I do not think that word means what you think it means

“I do not think that word means what you think it means”

– Inigo Montoya, The Princess Bride

As with any other scientific specialty, computer investigations have their own lexicon of ideas and terms. Many of them are foreign enough that a layman will require an explanation just to understand them, but several are words with which most people will be familiar that have a distinct meaning in the context of forensic examination of electronic evidence.  Some of these are outlined below.


Image

Both the everyday meaning, “a picture”, and the forensic meaning are used. The forensic term “image” refers to a forensically sound capture of evidence into a file format that allows for examination. It is an exact duplicate of the original device’s data, in a new format. “Bob took an image of the hard drive and then photographed an image of the computer from which it came.”


Acquire

Typically not used by experts in the traditional sense of “to obtain”, but rather in the forensic sense of “to obtain an image of” (see above). When an expert says that they “acquired the hard drive”, they normally mean that they made a forensic image of it, not that they got their hands on it.


Hash

Not the fried potatoes you have for breakfast, but a mathematical function used to produce the unique fingerprint of a file.  “I compared the hashes of the two files and determined they were identical.”


Accessed

This is a particularly troublesome term.  In computer forensics, this indicates that the computer has ‘touched’ the file in some way, whether by a user or by the computer’s own internal programs.  Files are often “accessed” by things like virus scanners that occur without the user’s knowledge.  This is in distinct contrast to the layman’s concept of “accessed” on a computer – meaning a user interacted with a file, by opening it, for example.


Viewed

Like accessed, this term can be confusing and is often the source of misunderstanding by non-experts.  If an expert says that a web page is “viewed” they mean that it was loaded in a browser.  It does not necessarily indicate that human eyes saw the whole page – or indeed that any of it was actually seen.  Forensic analysis can sometimes give strong indications that a page was actually seen by human eyes – perhaps by showing that information on a page was followed by a web search of that information, or that a link in a page was clicked on – but ultimately, there is no incontrovertible evidence that a human being has “viewed” a web page on the computer.


Deleted

When we think about the phrase “deleted files” most of us think of this as an intentional action.  We imagine a user selecting some files and dragging them to the Recycle Bin or hitting their Delete key.  In actuality, information can often be deleted by the normal operation of the computer, as is the case with Temporary Internet Files.  It is therefore important that the understanding of the term “deleted” and its usage in a particular situation be well-defined.

As you can see from these few examples, when using precise terms of art in a legal setting, it is crucial that the speaker and the listener both understand the term in the same way.  Ensuring this is the case is one of the keys to a successful computer forensic examination.




The Whole Truth

We have all heard the words: “Do you swear to tell the truth, the whole truth, and nothing but the truth.” But what does that mean today? Drug companies write thousands of pages of disclaimers, and public servants lie about extramarital affairs all the time. So what is “the truth”?

I recently had a case where my client’s computer was placed under a preservation order by the courts. He was prohibited from deleting any files on his computer. He was accused of having many files that he was not supposed to have, therefore the opposing counsel ordered a complete forensic examination of his computer, and asked me to provide them with a copy of my evidence files.  My client asked me to look for any deleted files, or files that he was “not supposed to have.” I performed a forensic examination of his computer hard drives and found nothing of interest and no evidence that he had deleted anything.

On a Sunday night, after I had done my examination, I received a frantic call from my client. Opposing counsel’s forensic computer expert had written a report stating that he had found considerable proof that my client had deleted “hundreds of files.” My client emphatically maintained that he had not deleted anything, so I reassured him that I would look into the report from the opposing expert.

The opposing expert stated that he had found an “Evidence Eliminator” on my client’s computer which was used to destroy hundreds of files. I was shocked; I had done a thorough examination and had found no evidence of malfeasance. I felt confident that my client had not deleted any files. I quickly returned to my exam machine and re-opened the case.

The first thing I found was there were indeed around seven hundred files that had been deleted.  How could I have missed that?  I then looked for a file mentioned in the opposing expert’s report called, “SymEraser,” and to my astonishment there it was, as we say in Texas, “Bigger than Dallas!” Wow, I started to believe that I had failed my client. Before I lost all hope that I was doing my job properly, I quickly ran a Google search for “SymEraser.”

I discovered that “SymEraser” is a file included in Norton Antivirus, Symantec Antivirus, and various other Norton and Symantec packages that include antivirus software.  It was not an evidence eliminator; it was a virus eliminator. OK, that’s not too bad, I thought, but what about all those files? There were definitely hundreds of deleted files. I re-examined them. They were all deleted from a folder called “virdef.” They were in fact Virus Definition files. My client had not deleted them; Norton Antivirus had deleted them when it had updated the computer to a newer set of definitions! This was not the blatant act of a human, but rather an automatic function of a piece of software.

I had done my forensic examination and had not found anything malicious or suspect. The opposing side’s expert had done his examination and had found quite a lot. So what was the truth? The truth was that files were deleted during a time that my client was not supposed to delete files. The truth was that there is a software program called SymEraser, which eliminates things. That was the truth.  Fortunately for my client, it was not the whole truth!


A Digital Forensics Primer

A little understanding of electronic evidence and digital forensics goes a long way. Because there are some terms of art that mean one thing to a forensic investigator and another to a layperson, it is important that you familiarize yourself with a bit of the lexicon before engaging a digital forensics firm.  This primer will help with the most commonly misunderstood terms.


Acquisition

When we talk about acquiring evidence in forensic investigations, we aren’t talking about receiving it.  An art dealer may say “I acquired a rare Picasso while in London” – meaning he took possession of it.  When a digital investigator talks about “acquisition”, they mean obtaining a forensically sound copy of the evidence.  This may be either an “image” or a “clone” – both defined below.


Image

When we talk about an image, we are talking about a bit-by-bit copy of the source material into a file (or series of files) to be used in the investigation.  The image files are not accessible without specialized software and some popular formats support compression and encryption.  You may hear images talked about in “flat-file” format – where a 20GB drive produces a 20GB file, which can also be split into segments for more convenient storage.  All popular e-discovery and forensics platforms can read flat files.  You may also hear about “EnCase” or “E01” files.  These are a compressible, encryptable format for use in Guidance Software’s EnCase investigation software.  Accessing an image does not modify the data it contains and no specialized hardware is needed.


Clone

A clone is a copy of one hard drive to another.  It is readable in the same way the original drive is and can be put in an enclosure and connected via USB for perusal.  It is not uncommon to create both an image for the forensic investigator and a clone for the client to look through.  A clone will be modified if it is not accessed through specialized hardware that prevents writes to the disk (a write-blocker).


Hash

Not the shredded potatoes, but a mathematical function used to fingerprint a digital file or disk.  The most popular are MD5, SHA-1 and SHA-256.  You may hear some discussion of MD5 and SHA-1 being “broken” – but this vulnerability is mostly theoretical insofar as its application in e-discovery.  The “weakest” of the three – MD5 – only has a 1 in 340 trillion trillion trillion chance of being inaccurate.  By comparing hash values, we can identify matching files very quickly.  We can also use a hash to verify that data has remained unchanged by comparing the original hash value with the current one.
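As an added example (not code from the original post), here is how the two uses of hashing described above look in Python: a one-pass chunked hasher that produces MD5, SHA-1 and SHA-256 for an image read as a stream, a duplicate finder that groups files by digest, and an integrity check that compares the digest recorded at acquisition with the digest of the data now. The file names and contents are constructed for the demonstration.

```python
import hashlib
import io

ALGORITHMS = ("md5", "sha1", "sha256")


def hash_stream(stream, chunk_size=1 << 20):
    """Compute MD5, SHA-1 and SHA-256 of a file-like object in a single pass.

    Reading fixed-size chunks keeps memory use flat, so the same function works
    for a 20 GB flat-file image as for a small document.
    """
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    while True:
        block = stream.read(chunk_size)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data))


def verify_unchanged(recorded_digest, data, algorithm="sha256"):
    """Integrity check: does the data still hash to the value recorded at acquisition?"""
    return hash_bytes(data)[algorithm] == recorded_digest


def find_duplicates(files, algorithm="sha256"):
    """Group file names by content digest; only groups with two or more names are returned.

    `files` maps a name to its bytes.  Identical content gives identical digests
    regardless of file name, path or timestamps.
    """
    groups = {}
    for name, data in files.items():
        groups.setdefault(hash_bytes(data)[algorithm], []).append(name)
    return {digest: names for digest, names in groups.items() if len(names) > 1}


# Constructed sample "files": two identical copies under different names and a
# third that differs by a single byte.
SAMPLE_FILES = {
    "memo.txt": b"Q3 numbers attached.",
    "memo (copy).txt": b"Q3 numbers attached.",
    "memo_edited.txt": b"Q3 numbers attached!",
}


def demo():
    """Acquire, record, verify, then tamper; returns what a report would note."""
    image = b"".join(SAMPLE_FILES.values())          # stands in for a drive image
    recorded = hash_bytes(image)["sha256"]            # value written into the acquisition log
    tampered = bytearray(image)
    tampered[0] ^= 0x01                               # flip a single bit
    return {
        "duplicates": find_duplicates(SAMPLE_FILES),
        "image_verifies": verify_unchanged(recorded, image),
        "tampered_verifies": verify_unchanged(recorded, bytes(tampered)),
    }


if __name__ == "__main__":
    print(demo())
```

Reading in chunks matters for real images: a 20GB flat file should never be loaded into memory whole. For matching in e-discovery, grouping by SHA-256 sidesteps even the theoretical collision concerns raised about MD5 and SHA-1, while the other two digests are still recorded because many existing hash sets and reports use them.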


Carving

Carving is the process by which deleted files can be recovered long after the computer’s file system has forgotten about them.  You may also hear this referred to as “raw recovery.”  Most files have a defined structure.  By searching through the media for this “file signature” it is possible to recover fragments of files or even entire files years after they were deleted.

Unallocated Space

When you save a file to disk, the computer makes an “allocation” of space on the disk for that file.  When you delete that file, the entry corresponding to it is removed from the allocation table.  That space is now unallocated.  Unallocated space is that area of the disk that the file system has marked as available for use.  It is often possible to recover hundreds or thousands of files from unallocated space.


Slack Space

The storage area of a disk is divided into units called clusters.  Files start at the beginning of a cluster for ease of organization.  If a file is not precisely a whole number of clusters in size (a rarity to be sure) then there will be some space left between the end of the file and the beginning of the next cluster.  This is slack.  It is possible that remnants of a previous file will be readable from slack space on a disk.


Metadata

Metadata is simply “data about data.”  There are two types commonly referred to:  filesystem metadata and program metadata.  Filesystem metadata includes the security permissions, dates of last access, last write and creation and whether a file is hidden, compressed or archived.  Program metadata is information written into a file by an application.  In the case of Microsoft Word, this can include the Author, Organization, Date of Last Printing and even a journal of changes and commentary in a collaborative document.


Wiping

Also called sanitizing, scrubbing, erasing, zeroing and many other things, wiping a drive involves overwriting every location on the drive with new information.  Because each location can only contain one value at a time, overwriting renders the previous data unrecoverable.  As many of my colleagues and I have been saying for quite some time, regardless of what old wives’ tales you may hear, a single-pass overwriting of data renders it permanently and irrevocably unrecoverable.  You may hear of three-pass, seven-pass and even thirty-five-pass erasure.  This is unnecessary overkill.  One pass is sufficient to defeat all known methods of data recovery.
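The four ideas above (carving by file signature, unallocated space, slack space and single-pass wiping) can be watched working together on a toy disk. This is an added example, not code from the original post: it models a tiny disk with 512-byte clusters and a simple allocation table (sizes assumed for illustration), saves a constructed PNG-shaped file, deletes it, carves it back out of unallocated space, shows the remnant left in the slack of a smaller file that reuses the first cluster, and finally overwrites the whole disk once to show that the carver then finds nothing. The PNG and JPEG header/footer bytes are the real ones; everything else is constructed.

```python
import math

CLUSTER = 512          # bytes per cluster (assumed; real file systems use 4 KiB or more)
NUM_CLUSTERS = 16      # an 8 KiB "disk" is plenty for the demonstration

# Header/footer byte sequences used for carving (the real PNG and JPEG markers).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
}

# Constructed sample: a PNG-shaped file of 716 bytes, so it occupies two clusters
# and leaves the tail of its second cluster as slack.
SAMPLE_PHOTO = SIGNATURES["png"][0] + b"PIXELDATA-" * 70 + SIGNATURES["png"][1]


def clusters_for(length):
    """Number of whole clusters a file of this length occupies."""
    return math.ceil(length / CLUSTER)


class ToyDisk:
    """A flat byte array plus an allocation table mapping names to (first cluster, length)."""

    def __init__(self):
        self.media = bytearray(CLUSTER * NUM_CLUSTERS)   # factory-fresh: all zeros
        self.table = {}

    def used_clusters(self):
        used = set()
        for start, length in self.table.values():
            used.update(range(start, start + clusters_for(length)))
        return used

    def save(self, name, data):
        """Allocate the first run of free clusters long enough and write the data there.

        Writing starts at a cluster boundary; bytes of the last cluster beyond the end
        of the data are left untouched, which is exactly how slack space arises.
        """
        needed = clusters_for(len(data))
        used = self.used_clusters()
        for start in range(NUM_CLUSTERS - needed + 1):
            if used.isdisjoint(range(start, start + needed)):
                offset = start * CLUSTER
                self.media[offset:offset + len(data)] = data
                self.table[name] = (start, len(data))
                return start
        raise OSError("toy disk full")

    def delete(self, name):
        """Deletion removes only the table entry; the clusters keep their contents."""
        del self.table[name]

    def unallocated(self):
        """Concatenate every cluster the table does not claim."""
        used = self.used_clusters()
        return b"".join(
            bytes(self.media[c * CLUSTER:(c + 1) * CLUSTER])
            for c in range(NUM_CLUSTERS) if c not in used
        )

    def slack(self, name):
        """Bytes between the end of a file and the end of its last cluster."""
        start, length = self.table[name]
        file_end = start * CLUSTER + length
        cluster_end = (start + clusters_for(length)) * CLUSTER
        return bytes(self.media[file_end:cluster_end])

    def wipe(self):
        """Single-pass overwrite of every location with zeros, then forget the table."""
        self.media[:] = bytes(len(self.media))
        self.table.clear()


def carve(region):
    """Scan a byte region for known headers and cut out to the matching footer."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := region.find(header, pos)) != -1:
            end = region.find(footer, start + len(header))
            if end == -1:          # header with no footer: only a fragment; stop for this type
                break
            end += len(footer)
            found.append((kind, region[start:end]))
            pos = end
    return found


def demo():
    """Walk through save, delete, carve, slack and wipe; returns the observations."""
    disk = ToyDisk()
    disk.save("photo.png", SAMPLE_PHOTO)
    disk.delete("photo.png")
    carved = carve(disk.unallocated())          # the whole photo comes back
    disk.save("note.txt", b"grocery list")      # 12 bytes reuse cluster 0
    remnant = disk.slack("note.txt")            # tail of the photo is still there
    disk.wipe()
    after_wipe = carve(bytes(disk.media))       # nothing left to carve
    return {
        "carved_intact": carved == [("png", SAMPLE_PHOTO)],
        "slack_has_remnant": b"PIXELDATA-" in remnant,
        "carved_after_wipe": after_wipe,
    }


if __name__ == "__main__":
    print(demo())
```

Two things the walk-through makes visible: a deleted file is intact until something reuses its clusters, and once the first cluster is reused the file's header is gone, so a signature scan of unallocated space no longer finds it even though most of its bytes survive as slack and in later clusters. The model reflects a magnetic drive, where each location holds exactly one value and a single overwrite of every addressable location is enough; on flash storage with wear levelling the controller remaps writes, so sanitizing must go through the drive's own secure-erase facility rather than writing over the file system.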


How Not to Be Subtle

We recently received a hard drive turned over by a former employee of our client. The drive would not work and had been sent in for data recovery. Indeed, when we brought it into the lab, the drive was not powering on. It was time to do a little investigation.

Examining the drive connectors, we noted some deep scoring on the connectors that was not consistent with any accidental scratches we might expect to see if a drive had been improperly disconnected. A photograph of the scratches can be seen at right. The scratches have been marked in the right-hand frame.

Having determined that there had been some deliberate and intentional damage done to the drive, we continued to investigate – this time, with a keener eye for other intentional damage that may have been inflicted on the drive.

When we removed the logic board, there was very apparent damage to the connecting pins.  Several were bent in odd directions and folded over.

There was also significant strike damage to the plastic housing the pins sit in, with a chunk missing and a large abrasion on the outward-facing edge.

We also noted some chipping of the metal in the area adjacent to the damage on the pin housing.  The damage was consistent with a small screwdriver, like one might have in an eyeglass repair kit, being slid underneath the logic board and repeatedly being rammed back and forth.

Turning over the logic board and inspecting the area which contacts these now-bent pins under a microscope was startling.  It confirmed our hypothesis regarding the damage.  The strike path of the screwdriver is defined by the scrapes on the soft board and the chipping away of the thin metal on the pin contacts.  Here we see at least four distinct strike paths, which caused a great deal of damage to the logic board.  With these contacts damaged, the drive’s internal hardware would be unable to connect to the processors on the board.

More inspection of the logic board indicated that not only had some circuit paths been severed, but an entire resistor had been violently snapped off and gone missing!  There was also pin damage on the semiconductor (seen at left – follow the arrow marked “path of screwdriver” all the way to the large chip and note the damage in a straight line across the entire board.)

That settled it.  This board would never work again.

But wait!  Our database indicated we had a similar drive in our parts inventory.  A quick check indicated a perfect match.  Ten minutes later, we began forensic imaging of the drive evidence.  Not only had the former employee left mounds of evidence regarding intentional destruction of evidence, but it hadn’t actually gained him anything.  The recovery was 100% successful and productive and our client has even more evidence to use against the former employee in court.

crime scene


They say you always remember your first one.

The deceased was brought into the lab and laid out on a cold, hard table. Instruments were laid out on the table beside them, some eerily familiar and others strange and arcane. In a few moments, we were inside, looking at the innards that held the secrets to the end of a life cut short. What had happened that had struck this one down in his prime? Who was responsible?

A few minutes’ work and the major organs were out, sent on for further examination. All that was left was a shell – nothing left of what made this one glow in life.

Into the lab we went. Here, the organs had been hooked up to all manner of odd devices by a multitude of wires. Electricity coursed through the leads and the organs began to stir!  A scientist sat nearby, making notations on a pad about each item. Soon, each organ was functioning as it had in life. What story would they tell? Would we find the perpetrator of this dastardly deed? Would the victim have their revenge from beyond the grave?

They had separated the brain into its sections: short term memory here, long term there, thoughts over here, auditory center here, visual center there. Such a complex device! The long-term memory was connected through several wires into a box. From the box, another long wire led into a computer.

As the monitor began to flicker into operation, the most wondrous thing occurred! There before me on the screen were the victim’s memories! Here, we could see the moment of birth; over here were memories of a youth spent playing games with a close friend. The mood darkened. I saw memories of the friend – more sinister-looking now – involving our dear departed in some nefarious scheme. There were forged letters written, accounting entries backdated, fraud, deception and theft. The poor victim had no idea he was being used, so blindly he trusted his friend.

Our victim had been trusting, but he had not been a fool. All along, he had kept a journal. And oh what a journal it was! Every detail of his day had been written out in explicit detail. Every time the villain forged a letter, the true circumstances had been dutifully recorded in the journal. Every backdated document had its true date exposed. The minutiae of life were laid out truthfully, recorded simply for the sake of having an accurate record. I think his friend had realized it at some point. Unable to determine the location of the journal, he had instead decided to eliminate the journaler.

The fiend had turned on him. He had injected a deadly virus in hopes of destroying his memory. He had prattled on about all manner of bland things in an attempt to make the victim forget about what he had seen. He reset the clocks constantly – I suppose to drive him mad, or to confuse his journaling. Eventually, it came to violence – the trauma to the brain had been severe, leading to a quick and messy end.

Yet, our hapless victim was steadfast to the last. Each event was recorded with the same clarity, scribing a horrific story of the destruction of a faithful friend through the machinations of one who had fallen to a life of lies.

The trial was short. The entries in the journal peeled back the veneer of lies that had been presented by the defense in the case. In the end, the jury realized that the defendant had betrayed his faithful companion to cover up his crimes. He had taken advantage of the trust they had established and tried to use it against him. The evidence was overwhelming and irrefutable.

“Guilty,” the foreman intoned solemnly, “of capital spoliation resulting in the death of a Dell Inspiron laptop.”

You always remember your first one, they say. I sure remember mine.




About Specialization

The professions of medicine and law are somewhat similar: they are expensive, often painful and we hope we feel better when the procedure is over than we did when we started.

Suppose one day you went to the dentist for a filling and while you were there, you mentioned that you were scheduled for heart surgery the next week.  If he told you that he could perform your bypass, would you take him up on the offer?

In medicine, most people understand the idea that specializations exist and why.  Medicine is a complex field and it makes sense to choose someone whose expertise relates to your particular problem. It’s not a question of whether your doctor knows what to do to fix your problem, but rather whether he knows what to do when things don’t go as planned.

It’s interesting that this same attitude does not always translate over to the law – and specifically to the field of digital examinations. Too often we are called in to clean up a botched examination after unqualified people have “had a go” at developing evidence on a computer or mobile phone.

The field of e-discovery has many specializations. Some of these are equipment-based: tape restorations, outdated discs, rare or arcane operating systems or applications. A vendor won’t be able to perform in these cases because they lack the ability to connect your data to the platform they use for processing.  It is when the specialization is knowledge-based, as with digital forensics, that we run into a particularly dangerous issue.

In order to properly handle, acquire and view a hard drive or other devices, some specialized hardware and software is necessary. The baseline cost for a capable complement of equipment is around $10,000 – a sum that is within reach for almost every business. As a matter of fact, there are many people who advertise digital forensics services with little more than the baseline equipment, a week of classroom training and no practical experience in either computers or investigation.

Why has this happened? The answer is simple:  businesspeople saw a revenue stream that they were not tapping and looked into “what is necessary” to conduct an examination on a digital device.  That week-long basics course allows them to speak about the field as if they understand it (and to sound like an expert to someone who knows nothing about the field), while the equipment adds the rarified air of being a “specialist” whose toolkit contains mystical and unusual devices.

Some examinations may be extremely simple and straightforward.  The computer has not been tampered with or mishandled, no evidence is hidden and the investigation requires no analysis or conclusions.

When a novice conducts these types of examinations, the entire process may go smoothly – adding to their client’s perception of them as an expert.  Many times, no testimony is required – or if there is testimony, no opposing expert exists to counter it.

What happens when the examination is not so straightforward?  What if the system clock was changed to backdate documents?  What if key evidence has been securely erased with a third-party application?  What if you need to correlate evidence among several related devices?  These are not investigative results you can achieve with the press of a button, or after a week’s tutoring.  Many times, modification or manipulation of data will go completely undetected by an unskilled investigator.

Another key function of an experienced professional investigator is to provide some context for the investigation.  Let us suppose that there is evidence of backdating of the system clock and it is detected.  Knowing how frequently backdating occurs in similar cases suddenly becomes vitally important.  Being able to state in court that an event is rare, based on your personal knowledge over hundreds of examinations and your discussions with other recognized experts in the field is much more powerful than saying it’s rare because you heard it in a class last week.

Being able to conduct complex analysis and provide expert opinions are hallmarks of the professional digital investigator – not the use of a particular tool or program.  Anyone can buy a hammer, but owning a hammer doesn’t make you a carpenter.

When you have important evidence on a computer or cell phone, being able to evaluate your options early can save a mountain of heartache down the road – contacting an expert first and getting an idea about the complexity and difficulty of the case will allow you to choose the best path for your investigation and to ensure that you make the best use of every dollar you spend.



The World’s Most Sophisticated Software

There is a tendency in the electronic evidence field to lose sight of the fact that, although the battleground is different, the way the war is fought is the same.  Electronic discovery motions are still discovery motions, destruction of electronic evidence is still spoliation and computer forensic investigations are still investigations.

Because of the jargon in the field and the general aura of complexity that surrounds computers, it’s not unusual in the electronic discovery industry to get tunnel vision regarding data and fail to get the bird’s-eye view of the case.

A law firm doesn’t “process some documents” – they review them. A large body of evidence is sorted in a specific way: duplicate items are cast off early in the review by people without any particular expertise in the law or the case. As the body of evidence becomes smaller, the difficulty of review goes up. More knowledgeable reviewers filter out irrelevant documents, further reducing the data. Finally, a reviewing attorney conducts a review, using their knowledge of the law and the details of the case to determine the relevancy and importance of documents and how they fit into the case. A meticulous review will often uncover facts that were previously unknown – often facts that nobody was even looking for.

In many cases, the tendency to view electronic discovery as a machine – hard drives go in this side, PDFs come out that side – does a great disservice to the e-discovery industry and the legal field as a whole. That is not to say document processing is not good – indeed, it’s vital to be able to quickly bring terabytes of data under control and extract relevant, reviewable evidence. It’s the industry’s growing reliance on software rather than people that is dangerous.

A computer’s greatest strength is also its greatest weakness: it does exactly what it is told to do. Tell a computer to determine if “akshul” is spelled correctly and it will search through a dictionary, apply some criteria common to English and ask if we mean “actual” instead. This is the strength in computing.  Regardless of the spelling ability of the operator, the computer knows the right answer.

However, ask a computer to correct this phrase: “eye sea ewe” and it will pass it on as perfectly spelled. Here is where the fault of over-reliance on software lies.  Even a schoolchild can identify this as out of place and interpret it correctly, but the computer simply does what it’s told to do: check each word and if it’s correctly spelled, move on.

Sophisticated software exists to mitigate some of these issues. “Fuzzy searching” allows you to enter keywords and returns hits that are “close” to what you’re searching for – perhaps a keyword was spelled wrong, with two letters reversed.  Fuzzy searching will return this as a possible hit for review. There is also software that uses “conceptual searching” – looking for ‘law’ also produces hits relating to ‘legal’ and ‘court’ – an amazing development that continues to grow more sophisticated.

At the top-end, software costing millions of dollars is trying to put some of the knowledge and experience of reviewers into a package that can automate a process that was once completely human. In many cases, it is astonishingly successful if it’s properly configured and implemented.

Still, fooling a computer is often easier than fooling a human. A computer looking for an email regarding illegal stock trades may have a host of keywords: ‘drop’ ‘price’ ‘downturn’ ‘bottom’ ‘loss’ ‘sell’ and so forth, but it won’t see what you do in this exchange:

“How’s it going today?”
“Everything is the Titanic today, jump ship.”

The message is clear as a bell, but our software passes right over it, lacking the human experience that Joe Everyman has.

In the end, digital investigation is still investigation. Between our ears, we have an amazingly powerful computer, continually upgraded and updated. Capable of nuanced understanding and on-the-fly decryption of previously unknown data, it has never been matched in the technological world. An expert investigator can provide information that is beyond the foreseeable capability of computer software. He can provide opinion answers to general questions, he can point to the absence of things that should be somewhere, he can identify deception, dishonesty and evasion and he can feed ideas into the case.

In the end, the strength of humans in electronic discovery is simply that they are humans.


Head crash


Recently, we received a hard drive for investigation as part of litigation. This drive had come from the work computer of an employee terminated by our client six months prior, now the subject of the litigation.

When we received the drive, it was apparent that it had been tampered with. Hard drives typically come with stickers over one or more of the case screws.  These stickers are there to allow the manufacturer to void the warranty when the drive is opened by an unauthorized person. In this case, the sticker was punctured and the screw was exposed. Most electronic evidence and investigations firms would have to stop at this point and send the drive out for data recovery. Fortunately, ‘sending the drive out for data recovery’ for us requires walking across the lab – not FedEx.

We moved the drive into our clean room, as is our policy with drives we know to have been previously opened by a third party.  After we removed the remaining case screws, we opened the drive to have a look inside.  The first glance was not encouraging – there had been a “head crash” – the term for an impact between the delicate read/write heads and the surface of the disk.

In a hard drive, the heads hover over the disk, ‘flying’ at an altitude measured in micrometers. The disk is rotating at extremely high speed; a typical laptop drive spins at 5400 RPM, about three-hundred-sixty miles per hour. Imagine then what happens when there is a failure and the two come in contact!

In this case, a section of the platter’s magnetic coating had been stripped away by the impact and the heat caused by the friction had caused ‘stiction’ – the drive head had become temporarily fused to the surface of the drive. There were even human fingerprint smudges on the normally sterile surface of the drive!  Internal mechanical components were replaced, the surfaces were cleaned, the logic board was replaced and we began the electronic evaluation of the drive.

A bit of explanation here will help you understand the rest of the story. Most hard drives have multiple platters on which data is stored. Additionally, the platters are two-sided. If a drive has two platters, it has four surfaces on which data can be stored. These are labeled starting from zero, so a four-surface disk has Surface 0 – Surface 3. Normally a user has no control over individual surfaces, but we have the capability to control and read each surface independently.

As we began to read from the bottom upward, things began looking better – Surfaces 3, 2 and 1 all read fine and we were able to recover the data from them.  Surface 0 would be the key – not simply because it contained 25% of the usable read of the drive, but because it contained the internal ‘map’ of the drive, the file system and some internal software used to make the drive work.  We might only have one chance to read the data, because another head crash would possibly cause additional damage.

We began the recovery of data from Surface 0 and it was reading, when the dreaded crash of the drive happened. We had managed to salvage some data, the question was – would it be enough? We moved the recovered data over to forensics for analysis.

The new drive was connected to our analysis array and powered on. We looked at the drive using specialized computer forensics software and – lo and behold – we had data. A quick sort of the data and a bit of analysis later, we had determined that the drive we had received (which should have had data from Spring of 2008 on it) had not been accessed since the beginning of 2006. The drive had been switched out for a “dummy” drive that was then tampered with.  Someone figured that the drive would be unusable and so nobody would be the wiser.





When Snooping Becomes a Crime

Many people have seen advertisements on the internet offering software that will let you monitor activity on a computer. These ads bark “Catch a Cheating Spouse” or “Secretly Monitor Email” or “Spy on Your Computer.” In many circumstances, this type of software is not only sneaky, it’s criminal.

Common Features

There are many different types of monitoring and logging software and not all of them use the same methods or have the same results. Let’s look at some of the most common features:

Keylogging: Also called keystroke recording, this software intercepts every key pressed and records it. Because it doesn’t rely on anything visual, it can capture passwords that are obscured on screen as well as commands that don’t make a visual change, such as the CTRL-C command used by many applications to Copy something.

Screen Capture: This can be event-based or time-based. Every time the selected criterion is met, the software takes a screenshot (a picture of what’s displayed on the screen) and records it. By looking at the screenshots, it is possible for a layperson to see information that would be difficult for them to find any other way (such as pornography).

Window Capture: If one looks at the applications running on a computer, nearly all have a very clear “Title” in the upper-left hand corner. As this article is being written, the title visible on this computer is “When Snooping Becomes a Crime.doc – Microsoft Word”. Window capture applications log the title of open windows and the time and date they are opened and closed. This can produce a significant amount of detail about the activity on the computer, including the names of web pages viewed, documents opened and emails sent and received.

It is not uncommon for monitoring software to have multiple methods of capturing and reporting information – indeed, many will have all the features noted above.

What the Law Says

The United States Code is the body of laws commonly referred to as “Federal Law”. In this case, 18 U.S.C. §1029, 18 U.S.C. §1030, 18 U.S.C. §2510 and 18 U.S.C. §2701 are the applicable statutes. 18 U.S.C. §1030 is part of the Fraud and False Statements chapter, 18 U.S.C. §2510 is part of the Wire and Electronic Communications Interception chapter (a/k/a the Wiretap Act) and 18 U.S.C. §2701 is part of the Stored Wire and Electronic Communications chapter.

Applying the law

Subsection (a)(2)(C) of 18 U.S.C. §1030 states that one has committed a crime if he “intentionally accesses a computer without authorization or exceeds authorized access, and thereby obtains—information from any protected computer if the conduct involved an interstate or foreign communication;” In this case, any computer that accesses the internet is involved in interstate communication. Punishment is up to 10 years for a first offense.

Subsection (a)(2)(C) of 18 U.S.C. §2510 states that one has committed a crime if he “intentionally intercepts, endeavors to intercept, or procures any other person to intercept or endeavor to intercept, any wire, oral, or electronic communication;” This is the whole purpose of the software in most cases. There are exemptions when the interceptor is a party to the communication or when one of the parties has given consent to the interception. This is why you see such wordy logon screens at corporations letting you know that you are consenting to monitoring. Punishment is up to 5 years for a first offense.

Subsection (a)(2)(C) of 18 U.S.C. §2701 states that one has committed a crime if he “intentionally accesses without authorization a facility through which an electronic communication service is provided… and thereby obtains, alters, or prevents authorized access to a wire or electronic communication while it is in electronic storage in such system”. This portion refers to things like logging into someone’s webmail account and reading or deleting emails, or signing on to an instant messenger network as someone else and receiving saved IMs. Punishment is up to 1 year for a first offense.

All three of these statutes also have civil fines associated with them, thousands of dollars in some cases. Add to this the cost of hiring an attorney to defend you in a criminal case and a separate attorney to defend you in your civil case, and the costs could easily surpass $100,000, not counting what might be a sizable judgment should you lose the civil case.

In closing, be aware of the dangers when “investigating” your own computer and leave it to the professionals.


Two Common Pitfalls of Encryption

Technology follows a predictable path as it develops. New technologies are developed to address a small but specific set of criteria. Over time, the user-friendliness of the technology increases, leading to adoption by a larger portion of the user base. Eventually, the technology is easy enough to use that nearly everyone is a user.

Email is an example of a technology that followed this path. From its original use – communications between computer-savvy members of government and academia, on through usage in corporations and the technophiles in the public at large – to today, when it is extremely rare to encounter someone who doesn’t use email on a daily basis.

For the general population, encryption sits on the border today. In its earliest incarnations, it was difficult to use and confusing for the novice user. Over time, it progressed into more user-friendly applications. Currently, some Windows Vista versions have strong encryption built into the operating system. In a couple of years, the question won’t be “Do you encrypt your important files?” but rather “How do you encrypt your important files?”

Often, while technology is making its final transition into user-friendliness, there is a period where the average user is left in limbo: unable to evaluate the strengths and weaknesses of a product due to unfamiliarity with the technology but also reliant on it. This is where we find ourselves today. As a computer forensics investigator, I have the opportunity to see how users at varying levels of sophistication actually use their computers. Which people use a certain technology? What is their level of sophistication? Was the decision to use this technology made out of some specific need or because it was dictated to them by another party?

Keeping in mind all of that, there are two common problems with encryption that we frequently see in either the forensics or data recovery labs: insecure encryption and too-secure encryption. I’ll explain the latter term below – it’s not as nonsensical as it may seem.

Insecure Encryption

The purpose of encrypting your data is to secure it from unauthorized access. In this regard, you can imagine your encryption is like a safe in the physical world. You choose your level of security based on a number of factors, such as cost, complexity and protection.

To the average user, there are two levels of security: password-protected and not. If a file is password-protected, this user judges the level of protection by the complexity of the password. Microsoft Word offers a commonly known example. A user can choose to password-protect a Microsoft Word document, locking out certain functions for someone who does not know the password. Depending on the level of security chosen, the unauthorized user may not be able to edit, print or even open and view the document.

What many users do not know is that most versions of Microsoft Office use an encryption scheme that can be circumvented by specialized software, breaking the passwords in a matter of seconds. Even recent versions are vulnerable to a more technical attack, one still within the reach of many individuals and of all businesses with the will to access the protected file.

This weakness is dangerous because – like the safe in the real world – an encrypted file screams out “There is something valuable in here!  I took time out to give this information special protection and it’s worth your while to find out why!”  In effect, you are drawing attention to the very data you wanted to protect – and once identified, it is easily accessed by determined users.

The caution here is to ensure that the protection you use will withstand the efforts of those to whom you wish to deny access. A ninety-nine dollar safe will stop most of us from ever being able to access the contents, but it will hardly slow a professional thief down. Thus, if you believe your data is valuable enough to be the target of professionals, the “ninety-nine dollar safe” version of encryption is not enough for you.

Too-Secure Encryption

You’ve determined that you have valuable data that must be protected against professional and proficient attackers. After consultation with an expert and testing of software, you’ve chosen and implemented a strong encryption scheme. All the computers in all the world working for the rest of your life would not be able to decrypt it. Your data is secure!

This morning, your CFO tells the IT Help Desk of a problem he’s having. One of the earliest adopters of the technology, he was glad to finally be able to prevent unauthorized access to the company books. He regularly changes his passwords and makes them sufficiently complex that they cannot be guessed, using numbers, letters, capitals and punctuation in them and ensuring that they are always longer than 14 characters.

The problem is, he seems to have forgotten the password.

In a moment, encryption has gone from being an asset – securing your data from prying eyes – to an enemy, holding your data for the ransom of one correct password.

In some real-world cases, the encryption used was weak and could be bypassed or otherwise decrypted using many computers ‘brute-forcing’ – trying every possible combination of letters and numbers until the password is found.

In this case, the encryption used is strong – the passwords sufficiently long and complex that guessing them by brute force would take hundreds or even thousands of years. The chances are that your data is lost until some point in the future when computers are drastically more powerful than they are today. Regardless of what conspiracy theorists think, mathematicians can show that the amount of processing power required to decrypt today’s strong encryption schemes exceeds the total processing power of all computing devices in the world. This means that even if you have a friend at the NSA, they can’t help you get your QuickBooks back.
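The standard safeguard against this failure mode is to never let one memorised password be the only way back to the data: encrypt the file under a random data key, then wrap that key twice, once under the owner's password and once under an escrow (recovery) key the organisation keeps offline. The Go program below is an added example, not code from the original post; the Vault layout, the iterated-SHA-256 stand-in for a real KDF, and the sample data and escrow key in the test are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
)

// Vault: file body under a random data key, plus that key wrapped twice,
// once under the owner's password and once under an escrow (recovery) key.
type Vault struct{ Salt, Body, PwWrap, EscrowWrap []byte }
// deriveKey stretches the password with a salt; iterated SHA-256 is a stand-in
// for a real KDF (PBKDF2, scrypt) so the example stays standard-library only.
func deriveKey(password string, salt []byte) []byte {
	k := sha256.Sum256(append([]byte(password), salt...))
	for i := 0; i < 50000; i++ { k = sha256.Sum256(k[:]) }
	return k[:]
}
func gcm(key []byte) cipher.AEAD { // 32-byte keys never fail here
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return aead
}
// seal encrypts with AES-256-GCM, prepending a fresh 12-byte random nonce;
// open reverses it, and the GCM tag check rejects a wrong key or tampering.
func seal(key, plain []byte) []byte {
	nonce := make([]byte, 12)
	rand.Read(nonce)
	return gcm(key).Seal(nonce, nonce, plain, nil)
}
func open(key, sealed []byte) ([]byte, error) {
	return gcm(key).Open(nil, sealed[:12], sealed[12:], nil)
}
// Encrypt builds a Vault that either the password or the escrow key can unlock.
func Encrypt(plain []byte, password string, escrowKey []byte) Vault {
	salt, dataKey := make([]byte, 16), make([]byte, 32)
	rand.Read(salt)
	rand.Read(dataKey)
	return Vault{salt, seal(dataKey, plain), seal(deriveKey(password, salt), dataKey), seal(escrowKey, dataKey)}
}
func unlock(v Vault, wrapped, unwrapKey []byte) ([]byte, error) {
	dataKey, err := open(unwrapKey, wrapped) // fails on a wrong password or escrow key
	if err != nil {
		return nil, err
	}
	return open(dataKey, v.Body)
}
// Decrypt is the everyday path; Recover is the escrow path when the password is lost.
func Decrypt(v Vault, pw string) ([]byte, error)       { return unlock(v, v.PwWrap, deriveKey(pw, v.Salt)) }
func Recover(v Vault, escrowKey []byte) ([]byte, error) { return unlock(v, v.EscrowWrap, escrowKey) }
```

The escrow key must itself be stored somewhere the CFO's forgotten password cannot reach, such as a hardware token or a sealed envelope in a safe, or it merely recreates the single point of failure.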

The Conclusion

Encryption can provide you with great peace of mind, knowing that your private data is safe, and it is a valuable addition to your commonly used software.

Selection of software and hardware to protect your data is extremely important. Evaluate your needs and select an encryption scheme that suits you. Be sure that the actual security is on par with the advertised security.

Remember: using strong encryption prevents anyone without the key from accessing the data in our lifetimes – even you!

Look for an explanation of commercially-available encryption and a comparison of features in an upcoming post.