Sunday, July 26, 2009

Talk Forensics - 25th Episode

It's hard to believe that we have had Talk Forensics on the air for 25 weeks now.  Today marks our 25th show and features Frank Bender.

Frank Bender is an autodidact forensic and fine artist. His talent for forensic facial reconstruction, working first with the Philadelphia police department, then with the FBI, TV’s Americas Most Wanted, the Scotland Yard and the governments of the Mexico and Egypt, has made him widely recognized as a leader in his field.

You can read about Frank's work in the book, "The Girl With The Crooked Nose." 

You can join us on the show every Sunday at 4PM Eastern at Talk Forensics on Blog Talk Radio where you can ask the guest questions live either by calling in to the show, or by asking questions in the live chat room for the show.

If you can't make it, you can always download the shows as a podcast from the iTunes store at Talk Forensics Podcast at iTunes
Reblog this post [with Zemanta]

Saturday, July 25, 2009

Using Automated Computer Forensic Tools - Good, Bad or What?

K-9 the Robot DogImage by Extra Ketchup via Flickr

In the world of computer forensics software, each developer is consistently working to add value and features to their product to make it more attractive to the forensic investigation market.

The market leaders, Guidance Software and Access Data, both provide comprehensive forensic software packages, albeit with decidedly different approaches.  And for the purist, you can purchase X-Ways forensic software, which is a GUI for their Winhex product.

There are others out there as well, such as Paraben, and Pro-Discover and more.

Beyond the comprehensive tool developers, there are many specialty tools available as well:

Belkasoft makes tools for reading chat and internet history and email.

Drive Prophet is a data gathering tool that can parse out USB device connections, recently opened files, and many other items of interest to an investigator.

Then there is RegRipper, a tool for parsing Windows registry data.

The question is, are these tools helping or hurting the quality of forensic examinations?

My immediate response to that question would be a resounding, "Yes".

Depending on the circumstances, fully automated, limited scope collection tools can be of great benefit to an investigator or examiner.  If you are in a situation where you just need to look at a specific type of information, an automated tool that is built just for that purpose would be the most efficient way to go.

The problem is that the tools that are real specific don't do some things like checking for deleted files or looking inside compressed files as part of their automated routines.

While the big suites can do pretty much whatever you desire, you run into the simple, but real limitation of the time it takes to do searches in unallocated space or, heaven forbid, create an index for key word searches.

The single biggest issue I hear from the law enforcement examiners I interact with is that time is a real problem for them with the number of cases they have, or the fact that they are not dedicated to just computer forensics.

As a private consultant, waiting on machines to process data is a huge time waster since processing time is not billable.  Unless of course you are conducting an forensic examination on-site due to the Adam Walsh Act.  Then all the time is billable, and costs the client a considerable amount of money.  Since most of these cases are indigent, the taxpayers end up footing the bill.

While automated processes are critical to performing computer forensic examinations due to the fact that a purely manual process would be prohibitively expensive and time consuming, they must be used as they are intended and not become a substitute for an actual forensic exam.

If an examiner limits themselves to what the automated tools and routines can find, they will probably miss critical evidence.  From what I have seen over the last several years that I have been doing this kind of work, the  majority of cases I have worked contain evidence that gets missed by examiners, both by private consultants and law enforcement examiners.

The single biggest danger in depending solely on automated tools and processes is that an examiner may be in a situation that would cause them to accept the results as "good enough" due to time or budget constraints.

The other danger in tools becoming more automated is that in the hands of an untrained examiner, they simply may not know where to go next with the tool or the examination to make sure that a thorough examination has been done.

While automated tools and routines may be able to replace an examiner's need to know how to look for some piece of data or evidence, they cannot replace the need for an examiner to know where to look and what to look for.

Those skills are probably more critical than knowing how to get a piece of data.  To conduct the most efficient examination, there has to be a combination of knowing where to look first, second and so on, along with how to use a tool to extract what you need to find.

When using automated tools, an examiner must be prepared to answer the questions: 

1. If the automated tool does not find it, how do I find it using a different approach?
2. Where is the most likely place to find what I need, if the evidence is not where it is supposed to be?  (Automated tools can only look at where something is supposed to be.)
3. If I can only find a fragment of a piece of evidence, how do I find related evidence to collaborate the fragment?
4. If the original file I know was there is missing, how do I show that it was there at some point in the past?
5. Can I create some sort of user attribution for the evidence?
6. How do I find evidence that will help with creating a time line for the fragment?

Plus many more questions that an examiner must answer that automated tools simply cannot be created sophisticated enough to answer at this time.  Perhaps in the future, expert systems will be developed to take the place of examiners, but for now, it is the examiner's skills that make the case, not the tools,  no matter how good they are.

If there is anything that is needed in the field right now, it is more training, not more automation.

Reblog this post [with Zemanta]

Digital Breadcrumb Eradicator - Maybe, Maybe Not.

Disappearing ink.Image by WillBurton2 via Flickr
I am always skeptical when anyone makes a claim about making data disappear.

University of Washington researchers have developed a tool that will make some data you send to another party disappear after a specified time period.

This article will self-destruct: A tool to make online personal data vanish 

"Computers have made it virtually impossible to leave the past behind. College Facebook posts or pictures can resurface during a job interview. A lost cell phone can expose personal photos or text messages. A legal investigation can subpoena the entire contents of a home or work computer, uncovering incriminating, inconvenient or just embarrassing details from the past. 

The University of Washington has developed a way to make such information expire. After a set time period, electronic communications such as e-mail, Facebook posts and chat messages would automatically self-destruct, becoming irretrievable from all Web sites, inboxes, outboxes, backup sites and home computers. Not even the sender could retrieve them."

 I would be happy to take on that challenge.  Send me a computer hard drive where someone has been using this new tool and I would be willing to bet lunch I could get back at least some of the messages.

I see it all the time where someone thinks they have protected themselves by turning off their chat logging or using on-line email programs and various other means of "hiding" their messaging activities.

Even if you are using this system, for a time, the text is going to be in the clear prior to encryption on the sending system, and it will be in the clear after decryption on the receiving system.

I think I will have one of my interns use Vanish for a couple of weeks and see what I can retrieve forensically from the hard drive.

I will post the results of that experiment in a couple of weeks.

In the meantime, I can see how this new tool, used in a certain way, could make it virutally impossible to recover messages sent between parties.  As always, an advancement like this for on-line privacy becomes a boon for those who wish to hide their activities for nefarious reasons, such as terrorists and criminals.

Every tool can be used for good or bad or neutral purposes.  That is the nature of the beast in computer security.

Some additional links to articles about Vanish:

Reblog this post [with Zemanta]

Sunday, July 19, 2009

Sexting - What Happens When....?

I was having a conversation the other day with a detective and a defense attorney and the subject of sexting came up. The defense attorney made an interesting observation; What happens when the person that received a message of an underage girl or boy turns eighteen? If they

SextingImage by gatom0g via Flickr

still have the image in their possession, does it become child porn?

At the SANS conference, the law enforcement folks that spoke or answered questions regarding sexting among teenagers as something their district attorneys were not prosecuting unless an adult was involved.

Apparently this is becoming rampant with cases showing up more frequently all over the country, with the majority of the "sexters" being girls sending pictures to boys.

Hence, the question about what happens when they turn eighteen and become adults if anyone is still possessing the sexted pictures.

Would it be a defense to say that a person received the picture while they were a minor? Or would the possession be determined based upon them still having the picture after they become an adult?

It is going to be interesting and possibly disturbing to see where this goes over the next few years.

Here are some links on the subject of sexting.

Reblog this post [with Zemanta]

Saturday, July 18, 2009

Supreme Court Ruling: Melendez Diaz v. Massachusetts

The guys over at Voom Technologies Inc. have posted an interesting article interpreting the recent Supreme Court decision that will require live testimony by forensics analysts. 

You can check it out here:

Voom Interprets Broad Supreme Court Ruling Requiring Analysts' Live Testimony to Apply to Computer Forensics 

Also, Scott Greenfield over at Simple Justice wrote an excellent post about this decision.

Courting Confrontation (Simple Justice)
Reblog this post [with Zemanta]

Friday, July 17, 2009

Getting Ready for 2010

Windows CalendarImage via Wikipedia
I know it is only July, but looking forward to next year, I thought I would write a quick post about speaking engagements.

I typically do quite a few speaking engagements each year on the topic of digital forensics for various attorney organizations, schools and paralegal associations. That is in addition to the speaking I do at computer forensic conferences. I also personally conduct a few one and two day intensive training seminars on advanced digital forensic consulting.

Having said all that, my office is currently scheduling my engagements for next year. If you are interested in having me speak to your group, at your conference or training seminar, then now would be the best time to get a commitment on my schedule for next year.

By scheduling these engagements far enough out, it allows us some flexibility in scheduling my court appearances for the cases I do during the year.

Some of my past and current speaking engagements: 2009 NACDL (National Association of Criminal Defense Lawyers Making Sense of Science Seminar), 2009 Alabama ACDL, NC Association of Private Investigators, North and South Carolina Public Defenders Conference, 2009 American College of Forensics Examiners Institute Annual Conference, Wake County Paralegal Association, University of North Carolina at Pembroke, North and South Carolina Public Defenders Investigators Conference, 2009 SANS What Works In Forensics Summit, and several others.

If you are interested in having me come speak to your organization, please contact Leslie or Dawn at 919-868-6291 to make arrangements.  My schedule fills up quickly.

Reblog this post [with Zemanta]

Monday, July 6, 2009

US Supreme Court Rules That Experts Must Testify

Supreme Court of the United StatesImage via Wikipedia

According to a recent ruling in Melendez-Diaz v. Massachusetts by the Supreme Court, experts will be required to testify to explain their reports, examinations, or methodology.

It will be interesting to see the impact this has on the case turnover rate in labs across the country as more forensics people spend time in court rather than in the lab.

Check out Forensic Magazine's article on this ruling for a more robust treatment of the topic: Supreme Court Ruling Requires Crime Lab Analysts to Testify

On a positive note, perhaps this will help us lab-toiling examiners fight off vitamin-D deficiency by at least getting us out of the lab and into the sunshine for that brief walk from the car to the courthouse.
Reblog this post [with Zemanta]