Thursday, October 30, 2008
While there is nothing wrong with classical ethics courses, they really are not very practical when applied to a discipline like computer or digital forensics. At least not without a lot of extra explanation.
So let me explore this topic from a slightly different angle: practical application to this specific discipline.
Experts in general are sometimes accused of being biased because it is believed that they have a vested interest in the outcome of a case. On the prosecution side, the suspicion of bias can be attributed to the fact that the expert is on the payroll of the side they are testifying for. On the defense side, the accusation of “hired gun” is sometimes used to show that an expert is biased because they are getting paid to testify.
In reality, both sides are getting paid to testify, making that a weak argument for bias, in my opinion. However, that argument has been used to some effect in trying to sway juries against an expert, especially a private expert. Someone charging 150.00 to 500.00 an hour to testify seems expensive. All things are relative in that respect I think. The doctor that removed a kidney stone for me got 2500.00 for a 30 minute procedure, making his hourly rate 5000.00. Now that seems high to me!
Providing expert services is something that is sorely needed in the digital forensics arena for the simple fact that to the layman, it can sound like a pretty arcane science, with its own specialized language, tools and methods. It is not something that just anyone can do. Much like the doctor that removed my kidney stone. I wouldn't want someone who was just “interested” in medicine to do that kind of thing for me.
If the primary concern in ethical behavior in experts is whether or not they are biased, then that is what we should explore here. Especially since every code of ethics I have seen in this field states clearly that the expert should be a neutral party.
In every case I have worked, civil or criminal, I have not once gotten the impression that the expert on the other side was biased in any sort of classical sense. In particular, if we define bias as attempting to present or withhold facts in such a way as to unduly influence the outcome of a case.
The role of the expert is to find and present all the facts to the client, independent of the impact on the case. Nothing should be deliberately obscured or omitted that might be either exculpatory or incriminating. It is not the role of the expert to judge the plaintiff or defendant, nor is it the role of the expert to be an advocate. Advocacy is the job of the person's legal counsel.
Bias is only one of the ethical challenges facing any expert, including those in the area of computer forensics.
Most ethics statements will include something along the lines of the expert not having a stake in the outcome of the case. Simply put, an expert should never be working on a contingency basis, since this clearly puts the expert in the position of having to “win” to get paid. If your fees depend on making sure your side wins, then you are definitely biased and no amount of explanation will make that go away.
Perhaps one of the most important aspects of ethical behavior for an expert is one of the harder ones to judge: competency. From the outside, it is difficult to tell if the expert is really qualified until they are engaged and performing the work. However, anyone who puts themselves out as an expert and attempts to do things above their competency level is not only in danger of being unethical, they are in danger of being sued or worse.
The problem with a field like computer forensics is the lack of universally accepted standards that anyone can view to get at least an idea of the level of competency of the expert. Other experts require some sort of professional licensing specific to their field: certified public accountants, doctors, professional engineers, lawyers, etc., all of whom have had to pass some sort of board certification prior to being allowed to practice. Of course it was not always that way for those professions in the early days, before such boards and licensing bodies were formed. And that is the state of computer forensics today.
Without such minimum safeguards, pretty much anyone can say they are a computer forensics expert. They might not get qualified if they ever get to court, but most cases never make it that far.
Let's be honest and admit that it doesn't take much to pull the wool over a computer novice's eyes with a few well placed buzz words. Or simply the possession of a computer forensics software package. The danger here is that once the “expert” is retained and allowed to work on a case, by the time they are exposed by a qualified opposing expert, the damage is already done.
The point here is that the minimum of ethical behavior in an expert is to not overstate their qualifications to get a case, nor to overstep their competency by taking a case where they cannot provide the level of expertise that the client expects and deserves.
From a personal standpoint, as an example, I specialize in post-mortem forensics, not incident response. So I will not take incident response cases because they are simply outside my expertise, even though I have over twenty five years of IT experience and have done my share of network security, intrusion detection, firewall programming and such. However, incident response is above that level of expertise when practiced as a forensic discipline.
If a client's needs represent an area of expertise I would not be comfortable testifying about in court, I simply won't take the case. In my mind, that should be the bar an expert sets for what cases they will accept or reject.
A final word on bias: Working hard for your client by providing the highest level of service you can is not bias. Properly doing the work, accurately and completely presenting the facts, backing up your findings with appropriate research in the field and testifying as well as you can, on behalf of your client in court, is what is expected of anyone who says they are an “expert.”
Wednesday, October 29, 2008
Some unscrupulous street vendors were quite happy to sell the unsuspecting a cat in a bag, rather than the expected suckling pig. Hence the term, don’t buy a pig in a poke, or caveat emptor; let the buyer beware. This was also the origin of the term to “let the cat out of the bag.”
Now that we have that bit out of the way, let’s talk about the opposite of my previous post: coming into possession of a used computer rather than disposing of one.
There are lots of ways to get a used computer: from a store that sells used computers, Craigslist, the newspaper want-ads, a family friend, your company, or even out of the dumpster I suppose. The point here is that, unless you know the computer was cleaned up, how can you be sure that what you are buying does not contain contraband of some sort?
And how do you know if the computer was cleaned properly, effectively destroying all data from the previous owner? I know that if I come into possession of a used computer, the first thing I do is forensically wipe the entire hard drive and then reinstall the operating system and applications.
There is no way I want to have anyone else’s stuff on a machine that I own.
I am not against used computers, since they provide an economic way to purchase computers that might otherwise be out of reach for consumers, but the reality of it is that many times that used computer was not cleaned up properly and in effect you are buying a pig in a poke.
It’s worse than that, since you can’t tell by simply “opening the bag”, i.e. browsing the files on the hard drive, since you cannot see deleted files without special software. And many of the people who purchase these used computers do not have the minimum level of skills needed to even check things like the internet history folders.
My advice if you are considering buying a used computer is to make sure that you get the operating system and application CDs, or better yet, if it is a brand name like a Dell or Gateway, get the original system restore CDs. Then when you get home, perform a full destructive restore on the computer.
That will at least give you some confidence that the computer is now as clean as you can make it.
Monday, October 27, 2008
Have you ever wondered just how much your computer repair guy knows about you?
Did you know that when you drop off your computer at the repair store, you are giving up your expectation of privacy? In other words, you are giving the computer repair people full permission to look at anything in your computer. And if they decide to reveal something they find, there probably isn’t much you can do about it.
When you turn your computer over to a computer store, the employees are members of the public, and with your permission you are giving them access to your computer information.
Let me give some specific examples of what I mean by giving permission, whether you mean to or not:
You take your computer to the repair shop to get your email fixed. When you do this, you are giving tacit permission for the repair shop to test your email account to make sure it is working. How else would they know if they fixed it? In the process of testing your email account, they are going to send and receive emails, and possibly open emails to make sure everything is ok. If they reveal something that they see in your email to a third party, you probably can’t do anything about it, since you gave them implicit permission to view your email.
You take your computer to the repair shop because it is running slow and ask them to check it out. In the course of doing so, they review your files and locate contraband. The next thing you know, when you arrive to pick up the computer, the police are standing there waiting for you. Guess, what? You gave the computer shop permission to examine your computer, and if they found something suspicious, you have lost your expectation of privacy.
You ask your local repair shop to install an upgrade of your financial software. In the process of testing the upgrade, they open your financial files, revealing your bank account information, check register, transactions, payment history and so forth. If you did not specifically tell them not to open your financial files in the process of installing the software, chances are you lost your expectation of privacy.
Check out this court decision for more information on how this can be viewed:
Other ways you can put your information into the public arena:
You have the hard drive in your computer upgraded to a new larger hard drive. When you get to the shop to pick it up, the computer shop gives you the old hard drive and you subsequently give it away or toss it in the trash. Under the legal concept of abandonment, you have no expectation of privacy for anything on that hard drive.
You work at a company that has a computer usage policy that says you are not allowed to use the computer for personal use, including personal email. The policy says that your computer is subject to inspection by the company. The company inspects your computer at some point and locates e-mails from your private Yahoo mail account in the internet cache. You would not have an expectation of privacy for those emails, even though you did not know they were in the internet cache.
You install Limewire on your computer and allow sharing of your downloaded files with others. After all, you want to be nice about it and participate in the network. Once you do that, you have opened your computer to the public and it is no longer protected from inspection by pretty much anyone. Especially the police who may be monitoring traffic on the Limewire network through Operation Fairplay.
Even more ways to give your information away:
By tossing a bunch of old floppy disks, backup tapes or CDs into the trash.
Giving your email password to a computer person to fix your email and not changing it after they are done.
Giving anyone your network password, even your corporate IT support person and not changing it later.
How can you protect yourself?
If you run a large or small business and you use a computer service company, have them sign a non-disclosure agreement.
If you must take your computer in for repair, take a written note outlining exactly what you want done and restricting access to anything else on the computer. Have them sign it in your presence and get a copy.
Of course the simplest way to protect yourself would be to make sure you don’t have any personal information on your computer. Of course, in order to do that, you probably shouldn’t use one, since, no matter what, you probably have something on there that is personal and private, even if it is only your email.
Tuesday, October 21, 2008
Based on the article, this illustrates exactly the kind of information that you do not want. It is full of misinformation. The author confuses forensics and anti-forensics. The author then goes on to say that forensics software is what you need to keep your computer running at its best.
I especially like this little bit of wisdom, "This kind of software is prefect for just about everyone, and that is why it is on the rise on the internet. People want to be able to take control of their computers, not the other way around. This is software that can help you do that."
Also, the author does not mention any actual forensics software such as Encase, FTK, Winhex, or any of the other major software for computer forensics.
I suspect the author has never actually seen any forensic software, much less used or tested any of it.
Being the curious sort that I am, I went to the author's site and found even more misinformation.
For someone who purports to write about forensics and forensics software, perhaps the author should get some real information. Or at least learn to check the facts.
Sunday, October 19, 2008
Computer forensics can be broadly broken into three areas: Live forensics, post-mortem forensics and e-discovery.
Live forensics, which goes by the moniker incident response or network forensics, is about responding to a breach of security in an operating network or computer and capturing data for forensic analysis from that environment “live”.
A subset of live forensics is the capturing of data from an operating computer to preserve “volatile” data: data that disappears when the computer is turned off, such as the content of the computer’s memory, the part of the computer that temporarily stores information for use during that computing session. Memory should not be confused with storage.
But in general live forensics deals with capturing data about a network intrusion or internal security breach.
To properly perform incident response work, aka live forensics, the analyst must have an excellent knowledge of network security, OSI layers, intrusion methods, data leakage, and network operating systems. Your purpose in the majority of these types of cases is finding out where a network is compromised, halting the attack and documenting the method and type of attack for possible legal action.
Incident response is the purview of network security professionals and anyone wishing to get into this field should obtain education and training in the various network security specialties.
Post-mortem computer forensics is performing a data autopsy on a “dead” system. Dead in this case meaning a computer that has been powered down, not that the computer is broken.
In the case of post-mortem computer forensics, the focus is on data recovery and analysis of stored information that resides on the computer hard drives or other types of permanent storage devices.
Post-mortem computer forensics is probably what most people have in mind when thinking about computer forensics. This is the kind of stuff you see in a lot of criminal and civil cases that involve the recovery of documents and emails and such that are used to establish user activity as it relates to a divorce or a child pornography or theft case. Post-mortem forensics figured prominently in the Scott Peterson, BTK killer, Neil Entwistle, Julie Amero and the Michael Jackson cases to name just a few.
Production of recovered e-mail, internet searches, internet maps and other information were used in these cases in some form or another.
E-discovery is another field of computer forensics that involves capturing and analyzing large amounts of data, mostly in large cases involving dozens to hundreds of computers. The focus of e-discovery is the production of relevant documents more than the recovery of deleted or hidden data. In an e-discovery case, there may be thousands of documents that must be tagged, indexed and checked for proper disclosure prior to allowing the production to be seen by either side to protect attorney-client privileges.
In many cases, improperly exposing documents that have not been reviewed has not prevented them from being entered into evidence.
E-discovery tends to be very expensive and requires specialized software to capture the documents and to then analyze, sort and produce those documents for the parties involved in a manageable form.
One of the current trends is to outsource e-discovery to off shore firms in India to reduce the costs of these types of analyses. That in itself presents some real challenges to litigators and should be approached with caution.
So there you have three major divisions of computer forensics, each a specialty in its own right, requiring unique tools and skills for the analyst.
Thursday, October 9, 2008
I cannot stress strongly enough that you must resist the temptation to take a quick look. That is a violation of the first and most important rule in forensics: Do not modify original evidence. Poking around in the computer or loading up the media card, etc. is going to put the original evidence at risk.
And since I have to prepare a report of the evidence handling, sometimes in an affidavit, I like to be able to say that no one tampered with the evidence, especially not the attorney. Jeepers.
And don't let the family or the local computer guy touch it either. The bane of forensic computer experts is the local computer guy or the corporate IT consultant. They know not what they are doing when they mess with the computer!
They do not have a clue how to protect the evidence and they REALLY do not know how to make a complete copy of a hard drive or any other piece of electronic data.
And if you let them play sleuth, you are going to put your entire case at risk.
Operating a computer for any reason changes and destroys evidence if it is not handled forensically.
You wouldn't let the local high school lab work with the DNA evidence before you send it to a real DNA lab would you? I hope not.
It is the same thing. Computers are like a huge chunk of DNA and are just as easy to contaminate by mishandling.
Case in point: I am working on a capital murder case where the family got the computer before anyone had a chance to forensically image it. What did they do?
They took it to the local computer guy to get a copy of the hard drive.
But another attorney picked it up and said he would handle the copying.
Lo and behold when the computer gets back to the original owner, the drive is blank.
What does he do? He downloads some Linux rescue CD or something and tries to recover the data on the drive on his own.
Now I step in as the retained expert and will have to deal with this.
Does it make my job impossible? No. Does it jeopardize the evidence in the case? Tremendously. Will it be a lot more expensive for me to get my work done now? Yes.
Please don't be penny wise and pound foolish. Get the evidence to a computer forensic expert first. It will cost you a lot less in the long run if you have to retain one later and he or she has to undo all the work someone else did, not to mention the missing evidence that was destroyed and new evidence that was added because of operating the computer.
And the cost to forensically copy the evidence will be the same anyway.
A computer is like a digital crime scene all by itself. It can contain a vast amount of information. Stomping around in the crime scene is a bad idea. That's why they don't like it when people stomp around in a physical crime scene. It destroys evidence and adds evidence. Never a good situation when trying to collect and analyse evidence.
My understanding of debate is that each team, if you will, picks a different side of a subject and presents an argument in support of their side and a rebuttal of the other side's argument. I am trying to find where this exists in any political debate where answers are never answers but are deflections, attempts to defame the record of the other side and dilute any true argument on the merits of the core issues.
So, I propose we get rid of the debate format, and have it set up like this:
Each candidate gets to be both the plaintiff and defendant for each question in turn. And they are directly, then cross examined by a prosecuting attorney and a defense attorney for each question.
They are never allowed to respond to the "testimony" of the other candidate, but must state their case via examination by the attorneys on the question at hand.
Time limits would still be imposed, and would be enforced.
I can see it now:
Senator Obama, is it a fact that you voted no for the "save the pink pygmy salamanders bill" in 2006?
Yes or no, Senator.
Senator McCain, is it true you voted against alternative energy bills 5 times in your career in Washington?
Let me put that in perspective.
Yes or no, Senator.
Senator Obama, can you explain to the American people exactly what your economic plan is for bringing the country out of the current crisis?
Well, blah blah, and blah and we have to blah, blah.
Senator Obama, does your plan include raising taxes on businesses?
Yes it does.
And what percentage would the new tax rate be?
Um, well that is to be determined.
So you don't know what rate you plan to tax business?
That hasn't been decided at this point. We will need to perform studies and...
Senator Obama, would it be fair to say, you have no idea how much you plan to raise taxes on business?
No, I don't think so.
So, you do know how much you will raise taxes on business then?
I didn't say that...
That's right Senator, you DIDN'T say that did you? You said you have no idea.
I said we need to study the issue more.
Isn't that just a way to cover up the fact that you don't know?
I'm not covering up anything.
So you are willing to admit then that you don't know what the tax rate will be?
Yes, Um No, I don't know what the tax rate will be.
So would it be fair to say Senator that you can't predict with any accuracy the effect of a tax rate increase on business in the US and on the economy since you don't have a number for the rate yet?
Yes, it would.
Thank you Senator. No further questions on this topic.
Senator McCain, You have repeatedly said in statements to the public that you would lower taxes. Is that a fair representation of your statements?
Yes, it is.
Senator McCain, considering the current deficit, and the just announced 850 billion dollar bailout, how do you propose that it makes any sense to cut taxes and still bring down the deficit?
Well, I have said many times that cutting business taxes is the only way to encourage investment by companies in areas that will create jobs.
Senator McCain, can you tell us exactly how many jobs will be created based on each percentage you lower taxes for business?
Well, we haven't gotten to that level of detail at this point.
So, Senator, the answer is you don't know. Is that correct?
We have good indicators that lowering taxes on business creates jobs.
How many jobs would that be in your plan Senator?
We are still working on the projections at this point.
So, you don't know then. Is that correct?
Thank you Senator. No further questions on this topic.
Now wouldn't that be a lot more fun than watching the candidate always resort to, "well he voted on this, blah blah, and he said this, blah blah."
How about some real answers to some real questions?
How about taking some responsibility for their actions and just getting on with it?
How about showing some real leadership for a change?
“Browser hijacking is a real phenomenon, which can become manifest through unwanted pop-ups, new ‘favorites’ that a user cannot delete, a new home page, and other forms of loss of control over one’s computer. At the same time, browser hijacking is not always responsible for the presence of unwanted spy ware and other malware. A common culprit for the transmission of these viruses is the downloading of otherwise innocent material such as games or news from disreputable Websites that infect users’ computers with spy ware and viruses, and that, in certain cases, direct users to illegal or sexually explicit Websites.”
As the article states this has been offered as a defense in cases involving contraband such as child pornography and also in wrongful termination cases involving surfing pornography while on the company computer.
The issue is that while it seems logical and should be apparent that this kind of thing can happen to the most innocent of users, juries have been decidedly less than receptive to this as a defense.
In order to mount this as a defense, it must first be established that a browser hijacker existed and was active at the time the images were downloaded. This can be difficult if the computer was subsequently cleaned up by anti-virus or anti-spy ware software. If the program doing the cleaning kept a log of what was cleaned and when, then clues can be obtained from those logs. Sadly, a lot of these programs do not keep a history of what they did.
The second and most effective challenge to this as a defense is the existence of Typed URLs. A moment to explain: The address that you type into the box at the top of your browser to go to a web site like www.yahoo.com is called a URL or Uniform Resource Locator. In common terms we call this the web site address. In truth it is a human language nickname for the real address of the web site. For instance, if I said I wanted to go see someone, I would say I was going to Bob Smith's home at 110 Cherry Lane. I can understand that and even get there if I know the way. But if I type that address into my GPS it does not see it as 110 Cherry Lane, it sees it as a set of GPS coordinates like 4.567, 123.444. The same thing happens when you type www.yahoo.com into your browser address box. The computer sees that as a string of numbers that is the real address of the server providing yahoo.com's web pages to you, such as 126.96.36.199 (The real address for yahoo.com.)
Okay, now that you understand that what you type into the address box is a way for humans to remember web page addresses, (who would want to have to remember 188.8.131.52) it is important that you understand a couple of other things. How does www.yahoo.com become 184.108.40.206?
Out there in the world there are things called DNS servers. DNS stands for Domain Name Service. What the DNS server does is have a big table that matches names with actual addresses, so that when you type in www.yahoo.com, your browser (Internet Explorer or Safari or Mozilla, etc.) asks the DNS server to tell it where www.yahoo.com really is. The DNS server looks at its table, matches www.yahoo.com to the address 220.127.116.11 and then tells the browser to ask that server for web pages. It works just like a giant phone book that matches Bob Smith with his phone number so you know what number to dial to talk to Bob.
Now, back to Typed URLs and why they are so pesky in this type of defense:
Just like the name implies, Typed URLs are the addresses that you the computer user types into that address box. Secretly in the background, Microsoft Windows records those in a place you can't see unless you know where to look.
When the computer hard drive is examined for evidence, that is one of the first places a forensics expert will look to see if the user was actually typing in addresses for bad sites.
But there is one way this can actually help you; if a Typed URL is a slight misspelling for a legitimate site that sent you to a porn site, then you have some evidence that can help you.
For a long time the address www.whitehouse.com was a major porn site. There is no telling the number of innocent people who went there looking for www.whitehouse.gov (the real address for The White House). Who knows how many elementary school kids got an eyeful trying to research their homework.
Another common trick of the porn industry and insidious web sites that like to infect your computer is the old misspelling trick. A lot of these have been shut down now thankfully. For instance, if you wanted to go to www.microsoft.com but you are a poor typist like me and tend to type in www.microfost.com, you would have gone to a porn trap site.
If these common misspellings or mis-addresses show up in your Typed URL records on the computer, you have some evidence that you did not intentionally go to a porn site.
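The check described above, written out as an added example (not the author's own tooling): it parses a constructed export of the Windows TypedURLs registry key, compares each typed host against a short list of legitimate sites, and flags the near-misses (such as a one- or two-character misspelling) that the post says can support an innocent explanation. The key path is the real Internet Explorer location; the url entries and the list of known-good sites are invented for this example.

```python
"""Flag typed addresses that look like near-misses of legitimate sites.

Parses a .reg export of HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
and scores each typed host against a list of known-good hosts with edit distance.
"""
import re

# Constructed sample export. The key path is the real TypedURLs location;
# the url1..url4 values are invented for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs]
"url1"="http://www.microfost.com/"
"url2"="http://www.whitehouse.com/"
"url3"="http://www.yahoo.com/"
"url4"="http://news.example.org/today"
'''

# Hosts the examiner treats as legitimate (constructed list for the example).
KNOWN_GOOD = ["www.microsoft.com", "www.whitehouse.gov", "www.yahoo.com"]

_VALUE_RE = re.compile(r'^"(url\d+)"="(.*)"$')


def parse_typed_urls(reg_text):
    """Return [(value_name, url), ...] ordered url1, url2, ... as IE stores them."""
    entries = []
    for line in reg_text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    entries.sort(key=lambda e: int(e[0][3:]))
    return entries


def hostname(url):
    """Strip scheme, path and port; return the lower-cased host part."""
    host = re.sub(r'^[a-z]+://', '', url.lower())
    return host.split('/', 1)[0].split(':', 1)[0]


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify(url, known_good, max_distance=2):
    """('exact', host) | ('near-miss', host, closest, dist) | ('other', host)."""
    host = hostname(url)
    if host in known_good:
        return ('exact', host)
    closest = min(known_good, key=lambda k: levenshtein(host, k))
    dist = levenshtein(host, closest)
    if dist <= max_distance:
        return ('near-miss', host, closest, dist)
    return ('other', host)


def near_misses(reg_text, known_good=KNOWN_GOOD):
    """List (value_name, typed_url, closest_legitimate_host, distance) for near-misses."""
    found = []
    for name, url in parse_typed_urls(reg_text):
        result = classify(url, known_good)
        if result[0] == 'near-miss':
            found.append((name, url, result[2], result[3]))
    return found


if __name__ == "__main__":
    for name, url, closest, dist in near_misses(SAMPLE_REG_EXPORT):
        print(f"{name}: {url} looks like a misspelling of {closest} (distance {dist})")
```

A real examination would export the key from the user's NTUSER.DAT hive rather than a live system, and the known-good list would be built from the sites relevant to the case.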
Raising this as a defense is tricky and takes a considerable amount of skill to pull off. Not only technically, but also in front of a jury who will need a lot of verbal hand holding to understand it.
But no amount of skill or trickery will convince a jury of evidence you cannot prove. Like the Trojan Horse defense, this shifts the burden of proof from the prosecution and places it squarely on the shoulders of the defense.
There are other factors to consider as well in defending these cases, too many to go into here. But they all must be considered, weighed and presented to the defense attorney as part of the job of the forensics consultant.
No slight to attorneys in any way, but many of them are new to this type of evidence and the implications of same, and depend on the forensics consultant to make sure they understand what they have to work with and what the challenges will be in mounting such a defense from a technical standpoint. If there is one to mount at all.
Wednesday, October 1, 2008
Can digital forensics be defeated? The short answer is, yes it can. But it is harder to do than most people think.
You probably have seen or even use one of the privacy programs out there, that advertise to completely remove your Internet browsing tracks or evidence of your computer usage.
While that seems really cool, the reality of it is that these products work, but with caveats.
While one may be good at removing your Internet history from the time you start using it, they typically do not go back and remove older history from the computer. Some do this, some do not.
They also claim to wipe out your tracks in other areas, including wiping the deleted files from your computer. The ones that have this feature do a good job of it.
The reality of it is that most people who use these products are more interested in hiding their actions from their spouse or employer than from a forensics examiner. Simply because few people believe that their computer will ever be subjected to an examination by a computer forensics expert.
So while they do a good job of hiding your activities from your spouse or boss, they are not a cure all if you get your computer seized by police or taken in a civil case via subpoena.
So let's talk about what happens in real life when it comes to trying to defeat digital forensics:
1. Some of these tools actually create a log of their activities that details exactly what they wiped and when, including file names.
2. What the tools actually remove varies widely in success rate and is dependent in many cases on the options set by the user.
3. Wiping the unused portion of the hard drive takes a long time and few users have the patience to do it regularly.
4. None of these tools is 100% effective in wiping out all forensically useful data. You simply can't do it and still have an operational computer.
5. The average computer user is just as lazy about keeping their computer clean using these tools as they are about maintaining the security of their passwords.
The only way to completely defeat a forensics examination is to completely overwrite the entire hard drive with data such as 1s or 0s. This takes a long time, requires the use of wiping software and renders the computer inoperable until you completely reinstall the operating system. Very few people are willing to go to this extent to cover their tracks or are even aware of how to do it. And it is obviously suspicious behavior on its own.
And of course, if law enforcement is knocking on the door with a warrant, this method is not going to work anyway.
I have examined quite a few computers that have had evidence erasing software used on them (not a complete overwrite mind you). In every case, I was able to recover valid information to use in the case.
For one thing, there are files created by Windows that these tools do not address that store user activity information that can easily be located by a competent forensics examiner.
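An examiner-side illustration of the points above (added example, not the author's own procedure): a partial wipe leaves sectors that are neither all 0x00 nor all 0xFF, and those sectors can still hold readable remnants such as URLs and file paths. The code builds a small constructed disk image, classifies each sector, and pulls printable strings out of the unwiped ones; the image contents and the 512-byte sector size are assumptions for the example.

```python
"""Find unwiped sectors in a disk image and list readable remnants in them."""
import re

SECTOR = 512  # assumed sector size for the example


def build_sample_image():
    """Constructed 8-sector image mimicking a partial wipe: some sectors
    zeroed, some overwritten with 0xFF, some still holding old data."""
    zero = b'\x00' * SECTOR
    ones = b'\xff' * SECTOR
    leftover = (b'Visited: http://www.example.com/old-page.html\x00'
                b'C:\\Users\\owner\\Documents\\letter.doc\x00').ljust(SECTOR, b'\x00')
    # pseudo-random filler: never forms a printable run of 8+ bytes
    random_like = bytes((i * 37 + 11) % 256 for i in range(SECTOR))
    return zero + zero + leftover + ones + random_like + zero + ones + leftover


def sector_state(chunk):
    """'zeroed' / 'ones' for a fully overwritten sector, else 'data'."""
    if chunk == b'\x00' * len(chunk):
        return 'zeroed'
    if chunk == b'\xff' * len(chunk):
        return 'ones'
    return 'data'


def scan_image(image, sector=SECTOR):
    """Return (per-sector states, [(sector_no, printable_string), ...])."""
    states, strings = [], []
    for offset in range(0, len(image), sector):
        chunk = image[offset:offset + sector]
        state = sector_state(chunk)
        states.append(state)
        if state == 'data':
            # runs of 8+ printable ASCII bytes, the usual 'strings' heuristic
            for s in re.findall(rb'[\x20-\x7e]{8,}', chunk):
                strings.append((offset // sector, s.decode('ascii')))
    return states, strings


def wipe_summary(image, sector=SECTOR):
    """Count wiped vs. unwiped sectors and collect remnants from the latter."""
    states, strings = scan_image(image, sector)
    wiped = sum(1 for s in states if s != 'data')
    return {'sectors': len(states), 'wiped': wiped,
            'unwiped': len(states) - wiped, 'strings': strings}


if __name__ == "__main__":
    summary = wipe_summary(build_sample_image())
    print(f"{summary['unwiped']} of {summary['sectors']} sectors still hold data")
    for sector_no, text in summary['strings']:
        print(f"sector {sector_no}: {text}")
```

On a real image the same scan runs over a read-only copy of the evidence, never the original drive.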
On the other side of the coin, a very savvy computer user can completely defeat any type of forensics examination and freely commit all kinds of skulduggery without fear of being caught by an examination of their computer and without using any of the tools mentioned here or wiping the hard drive on their computer.
I know how to do it and I am sure others do as well. But I am not going to tell anyone, especially not in this blog. My apologies to those budding criminal masterminds out there.