Wednesday, August 27, 2014

Are you really anonymous on the TOR network? Federal Cybersecurity Director Found Guilty on Child Porn Charges

Federal Cybersecurity Director Found Guilty on Child Porn Charges


"Tor is free software that lets users surf the web anonymously. Using the Tor browser, the traffic of users is encrypted and bounced through a network of computers hosted by volunteers around the world before it arrives at its destination, thus masking the IP address from which the visitor originates. "

"As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images.

But DeFoggi—convicted today in Maryland on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of the Tor anonymizing network shielded him from federal investigators.
He’s the sixth suspect to make this mistake in Operation Torpedo, an FBI operation that targeted three Tor-based child porn sites and that used controversial methods to unmask anonymized users."

Link to the full article.

What's the takeaway?  Never believe you are completely secure in your dealings with any method of communication.

Friday, February 7, 2014

Computer investigator pleads guilty to misrepresenting credentials

" A Rye private investigator who has received $23,000 from the state since 2006 to do computer forensic investigations for indigent defendants pleaded guilty last week to misrepresenting some of her investigative certifications on her company’s website.
Judith Gosselin, owner and sole employee of J.A.G. & Co. in Hampton, claimed to be a “certified computer examiner” and to be trained as an ethical hacking forensic investigator when she wasn’t, according to court records.
Gosselin, who has worked for the state, federal public defender offices, and civil and criminal defense attorneys here and outside the state, avoided jail time in exchange for her guilty plea to a misdemeanor charge of unfair and deceptive business practices. She did receive a 12-month suspended jail sentence.
She was fined $2,000, ordered to reimburse the state’s indigent defense fund $3,500 for her work on a recent case and to “not ever accept any criminal case in the state of New Hampshire in any capacity,” according to her sentencing order.
A current count of Gosselin’s cases was not available last week. But while testifying for the defense in a criminal trial in Rockingham County in 2008, Gosselin said she had done 154 computer-related investigations, had been an expert witness in 36 cases and had testified in five trials on criminal and civil matters. She was then charging $254 an hour, according to her trial testimony. She has been doing computer investigations since 2000, according to her resume.  "
Make sure you read the whole article as this is an interesting case.

Wednesday, November 6, 2013

Anal probes? A new kind of abduction scenario that started with clinched butt cheeks.

Forget about aliens and UFOs.  Instead of watching the sky, apparently we need to be watching the police.

"The incident began January 2, 2013 after David Eckert finished shopping at the Wal-Mart in Deming.  According to a federal lawsuit, Eckert didn't make a complete stop at a stop sign coming out of the parking lot and was immediately stopped by law enforcement.    
Eckert's attorney, Shannon Kennedy, said in an interview with KOB that after law enforcement asked him to step out of the vehicle, he appeared to be clenching his buttocks.  Law enforcement thought that was probable cause to suspect that Eckert was hiding narcotics in his anal cavity.  While officers detained Eckert, they secured a search warrant from a judge that allowed for an anal cavity search. 

Eckert's attorney, Shannon Kennedy, said in an interview with KOB that after law enforcement asked him to step out of the vehicle, he appeared to be clenching his buttocks.  Law enforcement thought that was probable cause to suspect that Eckert was hiding narcotics in his anal cavity.  While officers detained Eckert, they secured a search warrant from a judge that allowed for an anal cavity search.
The lawsuit claims that Deming Police tried taking Eckert to an emergency room in Deming, but a doctor there refused to perform the anal cavity search citing it was "unethical."
But physicians at the Gila Regional Medical Center in Silver City agreed to perform the procedure and a few hours later, Eckert was admitted.

What Happened

While there, Eckert was subjected to repeated and humiliating forced medical procedures.  A review of Eckert's medical records, which he released to KOB, and details in the lawsuit show the following happened:
1. Eckert's abdominal area was x-rayed; no narcotics were found.
2. Doctors then performed an exam of Eckert's anus with their fingers; no narcotics were found.
3. Doctors performed a second exam of Eckert's anus with their fingers; no narcotics were found.
4. Doctors penetrated Eckert's anus to insert an enema.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
5. Doctors penetrated Eckert's anus to insert an enema a second time.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
6. Doctors penetrated Eckert's anus to insert an enema a third time.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
7. Doctors then x-rayed Eckert again; no narcotics were found.
8. Doctors prepared Eckert for surgery, sedated him, and then performed a colonoscopy where a scope with a camera was inserted into Eckert's anus, rectum, colon, and large intestines.  No narcotics were found.
Throughout this ordeal, Eckert protested and never gave doctors at the Gila Regional Medical Center consent to perform any of these medical procedures.
"If the officers in Hidalgo County and the City of Deming are seeking warrants for anal cavity searches based on how they're standing and the warrant allows doctors at the Gila Hospital of Horrors to go in and do enemas and colonoscopies without consent, then anyone can be seized and that's why the public needs to know about this," Kennedy said. "

Here is a link to the full story.

Here is a link to the PDF of the lawsuit.

Monday, October 28, 2013

Is Your GPS Bracelet Listening?

Here is an article from The Crime Report about some GPS bracelets that have a cellular telephone capability built into the bracelet.

The implications are interesting, to say the least.

Caution: Your GPS Ankle Bracelet Is Listening

Thanks to Sarah R. Olson at the NC Indigent Services for sharing this link with me.

Tuesday, October 22, 2013

Computer Forensics Job Opening

The Baltimore Police Department has an opening for a Computer Forensics examiner.

The link to the post is here:

Computer Forensic Examiner Opening

Job Title:Computer Forensic Examiner I
Closing Date/Time:Fri. 11/08/13 4:30 PM Eastern Time
Salary:$25.07 - $31.23 Hourly
$45,630.00 - $56,836.00 Annually
Job Type:MERIT
Location:Towson, Maryland

Thursday, August 29, 2013

Cell Tower Dumps

Cell Tower Dumps are used in cases where the FBI or local law enforcement is attempting to determine a cell phone number or numbers that can be used to investigate a crime.

I have seen cell tower dumps in several cases I have handled.  Here is an excellent article about this investigative technique from Ars Technica.

It is well worth the read.

How “cell tower dumps” caught the High Country Bandits—and why it matters

Tuesday, July 2, 2013

Friday, December 14, 2012

The Perils of Using the Local Computer Shop for Computer Forensics

In a recent article posted by the Association of Certified E-Discovery Professionals, Robert Hilson writes about the loss of priveledge documents due to the Attorneys' "absent" supervision.

"It is a familiar story. A client discloses thousands of privileged documents from an electronic universe of many millions due to alleged failures to supervise a computer consultant. The mistaken production results in a heated clawback motion, in which a judge finds that the attorneys did not take the “reasonable steps” required by law to prevent the disclosure.

Those are the facts arising from Blythe v. Bell, a little-reported lawsuit over the control of a sportswear manufacturer in Hickory, North Carolina. The case, in a state business court in Catawba County, bears uncanny resemblance to the high profile J-M Manufacturing skirmish and countless more suits that are either unreported or have yet to happen."
"Hickory Brands hired a service provider called Computer Ants, whose owner and operator, Thomas Scott, testified to never having performed forensic services in the context of a lawsuit.  Scott, who the defendants tasked with producing documents responsive to search terms from a total of 308 million potentially relevant files on 35 computers and six servers, had previously worked as a truck driver and a security manager for Bass Pro Shop."
The result was the delivery of 1,700 sensitive documents to the opposing counsel that resulted in a heated clawback motion, in which the judge found that the attorneys did not take the "reasonable steps" required by law to prevent the disclosure.
This case highlights what I wrote about in "Digital Forensics for Legal Professionals" on selecting an expert and the difference between a computer expert and a forensic examiner.
I cannot express strongly enough the risk associated with picking a computer for digital forensics contractor to use in civil and criminal cases. 
A recent experience helps to illustrate this:
I recently testified in a military court where the government was offering an expert for a fraud case and I was asked to explain the difference between hiring someone with my background versus the alternative expert, a government employee, who had a Masters Degree in Network Security, but did not have any forensic training or experience.
To his credit, he freely expressed that he did not know anything about forensic examinations, how to craft language to get information from ISPs or how to find the custodian of records for same.
I explained for the court, specifically the military judge, prosecutor and defense counsel how to go about tracking an IP address from the service provider and connect it to a particular subscriber.  As well and the process for locating information regarding on-line fraud on a computer.
The result was that the court approved me as the expert for the defense, however, the prosecutor immediately withdrew the charges.  So I did not get hired.  But the important thing is that I got a chance to educate a judge and some attorneys on the difference between a qualifed examiner and a network security administrator.
While he had tons of expertise in what he does, it is not what we do as forensic examiners.  As the case I mentioned above points out, failing to hire the right kind of expertise is risky for clients and attorneys.
And while it can be an expensive mistake in a civil case, it can be devasting in a criminal case where a person's freedom and perhaps even their life is in the balance.

Monday, November 26, 2012

Casey Anthony - Detectives Miss Google Searches

Apparently, this is the case that will never be resolved, in spite of the fact that the case has been tried and the defendant acquitted.

When I located these searches on the computer in January of 2009, I brought them to Jose's attention so he would be aware of them.  I gave Jose anlaysis of the searches in February of 2009 at the AAFS conference in Denver, CO.

While I am not going to re-hash the computer forensics, nor will I get into a debate with other people who have examined the evidence after the trial, I will say that I verified the time stamps based on the evidence I had, which was the forensic images of the Anthony's computers, all of the OCSO computer forensic reports and supplemental or derivative data and I am confident in my analysis.

I watched Nancy Grace last night that made me reflect on this case a bit more.  First of all, if you watched Nancy Grace, and other media outlets for that matter, a lot was made of this missed evidence. 

What bothers me the most about the media reports, is that they are reporting on unverified results of an analysis done by someone far after the fact.  One of the major points that Nancy Grace spent a lot of time harping on was the time stamps.  Since she did not like the time stamp being an hour eariler than reported, she ignored it and kept showing the later time stamp in her program.  With comments, that of course, lead to the only possible conclusion, that Casey Anthony did these searches and she has to be guilty.  She had to be at the computer because of such and such. She opines that if only the OCSO had found the searches, the case would have concluded differently.

Then, later on she reports that "According to one expert, there were 84 chloroform hits".  Well, I addressed this eariler as did several other people in the forensic community.  The "other expert" was wrong.  This was verified by me personally before and during the trial,  as well as others who had the evidence after the trial.  But, those little "facts" don't seem to deter people like Nancy Grace and other media outlets from spouting all kinds of stuff, without verification.

I also find it interesting, that in all of this, Nancy Grace's opinion is that the way the defense team knew about the internet searches was probably because Casey told them about it.  Or, maybe the evidence just magically appeared, hovering in the air in front of the defense team lawyers.  All they have to do is read a little more of Jose's book to determine the source of the evidence provided to the defense team.  Or, they could simply take a look at the defense witness list that included only three names and was made public months before trial.  But, I suppose that is a little too much work to do.

It is funny in a morbid sort of way that Nancy Grace talks about how she cares about the truth, but apparently in her world, the truth has  nothing to do with facts.  Especially if the facts are an "inconvenient truth".

Probably the most disturbing thing I saw was Sandra Cawn-Osborne's response; "I wasn't told to search for suffocation."  One thing I will say to that is that she was not alone in the analysis of the computer forensics, she had help from her supervisor, who was a teacher in the Digital Forensics Master's program at the University of Central Florida.  Ponder that one.

That leads to what I really want to point out in this post;  It does not matter what "side" you are on in a case, what matters is that you understand what is at stake and act accordingly. 

This was a death penalty case and the stakes were the highest they can be: Taking a person's life. 
In the Anthony case, like many death penalty cases I have done, we have to ignore the media, the pundits and the arm chair experts and do our jobs without making any judgements about the defendant or anyone else in the case.  As a forensic examiner, our job is to find everything that may be of use in the case; good, bad or indifferent, and properly interpret that for the legal team.  Not to make moral judgements or drink the media coolaid.

That means that you have to be extremely thorough and that you have to keep asking yourself, "Did I miss anything?  Could I have looked elsewhere?  Did I follow good procedure to make sure I covered all the potential bases for evidence that may exist?"

What makes murder cases harder to do than some other types of cases is that your examination is not limited to a specific type of evidence artifact.

For instance, in child pornography cases, you are looking for a specific set of artifacts to support or attack a charge.  In financial cases, your focus will be on financial records, email between participants and so on.  In an alleged rape case you may be looking for text messages, videos, voicemails and email as well as internet history.

But in a murder case, you will be looking a much wider range of potential evidence, including evidence about timelines, computer activity, conversations, communications, and so on.  You may need to examine evidence involving witnesses and the victim.  All of this is to make sure that the legal team has everything that is related to the case, but not just a data dump.  Whatever you find and produce has to be properly presented and interpreted so the legal team can understand it in the framework of the case. And it must be checked and double checked for accuracy.  Is that time stamp what it appears to be? (See my recent post on computer time.)

The other thing we have to keep in mind, at least I do, is I always operate on the belief that anything I can find, they can find, and I conduct my examinations accordingly.

The media is acting like this is the first time someone has missed some critical piece of digital evidence in case.  Let me assure you, that is not the case.  What makes this such a huge deal is that it is an extremely high profile case that the media just loves to beat like a dead horse since it has a very large following of people who are invested in the case, for what ever their reason may be.  It's good TV and drives ratings.

For us as forensic examiners, this case should be studied as a cautionary tale.  Be thorough, verify, verify again, get help if you need it.

Wednesday, August 15, 2012

A Brief History of Time : Forensic Time

Time.  It is so embedded in our lives that we cannot even think without thinking of it as it forms the context within which we live.  And it would be fun to ramble on about time, from Einstein's concept of Space-Time to the neurologists' discovery that time is "perceived" to even the current thinking that time, if it had a beginning, must have an end, which drives the physics people a little nuts since they can't use the infinity symbol in their calculations.  At least at the quantum level. Plus it puts a bit of a pinch in the whole "Diamonds are forever" thing.

Anyway, since I am sitting in my hotel in Kansas City unable to get some sleep before I catch a ridiculously early flight to Chicago in the morning,  I was thinking about time in forensics and it occurred to me, which sometimes I can be Captain Obvious,  that forensics is all about time; specifically about the past time.  Forensics is a backward looking discipline, and unless you are in a science fiction novel or movie, it is never predictive from a time standpoint.

How many times, (see what I mean?), have you heard some TV detective ask the coroner or forensic pathologist about the "time of death"?  He or she never answers with, "Tomorrow about 5 PM."

In the world of digital forensics, time is a factor in just about every case.  It is inescapable, since when something occurred is critical to knowing if it is relative or not.

Did that phone call happen before or after the car accident?  What about the text message?  Were the computer files downloaded on a particular date?  Did the user modify the times to cover up their tracks when editing that contract?

Those and dozens of other questions about time are posed in almost every case I know of.  But, how reliable are those times?

You see, we tend to think in general that the time on the computer is correct, or the time on the cell phone is right on.  But can those times be relied upon to "prove" that such and such occurred when we think it did?

The answer is yes and no.  In fact, getting the times right is one of the most critical and difficult parts of any digital forensics case. 

MAC Times:

Modified, Accessed and Created dates and times in computer forensics are highly relied upon in many examinations.  And they are one of the most common to get wrong.  But, how can it be that an examiner would get the times wrong?

Point 1: One of the fundamental aspects of examining digital evidence is to check the time on the device from which the evidence is collected.  Yet, I am reading forensic reports every day that do not have the time of the device in the report.  If you don't get the time from the device, how do you have any idea that the time on the hard drive, cell phone, GPS device, or video unit are correct?  Well, to put it simply, you don't.

Now you may be thinking, "Wait just a darn minute here. Cell phones always have the correct time because they get their time from the cellular system."  And my reply would be, "Not so my forensic friend.  You can set your phone to stop syncing with the network for its time and set it to what ever you please.  You could take some pictures, send some texts, make some calls and the phone would stamp them with the date and time it thinks it is."  And of course I have to qualify that statement with, "It depends on the phone of course."  But off hand, try it with your iPhone and you will see what I mean.

Point 2: Are you in the zone?  It can be a little embarrassing for a forensic examiner to make a big deal out of the time stamps occurring before or after the incident happened, only to find out on the witness stand he forgot to adjust his forensic software for the time zone of the device. Oops.

Or to not realize that some parts of the country have no respect for that pesky daylight savings time and therefore don't change with the rest of us "normal" people.

Or to not notice that the time stamps for a piece of evidence are in GMT or UMT depending on your preference and don't calculate the offset for that GPS record.

What about call detail records?  Is the time of the phone call based on the time at the local switch, or it is based on the time at the data center for the phone's carrier?

Point 3: Are you sure?  One of the simplest mistakes to make as a forensic examiner is to assume that you are correct without checking your facts.  What's the expression? Check yourself before you wreck yourself?  We should all print that out in big letters and staple it up over our forensic work areas.

MAC times on computers are not always what they seem.  In fact, they are rarely what they seem to the point that you should be suspicious if any date and time stamp unless you know for sure why and how it was recorded.  The thing is, MAC times on computers are recorded based on the function or activity that is occurring that causes the time stamp to change.

And since different operating systems also treat time stamping differently, it can be even more confusing.  For instance, Windows NT and Windows XP have different delays before they will create a new time stamp.  Windows Vista and forward don't even bother to update the last accessed date any more, so that time stamp becomes moot from a forensic standpoint.

And, to make it even more fun, different operating systems use different date formats, such as Epoch time, absolute time and so forth.

Does the MAC OS record time stamps like Windows? Of course not.  Nor does Linux or Unix.

Does an activity on a MAC cause time stamps to be recorded the same as the corresponding activity on a Windows computer.  Nope.

How about that thumb drive you have there.  Is it formatted FAT32? Then it will handle time stamps differently from your Windows computer that is formatted NTFS.

Time is embedded all over the place.  It's in the file systems of computers and media storage devices, embedded inside pictures and documents and PDF files.  How about that facsimile machine's transaction log?  Its in the header of emails.

So when you are doing an examination, what kinds of things should you always be asking yourself about a date and time stamp?

Do I know what the time was on the device that stamped the time on the evidence?
Do I know what time zone applies?
Did I set the offset in my forensic software correctly?
Do I know what caused the stamp to be created and or changed and why?
Did I get the offset or conversion right from UMT, EPOCH or Absolute time right?

You could write a whole book just on computer time stamps. I'm not, but you could if you wanted to.

Just remember as you are writing that forensic report: Check yourself before you wreck yourself.