Monday, June 29, 2009

Road Rage on the Information Super Highway

Is the internet making people meaner? Or is it just giving people a chance to be mean without consequences, allowing them to channel their inner monsters in a fast and convenient way?

One of my friends who regularly appears on Hannity's Great American Panel, sent me an email he received after one of the shows; It was nasty, filled with personal attacks and vulgar references.

If you read the comments that follow many news stories on web sites for television stations and other news outlets, it is frightening to see what people post about people accused of crimes, local politicians, celebrities, and anyone else who happens to raise their ire. Veiled threats, accusations about the personal lives of the person in the news, hate speech, it's all there.

Jump on any forum and you will see posts filled with personal attacks on other posters; especially if they happen to disagree with the poster.

While I value free speech as much as anybody, it is funny that excercising that free speech is so much easier when you can remain hidden behind your keyboard. I don't think people would be so quick to say some of the things they do about a person if they were within nose-punching distance of their target.

It reminds me a lot of how agressive people can get when they are ensconced in the metal cocoon of their cars, safe from the other driver they are flipping off or tail-gating.

The anonymity of the internet gives people a feeling of invulnerability, making them more willing to say things they would not other wise say in a public forum. At least, that seems to be the case since there has not been an alarming jump in brawls and fisticuffs on the streets.

While the courts go to great lengths to protect the first amendment right of anonymous speech, it is not absolute as courts are now beginning to tackle serving anonymous defendants in internet harrassment and defamation cases.

Federal District Court Mandates the Disclosure of the Identity of Online Posters


States have passed or are considering passing cyberbullying laws and other protections for people who are the subject of on-line threats, defamation and harrassment.


I have to admit that some of the posts can be a bit amusing if you recognize the unintended irony that some poster's messages contain; "I think they should rip that guy's genitials off and feed them to the dogs while he watches. Be back in a few, got to check on the cookies I have in the oven for the grandbabies."

Ouch!
Reblog this post [with Zemanta]

Saturday, June 27, 2009

Tales From the Dark Side

I have quite a few colleagues who work for law enforcement or who are in private practice like myself, but who primarily work for law enforcement.

They like to kid me about being on the "dark side" since I do quite a lot of cases on the criminal defense side of things.

I have to say that I am beginning to appreciate that humorous jibe more and more. For one thing, having worked as the opposing expert on so many cases, it has given me an opportunity to learn a great deal about being a better primary expert.

I also do a lot of civil and domestic cases, either as the primary (plaintiff) or the opposing (defense) expert.

Working as the opposing expert across from very good forensic examiners at the North Carolina SBI and the various law enforcement agencies in North Carolina and some other states, I believe I have gained a lot of insight I would not otherwise have if I only worked as a primary expert.

Nothing prepares you for how an expert is going to dissect your work like doing exactly that; dissecting the work of excellent forensic examiners.

It tends to condition you to look at your own work with a critical eye that you might not otherwise employ when readying your case examination for litigation.

You also begin to learn the most common weaknesses in most examinations and how to avoid them.

While I tend to do a lot of defense work, mostly because that is what I am most well known for, I take the same approach to all the cases I do; never underestimate the opposing expert.

There are some excellent forensic examiners out there and some that are not so excellent. I am grateful that I have had the chance to work across from so many excellent ones.

Much to the frustration of my publisher's acquisition editor, I have not yet submitted my book proposal for a book on advanced case analysis.

Perhaps a good title for it would be "Tales from the Dark Side."

Reblog this post [with Zemanta]

Friday, June 26, 2009

The Temptation to Get Technical

Every now and then, I get tempted to write a technical post on this blog. The problem is, that would go against what my intentions were for this blog all along; To bring issues and news to the lay reader about digital forensics.

Then I get tempted to start another blog on technical subjects. But there are plenty of those out there already.

Since I already, and very sporadically, write reviews on my other blog, Digital Forensic Tool Reviews, I wonder if it would be worth the time to write a third blog considering the projects I already have on the table.

I have to admit that the temptation to write a blog on Encase Tips and Tricks is quite strong at the moment. My staff is calling me crazy.

But to limit a blog just to Encase seems too narrow, even though I can think of dozens of posts right off the top of my head for it.

By too narrow, I mean that would leave out cool stuff that I think would be helpful to other examiners that are not Encase specific.

For instance, did you know that Versa Check .vdf files are in Microsoft Jet (i.e. MS Access) format and you can open them in MS Access and review the entries without having access to the Versa Check software?

It is amazing the amount of knowledge "stuff" you accumulate over the years doing this kind of work.

I think as practicing examiners we tend to take a lot of that for granted. Just "stuff" we know how to do from spending the thousands of hours doing what we do.

Little things like that add up to a lot of useful knowledge that is hard to find since you don't need it until you need it. Then you may not encounter it again for a long time.

I remember a case not too long ago that required scraping the old Mozilla browser history out of unallocated space. Since it is in the mork file format, it is a bit of a challenge since it does not have a set "footer" you can look for. So you end up figuring out what the header looks like, searching for the header, then manually scraping out the database file by visually identifying the end of the file. Then you can take that recovered file into NetAnalysis or some other program to actually read it.

What you do realize over time in this practice is the sheer enormity of "stuff" there is to know, and how much of it is a discovery process considering the thousands of different software programs that can produce evidence, and the ever growing size of raw evidence to process.

As someone who loves to teach, the temptation to write and publish some of this information tends to nag at me from time to time.

Like everyone else, there is always the time constraint of "when would you get it done?" In the "post or die" world of blogging, you have to post on a regular basis, which can require a significant investment in time. After all that, there is no guarantee that anyone will find your blog, much less read it.

So I will continue to ponder whether or not I want to write yet another forensics blog that is more technical in nature.

For now, back to non-techical articles.
Reblog this post [with Zemanta]

Tuesday, June 23, 2009

Channeling Your Inner Packrat For Data Recovery

Six hard disk drives with cases opened showing...Image via Wikipedia

Beginning back in 1982 when I started fixing computers, I developed a reluctance to throw perfectly good, but used parts in the trash. This was especially true with anything connected to data storage. Of course, everything ages out to the point where the likelihood of ever seeing something like a 5.25 floppy again become pretty minuscule.

On many occasions, digging through my "salvage" bin meant the difference between recovering the data on a hard drive or zip disk and never seeing that data again.

Zip drives. Photo by :en:User:Hephaestos Feb.Image via Wikipedia


While everyone has a limit on storage space, at least I do in my forensic lab, there are things that I routinely try to hold on to, "just in case".

Exotic SCSI controllers, odd media readers like Zip drives, old tape drives and of course, good but aged hard drives.


When you get a hard drive in that will not spin up, chances are it is an electrical problem rather than a mechanical problem. If you can locate an identical hard drive with working electronics, you can quickly swap out the PC board on the drive and many times, get the drive working again.

The large drive is a 5.25" full-height 11...Image via Wikipedia


When you get in a drive that has an obvious mechanical problem, i.e. the bearings are screaming when it spins up, there is no reason not to retain the drive for the electronics.

And when you can't find that old wide SCSI controller or tape drive in your salvage area, you can certainly find computer stores that carry old parts that will be happy to sell you their "junk".

In data recovery, one man's junk is truly another man's treasure.

Reblog this post [with Zemanta]

Wednesday, June 17, 2009

Computer Forensics: Criminal vs Civil, Whats The Difference?

Here is a good article by Steve Burgess.

Computer Forensics: Criminal vs Civil, Whats The Difference?

Steve is highly regarded in the field for his expertise in data recovery.

Geolocation - The good and the bad

As more and more applications add geolocation as a feature to their offerings, it gives me pause when I think about the implications of this technology.

I see this technology as a two-edged sword.

On the positive side, the ability to find someone based on geolocating their cell phone via twitter or locating someone via their browser, (See Opera 10 for more on this), can be a very good thing in criminal investigations or search and rescue efforts for the missing.

I was talking to Joe Finder on the phone the other day, and mentioned one of the Twitter phone apps that broadcasts your location when you tweet. That took us into a conversation on how that information might be used in various ways.

Being the suspicious type, (working in my field will do that to you), my take on it is that it could be the ultimate stalker tool.

Just think about the possibilities of following someone famous or not so famous on Twitter so you can see their location when they tweet from their phone. If you are in the general area, you can hone in on them fairly closely.

Personally, I have no desire to have my physical location published to the world. While my browser gives up my general location via my IP address, that only gets you as far as the town that is reported via some whois tools.

Of course, on the other hand, if I was in the trunk of someone's car or trapped in a building, finding me would be one of my paramount concerns. So from that standpoint, giving out my location as specifically as possible would be a very good thing.

You also have to wonder if we are moving toward a voluntary Orwellian society where we are giving up more and more personal information to the world that can easily be tracked by people with whom we have no intention of sharing.

I am curious as to what you readers think. Post a comment with your opinions on this if you feel like sharing.
Reblog this post [with Zemanta]

Friday, June 12, 2009

SANS What Works Summit in Forensics and Incident Response

If you have not registered for the upcoming SANS summit,  I encourage you to do so.  It is going to be very informative and fun. (Well, fun in a super geeky sort of way.)
I will be on the panel: Forensic Challenges from the Court Room.
The question I will be tackling is: 
If you were working the defense on a case, what would your basic strategy be to create doubt in the plaintiff's digital evidence?
Considering that I can talk about that subject for hours, condensing the answer down to three slides was a challenge.
Honestly, I am looking forward to hearing what my co-panelists have to say.  These are some really smart people:
 
Craig Ball — Attorney and Computer Forensic Expert
Gary Kessler — Associate Professor of Computer & Digital Forensics and director of the M.S. in Digital Investigation Management, Champlain College;
Dave Kleiman — Computer Forensic, E-Discovery, and Litigation Expert
Bret Padres — Director, Digital Forensic Laboratory, Stroz Friedberg
Dr. Doug White — Director, FANS laboratory at Roger Williams University; President of Secure Technology, LLC.; ISFCE Representative
 I am also looking forward to hearing from folks like Harlan Carvey, Mark McKinnon, Ovie Carroll, Jesse Kornblum and a bunch of others that Rob Lee has managed to snag for the conference.
I hope to see you there.

Monday, June 8, 2009

Is Digital Forensics a Science?

I was reading a well thought out post by Michael Cloppert over at Sans, titled, "Is Digital Forensics a Science?”

Interestingly enough, Gary C. Kessler raised the same question and doubts during his presentation at Techno Security in Myrtle Beach last week.

I must respectfully disagree with both of them on several points.

Michael and Gary both asked the right underlying question, “Is computer science a science?” If computer science is not a science, then it seems that the question is moot. So there is little point in further debate on the subject.

However, forensic science does not, per se, need to meet the requirements of the classical sciences.

First of all let's deal with the domains of classical sciences. There are the meta-sciences such as mathematics and philosophy, and the natural sciences. Then there are the engineering disciplines.

The answer according to Juraj Homkovic, in his book “Theoretical Computer Science”, published by Springer, is that computer science is an independent science because it uses parts of the meta science, natural science and engineering domains.

His definition of computer science is; “Computer science is the science of algorithmic processing, representation, storage and transmission of information.”

The emphasis is on algorithmic processing and information.

While the meta sciences such as mathematics and philosophy study determinism, randomness, truth, knowledge and simulation, natural sciences investigate through observation and experimentation the
concrete processes and objects using hypothesized models to determine what is possible or not possible.

It is the boundary between what is possible to solve and impossible to solve that qualifies computer science as a science. Juraj asks the important question, “Are there well defined problems that cannot be solved automatically, (by a computer, regardless of the processing power of contemporary, or futuristic ones)?” According to Juraj, the answer to this question is yes.

Moving on to the definition of forensic science, here is how the American Academy of Forensic Sciences defines it:

What is Forensic Science?

The word forensic comes from the Latin word forensis: public; to the forum or public discussion; argumentative, rhetorical, belonging to debate or discussion. From there it is a small step to the modern definition of forensic as belonging to, used in or suitable to courts of judicature, or to public discussion or debate. Forensic science is science used in public, in a court or in the justice system. Any science, used for the purposes of the law, is a forensic science. “ American Academy of Forensic Sciences

With those two definitions in hand, it would seem to settle both questions; Computer science is a science and digital forensics is computer science used in public, in a court or justice system. I could easily end this here and be satisfied that I answered the original question to my satisfaction. But, where would the fun be in that?

Instead, I would like to address some of the very interesting questions raised by Michael Cloppert in his SANS post.

Before I do that, I wanted to make the point, for example, of the difference between a pathologist and a forensic pathologist. Pathology is a specialty within the greater body of medical science and involves determining natural causes of death and disease. Forensic pathology requires additional training in the determination of unnatural causes of death.

In my way of thinking, digital forensics works in much the same way; digital forensics requires additional training to recover and analyze physical data for the purpose of determining the presence or absence of evidence for use in a legal proceeding.

Michael raises the point of immutable natural laws as being defining when one considers if a field is a field of science. I have to point out that biology suffers greatly from the lack of such laws and is still considered a science.

When you look at computers, I would have to argue that we do have some immutable laws, that no matter how much we might want to change them, they are not mutable.

Since I am making up the list, I get to name them after me. So here we go with Daniel's Laws of Digital Forensics.

1.Any amount of data that is unmodified will always produce the same hash value independent of its source. (This assumes the hashing tool is accurate and that the source is not failing, etc..)
2.All data transfer is subject to Shannon's law.
3.No computing machine can act on its own without human intervention. (No piece of computational hardware works without input first from a human programmer, even if it is electromechanical.)

I thought Micheal's post was both entertaining and informative. But as one of the “reasonable nerds”, I do have to disagree.

I feel that I also need to point out that many of the accepted forensic sciences are not in fact real science because they do not pass the definition of any of the scientific domains. At the end of the day, many attorneys will tell you that forensic science is whatever the judge allows into evidence.

Here are some of the forensic sciences that, in my mind, do not pass the requirements to be real science: Tool marks, shoe prints, ear prints, lip prints, finger prints, handwriting analysis, lie detection, bite mark analysis, and many more.

To fully understand how the legal system views forensics, it is important to know that it depends on a legal definition of scientific evidence, not an academic definition.

The legal system in the USA uses the Daubert or Frye tests for admissibility of scientific evidence and that ruling is made by a judge in each case where such evidence is challenged.

Digital forensics or computer forensics has passed those tests on many occasions.

One of the quirks of our legal system is that bad science, once admitted as evidence, sets a legal precedence for more of the same bad science to be admitted in other cases. Thus creating a false empirical basis of legitimacy for pseudo-sciences in the legal system. Coupled with the resistance of prosecutors to re-open cases where people were convicted based on what is now recognized as pure foolishness, whether nor not computer forensics is a “real science” seems like a small question after all.

Sunday, June 7, 2009

Digital Forensics Awards at Forensic4Cast

Lee Whitfield over at Forensic4Cast  has put together an awards program for digital forensics.  They are accepting nominations from now until June 21st.

The categories are:


  • Outstanding Contribution to Digital Forensics (Individual)
  • Outstanding Contribution to Digital Forensics (Company)
  • Best Digital Forensic Article/Blog Posting
  • Best Digital Forensic Blog
  • Best Digital Forensic Book
  • Best Computer Forensic Hardware Tool
  • Best Computer Forensic Software Tool
  • Best Phone Forensic Hardware Tool
  • Best Phone Forensic Software Tool
  • Digital Forensic Examiner of the Year
  • Lifetime Achievement Award
  • The Huh? Award (chosen by Simon)
All but the ‘Huh?’ award are open for nominations and voting.

Visit the site for the full rules and explanation.

Saturday, June 6, 2009

Law Enforcement Only?

Lee Whitfield over at Forensics4Cast posted a very good piece on the subject of law enforcement only tools and training, along with the disparity of pricing between law enforcement consumers and private consultants.

You can read his post along with reader comments here.

I have to say that I am in agreement with Lee on this subject and have been for a long time.  As a consultant who does a lot of criminal defense work, I am puzzled by the animosity I get from law enforcement people at conferences.  If I want to have a conversation with anyone from law enforcement, I have to avoid mentioning that I do criminal defense work.  Otherwise the majority of them get defensive and start making claims about how perfect the law enforcement examiners are.  In other words, I am wasting my time working for the defense, since their evidence is infallible.

The way I see it, I have no issue working for either side, since the job of a forensics examiner is to gather evidence, both incriminating and exculpatory.  As Sergeant Friday used to say "Just the facts, ma'am."

I am also puzzled by law enforcement "discounts" for tools and software.  In my opinion, the discounted price is the real price and private companies are getting up charged.

Where did this practice come from?  I suspect it is there to discourage private consultants or at the minimum to handicap them by making tools and software more expensive.  It reminds of the practice of charging overtime when a serviceman comes to your home or business after hours.  That practice started, not as a means to recover additional costs on the part of the service company, but simply to punish customers who called for after hours service.  It was desigend to discourage after hours calls by invoking a contrived penalty on those who had the audacity to interrupt the serviceman's weekend.

A few years ago, Guidance Software considered restricting customer access to their message boards by forcing all private users into a "Consultant's Forum" and denying them access to the forums used by law enforcement.  Fortunately, they came to their senses before they ended up losing a lot of clients who have to pay a premium for their products to other companies.

I believe in the free exchange of information to advance the field for every exmainer, regardless of who they work for or what kind of cases they take.  Digital forensics, as a discipline, is not predicated on what kind of case it is used to analyze.  Attempting to give one side an advantage by keeping secrets, restricting training or price gouging certain classes of customers is counter-productive for everyone.

The same holds true for associations that exclude certain classes of examiners by the types of cases they work.  It is a lot like cutting off your nose to spite your face.  By refusing to interact with examiners who may work on the other side from you in cases just keeps you from learning about how they view the opposing side's work, keeps you from gaining knowledge that can prevent problems for you in cases and does nothing  help everyone to learn and avoid common mistakes.

As people who practice a discipline that is in the realm of forensics, open discourse is the best way to improve the field and advance knowledge for everyone.

In the famous words of Forrest Gump, "That is all I have to say about that."

Wednesday, June 3, 2009

Please enter your username and password

From time to time, people will forward an email to me asking me if it is legitimate. I received one this morning from a client of mine. As usual, it posed a very legitimate sounding premise, in this case, regarding a webmail account being over limit. It went on to give a web address where the user could go to resolve the "issue" by entering their username and password.

Computer password screen


If you have an account with an online service, bank or other company, they will never send you an email asking for your login information. They already have it.


As these phishing scams continue to get ever more sophisticated, it is easy to fall into the trap of good wording or high quality web site spoofing. Please remember that your bank, your credit card companies, or any other on-line service you use does not need for you to tell them anything about your account. They already have it.

As always, use caution when using the internet.