Saturday, January 31, 2009

Talk Forensics - My New Radio Show

I am launching an internet based radio show, "Talk Forensics."  Each show will feature an expert in one of the many fields of forensics.  Listeners will be able to ask questions of the guest expert either by calling in to the show or by using the chat box at the show web page.

I will also have as guests, members of law enforcement and attorneys.

To listen to the show, you will need to go to Blog Talk Radio and register as a user.  Then you can listen to any of the hundreds of radio shows available, including mine.

To get to my show, you will go to Talk Forensics Radio.  That will take you directly to my show page.

The show airs each Sunday afternoon at 4PM Eastern time.

Some of my upcoming guests are:

Dr. Michael Baden of the HBO series Autopsy.  Dr. Baden is probably the most well known forensic pathologist in the country.

Dr. Lawrence Kobilinsky, of the John Jay College of Criminal Justice.  Dr. Kobilinsky has appeared many times on the Nancy Grace show and the Discovery Channel.

Mickey Sherman, author of "How Can You Defend Those People?"  Mickey was recently on the Dr. Phil show and appears often on Fox News and CNN.

Dr. Nathan Strahl, MD and Forensic Psychiatrist and author of books on forensic psychiatry.

Mike Craig, an expert in the training and handling of cadaver dogs and rescue dogs.  Mike trains and donates dogs to law enforcement agencies all over the US.

Hunter "Gator" Glass, a well-known gang expert who has appeared on Nancy Grace and the History Channel and has consulted for the military and law enforcement on gangs.  Hunter is also a forensic artist and received training at the FBI Academy's forensic art school.

Ben Levitan, a communications expert who holds patents in wireless communications and worked on the committee to write the standards for cell phones and wiretapping.  Ben has appeared on Nancy Grace as an expert and also on other television and radio shows.

Monty Clark, President of the NC Association of Private Investigators.  With over thirty years of experience in private investigations, Monty is a wealth of knowledge about this field.

Those are just some of the guests I have lined up with more to come.

I will be airing a pre-launch show tomorrow at 4PM.  I will not have a guest, but you are welcome to join in and help me to iron out any bugs prior to our official launch next week.

Since I will not have a guest, I will be taking questions in my specialty, computer forensics.

Got a question you want addressed on the show?  Send it to me and I will make sure it gets asked, even if you can't tune in live.  Then you can hear the answer later via the podcast.

Talk to you then!

Wednesday, January 28, 2009

Man finds U.S. military secrets on secondhand MP3 player

This is the kind of thing I wrote about in an earlier post. Scary, ain't it?

Article Link

This is what we in the forensics and security fields would call "data leakage." It is easy for this to happen, and hard to prevent, even for the military it seems.

Cell Phone Features I Would Like To See

I want my cell phone to have a GPS unit that automatically allows me to call nearby businesses when I search for a particular kind of business.  So, I should be able to look up a category, have the phone find the nearby businesses and then when I select one, I should have the option to call that business.  Wouldn't that be handy?

I want my cell phone to be hooked into the latest phone book for whatever location I am in so I can look up a business by name and location and call that business.  Without having to go through my browser or call 411.

I want an emergency button on my phone that I can press that will automatically call police and give my name and location.  And I want it to ping them until they find me, even if I am moving. (i.e. kidnapped)

I want cell phones to have a universal language, like the old Hayes Command Set that will let me talk to any phone using the same commands.  (Yes, I want my forensics to get easier without having to buy so many expensive products.)

Those are features I would like to see in my cell phone.  I bet you have a few too.

Wednesday, January 21, 2009

Internet Predators - The Entrapment Defense

My standard disclaimer:  I am not an attorney, and whatever I say about legal matters is my opinion and should not be considered legal advice in any way.

A ruling on appeal in the Guilford County, NC Supreme Court, which appeared in the January 12th edition of North Carolina Lawyers Weekly, caught my eye.

The ruling was on whether or not the defendant should have been granted jury instruction on entrapment by the judge during his initial trial.

What stands out in this ruling is how the court viewed his right to have the jury given instructions on entrapment.

First let me quote the court's definition of entrapment:

"The essence of entrapment is the inducement by law enforcement officers or their agents of a person to commit a crime when, but for the inducement, that person would not have committed the crime.

A clear distinction is to be drawn between inducing a person to commit a crime he did not contemplate doing, and the setting of a trap to catch him in the execution of a crime of his own conception.

Because of its significance in determining the origin of the criminal intent, when the defense of entrapment is raised, defendant's predisposition to commit the crime becomes the central inquiry.

The defendant's burden to produce credible evidence of entrapment serves to prevent him from obtaining instructions on defenses supported by mere conjecture or speculation but is not intended to be so rigorous as to keep the jury from receiving instructions on and deciding defenses for which supporting evidence exists.

Defense argues that his lack of a history of such conduct, along with deputies' failure to find any evidence of child pornography or prior chats with minors upon their search of defendant's residence, raises the inference that defendant lacked predisposition.

In the absence of evidence tending to show both inducement by government agents and that the intention to commit the crime originated not in the mind of the defendant, but with law enforcement officers, the question of entrapment has not been sufficiently raised to permit its submission to the jury.  Where a defendant has not met this initial burden of production, the state need not present any evidence regarding predisposition.  Thus, it is the defendant's burden to produce some credible evidence of lack of predisposition."

Here is the kicker:

"A trial court may properly refuse to instruct a jury on entrapment when the defendant required little urging before acquiescing to requests by undercover officers."

Basically what the court is saying is that not having any evidence of prior offenses involving children and the absence of any type of child porn or child erotica is not enough to claim lack of predisposition by itself.  What got the court to rule against this defendant was the fact that he had prior chats with adults of a sexual nature and arranged to meet with another adult for sex.

Additionally, the defendant admitted to having had prior sexual conversations with persons who claimed to be underage.  Couple that with the fact that the defendant did not appear to have any problems talking with the undercover officer, who stated several times during the chat that "she was a 14-year-old high school student and a virgin... The defendant took the more active role in their conversation and in planning their meeting."

Entrapment is about two things: intent and predisposition.  Was the defendant predisposed to commit a crime based on prior behavior and actions, and did the defendant intend to commit a crime that he conceived in his own mind?

The inference of lack of predisposition cited here, based on law enforcement's failure to find any prior history of crimes related to children when they searched his home, supported only one prong of the defense.  And that support crumbled when the defendant admitted to having had sexual conversations with other adults on the internet before this, coupled with his admission that he had had sexual conversations with minors prior to this offense, even though no record was found to support it.

The second prong broke because he did not show any signs of concern about the offense he was committing even when he was told explicitly that the person he was chatting with was an underage female.

You can look at that like a tug of war.  Who is pulling harder on the rope over the length of the contest?  The officer or the defendant?

As you can see, the entrapment defense is difficult and tricky and the burden of proof lies squarely on the shoulders of the defense.

Sunday, January 18, 2009

MMORPG - On Line Game Forensics

MMORPG - Massively Multiplayer Online Role Playing Game.

As you can see, that is a mouthful, so most people shorten the full moniker to the acronym, MMORPG. So, what about online game forensics?

Why is game forensics important, and why should it not be overlooked? Online games have reached a level of popularity that means you will more than likely encounter this type of evidence in a case at some point. World of Warcraft alone claims millions of subscribers. And that is just one game out of literally dozens of online game titles.

A little background for those who don't play games online. MMORPGs are just one flavor of the many types of online games. MMORPGs include such games as World of Warcraft, Sims Online, Everquest, Everquest 2, Second Life, Age of Conan, Hello Kitty Adventure Island, and many, many more.

However, that list does not include other types of on-line games such as Party Poker, Red Baron, Call of Duty, Enemy Territory, Quake and so many others, I cannot begin to list them all here.

My point is that most of these can be sources of valuable forensic evidence if you know to look and know where to look.

For the purpose of this blog, I am not going to go into the technical details of where to look. I will tell you what you can find, however, and how it can be useful from an evidentiary standpoint.

Most of these games keep logs of their activities. In addition to the automatic logs kept by the games, players will often keep additional log files by turning on in-game logging.

Many logs are created automatically by the games. I will use Everquest 2 as my example. Everquest 2 keeps a log for every time it is started, when it updates, and makes notes when it closes a game session.

In addition, inside the files in the program directory you will find the names of the player's accounts and characters (avatars) that they play.

Everquest 2 also keeps a handy little file that captures the most recent commands sent to the game by the player. This is not something the player is aware of, since they have no control over it.

The majority of these automatically generated logs have date and time stamps in them, so even if the date and time of the file is changed by someone, the original time stamp may still be in the log for recovery.

Everquest 2 keeps a log of when the game was installed, when it was last logged in, and the session times. By analyzing all of the logs, you can determine play session times and dates.

If the player has turned on in-game logging, you have a treasure trove of information. In-game logging records everything the player types into the game, with time stamps, as well as everything anyone else in the game types in a message to the player.

By analyzing in-game logging files, you can determine dates and times of play sessions along with the length of time for each session.

And of course you get all the conversations the person had while playing the game, if they are using the game interface for chatting via the keyboard.

However, bear in mind that many players also use voice chat to talk directly to other people in the game using a microphone and headset. Those conversations you won't get.

People are people and when they interact with others, online affairs and other relationships can bubble up. Some people get addicted to these games and play them many, many hours per week. Sometimes to the exclusion of all else in their lives.

And in online games, the only representation you get of a person is their game avatar and their chats, whether text or voice. It is easy for a person to get attached to another's online persona. And that persona can be entirely made up to suit the person projecting it, for whatever reason they may have to do so.

Be aware that child predators also see these games as a place to groom potential victims.

Are you handling a case of child neglect? Could game logs show what the person was doing instead of caring for a child?

Could game logs reveal a connection to someone that will help solve a missing person case?

Can the presence of a game lead you to look for other information such as forum memberships and posts?

Data is everywhere. Not all of it is relevant. But the only way to know is to look. Don't overlook possible evidence just because it is a game.
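The session-reconstruction idea above (every log line carries its own timestamp, so play sessions survive even when someone changes the file's date) as an added example; this is not code from the original post, and the log format is constructed for illustration rather than Everquest 2's real format. It also handles the edge case the post hints at, a session that was never closed (a crash or a pulled plug), and answers the "what was the person doing at that time" question with a window query.

```python
"""Reconstruct play sessions from timestamped game-client log lines.

Added example (not from the original post).  The log format below is
constructed for illustration; it is NOT the real Everquest 2 format.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample log: client start/stop records plus chat traffic.
# The third session has no "session closed" record (e.g. the client crashed).
SAMPLE_LOG = """\
(2009-01-14 19:02:11) [client] started, version 1.0.0
(2009-01-14 19:03:40) [chat] Grom tells you, "raid at 8?"
(2009-01-14 19:03:55) [chat] You tell Grom, "on my way"
(2009-01-14 23:41:07) [client] session closed
corrupt line that does not match the format
(2009-01-15 02:10:00) [client] started, version 1.0.0
(2009-01-15 02:12:30) [chat] You say, "anyone up?"
(2009-01-15 07:58:12) [client] session closed
(2009-01-16 20:00:00) [client] started, version 1.0.0
(2009-01-16 20:05:00) [chat] You say, "crash incoming"
"""

LINE_RE = re.compile(r"^\((\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\) \[(\w+)\] (.*)$")


def parse_ts(text: str) -> datetime:
    """Parse the in-line timestamp (constructed format)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


@dataclass
class Session:
    start: datetime
    end: datetime          # last timestamp seen for this session
    closed: bool           # False when no "session closed" record was found
    chat_lines: int

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_events(text: str) -> List[Tuple[datetime, str, str]]:
    """Turn raw log text into (timestamp, category, message) tuples,
    skipping lines that do not fit the format (corruption, other output)."""
    events = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            events.append((parse_ts(m.group(1)), m.group(2), m.group(3)))
    return events


def build_sessions(events: List[Tuple[datetime, str, str]]) -> List[Session]:
    """Group events into sessions bounded by client start/close records.
    A start record while a session is still open implies the previous one
    ended abnormally; it is kept, flagged closed=False, with its last seen time."""
    sessions: List[Session] = []
    current = None
    for ts, category, message in events:
        if category == "client" and message.startswith("started"):
            if current is not None:
                sessions.append(current)
            current = Session(start=ts, end=ts, closed=False, chat_lines=0)
            continue
        if current is None:
            continue  # activity before any start record; nothing to attach it to
        current.end = max(current.end, ts)
        if category == "chat":
            current.chat_lines += 1
        if category == "client" and message.startswith("session closed"):
            current.closed = True
            sessions.append(current)
            current = None
    if current is not None:
        sessions.append(current)  # trailing session never closed
    return sessions


def total_playtime(sessions: List[Session]) -> timedelta:
    return sum((s.duration for s in sessions), timedelta())


def sessions_during(sessions: List[Session], window_start: datetime,
                    window_end: datetime) -> List[Session]:
    """Sessions that overlap a time window of interest (e.g. the hours a
    child was supposedly being cared for)."""
    return [s for s in sessions if s.start < window_end and s.end > window_start]


if __name__ == "__main__":
    for s in build_sessions(parse_events(SAMPLE_LOG)):
        flag = "" if s.closed else " (no close record; end time is last activity)"
        print(f"{s.start} -> {s.end}  {s.duration}  chat={s.chat_lines}{flag}")
```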

Internet Predators - Stupid is as stupid does.

Those immortal words of Forrest Gump could be the watch phrase of many people who do things most of us would consider to be, well, less than smart.

In the case of Internet predators, it is dead on the money.

I have Google alerts set up to send me an email whenever certain news stories pop up on the Internet. One of them is stories about Internet predators.

What is both amazing and frightening about that is the sheer number of these alerts I get every day and the variety of the people getting arrested: doctors, lawyers, mayors, police officers, priests, ministers, school teachers, dentists.

What does an Internet predator look like? Look around you, they could be anyone. Even your best friend or your kid's soccer coach.

Now I am not trying to alarm anyone by making that statement. It is truly a statement of fact, sad to say.

But on to the point of my post: Stupid is as stupid does.

What makes any man, and these are pretty much one hundred percent men being arrested, especially an older man, think that a young girl has any interest in having a sexual conversation with him over the Internet? Or even more ridiculous, that a thirteen- or fourteen-year-old girl has any interest in seeing some old guy's genitalia?

What pushes these people over the edge far enough to believe that these kids want to meet them for sex? Is it some kind of chemical imbalance? Have they lost all grip on reality?

What the heck are they doing in these chat rooms in the first place? Is there no oversight at all in chat rooms that should be a safe haven for kids?

Where are the parents? Oh wait, these guys are chatting with cops. Where are the cops' parents? (Ok, that was just to be silly.)

Back on a serious note, should chat rooms for kids be monitored? Personally, I think they should be. Force a pop-up that tells anyone entering a chat room for kids that they will be monitored. And then actually do it. Of course, kids being kids, they will find a way to get around these restrictions.

While law enforcement is doing a great job catching predators in these chat rooms, that is not going to help the child that gets caught up in one of these chats. While it may reduce the number of predators out there, it won't get them all.

The only real possibility for protecting kids on the Internet is parental supervision.

And that is all I have to say about that.

The Science and Art of Computer Forensics Part 2

If you missed The Science and Art of Computer Forensics - Part 1, you should, of course, read it first.

At this point I am going to backtrack a bit and talk some more about how a computer forensics investigation works.

If you need some background on what computer forensics is, please see my previous post, What is digital forensics?

Once a computer or other data storage evidence has been collected, it must be forensically copied and then analyzed.  There are specific steps that must be taken in every case to ensure that the evidence is properly handled, stored, and analyzed.

Now that the computer is in the hands of the computer forensics analyst in the lab, the analysis can begin in earnest.

What the analyst can search for on the computer has already been determined in the search warrant for the evidence.  Based on the parameters of the warrant, the investigating detective or the prosecutor may ask the analyst to search for specific keywords that may be relevant to the case.  These keywords are normally developed out of the investigation, either from other evidence or from witness statements.  They may also ask that the analyst focus on specific time periods surrounding the commission of the crime.

Items that normally come into play in many investigations are Internet history, keyword searches performed on the computer, email, documents, pictures and financial records, to name a few.  This is not meant to be an exhaustive list.

With the parameters of the investigation in hand, the analyst will open a new case in whatever software he or she uses for forensic analysis.  It will most likely be EnCase by Guidance Software, since they have the vast majority of the forensic software market worldwide.

(Note that I am skipping all of the copying, verification, hashing and other technical details that are not really needed for this article.)

Once the analyst creates a new case in the forensic software program, he or she will add the evidence to the case.  This puts everything into the forensic software program so it can be analyzed, and creates storage for the results of the analysis in the case-specific storage locations used by the lab.

All of this so far is still science.  No art involved.

The analyst will perform the searches and data recovery needed to find items relevant to the case, compile those facts into a report and present them to the investigating detective.  The detective at that point will present those findings to the prosecutor assigned to the case for review.

It may not happen exactly like that or in that order, but it will happen, as that information becomes part of the story that will be told to a jury.

What happens subsequent to that process is where the art comes in.  The prosecution will interpret those facts and include them in their version of what happened.  Not always, but in many cases, those facts will be used in a context that is favorable to the prosecution, independent of whether or not the context correctly supports the facts.

What did I just say?  Did that make any sense?  Let me illustrate:

In a capital murder case I worked several years ago, a woman was accused of conspiring with her paramour to murder her husband.  In this case, a search was performed on the key phrase "body bag."  This was used in the case to show that search hits for the phrase "body bag" came up over thirty times.  (I don't remember the exact number at this point.)

Now that sounds pretty ominous if left alone.  However, the search hits all came from a single eBay page.  Over thirty hits, but only one page, and only one search.  With no evidence that anything was purchased from those pages.  Couple that with the fact that the accused was a collector of medical curiosities and regularly searched on eBay for old medical devices.  Is that a relevant fact or a red herring?  It all depends on how you tell the story, and whether, as Paul Harvey would opine, you heard "The rest of the story."

What about more common terms like murder?  Have you ever searched for something that in your mind is completely benign until you begin to look at it from the standpoint of being accused of a crime?

Ever search for terrorism?  How IEDs are made?  Choking?  Ever searched on Google for information on a particular drug?  What about kidnapping?  Knot tying techniques?

All of those can be just something you want to know about and mean nothing more, unless you are suspected of a crime.  Then they can become an electronic witness against you.  Unless, of course, they are put into the right context.

How could you put something like that into the proper context?  By following your trail to the end and not just stopping when you see the tracks.  That is what an expert should do: make sure that the whole trail is followed to its logical conclusion so that facts can be presented in the correct context.  After all, two stories may ring of truth, but only one can really be the truth.

Saturday, January 17, 2009

The Science and Art of Computer Forensics - Part 1

I am putting a disclaimer right at the beginning of this post: I am not an attorney and everything I say about the legal system is solely my opinion.  I am over-simplifying in several areas so I don't get too technical.  If you really want to know about file systems, or computer forensics, I can suggest several excellent and boring books that go into painful detail.  I read them so you don't have to!

Your first question could be, "Why did he say that art and science thing backwards?"

When it comes to computer forensics, the science must precede the art.  I'll get to the art part in a little bit.

In order for there to be such a thing as computer forensics, certain scientific things must be in place:

A very clear understanding and definition of the structure and operation of data storage methods and media.

Until a device, such as a hard drive, has been designed and engineered to store data at an electro-mechanical level, and software has then been developed to manage that stored data, there is nothing available to either recover or analyze.

Prior to any data being available for recovery and analysis, hardware and software must be designed, input devices created and some method for determining how and when data will be stored and managed must be made available.

Today we call that conglomeration a computer.  Lest we get stuck in the paradigm of computers being a computer tower with a screen, a keyboard and a mouse, the most widely used computing platform today is probably the cell phone.  Nothing at all like a desktop or laptop computer.

How does all this relate to the science of computer forensics?  Let's begin at the beginning:

The first job of computer forensics software is to recover data that has been lost or obscured in some way: deleted data, hidden data, or data obscured through steganography or encryption.

The second job of computer forensics software is to locate data by allowing it to be found though various means:  Displaying all types of file formats, searching for relevant key words, displaying files inside of files (compression archives like a .zip file), email containers and the like.

The third job of forensics software is to re-build certain types of data by locating and restructuring it so it can be analyzed; data such as web pages, internet history and files that are only partially complete.

All of the above must be done, in a forensic sense, while preserving the integrity of the original data to ensure that nothing is accidentally changed by the software, which would render the evidentiary value of the data useless.

All of that is science.  Or to be more precise, it is hardware and software engineering.

With all of those tools at hand, a forensic examination of a computer or other device that stores data begins by finding facts.  Facts in this case that should be considered to be absolutes.  Does file A exist?  If it does, that is a fact.

Does a letter from subject A to subject B, written and stored on the computer hard drive, exist?  If it does, that would be considered a fact.

Now you may ask, if all of that science stuff can do all of that, where does the art come in?

If things were really that simple, there would be no art needed in computer forensics.  The reality is that simply establishing that a fact is present does not put that fact into context.

And when you begin to cross over into the legal system, context is everything.

A little about the interaction of computer forensics and the legal system: whenever the existence of a fact is in dispute, to the point where it must enter the legal system, it is because some party has been injured, or believes that they have been injured, by another party.

In the case of criminal law, the purpose is to establish beyond a reasonable doubt the identity of the injuring party, in order to subject them to the penalties of the law they have violated and to protect society as a whole from any further actions by the accused.

While we all want to believe that our system is there to provide justice for the victim, the real purpose is the protection of the public as a whole, not an individual.

In a civil case, the purpose is to prove by a preponderance of evidence, that the injuring party is in fact at fault and should be held responsible for their actions.

How does one go about proving their case?  Have you ever heard the expression, "There are always two sides to every story"?

Let's walk through the process together.  First of all, I am making this very simple to illustrate my points about computer forensics.  The actual legal system is extraordinarily complex.  That is why we all need attorneys who are schooled and skilled in the practice of law.

In any case, the process is similar from the standpoint that there are two sides to a story.  The story of the accused and the story of the accuser.

In a homicide case, the accuser is the state and the victim's story is told through the prosecutor, since the victim obviously cannot speak for themselves.

On the other side is the defense counsel who is the advocate for the accused and tells their side of the story.

Each side gathers all of the facts available in the case and develops a theory of what happened.  This theory is developed into a story that will be told to a jury to try and convince the jury that their story is the most accurate and therefore the jury should vote for their version of what happened.

In our system in the US, the prosecution always goes first because they bear the burden of proving that the accused is guilty beyond a reasonable doubt.  (Not beyond a shadow of a doubt, which is a common mangling of the phrase.)  Remember that in our system, the accused is innocent until proven guilty.  A little fact that seems to get lost by the bloggers and pundits out there that like to follow cases.

On a personal note, I find it disturbing that people will treat a criminal case like a sporting event, rooting for one side or the other, making horrendous remarks about people, (Yes, the accused is still a "people") and generally acting like jerks.  Sadly, that attitude and behavior is also present in our national news and talk shows.

As each side reviews the facts and evidence and formulates a theory that will become the skeleton upon which will hang their story, they rely on many different sources of information.  These sources of information are witness statements, timelines, crime scene evidence, statements by the accused, and forensic evidence.

Contrary to what you see on television, forensic evidence is not always as cut and dried as one would be led to believe.  That is why there are experts who work on both sides of a case.  The people who gather and analyze forensic evidence can and do make mistakes, in the gathering, preservation, analysis and presentation of the evidence.  Even when the forensic evidence is properly processed and presented to an attorney, be it the prosecutor or the defense, there is still the possibility that the counselor will not adequately understand the information being given to them, simply because the science is outside their area of expertise.  Attorneys are typically not experts in DNA or anthropology or gangs or computer forensics.

This is where the experts enter the arena in many cases.

To be continued....

Friday, January 16, 2009

Obfuscation - Challenging Computer Evidence The Wrong Way.

From our friends over at

I was reading an article the other day in Forensics Magazine by Don Lewis, a Forensic Computer Analyst with the Lakewood, CO Police Department, titled "The Hash Algorithm Dilemma – Hash Value Collisions."

What struck me was his telling of an experience he had while testifying in a case where the defense attorney asked him about this subject.

Try not to let your eyes glaze over as you read the following excerpt from the article:

"When I testified recently a defense attorney brought this subject up. The testimony went something like this.
Q. “Mr. Lewis, are you aware that the MD5 algorithm has been compromised?”
A. “Yes, I am.”

Q. “So, its use to authenticate evidence is no longer valid!”
A. “No, the use of the MD5 algorithm is still a valid function for authentication.”

Q. “Why is that?”
A. “There are multiple uses for hash algorithms. One is cryptography (encryption), another is identification, and another is authentication. In digital evidence forensics, we use hash algorithms for known file identification and evidence authentication, which differs from its use in encryption.”

The questions and answers went on while the eyes of the jury glazed over. At the conclusion of the trial, the jury provided feedback to the District Attorney, and indicated that this line of questioning got too complex for them to understand and did not seem relevant to the case being tried."

No kidding!
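Mr. Lewis's distinction between known-file identification and evidence authentication, shown as two separate functions; this is an added example, not code from the article or this post. The evidence image, the recorded digests and the "known file" hash set are all constructed here (real labs hash the raw acquired image and use published hash sets).

```python
"""Two forensic uses of hash functions, kept separate on purpose:
  * identification  - match file hashes against a set of known files
  * authentication  - confirm an acquired image still matches the digests
                      recorded at acquisition time
Added example; evidence bytes and hash set below are constructed.
"""
import hashlib
import io
from typing import BinaryIO, Dict, Tuple

# Most imaging tools record more than one digest; doing so sidesteps the
# "MD5 is broken" cross-examination entirely.
ALGORITHMS: Tuple[str, ...] = ("md5", "sha256")


def digest_stream(stream: BinaryIO, algorithms: Tuple[str, ...] = ALGORITHMS,
                  chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Read the stream once and feed every chunk to each hash algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(chunk_size), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes, algorithms: Tuple[str, ...] = ALGORITHMS) -> Dict[str, str]:
    return digest_stream(io.BytesIO(data), algorithms)


def verify_acquisition(image: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Authentication: does the image match the digests recorded at acquisition?

    A published MD5 collision is a pair of *new* inputs that share a digest.
    It does not let anyone alter an image whose digest has already been
    recorded; that would require a second-preimage attack.  Checking a
    second algorithm makes the point moot in court.  Returns per-algorithm
    pass/fail so the report can show exactly which digest matched."""
    current = digest_bytes(image, tuple(recorded))
    return {name: current[name] == value.lower() for name, value in recorded.items()}


def identify_known_files(files: Dict[str, bytes], known: Dict[str, str]) -> Dict[str, str]:
    """Identification: look each file's MD5 up in a set of known hashes
    (e.g. stock OS files to exclude, or known contraband to flag).
    Returns {filename: label} for the files that matched."""
    hits = {}
    for name, data in files.items():
        md5 = hashlib.md5(data).hexdigest()
        if md5 in known:
            hits[name] = known[md5]
    return hits


# --- constructed sample data -------------------------------------------------
EVIDENCE_IMAGE = b"\x00" * 512 + b"Dear diary, today I ..." + b"\xff" * 512
RECORDED = digest_bytes(EVIDENCE_IMAGE)        # in practice: copied from the acquisition report
TAMPERED_IMAGE = bytearray(EVIDENCE_IMAGE)
TAMPERED_IMAGE[700] ^= 0x01                    # a single flipped bit

KNOWN_GOOD_SAMPLE = b"notepad.exe contents (constructed stand-in)"
KNOWN_HASHES = {hashlib.md5(KNOWN_GOOD_SAMPLE).hexdigest(): "known-good: notepad.exe (constructed)"}

if __name__ == "__main__":
    print("original :", verify_acquisition(EVIDENCE_IMAGE, RECORDED))
    print("tampered :", verify_acquisition(bytes(TAMPERED_IMAGE), RECORDED))
    print("known    :", identify_known_files({"a.exe": KNOWN_GOOD_SAMPLE, "b.txt": b"?"}, KNOWN_HASHES))
```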

When I see examples like this, I am wondering if the defense attorney had the good sense to consult with an expert of his own. If he did and the advice he got was to use this line of questioning, then the attorney should make sure to drop the expert from his list of people to call.

The first thing that jumps out is that by asking this type of question, it appears the defense had no defense regarding the computer evidence in the case.

Attempting to obfuscate the issue is not going to endear you or your client to the jury. In fact, it is my opinion that it would only weaken your case. By the time the expert gets done answering this line of questioning, you have probably lost the jury for any further questioning regarding the computer evidence.

Of course, the alternative explanation could be that the defense attorney was attempting to discredit the prosecution expert by asking this obscure and irrelevant question. The danger in this is twofold: First, you had better know the correct answer if you are going to do this. Why? Because if the expert gets it wrong, you need to be able to demonstrate the correct answer if you plan to use this to discredit the expert's subject matter knowledge.

Second, if they get it right, as Mr. Lewis did, was it a gain or a loss for you?

I think this is dangerous ground unless you already have good reason to believe that you can discredit the expert's knowledge. Attempting to discredit the expert is, in my mind, the last thing you should do. Meaning, that you have no other avenue of challenging the evidence presented.

Maybe the defense in this case really had no defense for whatever computer evidence may have been presented by the prosecution. There is no way to know from the excerpt above.

Perhaps the strategy was to so confuse the jury regarding the computer evidence that they would ignore it in considering their verdict. Seems like a pretty weak strategy if you ask me.

Having testified in cases where complex computer evidence needed to be challenged and explained to a jury so they could use the information in reaching a verdict, I can tell you that the last thing you really want to do with a jury is obfuscate.

Unless of course, you have no other defense.

Tuesday, January 13, 2009

Parents - Time to talk to your kids about child porn.

These days, it's not enough to have to talk to your kids about drugs, internet safety, driving and all the other stuff that they are dealing with. Now you have to talk to them about child porn as well.

I have noticed an alarming trend in recent news reports regarding kids being arrested for manufacturing and receiving child porn: child porn that they are making and sending to their friends. In what has been dubbed "sexting", a play on texting, kids are taking nude or semi-nude pictures of themselves and others and sharing them with boyfriends and girlfriends via their cell phones.

Here are some recent articles about several kids getting arrested for this:

Teens face child porn charges in "sexting"

Teen Girl Faced Child Porn Charges for E-Mailing Nude Pictures of Herself to Friends -- Update

Two Teen Girls Face Child Porn Charges ... For Their Own Pictures

Police blotter: Teens prosecuted for racy photos

Those are just a few of the many recent articles about this. One article where a boy posted nude photos of his ex-girlfriend on his Myspace page was so offensive, I did not post it.

Now I am waiting to see if they are going to start creating public service ads in the vein of : This is your camera phone. This is your camera phone in federal court.

The bottom line is that we as parents need to help our kids protect themselves from themselves in areas we never imagined just a few years ago.

Friday, January 9, 2009

Twitter - Finally making the leap

Ok, so I downloaded TweetDeck and I am now actually communicating on Twitter versus just letting it auto feed my blog post titles.

I can't say that the interface for TweetDeck is terribly intuitive.  But once you start to get used to it, it is pretty neat-o.  Yes, I actually said neat-o.

Must Read Electronic Discovery Rulings

This is an excellent article on the recent rulings on Electronic Discovery that you should be aware of.

E-Discovery Rulings: 2008 in Review

Thursday, January 8, 2009

Linux tool speeds up computer forensics for cops.

This post is more technical than I normally like to put on this blog, but since someone asked the question, I am going to respond.

Dave Allen asked: “Did you ever make any comments with regards to the Linux tool speeds up computer forensics for cops?”

Linux tool speeds up computer forensics for cops

I read the article when it was published back in March of 2008. I did not comment then as I did not consider it to be of much consequence.

What they are talking about is basically a “live” preview tool for use by law enforcement officers. These types of tools have been around for quite a while.

The other reason I did not comment on it at the time is that I could not find a way to preview the tool or even a white paper on it. The best option would be to download and test it as I do with any interesting forensics tool I can find.

Here is a link to the school project page where you can see what little is actually listed about this software.

Click on the Image Preview System (SIMPLE) link in the table on the left side of the page.

The issue with the news article is in the title, “Linux tool speeds up computer forensics for cops.” That is simply a misstatement. What the tool is designed to do is let police preview a system on site to see whether there is any evidence that would require the computer to be seized and analyzed at the computer forensics lab. To the extent that it lets them exclude computers from forensic analysis, it can help reduce the backlog of computers sitting in the lab waiting to be analyzed, but it does not speed up the analysis process.

The tool does not address acquiring evidence or saving evidence for use in court at a later time. That is not its purpose.

On the practical side, even having such a tool offers only situational benefits when you consider that the process of previewing images on a computer can take hours. And having police spend hours at a site previewing images may not be the most efficient use of their time. Of course, they are only looking for a “first hit” scenario that shows the presence of contraband on the computer and not a full analysis.

Be aware that in order for the officer to use live preview software, he or she must be trained to properly boot the computer using the forensic environment boot CD. What you don't want to happen is for the officer on the scene to inadvertently contaminate the evidence by improperly handling the computer during the live preview process, leaving an opening for those pesky defense experts like me.

I am not sure of the laws down under so I cannot speak to the issue of warrantless searches there, but in the USA, considerable care must be taken by police not to illegally obtain evidence by fishing around on a suspect's computer even if they are using a forensically sound method.
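To make the “first hit” preview idea above concrete, here is an added example; it is not code from this post, from the SIMPLE project, or from any other tool named here. It walks a filesystem that has already been mounted read-only and classifies files by their leading bytes rather than by extension, so a picture renamed to .txt is still counted. The function names (magic_of, is_image, preview_images, count_images, demo_preview) and the sample files built inside demo_preview are constructions for this illustration only.

```shell
#!/bin/sh
# Added example: a minimal "first hit" image preview over a read-only mounted volume.
# Assumes coreutils (find, head, od, wc) as found on a Linux live CD.
# Mount the subject volume first, e.g.:  mount -o ro,noexec,nodev /dev/sda1 /mnt/subject
# (add ,noload for ext3/ext4 so the kernel does not replay the journal and write to the drive).

# Prints the first four bytes of $1 as lowercase hex with no separators, e.g. ffd8ffe0.
magic_of() {
    head -c 4 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}

# Returns 0 if the magic bytes of $1 identify a JPEG, PNG or GIF, 1 otherwise.
is_image() {
    case "$(magic_of "$1")" in
        ffd8ff*)  return 0 ;;   # JPEG: FF D8 FF
        89504e47) return 0 ;;   # PNG:  89 'P' 'N' 'G'
        47494638) return 0 ;;   # GIF:  'G' 'I' 'F' '8'
        *)        return 1 ;;
    esac
}

# Walks $1 and prints one line per image found: <magic> <size in bytes> <path>.
# Reads only; nothing is written into the tree being examined.
preview_images() {
    find "$1" -type f 2>/dev/null | while IFS= read -r f; do
        if is_image "$f"; then
            printf '%s %s %s\n' "$(magic_of "$f")" "$(wc -c < "$f" | tr -d ' ')" "$f"
        fi
    done
}

# Number of image files under $1: the figure an officer would note as the first hit count.
count_images() {
    preview_images "$1" | wc -l | tr -d ' '
}

# Constructed sample tree standing in for a mounted suspect volume (this is not real evidence):
# a JPEG, a PNG, a JPEG renamed to .txt, and a genuine text file. Prints the image count.
demo_preview() {
    dir=$(mktemp -d) || return 1
    printf '\377\330\377\340JFIF' > "$dir/holiday.jpg"
    printf '\377\330\377\341Exif' > "$dir/notes.txt"
    printf '\211PNG\r\n\032\n'    > "$dir/logo.png"
    printf 'just a text file'     > "$dir/readme.txt"
    count_images "$dir"
}

# Usage: sh preview.sh /mnt/subject
if [ $# -eq 1 ]; then
    preview_images "$1"
    echo "images found: $(count_images "$1")"
fi
```

The point of matching on magic bytes is that an extension-based search is trivially defeated by renaming; this check is not. The read loop splits on newlines, so a production tool would pair find -print0 with a null-delimited reader, and a real preview would also hash each hit against a known-file set, which is out of scope here.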

Issues and benefits of “live preview” boot CDs

I might as well address this as it seems to be the next logical question.

There are a number of bootable live Linux CDs available. Probably the most widely used is the Helix CD by E-fense. With the release of Helix 2008 R3, it is a lot more useful now. The older release was having significant trouble booting newer systems.

And that is the number one issue with live CDs. They will not boot every system due to the large variety of hardware configurations in computers.

The advantage of live CDs from a forensic standpoint is that you can perform anything from a simple image preview to a full analysis depending on the CD you are using. The Penguin Sleuth Kit, for example, contains Autopsy, the open source front end to The Sleuth Kit, which is designed to do forensic analysis.

What I normally use live CDs for is to acquire a forensically sound copy of a computer in the field. This is especially useful for laptop computers where it is very difficult to remove the hard drive from the machine. The downside is that depending on the age of the computer, acquiring a forensic copy of the hard drive can be very slow since you are using the hardware of the subject computer to do the processing.

Also, I always prefer to use a hardware based write blocking system to copy computer hard drives and only resort to live CDs in special circumstances.
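As an added example of the field acquisition described above (this is not the post's own procedure or any named tool's code), here is a shell script of the kind that would run from a live CD: it refuses to image a device that is mounted, sets the kernel's read-only flag on a real block device as a software write block, hashes the source before copying, images it with dd, hashes the image afterwards, and records both values so a later examiner can re-verify the copy. The function names, the .sha256 and .dd.log sidecar files, and the random 32 KiB sample drive built inside demo_acquisition are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: acquiring a raw image of a subject drive from a live Linux CD and proving
# afterwards that the copy matches the source. Assumes coreutils (dd, sha256sum) and
# util-linux (blockdev). Device paths in the comments are illustrative.

# Prints the SHA-256 of the file or block device named in $1.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Returns 1 if $1 (or any partition on it) is mounted. A mounted filesystem is still being
# written to, so the image could never match a hash taken from the source a minute earlier.
refuse_if_mounted() {
    [ -r /proc/mounts ] || return 0
    ! grep -q "^$1" /proc/mounts
}

# $1 = source device, $2 = image path on the examiner's own writable drive.
# Returns 0 only if the source hash taken before copying equals the image hash taken after.
acquire_image() {
    src=$1; dst=$2
    refuse_if_mounted "$src" || return 1
    # Software write block: on a real device, set the kernel's read-only flag before touching it.
    if [ -b "$src" ]; then
        blockdev --setro "$src" || return 1
    fi
    before=$(hash_file "$src") || return 2
    # noerror keeps going past an unreadable sector; sync pads that sector with zeros so every
    # later offset still lines up with the original drive. dd's error report goes to the log.
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>"$dst.dd.log" || return 3
    after=$(hash_file "$dst") || return 2
    # Record both hashes beside the image (assumed sidecar file name) for later verification.
    printf 'source %s\nimage  %s\n' "$before" "$after" > "$dst.sha256"
    [ "$before" = "$after" ]
}

# Re-hashes image $1 and compares it with the value recorded at acquisition time.
verify_image() {
    recorded=$(awk '$1 == "image" {print $2}' "$1.sha256")
    [ -n "$recorded" ] && [ "$(hash_file "$1")" = "$recorded" ]
}

# Constructed sample: a 32 KiB "drive" of random bytes standing in for /dev/sdX, so the
# example runs offline with no hardware. Returns 0 if acquisition and verification both pass.
demo_acquisition() {
    dir=$(mktemp -d) || return 4
    dd if=/dev/urandom of="$dir/subject.raw" bs=512 count=64 2>/dev/null
    acquire_image "$dir/subject.raw" "$dir/subject.dd" && verify_image "$dir/subject.dd"
}

# Usage: sh acquire.sh /dev/sdb /media/examiner/case001/sdb.dd
if [ $# -eq 2 ]; then
    acquire_image "$1" "$2" && echo "acquired and verified: $2"
fi
```

Two caveats a practitioner would add. First, the kernel read-only flag is weaker assurance than a hardware write blocker, because it depends on the booted kernel and on nothing having automounted the drive before the flag was set, which is exactly the training issue raised earlier in this post. Second, hashing a large drive twice on the subject machine's own hardware is part of why live CD acquisitions are slow; tools such as dc3dd hash while they copy, but the principle shown here (hash before, hash after, record both) is the same.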

The purpose of live preview CDs is to make it easier for law enforcement officers in the field to preview a system. To do this, the live preview CD must be easy to use. The current live CDs out there are not particularly user friendly with many of them requiring you to use the Linux command line to perform operations rather than a nice friendly graphical interface.

Another downside to live CDs is that they are notoriously slow performing some operations. Especially previewing images. And many of them crash when attempting to deal with large numbers of images on a computer. That is probably more a function of the hardware than the software, since you don't get to choose the hardware configuration of the computer you are previewing.

Wednesday, January 7, 2009

Help a blogger out, will ya?

One of the things about being a blogger is that you sometimes suffer from the dreaded "writer's block." Not so much from the standpoint that you can't write, but from the standpoint of not having a topic worthy of writing about.

That is when I get tempted to write technical articles for this blog. However, when I started this, I made a commitment to bringing this technical subject to attorneys and the public in plain language.

So, if you have something you would like to see on this blog, send me an email. If you see an interesting article somewhere you think would benefit my readers, send it along and I will see about posting it.

The only rules are: I don't write about anti-forensics and I don't give away my trade secrets.

The Jury Expert

If you are not already reading the publications from the American Society of Trial Consultants, I recommend it. Not only for attorneys, but for practicing forensics experts.

The more you know, the more value you can bring to the table for your clients.

Sometimes, experts lock themselves into their narrow little world of technicalities, restricting their ability to assist clients through the whole process. Reading publications like this will help you as an expert to better understand the primary audience for your testimony; The Jury.

The ASTC publishes an excellent newsletter. You can visit their site and download the newsletters by clicking on the link below.

American Society of Trial Consultants

I am also adding this to my resource links.

Tuesday, January 6, 2009

Myspace gives clues to cops

Interesting story from our local news.

Myspace gives clues to cops

Metadata - Dangerous Stuff

Here is the best article I have seen on this topic.

Metadata - What is it and what are my ethical duties?

Not only does it explain in plain English what metadata is, it contains legal opinions on the topic and practical advice on dealing with Metadata in the legal community.