Friday, December 12, 2008

UK police: 'We need crime breathalysers for PCs'

“UK police are hoping to one day develop a breathalyser-style tool for computers that could instantly flag up illegal activity on any PC it's attached to.

Detective superintendent Charlie McMurdie, architect of the UK's Police Central E-crime Unit (PCeU), said front line police ideally need a digital forensic tool as easy to use as the breathalyser, to help them deal with growing numbers of computers being seized during raids on suspects' homes.

She told “Do we need to seize five computers in a suspect's house or could we use a simple tool to preview on site and identify there's that one email we are looking for and we can then use that and interview the person now, rather than waiting six to 12 months for the evidence to come back to us?” Source: sector.

If you think about it, it doesn't seem like such a crazy idea. Years ago I fooled around with Prolog, a programming language specifically for such programs.

What she is talking about is an expert system using fuzzy logic. Very similar to programs already in existence or in development in other fields like medical diagnostics and mechanical troubleshooting.

It is fun to theorize about how such a system could actually work:

First of all, each of the areas of investigation would need to be identified and analyzed for the type of expert knowledge required to perform that specific investigative task.

By the way, this should not be confused with some of the operations that some first responder software already performs, such as automatically collecting certain types of data from a suspect computer like Internet history or suspected child porn.

Data collection, while the primary driver for beginning the analysis, is only the start. Where the expert system software comes in is in duplicating to some degree what a computer forensics expert would do with that data. The analysis part of it.

Once a specific area of investigation is identified, several things would need to happen to begin to build such a system:

1. What data must be collected for that area?
2. What type of analysis must be done?
3. What type of information (expert knowledge) is needed to properly analyze that data?
4. How can the expert system analyze the data using fuzzy logic?
5. What would trigger a “hit”?
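To make the five questions concrete, here is an added example (not code from any existing police or forensic tool) that scores constructed email metadata with fuzzy membership functions and min/max rules. The case profile, feature names, ramp limits and the 0.6 hit threshold are all hypothetical assumptions.

```python
import re
from datetime import datetime

# Hypothetical case profile: the "expert knowledge" an examiner would supply.
CASE = {
    "incident": datetime(2008, 11, 20),
    "keywords": {"wire", "transfer", "invoice", "account"},
    "persons": {"j.doe@freemail.example"},
}

# Constructed email metadata standing in for data collected on site.
EMAILS = [
    {"id": "A", "sent": datetime(2008, 11, 19), "parties": ["j.doe@freemail.example"],
     "text": "wire transfer: send the invoice to the new account today"},
    {"id": "B", "sent": datetime(2008, 11, 5), "parties": ["news@shop.example"],
     "text": "your account statement, monthly offers inside"},
    {"id": "C", "sent": datetime(2008, 8, 1), "parties": ["j.doe@freemail.example"],
     "text": "lunch? see you friday"},
    {"id": "D", "sent": datetime(2008, 11, 12), "parties": ["j.doe@freemail.example"],
     "text": "call me about the transfer"},
]


def ramp(x, lo, hi):
    """Fuzzy membership rising linearly from 0 at lo to 1 at hi."""
    if x <= lo:
        return 0.0
    if x >= hi:
        return 1.0
    return (x - lo) / (hi - lo)


def memberships(item, case):
    """Turn raw collected data into degrees of truth between 0 and 1."""
    words = set(re.findall(r"[a-z]+", item["text"].lower()))
    days = abs(item["sent"] - case["incident"]).days
    return {
        # 3 or more distinct case keywords counts as fully "keyword rich"
        "keyword_rich": ramp(len(words & case["keywords"]), 0, 3),
        # within 2 days is fully "near"; beyond 30 days is not near at all
        "near_incident": 1.0 - ramp(days, 2, 30),
        "known_party": 1.0 if case["persons"] & set(item["parties"]) else 0.0,
    }


# Each rule ANDs its antecedents (min); rules are ORed together (max).
RULES = [
    ("keywords near incident", ("keyword_rich", "near_incident")),
    ("known party near incident", ("known_party", "near_incident")),
    ("known party using keywords", ("keyword_rich", "known_party")),
]


def score(item, case):
    """Return (degree, rule name) for the strongest rule that fired."""
    m = memberships(item, case)
    fired = [(min(m[a] for a in ante), name) for name, ante in RULES]
    return max(fired, key=lambda f: f[0])


def triage(emails, case, threshold=0.6):
    """Rank items whose degree reaches the hit threshold, strongest first."""
    hits = []
    for item in emails:
        degree, rule = score(item, case)
        if degree >= threshold:
            hits.append((item["id"], round(degree, 2), rule))
    return sorted(hits, key=lambda h: h[1], reverse=True)


if __name__ == "__main__":
    for hit in triage(EMAILS, CASE):
        print(hit)
```

Each hit carries the name of the rule that fired, so whoever reviews the result can see why an item was flagged rather than only that it was.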

As a computer forensics examiner and long time software designer and programmer, I find the idea very interesting and worth pursuing.

Now, who wants to give me some grant money to make this happen?

Wednesday, December 10, 2008

No Anti-Forensics Here

I recently received a comment on a specific method of anti-forensics prompted by one of my posts.  I rejected the comment and here's why:

I will not write about specific anti-forensic methods on this blog, nor will I publish comments that include such information.

For those willing to do the research, such information is available.  Just not here.

Thursday, December 4, 2008

Free Internet Email Accounts – A False Sense of Security

Lots of people have free email accounts from Yahoo, Hotmail, Google, and other vendors. And of course, the obvious reason is that they are free.

However, some people use these free email accounts for more nefarious reasons: Sending hate mail to someone, exchanging love letters with their paramour, extortion, scams, creating false alibis, etc. You name it and there is probably someone using one of these free email accounts to do it.

Here is what many of these people don't understand. And when I say these people, I am not talking about the sophisticated spammers and spoofers who use these to make a living. I am talking about your everyday computer user who decides that using one of these free accounts will guarantee their privacy or anonymity.

What can I say to those folks? Wrong!

First of all, it is relatively easy to backtrack an email from one of these accounts to the IP address of the originating computer or computer network (the IP address is a unique string of numbers used by a computer accessing the Internet). Now that may not get you to the actual sender's IP address if they are in a big network like a university or company, or if they are using a wireless hot-spot somewhere. Of course, if the wireless hot-spot requires an account, like many do, your information will be stored there somewhere as well, most likely by whatever company records your usage for billing to your credit card.

But in general, if the header can be gotten, tracking the email back to its source is simple and usually only takes a few minutes.
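The header walk described above, as an added example that is not part of the original post: it reads the `Received` lines oldest-first, skips internal-only addresses, and normalizes the hop time to UTC so it can be compared with a provider's access history. The sample message is constructed, its hosts and addresses are placeholders from documentation ranges, and the function names are hypothetical.

```python
import email
import ipaddress
import re
from datetime import timezone
from email.utils import parsedate_to_datetime

# Constructed sample message (not real traffic); hosts and IPs are placeholders.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.25])
\tby mail.recipient.example with ESMTP id abc123;
\tThu, 4 Dec 2008 10:15:07 -0500
Received: from webmail.freemail.example (out7.freemail.example [198.51.100.14])
\tby mx.recipient.example with ESMTP id def456;
\tThu, 4 Dec 2008 10:15:05 -0500
Received: from [192.0.2.77] by webmail.freemail.example via HTTP;
\tThu, 4 Dec 2008 07:15:03 -0800
X-Originating-IP: [192.0.2.77]
From: someone@freemail.example
To: recipient@recipient.example
Subject: constructed test message

body
"""

# Addresses that never identify a subscriber on their own
# (RFC 1918, loopback, link-local and their IPv6 counterparts).
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10")]
IP_RE = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def bracketed_ips(text):
    """Return the valid IP literals that appear in [brackets] in a header."""
    found = []
    for token in IP_RE.findall(text):
        try:
            found.append(ipaddress.ip_address(token))
        except ValueError:
            pass  # bracketed text that is not an address
    return found


def is_internal(ip):
    return any(ip in net for net in INTERNAL)


def parse_hops(raw):
    """Parse Received headers into hops, ordered oldest (sender side) first."""
    msg = email.message_from_string(raw)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # undo header folding
        info, sep, stamp = flat.rpartition(";")   # timestamp follows the last ';'
        if not sep:
            info, stamp = flat, ""
        try:
            when = parsedate_to_datetime(stamp.strip()).astimezone(timezone.utc)
        except (TypeError, ValueError):
            when = None
        hops.append({"ips": bracketed_ips(info), "utc": when})
    hops.reverse()  # each server prepends its line, so the file order is newest-first
    return hops


def trace_origin(raw):
    """Find the earliest non-internal address in the relay chain.

    Only lines added by servers the examiner trusts are reliable; anything a
    sender's own software wrote below them has to be corroborated, for example
    against the provider's access history for the account.
    """
    hops = parse_hops(raw)
    claimed = bracketed_ips(email.message_from_string(raw).get("X-Originating-IP", ""))
    origin, seen, internal = None, None, []
    for hop in hops:
        for ip in hop["ips"]:
            if is_internal(ip):
                internal.append(str(ip))
            elif origin is None:
                origin, seen = ip, hop["utc"]
        if origin is not None:
            break
    return {
        "origin_ip": str(origin) if origin else None,
        "seen_utc": seen.isoformat() if seen else None,
        "internal_ips": internal,
        "hop_count": len(hops),
        "matches_x_originating_ip": bool(claimed) and claimed[0] == origin,
    }


if __name__ == "__main__":
    print(trace_origin(SAMPLE))
```

When the oldest hop shows only an internal address, as with a sender behind a university or company network, the result falls back to the first routable relay and lists the internal address separately for follow-up with that network's own logs.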

And very few people go to the effort of never accessing the account from some place where they can be identified if the email is tracked to that location.

But backtracking an email is only the barest of techniques for finding out who sent an email to someone using one of these free accounts.

The next step is to subpoena the email service, i.e. Yahoo or Microsoft and get the access history for the account. This will provide the investigator with the IP address, date and time for every instance the account was accessed.

From there it is a simple matter of contacting the ISP (Internet Service Provider), such as Time Warner or Bell South, and obtaining the subscriber information for each of the IP addresses. That will yield the name, address and payment information for each of the IP addresses.

If the email came from a university, they tend to keep access logs for all the computers on their networks as well. Even the public computers in the library. And since most universities require a user name and password to access their networks, guess what? Yep, they can track the access back to a student or faculty account.

Now I know that you techie folks will say that the IP can be spoofed and so can the MAC address of the network card on the computer. But those are techniques that the general public is not aware of and would not know how to do anyway.

Beyond backtracking emails, many people use these accounts because they are Internet based and do not require an email program like Microsoft Outlook or Outlook Express to use. The thinking here is that if there is no program to store emails, they cannot be recovered from their computer.

Wrong again.

Any time someone is using the Internet to view or compose email, those pages are being stored on the hard drive just like all other web site pages. And even if the person is diligent about erasing their Internet history, those pages can probably be recovered if the computer gets into the hands of a computer forensics expert.

Sunday, November 30, 2008

Ok, this is getting crazy.

I just saw this article from Australia about some guy that got arrested for child porn for taking pictures of toddlers swimming around in a public pool.


A quote from the article: "That's the evidence, taking pictures of children in partial undress."

Now, I grant you that this guy was probably pretty creepy. But so far at least, being creepy isn't illegal yet.

What's next? Getting arrested for looking at kids in a public place?

Friday, November 14, 2008

How can you defend those people?

Yes, I stole the title from Mickey Sherman's book. I did buy it and read it and found it quite entertaining.

From time to time, people ask me what I do, and I tell them I am a digital forensics consultant. Which normally elicits a blank stare, so I elaborate and tell them I do forensics on computers and cell phones. Invariably they respond with, "You mean like on CSI?"

Since I have answered this question so many times, now I just go with, "Yes, just like that." If the conversation proceeds beyond that point, they normally ask me what kind of forensics work I do.

And I tell them that I work on everything from murder cases to intellectual property cases to child pornography cases.

"So you help to catch people by looking at stuff on their computers?", they ask.

That is where I get to tell them that I specialize in helping to defend people charged with murder or child pornography, by looking at stuff on their computer.

And many times I get the question, "How can you help defend those people?"

So I explain, that to begin with, not everyone who is charged with a crime is guilty. My job is to make sure that all the facts come out and are put into proper context. Few of my questioners understand that the prosecution will always have an expert on their side who has examined the computer evidence and made certain claims about the evidence.

And that if the defense does not have an expert on their side, at least to advise them on how to interpret the forensics report they got from law enforcement, they can be at a serious disadvantage in defending their client.

Interpreting computer evidence is not a simple statement of facts in most cases. Those facts need to be verified and put into the proper context. It's complicated.

When they ask me why I chose to focus so much on the criminal defense side, I explain that, in my opinion, the system is out of balance. That if someone is charged with a serious crime, they are entitled to the best defense they can get since it is going to impact the rest of their life. And in some cases, it can mean the end of their life if they are facing the death penalty.

Coupled with that, if you consider that the majority of attorneys I speak to have little idea about computer forensics, defense attorneys are in dire straits without a defense expert. I have spent the last several years teaching private attorneys and public defenders about computer forensics and the impact that it can have on their cases.

There is a serious knowledge gap in existence in regard to computer forensics in the legal community and that needs to change quickly to make sure that innocent people don't go to jail because the defense counsel didn't understand that a computer forensics report is not always a clear statement of facts. Or because the defense counsel didn't understand the need to employ an expert, even if the expert only reads the report to advise them, without doing a separate analysis.

In many instances, attorneys don't even know that defense experts exist for computer forensics.

Unlike some of the other forensic sciences that deal with other types of evidence, such as DNA, computer forensics can reach into all corners of a case, especially a murder case or conspiracy to commit murder case. I have worked and continue to work on many of these cases. Every time I work a new case, I find that the need for a defense expert is not only a nice to have, but a must have, if the defense is going to be able to properly understand the ramifications of what the law enforcement computer forensics analyst has reported in the case.

When you stop to consider how much information people process through their computers and cell phones these days, realizing that this is a rich source of evidence to be used for or against someone is vital in properly preparing a case, on both sides of the aisle.

While I do other types of cases, civil and domestic and employment, my focus has been and will continue to be in the criminal defense arena.

How can I help defend those people? Because someone must or the system will simply be too lopsided for justice to be served.

Monday, November 10, 2008

Parents need to wake up! Keeping your kids safe on the Internet is your responsibility.

I can't count the number of times I have had someone tell me, “My eleven year old is better at computers than I am.”

If that is really the case, then maybe parents need to take some time out of their busy schedules to take a few computer classes, or if not, don't allow computers in the home that are connected to the Internet.

You see, the reality is this: If you can't figure out what your child is doing on the Internet, you probably should not have it in your home.

While in my opinion, some of the legislation to protect children is going too far and becoming too big-brother for my taste and the penalties for certain crimes are becoming draconian to the point of being cruel and unusual punishment, none of this seems to be curtailing the use of the Internet by predators and purveyors of child porn.

And while those activities are particularly heinous, the Internet opens up children and teens to a whole range of potentially bad things like cyber-bullying, illegal activities they can get into such as downloading stolen music and movies, and access to new “friends” you probably would rather they not hang out with.

I was reading a random message board the other day and saw a thread by a fifteen year old boy concerned because his mother had discovered his downloaded porn. Now, while fifteen year old boys will be curious, he was looking for porn involving people his own age and had downloaded child porn via Limewire. Lucky for him his parents found it rather than ICE or one of the many Operation Fairplay investigations going on that monitors the network Limewire uses to search for keywords connected to CP. Otherwise, instead of getting grounded, he would have gotten arrested.

So parents, if you insist on allowing your kids to have access to the Internet via your home computer and cannot grasp enough of the technology to check on what they are doing, here are some tips to keep your kids safe on-line:

  1. Never, ever allow your kids to have a computer connected to the Internet in a private place in the home, such as their bedrooms.
  2. Keep the computer that is connected to the Internet in a public, well traveled area in your home.
  3. Restrict the time they are allowed to be on the Internet.
  4. If you bought them a game console like an X-Box or PlayStation, make sure you know if it is connected to the Internet and follow the same rules for it as you do the home computer.
  5. If you are not computer savvy, then have someone who is take a look at the computer once in a while and have them remove applications like Limewire, or any other file sharing applications from the computer.
  6. If you allow your kids to have Myspace or Facebook pages, make sure you have an account as well and you are on their friends list so you can monitor their pages. If you don't understand the whole Myspace thing, sit down with your child and have them show you their page and help you set up an account so you can be one of their friends.
  7. Install or have someone install a monitoring program on the home computer like CyberPatrol or Net Nanny that will allow you to set what they can do on-line.
  8. Set up or have someone set up separate user profiles for you and the kids and keep your password secret from them and their password should be known by you. That way you can set the monitoring software (CyberPatrol or Net Nanny) to give them access to what you want them to have access to while not restricting your access to the Internet.
  9. Make sure your kids know that they have no right to privacy from you on the computer and that you will be monitoring their activities.

While the Internet is an awesome tool for research, hobbies, connecting and many other good things, it is also a conduit to many bad things. I have said many times that when history looks back on this age, the Internet will be considered to be the best and worst thing to happen to society, and I believe it.

Check your local area for Internet safety classes and attend them, both for your child's sake and your own. These are typically offered by local law enforcement agencies.

Here are some links to other resources:

Saturday, November 1, 2008

Hats off to the Fair Trial Initiative and remembering an old friend.

I was surfing around and decided to visit the web site for the Fair Trial Initiative. This is a great service to people accused of capital offenses and the attorneys who represent them. I had the pleasure to work with two of the fellows on the NC vs. Mark A. Bowling case. They are very dedicated lawyers who made a difference for the defense team. I applaud this program and these young attorneys who serve.

I look forward to working with more of these dedicated young lawyers on current and future capital cases where I am part of the defense team.

I did not realize that this program honors capital defenders with the J. Kirk Osborne award or that these lawyers were Osborne Fellows.

I had the pleasure not only to work on two capital cases with Kirk Osborne, (NC vs. Michelle Theer and NC vs. Jerry Lynn Stuart), but also the honor of naming this man as a friend.

Sadly, Kirk passed away suddenly during the period he was working on the Duke Lacrosse case. Like everyone who knew him, I was shocked and saddened at his passing.

Kirk Osborne was one of the most dedicated and skilled attorneys I have had the pleasure to get to know and the honor to work with over the years that I have assisted with capital defense cases.

Thursday, October 30, 2008

Computer Forensics - Ethics

I noticed that my blog is getting a lot of hits from Google searches for ethics in computer forensics. Mostly from schools and colleges, so I suppose that people are getting some homework assignments about this topic. In doing my own research on the topic, it seems, and I cannot prove this of course, that the computer forensics curriculum at colleges for the most part is using classical ethics courses.

While there is nothing wrong with classical ethics courses, they really are not very practical when applied to a discipline like computer or digital forensics. At least not without a lot of extra explanation.

So let me explore this topic from a slightly different angle: practical application to this specific discipline.

Experts in general are sometimes accused of being biased because it is believed that they have a vested interest in the outcome of a case. On the prosecution side, the suspicion of bias can be attributed to the fact that the expert is on the payroll of the side they are testifying for. On the defense side, the accusation of “hired gun” is sometimes used to show that an expert is biased because they are getting paid to testify.

In reality, both sides are getting paid to testify, making that a weak argument for bias, in my opinion. However, that argument has been used to some effect in trying to sway juries against an expert, especially a private expert. Someone charging 150.00 to 500.00 an hour to testify seems expensive. All things are relative in that respect I think. The doctor that removed a kidney stone for me got 2500.00 for a 30 minute procedure, making his hourly rate 5000.00. Now that seems high to me!

Providing expert services is something that is sorely needed in the digital forensics arena for the simple fact that to the layman, it can sound like a pretty arcane science, with its own specialized language, tools and methods. It is not something that just anyone can do. Much like the doctor that removed my kidney stone. I wouldn't want someone who was just “interested” in medicine to do that kind of thing for me.

If the primary concern in ethical behavior in experts is whether or not they are biased, then that is what we should explore here. Especially since every code of ethics I have seen in this field states clearly that the expert should be a neutral party.

In every case I have worked, civil or criminal, I have not once gotten the impression that the expert on the other side was biased in any sort of classical sense. In particular, if we define bias as attempting to present or withhold facts in such a way as to unduly influence the outcome of a case.

The role of the expert is to find and present all the facts to the client, independent of the impact on the case. Nothing should be deliberately obscured or omitted that might be either exculpatory or incriminating. It is not the role of the expert to judge the plaintiff or defendant, nor is it the role of the expert to be an advocate. Advocacy is the job of the person's legal counsel.

Bias is only one of the ethical challenges facing any expert, including those in the area of computer forensics.

Most ethics statements will include something along the lines of the expert not having a stake in the outcome of the case. Simply put, an expert should never be working on a contingency basis, since this clearly puts the expert in the position of having to “win” to get paid. If your fees depend on making sure your side wins, then you are definitely biased and no amount of explanation will make that go away.

Perhaps one of the most important aspects of ethical behavior for an expert is one of the harder ones to judge: competency. From the outside, it is difficult to tell if the expert is really qualified until they are engaged and performing the work. However, anyone who puts themselves out as an expert and attempts to do things above their competency level is not only in danger of being unethical, they are in danger of being sued or worse.

The problem with a field like computer forensics is the lack of universally accepted standards that anyone can view and at least have an idea of the level of competency of the expert. Other experts require some sort of professional licensing specific to their field: Certified public accountants, doctors, professional engineers, lawyers etc. where they have had to pass some sort of board certification prior to being allowed to practice. Of course it was not always that way for those professions in the early days, before such boards and licensing bodies were formed. And that is the state of computer forensics today.

Without such minimum safeguards, pretty much anyone can say they are a computer forensics expert. They might not get qualified if they ever get to court, but most cases never make it that far.

Let's be honest and admit that it doesn't take much to pull the wool over a computer novice's eyes with a few well placed buzz words. Or simply the possession of a computer forensics software package. The danger here is that once the “expert” is retained and allowed to work on a case, by the time they are exposed by a qualified opposing expert, the damage is already done.

The point here is that the minimum of ethical behavior in an expert is to not overstate their qualifications to get a case, nor to overstep their competency by taking a case where they cannot provide the level of expertise that the client expects and deserves.

From a personal standpoint, as an example, I specialize in post-mortem forensics, not incident response. So I will not take incident response cases because they are simply outside my expertise, even though I have over twenty five years of IT experience and have done my share of network security, intrusion detection, firewall programming and such. However, incident response is above that level of expertise when practiced as a forensic discipline.

If a client's needs represent an area of expertise I would not be comfortable testifying about in court, I simply won't take the case. In my mind, that should be the bar an expert sets for what cases they will accept or reject.

A final word on bias: Working hard for your client by providing the highest level of service you can is not bias. Properly doing the work, accurately and completely presenting the facts, backing up your findings with appropriate research in the field and testifying as well as you can, on behalf of your client in court, is what is expected of anyone who says they are an “expert.”

Wednesday, October 29, 2008

No pigs in a poke please!

Back in ye olde England, people used to buy things like suckling pigs at the market. I guess they still do, but this was different. A poke by the way was a burlap or other cloth bag used to store items for sale.

Some unscrupulous street vendors were quite happy to sell the unsuspecting a cat in a bag, rather than the expected suckling pig. Hence the term, don’t buy a pig in a poke, or caveat emptor; let the buyer beware. This was also the origin of the term “let the cat out of the bag.”

Now that we have that bit out of the way, let’s talk about the opposite of my previous post: coming into possession of a used computer rather than disposing of one.

There are lots of ways to get a used computer: from a store that sells used computers, Craigslist, the newspaper want-ads, a family friend, your company, or even out of the dumpster I suppose. The point here is that, unless you know the computer was cleaned up, how can you be sure that what you are buying does not contain contraband of some sort?

And how do you know if the computer was cleaned properly, effectively destroying all data from the previous owner? I know that if I come into possession of a used computer, the first thing I do is forensically wipe the entire hard drive and then reinstall the operating system and applications.

There is no way I want to have anyone else’s stuff on a machine that I own.

I am not against used computers, since they provide an economical way to purchase computers that might otherwise be out of reach for consumers, but the reality of it is that many times that used computer was not cleaned up properly and in effect you are buying a pig in a poke.

It’s worse than that, since you can’t tell by simply “opening the bag”, i.e. browsing the files on the hard drive, since you cannot see deleted files without special software. And many of the people who purchase these used computers do not have the minimum level of skills needed to even check things like the internet history folders.

My advice if you are considering buying a used computer is to make sure that you get the operating system and application CDs, or better yet, if it is a brand name like a Dell or Gateway, get the original system restore CDs. Then when you get home, perform a full destructive restore on the computer.

That will at least give you some confidence that the computer is now cleaned up as well as you can make it.

Monday, October 27, 2008

Who’s peeking at your private stuff?

Have you ever wondered just how much your computer repair guy knows about you?

Did you know that when you drop off your computer at the repair store, you are giving up your expectation of privacy? In other words, you are giving the computer repair people full permission to look at anything in your computer. And if they decide to reveal something they find, there probably isn’t much you can do about it.

When you turn your computer over to a computer store, the employees are members of the public, and with your permission you are giving them access to your computer information.

Let me give some specific examples of what I mean by giving permission, whether you mean to or not:

  • You take your computer to the repair shop to get your email fixed. When you do this, you are giving tacit permission for the repair shop to test your email account to make sure it is working. How else would they know if they fixed it? In the process of testing your email account, they are going to send and receive emails, and possibly open emails to make sure everything is ok. If they reveal something that they see in your email to a third party, you probably can’t do anything about it, since you gave them implicit permission to view your email.
  • You take your computer to the repair shop because it is running slow and ask them to check it out. In the course of doing so, they review your files and locate contraband. The next thing you know, when you arrive to pick up the computer, the police are standing there waiting for you. Guess what? You gave the computer shop permission to examine your computer, and if they found something suspicious, you have lost your expectation of privacy.
  • You ask your local repair shop to install an upgrade of your financial software. In the process of testing the upgrade, they open your financial files, revealing your bank account information, check register, transactions, payment history and so forth. If you did not specifically tell them not to open your financial files in the process of installing the software, chances are you lost your expectation of privacy.

Check out this court decision for more information on how this can be viewed:

Other ways you can put your information into the public arena:

  • You have the hard drive in your computer upgraded to a new larger hard drive. When you get to the shop to pick it up, the computer shop gives you the old hard drive and you subsequently give it away or toss it in the trash. Under the legal concept of abandonment, you have no expectation of privacy for anything on that hard drive.
  • You work at a company that has a computer usage policy that says you are not allowed to use the computer for personal use, including personal email. The policy says that your computer is subject to inspection by the company. The company inspects your computer at some point and locates e-mails from your private Yahoo mail account in the internet cache. You would not have an expectation of privacy for those emails, even though you did not know they were in the internet cache.
  • You install Limewire on your computer and allow sharing of your downloaded files with others. After all, you want to be nice about it and participate in the network. Once you do that, you have opened your computer to the public and it is no longer protected from inspection by pretty much anyone. Especially the police who may be monitoring traffic on the Limewire network through Operation Fairplay.

Even more ways to give your information away:

  • By tossing a bunch of old floppy disks, backup tapes or CDs into the trash.
  • Giving your email password to a computer person to fix your email and not changing it after they are done.
  • Giving anyone your network password, even your corporate IT support person and not changing it later.

How can you protect yourself?

If you run a large or small business and you use a computer service company, have them sign a non-disclosure agreement.

If you must take your computer in for repair, take a written note outlining exactly what you want done and restricting access to anything else on the computer. Have them sign it in your presence and get a copy.

Of course the simplest way to protect yourself would be to be sure you don’t have any personal information on your computer. Of course, in order to do that, you probably shouldn’t use one, since no matter what, you probably have something on there that is personal and private, even if it is only your email.

Tuesday, October 21, 2008

What to expect from computer forensics applications - NOT

I got a Google alert on an article entitled, "What to expect from computer forensics applications," by Kelly Hunter.

Based on the article, this illustrates exactly the kind of information that you do not want. It is full of misinformation. The author confuses forensics and anti-forensics. The author then goes on to say that forensics software is what you need to keep your computer running at its best.

I especially like this little bit of wisdom, "This kind of software is prefect for just about everyone, and that is why it is on the rise on the internet. People want to be able to take control of their computers, not the other way around. This is software that can help you do that."

Say what?

Also, the author does not mention any actual forensics software such as Encase, FTK, Winhex, or any of the other major software for computer forensics.

I suspect the author has never actually seen any forensic software, much less used or tested any of it.

Being the curious sort that I am, I went to the author's site and found even more misinformation.

For someone who purports to write about forensics and forensics software, perhaps the author should get some real information. Or at least learn to check the facts.

Sunday, October 19, 2008

Computer Forensics – Different strokes for different folks.

Now that I am back from a little R&R, I thought I would spend a few words talking about the different kinds of computer forensics and their applications. Mostly because I see a lot of posts on different forums from folks wanting to get started in the field and would like to try and share some information about what computer forensics is in its three major forms.

Computer forensics can be broadly broken into three areas: Live forensics, post-mortem forensics and e-discovery.

Live forensics, which goes by the moniker incident response or network forensics, is about responding to a breach of security in an operating network or computer and capturing data for forensic analysis from that environment “live”.

A subset of live forensics is the capturing of data from an operating computer to preserve “volatile” data: data that disappears when the computer is turned off, such as the content of the computer’s memory, the part of the computer that temporarily stores information for use during that computing session. Memory should not be confused with storage.

But in general live forensics deals with capturing data about a network intrusion or internal security breach.

To properly perform incident response work, aka live forensics, the analyst must have an excellent knowledge of network security, OSI layers, intrusion methods, data leakage, and network operating systems. Your purpose in the majority of these types of cases is finding out where a network is compromised, halting the attack and documenting the method and type of attack for possible legal action.

Incident response is the purview of network security professionals and anyone wishing to get into this field should obtain education and training in the various network security specialties.

Post-mortem computer forensics is performing a data autopsy on a “dead” system. Dead in this case meaning a computer that has been powered down, not that the computer is broken.

In the case of post-mortem computer forensics, the focus is on data recovery and analysis of stored information that resides on the computer hard drives or other types of permanent storage devices.

Post-mortem computer forensics is probably what most people have in mind when thinking about computer forensics. This is the kind of stuff you see in a lot of criminal and civil cases that involve the recovery of documents and emails and such that are used to establish user activity as it relates to a divorce or a child pornography or theft case. Post-mortem forensics figured prominently in the Scott Peterson, BTK killer, Neil Entwistle, Julie Amero and Michael Jackson cases, to name just a few.

Production of recovered e-mail, internet searches, internet maps and other information were used in these cases in some form or another.

E-discovery is another field of computer forensics that involves capturing and analyzing large amounts of data, mostly in large cases involving dozens to hundreds of computers. The focus of e-discovery is the production of relevant documents more than the recovery of deleted or hidden data. In an e-discovery case, there may be thousands of documents that must be tagged, indexed and checked for proper disclosure prior to allowing the production to be seen by either side to protect attorney-client privileges.

In many cases, improperly exposing documents that have not been reviewed has not prevented them from being entered into evidence.

E-discovery tends to be very expensive and requires specialized software to capture the documents and to then analyze, sort and produce those documents for the parties involved in a manageable form.

One of the current trends is to outsource e-discovery to off shore firms in India to reduce the costs of these types of analyses. That in itself presents some real challenges to litigators and should be approached with caution.

So there you have three major divisions of computer forensics, each a specialty in its own right, requiring unique tools and skills for the analyst.

Thursday, October 9, 2008

Please don't tamper with the evidence!

From time to time on cases I am working on, original evidence will be given to the attorney or the client first. Usually this is a complete working computer or a media card from a camera or a USB drive, or even a working digital camera or cell phone.

I cannot stress strongly enough that you must resist the temptation to take a quick look. That is a violation of the first and most important rule in forensics: Do not modify original evidence. Poking around in the computer or loading up the media card, etc., is going to put the original evidence at risk.

And since I have to prepare a report of the evidence handling, sometimes in an affidavit, I like to be able to say that no one tampered with the evidence, especially not the attorney. Jeepers.

And don't let the family or the local computer guy touch it either. The bane of forensic computer experts is the local computer guy or the corporate IT consultant. They know not what they are doing when they mess with the computer!

They do not have a clue how to protect the evidence and they REALLY do not know how to make a complete copy of a hard drive or any other piece of electronic data.

And if you let them play sleuth, you are going to put your entire case at risk.

Operating a computer for any reason changes and destroys evidence if it is not handled forensically.

You wouldn't let the local high school lab work with the DNA evidence before you send it to a real DNA lab would you? I hope not.

It is the same thing. Computers are like a huge chunk of DNA and are just as easy to contaminate by mishandling.

Case in point: I am working on a capital murder case where the family got the computer before anyone had a chance to forensically image it. What did they do?

They took it to the local computer guy to get a copy of the hard drive.

But another attorney picked it up and said he would handle the copying.

Lo and behold when the computer gets back to the original owner, the drive is blank.

What does he do? He downloads some Linux rescue CD or something and tries to recover the data on the drive on his own.

Now I step in as the retained expert and will have to deal with this.

Does it make my job impossible? No. Does it jeopardize the evidence in the case? Tremendously. Will it be a lot more expensive for me to get my work done now? Yes.

Please don't be penny wise and pound foolish. Get the evidence to a computer forensic expert first. It will cost you a lot less in the long run than if you have to retain one later and he or she has to undo all the work someone else did, not to mention the missing evidence that was destroyed and the new evidence that was added because of operating the computer.

And the cost to forensically copy the evidence will be the same anyway.

A computer is like a digital crime scene all by itself. It can contain a vast amount of information. Stomping around in the crime scene is a bad idea. That's why they don't like it when people stomp around in a physical crime scene. It destroys evidence and adds evidence. Never a good situation when trying to collect and analyse evidence.

It's not too late to have a fun debate.

This is definitely off topic for me on this blog, but I can't resist. With the last presidential debate coming up, I propose they format it differently. But, let me digress a moment.

My understanding of debate is that each team, if you will, picks a different side of a subject and presents an argument in support of their side and a rebuttal of the other side's argument. I am trying to find where this exists in any political debate where answers are never answers but are deflections, attempts to defame the record of the other side and dilute any true argument on the merits of the core issues.

So, I propose we get rid of the debate format, and have it set up like this:

Each candidate gets to be both the plaintiff and defendant for each question in turn. And they are directly examined, then cross-examined, by a prosecuting attorney and a defense attorney for each question.

They are never allowed to respond to the "testimony" of the other candidate, but must state their case via examination by the attorneys on the question at hand.

Time limits would still be imposed, and would be enforced.

I can see it now:

Senator Obama, is it a fact that you voted no for the "save the pink pygmy salamanders bill" in 2006?

Well, um.

Yes or no, Senator.


Senator McCain, is it true you voted against alternative energy bills 5 times in your career in Washington?

Let me put that in perspective.

Yes or no, Senator.


Senator Obama, can you explain to the American people exactly what your economic plan is for bringing the country out of the current crisis?

Well, blah blah, and blah and we have to blah, blah.

Senator Obama, does your plan include raising taxes on businesses?

Yes it does.

And what percentage would the new tax rate be?

Um, well that is to be determined.

So you don't know what rate you plan to tax business?

That hasn't been decided at this point. We will need to perform studies and..

Senator Obama, would it be fair to say, you have no idea how much you plan to raise taxes on business?

No, I don't think so.

So, you do know how much you will raise taxes on business then?

I didn't say that...

That's right Senator, you DIDN'T say that did you? You said you have no idea.

I said we need to study the issue more.

Isn't that just a way to cover up the fact that you don't know?

I'm not covering up anything.

So you are willing to admit then that you don't know what the tax rate will be?

Yes, Um No, I don't know what the tax rate will be.

So would it be fair to say Senator that you can't predict with any accuracy the effect of a tax rate increase on business in the US and on the economy since you don't have a number for the rate yet?

Yes, it would.

Thank you Senator. No further questions on this topic.

Senator McCain, You have repeatedly said in statements to the public that you would lower taxes. Is that a fair representation of your statements?

Yes, it is.

Senator McCain, considering the current deficit, and the just announced 850 billion dollar bailout, how do you propose that it makes any sense to cut taxes and still bring down the deficit?

Well, I have said many times that cutting business taxes is the only way to encourage investment by companies in areas that will create jobs.

Senator McCain, can you tell us exactly how many jobs will be created based on each percentage you lower taxes for business?

Well, we haven't gotten to that level of detail at this point.

So, Senator, the answer is you don't know. Is that correct?

We have good indicators that lowering taxes on business creates jobs.

How many jobs would that be in your plan Senator?

We are still working on the projections at this point.

So, you don't know then. Is that correct?


Thank you Senator. No further questions on this topic.

Now wouldn't that be a lot more fun than watching the candidates always resort to, "well he voted on this, blah blah, and he said this, blah blah"?

How about some real answers to some real questions?

How about taking some responsibility for their actions and just getting on with it?

How about showing some real leadership for a change?

Browser Hijacking as a Defense in Legal Proceedings

Here is an excerpt from the article at Internet Law:

“Browser hijacking is a real phenomenon, which can become manifest through unwanted pop-ups, new ‘favorites’ that a user cannot delete, a new home page, and other forms of loss of control over one’s computer. At the same time, browser hijacking is not always responsible for the presence of unwanted spy ware and other malware. A common culprit for the transmission of these viruses is the downloading of otherwise innocent material such as games or news from disreputable Websites that infect users’ computers with spy ware and viruses, and that, in certain cases, direct users to illegal or sexually explicit Websites. “

As the article states this has been offered as a defense in cases involving contraband such as child pornography and also in wrongful termination cases involving surfing pornography while on the company computer.

The issue is that while it seems logical and should be apparent that this kind of thing can happen to the most innocent of users, juries have been decidedly less than receptive to this as a defense.

In order to mount this as a defense, it must first be established that a browser hijacker existed and was active at the time the images were downloaded. This can be difficult if the computer was subsequently cleaned up by anti-virus or anti-spyware software. If the program doing the cleaning kept a log of what was cleaned and when, then clues can be obtained from those logs. Sadly, a lot of these programs do not keep a history of what they did.

The second and most effective challenge to this as a defense is the existence of Typed URLs. A moment to explain: The address that you type into the box at the top of your browser to go to a web site like is called a URL or Uniform Resource Locator. In common terms we call this the web site address. In truth it is a human language nickname for the real address of the web site. For instance, if I said I wanted to go see someone, I would say I was going to Bob Smith's home at 110 Cherry Lane. I can understand that and even get there if I know the way. But if I type that address into my GPS it does not see it as 110 Cherry Lane, it sees it as a set of Geographic Positioning Coordinates like, 4.567, 123.444. The same thing happens when you type into your browser address box. The computer sees that as a string of numbers that is the real address of the server providing's web pages to you, such as (The real address for

Okay, now that you understand that what you type into the address box is a way for humans to remember web page addresses, (who would want to have to remember it is important that you understand a couple of other things. How does become

Out there in the world there are things called DNS servers. DNS stands for Domain Name Service. What the DNS server does is have a big table that matches names with actual addresses, so that when you type in, your browser (Internet Explorer or Safari or Mozilla, etc.) asks the DNS server to tell it where really is. The DNS server looks at its table, matches to the address and then tells the browser to ask that server for web pages. It works just like a giant phone book that matches Bob Smith with his phone number so you know what number to dial to talk to Bob.

Now, back to Typed URLs and why they are so pesky in this type of defense:

Just like the name implies, Typed URLs are the addresses that you the computer user types into that address box. Secretly in the background, Microsoft Windows records those in a place you can't see unless you know where to look.

When the computer hard drive is examined for evidence, that is one of the first places a forensics expert will look to see if the user was actually typing in addresses for bad sites.

But there is one way this can actually help you; if a Typed URL is a slight misspelling for a legitimate site that sent you to a porn site, then you have some evidence that can help you.

For a long time the address was a major porn site. There is no telling the number of innocent people who went there looking for (the real address for The White House). Who knows how many elementary school kids got an eyeful trying to research their homework.

Another common trick of the porn industry and insidious web sites that like to infect your computer is the old misspelling trick. A lot of these have been shut down now thankfully. For instance, if you wanted to go to but you are a poor typist like me and tend to type in, you would have gone to a porn trap site.

If these common misspellings or mis-addresses show up in your Typed URL records on the computer, you have some evidence that you did not intentionally go to a porn site.
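As an added illustration (not code from the original post), the Python below triages a list of Typed URL entries against sites the user is known to visit and flags near-misspellings. It goes slightly beyond the text by also flagging the right name under the wrong domain suffix. For Internet Explorer the entries are stored under the `HKCU\Software\Microsoft\Internet Explorer\TypedURLs` registry key; the site list, the sample entries and all function names here are constructed for the example.

```python
from urllib.parse import urlsplit

# Hypothetical list of sites the user legitimately visits (assumption).
KNOWN_SITES = ["examplebank.com", "example-agency.gov", "examplenews.org"]

# Constructed sample entries, in the form Internet Explorer stores as
# url1, url2, ... values under
# HKCU\Software\Microsoft\Internet Explorer\TypedURLs.
SAMPLE_TYPED_URLS = [
    "http://www.examplebank.com/",
    "exampelbank.com",                # two adjacent letters swapped
    "http://example-agency.com/",     # right name, wrong suffix
    "https://www.examplenws.org/a",   # one letter dropped
    "http://adult-content.example/",  # resembles no known site
]


def host_of(entry):
    """Return the lower-cased host of a typed entry, tolerating a missing scheme."""
    entry = entry.strip()
    if "://" not in entry:
        entry = "http://" + entry
    host = (urlsplit(entry).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, or swap
    two adjacent characters, each counted as one edit (typical typing slips)."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def classify(entry, known_sites=KNOWN_SITES, max_distance=2):
    """Return (host, verdict, matched_site) for one Typed URL entry.

    Verdicts: exact, wrong-suffix, possible-typo, no-match, unparseable.
    The suffix is taken naively as the last label (no public suffix list),
    and very short names will produce false positives at max_distance=2.
    """
    host = host_of(entry)
    if not host:
        return (host, "unparseable", None)
    if host in known_sites:
        return (host, "exact", host)
    name, _, suffix = host.rpartition(".")
    best = None
    for site in known_sites:
        site_name, _, site_suffix = site.rpartition(".")
        if name == site_name and suffix != site_suffix:
            return (host, "wrong-suffix", site)
        distance = osa_distance(host, site)
        if distance <= max_distance and (best is None or distance < best[0]):
            best = (distance, site)
    if best:
        return (host, "possible-typo", best[1])
    return (host, "no-match", None)


def triage(entries, known_sites=KNOWN_SITES):
    """Classify every entry, preserving the order in which they were recorded."""
    return [classify(entry, known_sites) for entry in entries]


if __name__ == "__main__":
    for host, verdict, site in triage(SAMPLE_TYPED_URLS):
        print(f"{host:28} {verdict:14} {site or '-'}")
```

A hit only shows that a typed address resembles a known site; whether it was actually a slip of the fingers still has to be supported by the rest of the examination.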

Raising this as a defense is tricky and takes a considerable amount of skill to pull off. Not only technically, but also in front of a jury who will need a lot of verbal hand holding to understand it.

But no amount of skill or trickery will convince a jury of evidence you cannot prove. Like the Trojan Horse defense, this shifts the burden of proof from the prosecution and places it squarely on the shoulders of the defense.

There are other factors to consider as well in defending these cases, too many to go into here. But they all must be considered, weighed and presented to the defense attorney as part of the job of the forensics consultant.

No slight to attorneys in any way, but many of them are new to this type of evidence and its implications, and depend on the forensics consultant to make sure they understand what they have to work with and what the challenges will be in mounting such a defense from a technical standpoint. If there is one to mount at all.

Wednesday, October 1, 2008

Defeating Computer Forensics

From time to time the subject of anti-forensics (defeating computer forensics) comes up. I thought I would share some of my experience in this area to hopefully clarify some misinformation out there.

Can digital forensics be defeated? The short answer is, yes it can. But it is harder to do than most people think.

You have probably seen, or even used, one of the privacy programs out there that advertise that they completely remove your Internet browsing tracks or evidence of your computer usage.

While that seems really cool, the reality of it is that these products work, but with caveats.

While one may be good at removing your Internet history from the time you start using it, they typically do not go back and remove older history from the computer. Some do this; some do not.

They also claim to wipe out your tracks in other areas, including wiping the deleted files from your computer. The ones that have this feature do a good job of it.

The reality of it is that most people who use these products are more interested in hiding their actions from their spouse or employer than from a forensics examiner. Simply because few people believe that their computer will ever be subjected to an examination by a computer forensics expert.

So while they do a good job of hiding your activities from your spouse or boss, they are not a cure all if you get your computer seized by police or taken in a civil case via subpoena.

So let's talk about what happens in real life when it comes to trying to defeat digital forensics:

1. Some of these tools actually create a log of their activities that details exactly what they wiped and when, including file names.
2. What the tools actually remove varies widely in success rate and is dependent in many cases on the options set by the user.
3. Wiping the unused portion of the hard drive takes a long time and few users have the patience to do it regularly.
4. None of these tools is 100% effective in wiping out all forensically useful data. You simply can't do it and still have an operational computer.
5. The average computer user is just as lazy about keeping their computer clean using these tools as they are about maintaining the security of their passwords.

The only way to completely defeat a forensics examination is to completely overwrite the entire hard drive with data such as 1s or 0s. This takes a long time, requires the use of wiping software and renders the computer inoperable until you completely reinstall the operating system. Very few people are willing to go to this extent to cover their tracks or are even aware of how to do it. And it is obviously suspicious behavior on its own.

And of course, if law enforcement is knocking on the door with a warrant, this method is not going to work anyway.

I have examined quite a few computers that have had evidence erasing software used on them (not a complete overwrite mind you). In every case, I was able to recover valid information to use in the case.

For one thing, there are files created by Windows that these tools do not address that store user activity information that can easily be located by a competent forensics examiner.

On the other side of the coin, a very savvy computer user can completely defeat any type of forensics examination and freely commit all kinds of skulduggery without fear of being caught by an examination of their computer and without using any of the tools mentioned here or wiping the hard drive on their computer.

I know how to do it and I am sure others do as well. But I am not going to tell anyone, especially not in this blog. My apologies to those budding criminal masterminds out there.

Sunday, September 28, 2008

Do you know where your credit cards are?

Credit card fraud is a nasty business.  But it becomes much nastier when you get accused and arrested for child pornography because of it.

Spokane firefighter may sue over child porn arrest.

It is becoming more and more frightening when law enforcement attempts to react so quickly to suspicion based on a thin thread of evidence collected via the internet to the point of skipping real investigation for a quick score.

In this case, I bet the fireman would have gladly allowed the police to examine his computer to make sure he did not have child porn prior to arresting him.


Saturday, September 27, 2008

Update on North Carolina Licensing for Digital Forensics

Here is a link to an article at North Carolina Business Litigation Report: North Carolina May Require Licensing For Computer Forensic Consultants, But Do We Need It?

I am absolutely for licensing Digital Forensics Examiners, separately from Private Investigators as I have stated on this blog a few times.

I am picking out some of the links from the article here so you can see what North Carolina is proposing, which I think is the correct model for handling this issue.

A draft of the proposed legislation.

The draft minutes from the June 9, 2008 meeting of the Computer Forensics Subcommittee of the Private Protective Services Board.

Excerpts from other committee meetings where this was discussed.

Many people have said that Digital Forensics should be covered by Private Investigator Licenses. I disagree, simply because this is an entirely different field of expertise and it requires specific training and experience in a very narrow discipline, not covered in any way by Private Investigator training.

Others say that no licensing should be required, but that the court can make the decision of who is an expert. I think this is a shortsighted view. Once a matter gets to court, the damage has already been done by incompetent "experts."

Also, the vast majority of cases never make it to court. Who is going to decide if the expert was competent in those cases? Will anyone ever know?

While I realize that obtaining a license, even with the provision provided by the NC proposal, does not guarantee competency, it at least establishes a floor for minimum training and experience before someone can engage the public as an expert in the field.

Whether or not you want to say the word "expert", when someone offers services as a Digital or Computer Forensics Examiner, "expert" is implied, if not explicitly stated.

I say let's protect the public and get this right.

Constitution Protects Stored Cell Phone Location Information

From the Center for Democracy and Technology:

"A federal court ruled September 10th that stored cell phone location information is protected by the Fourth Amendment. The court said the government needed a warrant, based on probable cause, in order to gain access to stored cell phone location information. Other courts have required probable cause for law enforcement access to real-time cell phone location information; however, this decision is particularly important because it extends the probable cause requirement to stored location information. The Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, had argued for the warrant requirement that the court adopted in an amicus curiae brief filed in July. September 11, 2008"

You can view the Federal Court Decision here.

Ethics in Digital Forensics

I just read an article in the current issue of Forensics Magazine: Digital Insider: Ethical Practices in Digital Forensics: Part 1, by John J. Barbara.

While the article is well written, I have to take issue with some of the content.

The article addresses the ethical issues of both the primary and secondary experts in a case. While he chose to use ballistics as the scenario for this article, he promises to use a digital forensics scenario in Part 2. (Not sure why he didn’t use one to start with.)

Here is a quote from the article that I take issue with:

“In shooting situations such as this, it would not be surprising for the defense to hire another examiner to reexamine the fired projectiles. What would be the legal, moral, professional, and ethical responsibilities of the second examiner should a different conclusion be determined? Certainly, he or she will report the results to the defense counsel. However, should the second examiner also notify the prosecutor and the first examiner? Would doing so violate any attorney/client privileges? Going one-step further, should the defense counsel notify the prosecutor? This scenario is not uncommon and holds the potential for legal, professional, and ethical conflicts involving both of the examiners and the defense counsel. Presuming that the conflicting testimony is presented in court, ultimately the jury would have to decide the weight given to the each examiner’s testimony. “

Before I make my comments, let me quote Mr. Barbara’s mini-bio from the article:
“John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press.”

I am not picking on Mr. Barbara, but it appears he has forgotten that we use an adversarial system in the U.S. Perhaps, Florida is different, but I doubt it.

Should the second examiner notify the prosecutor and the first examiner? Not if he wants to do any more work. As far as I know, that would violate the attorney work product and the trust of the defense counsel that retained the secondary expert.

Going one-step further, should the defense counsel notify the prosecutor? Oh, you bet he will; when the time is right. If the defense counsel believes that the evidence to be presented by the expert is prejudicial based on the work of his retained expert, he will normally have the secondary expert prepare an affidavit of facts and have it served on the prosecutor in preparation for a motion to exclude that evidence. What the defense counsel must tell the prosecution and when, varies by state.

Of course I am not an attorney and I don’t play one on TV, but that has been my experience as the secondary expert in many cases.

I don’t regard either of the preceding questions raised in the article as ethical in nature. I actually would regard acting in that manner as unethical toward the attorney that has retained the secondary expert.

So, let’s get back to the core topic of ethics in digital forensics. First of all, I see no difference between the ethical code a digital forensics examiner should subscribe to and any other ethical code in forensic science.

The problem perhaps is the lack of recognition that Digital Forensics is a science.

Mr. Barbara is spot on when he says, “There are many examiners in the Digital Forensic community who are not aware that professional codes of conduct and codes of ethical practices need to be an inherent part of every examination.”

But, I disagree again when he states further along that, “Ultimately, the examiner is responsible for his or her results. Through education, training, and experience, he or she develops and enhances individual technical knowledge, skills, and abilities. This maturation process needs to include adherence to an overriding code of professional conduct or a code of ethical practices.”

Ethical practices should be part and parcel of any forensic practitioner's training from the very beginning. Waiting until later in an examiner’s career to begin to mature into ethical conduct by adopting a code of ethical behavior puts the cart squarely before the horse.

But there is a serious problem as I see it with ethics in the Digital Forensics field: People getting into the field to make a quick buck by picking the low hanging fruit of distressed spouses, concerned employers or uninformed attorneys.

This is multiplied by the blinders being worn by state licensing boards, which are failing to recognize digital forensics as a discipline that incorporates scientific examination of evidence and requires special expertise and training, but instead think it is part of private investigation. In my mind that is a violation of the public trust, but I have been on that soapbox for a while now, so no news there.

The foundation for ethical practice is recognizing the responsibility of the examiner in performing his or her duties. When you attend forensic courses, they will tell you that you need to be impartial. They don’t tell you that you need to be ethical or even explain what that means in the context of the forensics field.

If the examiner is working as a consultant / expert in the field, they must have a clear understanding of the impact of what they do, including some knowledge of the laws that govern the practice, and what they must do to ethically serve their clients, whether they are attorneys or private citizens.

Even in-house examiners have a responsibility to operate in an ethical manner in internal investigations, lest they inadvertently destroy another employee’s career by making a representation that is not completely correct or based in any way on speculation.

And I believe that law enforcement examiners should be of the highest ethical standard since by definition we are relying on them to protect us as part of their sworn commitment to the public they serve.

I hear a lot of comments by examiners that say, “I just find the data. Then let the lawyers sort it out.”
To operate ethically, the examiner should make sure that the evidence they find and present at least meets what I consider to be the minimal standard of a digital forensics examination: “If you can’t prove it, don’t say it.”

Presentation of digital evidence should never be on the basis of speculation. Rendering an opinion can be an explanation of why the expert believes something to be true based on examination of digital evidence, but never on speculation.

So the next time you, as a digital forensics examiner are on the witness stand and the attorney asks you, “Mr. Examiner, in your expert opinion, would it be fair to say that…..” Remember that someone’s life may be in the balance. And that is where your ethics must already be firmly engrained in all you have done and will say.

I am a member of and recommend the multi-discipline American College of Forensic Examiners.

Thursday, September 25, 2008

What they don't teach you in computer forensics school.

Having attended quite a few computer forensics schools in my time, and after talking with other practitioners getting into the forensics field, it struck me that computer forensics schools leave some things out.

I have to presume the reason for it is that this field has been dominated by law enforcement and internal investigation types or major corporations for the majority of its life. So it is probably assumed that knowing how to do all the things required to actually practice in the field is already covered by internal training or policies.

For the independent practitioner, all of the things that others do have to be done as well, but no one is providing courses or information for these tasks.

So consider this a shameless plug if you want and stop reading here.

I have decided to begin offering a Digital Forensics Practice course. In this course consultants will learn how to:

  • Properly handle evidence including all of the forms, policies and procedures they need to keep records.
  • What they need to have in their forensics lab for handling and processing digital evidence and where to get it. Not hardware or software, but little things like evidence bags, etc.
  • How to properly set up a case and manage it from start to finish including best practices for the actual analysis of the case, including documentation.
  • How to write and present standardized reports.
  • What to put in a report and how to format it properly.
  • How to assist attorneys and clients through the preservation and discovery process.
  • How to analyze the work of an opposing expert.
  • How to prepare for court testimony.
  • How to prepare a CV or resume for qualifying as an expert.
  • How to testify in court.
  • Setting up and managing case files and documentation.
  • How to determine how much to charge for their work.
  • Dealing with retained and indigent cases.
  • Ethical responsibilities of digital forensics experts.
  • How to deal with cases involving contraband, such as child porn.

The course is open to anyone, but classes are limited to 10-12 people.

I am looking for input for anything I may have missed or anything that someone would like to see covered. If you have suggestions or would like to find out more, email me at

Courses will begin in January of 2009.

Thursday, September 18, 2008

Is prison just a click away?

Let’s be honest: A lot of people like porn. They surf for it, download it from Limewire or Kazaa, talk about it, rent it from on-line and brick and mortar stores, and hear about it a lot in mainstream media. Talk of watching porn is rife in movies like American Pie, those awful National Lampoon teen comedies, slasher flicks and pretty much anything intended to appeal to the 18-25 age group these days.

Porn has been around for thousands of years and the only thing that has changed is that the media has progressed from drawings on rice paper or parchment to virtual images transmitted by computers.

A couple of years ago I worked on an “Operation Fairplay” case where a school teacher was arrested for downloading child porn from Limewire. Working with the law enforcement expert on the other side, it was determined that 90% of the “titles” downloaded that had child porn descriptions were of adult porn.

Based on the Supreme Court decision I just posted about, it is conceivable that just downloading something with a CP description could be considered illegal.

A lot of the cases I work on involve CP that appears only in the internet cache or resides in “unallocated space”, areas of a computer that users cannot see without specialized tools. It is very common for a person to be prosecuted based on these images alone, even if no effort was made to preserve the images and where there is no evidence that the person was actively searching for child pornography.

In order to understand how this can occur, you must understand how browser caching works: When you visit a web page, all of the web page is saved to your internet cache, even if you cannot see the entire page. For example, when you visit Yahoo’s home page or, the page extends far beyond what you can see at one time because the page is larger than what your monitor screen can display in a single view. So while you are looking at the top of the web page, the rest of the page is being cached to your computer, whether you intend to ever view it or not.
This also includes anything that pops up. All those pop-ups are cached to your computer’s hard drive as well.

If your computer has an “internet accelerator” installed, which is a program that makes browsing faster, you will have not only the current page you are viewing cached to your computer’s hard drive, but the accelerator will attempt to anticipate what you are going to want to view next and can download the entire web site. This is so that when you click on a link, the page will immediately appear since it has already been downloaded to your computer. Some will even attempt to download other sites that are linked to the current page.

You are not as much in control of your internet browsing as you think you are.

What this means is that if you are an avid porn surfer, you are subject to the possibility of having images downloaded to your computer that you never even saw, much less actively clicked on or downloaded.

Remember, the entire page is downloaded, not just what you see.
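A simplified model of the caching behavior described above, added here as an example and not part of the original post. The two-page site, the image heights, the 600-pixel viewport and the one-hop prefetch rule are all assumptions made for illustration; it reports which images end up in the cache without ever having been on screen.

```python
from html.parser import HTMLParser

# Constructed two-page site; paths, heights and markup are made up for the example.
SITE = {
    "/home": (
        '<img src="/img/banner.jpg" height="400">'
        '<img src="/img/story.jpg" height="400">'
        '<img src="/img/footer_ad.jpg" height="300">'
        '<a href="/page2">next</a>'
    ),
    "/page2": '<img src="/img/page2_photo.jpg" height="500">',
}


class PageScan(HTMLParser):
    """Collects the images and links a page references, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []  # (src, height in pixels)
        self.links = []

    def handle_starttag(self, tag, attrs):
        attr = dict(attrs)
        if tag == "img" and "src" in attr:
            self.images.append((attr["src"], int(attr.get("height", 0))))
        elif tag == "a" and "href" in attr:
            self.links.append(attr["href"])


def scan(html):
    parser = PageScan()
    parser.feed(html)
    return parser


def simulate_visit(site, url, viewport=600, prefetch=False):
    """Model one page load with no scrolling.

    Assumption: images are stacked vertically, every referenced image is
    fetched and cached, and only those starting above the bottom of the
    viewport are ever displayed. With prefetch=True an "accelerator" also
    caches the images of every linked page, which the user never opens.
    """
    page = scan(site[url])
    cached, displayed = set(), set()
    top = 0
    for src, height in page.images:
        cached.add(src)            # written to the cache regardless of position
        if top < viewport:
            displayed.add(src)     # at least partly on screen
        top += height
    if prefetch:
        for href in page.links:
            if href in site:
                cached.update(src for src, _ in scan(site[href]).images)
    return {
        "cached": sorted(cached),
        "displayed": sorted(displayed),
        "cached_never_displayed": sorted(cached - displayed),
    }


if __name__ == "__main__":
    for mode in (False, True):
        print("prefetch =", mode, simulate_visit(SITE, "/home", prefetch=mode))
```

For an examiner, the last list is the point: the presence of a file in the cache is evidence that the browser fetched it, not that anyone saw it.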

And if you are unlucky enough to hit a “trap site”, a site that attempts to trap you by popping up dozens of windows and locks your browser to the page, you are now having all kinds of stuff force fed to your computer’s hard drive, in spite of what you intended.

And if some of that just happens to be contraband, you can go to prison for it.

Now you have to wonder if those teen sexploitation movies like Porky’s, American Pie, and many others that are based on characters in high school are not in fact purveyors of virtual child porn under the latest ruling by the Supreme Court since they depict sexual images of what could be teens under the age of 18. Unless of course, all the kids in these movies are just dumb and are really all twenty-somethings still stuck in high school.

And then there are games like Second Life, which is notorious for role-play of sexual encounters between adults and children with areas like “jail bait”. Second Life has since banned these areas under pressure from Dutch and German authorities who threatened prosecution for these “virtual child” encounters under their virtual child pornography laws.

The latest thing in the computer world is creating “virtual” child pornography, by using programs that can “de-age” an adult or by pasting the heads of children on the bodies of adults using Photoshop or some other image editing program. Even though this is not real child pornography, it is being treated as such under the law.

The Protection Act of 2003 broadens the definition of child pornography to include cartoons, drawings and artistic depictions. In addition, a new pandering section was added. Here is an excerpt from United States v. Williams, October, 2007:

“We shall refer to it as the Act. Section 503 of the Act amended 18 U. S. C. §2252A to add a new pandering and solicitation provision, relevant portions of which now read as follows:
“(a) Any person who—
“(3) knowingly—
. . . . .
“(B) advertises, promotes, presents, distributes, or solicits through the mails, or in interstate or foreign commerce by any means, including by computer, any material or purported material in a manner that reflects the belief, or that is intended to cause another to believe, that the material or purported material is, or contains—
“(i) an obscene visual depiction of a minor engaging in sexually explicit conduct; or
“(ii) a visual depiction of an actual minor engaging in sexually explicit conduct,
. . . . .
“shall be punished as provided in subsection (b).” §2252A(a)(3)(B) (2000 ed., Supp. V).”

You can read the full decision here:

As the laws continue to tighten, the danger to regular people is being prosecuted for unintentional acts or comments that can be construed as pandering or possession. So the next time one of your buddies sends you an email with a link to a cartoon showing an adult dressed up like a child doing something with another adult, don’t click on it!

If you are tempted to take a picture of your adorable toddler in the bathtub, make sure they are wearing clothes. And oh, by the way, better go back through those old picture albums and redact any of those bathtub pictures your parents took of you when you were a baby.

Otherwise, you just might be accused of possessing or manufacturing child pornography.

And in the climate today, just being accused is enough to destroy your life. You can forget about “innocent until proven guilty.” The damage will already have been done.

Tuesday, September 16, 2008

Creative Uses for Myspace and Facebook

Update: Based on Harlan Carvey's comment, I changed the title.

The phenomenon of MySpace and Facebook has swept the world. Social networking is definitely “where it’s at” to use an old phrase.

Other than just being a place to hook-up with friends, strangers with candy and anyone else who gets access to your profile, people are always coming up with new uses for technology:

Jury Selection: Got a list of prospective jurors you want to check out? Look them up on MySpace or Facebook or one of the other social networking sites and see what they are telling the world about themselves.

Pre-Employment screening: Check out that party animal or closet anarchist before you hire them.

Personal injury or workman’s comp. claim: Are they showing pictures of themselves totally partying out or playing football, skiing, skydiving on their profile, in spite of their serious injuries?

Volunteer screening: Want to make sure that new church volunteer isn’t misrepresenting themselves? Is their online profile, if they have one of course, showing them as a person you want hanging around your kids?

Babysitter screening: Ever wonder what your babysitter is really like?

I think if you try you can come up with dozens more ways to use the information you can gather from social networking sites, not only to find out the dirt on people, but to find out the good too.

One thing is for sure: Every new piece of technology that encourages people to interact in a public place will have its dark side. Or in this case, grey side.

Friday, September 12, 2008

Julie Amero - Wow, just Wow.

I have been following this case for a little while, and I am happy that she has been granted a new trial. I have to say that from what I have read about the forensics work in this case, it is frightening.

First, a quick refresher on the case itself:

Connecticut Teacher Gets New Trial on Web-Porn Charges

And just to get you up to speed a little further:

Commentary by the defense expert

Commentary by the prosecution expert.

Things that jump out at me as a forensic examiner:

The prosecution apparently never made a copy of the original hard drive, or the defense did not request those copies from law enforcement. Based on the tool used for the forensic "analysis" by the prosecution, it is possible they did not make a forensic image of the hard drive, but instead, worked off the original evidence. Not a best practice.

The tool used by the prosecution: Computer Cop Professional

Based on the information on the web site:

"How ComputerCOP Works: Simply drop the CD into a suspect's computer, choose to search for words/phrases from 21 categories of crime and/or search for images by type or header and scan."

So this tool requires the same level of expertise that you would need to run a virus scan on your computer?

While I suppose it is a forensic tool and it is useful for quickly examining a computer, I would hesitate to call it forensic analysis.

The defense expert used Norton Ghost to make a copy of the original hard drive. Now, while I know that you can make a bit-stream copy of a hard drive using Ghost, if you know how, why would you if you had real forensic tools at your disposal?

I am curious as to what forensic tools he used to do his analysis as well, if any.

While the main thrust of the prosecution's argument was that the Typed URLs proved that Julie Amero was actively typing in the URLs of porn sites, the defense expert makes no mention of typed URLs in his commentary. I wonder why?

Of course, finding Typed URLs in the Windows registry is one thing, putting a person at the keyboard when they are typed is another.

It is going to be interesting to see what comes up in her new trial.

I, for one, will be interested in seeing if the forensic work gets any better. For her sake, I hope it does.

Thursday, September 11, 2008

What is digital forensics?

Below is an excerpt from an article I wrote for an upcoming issue of NC Jury View.

Whenever I speak with an attorney for the first time, two questions invariably come up: “What can you do?”, and “What can you do for me?”

It would seem that both questions are easy to answer, but in reality, they are not. Here’s why. Let’s say that you are talking to an architect and ask her the same two questions.

Since everyone already has an idea of what an architect does and what a house is, including the things normally included in a house such as kitchens and baths and bedrooms, it is simple to reply, “I can design houses”, followed by “I can design a custom house for you.”

The challenge is that few people know what digital forensics is, and for the most part, don’t really have any idea of the inner workings of a computer or digital camera or a cell phone.

So, let’s begin at the beginning: What is digital forensics?

Digital forensics is the acquisition, preservation, analysis and presentation of electronically stored information.

Acquisition is where the chain of custody begins and where there is the most danger of destroying or missing evidence. The actual task of acquisition is physically collecting potential sources of electronic evidence and then copying the data from an electronic storage device such as a computer hard drive, USB drive, media card or from a cell phone in a forensically sound manner.

Making a forensic copy of a hard drive or other electronic media is not the same as making a backup or a normal copy. A forensic copy will capture all of the data on the device, including deleted data and hidden data. A backup copy or a normal copy will not. This is where people get themselves into trouble by relying on their local computer guy to make a copy. Unless your local computer guy has the forensic tools and training, he is not going to get an exact copy of all the data and he is very likely to destroy evidence in the process. The copy your local computer guy makes will probably not stand up in court under the best evidence rules if the other side has someone to challenge it.

Preservation of the evidence is simply making absolutely certain that the original is not modified in any way and is protected from being modified, either intentionally or inadvertently. This process also happens prior to and during the acquisition of the evidence. Preserving the original is critical in order to comply with accepted standards and the Federal Rules of Evidence.
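To make the acquisition and preservation points above concrete, here is an added example (not part of the original article) that models a storage device as raw blocks plus a file table. The `ToyDisk` class, file names and contents are constructed for illustration; real file systems and imaging tools are far more involved, but the difference between a file-level copy and a hash-verified bit-stream copy is the same.

```python
import hashlib

BLOCK = 32  # bytes per block in this toy model


def sha256(data):
    return hashlib.sha256(data).hexdigest()


class ToyDisk:
    """Constructed stand-in for a storage device: raw blocks plus a file table."""

    def __init__(self, n_blocks):
        self.raw = bytearray(n_blocks * BLOCK)
        self.table = {}      # file name -> (first block, length in bytes)
        self.next_free = 0   # next unused block

    def write_file(self, name, data):
        blocks_needed = -(-len(data) // BLOCK)  # ceiling division
        if (self.next_free + blocks_needed) * BLOCK > len(self.raw):
            raise ValueError("toy disk is full")
        start = self.next_free * BLOCK
        self.raw[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += blocks_needed

    def delete_file(self, name):
        # Deletion only drops the table entry; the bytes stay in what is
        # now unallocated space until something overwrites them.
        del self.table[name]

    def read_file(self, name):
        first, length = self.table[name]
        return bytes(self.raw[first * BLOCK:first * BLOCK + length])


def normal_copy(disk):
    """File-level copy or backup: sees only what the file table still lists."""
    return {name: disk.read_file(name) for name in disk.table}


def forensic_image(disk):
    """Bit-stream copy of every block, verified against a hash of the source."""
    source_hash = sha256(disk.raw)
    image = bytes(disk.raw)
    if sha256(image) != source_hash:
        raise RuntimeError("image does not match source")
    return image, source_hash


def demo():
    disk = ToyDisk(n_blocks=8)
    disk.write_file("budget.txt", b"Q3 budget: 41,000")          # constructed
    disk.write_file("memo.txt", b"MEMO: meet at the warehouse")   # constructed
    disk.delete_file("memo.txt")

    files = normal_copy(disk)
    image, source_hash = forensic_image(disk)

    needle = b"meet at the warehouse"
    result = {
        "normal_copy_files": sorted(files),
        "in_normal_copy": any(needle in data for data in files.values()),
        "in_forensic_image": needle in image,
        "offset_in_image": image.find(needle),
        "image_verified": sha256(image) == source_hash,
    }
    # Preservation check: any later change to the original, even one bit,
    # no longer matches the hash recorded at acquisition.
    disk.raw[0] ^= 0x01
    result["original_still_matches"] = sha256(disk.raw) == source_hash
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The deleted memo is absent from the file-level copy but recoverable from the image, and the recorded hash is what lets either side show later whether the original was altered.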

Analysis is the stage that most everyone is primarily interested in. However, before the analysis phase of the examination takes place, depending on which side of the case the examiner is on, prosecution or defense, plaintiff or defense, rules will normally have been set that govern the scope of the examination.

Is this a private search or a government search? Does it fall under the rules of 4th amendment searches or under the rules of the Electronic Communications Privacy Act?

Depending on the type of case, what the examiner can look for in the evidence may be restricted by a search warrant or by a judge or by a non-disclosure agreement. Even if this is an examination in a civil or domestic case prior to any litigation, privacy issues must be dealt with and the examiner must be cognizant of and abide by the rules of the law governing searches and disclosure.

Once the above have been decided, the forensics examiner then uses forensic tools and knowledge to recover data from the acquired evidence; data such as internet history, web pages, email, pictures, documents, spreadsheets and anything else of interest. And in the case of cell phones; call logs, text messages, ringtones, contact lists, calendars, pictures and videos.

Presentation is the final stage of the examination and involves presenting the findings of the examination to the client. Depending on the situation, the presentation of the findings may include detailed written reports with supporting data, and in some cases, testimony in a court of law.

A competent digital forensics examiner will always approach every stage of the process with the intention of having to defend his findings via testimony in a court of law, in the presence of an opposing expert, even if the possibility of litigation is slim.

Sunday, August 24, 2008

Using Inferior Language

I was having dinner the other day with my wife and son at the local Cracker Barrel. My son is graduating this semester from UNC-Pembroke in Religion and Philosophy. At one point, the conversation turned to blogging and writing in general. My son loves the Puritan writers such as Jonathan Edwards as well as the writings of Charles Spurgeon. All of them are great writers, but not easy reads.

My son is enamored with language, which is a good thing. Since he will soon have to turn to learning biblical Greek and Hebrew when he enters seminary next fall.

But the conversation was about communicating and using the language he has learned in different venues such as his blog, or in papers he writes.

He was saying that he didn’t like to use inferior language, but preferred to use the more descriptive terms and scholarly language that he had learned through his study of the Puritans and other great authors of the reformed movement.

He asked me what I thought and I explained to him that what mattered was being a good communicator. While the Puritan writers were great communicators in the language of their day, that is no longer the language of the day now.

I explained to him that to me, inferior language is not the use of common or modern terms, but using words and examples your intended audience does not understand. For instance, if you are speaking to a group of 1,000 people and you use language that 500 don’t understand, you have an audience of 500, and are failing to communicate to the other 500.

He thought that really made sense. Dad strikes another blow for old people wisdom!

And that leads me to the subject of giving expert testimony. The expert in the Laci Peterson trial is a great example of how not to give expert testimony. His testimony was so disjointed and laced with so many terms that he assumed the jury would understand, that I had trouble following it. And I do understand the technical terms.

You can read an excerpt of his testimony here at Postcard Mysteries.

One of the ways that I use to explain technical concepts is through analogies. For instance, defragmenting a hard drive:

Imagine that you are holding a roll of quarters in your hand and you toss them up in the air. Now, if you need to get 3.00 in quarters back, you have to go all around the room and pick them up one at a time. That is a very slow and inefficient process. But if you go around the room and pick up all the quarters and put them back into a roll in your hand, getting 3.00 in quarters is very fast because they are all next to each other again. That is what the computer does when it defrags the hard drive. It puts things next to each other again so it does not have to go all over the hard drive to get something it needs.

In my mind, explaining technical concepts using easy to understand language and analogies is a far better way to communicate to an audience, the jury, when you do not have any idea of their baseline of technical expertise.

I consider using the technical jargon of my field in general conversation as speaking Klingon. I can only effectively communicate like that if I am talking to other people fluent in Klingon. And the people I normally most need to communicate with are not fluent in Klingon.

When I interviewed someone the other day for a position with our company, I asked him to explain to me what a router is and what it does. On the condition that he explained it like I was his Grandmother who never used a computer.

Because that is what you are dealing with when you talk to laypersons about technical concepts in the computer and forensic fields.

Just because computers are everywhere these days and a lot of people use them, it is irresponsible to assume that means they understand how they work.

Lots of people drive cars and have no idea how they work either.


Saturday, August 23, 2008

A little housekeeping

I decided to unpublish two of my posts: The one on the Obama birth certificate issue, since it appears to be of little value other than a curiosity. And this is not a political rag.

And the one on Detecting Fake Digital Documents as it was a little more technical than I want this blog to be.

My purpose for this blog is to write about issues and cases, not to be a technical blog.

There are plenty of those around already.

Friday, August 22, 2008

PI Licensing for Computer Forensics

The debate goes on in many states about whether or not Computer Forensics practitioners must be licensed as Private Investigators.

The primary argument for this in most states is twofold:

Requiring a PI license will protect the public interest.

The current law covers computer forensics via the statement:
(v) Securing evidence to be used before a court, board, officer, or investigating committee.

The issue that those of us in the computer forensics field have with this is not whether or not we should be licensed. That would be a step in the right direction in my opinion. However, by lumping us in with PI's, it grants them credibility in our field by holding a license in a totally unrelated discipline, and excludes those who are qualified from practicing in the field until they obtain a PI license.

For instance, Michigan just revamped their licensing law to include computer forensics.
(viii) Computer forensics to be used as evidence before a court, board, officer, or investigating committee.

Honestly, I have no issue with obtaining a PI license in a state that requires one provided that:

The qualifications and experience I have count toward obtaining the license equally with that of private investigators. If you are going to have one law, then the qualifications should be able to be met by experience in any field you lump into the law.

That the law does not put an undue burden on the licensee to do business in that state. Of course, that is relative I suppose, since most states do not seem to have a residency requirement for licensing as long as you post a bond if required and meet the other qualifications for the license.

What is kind of nutty though is that if I obtain a PI license, then I can do anything in their business arena that I want, such as surveillance, investigations, etc.

So the catch 22 is, if I can qualify for a PI license based on my computer forensics experience, the board is potentially unleashing someone with no PI type experience on the public to perform services for which I know I am not qualified.

If a private investigator can perform forensics without any training or experience, then the licensing board is potentially unleashing an equally unqualified person on the public to perform scientific analysis of computer data.

The other part of the quandary is in states that do not require licensing of any kind for computer and cell phone forensics; the public is in a "buyer beware" situation since anyone can hang out a shingle and provide what is a scientific forensic service, even if they have never turned on a computer in their life.

To me, the right answer is to professionally license computer forensics examiners based on a state accepted competency examination, like public engineers or general contractors. Or at the very least requiring a vendor neutral certification from a nationally recognized body such as the Certified Computer Examiner certificate from the International Society of Computer Forensics Examiners.

The wrong answer is to lump what is a forensic science discipline in with a totally unrelated profession without consideration for competency in the discipline.

Musings on Cyberspace

Is child porn on the rise?

Considering the increase in arrests for child pornography and internet predators; is it an indication of a growing interest in this type of activity or an indication of how widespread this behavior is and has been for a long time? With new tools and increased attention, arrests are on the rise mainly due to better law enforcement efforts. However, the number of arrests is probably a small fraction of the number of offenders. I think it is the proverbial tip of the iceberg and that arrests will continue to rise as law enforcement and community efforts continue to improve to combat these types of crime.

Where does the responsibility lie when an on-line service provides a venue for illegal or malicious activity?

Consider the following:

Chat rooms are a huge attraction for people attempting to meet children and groom them for sexual encounters. In my mind, if this is the case, it is just like opening a public park for kids and allowing adults to hang around and interact with the children, completely unsupervised by anyone. The adults are free to groom the kids with impunity. If such a park existed, and it had the amount of illicit activity that exists in chat rooms, would it not be declared a public nuisance and shut down?

Do internet providers like AOL or MSN have any responsibility for trying to make these virtual areas reasonably safe?

Cyber bullying is becoming a weapon of choice for many who want to attack someone else, with or without cause. MySpace, Facebook and Craigslist, to name a few, are prime venues for doing just that. While people constantly violate their terms of service by creating accounts with completely false information, the desire to acquire more hits appears to be greater than the desire to protect the public from misuse of their products. Some effort to tighten up compliance with their terms of service would seem to be in order. Which leads to the next musing:

Anonymity on the Internet may very well be one of its greatest appeals and greatest potential for harm.

Consider free email accounts on the web; these are by far the communication vehicle of choice for people having extra-marital affairs, trading illegal drugs, including offshore pharmacies, sending pornography to children and conducting various illegal activities, because they think the information cannot be recovered since it is on the internet.

Consider the potential damage done by anonymous experts, who can claim to have expertise in any area from medicine to law to forensics science. They freely give advice and expert opinions to unsuspecting people with impunity, shielded by the anonymous nature of the internet.

The internet is becoming the propaganda medium of choice for everyone from businesses to Al-Qaeda. Terrorist organizations have embraced the internet as their recruiting and fund raising medium of choice. No longer just looking like a bunch of fanatics hiding in caves, they are building a web presence that is very modern and hopefully to them, appealing.

Free Speech and Identity Protection

Of course the opposite side of the argument is that anonymity protects the personal information of people who use it. That is a fair position to take I suppose. But to say that it is needed to protect our first amendment right to free speech in America would be incorrect. Of course, not all countries’ citizens have that right and need anonymity to protect themselves from their own government if they want to express a dissenting opinion about conditions or political issues in their country.

These issues will continue to be a legal and ethical struggle for some time as the explosion of internet use and technology continues to outpace legal decisions in the courts and tests the personal responsibility of individuals and the social responsibility of corporations providing services in Cyberspace.