Forensics and forensic data analysis

Hidden Costs of an Internal Digital Forensics Lab

June 21, 2018 | Digital Forensics | by Russell Chozick

Many of our law enforcement clients currently have or have had their own internal digital crime lab. At some point, each of these departments built their own lab, but have moved away from that decision over time.

Here are the top 4 things these customers have told us about the hidden costs of running your own digital crime lab.

1) It takes longer than expected to develop in-house expertise.

Departments that choose to staff their lab with an existing sworn officer instead of an experienced civilian forensic examiner tell us that they underestimated how long it takes to develop digital forensics expertise.

The minimal training for a new examiner involves classes on basic forensic analysis and mobile device forensics. These classes are typically several weeks each and require travel. In addition, new examiners need hands-on practice and time to get familiar with new equipment. Altogether, it can be six months before a new examiner is able to perform his or her first real forensic exam.

It takes another 12 months of regular work for that new examiner to reach the level of a “junior” examiner in the civilian world. Our clients tell us that during those 18 months, they’re still sending their most important and complex cases to the RCFL or a private lab.

2) Keeping your infrastructure up-to-date is surprisingly expensive.

An in-house digital forensics lab requires some up-front investment in equipment and software in order to properly track, manage, analyze and report on digital evidence. The costs associated with these up-front investments can easily run into the tens of thousands of dollars, but are predictable.

What is less predictable is the cost of keeping that equipment and software up to date. A digital crime lab must stay abreast of, and be able to forensically analyze, virtually every new device and operating system that comes along. It may be fine to skip a few upgrade cycles for your personal computer or mobile device, but your forensic analysis software and equipment have to stay as close to the cutting edge as possible.

3) It’s expensive to keep your expertise current

In addition to keeping your equipment and software up to date, you’ll also need to keep your examiners trained on the most up-to-date developments in digital forensics. In order to maintain an IACIS certification (which is highly recommended), your examiner will need to have 60 hours of continuing education every three years.

Even without this requirement, you would want your examiner to get at least that much training regularly to stay abreast of new technologies and forensic techniques.

4) The role of Digital Forensic Examiner doesn’t fit well into a typical law enforcement career path, and turnover is higher than expected.

Finally, our clients tell us that their department’s promotion and compensation systems aren’t set up to include the job of digital forensic examiner. Becoming a forensic examiner might sound like an attractive option to a career officer at first: move off the street and into the office, get lots of new training, and make at least as much as you did before.

However, options for promotion and raises can be minimal for a digital forensics examiner. We’ve talked to examiners who love their job, but simply can’t continue to forgo the promotions and raises associated with a more traditional law enforcement career path. The challenges of ramping up a new examiner and keeping that examiner well-trained are compounded when you have high turnover among your examiners.

If your department is struggling to maintain an effective in-house crime lab or if you want to explore the potential of working with an accredited, private digital crime lab, contact Flashback Data today.

We work with law enforcement and DA’s around the country and provide faster turnaround than your local RCFL or state crime lab.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


Paying for a Private Digital Forensics Lab

June 21, 2018 | Digital Forensics | by Russell Chozick

Private computer forensics labs offer a great alternative to a local RCFL, state lab or even an in-house lab. They provide cutting-edge expertise, fast turnaround times (days or weeks instead of months or years) and can often deliver service that is more customized to the specific needs of each case. The question, of course, is how much does a private lab cost and how do you pay for it?

What is the Cost?

No matter the details or complexity of your case, you want the same deliverable – a concise forensic analysis that can stand up in court. The general cost of a digital forensic analysis can range from a few hundred to a few thousand dollars depending on the complexity of the case and the number of devices involved. Generally, simple cases that involve a single mobile device can cost a few hundred dollars. More complex cases with multiple devices and device types that require an examiner to testify in court can cost several thousand dollars.

Package Options

If you’re looking for a private lab that is more than an occasional, one-off solution, you may opt for a package option. Some digital forensics labs offer casework packages that let you choose a fixed annual price for a pre-defined quantity of work. Rather than buying hours, you’re buying case “units” based on common device types. For example, a simple mobile device acquisition may be 1 unit and a damaged mobile device that requires a chip-off or JTAG process may be 3 units.

This approach lets you select an annual budget amount that your department can afford and still have the flexibility to pursue cases that include a wide range of device types.

Justifying the Expense

Finding money for a private digital crime lab can be difficult. As with most expenses, the question is not what the actual cost is but how that cost compares with your next best alternative. Flashback Data serves as the outsourced digital forensics lab for law enforcement agencies across the country. The two most common ways that our customers justify their partnership with us are:

  • It’s cheaper than maintaining an in-house lab. Lots of departments that choose to build an in-house lab underestimate the ongoing costs associated with keeping their examiners trained and their equipment and software up-to-date, not to mention the headache of actually managing a lab. A private digital forensics lab can offer cutting edge expertise, equipment and results at a more affordable cost than an in-house lab.
  • Save money on overtime. If you’re paying officers overtime to maintain surveillance during a critical investigation, waiting 6 months to analyze a seized mobile device costs your department real money. Many of our law enforcement customers rely on our rapid turnaround time to finish cases faster and save unnecessary overtime.

If you’re considering using a private digital forensics lab, contact Flashback Data today. We can be your own private forensics lab or can help with one-off cases as needed. We’re proud to be the first private digital forensics lab accredited under the same program as the FBI and state crime labs.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


On Scene Tips: Securing Computers for Forensic Analysis

May 22, 2018 | Digital Forensics | by Russell Chozick

Choices you make in securing digital evidence on scene can make or break your department’s ability to recover evidence and make a case. In the past, we’ve covered common mistakes made on scene and offered advice for water emergencies. Today we share best practices for securing a computer, especially one that is powered ON and potentially encrypted.

In a previous post, we talked about ways to secure mobile devices and computers that are powered OFF. We encourage you to read that entire post, but if you seize a computer that is OFF, don’t turn it ON. Just bag it, tag it and send it to the digital crime lab for analysis.

If A Computer is ON and Accessible

If the computer is ON and accessible, the traditional way to secure the evidence is to unplug the device from its power source. This prevents any unexpected changes to data that may occur during a “normal shutdown”. However, the increasing use of data encryption is forcing first responders to change that protocol slightly. If the computer is ON and accessible, you’ll need to perform a few cursory checks for encryption before you do anything else.

If a hard drive is encrypted, the data on that drive is effectively inaccessible to a forensic examiner (or anyone) without the appropriate password. So if you come across a computer that is ON, accessible and encrypted, you have a unique opportunity to access the data on that drive that will be lost if you simply pull the plug and process it like other devices. If you believe that the device is encrypted, you should immediately seek the help of a trained forensic examiner, who may perform a field analysis of the device.

Determining If The Data Is Encrypted

Detecting full disk encryption on a computer that is ON may be as easy as identifying the operating system and its version, since some of them ship full disk or full volume encryption schemes such as Windows BitLocker full volume encryption. This feature is available on most modern versions of Windows and is enabled by default on certain clean installs of Windows 8.1 Pro and higher.

To check for Windows BitLocker, you’ll need to view a list of the computer’s hard drives or volumes. From the START menu, click on COMPUTER or FILE EXPLORER. From there you should see a list of the storage media connected to the computer. A BitLocker-protected drive shows a closed padlock over its icon (see the image below).

Image: encrypted hard drive, BitLocker enabled on Windows 10

Close attention should also be given to the volume names at this point. The presence of a volume name that contains the word “CRYPT”, “VAULT”, “LOCKED” or similar phrase should serve as a clue that volume level encryption may be present.

If BitLocker can be ruled out, then a minimally intrusive look for other encryption tools should be undertaken.

STEP 1 – Check the Desktop: Perform a close visual inspection of all desktop icons. Note any programs with names like PGP, VeraCrypt, TrueCrypt, BestCrypt or FreeOTFE.

STEP 2 – Check the System Tray: Visually inspect the systray area (usually in the lower right of the screen) to check for icons associated with FreeOTFE.

STEP 3 – Check the Program List: Review the list of installed programs for applications capable of providing encryption. You can see this list under START > PROGRAMS (or All Programs) or in the PROGRAM FILES folder in FILE EXPLORER. Look for names including PGP, VeraCrypt, TrueCrypt, BestCrypt, Jetico, Kremlin, Protector, Shredder, and anything containing the word Encrypt or Crypt.

Any of these programs or icons indicates the presence of an encrypted drive or volume. Photograph these icons and immediately seek the assistance of a trained examiner.

If you complete this triage and do not detect any suspicious items, then disk encryption is likely not present, and you can proceed accordingly.
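A scripted form of the same triage, added here as an example; it is not the post’s procedure or Flashback Data’s code, and it supplements the visual checks rather than replacing them. It parses the text of Windows’ built-in `manage-bde -status` command (a real tool; the sample output below is constructed to match its layout) to find volumes with protection on, applies the volume-name clue from above, and screens desktop, system-tray and program lists against the tool names the three steps list. The three lists and the status text are constructed here; on a live system you would capture them yourself. The decision rule is the post’s: any indicator means photograph it and call a trained examiner.

```python
import re

# Names the post tells first responders to look for in steps 1-3, lower-cased for matching.
# Anything containing "crypt" (which also covers "encrypt") is flagged as well.
ENCRYPTION_TOOLS = ("pgp", "veracrypt", "truecrypt", "bestcrypt", "freeotfe",
                    "jetico", "kremlin", "protector", "shredder")
# Volume-name clues the post mentions.
VOLUME_LABEL_CLUES = ("crypt", "vault", "locked")


def parse_manage_bde_status(text):
    """Turn the text of Windows' `manage-bde -status` into {drive_letter: {field: value}}.

    Volume headers read 'Volume C: [Label]'; the indented detail lines read 'Field: Value'.
    """
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^Volume ([A-Z]): \[(.*)\]$", line)
        if header:
            current = header.group(1)
            volumes[current] = {"label": header.group(2)}
        elif current and ":" in line:
            field, _, value = line.partition(":")
            if value.strip():                      # skip 'Key Protectors:' style sub-headers
                volumes[current][field.strip()] = value.strip()
    return volumes


def triage(bde_status_text, desktop_icons, tray_icons, installed_programs):
    """Return a list of (step, indicator). An empty list means this triage found nothing."""
    findings = []
    for drive, info in parse_manage_bde_status(bde_status_text).items():
        if info.get("Protection Status", "").lower() == "protection on":
            findings.append(("bitlocker", f"{drive}: [{info['label']}] "
                             f"{info.get('Conversion Status', '?')}, {info.get('Lock Status', '?')}"))
        if any(clue in info["label"].lower() for clue in VOLUME_LABEL_CLUES):
            findings.append(("volume-label", f"{drive}: [{info['label']}]"))
    for step, names in (("desktop", desktop_icons), ("systray", tray_icons),
                        ("programs", installed_programs)):
        for name in names:
            lowered = name.lower()
            if "crypt" in lowered or any(tool in lowered for tool in ENCRYPTION_TOOLS):
                findings.append((step, name))
    return findings


def recommendation(findings):
    """The post's decision rule: any indicator means photograph it and call a trained examiner."""
    if findings:
        return "indicators found: photograph them and seek a trained forensic examiner"
    return "no encryption indicator detected by triage"


# --- constructed sample input (not captured from a real system) ---
SAMPLE_BDE_STATUS = """\
Disk volumes that can be protected with
BitLocker Drive Encryption:
Volume C: [Windows]
[OS Volume]

    Size:                 237.88 GB
    BitLocker Version:    2.0
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Identification Field: Unknown
    Key Protectors:
        TPM
        Numerical Password

Volume E: [VAULT]
[Data Volume]

    Size:                 931.51 GB
    BitLocker Version:    None
    Conversion Status:    Fully Decrypted
    Percentage Encrypted: 0.0%
    Encryption Method:    None
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Identification Field: None
    Key Protectors:       None Found
"""
SAMPLE_DESKTOP = ["Google Chrome", "VeraCrypt", "Recycle Bin", "Case Notes.docx"]
SAMPLE_TRAY = ["Volume", "Network", "OneDrive"]
SAMPLE_PROGRAMS = ["7-Zip", "BestCrypt Volume Encryption", "Notepad++", "Microsoft Office"]

if __name__ == "__main__":
    found = triage(SAMPLE_BDE_STATUS, SAMPLE_DESKTOP, SAMPLE_TRAY, SAMPLE_PROGRAMS)
    for step, indicator in found:
        print(f"{step:12s} {indicator}")
    print(recommendation(found))
```

The status parser keeps Conversion Status and Lock Status alongside Protection Status, because a volume reported as Locked is exactly the case where pulling the plug changes nothing, while an Unlocked, protected volume is the opportunity the post describes.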

If you need help with a planned seizure or with forensic data analysis, Contact Flashback Data today. We work with law enforcement and DA’s around the country and provide faster turnaround than your local RCFL or state crime lab.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


Securing Digital Evidence in a Water Emergency

May 8, 2018 | Data Recovery, Digital Forensics | by Russell Chozick

Water and electrical devices do not mix, especially if the device contains valuable data. When you’re on scene in a water emergency, the decisions you make in handling potential digital evidence can have huge impacts down the line in your department’s ability to recover evidence and use it to make a case. We’d like to share a few on-scene tips to help protect digital evidence that may be damaged by water.

How Water Damages Electronic Devices

Before we talk about what to do with a device in water, it helps to understand the two most common ways that water actually damages electronic devices.

Electrical Damage

Water is rarely pure water. It contains dissolved electrolytes, such as sodium chloride (table salt). Pure water is a very poor conductor of electricity, but when it contains ions (sodium and chloride) it can act as a good conductor. So if this ion-laden water, commonly known as tap, coastal, lake, river or sewage water, comes into contact with any electronic device in an ON state, it is going to make connections in places where there should be no connections. This can result in a large current, which in turn damages the circuit.

Corrosion

Corrosion is another problem when water is involved with electronic devices. Corrosion happens with long-term exposure to water. The electrical connections within electronic devices are made of metal. When that metal comes into contact with water, it starts corroding and converting to a non-conducting compound. The additional ions that water contains can speed up this process. If the metal connection between two parts of a circuit is sufficiently corroded, the connection is broken and the electronic device stops working.

What To Do On Scene

The decisions you make on scene in a water emergency can have significant impacts on your department’s ability to recover and analyze digital evidence for future use. We recommend the following steps to help protect the integrity of digital evidence in a water emergency:

1) Assume The Device Was Powered On

Technically, it matters whether a device is in the ON or OFF state when disaster strikes. If the device is OFF, it is very possible that it will work again as long as you dry and clean it sufficiently before turning it on, since dried water can no longer make any undesired connections. This can be done using rice, a solvent, or other methods that absorb or displace the water without leaving anything behind to interfere with the circuit.

Unfortunately, when most disasters or accidents strike, devices found are in an unknown state. It is unknown if the device was originally in the OFF or ON state. The most conservative approach from a data recovery perspective is to assume the device was ON and has short-circuited.

2) If It’s Dry, Keep It Dry

This may sound obvious, but even a well-intentioned effort to wipe down a device with a damp cloth can do permanent damage. If a digital device has dried after a flood, storm or fire, it’s best to keep it dry. Simply get the device as it is to your digital crime lab and make sure they know it may have water damage. If there are contaminants on or inside the media, an accredited crime lab will follow specific protocols when recovering data to address any potential contaminants.

3) If It’s Wet, Keep it Wet

If the device is still wet, DON’T TRY TO DRY IT! Trying to dry a wet electronic device on scene is usually done with the best of intentions, but it’s a mistake from a data recovery perspective. As noted above, it’s not the actual water that does the damage, but the ions and contaminants in the water. If you try to dry the device you may be ensuring that those ions stay in places they shouldn’t be. The most conservative approach is to package the media with a wet towel and immediately send it to the digital crime lab.

4) If It’s Submerged, Keep It Submerged (In Distilled Water)

In a flood emergency, you may find digital devices that are completely submerged. In this situation, don’t try to dry the device. Instead, place the device in a bucket of distilled water and get it to a digital crime lab. Remember that it’s the extra ions from things like salt or other contaminants in the water that damage the device, not the water itself. Distilled water is, by definition, pure water that doesn’t contain the additional ions that can do damage.

It sounds counterintuitive to bring water to a flooded crime scene, but if you need to secure digital evidence during a flood emergency, a few gallons of distilled water could help you make the case.

If you need help recovering digital evidence that may have water damage, contact Flashback Data. We’ve worked with devices damaged by hurricanes, floods, fires and sabotage. We are the first private crime lab accredited under the same specifications as the FBI and state labs. We can help you prepare, recover, analyze and use digital evidence especially in unique and time-sensitive cases.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


3 Questions to Ask When Hiring a Private Digital Crime Lab

March 27, 2018 | Digital Forensics | by Russell Chozick

The 6 to 18 month backlog to process digital evidence at almost every state crime lab and RCFL is forcing law enforcement agencies to consider alternatives, especially for high-profile and time-sensitive cases. Private labs and digital forensics services are available to help, but law enforcement needs to be aware of the differences in working with a public lab and a private lab or expert. Here are the three most important questions to ask a private digital forensics lab or service before you hire them:

1) What accreditation does your lab maintain?

The same third-party organizations that offer accreditation to state and federal crime labs are also available to private labs. This isn’t a question you ever have to ask a state lab, but it’s a “must” before working with any private lab. Maintaining accreditation through a third-party organization, such as ASCLD/LAB-International, ensures that the lab follows specified policies and procedures, validates tools, and keeps its team trained and competent within their field of expertise. Is it possible to get a great forensic analysis from a lab that isn’t accredited? Of course it is, but accreditation makes the evidence much more bulletproof in court.

2) Can I review a sample, redacted findings report?

This is another question you would rarely ask a state lab. They typically have such a high volume of cases that their reports are standardized and can be somewhat limited. With a more manageable case load, private labs are able to conduct more in-depth investigations and provide more detailed explanations of their findings within a report. Always ask for a redacted lab report to review in order to get a sense of the quality of reporting. Of course, quality does not just mean more detail. The report should be clear, concise and easy for a case agent and district attorney to understand. Forensic examiners at private labs frequently testify in court, so it’s also important to ask for the CV of the examiner who will work on your evidence.

3) How much will it cost?

OK, you probably won’t forget to ask this one, but it’s the biggest difficulty of dealing with a private lab. While public labs aren’t free, their cost has already been included in your department’s budget, regardless of how long their backlog is. You’re going to have to fight for some budget authority, even if the payoff is easy to justify with something like reduced surveillance overtime. You should ask the private lab if they have options that can be structured like a budget line item. Many labs have “case work packages” where you pay a fixed amount for a budget year that can be applied to specific cases as needed. The flexibility and fast turnaround times available with private digital forensics labs like Flashback Data offer huge benefits to law enforcement agencies. It’s important to know how and when to engage a private lab in a way that will get your case completed quickly and ensure that any evidence can stand up in court.

If you’re interested in getting the help of a private digital crime lab for better, faster forensic investigation contact Flashback Data.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


Top 3 Mistakes Made On Scene with Digital Evidence

March 20, 2018 | Digital Forensics | by Russell Chozick

Digital devices have become so ubiquitous that virtually every crime scene now includes one or more pieces of digital evidence in the form of a mobile phone, laptop, desktop, tablet or another device. Performing a proper forensic analysis on this type of evidence can take time, but it’s often decisions and actions taken during the initial evidence collection that can make or break the case. In our experience as an outsourced digital crime lab for local, state and federal law enforcement, these are the three biggest mistakes we see made on scene.

1) Failure to Isolate a Seized Mobile Device From Cellular or Wireless Networks

Of course, the purpose of seizing a device is to analyze and investigate the information it contains, but having physical control of a digital device doesn’t mean you automatically control access to the data on that device. If a mobile device can connect to a cellular or wireless network, the evidence it contains is automatically at risk.

Mobile devices are constantly syncing with cloud-based services that store photos, contacts, emails and other documents. While convenient for most uses, these background processes can corrupt or destroy digital evidence.

The greater risk to the evidence is that the device’s owner, or anyone with the right password, can remotely wipe or lock the device. This capability is a standard option on most mobile phones and many computers, and it doesn’t require much technical knowledge to execute.

There are rare instances where you want a seized device to operate as normal for a brief time, but if you seize a device to have it forensically examined, you’ll want to isolate it from cellular, wireless and Bluetooth connectivity as soon as possible. The options for doing this will depend on the status of the device and the details of the case.

If the device is on and accessible, you can simply turn off access to any remote connection by putting the device in airplane mode and turning off wireless and Bluetooth capability.

If the device is on, but not accessible, you have two options. First, you can power the phone down and/or remove its battery. This can alter data on the device, so be careful. The best option is to physically shield the device from receiving RF signals using a Faraday bag or box.

The way to be sure that you make the right choice is to plan ahead. You should expect every seizure to include at least one digital device, and the more options you consider ahead of time, the better prepared you’ll be, and the safer your evidence will be.

2) Powering On a Computer

When a computer is seized, it can be very tempting to turn it on to look for obvious evidence. In some cases of terrorism or other immediate threat, powering on a computer may be necessary. However, there are so many background processes that go on when a computer powers up, that it’s almost always a mistake from the perspective of proper digital evidence handling.

Just think of your own computer. When you log on in the morning, your computer will connect to a network, run a virus check, check for software updates, sync with a cloud-based server, etc. It’s difficult to stop all these things from happening. Even if these processes don’t impact the specific evidence that’s important to a case, the mere fact that the computer is connected to the Internet means that the information is at risk of being remotely deleted or modified.

If a seized computer is off, and you don’t need it on immediately, don’t turn it on.

Digital forensic examiners have special equipment that allows them to access a computer’s storage devices without actually turning the computer on. Some departments have mobile or “field” versions of this equipment in order to conduct an on-scene analysis without corrupting the evidence. If you’re planning a seizure and you’ll need immediate access to the information on a computer or hard drive, plan accordingly to protect the digital evidence.

3) Failure to Identify and Label All Digital Evidence and Derivative Media

The final mistake that we often see relates to improperly identifying and labeling all pieces of digital evidence and their derivative media.

It’s common to seize a desktop computer and think of it as a single device. It’s a computer, right? Wrong. From a digital forensics perspective, every component of that computer that can store data is a separate piece of digital evidence that requires the same level of labeling and chain of custody documentation.

For example, a computer may have 2 internal hard drives and a flash drive connected via USB port. Each of these pieces of media has its own serial number and must be tracked in relation to the seized computer.

Even mobile phones can have multiple storage media, such as expandable storage in addition to the SIM card.

When you seize a computer or other digital device, be aware that it may technically be multiple devices from a forensics perspective, and ensure that each device and its derivative media is properly recorded and secured. The DA will thank you later.

If you’re planning a significant seizure of digital evidence and want the assistance of a private, accredited digital crime lab to ensure the evidence is seized, processed and examined quickly and efficiently, contact Flashback Data.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


Options for Dealing With the Digital Forensics Backlog

January 3, 2018 | Digital Forensics | by Russell Chozick

Law enforcement and prosecutors face a daunting 6 – 18 month backlog to process digital evidence through an RCFL or state computer forensics lab. Unfortunately, the grim reality of public budgets and the explosive growth of digital evidence means that this backlog is not going away any time soon.

The only question is how your department will deal with it.

Option 1 – Do Nothing

You may opt to simply accept that digital evidence will take a long time to forensically examine. If you expect that a cell phone seized in a drug case will take at least six months to process, you won’t expect to get much actionable intelligence from it. The cost in this case is more than just the hassle factor. That intelligence you miss will likely cost you more in surveillance overtime or more investigative resources while you wait for that cell phone evidence to be processed. In future posts, we’ll explore some of the hidden ways that a backlog can cost your department big bucks in terms of overtime or lost opportunities.

Option 2 – Build Your Own Digital Forensics Lab

Many departments can make a case that an in-house digital forensic lab is worth the investment. Creating your own digital forensic lab is a big investment of both money and time. It requires that you have a good understanding of your forensic needs and that you set appropriate expectations about what and when a new lab can actually deliver. At Flashback Data, we’ve worked with lots of law enforcement clients who have chosen to build their own lab. In future posts, we’ll share some of their lessons learned so you don’t repeat their mistakes.

Option 3 – Outsource Your Digital Forensics to a Private Lab

Outsourcing your digital forensics to a private lab can be a quick and effective way to address your backlog, especially for complex, time-sensitive cases. There are a lot of private labs and solo practice examiners out there, and it’s important to choose a partner that is experienced in dealing with law enforcement and has the credentials and accreditation that can stand up to a legal cross-examination.

Flashback Data has been providing outsourced digital forensics services to federal, state and local law enforcement since 2004. Our digital forensics lab was the first private lab accredited under the same standards as FBI and state forensics labs. Our experienced examiners can work with your investigators to help plan, preserve, investigate and examine virtually any digital evidence in any format or condition. Our accreditation and experience mean that we can support our forensic reports through depositions and cross-examination, if necessary.

CONTACT FLASHBACK DATA to get help with your backlog today.

CALL US AT 866-786-5700 FOR A FREE CONSULTATION.


Digital Forensics Hack – $I File Parser – Free Download

December 27, 2017 | Digital Forensics | by Russell Chozick

Digital forensics software has come a long way in providing tools to help digital forensic examiners do their jobs more efficiently. However, when you’re performing hundreds or thousands of examinations per month, you still find yourself doing a lot of repetitive, manual work. The experts at Flashback Data have created a nifty productivity tool to simplify a standard part of almost every digital forensic examination: processing the Recycle Bin for deleted files.

Most digital forensics software can help you find and extract the digital footprints of a deleted file on a Windows computer, but analyzing the most important part of these footprints can be a real bear when there are hundreds or thousands of deleted files. Flashback Data has created a tool to batch process the administrative or “$I” files that a Windows computer creates when a file is sent to the Recycle Bin.

What the Recycle Bin Does Behind the Scenes

When a file is deleted through the Recycle Bin on a computer with the NTFS file system, several things occur. First, the file’s NTFS $MFT entry is updated with a new parent record number: its parent becomes the Recycle Bin instead of its original location. Next, the file is renamed. Instead of the original name it becomes $R followed by six random characters and the original file extension. For example, a file named “dog.txt” could become “$R24E32E.txt”. In addition, a paired administrative file is created. This administrative file starts with $I and then has the same six random characters and the original extension, so the administrative file paired with “$R24E32E.txt” would be “$I24E32E.txt”. These $I files contain a good deal of information, even when the paired $R file has been overwritten.

The $I files contain:

  • The original file’s size
  • The date the file was sent to the recycle bin
  • The original file’s full path

Accessing This Data

There aren’t tools that specifically parse only this information out of these files quickly, which is why we made the Flashback Data $I File Parser. Take all of the $I files for your case (you can use your favorite forensics tool to get these) and put them in a directory. Point the program to it, set an output CSV file and click the “Create CSV” button.

Screenshot of Flashback Data $I File Parser

The program will parse all of the files into a CSV for you with the following fields:

  • $I file name
  • $R file name
  • Size (in bytes)
  • Date (UTC)
  • Original path
  • Original File Name
  • MD5 hash of the $I file

Screenshot of Flashback Data $I File Parser
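The following Python script is an added worked example, not the Flashback Data tool (whose source is not on this page). It does the same batch job: it walks a directory of exported $I files, decodes each one and writes the seven CSV columns listed above. It goes slightly beyond the post by handling both on-disk $I layouts, the fixed 544-byte record written by Vista, 7 and 8 (header value 1, path in a 520-byte null-padded UTF-16LE field) and the variable-length record written by Windows 10 (header value 2, a 32-bit character count followed by the path). The sample record, file names and path are constructed for the example.

```python
"""Batch-parse Windows Recycle Bin $I files into a CSV (example code written for
this page, not the Flashback Data $I File Parser). Handles the fixed 544-byte
Vista/7/8 layout (header 1) and the variable-length Windows 10 layout (header 2)."""
import csv
import hashlib
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V1_PATH_BYTES = 520  # 260 UTF-16LE characters, null padded, in the version-1 record
CSV_FIELDS = ["$I file name", "$R file name", "Size (bytes)", "Date (UTC)",
              "Original path", "Original file name", "MD5 of $I file"]
# Constructed timestamp used by the sample record below (not from a real system).
SAMPLE_DELETED_AT = datetime(2017, 2, 28, 15, 30, 0, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(when):
    """Inverse of filetime_to_utc, exact to the microsecond."""
    td = when - FILETIME_EPOCH
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_i_file(data, i_name):
    """Parse one $I record into the row described in the post."""
    if len(data) < 28:
        raise ValueError(f"{i_name}: too short for a $I file ({len(data)} bytes)")
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw_path = data[24:24 + V1_PATH_BYTES]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)  # count includes the terminating NUL
        raw_path = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"{i_name}: unknown $I header version {version}")
    path = raw_path.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {
        "$I file name": i_name,
        "$R file name": "$R" + i_name[2:],  # the paired $R shares the random suffix and extension
        "Size (bytes)": size,
        "Date (UTC)": filetime_to_utc(ft).strftime("%Y-%m-%d %H:%M:%S"),
        "Original path": path,
        "Original file name": path.rsplit("\\", 1)[-1],
        "MD5 of $I file": hashlib.md5(data).hexdigest(),
    }


def parse_directory(in_dir, out_csv):
    """Parse every $I* file in in_dir, write the rows to out_csv, return them."""
    rows = []
    for p in sorted(Path(in_dir).glob("$I*")):
        try:
            rows.append(parse_i_file(p.read_bytes(), p.name))
        except ValueError as exc:
            print(f"skipping: {exc}", file=sys.stderr)
    with open(out_csv, "w", newline="", encoding="utf-8") as f:
        writer = csv.DictWriter(f, fieldnames=CSV_FIELDS)
        writer.writeheader()
        writer.writerows(rows)
    return rows


def build_sample_i_file(version, size, when, path):
    """Construct a synthetic $I record for testing (not data from a real system)."""
    encoded = path.encode("utf-16-le") + b"\x00\x00"
    head = struct.pack("<QQQ", version, size, utc_to_filetime(when))
    if version == 1:
        return head + encoded.ljust(V1_PATH_BYTES, b"\x00")
    return head + struct.pack("<I", len(encoded) // 2) + encoded


if __name__ == "__main__":
    # usage: python i_parser.py <directory of $I files> <output.csv>
    parse_directory(sys.argv[1], sys.argv[2])
```

The MD5 of each $I file is recorded so the row can be tied back to the exact artifact in the image, and the deletion time is emitted in UTC because FILETIME is stored in UTC; convert to local time only when the report needs it, and say so in the report.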

You can download this tool here (UPDATED VERSION 2/28/17 – V0.95). Good luck!

If you need a more in-depth forensic analysis of your data, please CONTACT US for a free consultation or CALL US AT 866-786-5700.

3 Critical Mistakes To Avoid When Hiring A Digital Forensic Examiner

December 20, 2017/in Digital Forensics /by Russell Chozick

If you’re looking to hire a digital forensic examiner to address the backlog in your crime lab, we have a few tips to help you avoid making a bad hire. We’ve been in the business for 17 years, have hired over 50 examiners, and have interviewed hundreds more.

Here are our top 3 things to avoid:

1. HIRE THE IT GUY.

Obviously, a digital forensic examiner must be extremely knowledgeable and comfortable working with technology. However, technical skills are probably the part of the job that is easiest to learn. A great forensic examiner needs excellent written communication skills in order to prepare a clear report that a non-technical officer, attorney or judge can understand. He or she may also need to appear in court to defend the evidence, so strong presentation skills are also a must.

2. CERTIFICATIONS ARE NOT THE SAME AS ABILITIES

There is a big difference between certifications, qualifications, and abilities. In our experience, some of the worst digital forensic examiners have almost every certification available but lack the ability to tie the objectives, investigation, report and testimony together into a successful case. On the other hand, we’ve seen examiners with fewer than two certifications and seemingly limited qualifications who can easily lay the foundation for the evidence through a clear, meticulous report and then support the results in plain, easily understood testimony that carries weight in court.

3. KNOWING HOW TO USE FORENSIC SOFTWARE IS DIFFERENT FROM KNOWING HOW IT WORKS

Avoid examiners who are only experts at operating forensic software. We call these “button pushers” and we’ve developed a rule of thumb for identifying them. If a CV or email signature lists only the acronyms “EnCE” or “ACE”, we know we need to dig deeper. These are vendor certifications (the EnCase Certified Examiner from Guidance Software and the AccessData Certified Examiner for FTK) that attest the examiner is well versed in operating that vendor’s software. They do not imply that the examiner knows how the software works under the hood or understands its strengths and weaknesses. In addition, a good examiner may need many different software tools for a single case. If a candidate’s credentials rest only on the ability to operate a few products, it won’t take much complexity for that person to be in over his or her head.

WHAT TO LOOK FOR

Enough of what NOT to do, here are the three key attributes we look for in every examiner we hire at Flashback Data:

Meticulous – A great examiner must be meticulous about what they see, do and conclude. What data is there? What data is supposed to be there? What data is not there? Once the examination begins, a great examiner must note every action, communication and line of reasoning in the case file so the work can be reproduced if necessary. A great examiner must also report findings, large and small, as accurately as possible.

Resourceful – Very few cases can be completed with a cookie-cutter approach. A great examiner must understand the needs of the case, and be able to use the specific hardware and software tools the case demands. A great examiner must also know when to ask for help from peers in the industry.

Presenter – Digital forensics can be highly technical, and a great examiner must be able to translate that complex process into a simple report that can be understood by a 6th grader. A great examiner must also be able to present well, be sharp, appear confident and well mannered, yet have the discipline not to overstate their findings or boast in court.

If you are relying on certifications, make sure one of them is the CFCE (Certified Forensic Computer Examiner, issued by IACIS). This certification focuses on the examination process rather than on one or two tools.

If finding and interviewing digital forensic examiner candidates is wearing you out, CONTACT FLASHBACK DATA. We have highly credentialed examiners with years of experience in complex cases. Our turnaround time is usually measured in days instead of months or years and our digital crime lab is accredited under the same program as the FBI and state crime labs.

GET HELP TODAY! CALL 866-786-5700 FOR A FREE CONSULTATION!

3 Words Never To Use When Talking About Digital Evidence in a Courtroom

December 13, 2017/in Digital Forensics /by Russell Chozick

At work, a “copy”, “ghost” or “mirror” of your data can help you collaborate with coworkers or quickly recover a lost or corrupted file.

In a courtroom, any of these three terms can get you into trouble.

WHAT EXACTLY ARE YOU COPYING, GHOSTING OR MIRRORING?

The trouble arises from what exactly is being copied. Most ways of copying, ghosting or mirroring a drive capture only the “allocated data”: the files the operating system currently tracks and can readily find on the drive. The problem is that allocated data is only part of the story, and the rest is typically not part of a copy, ghost or mirror of a device. This is where you can get into trouble in court when using these terms.

Drives also hold “unallocated data”, what most operating systems call “free space”. Unallocated space can contain remnants of deleted files, old log entries, Internet history fragments and other data the file system no longer tracks. It can be a treasure trove of evidence for forensic examiners, especially in cases where someone may have tried to destroy, delete or tamper with digital records. If a copy, ghost or mirror of a drive is introduced as evidence in court, it may not include this valuable unallocated data.

“VERIFIED FORENSIC IMAGE”

Instead of using a copy, ghost or mirror, digital forensic examiners use what is called a “verified forensic image” when working with and presenting digital evidence.

A forensic image is a bit-for-bit copy of all the 1s and 0s in every sector on a piece of media (hard drive, flash drive, etc.), including both allocated and unallocated data.

An examiner “verifies” a forensic image by comparing the “hash value” of the image to that of the original. A hash value is a fixed-length number computed from every byte on the drive by a cryptographic hash function such as MD5 or SHA-256; changing even a single bit produces a different hash, so for all practical purposes the hash identifies the data on that drive. If the hash of the image matches that of the original, the image is a “verified forensic image”. Because MD5 collisions can be constructed deliberately, many labs record a second hash (SHA-1 or SHA-256) alongside it so the verification does not rest on one algorithm.
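The following Python script is an added example written for this page, not a commercial imager: it streams a source (a block device or an existing image file) into a destination while computing MD5 and SHA-256 over the data as it is read, then re-reads the destination and compares both hashes and the byte count, which is the verification step described above. It also contrasts a file-level “copy” with a sector-level image on a constructed eight-sector toy drive, to show concretely why the unallocated half of the drive survives in one and not the other. The toy drive contents, file names and sizes are all constructed for the example.

```python
"""Acquire a source into a destination while hashing the stream, then re-read the
destination and compare: a "verified forensic image" in code. Example code written
for this page, not a product's imager."""
import hashlib
import io
import sys

CHUNK = 1024 * 1024  # read size; large enough to keep the source streaming
SECTOR = 512


def hash_stream(src, sink=None, chunk=CHUNK):
    """Read src to EOF, feeding MD5 and SHA-256 and optionally copying to sink.
    Returns (md5_hex, sha256_hex, bytes_read)."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    total = 0
    while True:
        buf = src.read(chunk)
        if not buf:
            break
        md5.update(buf)
        sha.update(buf)
        total += len(buf)
        if sink is not None:
            sink.write(buf)
    return md5.hexdigest(), sha.hexdigest(), total


def image_and_verify(src, dst, chunk=CHUNK):
    """Copy src to dst, then verify dst against the hashes taken while reading src.
    dst must be readable and seekable (a file opened 'wb+', or a BytesIO)."""
    acq_md5, acq_sha, n_read = hash_stream(src, dst, chunk)
    dst.flush()
    dst.seek(0)
    ver_md5, ver_sha, n_written = hash_stream(dst, None, chunk)
    return {
        "bytes": n_read,
        "md5": acq_md5,
        "sha256": acq_sha,
        "verified": (acq_md5, acq_sha, n_read) == (ver_md5, ver_sha, n_written),
    }


def build_toy_drive():
    """Constructed sample, not real disk data: 8 sectors. Sectors 0-3 hold a live
    file; sectors 4-7 are unallocated but still carry a deleted file's remnants."""
    live = b"quarterly report, final version".ljust(4 * SECTOR, b"\x00")
    deleted = b"DELETED DRAFT with the original figures".ljust(4 * SECTOR, b"\x00")
    return live + deleted, len(live)  # (drive bytes, allocated byte count)


def copy_vs_image():
    """Contrast a file-level 'copy' (allocated data only) with a verified image."""
    drive, allocated = build_toy_drive()
    file_copy = drive[:allocated]  # what copy/ghost/mirror tools carry over
    dst = io.BytesIO()
    result = image_and_verify(io.BytesIO(drive), dst)
    return {
        "image_verified": result["verified"],
        "image_bytes": result["bytes"],
        "copy_bytes": len(file_copy),
        "copy_matches_drive_hash": hashlib.sha256(file_copy).hexdigest() == result["sha256"],
        "deleted_text_in_copy": b"DELETED" in file_copy,
        "deleted_text_in_image": b"DELETED" in dst.getvalue(),
    }


if __name__ == "__main__":
    # usage: python image_verify.py /dev/sdX image.dd   (source behind a write blocker)
    with open(sys.argv[1], "rb") as s, open(sys.argv[2], "wb+") as d:
        print(image_and_verify(s, d))
```

Hashing both as the source is read and again as the destination is re-read is what turns a copy into a verified image: the two values, with the byte count, belong in the acquisition notes. The script demonstrates the verification logic only; it does not replace a hardware write blocker or a validated imager, and on real hardware the sector count reported by the drive should be compared with the bytes read so a short read is not mistaken for a complete image.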

USE IN THE COURTS

In contentious cases or those that involve attempts to destroy or tamper with evidence, using digital evidence that is based on a “copy”, “ghost” or “mirror” of an original drive is an invitation to have that evidence declared inadmissible. Using a “verified forensic image” can avoid these traps in the courtroom.

If you’re concerned about your department’s ability to manage complex digital evidence in ways that will hold up in court, CONTACT FLASHBACK DATA. Our digital crime lab is accredited under the same program as the FBI and state crime labs. We can help you plan, gather, protect, examine and defend almost any form of digital evidence.

GET HELP TODAY! CALL 866-786-5700 FOR A FREE CONSULTATION!
