Wednesday, August 3, 2016

Pokemon Go: The Perfect Storm of Novelty and Nostalgia

Have you noticed more people than normal exhibiting traits of the aptly named "text neck"? It sure seems like I have.  Well, statistics would seem to verify our observations.  Pokemon, created by Satoshi Tajiri in 1995, is one of the most successful franchises in history, and is still breaking new ground twenty years after its inception. What we have is the perfect storm of novelty and nostalgia.  The idea of Pokemon Go, while not the first, is without question the most successful iteration of what is known as a "location-based augmented reality game".

Basically, in Pokemon Go you create a character whose objective is to locate Pokemon (mythical creatures) who appear on your phone, and then catch them by throwing (swiping your finger on the screen) a Pokeball.  What makes Pokemon Go such a phenomenon is that you can't play this game sitting at home; it requires that you go outside in the fresh air. You are a Pokemon Trainer, traveling to locations in the real world where the Pokemon roam, and the Boomers and Millennials play.

Anything that gets people moving can be seen as having a level of redeeming value, but just as with any new technology or application, Pokemon Go represents unique issues in our increasingly plugged-in and distracted age.   The National Safety Council (NSC) released a survey on the use of cell phones while driving, reporting that 74% of participants use Facebook while behind the wheel.  Now take into account that mobile users are spending more time on Pokemon Go than Facebook.  

Pokemon Go-related car accidents are already being reported due to distracted driving, with Pokemon Trainers crashing into police cruisers and into power poles.   This is not a surprise to the forensic examiners at Guardian Digital Forensics.  Our experts have performed forensic examinations on thousands of cell phones, and have seen firsthand the problem and potentially lethal outcome of distracted driving since the advent of text messaging.  While distracted driving is an obvious issue related to any popular mobile application, there are also reports of suspects using Pokemon Go to lure robbery victims and stealing the cell phones of Pokemon Go players at gunpoint.

Cell phone forensic experts and forensic tool creators alike are hard at work figuring out how to parse the data created by Pokemon Go.  If the popularity of this game persists (and it shows no sign of waning), then forensic data recovered from Pokemon Go will be coming to litigation near you.  Pokemon Go represents another set of forensic artifacts that can be used to determine user activity alongside the staples such as text messages, emails, messaging applications, videos, pictures, Internet history, and a myriad of other data types; all of which forensic examiners can recover from a cell phone, including data that is believed to be deleted.

The work of a digital forensic expert is never done in our rapidly changing digital world.  When it comes to forensic artifacts, we "Gotta Catch 'Em All".

Saturday, July 2, 2016

Adnan Syed Gets New Trial - The Serial Podcast

Several months after the hearing on two key elements of the first trial, in which Adnan Syed was convicted of killing his high school girlfriend, he has been given a new chance at freedom.

In an opinion handed down a couple of days ago, the Judge in the case granted Mr. Syed a new trial based on the AT&T call detail evidence.

The original records used by the prosecution at trial to show that Mr. Syed was in the general area of the location where the decedent's body was found were flawed, because AT&T's own documentation clearly stated that the location information for those incoming calls was unreliable.

In spite of the fact that the prosecution's expert did everything he could during his testimony to convince the judge that AT&T was wrong and his opinion was correct, it did not work.

The fact in contention was that AT&T had a clear statement on the cover sheet for the records saying that location information for incoming calls was unreliable.

Justin Brown was the lead attorney for the defense in this hearing and my friend Jerry Grant was the testifying expert for the defense.

I can share with you that Justin Brown, Jerry Grant and I put in a lot of time not just on this hearing, but also on this one issue to make sure that the judge heard the truth about the records in spite of claims to the contrary by the prosecution.

I want to say thank you to everyone at the "Serial" podcast for doing such an amazing job at analyzing and publicizing this case and to Justin Brown, his co-counsel, Christopher Nieto, and to Jerry Grant, a good friend and excellent expert for making this become a reality for Mr. Syed.

Monday, November 17, 2014

Cell Phone Tracking via Call Detail Records

We live in a world today where individuals’ movements and locations are being recorded in many different ways.  These movements and locations are commonly being used as evidence in civil, criminal and domestic litigation.  It is of paramount importance that anyone who is involved in litigation that uses cellular location evidence understands the appropriate and inappropriate use of this type of location data.

Recent decisions by some courts have made it possible for government agencies to obtain real time tracking information using an individual’s cellular phone or other cellular device without having to show probable cause or obtain a search warrant.
Additionally, the government and courts continue to maintain the position that obtaining historical call detail records for an individual does not require probable cause or a warrant since the person holding the cell phone is voluntarily providing their location data to a third party, namely the cellular service provider.  However, obtaining real time geo-location of a cell phone via the emergency 911 (E911) system in many cases requires either a warrant or permission from the cellular carrier.

What is Cellular Data Analysis?

Cellular data analysis is the process of collecting, analyzing and presenting the approximate location of a cell phone or other cellular device based on data obtained from the wireless company or in some rare cases, from the device itself. 
There are several types of cell phone location data that can be collected and examined:
· Carrier-based location data is collected by obtaining historical call detail records for a particular phone from the cellular carrier, along with a listing of the cell tower locations for that carrier.  This data is then analyzed for the purpose of generally placing a cell phone in a location on a map.  This is NOT triangulation.
· Cellular data in the form of "pings", which is real-time geo-location tracking of a cellular phone or other cellular device by activating the emergency 911 system (E911), which will then use either a network-based or handset-based method for locating the phone and will provide a location estimate generated via triangulation of the phone handset.
· Law enforcement may issue a warrant or use an exigent circumstance application to get real-time call detail activity for a phone.  This is the same type of data contained in a historical call detail record, but it is provided in real time.
· Cellular data may come from the device itself in the form of GPS location data, either from an application running on the phone, a geo-tagged picture or some other data point.
What is important to understand about geo-location of a cellular phone or other cellular device is that the accuracy of the geo-location is dependent on a number of factors, not the least of which is the ability of the analyst to properly interpret and present the data and the methods used to present the information.

How is Cellular Data Analysis Used?

Cellular data analysis is used quite often in criminal cases to attempt to locate a person of interest, either as they go about their criminal enterprises, or in relation to a particular incident or crime.
This type of analysis is also used in civil litigation involving vehicle accidents, property damage claims and other types of cases where the location of a particular cell phone at a particular time is of interest.

What about Triangulation?

The term triangulation is often misused and applied to the analysis of historical call detail records.  Call detail records only contain information about the single cell tower that was used when a call was made.  To triangulate the location of any phone or object you have to have a minimum of three points of reference.

Is There an Accurate Way to Track a Cell Phone Location?

Yes, but it can only be done in real time by using the cellular system or the cellular phone’s GPS unit to track the phone.
There are basically three ways to locate a phone using technology: handset-based GPS, network-based triangulation and hybrid location.
By law, cell phones are supposed to contain a GPS chip for the purpose of locating the phone in an emergency.  However, even today, not every phone has GPS capability.
The most accurate way to locate a phone is by activating the phone's on-board GPS unit and allowing that to provide the phone's location back to the wireless company for transmittal to authorities.  Handset-based GPS location is supposed to be accurate within 50 feet.
The second way to locate a cell phone is by triangulating the phone using network-based location services.  What this does is calculate the position of the cell phone relative to three or more cell towers using round-trip delay, and provides that location information back to the wireless company.
The third way to locate a cell phone uses a combination of network-based triangulation and local wireless router locations.  However, this is not in common use to the best of my knowledge at this time.
When a cell phone user calls 911 on their cell phone, the 911 operator will get a cell tower location, a sector and in some cases a GPS location for the phone.
However, these locations can be off up to several thousand feet from the actual location of the phone.  In order to make sure that the GPS location is as accurate as possible, the PSAP (Public Safety Access Point) operator should manually update the location from their terminal.
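The following Python script is an added example, not part of the original post, illustrating the difference between the network-based method described above and what a call detail record can support. It assumes a constructed scenario: three towers on a local planar grid, a handset at a known point, and round-trip delay (RTD) measurements derived from that point. With three distances the position solves exactly; with one tower (all a historical call detail record gives) there is only a ring, so the function refuses. It also shows how a small timing error in the RTD moves the estimate, which is the kind of error the post says can put E911 locations off by thousands of feet.

```python
"""Network-based trilateration from round-trip delay (added example).

A tower can measure the round-trip delay of a signal to a handset; RTD
converts to a distance, and three or more distances fix a position.
A single tower yields one distance, a ring around the tower, never a point.
"""
from math import hypot

SPEED_OF_LIGHT_M_PER_S = 299_792_458.0


def rtd_to_distance_m(rtd_us):
    """Round-trip delay in microseconds -> one-way distance in metres."""
    return SPEED_OF_LIGHT_M_PER_S * (rtd_us * 1e-6) / 2.0


def distance_to_rtd_us(distance_m):
    """Inverse of rtd_to_distance_m; used only to build the constructed data."""
    return 2.0 * distance_m / SPEED_OF_LIGHT_M_PER_S * 1e6


def trilaterate(towers, distances):
    """Exact solve for three towers on a local planar grid (metres).

    Subtracting the first circle equation (x-xi)^2 + (y-yi)^2 = di^2 from
    the other two leaves a 2x2 linear system in (x, y), solved with
    Cramer's rule. Fewer than three references is an error by design.
    """
    if len(towers) < 3 or len(distances) < 3:
        raise ValueError("triangulation needs at least three reference points")
    (x1, y1), (x2, y2), (x3, y3) = towers[:3]
    d1, d2, d3 = distances[:3]
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1 ** 2 - d2 ** 2 - x1 ** 2 + x2 ** 2 - y1 ** 2 + y2 ** 2
    b2 = d1 ** 2 - d3 ** 2 - x1 ** 2 + x3 ** 2 - y1 ** 2 + y3 ** 2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("towers are collinear; position is ambiguous")
    x = (b1 * a22 - a12 * b2) / det
    y = (a11 * b2 - a21 * b1) / det
    return x, y


def locate_from_rtd(towers, rtd_us):
    """Position estimate from per-tower round-trip delays (microseconds)."""
    return trilaterate(towers, [rtd_to_distance_m(r) for r in rtd_us])


# Constructed scenario (assumption, not real site data): three towers on a
# local grid and a handset at a known point used to generate the RTDs.
TOWERS = [(0.0, 0.0), (3000.0, 0.0), (0.0, 4000.0)]
TRUE_POSITION = (1200.0, 900.0)
RTD_US = [distance_to_rtd_us(hypot(TRUE_POSITION[0] - tx, TRUE_POSITION[1] - ty))
          for tx, ty in TOWERS]


def position_error_m(towers, rtd_us, timing_error_us=0.0):
    """Distance from the trilaterated point to the true position when every
    RTD carries the same timing error (1 us of RTD is about 150 m of range)."""
    x, y = locate_from_rtd(towers, [r + timing_error_us for r in rtd_us])
    return hypot(x - TRUE_POSITION[0], y - TRUE_POSITION[1])


if __name__ == "__main__":
    print("exact solve:", locate_from_rtd(TOWERS, RTD_US))
    print("error with 1 us timing error: %.0f m" % position_error_m(TOWERS, RTD_US, 1.0))
    try:
        trilaterate(TOWERS[:1], [rtd_to_distance_m(RTD_US[0])])
    except ValueError as exc:
        print("single tower:", exc)
```

The planar grid keeps the algebra honest for distances of a few kilometres; a real network solution also has to handle multipath, clock error and towers that are nearly collinear, which is why the example treats a zero determinant as a failure rather than returning a number.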

Is cell tower tracking evidence junk science?

Generally, locating a cell phone based on its historical call detail records for towers used at particular dates and times is an acceptable method and is based on the simple fact that cell phones do connect to cell towers.  From that standpoint, it is not junk science. However, it is a science that is easily misinterpreted and misstated when prepared and/or presented by persons not qualified to do this type of analysis.  The concept of plotting the locations of cell towers on a map is simple.  Understanding and explaining the underlying technical issues and considerations is extremely complex.

Is there a good use for cellular location evidence?

Properly applied and interpreted cell phone location evidence can be helpful in many cases.  The issue is the overstatement of the accuracy of the phone's location.
For instance, if the phone is using a cell tower in a particular town where an incident occurred and the person who was in possession of the phone claims to have been in a different town, it is a simple presentation to dispute the person’s claim.
Another good use is for tracking a phone across a distance based on cell tower usage.  While the analyst cannot claim a particular road was used, the cellular evidence can certainly illustrate for a jury that the phone did in fact travel from one city to another or some area to another.
In a recent case cell tower evidence was used to show that a phone call was made near the location of the defendant’s home and a subsequent call was located near his place of employment.  At issue was whether or not it would be possible for the defendant to travel to another location, commit a burglary and still make it to the location near his work in the time span between the calls.  By combining the cell phone locations, time estimates from Google Maps and the location of the burglary, the jury was convinced that the defendant could not have committed the burglary and still made it to the location of his work in rush hour traffic in Washington, DC.
Cellular evidence can also be used to show that a phone was near a particular area of interest with some reasonable confidence.   And with more data points, this kind of analysis can be helpful in showing that even if the analyst cannot determine why the phone picked a particular tower, dozens of uses of the same tower in a short time would lend itself to showing that the phone was using that tower over other towers nearby on a consistent basis.
The other side of cellular evidence is the use of call detail records to show communications via voice, data or text in the context of a timeline.  In a recent case involving a tractor trailer truck involved in an accident, it was clear from the call detail records that the driver was not using his cell phone for phone calls or text messages near the time of the accident.  The issue for the attorneys who brought in an expert in the case was the time stamps on the call detail records.  Initially it appeared that the times for the phone calls were within minutes of the accident.  However, once it was determined that the time stamps were dependent on the time zone of the cellular switch used to handle the call, the time was over an hour prior to the accident.  In this case, the truck driver was in the Eastern Time zone when the accident occurred, but the switch that processed the calls was in the Central Time zone, and some of the calls reflected the time from the switch. Once the time stamps from the call detail records were moved an hour earlier, the issue was resolved.
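The following Python script is an added example, not code from this blog or from any carrier tool, that works through the timeline issues in this post and the AT&T caveat from the Adnan Syed post above. All tower coordinates and call detail rows are constructed; the switch zones, tower ids and site labels are assumptions. It normalizes each row from the zone of the switch that stamped it to the phone's local zone before comparing it with an event time, drops incoming-call locations that the carrier itself labels unreliable, counts repeated uses of one tower inside a window, and computes the straight-line speed implied by two located calls as a lower bound on the travel needed (a road-route estimate, as the post got from Google Maps, would only make the bound larger).

```python
"""Constructed call detail record (CDR) timeline analysis (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone
from math import asin, cos, radians, sin, sqrt

try:
    from zoneinfo import ZoneInfo
    ZONES = {"Eastern": ZoneInfo("America/New_York"),
             "Central": ZoneInfo("America/Chicago")}
except Exception:  # no tz database on this host: fall back to standard-time offsets
    ZONES = {"Eastern": timezone(timedelta(hours=-5)),
             "Central": timezone(timedelta(hours=-6))}

LOCAL = ZONES["Eastern"]  # zone the phone (and the accident) were in

# Constructed tower list (assumption): id -> (site label, latitude, longitude).
TOWERS = {"T101": ("home-area site", 38.9000, -77.0300),
          "T202": ("work-area site", 38.9200, -76.9900)}

# Constructed CDR rows: (switch time stamp, switch zone, direction, tower, sector).
# The last row was processed by a switch in another zone, so its stamp
# must not be read as local time.
CDR_ROWS = [
    ("2014-11-10 07:02:00", "Eastern", "outgoing", "T101", 2),
    ("2014-11-10 07:05:00", "Eastern", "incoming", "T101", 1),
    ("2014-11-10 07:11:00", "Eastern", "outgoing", "T101", 2),
    ("2014-11-10 08:40:00", "Central", "outgoing", "T202", 3),
]

ACCIDENT = datetime(2014, 11, 10, 8, 45, tzinfo=LOCAL)   # constructed event time
WINDOW_START = ACCIDENT - timedelta(hours=2)


def parse_rows(rows, trust_switch_zone=True):
    """Return records with time-zone aware local times, sorted by time.

    trust_switch_zone=False reproduces the mistake described in the post:
    every stamp is read as if the switch sat in the phone's own zone.
    """
    out = []
    for stamp, zone, direction, tower, sector in rows:
        naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        src = ZONES[zone] if trust_switch_zone else LOCAL
        out.append({"time": naive.replace(tzinfo=src).astimezone(LOCAL),
                    "direction": direction, "tower": tower, "sector": sector,
                    # carrier caveat: incoming-call locations are unreliable
                    "location_reliable": direction != "incoming"})
    return sorted(out, key=lambda r: r["time"])


def minutes_since_last_call(rows, event_local, trust_switch_zone=True):
    """Minutes from the last call preceding the event to the event (None if none)."""
    before = [r["time"] for r in parse_rows(rows, trust_switch_zone)
              if r["time"] <= event_local]
    if not before:
        return None
    return (event_local - max(before)).total_seconds() / 60.0


def tower_usage(rows, start, end):
    """Count uses of each tower in [start, end], ignoring unreliable locations."""
    return Counter(r["tower"] for r in parse_rows(rows)
                   if r["location_reliable"] and start <= r["time"] <= end)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def min_speed_kmh(rows):
    """Straight-line speed between the first and last reliably located calls:
    a lower bound on the travel speed the records imply."""
    recs = [r for r in parse_rows(rows) if r["location_reliable"]]
    first, last = recs[0], recs[-1]
    _, la1, lo1 = TOWERS[first["tower"]]
    _, la2, lo2 = TOWERS[last["tower"]]
    hours = (last["time"] - first["time"]).total_seconds() / 3600.0
    return haversine_km(la1, lo1, la2, lo2) / hours


if __name__ == "__main__":
    print("stamps read as local:", minutes_since_last_call(CDR_ROWS, ACCIDENT, False), "min")
    print("zone corrected:      ", minutes_since_last_call(CDR_ROWS, ACCIDENT), "min")
    print("tower usage in window:", dict(tower_usage(CDR_ROWS, WINDOW_START, ACCIDENT)))
    print("implied speed: %.1f km/h" % min_speed_kmh(CDR_ROWS))
```

In the constructed data the Central-switch row reads as five minutes before the accident if its stamp is taken at face value, but after zone correction that call falls after the accident and the last preceding call is over an hour and a half earlier; the direction of the shift depends only on which zone the switch sits in relative to the phone, so the correction has to be applied row by row from the switch zone, never as a blanket offset.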

Thursday, November 13, 2014

Jodi Arias - Computer Evidence Destroyed by the Police?

The defense in the Jodi Arias case has raised a significant issue of evidence tampering by the police in this case.  The motion alleges that evidence was purposely deleted from the victim's computer while it was in the custody of the police.

You can read the full article here.

Wednesday, August 27, 2014

Are you really anonymous on the TOR network? Federal Cybersecurity Director Found Guilty on Child Porn Charges

Federal Cybersecurity Director Found Guilty on Child Porn Charges

"Tor is free software that lets users surf the web anonymously. Using the Tor browser, the traffic of users is encrypted and bounced through a network of computers hosted by volunteers around the world before it arrives at its destination, thus masking the IP address from which the visitor originates. "

"As the acting cybersecurity chief of a federal agency, Timothy DeFoggi should have been well versed in the digital footprints users leave behind online when they visit web sites and download images.

But DeFoggi—convicted today in Maryland on three child porn charges including conspiracy to solicit and distribute child porn—must have believed his use of the Tor anonymizing network shielded him from federal investigators.
He’s the sixth suspect to make this mistake in Operation Torpedo, an FBI operation that targeted three Tor-based child porn sites and that used controversial methods to unmask anonymized users."

Link to the full article.

What's the takeaway?  Never believe you are completely secure in your dealings with any method of communication.

Friday, February 7, 2014

Computer investigator pleads guilty to misrepresenting credentials

"A Rye private investigator who has received $23,000 from the state since 2006 to do computer forensic investigations for indigent defendants pleaded guilty last week to misrepresenting some of her investigative certifications on her company's website.
Judith Gosselin, owner and sole employee of J.A.G. & Co. in Hampton, claimed to be a “certified computer examiner” and to be trained as an ethical hacking forensic investigator when she wasn’t, according to court records.
Gosselin, who has worked for the state, federal public defender offices, and civil and criminal defense attorneys here and outside the state, avoided jail time in exchange for her guilty plea to a misdemeanor charge of unfair and deceptive business practices. She did receive a 12-month suspended jail sentence.
She was fined $2,000, ordered to reimburse the state’s indigent defense fund $3,500 for her work on a recent case and to “not ever accept any criminal case in the state of New Hampshire in any capacity,” according to her sentencing order.
A current count of Gosselin's cases was not available last week. But while testifying for the defense in a criminal trial in Rockingham County in 2008, Gosselin said she had done 154 computer-related investigations, had been an expert witness in 36 cases and had testified in five trials on criminal and civil matters. She was then charging $254 an hour, according to her trial testimony. She has been doing computer investigations since 2000, according to her resume."
Make sure you read the whole article as this is an interesting case.

Wednesday, November 6, 2013

Anal probes? A new kind of abduction scenario that started with clinched butt cheeks.

Forget about aliens and UFOs.  Instead of watching the sky, apparently we need to be watching the police.

"The incident began January 2, 2013 after David Eckert finished shopping at the Wal-Mart in Deming.  According to a federal lawsuit, Eckert didn't make a complete stop at a stop sign coming out of the parking lot and was immediately stopped by law enforcement.    
Eckert's attorney, Shannon Kennedy, said in an interview with KOB that after law enforcement asked him to step out of the vehicle, he appeared to be clenching his buttocks.  Law enforcement thought that was probable cause to suspect that Eckert was hiding narcotics in his anal cavity.  While officers detained Eckert, they secured a search warrant from a judge that allowed for an anal cavity search. 
The lawsuit claims that Deming Police tried taking Eckert to an emergency room in Deming, but a doctor there refused to perform the anal cavity search citing it was "unethical."
But physicians at the Gila Regional Medical Center in Silver City agreed to perform the procedure and a few hours later, Eckert was admitted.

What Happened

While there, Eckert was subjected to repeated and humiliating forced medical procedures.  A review of Eckert's medical records, which he released to KOB, and details in the lawsuit show the following happened:
1. Eckert's abdominal area was x-rayed; no narcotics were found.
2. Doctors then performed an exam of Eckert's anus with their fingers; no narcotics were found.
3. Doctors performed a second exam of Eckert's anus with their fingers; no narcotics were found.
4. Doctors penetrated Eckert's anus to insert an enema.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
5. Doctors penetrated Eckert's anus to insert an enema a second time.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
6. Doctors penetrated Eckert's anus to insert an enema a third time.  Eckert was forced to defecate in front of doctors and police officers.  Eckert watched as doctors searched his stool.  No narcotics were found.
7. Doctors then x-rayed Eckert again; no narcotics were found.
8. Doctors prepared Eckert for surgery, sedated him, and then performed a colonoscopy where a scope with a camera was inserted into Eckert's anus, rectum, colon, and large intestines.  No narcotics were found.
Throughout this ordeal, Eckert protested and never gave doctors at the Gila Regional Medical Center consent to perform any of these medical procedures.
"If the officers in Hidalgo County and the City of Deming are seeking warrants for anal cavity searches based on how they're standing and the warrant allows doctors at the Gila Hospital of Horrors to go in and do enemas and colonoscopies without consent, then anyone can be seized and that's why the public needs to know about this," Kennedy said."

Here is a link to the full story.

Here is a link to the PDF of the lawsuit.

Monday, October 28, 2013

Is Your GPS Bracelet Listening?

Here is an article from The Crime Report about some GPS bracelets that have a cellular telephone capability built into the bracelet.

The implications are interesting, to say the least.

Caution: Your GPS Ankle Bracelet Is Listening

Thanks to Sarah R. Olson at the NC Indigent Services for sharing this link with me.

Tuesday, October 22, 2013

Computer Forensics Job Opening

The Baltimore Police Department has an opening for a Computer Forensics examiner.

The link to the post is here:

Computer Forensic Examiner Opening

Job Title:Computer Forensic Examiner I
Closing Date/Time:Fri. 11/08/13 4:30 PM Eastern Time
Salary:$25.07 - $31.23 Hourly
$45,630.00 - $56,836.00 Annually
Job Type:MERIT
Location:Towson, Maryland

Thursday, August 29, 2013

Cell Tower Dumps

Cell Tower Dumps are used in cases where the FBI or local law enforcement is attempting to determine a cell phone number or numbers that can be used to investigate a crime.

I have seen cell tower dumps in several cases I have handled.  Here is an excellent article about this investigative technique from Ars Technica.

It is well worth the read.

How “cell tower dumps” caught the High Country Bandits—and why it matters