<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Data Recovery &#38; Computer Forensics Blog</title>
	<atom:link href="http://www.flashbackdata.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://www.flashbackdata.com/blog</link>
	<description>By Flashback Data</description>
	<lastBuildDate>Wed, 21 Apr 2010 13:46:58 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Flashback Data receives ASCLD/LAB International Accreditation</title>
		<link>http://www.flashbackdata.com/blog/?p=94</link>
		<comments>http://www.flashbackdata.com/blog/?p=94#comments</comments>
		<pubDate>Tue, 20 Apr 2010 18:35:37 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=94</guid>
		<description><![CDATA[Flashback Data is proud to announce that we have received our ASCLD/LAB International accreditation.  This makes us the first private/non-government organization in the world to be accredited for digital forensics.  This puts our digital forensic lab at the same standard as the FBI&#8217;s digital investigation labs.  We have been working hard on this and are extremely excited by the opportunity to broaden [...]]]></description>
			<content:encoded><![CDATA[<p>Flashback Data is proud to announce that we have received our ASCLD/LAB International accreditation.  This makes us the first private/non-government organization in the world to be accredited for digital forensics.  This puts our digital forensic lab at the same standard as the FBI&#8217;s digital investigation labs.  We have been working hard on this and are extremely excited by the opportunity to broaden our client base. </p>
<p><a title="Flashback Data ASCLD/LAB" href="http://www.flashbackdata.com/full-pr.html?id=13">Press release</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=94</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Sifting for Gold in a River of Gold-plate</title>
		<link>http://www.flashbackdata.com/blog/?p=89</link>
		<comments>http://www.flashbackdata.com/blog/?p=89#comments</comments>
		<pubDate>Tue, 05 Jan 2010 17:58:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=89</guid>
		<description><![CDATA[Most investigations begin with a suspicion.  Someone suspects that something has occurred on a computer and wants to determine what it is or what significance it has.  Sooner or later, the computer ends up in our laboratory for examination.  Whether it’s “sooner” or “later” may have a dramatic impact on the complexity and corresponding cost [...]]]></description>
			<content:encoded><![CDATA[<p>Most investigations begin with a suspicion.  Someone suspects that something has occurred on a computer and wants to determine what it is or what significance it has.  Sooner or later, the computer ends up in our laboratory for examination.  Whether it’s “sooner” or “later” may have a dramatic impact on the complexity and corresponding cost of the investigation.</p>
<p>Suppose, for example, that you suspect that an employee may be stealing company secrets – intending to work for a competitor.  You make a mental list of competitors that might be interested in your intellectual property and set to work to confirm your suspicions.<span id="more-89"></span></p>
<p>In the evenings, after the employee has left work, you search through the internet history visible from within Internet Explorer.  When you don’t recognize a site, you visit it to determine what it is.</p>
<p>You enter the names into the Windows Search box to see if anything comes up and review any document with any results in it.</p>
<p>You browse through folders on your network that contain your files and try to determine if the “Last Accessed” date is later than it should be.  You open any document with a “Last Accessed” date later than you expect and print it.</p>
<p>Whether you think you’ve found it or not, you realize you should hire licensed investigators to prepare a legal case and the computer works its way to us.</p>
<p>You explain your suspicions, provide us with a list of competitors and relevant access dates and project names.  We begin our investigation.</p>
<p>Almost immediately, we find a slew of relevant data.  Indeed, it seems as if everything you’ve suspected is present on the computer!  This computer was used to search for your project names, research your competitors, it accessed many sensitive documents on your network – we may have a suspect!</p>
<p>During a conference call with you to report our preliminary findings, you mention that these were all your actions.  Here’s the first problem – are they <em>all</em> your accesses?  In order to determine that, we need to know when you accessed things and what you did during those times.</p>
<p>You think back and try to recall what you’ve done, but you never made any notes about it – <em>was</em> it you who searched that term on that date?</p>
<p>As you can likely conclude, not only does this complicate the investigation itself, but it can be a nightmare in court.  The opposition’s counsel can call into question every unfavorable result as a potential “contamination” by you – rather than unauthorized activity by the employee.  With enough ambiguity, even a winning case can be lost to doubt on the jury’s part.</p>
<p>REMEMBER:  If possible, do not access a device you intend to have investigated.  If you <em>must</em> access it, document the start and end times (according to the computer’s clock), note how that clock compares with a reliable reference clock so the examiner can reconcile your notes with the timestamps on the machine, and record exactly what actions you’ve taken: which searches you ran, which files you opened, which sites you visited.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=89</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Flashback Data Wins 2009 Small Business Innovation Award</title>
		<link>http://www.flashbackdata.com/blog/?p=81</link>
		<comments>http://www.flashbackdata.com/blog/?p=81#comments</comments>
		<pubDate>Thu, 27 Aug 2009 16:13:13 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>
		<category><![CDATA[data recovery]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=81</guid>
		<description><![CDATA[Last night in front of hundreds of businessmen and women of Austin, Flashback Data took the first award of the night in the Small Business Innovation category at the 2009 Greater Austin Business Awards.  We are very excited to be recognized for our hard work in innovating our industry&#8217;s technology and processes.  This is a [...]]]></description>
			<content:encoded><![CDATA[<p>Last night in front of hundreds of businessmen and women of Austin, Flashback Data took the first award of the night in the Small Business Innovation category at the 2009 Greater Austin Business Awards.  We are very excited to be recognized for our hard work in innovating our industry&#8217;s technology and processes.  This is a big step forward for Flashback Data to continue our mission of providing outstanding service and fantastic customer support.  We would like to thank the whole team at Flashback Data and everyone who has supported us throughout the years.</p>
<p style="text-align: center;"><img class="aligncenter size-medium wp-image-87" title="2009WinnerInnovation" src="http://www.flashbackdata.com/blog/wp-content/uploads/2009/08/2009WinnerInnovation-278x300.jpg" alt="2009WinnerInnovation" width="278" height="300" /></p>
<p>Austin Chamber Press release:</p>
<p><a href="http://www.austinchamber.com/TheChamber/AboutTheChamber/NewsReleases/2009/2009_08_27.html">http://www.austinchamber.com/TheChamber/AboutTheChamber/NewsReleases/2009/2009_08_27.html</a></p>
<p>And Photos of the Winners:</p>
<p><a href="http://www.austinchamber.com/TheChamber/AboutTheChamber/09bisaw/index.html">http://www.austinchamber.com/TheChamber/AboutTheChamber/09bisaw/index.html</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=81</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>I do not think that word means what you think it means</title>
		<link>http://www.flashbackdata.com/blog/?p=77</link>
		<comments>http://www.flashbackdata.com/blog/?p=77#comments</comments>
		<pubDate>Thu, 20 Aug 2009 14:24:31 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=77</guid>
		<description><![CDATA[“I do not think that word means what you think it means”
- Inigo Montoya, The Princess Bride
As with any other scientific specialty, computer investigations have their own lexicon of ideas and terms.  Many of them are foreign enough that a layman will require an explanation just to understand them, but several are words with which [...]]]></description>
			<content:encoded><![CDATA[<p><em>“I do not think that word means what you think it means”</em></p>
<p>- Inigo Montoya, <em>The Princess Bride</em></p>
<p>As with any other scientific specialty, computer investigations have their own lexicon of ideas and terms.  Many of them are foreign enough that a layman will require an explanation just to understand them, but several are words with which most people will be familiar that have a distinct meaning in the context of forensic examination of electronic evidence.  Some of these are outlined below.</p>
<p><em><span id="more-77"></span>Image</em></p>
<p>Both the standard idea – “a picture” and the forensic meaning are used.  The forensic term “image” refers to a forensically sound capture of evidence into a file format that allows for examination.  It is an exact duplicate of the original device’s data, in a new format.  “Bob took an image of the hard drive and then photographed an image of the computer from which it came.”</p>
<p><em>Acquire</em></p>
<p>Typically not used by experts in the traditional meaning “to obtain” but rather in the forensic sense “to obtain an image of (see above)” – when an expert says that they “acquired the hard drive” they normally mean that they made a forensic image of it, not that they got their hands on it.</p>
<p><em>Hash</em></p>
<p>Not the fried potatoes you have for breakfast, but a mathematical function that turns the contents of a file (or an entire disk) into a short, fixed-length value that serves as its fingerprint: the same content always produces the same value, and a change to even a single byte produces a different one.  “I compared the hashes of the two files and determined they were identical.”</p>
<p><em>Accessed</em></p>
<p>This is a particularly troublesome term.  In computer forensics, it indicates that the computer has ‘touched’ the file in some way, whether at the request of a user or by the computer’s own programs.  Files are often “accessed” by things like virus scanners and indexing services that run without the user’s knowledge.  This is in distinct contrast to the layman’s concept of “accessed” on a computer – meaning a user interacted with a file, by opening it, for example.  The reverse caution also applies: Windows Vista and later do not update the last-accessed date by default, so the absence of a recent access date does not show that nobody opened the file.</p>
<p><em>Viewed</em></p>
<p>Like accessed, this term can be confusing and is often the source of misunderstanding by non-experts.  If an expert says that a web page is “viewed” they mean that it was loaded in a browser.  It does not necessarily indicate that human eyes saw the whole page – or indeed that <em>any</em> of it was actually seen.  Forensic analysis can sometimes give strong indications that a page was actually seen by human eyes – perhaps by showing that information on a page was followed by a web search of that information, or that a link in a page was clicked on – but ultimately, there is no incontrovertible evidence that a human being has “viewed” a web page on the computer.</p>
<p><em>Deleted</em></p>
<p>When we think about the phrase “deleted files” most of us think of this as an intentional action.  We imagine a user selecting some files and dragging them to the Recycle Bin or hitting their Delete key.  In actuality, files are often deleted by the normal operation of the computer, as is the case with Temporary Internet Files that the browser clears on its own.  It is therefore important that the understanding of the term “deleted” and its usage in a particular situation be well-defined: deleted by whom, or by what, and when.</p>
<p>As you can see from these few examples, when using precise terms of art in a legal setting, it is crucial that the speaker and the listener both understand the term in the same way.  Ensuring this is the case is one of the keys to a successful computer forensic examination.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=77</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Whole Truth</title>
		<link>http://www.flashbackdata.com/blog/?p=73</link>
		<comments>http://www.flashbackdata.com/blog/?p=73#comments</comments>
		<pubDate>Mon, 17 Aug 2009 15:10:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=73</guid>
		<description><![CDATA[We have all heard the words: “Do you swear to tell the truth, the whole truth, and nothing but the truth.”  But what does that mean today?  Drug companies write thousands of pages of disclaimers, and public servants lie about extramarital affairs all the time.  So what is “the truth”?
I recently had a case where [...]]]></description>
			<content:encoded><![CDATA[<p>We have all heard the words: “Do you swear to tell the truth, the whole truth, and nothing but the truth.”  But what does that mean today?  Drug companies write thousands of pages of disclaimers, and public servants lie about extramarital affairs all the time.  So what is “the truth”?</p>
<p><span id="more-73"></span>I recently had a case where my client’s computer was placed under a preservation order by the courts. He was prohibited from deleting any files on his computer.   He was accused of having many files that he was not supposed to have, therefore the opposing council ordered a complete forensic examination of his computer, and asked me to provide them with a copy of my evidence files.  My client asked me to look for any deleted files, or files that he was “not supposed to have.”  I performed a forensic examination of his computer hard drives , and found nothing of interest, and no evidence that he had deleted anything.</p>
<p>On a Sunday night, after I had done my examination, I received a frantic call from my client.  Opposing council’s forensic computer expert had written a report stating that he had found considerable proof that my client had deleted “hundreds of files.”   My client emphatically maintained that he had not deleted anything, so I reassured him that I would look into the report from the opposing expert.  </p>
<p>The opposing expert stated that he had found an “Evidence Eliminator” on my client’s computer which was used to destroy hundreds of files.  I was shocked; I had done a thorough examination and had found no evidence of malfeasance.  I felt confident that my client had not deleted any files.  I quickly returned to my exam machine and re-opened the case.</p>
<p>The first thing I found was there were indeed around seven hundred files that had been deleted.  How could I have missed that?  I then looked for a file mentioned in the opposing expert’s report called, “SymEraser,” and to my astonishment there it was, as we say in Texas, “Bigger than Dallas!”  Wow, I started to believe that I had failed my client.  Before I lost all hope that I was doing my job properly, I quickly ran a Google search for “SymEraser.”</p>
<p>I discovered that “SymEraser” is a file included in Norton Antivirus, Symantec Antivirus, and various other Norton and Symantec packages that include antivirus software.  It was not an evidence eliminator, it was a <strong>virus</strong> eliminator.  OK, that’s not too bad, I thought, but what about all those files?  There were definitely hundreds of deleted files.  I re-examined them.  They were all deleted from a folder called “virdef.”  They were in fact, Virus Definition files.  My client had not deleted them; Norton Antivirus had deleted them when it had updated the computer to a newer set of definitions!  This was not the blatant act of a human, but rather an automatic function of a piece of software.</p>
<p>I had done my forensic examination, and had not found anything malicious or suspect.  Opposing side’s expert had done his examination, and had found quite a lot. So what was the truth?  The truth was that files were deleted during a time that my client was not supposed to delete files.  The truth was that there is a software program called SymEraser, which eliminates things.  That was the truth.  Fortunately for my client, it was not the whole truth!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=73</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>2009 Greater Austin Business Awards</title>
		<link>http://www.flashbackdata.com/blog/?p=67</link>
		<comments>http://www.flashbackdata.com/blog/?p=67#comments</comments>
		<pubDate>Tue, 04 Aug 2009 20:15:50 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=67</guid>
		<description><![CDATA[Flashback Data is proud to announce that we are a Finalist in the Small Business Innovation category for the 2009 Greater Austin Business Awards.  Please see more information by clicking the image below:
Thank you to all of the people that have supported us over the years.
]]></description>
			<content:encoded><![CDATA[<p>Flashback Data is proud to announce that we are a Finalist in the Small Business Innovation category for the 2009 Greater Austin Business Awards.  Please see more information by clicking the image below:</p>
<p><a href="http://www.austinchamber.com/TheChamber/AboutTheChamber/busawards.html"><img class="alignleft size-medium wp-image-68" title="09banner" src="http://www.flashbackdata.com/blog/wp-content/uploads/2009/08/09banner-300x82.gif" alt="09banner" width="300" height="82" /></a></p>
<p>Thank you to all of the people that have supported us over the years.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=67</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Digital Forensics Primer</title>
		<link>http://www.flashbackdata.com/blog/?p=64</link>
		<comments>http://www.flashbackdata.com/blog/?p=64#comments</comments>
		<pubDate>Mon, 06 Apr 2009 16:38:30 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=64</guid>
		<description><![CDATA[A little understanding of electronic evidence and digital forensics goes a long way.  Because there are some terms of art that mean one thing to a forensic investigator and another to a layperson, it is important that you familiarize yourself with a bit of the lexicon before engaging a digital forensics firm.  This primer will [...]]]></description>
			<content:encoded><![CDATA[<p>A little understanding of electronic evidence and digital forensics goes a long way.  Because there are some terms of art that mean one thing to a forensic investigator and another to a layperson, it is important that you familiarize yourself with a bit of the lexicon before engaging a digital forensics firm.  This primer will help with the most commonly misunderstood terms.<span id="more-64"></span></p>
<p><em>Acquisition</em></p>
<p>When we talk about acquiring evidence in forensic investigations, we aren&#8217;t talking about receiving it.  An art dealer may say &#8220;I acquired a rare Picasso while in London&#8221; &#8211; meaning he took possession of it.  When a digital investigator talks about &#8220;acquisition&#8221;, they mean obtaining a forensically-sound copy of the evidence.  This may be either an &#8220;image&#8221; or a &#8220;clone&#8221; &#8211; both defined below. </p>
<p><em>Image</em></p>
<p>When we talk about an image, we are talking about a bit-by-bit copy of the source material into a file (or series of files) to be used in the investigation.  The image files are not accessible without specialized software, and some popular formats support compression and encryption.  You may hear images talked about in &#8220;flat-file&#8221; (also called &#8220;raw&#8221; or &#8220;dd&#8221;) format &#8211; where a 20GB drive produces a 20GB file, which can also be split into segments for more convenient storage.  All popular e-discovery and forensics platforms can read flat files.  You may also hear about &#8220;EnCase&#8221; or &#8220;E01&#8221; files.  These are a compressible, encryptable format for use in Guidance Software&#8217;s EnCase investigation software.  Accessing an image does not modify the data it contains and no specialized hardware is needed.</p>
<p><em>Clone</em></p>
<p>A clone is a copy of one hard drive to another.  It is readable in the same way the original drive is and can be put in an enclosure and connected via USB for perusal.  It is not uncommon to create both an image for the forensic investigator and a clone for the client to look through.  Note that simply connecting a clone to a computer will modify it, because the operating system writes to any disk it mounts; if the clone is to stay a faithful copy it must be accessed through a write-blocker (hardware that sits between the disk and the computer and prevents writes) &#8211; the same device that must be used on the original drive when it is acquired.</p>
<p><em>Hash</em></p>
<p>Not the shredded potatoes, but a mathematical function used to fingerprint a digital file or disk.  The most popular are MD5, SHA-1 and SHA-256.  You may hear some discussion of MD5 and SHA-1 being &#8220;broken.&#8221;  What is broken is collision resistance: researchers can construct two different files that share the same MD5 value, and SHA-1 has the same weakness.  That would matter if someone could plant a crafted pair of files ahead of time, but it is mostly theoretical insofar as its application in e-discovery, where the question is whether a given file or image has changed since its hash was recorded.  Altering evidence so that it still matches a previously recorded hash is a different and much harder problem that remains out of reach even for MD5, and the chance of two unrelated files matching by accident is about 1 in 340 trillion trillion trillion (2 to the 128th power) for MD5, the &#8220;weakest&#8221; of the three.  Common practice is to record two of them, say MD5 and SHA-256, so that doubts about one do not affect the other.  By comparing hash values, we can identify matching files very quickly.  We can also verify that data has remained unchanged by comparing the original hash value with the current one.</p>
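<p>The hash comparison described here (and under &#8220;Hash&#8221; in the earlier post &#8220;I do not think that word means what you think it means&#8221;), as an added Python example that is not code from this blog: the segments of a split flat-file image are fed through the hash functions as one stream, so the result can be checked against the values recorded when the drive was acquired, and a single flipped bit in one segment makes every algorithm report a mismatch.  The 16 KiB &#8220;device&#8221; and the 4 KiB segment size are constructed for the demonstration; iter_segment_files shows how the same function would read real segment files from disk.</p>

```python
import hashlib

# Algorithms an examiner commonly records at acquisition; one read of the data feeds all of them.
ALGORITHMS = ("md5", "sha1", "sha256")
CHUNK = 1 << 20  # read size when hashing from disk (1 MiB)


def hash_stream(chunks, algorithms=ALGORITHMS):
    """Hash an iterable of byte chunks once, returning {algorithm: hexdigest}.

    Feeding every algorithm from the same pass means a 2 TB image is read once,
    not once per algorithm.
    """
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def iter_segment_files(paths, chunk=CHUNK):
    """Yield chunks from split image segments (image.001, image.002, ...) in order."""
    for path in paths:
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk)
                if not block:
                    break
                yield block


def verify_image(chunks, recorded):
    """Recompute the digests over the image and compare with those recorded at acquisition."""
    current = hash_stream(chunks, algorithms=tuple(recorded))
    return {name: current[name] == recorded[name] for name in recorded}


def split_into_segments(data, segment_size):
    """Mimic a split flat-file image: consecutive slices of the device bytes."""
    return [data[i:i + segment_size] for i in range(0, len(data), segment_size)]


def demo():
    # Constructed 16 KiB "device" standing in for a hard drive.
    device = bytes(range(256)) * 64
    acquisition_hashes = hash_stream([device])      # what goes in the acquisition notes
    segments = split_into_segments(device, 4096)    # four segments of the flat-file image
    intact = verify_image(segments, acquisition_hashes)
    # Flip one bit in the third segment: every algorithm now reports a mismatch.
    damaged = list(segments)
    damaged[2] = damaged[2][:10] + bytes([damaged[2][10] ^ 0x01]) + damaged[2][11:]
    tampered = verify_image(damaged, acquisition_hashes)
    return acquisition_hashes, intact, tampered


if __name__ == "__main__":
    hashes, intact, tampered = demo()
    for name, digest in hashes.items():
        print(f"{name:7} {digest}")
    print("intact segments verify:", intact)
    print("one bit flipped:", tampered)
```

The order of the segments matters and nothing else does: hashing them as one stream gives the same value as hashing the original device, which is the property that lets a hash recorded on the day of acquisition be checked years later against whatever copy of the image is in hand.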
<p><em>Carving</em></p>
<p>Carving is the process by which deleted files can be recovered long after the computer&#8217;s file system has forgotten about them.  You may also hear this referred to as &#8220;raw recovery&#8221; sometimes.  Most file types have a defined structure: a fixed sequence of bytes at the start (a header, such as the bytes FF D8 FF that begin every JPEG) and often a fixed sequence at the end (a footer).  By searching through the media for these &#8220;file signatures&#8221; and cutting out the bytes between them, it is possible to recover fragments of files or even entire files years after they were deleted.  Carving works best on files that were stored in one contiguous run; a file that was fragmented across the disk comes back incomplete or mixed with other data, because the carver has no allocation table to tell it where the pieces are.</p>
<p><em>Unallocated Space</em></p>
<p>When you save a file to disk, the computer makes an &#8220;allocation&#8221; of space on the disk for that file and records it in the file system&#8217;s allocation table.  When you delete that file, only that entry is removed: the space is marked as available for use, but the file&#8217;s contents stay on the disk until some later file happens to be written over them.  Unallocated space is that area of the disk that the file system has marked as available.  It is often possible to recover hundreds or thousands of files from unallocated space, by carving (see above) or, where the old directory entries still survive, by reading them directly.</p>
<p><em>Slack </em></p>
<p>The area of a disk is divided into units called clusters, and a file always begins at the start of a cluster for ease of organization.  Unless a file&#8217;s size is an exact multiple of the cluster size (a rarity to be sure), there will be some space left between the end of the file and the end of its last cluster.  This is slack.  The file system does not bother to clear the unused part of the cluster (modern systems pad out the final sector of the file, but leave any remaining sectors of the cluster untouched), so whatever was stored there before is left in place, and it is possible that remnants of a previous file will be readable from slack space on a disk.</p>
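<p>Carving, unallocated space and slack together, as an added Python example (not code from this blog): a toy disk with 512-byte clusters and a dictionary standing in for the allocation table.  Two JPEG-like files are written and deleted, a small text file reuses the first cluster, and the script then shows the tail of the old file sitting in the text file&#8217;s slack and carves the larger deleted file whole out of unallocated space by its header and footer signatures.  The cluster size, file names and contents are constructed for the demonstration, and the JPEGs are signature-correct only, not real images.</p>

```python
CLUSTER = 512  # allocation unit; NTFS defaults to 4096, 512 keeps the demo small


def fake_jpeg(payload):
    """Bytes with a JPEG start-of-image marker, an APP0 marker and an end-of-image marker."""
    return b"\xff\xd8\xff\xe0" + payload + b"\xff\xd9"


class ToyDisk:
    """A disk whose allocation table is a dict; deleting forgets the clusters, not their bytes."""

    def __init__(self, clusters):
        self.media = bytearray(CLUSTER * clusters)
        self.table = {}   # name -> ordered list of cluster numbers (the allocation table)
        self.sizes = {}   # name -> logical size in bytes

    def free_clusters(self):
        used = {c for chain in self.table.values() for c in chain}
        return [c for c in range(len(self.media) // CLUSTER) if c not in used]

    def write(self, name, data):
        need = -(-len(data) // CLUSTER)          # ceiling division: clusters to allocate
        chain = self.free_clusters()[:need]
        if len(chain) < need:
            raise OSError("disk full")
        for i, c in enumerate(chain):
            piece = data[i * CLUSTER:(i + 1) * CLUSTER]
            self.media[c * CLUSTER:c * CLUSTER + len(piece)] = piece   # rest of the cluster is untouched
        self.table[name], self.sizes[name] = chain, len(data)

    def delete(self, name):
        del self.table[name], self.sizes[name]     # the bytes stay on the media

    def slack(self, name):
        """Bytes between the end of the file and the end of its last cluster."""
        chain = self.table[name]
        used_in_last = self.sizes[name] - (len(chain) - 1) * CLUSTER
        last = chain[-1] * CLUSTER
        return bytes(self.media[last + used_in_last:last + CLUSTER])

    def unallocated(self):
        """Every cluster no file claims, in disk order (pieces of a fragmented file arrive out of order)."""
        return b"".join(bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER]) for c in self.free_clusters())


JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"


def carve_jpegs(blob, max_size=16 * 1024 * 1024):
    """Header/footer carving: recover complete JPEGs from raw bytes with no file system help."""
    found, pos = [], 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start < 0:
            return found
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0 or end - start > max_size:
            pos = start + 1                       # header with no plausible footer: skip it
            continue
        found.append(bytes(blob[start:end + len(JPEG_EOI)]))
        pos = end + len(JPEG_EOI)


def demo():
    disk = ToyDisk(8)
    small, big = fake_jpeg(b"s" * 300), fake_jpeg(b"B" * 1200)   # 306 and 1206 bytes
    disk.write("small.jpg", small)       # cluster 0
    disk.write("big.jpg", big)           # clusters 1, 2, 3
    disk.delete("small.jpg")
    disk.delete("big.jpg")               # all eight clusters are now unallocated, data intact
    disk.write("notes.txt", b"n" * 100)  # reuses cluster 0, overwriting only small.jpg's first 100 bytes
    return disk, small, big


if __name__ == "__main__":
    disk, small, big = demo()
    print("slack of notes.txt holds the tail of small.jpg:", disk.slack("notes.txt").startswith(small[100:]))
    print("carved from unallocated space:", [len(f) for f in carve_jpegs(disk.unallocated())])
```

The remnant in slack is recognisable (it ends with the JPEG footer) but its header was overwritten, so no carver will return it as a file; the larger file, whose clusters nobody reused, comes back whole.  Note the simplification in unallocated(): free clusters are joined in disk order, which is exactly why a fragmented file defeats a simple carver.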
<p><em>Metadata</em></p>
<p>Metadata is simply &#8220;data about data.&#8221;  There are two types commonly referred to:  filesystem metadata and program metadata.  Filesystem metadata includes the security permissions, dates of last access, last write and creation and whether a file is hidden, compressed or archived.  Program metadata is information written into a file by an application.  In the case of Microsoft Word, this can include the Author, Organization, Date of Last Printing and even a journal of changes and commentary in a collaborative document.</p>
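<p>Filesystem metadata beside program metadata, as an added Python example (not code from this blog): the first function reads what the operating system records about a file, the second opens a Word .docx package (a zip file of XML parts) and reads the author, last-modified-by, revision and date fields Word writes into docProps/core.xml, and a third compares the two.  The sample document, its author names and its dates are constructed; the file system write time is deliberately set earlier than the document&#8217;s own modified stamp to show the kind of discrepancy an examiner then has to explain.</p>

```python
import os
import stat
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces Word uses in docProps/core.xml inside a .docx package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def _utc(ts):
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def filesystem_metadata(path):
    """What the file system records about a file, independent of its contents."""
    st = os.stat(path)
    return {
        "size": st.st_size,
        "changed": _utc(st.st_ctime),        # attribute-change time on POSIX; creation time on older Windows builds
        "last_write": _utc(st.st_mtime),
        "last_access": _utc(st.st_atime),    # may be stale: many systems no longer update it
        "mode": stat.filemode(st.st_mode),
    }


def docx_program_metadata(path):
    """What the application wrote into the document itself."""
    with zipfile.ZipFile(path) as package:
        core = ET.fromstring(package.read("docProps/core.xml"))
    field = lambda tag: core.findtext(tag, default="", namespaces=NS)
    return {
        "author": field("dc:creator"),
        "last_modified_by": field("cp:lastModifiedBy"),
        "revision": field("cp:revision"),
        "created": field("dcterms:created"),
        "modified": field("dcterms:modified"),
    }


def modified_after_last_write(fs_meta, prog_meta):
    """Flag a document whose internal modified stamp is later than the file system's last write.

    A normal save leaves last-write at or after the stamp Word put inside the file, so the
    reverse is a discrepancy to explain (timestamps altered on copy, a clock change, editing
    on another machine), not proof of anything by itself.
    """
    internal = datetime.fromisoformat(prog_meta["modified"].replace("Z", "+00:00"))
    last_write = datetime.fromisoformat(fs_meta["last_write"])
    return internal > last_write


def make_sample_docx(path):
    """Constructed .docx with only the parts this script reads; names and dates are invented."""
    core = (
        "<?xml version='1.0' encoding='UTF-8' standalone='yes'?>"
        "<cp:coreProperties xmlns:cp='%(cp)s' xmlns:dc='%(dc)s' xmlns:dcterms='%(dcterms)s'"
        " xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'>"
        "<dc:creator>J. Smith</dc:creator>"
        "<cp:lastModifiedBy>former employee</cp:lastModifiedBy>"
        "<cp:revision>7</cp:revision>"
        "<dcterms:created xsi:type='dcterms:W3CDTF'>2009-02-01T09:15:00Z</dcterms:created>"
        "<dcterms:modified xsi:type='dcterms:W3CDTF'>2009-03-30T22:41:00Z</dcterms:modified>"
        "</cp:coreProperties>"
    ) % NS
    with zipfile.ZipFile(path, "w") as package:
        package.writestr("docProps/core.xml", core)
        package.writestr("word/document.xml",
                         "<w:document xmlns:w='http://schemas.openxmlformats.org/wordprocessingml/2006/main'/>")
    # Set the file system last-write time to 2009-03-15, earlier than the document's own
    # modified stamp, to reproduce the kind of discrepancy an examiner has to account for.
    backdated = datetime(2009, 3, 15, 12, 0, tzinfo=timezone.utc).timestamp()
    os.utime(path, (backdated, backdated))


def demo():
    fd, path = tempfile.mkstemp(suffix=".docx")
    os.close(fd)
    try:
        make_sample_docx(path)
        fs_meta = filesystem_metadata(path)
        prog_meta = docx_program_metadata(path)
        return fs_meta, prog_meta, modified_after_last_write(fs_meta, prog_meta)
    finally:
        os.remove(path)


if __name__ == "__main__":
    fs_meta, prog_meta, suspicious = demo()
    print("file system:", fs_meta)
    print("document   :", prog_meta)
    print("internal modified stamp later than last write:", suspicious)
```

The two kinds of metadata come from different sources and can disagree: copying a document to another drive gives it fresh filesystem dates while the author and revision fields inside it travel unchanged, which is often how a file found on a home computer is tied back to the machine it was written on.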
<p><em>Wipe</em></p>
<p>Also called sanitizing, scrubbing, erasing, zeroing and many other things, wiping a drive involves overwriting every location on the drive with new information.  Because each location can only contain one value at a time, overwriting renders the previous data unrecoverable.  As many of my colleagues and I have been saying for quite some time, regardless of what old wives&#8217; tales you may hear, a single-pass overwrite of data on a hard drive renders it permanently and irrevocably unrecoverable.  You may hear of three-pass, seven-pass and even thirty-five-pass erasure.  This is unnecessary overkill.  One pass is sufficient to defeat all known methods of data recovery.  The caveat is that the pass must actually reach every location: sectors the drive has quietly remapped as bad, and the spare blocks a flash-based (SSD or USB) drive&#8217;s controller shuffles data between, are not covered by a normal overwrite issued through the operating system, so for those devices use the drive&#8217;s built-in sanitize or secure-erase command, or destroy the media.  Likewise, overwriting a single file may leave older copies of it in the file system journal, in temporary files or in unallocated space; a wipe means the whole device, not one file.</p>
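<p>A single-pass overwrite with a verification read, as an added Python example (not code from this blog): wipe_file overwrites every byte a file occupies with zeros and forces the write down to the device, is_wiped reads it back to confirm nothing else remains, and the sample file is constructed for the demonstration.  The comments spell out what such an overwrite does not reach.</p>

```python
import os
import tempfile

BLOCK = 1 << 20  # bytes written or read per iteration (1 MiB)


def wipe_file(path, pattern=0x00, block=BLOCK):
    """Single pass: overwrite every byte the file occupies, then force the write to the device.

    Limits to keep in mind: this reaches only the blocks the file currently occupies.
    Sectors the drive has remapped as bad, flash blocks an SSD controller has retired
    or relocated, and older copies kept by a journaling or copy-on-write file system
    are not touched.  Sanitizing those means wiping the whole device, or using the
    drive's own sanitize/secure-erase command.
    """
    size = os.path.getsize(path)
    fill = bytes([pattern]) * block
    with open(path, "r+b") as f:
        remaining = size
        while remaining:
            n = min(block, remaining)
            f.write(fill[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())   # do not trust the OS cache: push the zeros to the disk now
    return size


def is_wiped(path, pattern=0x00, block=BLOCK):
    """Verification pass: read the file back and confirm only the pattern byte remains."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(block)
            if not chunk:
                return True
            if chunk.count(pattern) != len(chunk):
                return False


def demo():
    # Constructed sample: a JPEG-looking file with a recognisable body, 6005 bytes long.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"\xff\xd8\xff" + b"secret" * 1000 + b"\xff\xd9")
        path = tmp.name
    try:
        before = is_wiped(path)
        size = wipe_file(path)
        after = is_wiped(path)
        return before, size, after
    finally:
        os.remove(path)


if __name__ == "__main__":
    before, size, after = demo()
    print(f"{size} bytes; wiped before: {before}, wiped after: {after}")
```

The read-back is the part people skip: a wipe that was never verified is a claim, not a result, and the verification should be done against the device, not against a cached copy the operating system may still be holding, which is why the example calls fsync before reading.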
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=64</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How Not to Be Subtle</title>
		<link>http://www.flashbackdata.com/blog/?p=35</link>
		<comments>http://www.flashbackdata.com/blog/?p=35#comments</comments>
		<pubDate>Tue, 31 Mar 2009 19:07:39 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>
		<category><![CDATA[data recovery]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=35</guid>
		<description><![CDATA[We recently received a hard drive turned over by a former employee of our client.  The drive would not work and had been sent in for data recovery.  Indeed, when we brought it into the lab, the drive was not powering on.  It was time to do a little investigation.
Examining the drive connectors, we noted [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-medium wp-image-37" title="connectors1" src="http://www.flashbackdata.com/blog/wp-content/uploads/2009/03/connectors1-225x300.jpg" alt="connectors1" width="225" height="300" />We recently received a hard drive turned over by a former employee of our client.  The drive would not work and had been sent in for data recovery.  Indeed, when we brought it into the lab, the drive was not powering on.  It was time to do a little investigation.</p>
<p>Examining the drive connectors, we noted some deep scoring on the connectors that was not consistent with any accidental scratches we might expect to see if a drive had been improperly disconnected.  A photograph of the scratches can be seen at right.  The scratches have been marked in the right-hand frame.</p>
<p>Having determined that there had been some deliberate and intentional damage done to the drive, we continued to investigate – this time, with a keener eye for other intentional damage that may have been inflicted on the drive.<span id="more-35"></span></p>
<p><img class="size-medium wp-image-38 alignleft" title="pins" src="http://www.flashbackdata.com/blog/wp-content/uploads/2009/03/pins-300x225.jpg" alt="Bent Pins" width="300" height="225" /></p>
<p>When we removed the logic board, there was very apparent damage to the connecting pins.  Several were bent in odd directions and folded over. </p>
<p>There was also significant strike damage to the plastic housing the pins sit in, with a chunk missing and a large abrasion on the outward-facing edge.</p>
<p>We also noted some chipping of the metal in the area adjacent to the damage on the pin housing.  The damage was consistent with a small screwdriver, like one might have in an eyeglass repair kit, being slid underneath the logic board and repeatedly being rammed back and forth.</p>
<p><img class="alignright size-medium wp-image-41" title="strikepath" src="http://www.flashbackdata.com/blog/wp-content/uploads/2009/03/strikepath-300x225.jpg" alt="strikepath" width="300" height="225" />Turning over the logic board and inspecting the area which contacts these now-bent pins under a microscope was startling.  It confirmed our hypothesis regarding the damage.  The strike path of the screwdriver is defined by the scrapes on the soft board and the chipping away of the thin metal on the pin contacts.  Here we see at least four distinct strike paths, which caused a great deal of damage to the logic board.  With these contacts damaged, the drive’s internal hardware would be unable to connect to the processors on the board.</p>
<p><img class="alignleft size-medium wp-image-42" title="resistor" src="http://www.flashbackdata.com/blog/wp-content/uploads/2009/03/resistor-300x225.jpg" alt="resistor" width="300" height="225" />More inspection of the logic board indicated that not only had some circuit paths been severed, but an entire resistor had been violently snapped off and gone missing!  There was also pin damage on the semiconductor (seen at left – follow the arrow marked “path of screwdriver” all the way to the large chip and note the damage in a straight line across the entire board.)</p>
<p>That settled it.  This board would never work again.</p>
<p>But wait!  Our database indicated we had a similar drive in our parts inventory.  A quick check indicated a perfect match.  Ten minutes later, we began forensic imaging of the drive evidence.  Not only had the former employee left mounds of evidence regarding intentional destruction of evidence, but it hadn’t actually gained him anything.  The recovery was 100% successful and productive and our client has even more evidence to use against the former employee in court.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=35</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>About Specialization</title>
		<link>http://www.flashbackdata.com/blog/?p=32</link>
		<comments>http://www.flashbackdata.com/blog/?p=32#comments</comments>
		<pubDate>Thu, 08 Jan 2009 17:38:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=32</guid>
		<description><![CDATA[The professions of medicine and law are somewhat similar:  they are expensive, often painful and we hope we feel better when the procedure is over than we did when we started.
Suppose one day you went to the dentist for a filling and while you were there, you mentioned that you were scheduled for heart surgery [...]]]></description>
			<content:encoded><![CDATA[<p>The professions of medicine and law are somewhat similar:  they are expensive, often painful and we hope we feel better when the procedure is over than we did when we started.</p>
<p>Suppose one day you went to the dentist for a filling and while you were there, you mentioned that you were scheduled for heart surgery the next week.  If he told you that he could perform your bypass, would you take him up on the offer?<span id="more-32"></span></p>
<p>In medicine, most people understand the idea that specializations exist and why.  Medicine is a complex field and it makes sense to choose someone whose expertise relates to your particular problem.  It’s not a question of whether your doctor knows what to do to fix your problem, but rather whether he knows what to do when things don’t go as planned.</p>
<p>It’s interesting that this same attitude does not always translate over to the law – and specifically to the field of digital examinations.  Too often we are called in to clean up a botched examination after unqualified people have “had a go” at developing evidence on a computer or mobile phone.</p>
<p>The field of e-discovery has many specializations.  Some of these are equipment-based:  tape restorations, outdated discs, rare or arcane operating systems or applications.  A vendor won’t be able to perform in this case because they lack the ability to connect your data to the platform they use for processing.  It is when the specialization is knowledge based, like with <a title="Digital Forensics" href="http://www.flashbackdata.com" target="_self">digital forensics</a>, that we run into a particularly dangerous issue.</p>
<p>In order to properly handle, acquire and view a hard drive or other device, some specialized hardware and software is necessary.  The baseline cost for a capable complement of equipment is around $10,000 – a sum that is within reach for almost every business.  As a matter of fact, there are many people who advertise digital forensics services with little more than the baseline equipment, a week of classroom training and no practical experience in either computers or investigation.</p>
<p>Why has this happened?  The answer is simple:  businesspeople saw a revenue stream that they were not tapping and looked into “what is necessary” to conduct an examination on a digital device.  That week-long basics course allows them to speak about the field as if they understand it (and to sound like an expert to someone who knows nothing about the field), while the equipment adds the rarefied air of being a “specialist” whose toolkit contains mystical and unusual devices.</p>
<p>Some examinations may be extremely simple and straightforward.  The computer has not been tampered with or mishandled, no evidence is hidden and the investigation requires no analysis or conclusions.</p>
<p>When a novice conducts these types of examinations, the entire process may go smoothly – adding to their client’s perception of them as an expert.  Many times, no testimony is required – or if there is testimony, no opposing expert exists to counter it.</p>
<p>What happens when the examination is not so straightforward?  What if the system clock was changed to backdate documents?  What if key evidence has been securely erased with a third-party application?  What if you need to correlate evidence among several related devices?  These are not investigative results you can achieve with the press of a button, or after a week’s tutoring.  Many times, modification or manipulation of data will go completely undetected by an unskilled investigator.</p>
<p>Another key function of an experienced professional investigator is to provide some context for the investigation.  Let us suppose that there is evidence of backdating of the system clock and it is detected.  Knowing how frequently backdating occurs in similar cases suddenly becomes vitally important.  Being able to state in court that an event is rare, based on your personal knowledge over hundreds of examinations and your discussions with other recognized experts in the field, is much more powerful than saying it’s rare because you heard it in a class last week.</p>
<p>Being able to conduct complex analysis and provide expert opinions are hallmarks of the professional digital investigator – not the use of a particular tool or program.  Anyone can buy a hammer, but owning a hammer doesn’t make you a carpenter.</p>
<p>When you have important evidence on a computer or cell phone, being able to evaluate your options early can save a mountain of heartache down the road – contacting an expert first and getting an idea about the complexity and difficulty of the case will allow you to choose the best path for your investigation and to ensure that you make the best use of every dollar you spend.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=32</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Post-Mortem</title>
		<link>http://www.flashbackdata.com/blog/?p=28</link>
		<comments>http://www.flashbackdata.com/blog/?p=28#comments</comments>
		<pubDate>Thu, 08 Jan 2009 17:36:18 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[computer forensics]]></category>

		<guid isPermaLink="false">http://www.flashbackdata.com/blog/?p=28</guid>
		<description><![CDATA[They say you always remember your first one.
The deceased was brought into the lab and laid out on a cold, hard table.  Instruments were laid out on the table beside them, some eerily familiar and others strange and arcane.  In a few moments, we were inside, looking at the innards that held the secrets to [...]]]></description>
			<content:encoded><![CDATA[<p>They say you always remember your first one.</p>
<p>The deceased was brought into the lab and laid out on a cold, hard table.  Instruments were laid out on the table beside them, some eerily familiar and others strange and arcane.  In a few moments, we were inside, looking at the innards that held the secrets to the end of a life cut short.  What had happened that had struck this one down in his prime?  Who was responsible?<span id="more-28"></span></p>
<p>A few minutes’ work and the major organs were out, sent on for further examination.  All that was left was a shell – nothing left of what made this one glow in life.</p>
<p>Into the lab we went.  Here, the organs had been hooked up to all manner of odd devices by a multitude of wires.  Electricity coursed through the leads and the organs began to stir!  A scientist sat nearby, making notations on a pad about each item.  Soon, each organ was functioning as it had in life.  What story would they tell?  Would we find the perpetrator of this dastardly deed?  Would the victim have their revenge from beyond the grave?</p>
<p>They had separated the brain into its sections:  short term memory here, long term there, thoughts over here, auditory center here, visual center there.  Such a complex device!  The long-term memory was connected through several wires into a box.  From the box, another long wire led into a computer.</p>
<p>As the monitor began to flicker into operation, the most wondrous thing occurred!  There before me on the screen were the victim’s memories!  Here, we could see the moment of birth; over here were memories of a youth spent playing games with a close friend.  The mood darkened.  I saw memories of the friend – more sinister-looking now – involving our dear departed in some nefarious scheme.  There were forged letters written, accounting entries backdated, fraud, deception and theft.  The poor victim had no idea he was being used, so blindly he trusted his friend.</p>
<p>Our victim had been trusting, but he had not been a fool.  All along, he had kept a journal.  And oh what a journal it was!  Every detail of his day had been written out in explicit detail.  Every time the villain forged a letter, the true circumstances had been dutifully recorded in the journal.  Every backdated document had its true date exposed.  The minutiae of life were laid out truthfully, recorded simply for the sake of having an accurate record.  I think his friend had realized it at some point.  Unable to determine the location of the journal, he had instead decided to eliminate the journaler.</p>
<p>The fiend had turned on him.  He had injected a deadly virus in hopes of destroying his memory.  He had prattled on about all manner of bland things in an attempt to make the victim forget about what he had seen.  He reset the clocks constantly – I suppose to drive him mad, or to confuse his journaling.  Eventually, it came to violence – the trauma to the brain had been severe, leading to a quick and messy end.</p>
<p>Yet, our hapless victim was steadfast to the last.  Each event was recorded with the same clarity, scribing a horrific story of the destruction of a faithful friend through the machinations of one who had fallen to a life of lies.</p>
<p>The trial was short.  The entries in the journal peeled back the veneer of lies that had been presented by the defense in the case.  In the end, the jury realized that the defendant had betrayed his faithful companion to cover up his crimes.  He had taken advantage of the trust they had established and tried to use it against him.  The evidence was overwhelming and irrefutable.</p>
<p>“Guilty,” the foreman intoned solemnly, “of capital spoliation resulting in the death of a Dell Inspiron laptop.”</p>
<p>You always remember your first one, they say.  I sure remember mine.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.flashbackdata.com/blog/?feed=rss2&amp;p=28</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
