Sunday, September 28, 2008

Do you know where your credit cards are?

Credit card fraud is a nasty business.  But it becomes much nastier when you get accused and arrested for child pornography because of it.

Spokane firefighter may sue over child porn arrest.

It is becoming more and more frightening when law enforcement attempts to react so quickly to suspicion based on a thin thread of evidence collected via the internet to the point of skipping real investigation for a quick score.

In this case, I bet the fireman would have gladly allowed the police to examine his computer to make sure he did not have child porn prior to arresting him.

Sheesh.

Saturday, September 27, 2008

Update on North Carolina Licensing for Digital Forensics

Here is a link to an article at North Carolina Business Litigation Report: North Carolina May Require Licensing For Computer Forensic Consultants, But Do We Need It?

I am absolutely for licensing Digital Forensics Examiners, separately from Private Investigators as I have stated on this blog a few times.

I am picking out some of the links from the article here so you can see what North Carolina is proposing, which I think is the correct model for handling this issue.

A draft of the proposed legislation.

The draft minutes from the June 9, 2008 meeting of the Computer Forensics Subcommittee of the Private Protective Services Board.

Excerpts from other committee meetings where this was discussed.

Many people have said that Digital Forensics should be coverd by Private Investigator Licenses. I disagree simply because of the fact that this is an entirely different field of expertise and it requires specific training and experience in a very narrow discipline, not covered in any way by Private Investigator training.

Others say that no licensing should be required, but that the court can make the decision of who is an expert. I think this is a shortsighted view. Once a matter gets to court, the damage has already been done by incompetent "experts."

Also, the vast majority of cases never make it to court. Who is going to decide if the expert was competent in those cases? Will anyone ever know?

While I realize that obtaining a license, even with the provision provided by the NC proposal does not guarantee competency, it at least establishes a floor for minimum training and experience before someone can engage the public as an expert in the field.

Whether or not you want to say the word "expert", the assumption is that someone who is offering services as a Digital or Computer Forensics Examiner, "expert" is implied, if not explicitly stated.

I say let's protect the public and get this right.

Constitution Protects Stored Cell Phone Location Information

From the Center for Democracy and Technology:

"A federal court ruled September 10th that stored cell phone location information is protected by the Fourth Amendment. The court said the government needed a warrant, based on probable cause, in order to gain access to stored cell phone location information. Other courts have required probable cause for law enforcement access to real-time cell phone location information; however, this decision is particularly important because it extends the probable cause requirement to stored location information. The Electronic Frontier Foundation, joined by CDT, ACLU and the ACLU of Pennsylvania, had argued for the warrant requirement that the court adopted in an amicus curiae brief filed in July. September 11, 2008"

You can view the Federal Court Decision here.

Ethics in Digital Forensics

I just read an article in the current issue of Forensics Magazine: Digital Insider: Ethical Practices in Digital Forensics: Part 1, by John J. Barbara.
While the article is well written, I have to take issue with some of the content.
The article addresses the ethical issues of both the primary and secondary experts in a case. While he chose to use ballistics as the scenario for this article, he promises to use a digital forensics scenario in Part 2. (Not sure why he didn’t use one to start with.)
Here is a quote from the article that I take issue with:
“In shooting situations such as this, it would not be surprising for the defense to hire another examiner to reexamine the fired projectiles. What would be the legal, moral, professional, and ethical responsibilities of the second examiner should a different conclusion be determined? Certainly, he or she will report the results to the defense counsel. However, should the second examiner also notify the prosecutor and the first examiner? Would doing so violate any attorney/client privileges? Going one-step further, should the defense counsel notify the prosecutor? This scenario is not uncommon and holds the potential for legal, professional, and ethical conflicts involving both of the examiners and the defense counsel. Presuming that the conflicting testimony is presented in court, ultimately the jury would have to decide the weight given to the each examiner’s testimony. “

Before I make my comments, let me quote Mr. Barbara’s mini-bio from the article:
“John J. Barbara is a Crime Laboratory Analyst Supervisor with the Florida Department of Law Enforcement (FDLE) in Tampa, FL. An ASCLD/LAB inspector since 1993, John has conducted inspections in several forensic disciplines including Digital Evidence. John is the General Editor for the “Handbook of Digital & Multimedia Evidence” published by Humana Press.”

I am not picking on Mr. Barbara, but it appears he has forgotten that we use an adversarial system in the U.S. Perhaps, Florida is different, but I doubt it.

Should the second examiner notify the prosecutor and the first examiner? Not if he wants to do any more work. As far as I know, that would violate the attorney work product and the trust of the defense counsel that retained the secondary expert.

Going one-step further, should the defense counsel notify the prosecutor? Oh, you bet he will; when the time is right. If the defense counsel believes that the evidence to be presented by the expert is prejudicial based on the work of his retained expert, he will normally have the secondary expert prepare an affidavit of facts and have it served on the prosecutor in preparation for a motion to exclude that evidence. What the defense counsel must tell the prosecution and when, varies by state.

Of course I am not an attorney and I don’t play one on TV, but that has been my experience as the secondary expert in many cases.

I don’t regard either of the preceding questions raised in the article as ethical in nature. I actually would regard acting in that manner as unethical toward the attorney that has retained the secondary expert.

So, let’s get back to the core topic of ethics in digital forensics. First of all, I see no difference in the ethical code a digital forensics examiner should ascribe to than any other ethical code in forensics science.

The problem perhaps is the lack of recognition that Digital Forensics is a science.

Mr. Barbara is spot on when he says, “There are many examiners in the Digital Forensic community who are not aware that professional codes of conduct and codes of ethical practices need to be an inherent part of every examination.”

But, I disagree again when he states further along that, “Ultimately, the examiner is responsible for his or her results. Through education, training, and experience, he or she develops and enhances individual technical knowledge, skills, and abilities. This maturation process needs to include adherence to an overriding code of professional conduct or a code of ethical practices.”

Ethical practices should be part and parcel, from the very beginning of any forensic practitioner's training. Waiting until later in an examiner’s career to begin to mature into ethical conduct by adopting a code of ethical behavior puts the cart squarely before the horse.

But there is a serious problem as I see it with ethics in the Digital Forensics field: People getting into the field to make a quick buck by picking the low hanging fruit of distressed spouses, concerned employers or uninformed attorneys.

This is multiplied by the blinders being worn by state licensing boards where they are failing to recognize digital forensics as a discipline that incorporates scientific examination of evidence that requires special expertise and training, but instead think is it part of private investigation. In my mind that is a violation of the public trust, but I have been on that soapbox for a while now, so no news there.

The foundation for ethical practice is recognizing the responsibility of the examiner in performing his or her duties.. When you attend forensic courses, they will tell you that you need to be impartial. They don’t tell you that you need to be ethical or even explain what that means in the context of the forensics field.

If the examiner is working as a consultant / expert in the field, they must have a clear understanding of the impact of what they do, including some knowledge of the laws that govern the practice, and what they must do to ethically serve their clients, whether they are attorneys or private citizens.

Even in-house examiners have a responsibility to operate in an ethical manner in internal investigations, lest they inadvertently destroy another employee’s career by making a representation that is not completely correct or based in any way on speculation.

And I believe that law enforcement examiners should be of the highest ethical standard since by definition we are relying on them to protect us as part of their sworn commitment to the public they serve.

I hear a lot of comments by examiners that say, “I just find the data. Then let the lawyers sort it out.”
To operate ethically, the examiner should make sure that the evidence they find and present at least meets what I consider to be the minimal standard of a digital forensics examination: “If you can’t prove it, don’t say it.”

Presentation of digital evidence should never be on the basis of speculation. Rendering an opinion can be an explanation of why the expert believes something to be true based on examination of digital evidence, but never on speculation.

So the next time you, as a digital forensics examiner are on the witness stand and the attorney asks you, “Mr. Examiner, in your expert opinion, would it be fair to say that…..” Remember that someone’s life may be in the balance. And that is where your ethics must already be firmly engrained in all you have done and will say.

I am a member of and recommend the multi-discipline American College of Forensic Examiners.

Thursday, September 25, 2008

What they don't teach you in computer forensics school.

Having attended quite a few computer forensics schools in my time, and after talking with other practitioners getting into the forensics field, it struck me that computer forensics schools leave some things out.

I have to presume the reason for it is because this field has been dominated by law enforcement and internal investigation types or major corporations for the majority of its life. So it is probably assumed that knowing how to do all the things required to actually practice in the field are already covered by internal training or policies.

For the independent practitioner, all of the things that others do have to be done as well, but no one is providing courses or information for these tasks.

So consider this a shameless plug if you want and stop reading here.

I have decided to begin offering a Digital Forensics Practice course. In this course consultants will learn how to:

  • Properly handle evidence including all of the forms, policies and procedures they need to keep records.
  • What they need to have in their forensics lab for handling and processing digital evidence and where to get it. Not hardware or software, but little things like evidence bags, etc.
  • How to properly set up a case and manage it from start to finish including best practices for the actual analysis of the case, including documentation.
  • How to write and present standardized reports.
  • What to put in a report and how to format it properly.
  • How to assist attorneys and clients through the preservation and discovery process.
  • How to analyze the work of an opposing expert.
  • How to prepare for court testimony.
  • How to prepare a CV or resume for qualifying as an expert.
  • How to testify in court.
  • Setting up and managing case files and documentation.
  • How to determine how much to charge for their work.
  • Dealing with retained and indigent cases.
  • Ethical responsibilities of digital forensics experts.
  • How to deal with cases involving contraband, such as child porn.

The course is open to anyone, but classes are limited to 10-12 people.

I am looking for input for anything I may have missed or anything that someone would like to see covered. If you have suggestions or would like to find out more, email me at larry@guardiandf.com

Courses will begin in January of 2009.

Thursday, September 18, 2008

Is prison just a click away?

Let’s be honest: A lot of people like porn. They surf for it, download it from Limewire or Kazaa, talk about it, rent it from on-line and brick and mortar stores, and hear about it a lot in mainstream media. Talk of watching porn is rife in movies like American Pie, those awful National Lampoon teen comedies, slasher flicks and pretty much anything intended to appeal to the 18-25 age group these days.

Porn has been around for thousands of years and the only thing that has changed is that the media has progressed from drawings on rice paper or parchment to virtual images transmitted by computers.

A couple of years ago I worked on an “Operation Fairplay” case where a school teacher was arrested for downloading child porn from Limewire. Working with the law enforcement expert on the other side, it was determined that 90% of the “titles” downloaded that had child porn descriptions were of adult porn.

Based on the Supreme Court decision I just posted about, it is conceivable that just downloading something with a CP description could be considered illegal.

A lot of the cases I work on involve CP that appears only in the internet cache or resides in “unallocated space”, areas of a computer that users cannot see without specialized tools. It is very common for a person to be prosecuted based on these images alone, even if no effort was made to preserve the images and where there is no evidence that the person was actively searching for child pornography.

In order to understand how this can occur, you must understand how browser caching works: When you visit a web page, all of the web page is saved to your internet cache, even if you cannot see the entire page. For example, when you visit Yahoo’s home page or MSNBNC.com, the page extends far beyond what you can see at one time because the page is larger than what your monitor screen can display in a single view. So while you are looking at the top of the web page, the rest of the page is being cached to your computer, whether you intend to ever view it or not.
This also includes anything that pops up. All those pop-ups are cached to your computer’s hard drive as well.

If your computer has an “internet accelerator” installed, which is a program that makes browsing faster, you will have not only the current page you are viewing cached to your computer’s hard drive, but the accelerator will attempt to anticipate what you are going to want to view next and can download the entire web site. This is so that when you click on a link, the page will immediately appear since it has already been downloaded to your computer. Some will even attempt to download other sites that are linked to the current page.

You are not as much in control of your internet browsing as you think you are.

What this means is that if you are an avid porn surfer, you are subject to the possibility of having images downloaded to your computer that you never even saw, much less actively clicked on or downloaded.

Remember, the entire page is downloaded, not just what you see.

And if you are unlucky enough to hit a “trap site”, a site that attempts to trap you by popping up dozens of windows and locks your browser to the page, you are now having all kinds of stuff force fed to your computer’s hard drive, in spite of what you intended.

And if some of that just happens to be contraband, you can go to prison for it.

Now you have to wonder if those teen sexploitation movies like Porky’s, American Pie, and many others that are based on characters in high school are not in fact purveyors of virtual child porn under the latest ruling by the Supreme Court since they depict sexual images of what could be teens under the age of 18. Unless of course, all the kids in these movies are just dumb and are really all twenty-somethings still stuck in high school.

And then there are games like Second Life that is notorious for role-play of sexual encounters between adults and children with areas like “jail bait”. Second Life has since banned these areas under pressure from Dutch and German authorities who threatened prosecution for these “virtual child” encounters under their virtual child pornography laws.

The latest current thing in the computer world is creating “virtual” child pornography, by using programs that can “de-age” an adult or by pasting the heads of children on the bodies of adults using Photoshop or some other image editing program. Even though this is not real child pornography, is it being treated as such under the law.

The Protection Act of 2003 broadens the definition of child pornography to include cartoons, drawings and artistic depictions. In addition, a new pandering section was added. Here is an excerpt from United States v. Williams, October, 2007:

“We shall refer to it as the Act. Section 503 of the Act amended 18 U. S. C. §2252A to add a new pandering and solicitation provision, relevant por­tions of which now read as follows:
“(a) Any person who— “(3) knowingly— . . . . . “(B) advertises, promotes, presents, distributes, or so­licits through the mails, or in interstate or foreign commerce by any means, including by computer, any material or purported material in a manner that re­flects the belief, or that is intended to cause another to believe, that the material or purported material is, or contains—
“(i) an obscene visual depiction of a minor engaging in sexually explicit conduct; or “(ii) a visual depiction of an actual minor engaging in
sexually explicit conduct,
. . . . . “shall be punished as provided in subsection (b).” §2252A(a)(3)(B) (2000 ed., Supp. V). “

You can read the full decision here: http://www.supremecourtus.gov/opinions/07pdf/06-694.pdf

As the laws continue to tighten, the danger to regular people is being prosecuted for unintentional acts or comments that can be construed as pandering or possession. So the next time one of your buddies sends you an email with a link to a cartoon showing an adult dressed up like a child doing something with another adult, don’t click on it!

If you are tempted to take of a picture of your adorable toddler in the bathtub, make sure they are wearing clothes. And oh, by the way, better go back through those old picture albums and redact any of those bathtub pictures your parents took of you when you were a baby.

Otherwise, you just might be accused of possessing or manufacturing child pornography.

And in the climate today, just being accused is enough to destroy your life. You can forget about “innocent until proven guilty.” The damage will already have been done.

Tuesday, September 16, 2008

Creative Uses for Myspace and Facebook

Update: Based on Harlan Carvey's comment, I changed the title.


The phenomenon of MySpace and Facebook has swept the world. Social networking is definitely “where it’s at” to use an old phrase.

Other than just being a place to hook-up with friends, strangers with candy and anyone else who gets access to your profile, people are always coming up with new uses for technology:

Jury Selection: Got a list of prospective jurors you want to check out? Look them up on MySpace or Facebook or one of the other social networking sites and see what they are telling the world about themselves.

Pre-Employment screening: Check out that party animal or closet anarchist before you hire them.

Personal injury or workman’s comp. claim: Are they showing pictures of themselves totally partying out or playing football, skiing, skydiving on their profile, in spite of their serious injuries?

Volunteer screening: Want to make sure that new church volunteer isn’t misrepresenting themselves? Is their online profile, if they have one of course, showing them as a person you want hanging around your kids?

Babysitter screening: Ever wonder what your babysitter is really like?

I think if you try you can come up with dozens more ways to use the information you can gather from social networking sites, not only to find out the dirt on people, but to find out the good too.

One thing is for sure: Every new piece of technology that encourages people to interact in a public place will have its dark side. Or in this case, grey side.

Friday, September 12, 2008

Julie Amero - Wow, just Wow.

I have been following this case for a little while, and I am happy that she has been granted a new trial. I have to say that from what I have read about the forensics work in this case, it is frightening.

First, a quick refresher on the case itself:

Connecticut Teacher Gets New Trial on Web-Porn Charges

And just to get you up to speed a little further:

Commentary by the defense expert

Commentary by the prosecution expert.

Things that jump out at me as a forensic examiner:

The prosecution apparently never made a copy of the original hard drive, or the defense did not request those copies from law enforcement. Based on the tool used for the forensic "analysis" by the prosecution, it is possible they did not make a forensic image of the hard drive, but instead, worked off the original evidence. Not a best practice.

The tool used by the prosecution: Computer Cop Professional

Based on the information on the web site:

"How ComputerCOP Works: Simply drop the CD into a suspect's computer, choose to search for words/phrases from 21 categories of crime and/or search for images by type or header and scan."

So this tool requires the same level of expertise that you would need to run a virus scan on your computer?

While I suppose it is a forensic tool and it is useful for quickly examining a computer, I would hesitate to call it forensic analysis.

The defense expert used Norton Ghost to make a copy of the original hard drive. Now, while I know that you can make a bit-stream copy of a hard drive using Ghost, if you know how, why would you if you had real forensic tools at your disposal?

I am curious as to what forensic tools he used to do his analysis as well, if any.

While the main thrust of the prosecution's argument was that the Typed URLs proved that the Julei Amero was actively typing in the urls of porn sites, the defense expert makes no mention of typed urls in his commentary. I wonder why?

Of course, finding Typed URLs in the Windows resgistry is one thing, putting a person at the keyboard when they are typed is another.

It is going to be interesting to see what comes up in her new trial.

I, for one, will be interested in seeing if the forensic work gets any better. For her sake, I hope it does.

Thursday, September 11, 2008

What is digital forensics?

Below is an excerpt from an article I wrote for an upcoming issue of NC Jury View.

Whenever I speak with an attorney for the first time, two questions invariably come up: “What can you do?”, and “What can you do for me?”


It would seem that both questions are easy to answer, but in reality, it is not. Here’s why. Let’s say that you are talking to an architect and ask her the same two questions.

Since everyone already has an idea of what an architect does and what a house is, including the things normally included in a house such as kitchens and baths and bedrooms, it is simple to reply, “I can design houses’, followed by “I can design a custom house for you.”

The challenge is that few people know what digital forensics is, and for the most part, don’t really have any idea of the inner workings of a computer or digital camera or a cell phone.

So, let’s begin at the beginning: What is digital forensics?

Digital forensics is the acquisition, preservation, analysis and presentation of electronically stored information.

Acquisition is where the chain of custody begins and where there is the most danger of destroying or missing evidence. The actual task of acquisition is physically collecting potential sources of electronic evidence and then copying the data from an electronic storage device such as a computer hard drive, USB drive, media card or from a cell phone in a forensically sound manner.

Making a forensic copy of a hard drive or other electronic media is not the same as making a backup or a normal copy. A forensic copy will capture all of the data on the device, including deleted data and hidden data. A backup copy or a normal copy will not. This is where people get themselves into trouble by relying on their local computer guy to make a copy. Unless your local computer guy has the forensic tools and training, he is not going to get an exact copy of all the data and he is very likely to destroy evidence in the process. The copy your local computer guy makes will probably not stand up in court under the best evidence rules if the other side has someone to challenge it.

Preservation of the evidence is simply making absolutely certain that the original is not modified in any way and is protected from being modified, either intentionally or inadvertently. This process also happens prior to and during the acquisition of the evidence. Preserving the original is critical in order to comply with accepted standards and the Federal Rules of Evidence.

Analysis is the stage that most everyone is primarily interested in. However, before the analysis phase of the examination takes place, depending on which side of the case the examiner is on, prosecution or defense, plaintiff or defense, rules will normally have been set that govern the scope of the examination.

Is this a private search or a government search? Does it fall under the rules of 4th amendment searches or under the rules of the Electronic Communications Privacy Act?

Depending on the type of case, what the examiner can look for in the evidence may be restricted by a search warrant or by a judge or by a non-disclosure agreement. Even if this is an examination in a civil or domestic case prior to any litigation, privacy issues must be dealt with and the examiner must be cognizant of and abide by the rules of the law governing searches and disclosure.

Once the above have been decided, the forensics examiner then uses forensic tools and knowledge to recover data from the acquired evidence; data such as internet history, web pages, email, pictures, documents, spreadsheets and anything else of interest. And in the case of cell phones; call logs, text messages, ringtones, contact lists, calendars, pictures and videos.

Presentation is the final stage of the examination and involves presenting the findings of the examination to the client. Depending on the situation, the presentation of the findings may include detailed written reports with supporting data, and in some cases, testimony in a court of law.

A competent digital forensics examiner will always approach every stage of the process with the intention of having to defend his findings via testimony in a court of law, in the presence of an opposing expert, even if the possibility of litigation is slim.