asking her to leave her family and move away with him.  When she refused, the station manager decided not to renew her contract and was persuading her to find another station in another market.  Because of the station manager’s incessant communications to the newscaster, she felt that the only thing to do was to bring up sexual harassment charges against him. 

I spent two weeks just reviewing the emails in this case.  At the conclusion of my investigation, I had about 300 pages of printed emails between the two parties.  All of the evidence in the case was presented to the General Counsel of the station who terminated the contracts of both parties.  The newscaster went on to report for a morning show in another market. 

During my investigation, I would watch the newscaster’s morning show via the Internet.  I was amazed watching it, because she was always talking about her husband and kids and would share stories and photos of her family.  Meanwhile, I had just spent all this time sorting out her affair with another man.

La digital forensics rientra tra le tecniche investigative più interessanti e di utilità crescente. La ricerca di indizi e l’acquisizione della prova attraverso l’analisi dei dati in forma elettronica sui dispositivi interessa non solamente i computers, ma anche i dispositivi di diverso tenore, compreso cellulari, palmari, etc.

Recentemente la digital forensics ha catalizzato l’attenzione del grande pubblico per la rilevanza che assume nelle indagini e nel procedimento penale anche dei crimini violenti, come per l’omicidio di Garlasco.

E’ di applicazione diffusa, non solo per i reati informatici.

Per la verità si tratta di tecnica investigativa utilizzata anche al di là delle ipotesi di reato, come avviene in contesti industriali o comunque aziendali (spionaggio industriale, concorrenza sleale, etc.), nei rapporti con i dipendenti (nei casi di licenziamento a seguito, ad esempio, di navigazione su Internet e download di file estranei all’attività lavorativa da parte del lavoratore, durante l’orario di lavoro; etc.), nei casi di accertamento delle responsabilità in sede civile, e così via.

Riscontri di grande rilevanza si ottengono proprio analizzando i dispositivi che più si utilizzano, giacché sono costantemente sottomano, come avviene per cellulari, palmari, PDA, etc.

La “mobile forensics” richiede un’attenzione particolare rispetto alla “digital forensics” in generale.

Soluzioni tecnologiche mirate alla mobile forensics sono state approntate da imprese specializzate, come per la soluzione commercializzata con il marchio “.XRY”, che offre un importante aiuto al digital forenser chiamato ad analizzare i dispositivi mobile.

Benedetta Perilli, per La Repubblica, ne offre una descrizione ponendo provocatoriamente l’attenzione sulle ripercussioni sociali a fronte della possibile violazione della privacy, prospettando solo uno degli scenari possibili, legato alle infedeltà coniugali.

L’articolo, che ha il pregio di avvicinare il grande pubblico a tematiche di settore come questa, mi sembra che contenga un’imprecisione vistosa nella parte in cui attribuisce la paternità di XRY ad una società di consulenza australiana Khor Wills & Associates, anziché alla produttrice svedese Micro Systemation (come invece risulta da questo link  - e in particolare questo – nonché da questo documento tecnico). 

Per avere un’idea del funzionamento di XRY si può consultare anche questo post.

Peraltro, l’offerta dei tools di mobile forensics è varia e, come ricorda un commento reperito in rete, a seguito di prove tecniche per testare la loro funzionalità, è sempre opportuno che l’analista ricorra per il medesimo caso a software diversi, cumulativamente (una prova tecnica con 5 tools diversi ha dato risposte differenti e non tutto ciò che è stato rilevato in un test veniva rilevato anche negli altri test). 

Avv. Fabio Bravo

www.fabiobravo.it

For many years I have refused to upgrade my cellphone and this article just proves me right (I’ll be able to say “told you so” to sooo many people!). Forensic mobile phone work reveals threat to all of us demonstrates just why we should be very concerned about a) how much information we program into our cellphones, b) the amount of information we are carrying about ourselves, most of which we are unaware is being collected and updated practically by the minute, and c) the very real possibility of fraud, or worse. Mobile phones have traditionally been targeted by thieves because of their value. Now, the more tech-savvy thief can target a specific individual to gain access to all kinds of data and information. Fraud seems to be the minor end of the scale; blackmail and extortion also spring to mind.
Particularly of interest was the data collected by the Sports Tracker facility – who knew that a photo of your home address could be on your own phone without your knowledge? A danger of which women should be aware.
Add to all of this the possibility of hijacking of wireless network connections and the list of potential crimes rolls on and on. Some people will say that that either I’m a pessimist or a drama queen. Others will say that this article is about the UK so why should anyone else worry? Yet others may say that it takes a computer expert to access the data. In my job, computer and technology forensics has increased dramatically over the past five years and it is a very real danger of which all of us should be aware. Some people choose to access data in legitimate settings to help solve crimes. Other people will exploit any weakness they can to make money, in whatever way they see fit.

Members of the 7Safe eDiscovery team will be exhibiting at the electronic evidence and eDiscovery forum 2009 at London’s Victoria Park Plaza Hotel on Tuesday and Wednesday this week.

It’s the same venue (and event organiser) as the eCrime Congress and it will be interesting to see what the turn out is like this year. We have seen a real upturn in new cases requiring litigation support in the last couple of months.  Please feel free to drop by for a chat if you’re attending.

Dell, one of the world’s leading brands in information technology, has released a case study on how 7Safe uses technology for providing services to our eDiscovery clients.

eDiscovery case study

A few off the wire…

• Michael Bell reminds us that outsourcing isn’t all bad, it actually creates more jobs.
• Venkat Balasubramani at Spamnotes discusses Amazon is nearing settlement over wrongly deleted copies of 1984.  The importance?  Amazon may be agreeing to never delete any Kindle content – ever!
• This is VERY interesting – the topic of SMS messaging.  IT-Chuiko is reporting that computer forensic specialists have devised software to delete text messages in case your cell phone is stolen.  I wonder how that would play out in court…

A group of full time students from the Univerity of Bedfordshire visited 7Safe’s Cambridge computer forensics lab and training centre today.  They attended two hands-on seminars with instruction on computer forensic techniques and ethical hacking / penetration testing.

Beds students at 7Safe

Ray Brown, himself a MSc graduate, brought the students across as part of 7Safe’s association with the university.  7Safe and the University of Bedfordshire operate a joint Master of Science in Computer Security and Forensics.  The 7Safe/Beds MSc is particularly popular with people who are in full-time employment because the training courses are taken in block mode (courses of between 2 and 4 days) and the university assignment and dissertation components are submitted remotely.  Students have up to 6 years to complete the university components of the MSc.  There is a full FAQ on the 7Safe web site.

North Texas computer forensics and data recovery company, Protegga, has added e-Discovery and litigation support services to better meet their clients’ needs.

FOR IMMEDIATE RELEASE
PRLog (Press Release) – Oct 12, 2009 – Protegga LLC today announced the release of a new website and marketing focus to inform their current and prospective clients of their continued excellence in the field of computer forensics and the addition of several new services. Protegga has been aiding attorneys, individuals, and corporations involved in Civil Litigation, Family Law, Corporate Bankruptcy, Employment Law, Mergers & Acquisitions, and more since 2003. Now with their added focus on e-Discovery and Litigation Support, Protegga will be better able to give their clients the support they need from the beginning phases of discovery all the way through presentation at trial.

With a growing list of faithful clients that include attorneys within, and outside of, Texas, CPA’s, SEC Receivers, and local corporations, Protegga has shown a consistent ability to deliver superior results. Texas attorney Robert Wood says, “Protegga’s service is excellent and their pricing extremely fair. I wouldn’t trust any one else with my clients’ data.”

Owner and lead Forensic Investigator, R. Lance Fogarty is focused on maintaining the highest levels of integrity and core ethics while continuing to grow the business and better serve clients. According to Mr. Fogarty, “We have a dedicated group of professionals on staff, willing to do what is necessary to deliver the results people have come to expect from Protegga. We are focused on providing services, whether they be computer forensics, e-Discovery, data recovery, or litigation support, that exceed industry standards at affordable prices.”

For more information on Protegga LLC visit Protegga.com or call (888)988-9240

# # #

Since 2003 we have provided Computer Forensics, e-Discovery, Data Recovery, and Litigation Support services to attorneys, individuals, and corporations involved in Civil Litigation, Family Law, Corporate Bankruptcy, Employment Law, Mergers & Acquisitions, and more.

To see this press release in it’s original form click here.

Excellent DOJ manual on searching and seizing computers and obtaining electronic evidence in criminal cases.

Department of Justice, CCIPS (Computer Crimes and Intellectual Property Section) has just published an updated version of its computers and electronic evidence surveillance manual.  See it on the www.cybercrime.gov website here:  Here

Bill Lowrance