Computer Forensics | Digital Forensics

Tool Versions in Court Cases: Three Criteria for Any Forensic Tool

larry@guardiandf.com (Larry E. Daniel) — Tue, 03 Nov 2009 17:08:00 +0000

I recently spoke at the 2009 Techno-Forensics conference on the subject; "Challenging the law Enforcement Examiner, What a Defense Expert Sees".

During the Q&A period, someone asked me if I used the same version of the tool used by the law enforcement examiners when I did my examination. I.e. did I use Encase 4.0 if they used it in their examination?

I thought it was such an interesting and timely question that I would write this post.

When I attended computer forensic training, a big deal was made about noting the version of the tool used for the examination so you could go back and duplicate the results or so it could be independently verified at a later time by someone using the same tool.

While that seems logical on the face of it, it really is not.

I use the latest verified version of the software I have at my disposal. Simply because I want to have the latest optimization and features that will allow me to do the most thorough examination possible.

Restricting myself to older versions would be a disservice to my clients.

However, I think that it is important to explain my answer a little more fully here as I did at the conference.

Any tool being used to gather and present evidence in the digital forensics field must meet three requirements:

1. Predictable

In order to create any sort of tool that finds or recovers data from a digital source, the tool must take advantage of the predictable nature of the source. In other words, if you cannot predict that a Microsoft Word file will have certain predictable characteristics, e.g. the header and footer, then how would you be able to write a tool to find the documents? Or how would a tool be able to tell of a JPG picture file was renamed to disguise its nature?
The same thing is true for verification of captured evidence. The calculation and comparison of the MD5 or SHA-1 hash value of the file must be predictable for hash analysis to have any meaning.

Repeatable

If a tool or process is to have any value, it must return the same result each time. In other words, it must be a highly accurate, repeatable process. No matter what tool is run, if the tool is accurate, it should always get the same result and should get it every time it is run against an evidence set.

Verifiable

One of the things we talk about a lot in this field is verification of tools. Especially tools that are used to gather and vet evidence. If the tool or process cannot be verified that it meets the two conditions above, then the tool cannot be used in a forensic process.

Looking at the three conditions above, then any tool used must produce the same result when examining the same data. Specifically, if one examiner reports having found a file of a type, of a certain size and at a particular sector and offset, then any examiner should be able to locate and reproduce that exact evidence with any forensic tool.

If that is not the case, then there will have to be a resolution as to why the evidence presented does not meet these criteria.

Did the examiner make a mistake?
Was the tool used not reliable? (Did not meet the three requirements above.)
Was the evidence finding simply reported incorrectly?
Is there a difference in the original evidence that is not reflected in the forensic copy?

In most cases that I have done, the error is on the human side, not on the tool side. Failing to follow good practices, or simply not understanding the tool being used are the biggest problems I see on a day to day basis.

And the winner is....

larry@guardiandf.com (Larry E. Daniel) — Tue, 03 Nov 2009 15:29:00 +0000

Congratulations to Luby Novitovic of the Chicago Inspector General's office on his winning the Drive Prophet giveaway.

Plain View Doctrine in Digital Evidence Cases — A Common Sense Approach

larry@guardiandf.com (Larry E. Daniel) — Mon, 19 Oct 2009 19:58:00 +0000

Image via Wikipedia

The recent 9th Circuit Court of Appeals of the Western District created some interest around this subject when they suggested eliminating the plain view doctrine from digital evidence.

If you want my usual different take on it, I wrote an article for DFI News. You can read it by following the link below.

Plain View Doctrine in Digital Evidence Cases — A Common Sense Approach October 19, 2009

Certifications...A Necessary Evil?

Lars@guardiandf.com (Lars Daniel) — Fri, 09 Oct 2009 01:09:00 +0000

Image by practicalowl via Flickr

I just couldn't resist the urge to chime in on this topic, especially with the buzz it has created.

As Larry Daniel's son and employee, I have had the great advantage and privilege of learning through the apprenticeship model. I also have the opportunity to incessantly bug him with a plethora of questions more or less every day.

The experience I have had through the apprenticeship model goes far beyond the realm of acquiring technical proficiency in digital forensics. I have learned through observation and emulation many other skills, many of them "soft" skills that would be extremely difficult to translate into a certification curriculum.

Furthermore, I have had the opportunity to work on dozens of cases in a relatively short time, starting at the very bottom and working my way up to being able to act as the lead examiner on cases.

However, I know that my situation is the exception and not the rule. Obviously I like the apprenticeship model, but this model does not work on a large scale. We accept forensic interns here at Guardian. Logistically we can only accept so many requests for internships. Responsibility for the bulk of the training these interns receive falls primarily on my shoulders.

Between my caseload, travel schedule, management duties, and occasional need to sleep, the training of one intern can seem a monumental task.

So my point: The apprenticeship model is not a viable model across the board.

My other point: There is a lot of great training out there and certifications can be useful.

I have taken classes, and some have been fantastic. Most recently I was at a SANS conference and received 12 hours of training on computer forensics and incident response and it was great.

Certifications, at the least, can show an ability to absorb technical information. They can also act as a reality check for those attempting to enter the field who think it is going to be like CSI: Miami. Many of them offer very useful information and experiences as you get to learn from real experts and gain knowledge of real techniques.

Certifications are also the only option to many people who have a desire to work in digital forensics since internships are sparse.

I think there is a deeper issue at the center of this, so here is my take:

Certifications can be extremely useful if, and only if, the participant is passionate about forensics and really wants to learn the material for reasons beyond getting a certification.

Otherwise they are just collecting expensive paper.

Apprenticeships are useful if, and only if, the apprentice is passionate about forensics and wants to acquire the skills and expertise for reasons beyond getting a job.

Otherwise, they are just filling a chair.

Certifications are Evil? Maybe

larry@guardiandf.com (Larry E. Daniel) — Tue, 06 Oct 2009 19:52:00 +0000

Image via Wikipedia

I was reading a guest post over on Mark McKinnon's blog, Certifications are Evil.....By John McCash , which raises some interesting and controversial questions about the state of certifications.

The problem with certifications and most licensing exams, as mentioned in the post, is that they have little to no correlation with real world work.

Memorizing all the seven OSI layers and what they do might sound impressive, but knowing how to read a log file is more practical in incident response work.

Or being able to recite the structure of an Encase evidence file might be of interest to some people, but how practical is it in working actual cases? Not much.

Even the "practicals" I have seen are really not all that practical. They seem to focus on some specific skills that relate to the certification, but ignore the real world side of how a report would be done. Especially from a non-LE standpoint.

One thing I know from having taught hundreds of hours of various computer and software courses is that training, to be effective, needs to be 20% lecture and 90% hands on practice to really get the concept to sink in.

I would advocate immersion training any day over the standard training I see out there now.

The problem is that you can't cover as much in a short time period. So the cost of the training would be greater since it would take longer.

Developing mental "muscle memory" is much like developing physical muscle memory. It takes repetition, practice and immersion.

If you think about it, training someone in computer forensics, for instance, works much better if they are being trained in an environment where they start with some limited tasks, do those tasks until they master them and then move to the next set of tasks.

Much the same way I learned karate many years ago. I have a few broken bones to remember that by.

John McCash made some excellent points about how certifications as a filter can do the opposite of what an employer wants to do by excluding qualified candidates in favor of certified candidates.

Of course that is pretty much the way of the world these days. Having a college degree is a filter used in many job postings now, even if the degree has nothing to do with the actual job. So an experienced and qualified candidate gets a form letter while the degree holder gets an interview.

Given the choice I would always prefer to train my own people through an apprenticeship model augmented with specific training.

And since I am on the subject, I am going to rant about how overpriced computer forensic training is: $3,500.00 for a week's training? I do remember my math; for 10 students that is $35,000.00.

No wonder so many are not getting properly trained when it is so expensive.

How Is Computer Forensics Different from Incident Response?

larry@guardiandf.com (Larry E. Daniel) — Wed, 30 Sep 2009 13:13:00 +0000

In response to my last post, All Computer Forensics Professionals Are Not Created Equal:

Christa M. Miller said...: Larry, if you keep computer forensics distinct from IR, doesn't that in some ways throw the baby out with the bathwater? There is really not all that much that forensic practitioners could learn from IR practitioners, compared to other "pure" forensic sources?

I was going to respond to that in a comment, but decided it would be too long to do it justice.

There is a significant difference between incident response and computer (digital forensics). However, it only becomes apparent when you analyze the different uses for the two disciplines and how they are applied.

Incident response encompasses a wide range of specialties as does digital forensics. Do they have overlap, yes. But the more specialized one becomes in one field, the more they diverge.

Incident response is actually a discipline within traditional information support services. If you look at the different jobs in information security, you begin to see how the specialization occurs and is needed:

Information Support
     Network Administration
         Server administration
             Domain, DHCP, DNS, Mail, File, Application, Database, Collaboration and Terminal servers.
         Network infrastructure
             Switches, Routers, Endpoint Security, Cabling, WAN, Internet, VPN, Wireless etc.
         Disaster recovery
             Backup and Recovery
          Telephone, VOIP

         Network Security
             Malware detection and prevention
             Perimeter protection (firewalls, etc.)
             Data leakage protection
             Intrusion detection and prevention
             Anti-Spam

Everything up to this point are the parts you need to administer a network and to prevent a need for incident response. When all of that is defeated and you have a breach, you call for the incident response person or team.

An incident response professional should have a strong foundation in all of the above since their job is to find where the breach occurred, plug the hole, get the affected server or servers back into service, and then if possible, gather evidence on the intruder for further action. Where the incident response professional differs is that they need to truly understand the low level working of a network, how breaches occur, how to locate the method of the breach, and how to mitigate the breach, i.e. kill it and close the hole.

This requires a deep understanding of hacking techniques, log analysis, malware, root kits, social engineering, hooking, terminate and stay resident (TSR) programs, port scanning, service profiling, packet forensics, routers and firewalls, daemons, hidden services, etc.

The objective of most intrusions or malware attacks on a network are to:

Steal data (intellectual property, operating or financial information)
Steal systems (Subvert control by gaining root or administrator access)
Steal storage and bandwidth (rogue FTP servers, spammers)
Steal identity information (credit card numbers, client information...)
Disrupt operations (DoS attacks, sabotage, destroy data, logic bombs, prevent access to the system by users)
Just be a nuisance by vandalizing systems.

In any event, attacks on networks are serious and have to be dealt with immediately to protect the enterprise and its clients. The larger and more complex the network, the more difficult this is to do. This is the role of the incident response professional.

Digital forensics as a discipline is more concerned in finding and documenting the actions of a person or persons in relation to other people or places or activities.

A digital forensic professional must have a strong understanding of where and how data is stored, how data is created, how to recover that data in a forensically sound manner and how to analyze the recovered data.

Acquiring Data: Where data is stored and how to get it.

There are basically two types of data that a digital forensics examiner must collect: Data from a physical device and data from other sources.

Physical Devices (Short list)

Computer Hard Drives
Solid State Devices (USB Sticks, Memory Cards, Digital Cameras, DV Cameras, etc.)
Cell Phones
Back up devices (Tapes, etc.)
GPS Devices

Other sources of data (not inclusive)

ISP records
Cell phone records
Network activity records
Off-site storage
Email databases
Email providers
Social networking sites.

The other sources of data are places where data may be stored that the examiner does not have direct access to the devices for collection, but must rely on others to provide that data.

How data is created

User created data (documents, spreadsheets, pictures, text messages, chats, web pages, social network pages, financial information...)
Program created data (software logs, registry entries, activity databases (i.e. Kazaa, Limewire, Internet browsers, VOIP programs, application software...)
User received data (email, internet downloads including pictures, programs, etc.)
Activity records (call logs, IP accesses, social networking activity, hosted email account creations, cell carrier records, GPS...)

User created data is by far the easiest to recover and analyze since it is normally the least obscured. Documents, pictures, spreadsheets, etc.

Program created data becomes more difficult to recover and analyze because most programs store information in several places, use non-human naming for data storage, and use many different formats for the data that is stored.

However those very characteristics make it very difficult for a person to completely eliminate all the artifacts that a program will leave on a system's hard drive.

What triggers a need for a digital forensic examination is typically the result of something someone has been accused of doing to someone else. It is very much a people to people examination. While incident response is mostly concerned with stopping and clearing an action, digital forensics is primarily concerned with finding out if a person committed an action. In the world of digital forensics, user attribution is the end goal. Did the person do this and can I prove that it was this person who did it? While incident response can be successful without ever identifying a person, without user attribution, digital evidence has little to no value.

To simplify it, the digital evidence trail looks like this:

This artifact (email, chat, picture) was created by this person and is connected to that person. Remember, we are looking for evidence that connects people to other people or actions.

To successfully do this kind of work, a digital forensic examiner must understand not only the technical side of the process, they must also be able to work within the legal system to ensure that the data they recover was legally obtained and can stand up to the scrutiny of a court of law, whether it is civil or criminal.

The more people and devices and evidence, the more complex the process becomes.

Hopefully this post illustrates why, as you get deeper into each of these disciplines the knowledge needed diverges significantly.

All Computer Forensics Professionals Are Not Created Equal

larry@guardiandf.com (Larry E. Daniel) — Sun, 27 Sep 2009 18:44:00 +0000

All Forensic Investigators Are Not Created Equal is the title of a blog post over at Dark Reading by John Sawyer.

I have to say that I take issue with several of Mr. Sawyer's statements in the article. First of all, he displays a complete lack of knowledge about complex forensic investigations that are conducted by law enforcement and other investigators. I suppose that trying to link together evidence from dozens of cell phones and computers in a fraud, drug trafficking or child pornography ring don't count as being as "difficult" as doing an incident response investigation.

While I am not a law enforcement examiner nor have I ever been a member of law enforcement, statements like the one below show a complete disrespect for the people who do that job:

"There are forensic "experts" who have a narrow specialization in investigating individuals. Some examples off the top of my head are law enforcement forensic examiners looking at a computer to see if it was used to send threatening e-mails, search for information on making bombs, or view child pornography. The primary, and often only, source of evidence is the suspect's computer that is sometimes accompanied with some corroborating information from the suspect's ISP or a Web/mail hosting provider.

On the extreme opposite end of the spectrum, you have those who work on a much larger scale, taking into consideration many sources of information. I'm not sure there's a good term for them -- security investigator or enterprise incident responder or similar title -- but they go far beyond looking at just one system. Logs from routers, firewalls, and a numerous other types of systems all come into play in order for the investigator to crack the case."

Mr. Sawyer got his inspiration for writing this after reading another blog post:

"So why do I mention the distinction? It's something I've believed for a while but was reminded of it again while reading "The Black Art of Digital Forensics" over at infosecurity.com. The article makes several interesting statements. The one that stuck out is that forensic investigators can't rely only on GUI tools to perform task for them (which is usually only against one system or one type of system and not ALL systems), they must understand what's going on behind the scenes for the GUI. While that's true, I'm just not sure that's going on in the real world."

While I agree that forensic investigators cannot completely rely on GUI (Graphical User Interface) forensic tools, I think the statement needs some clarification.

GUI based forensic tools like Encase, FTK, and others are fine tools and extremely powerful in the hands of a well trained and experienced examiner. The problem is that they can give a false sense of completeness if all the examiner does is run the standard scripts and review the collected data.

The statement above from the Infosecurity article smacks of the recurring theme of, "I can run command line tools. That makes me smarter than you." Something that seems to be cropping up more and more.

Should the examiner know what the graphical tool is doing to get at the data? Absolutely. Should the examiner have a good foundational knowledge of how these tools work at a low level? Yes. Does it matter if he can explain what FAT 12 is to a jury? Probably not. But if he does and he does not do his homework prior to testifying, shame on him.

The article over at Infosecurity reads more like an advertisement for a couple of new software releases than much else.

It starts off good with some discussion of the problem with relying on the MAC times (Modified, Accessed and Created) that are recorded by a computer operating system.

However it drifts away from that topic without giving any detail as to how to deal with MAC times and goes on to discuss software and civil data collection.

Hopefully it is pretty common knowledge among examiners these days that you have to verify things like MAC times before you rely on them as evidence.

In civil cases it is acceptable in many cases to only collect data that is relevant to a case without doing a full forensic copy. However, in criminal cases, it would be problematic to not have a full forensic copy of a hard drive that is going to be used in a criminal trial as that would be a major point of attack for the defense:

"Would be fair to say Mr. Examiner that the court cannot know what data you decided not to collect?"

"Mr. Examiner, given that you decided what evidence this court would be allowed to see, how can you assure the court that you did not intentionally exclude data that would prove my client's innocence?"

There is a wide difference between requirements in civil and criminal investigations. What is allowable in a civil case relies on a very different standard than that of a criminal proceeding.

Lumping incident response in with computer forensics is a mistake. They are not the same disciplines, do not have the same focus and do not have similar requirements for the investigator in either training or expertise.

While having expertise in both is an asset, to say that having expertise in one automatically qualifies an investigator in the other is simply wrong.

Getting back to law enforcement forensic experts; Working in the criminal system is much more difficult than many people in our profession give credit. Law enforcement forensic examiners must not only know how to properly conduct a computer forensic examination, they also need to understand how to do it in such as way that it will stand in up criminal court. To get to the point where a computer can be examined requires taking careful steps through a legal minefield of probable cause affidavits, search warrants, investigative reports and fourth amendment protections.

Then their work may very well be scrutinized by an opposing expert who is going to pick apart every aspect of what they did through that entire process.

While I have great respect for the professionals in the incident response area and value the contributions of folks like Harlan Carvey, I think we would all be better served if we keep the distinction between computer forensics and incident response clear.

Guardian Digital Forensics Releases Drive Prophet Professional - Forensic Edition

larry@guardiandf.com (Larry E. Daniel) — Thu, 24 Sep 2009 10:25:00 +0000

Several months ago I signed a software publishing agreement with Mark McKinnon of Red Wolf Forensics to publish Drive Prophet.

In my opinion, Drive Prophet is an outstanding tool for digital investigations, incident response, hacking cases and digital triage.

Working with Mark to bring this newest release to market has been a real pleasure. Not only is Mark an excellent developer, but he is a really nice guy to work with as well.

We have three additional versions of Drive Prophet in the works, (more about those at a later date).

You can take a look at the user manual here if you want more details on Drive Prophet.

Or you can visit Drive Prophet on the web.

New Twist On An Old Scam

larry@guardiandf.com (Larry E. Daniel) — Wed, 09 Sep 2009 14:13:00 +0000

Image via Wikipedia

I received an email the other day from the US Marines (supposedly).

"Dear Friend,
Please take some time off your busy schedule to read and respond to this email as soon as possible. I am a US MARINE serving in Iraq (Mosul) and require your help to take care of some personal financial matters for me and of course you will be adequately compensated with sum of three million dollars (USD) as your share for rendering this assistance.
You will have to give me some assurances that you will keep my identity and other information's regarding this project to yourself and will also try to adhere to the terms we will agree on, especially the safety of the part of resources that I will call my share, after you have taken the figures we will agree on as your share and how to preserve that belonging for me until I complete my service here.
I will send you more details when I have a mail from you.
Regards.
Sgt. Andrews Veach.
US MARINES (IRAQ)"

Sounds a lot like the old "I have millions of dollars I need to get out of the country" scam I have seen for years where you have a prince or a high ranking official, etc that needs for you to help them by accepting money on their behalf. Of course you would get a lot of money for providing the service. All you have to do is give them your bank account or other personal information.

In this case, outside of the obvious similar wording in the email, the fact that it came through a Japanese mail server is a dead giveaway.

From: "US MARINES" trwweq@zav.att.ne.jp
To: "US MARINES" trwweq@zav.att.ne.jp

Notice that it is signed Sgt. Andrews Veach. Odd first name since it is plural. However, if you look in the header information, the reply address is: Reply-To: sgt.vandr@gmail.com

Apparently the idea is to make this one sound legitimate by saying it is from a US Marine serving in Iraq. I hope that no one takes this seriously.

9th Circuit Court of Appeals - Plain View Opinion On Digital Evidence

larry@guardiandf.com (Larry E. Daniel) — Wed, 02 Sep 2009 01:59:00 +0000

Image via Wikipedia

Over on the SANS blog, Rob Lee posted a piece that he got from, "From Greg Haverkamp from the GIAC Certified Forensic Analysts [GCFA] Mailing list."

Sweeping 9th Circuit Decision Regarding Law Enforcement Officer Computer Forensics

It is a good summary of the opinion.

Before I get to what I have to say about this, you should also read John Barbara's article in Forensic Magazine about the Plain View Doctrine: Digital Insider: To Search or Not to Search…. the Search Continues

Also, if you are interested, here is a link to the full opinion form the 9th Circuit Court of Appeals:

11860 UNITED STATES v. COMPREHENSIVE DRUG TESTING, INC

This ruling could put a real pinch on the current practice of "find it, then get a warrant for it" approach to examining electronic media.

Basically what the court is saying is that the "plain view" doctrine isn't going to fly when law enforcement is examining a hard drive for one thing and discovers something unrelated to the investigation, then goes and gets a warrant for the new evidence."

As a new form of protection, the court is suggesting that a neutral 3rd party segregate the evidence and provide only the evidence named in the search warrant to law enforcement.

One of the dissenters in the opinion said that this was going to severely damage the ability of small police forces to do computer forensics since they cannot afford dedicated, non-investigative personnel to perform this work.

I have long held that I thought it was problematic for the investigator on a case to also be the forensic examiner, (in spite of what you see on CSI), since the investigator cannot separate what they see from what they are allowed to see. The nature of forensic examinations makes it virtually impossible to limit what the examiner sees. Only by having a third party perform the examination can evidence be properly segregated to protect the privacy of the individual, prior to the evidence being given over to law enforcement.

The burning question is will this court decision force law enforcement labs to start using third party labs, or at least, non-investigative personnel for forensic examinations?

In the example John Barbara gives in his excellent article on the plain view doctrine, he talks about how when the examiner sees the first child porn picture, they should stop and go get a warrant. Prior to this ruling, that has been the normal way of handling the discovery of new, unrelated evidence under the theory that since the examiner cannot look for pictures of one thing without looking at all the pictures, the contraband pictures are in "plain view."

That is a lot like saying that since you can't look for tax documents in a file cabinet without looking at all the documents, if you discover a document that details drug transactions that the document is in plain view once the examiner takes it out and looks at it.

This ruling changes the interpretation of what plain view is when it comes to over-seizing and examination evidence.

Bear in mind that this ruling is about government searches of digital evidence and not about private searches. Private searches are not covered by the 4th amendment and are subject to a different set of rules.

Of course, I am not an attorney and my writing is just my opinion on the matter. (My disclaimer.)

Weighing in on the CDFS

Lars@guardiandf.com (Lars Daniel) — Tue, 25 Aug 2009 13:59:00 +0000

The Digital Forensics community has, up to this point, been somewhat fragmented. Because of this it has been difficult to advance the community as a whole. This is especially true in the development of qualification guidelines for examiners, and even more so in the areas of handling legislation that impacts our profession.

However there is hope on the horizon as it appears we may have finally reached critical mass.

Over at Rob Lee's blog, SANS Computer Forensics and E-Discovery, there is a press release announcing what I believe to be good news; The Council of Digital Forensic Specialists.

I am excited to see a united front of digital forensic examiners with aims at advancing the field. I am also hopeful for the future because this represents the first steps of digital forensics becoming a responsible self-governing body.

Expectation of privacy in the public realm?

Lars@guardiandf.com (Lars Daniel) — Thu, 20 Aug 2009 03:11:00 +0000

Image via CrunchBase

Many people, especially in the younger demographic, really have no idea of the possible repercussions of sharing the intimate details of their life on social networking sites like Facebook and Myspace. It seems like every week a case comes across my desk involving evidence from social networking sites.

The following is an except from New York Times online, from the article A Facebook Teaching Moment by Randy Cohen. It illustrates a real lack of discernment as students give full disclosure of deviant behavior on their Facebook page:

Image via CrunchBase

"Strictly speaking, when these students gave her access to their Facebook pages, they waived their right to privacy. But that’s not how many kids see it. To them, Facebook and the like occupy some weird twilight zone between public and private information, rather like a diary left on the kitchen table. That a photo of drunken antics might thwart a chance at a job or a scholarship is not something all kids seriously consider. This teacher can get them to think about that."

These days social media sites are a excellent source of easily gathered evidence. If you put information on social networking sites your expectations of privacy should be minimal at best, and it definitely could come back to haunt you.

Q&A with Harlan Carvey

Lars@guardiandf.com (Lars Daniel) — Mon, 17 Aug 2009 21:44:00 +0000

Image via CrunchBase

There is an interesting interview with Harlan Carvey, author of the blog Windows Incident Response and creator of Regripper over at Help Net Security.

The topic of discussion: Q&A Windows Forensics

It has alot of great information for people trying to get into the field and the future of Windows forensic analysis.

Oh, and if you are an examiner and haven't checked out his book, Windows Forensic Analysis yet I highly recommend doing so. Even if you have the 1st edition it is definitely worth it to go ahead and get the new 2nd edition.

More People Should Listen to Forensic4Cast

larry@guardiandf.com (Larry E. Daniel) — Fri, 14 Aug 2009 02:04:00 +0000

If you have not had a chance to listen to Forensic4Cast, the podcast, you are missing some funny stuff and some excellent guest interviews. Lee and Simon do a great job with the show and it is very enjoyable. They manage to bring some humor into the digital forensics field as well as covering serious topics quite well.

Some of their past interviewees have been Rob Lee of SANS, Lance Mueller, Scott Moulton, Harlan Carvey and Matt Shannon of F-Response.

I was interviewed on the latest episode, "Not Another Kitty Porn Joke!"

Lee Whitfield of Forensic4Cast will be my guest on Talk Forensics Radio, August 30th.

My Favorite Things

larry@guardiandf.com (Larry E. Daniel) — Fri, 07 Aug 2009 01:21:00 +0000

I think over time we all find things that we like. And when we like things, we tend to want to share them with others. Here are some of my favorite things. This is not intended to be all inclusive nor is any of it in any particular order.

Favorite Newsletter:
DFI News

Favorite Discussion Forums:
Forensic Focus

Favorite Podcast:
Forensic4Cast - Lee Whitfield
Talk Forensics- My show

Favorite Organizations:
National Association of Criminal Defense Lawyers
Fair Trial Initiative
Center for Death Penalty Litigation
American College of Forensic Examiners Institute
American Society of Digital Forensics and eDiscovery
SANS Institute
North Carolina Association of Private Investigators
Vidoc Society
Missing You Foundation
National Center for Missing and Exploited Children
Innocence Project
Help Find My Child

Favorite Forensics Tools:
Encase - Guidance Software
NetAnalysis - Digital Detective
Drive Prophet - Mark McKinnon
Helix - e-Fense
RegRipper - Harlan Carvey
Hardcopy III - Voom Technologies
Metadata Assistant - Payne Consulting
SecureView Forensic - Susteen
BitPim
F-Response - Matt Shannon

Favorite Blogs and Bloggers:
Simple Justice - Scott Greenfield
Digfor - Andre Ross

I was going to list some of my favorite people, but I would probably leave someone out and offend them, so I will stop here.

Fake Security Software Steals $34 Million Monthly

larry@guardiandf.com (Larry E. Daniel) — Thu, 06 Aug 2009 13:02:00 +0000

Image by World's Saddest Man via Flickr

Sadly, this is one of the better scams out there for parting inexperienced computer users from their money. I know people who have made this "purchase", only to find out when they called me that it is completely bogus.

This malware, that claims to be a legitimate anti-virus or anti-spyware application literally takes over the user's computer, making it impossible to use, with pop-ups occurring every few seconds warning of all the infections the rogue software has detected on the user's computer.

Depending on the particular infection, the solution is as simple as doing a windows restore to a time before you got the rogue ware, to some that are extremely difficult to remove.

One of the better tools for removing this type of spyware that I have found is SuperAntiSpyware Pro. It is available as a 30 day trial.

Here is the full article on this lucrative scam:

Fake Security Software Steals $34 Million Monthly -- InformationWeek: "Fake Security Software Steals $34 Million Monthly"

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

larry@guardiandf.com (Larry E. Daniel) — Thu, 06 Aug 2009 03:56:00 +0000

Image via Wikipedia

If you have not read this lately, and I mean in the last year or so, the National Institute of Justice has done an outstanding job in the second edition of their guide for first responders.

You can download the guide in PDF format here:

Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition

Whether you are in law enforcement or not, it is a valuable resource and contains some very useful information. The second edition is far better than the original.

They also publish some other very useful guides and publications.

Forensic Examination of Digital Evidence: A Guide for Law Enforcement

Digital Evidence in the Courtroom: A Guide for Law Enforcement and Prosecutors

Talk Forensics - 25th Episode

larry@guardiandf.com (Larry E. Daniel) — Sun, 26 Jul 2009 14:27:00 +0000

Cover via Amazon

It's hard to believe that we have had Talk Forensics on the air for 25 weeks now. Today marks our 25th show and features Frank Bender.

Frank Bender is an autodidact forensic and fine artist. His talent for forensic facial reconstruction, working first with the Philadelphia police department, then with the FBI, TV’s Americas Most Wanted, the Scotland Yard and the governments of the Mexico and Egypt, has made him widely recognized as a leader in his field.

You can read about Frank's work in the book, "The Girl With The Crooked Nose."

You can join us on the show every Sunday at 4PM Eastern at Talk Forensics on Blog Talk Radio where you can ask the guest questions live either by calling in to the show, or by asking questions in the live chat room for the show.

If you can't make it, you can always download the shows as a podcast from the iTunes store at Talk Forensics Podcast at iTunes

Using Automated Computer Forensic Tools - Good, Bad or What?

larry@guardiandf.com (Larry E. Daniel) — Sat, 25 Jul 2009 16:41:00 +0000

Image by Extra Ketchup via Flickr

In the world of computer forensics software, each developer is consistently working to add value and features to their product to make it more attractive to the forensic investigation market.

The market leaders, Guidance Software and Access Data, both provide comprehensive forensic software packages, albeit with decidedly different approaches. And for the purist, you can purchase X-Ways forensic software, which is a GUI for their Winhex product.

There are others out there as well, such as Paraben, and Pro-Discover and more.

Beyond the comprehensive tool developers, there are many specialty tools available as well:

Belkasoft makes tools for reading chat and internet history and email.

Drive Prophet is a data gathering tool that can parse out USB device connections, recently opened files, and many other items of interest to an investigator.

Then there is RegRipper, a tool for parsing Windows registry data.

The question is, are these tools helping or hurting the quality of forensic examinations?

My immediate response to that question would be a resounding, "Yes".

Depending on the circumstances, fully automated, limited scope collection tools can be of great benefit to an investigator or examiner. If you are in a situation where you just need to look at a specific type of information, an automated tool that is built just for that purpose would be the most efficient way to go.

The problem is that the tools that are real specific don't do some things like checking for deleted files or looking inside compressed files as part of their automated routines.

While the big suites can do pretty much whatever you desire, you run into the simple, but real limitation of the time it takes to do searches in unallocated space or, heaven forbid, create an index for key word searches.

The single biggest issue I hear from the law enforcement examiners I interact with is that time is a real problem for them with the number of cases they have, or the fact that they are not dedicated to just computer forensics.

As a private consultant, waiting on machines to process data is a huge time waster since processing time is not billable. Unless of course you are conducting an forensic examination on-site due to the Adam Walsh Act. Then all the time is billable, and costs the client a considerable amount of money. Since most of these cases are indigent, the taxpayers end up footing the bill.

While automated processes are critical to performing computer forensic examinations due to the fact that a purely manual process would be prohibitively expensive and time consuming, they must be used as they are intended and not become a substitute for an actual forensic exam.

If an examiner limits themselves to what the automated tools and routines can find, they will probably miss critical evidence. From what I have seen over the last several years that I have been doing this kind of work, the majority of cases I have worked contain evidence that gets missed by examiners, both by private consultants and law enforcement examiners.

The single biggest danger in depending solely on automated tools and processes is that an examiner may be in a situation that would cause them to accept the results as "good enough" due to time or budget constraints.

The other danger in tools becoming more automated is that in the hands of an untrained examiner, they simply may not know where to go next with the tool or the examination to make sure that a thorough examination has been done.

While automated tools and routines may be able to replace an examiner's need to know how to look for some piece of data or evidence, they cannot replace the need for an examiner to know where to look and what to look for.

Those skills are probably more critical than knowing how to get a piece of data. To conduct the most efficient examination, there has to be a combination of knowing where to look first, second and so on, along with how to use a tool to extract what you need to find.

When using automated tools, an examiner must be prepared to answer the questions:

1. If the automated tool does not find it, how do I find it using a different approach?
2. Where is the most likely place to find what I need, if the evidence is not where it is supposed to be? (Automated tools can only look at where something is supposed to be.)
3. If I can only find a fragment of a piece of evidence, how do I find related evidence to collaborate the fragment?
4. If the original file I know was there is missing, how do I show that it was there at some point in the past?
5. Can I create some sort of user attribution for the evidence?
6. How do I find evidence that will help with creating a time line for the fragment?

Plus many more questions that an examiner must answer that automated tools simply cannot be created sophisticated enough to answer at this time. Perhaps in the future, expert systems will be developed to take the place of examiners, but for now, it is the examiner's skills that make the case, not the tools, no matter how good they are.

If there is anything that is needed in the field right now, it is more training, not more automation.

Digital Breadcrumb Eradicator - Maybe, Maybe Not.

larry@guardiandf.com (Larry E. Daniel) — Sat, 25 Jul 2009 13:19:00 +0000

Image by WillBurton2 via Flickr

I am always skeptical when anyone makes a claim about making data disappear.

University of Washington researchers have developed a tool that will make some data you send to another party disappear after a specified time period.

This article will self-destruct: A tool to make online personal data vanish

"Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating, inconvenient or just embarrassing details from the past.

The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them."

I would be happy to take on that challenge. Send me a computer hard drive where someone has been using this new tool and I would be willing to bet lunch I could get back at least some of the messages.

I see it all the time where someone thinks they have protected themselves by turning off their chat logging or using on-line email programs and various other means of "hiding" their messaging activities.

Even if you are using this system, for a time, the text is going to be in the clear prior to encryption on the sending system, and it will be in the clear after decryption on the receiving system.

I think I will have one of my interns use Vanish for a couple of weeks and see what I can retrieve forensically from the hard drive.

I will post the results of that experiment in a couple of weeks.

In the meantime, I can see how this new tool, used in a certain way, could make it virutally impossible to recover messages sent between parties. As always, an advancement like this for on-line privacy becomes a boon for those who wish to hide their activities for nefarious reasons, such as terrorists and criminals.

Every tool can be used for good or bad or neutral purposes. That is the nature of the beast in computer security.

Some additional links to articles about Vanish:

Sexting - What Happens When....?

larry@guardiandf.com (Larry E. Daniel) — Sun, 19 Jul 2009 12:25:00 +0000

I was having a conversation the other day with a detective and a defense attorney and the subject of sexting came up. The defense attorney made an interesting observation; What happens when the person that received a message of an underage girl or boy turns eighteen? If they

Image by gatom0g via Flickr

still have the image in their possession, does it become child porn?

At the SANS conference, the law enforcement folks that spoke or answered questions regarding sexting among teenagers as something their district attorneys were not prosecuting unless an adult was involved.

Apparently this is becoming rampant with cases showing up more frequently all over the country, with the majority of the "sexters" being girls sending pictures to boys.

Hence, the question about what happens when they turn eighteen and become adults if anyone is still possessing the sexted pictures.

Would it be a defense to say that a person received the picture while they were a minor? Or would the possession be determined based upon them still having the picture after they become an adult?

It is going to be interesting and possibly disturbing to see where this goes over the next few years.

Here are some links on the subject of sexting.

Supreme Court Ruling: Melendez Diaz v. Massachusetts

Lars@guardiandf.com (Lars Daniel) — Sun, 19 Jul 2009 02:15:00 +0000

The guys over at Voom Technologies Inc. have posted an interesting article interpreting the recent Supreme Court decision that will require live testimony by forensics analysts.

You can check it out here:

Voom Interprets Broad Supreme Court Ruling Requiring Analysts' Live Testimony to Apply to Computer Forensics

Also, Scott Greenfield over at Simple Justice wrote an excellent post about this decision.

Courting Confrontation (Simple Justice)

Getting Ready for 2010

larry@guardiandf.com (Larry E. Daniel) — Fri, 17 Jul 2009 08:00:00 +0000

Image via Wikipedia

I know it is only July, but looking forward to next year, I thought I would write a quick post about speaking engagements.

I typically do quite a few speaking engagements each year on the topic of digital forensics for various attorney organizations, schools and paralegal associations. That is in addition to the speaking I do at computer forensic conferences. I also personally conduct a few one and two day intensive training seminars on advanced digital forensic consulting.

Having said all that, my office is currently scheduling my engagements for next year. If you are interested in having me speak to your group, at your conference or training seminar, then now would be the best time to get a commitment on my schedule for next year.

By scheduling these engagements far enough out, it allows us some flexibility in scheduling my court appearances for the cases I do during the year.

Some of my past and current speaking engagements: 2009 NACDL (National Association of Criminal Defense Lawyers Making Sense of Science Seminar), 2009 Alabama ACDL, NC Association of Private Investigators, North and South Carolina Public Defenders Conference, 2009 American College of Forensics Examiners Institute Annual Conference, Wake County Paralegal Association, University of North Carolina at Pembroke, North and South Carolina Public Defenders Investigators Conference, 2009 SANS What Works In Forensics Summit, and several others.

If you are interested in having me come speak to your organization, please contact Leslie or Dawn at 919-868-6291 to make arrangements. My schedule fills up quickly.

US Supreme Court Rules That Experts Must Testify

Lars@guardiandf.com (Lars Daniel) — Tue, 07 Jul 2009 02:17:00 +0000

Image via Wikipedia

According to a recent ruling in Melendez-Diaz v. Massachusetts by the Supreme Court, experts will be required to testify to explain their reports, examinations, or methodology.

It will be interesting to see the impact this has on the case turnover rate in labs across the country as more forensics people spend time in court rather than in the lab.

Check out Forensic Magazine's article on this ruling for a more robust treatment of the topic: Supreme Court Ruling Requires Crime Lab Analysts to Testify

On a positive note, perhaps this will help us lab-toiling examiners fight off vitamin-D deficiency by at least getting us out of the lab and into the sunshine for that brief walk from the car to the courthouse.

Road Rage on the Information Super Highway

larry@guardiandf.com (Larry E. Daniel) — Mon, 29 Jun 2009 11:13:00 +0000

Is the internet making people meaner? Or is it just giving people a chance to be mean without consequences, allowing them to channel their inner monsters in a fast and convenient way?

One of my friends who regularly appears on Hannity's Great American Panel, sent me an email he received after one of the shows; It was nasty, filled with personal attacks and vulgar references.

If you read the comments that follow many news stories on web sites for television stations and other news outlets, it is frightening to see what people post about people accused of crimes, local politicians, celebrities, and anyone else who happens to raise their ire. Veiled threats, accusations about the personal lives of the person in the news, hate speech, it's all there.

Jump on any forum and you will see posts filled with personal attacks on other posters; especially if they happen to disagree with the poster.

While I value free speech as much as anybody, it is funny that excercising that free speech is so much easier when you can remain hidden behind your keyboard. I don't think people would be so quick to say some of the things they do about a person if they were within nose-punching distance of their target.

It reminds me a lot of how agressive people can get when they are ensconced in the metal cocoon of their cars, safe from the other driver they are flipping off or tail-gating.

The anonymity of the internet gives people a feeling of invulnerability, making them more willing to say things they would not other wise say in a public forum. At least, that seems to be the case since there has not been an alarming jump in brawls and fisticuffs on the streets.

While the courts go to great lengths to protect the first amendment right of anonymous speech, it is not absolute as courts are now beginning to tackle serving anonymous defendants in internet harrassment and defamation cases.

Federal District Court Mandates the Disclosure of the Identity of Online Posters

States have passed or are considering passing cyberbullying laws and other protections for people who are the subject of on-line threats, defamation and harrassment.

I have to admit that some of the posts can be a bit amusing if you recognize the unintended irony that some poster's messages contain; "I think they should rip that guy's genitials off and feed them to the dogs while he watches. Be back in a few, got to check on the cookies I have in the oven for the grandbabies."

Ouch!