Monday, December 27, 2010

Electronic Discovery Just Keeps Getting More Complex


I have this application that I use and it is awesome: Dropbox.  Dropbox is a cloud-based (Internet) application that allows me and my team to share documents and access them from virtually anywhere.  I can review and edit these documents on my desktop, my laptop and my iPad, and review them on my Android phone.  Talk about convenience.

What is so cool about the application is that it also provides automatic online backup of the documents and keeps a revision history so you can “go back” to a previous version of a document.  It even keeps deleted documents, just in case you didn’t really mean to delete that oh so important Word document.

So why write about this on a digital forensics blog?  Applications like Dropbox are the future of distributed file sharing.  There are quite a few applications that serve the same or a similar purpose, such as Google Docs, Windows Live SkyDrive and Apple’s MobileMe.

What’s interesting about these applications is the potential to hold discoverable electronic evidence.

The basic approach to ESI (Electronically Stored Information) cases is to follow the who, what, where and how of potential evidence. 

Who are you trying to find out information about, or who owned, modified, deleted or created a document or email?

What are you looking for?  This part is pretty well defined; Email, Documents, Spreadsheets and so forth.

Where might this evidence be stored?  This is what is getting more complicated with more storage options gaining ground in the marketplace.

How do you get the evidence?  In the old days, that was the simplest of questions; either from the computer hard drive or a floppy disk.  You would get access to the computer in question and do the evidence collection.

These days, the interrogatories for building a discovery motion need to include the possibility of cloud storage applications like these.
Companies should also bear in mind that since these applications sync files to multiple devices, an employee may now have a copy of the files on a home computer as well as on an office computer or company laptop.

When you look at obtaining electronic discovery, one of the questions now must be: does the custodian of interest have access to, or participate in, on-line shared storage options beyond a SharePoint server or a company file share?  If the company is using an on-line backup service in the cloud, will documents be available there that are not on the local computers and servers?

The beauty of applications like Dropbox is the audit trail that is automatically created when documents are modified or deleted from Dropbox.


Dropbox also keeps a log of all events that occur:


While there is a limit to how far back you can restore a file, the history of events goes back for months.

I encourage you to think outside the box, no pun intended, when considering what you want to ask for in electronic discovery and how you might gain access to it.

Sunday, December 5, 2010

Holiday Cheer - Drive Prophet Sale

Now that the holidays are here, I thought it would be nice to put Drive Prophet on sale for the month of December.  Enter the coupon code holidays at the payment screen and receive 25% off the regular price of Drive Prophet.

You can learn more about Drive Prophet at

Sunday, November 14, 2010

Limewire–Down but not out

I just read a very good article over at DFI News. 

Frosted Limes- The Unintended Consequences of Shutting Down Limewire

When I saw the part about Limewire not connecting for users, I had to go see what was happening.  I opened up Limewire on my test machine and sure enough, it would not connect.
But it took me about five minutes to find the workaround to make it connect again.  So it appears that as long as you are not running the most current version of Limewire that has the auto update feature, and you locate the “fix”, you can keep right on cruising with Limewire.
I am not going to link the “fix”, since there are plenty of alternatives out there anyway.  I just wanted to verify that Limewire might be down, but it’s not out.

Sunday, October 31, 2010

The Future of Digital Forensics Tools


I just read a great post over at Eric J. Huber’s blog, A Fistful of Dongles: The Future of Digital Forensic Tools

I would agree with everything Eric said.  However I would like to take it a bit further. Eric stopped his post at the third generation.  I have been thinking for quite some time about the Fourth Generation of digital forensics tools.

When you have completed a lot of cases, you begin to see just how repetitive and similar many cases are.  At least at the front end of the examination.  Every examination begins with the same steps, independent of the type of case it is.  I use Encase, so this will reflect the methods for that software program.

  1. Set up the case folders.
  2. Add the evidence and let it verify.
  3. Run recover folders to find any folders that have been deleted.
  4. Run file signature analysis.
  5. Compute / Re-compute hash values to make sure you get a hash value for every file.
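Steps 4 and 5 of that list, file signature analysis and a hash for every file, done with nothing but the Python standard library, as an added example; this is not EnCase code and not from the original post. It assumes the evidence has already been exported or mounted read-only as a directory tree (a hypothetical path), uses a small constructed magic-byte table in place of a tool's full signature library, and builds its own constructed sample tree so it runs offline.

```python
"""Added example (not from the post, not EnCase): signature analysis plus
MD5/SHA-1 for every file in an exported evidence tree.

Assumptions not stated on the page: the evidence is reachable as a read-only
directory; the signature table is a tiny constructed subset."""
import hashlib
import os
import tempfile

# Magic bytes -> (description, extensions that normally carry that content).
# Constructed subset; a real tool ships thousands of these.
SIGNATURES = [
    (b"\xff\xd8\xff",                      "JPEG image",         {".jpg", ".jpeg"}),
    (b"\x89PNG\r\n\x1a\n",                 "PNG image",          {".png"}),
    (b"%PDF-",                             "PDF document",       {".pdf"}),
    (b"PK\x03\x04",                        "ZIP container",      {".zip", ".docx", ".xlsx", ".pptx"}),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  "OLE2 compound file", {".doc", ".xls", ".ppt", ".msg"}),
    (b"GIF87a",                            "GIF image",          {".gif"}),
    (b"GIF89a",                            "GIF image",          {".gif"}),
]


def identify(header: bytes):
    """Return (description, expected_extensions) for the first matching magic, else None."""
    for magic, desc, exts in SIGNATURES:
        if header.startswith(magic):
            return desc, exts
    return None


def hash_and_classify(path: str) -> dict:
    """One pass over the file: MD5 and SHA-1 (the two values examiner reports
    of this era carry) plus a comparison of magic bytes against extension."""
    md5, sha1 = hashlib.md5(), hashlib.sha1()
    header = b""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(1 << 20)
            if not chunk:
                break
            if not header:
                header = chunk[:16]
            md5.update(chunk)
            sha1.update(chunk)
    ext = os.path.splitext(path)[1].lower()
    match = identify(header)
    if match is None:
        desc, status = None, "unknown"       # not in the table: worth a manual look
    else:
        desc, exts = match
        status = "match" if ext in exts else "mismatch"   # renamed to hide it?
    return {"path": path, "md5": md5.hexdigest(), "sha1": sha1.hexdigest(),
            "ext": ext, "type": desc, "status": status}


def analyze_tree(root: str) -> list:
    """Walk the exported evidence tree and hash/classify every regular file."""
    results = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            results.append(hash_and_classify(os.path.join(dirpath, name)))
    return results


def build_sample_tree() -> str:
    """Constructed sample evidence, not real case data: a JPEG header under the
    right extension, the same header hidden behind .txt, and an unknown blob."""
    root = tempfile.mkdtemp(prefix="evidence_")
    with open(os.path.join(root, "photo.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0" + b"\x00" * 64)
    with open(os.path.join(root, "notes.txt"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe1" + b"\x00" * 64)
    with open(os.path.join(root, "random.bin"), "wb") as f:
        f.write(b"\x01\x02\x03\x04")
    return root


if __name__ == "__main__":
    for r in analyze_tree(build_sample_tree()):
        print(f"{r['status']:8} {r['md5']}  {r['ext']:5} {str(r['type']):20} {os.path.basename(r['path'])}")
```

The "mismatch" rows are the ones the signature-analysis step exists to surface; the hashes feed the known-file filtering that comes later in the examination.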

From there you may do a lot of other things in some order depending on the case type or what you are looking for in particular. 

However, certain types of cases tend to have clusters of items of interest you want to review.  For instance, email is an ever popular item of interest in domestic cases.  As are internet history and chat logs.

While Encase has a search feature built-in that grabs Internet history, and even rebuilds web pages as part of the process, it does not go after HTML pages in unallocated space.  And that is a good thing, since you may not need to take that next, laborious step.

Having dabbled in expert systems over the years, including some programming in Prolog, etc. I believe the next major evolution in digital forensic software is going to be the application of knowledge based expert systems.  I know we in the field kid about the “Find Evidence” button, but that is not so far from reality if you think about what we do from a knowledge base perspective.

After all, there is a finite amount of evidence types to be recovered in a case.  And depending on the case type, that sub-set is reduced even further.

Automating this data recovery has been and will continue to be a large part of the evolution of digital forensic tools.  Let’s face it, once you have the format of the underlying data in hand, automating the process to extract that data is just a matter of programmer time.

However, the recovery of data is only the beginning of the process; The real work comes in sifting through the massive amount of data that can be recovered to see if it is relevant and applicable.  We try to reduce that part by performing triage in a lot of cases.  There is, after all, a limit to both available human resources and financial resources in every case.  Not to mention the time factor.  The less time you have, the less you can accomplish, simply because of the time it takes to perform both recovery and analysis tasks.

An examination can be made more efficient if the examiner has a good idea of exactly what must be found, develops a plan for the case to find that with the least amount of processing and human review, and has powerful enough forensic software to assist.

Getting back to expert systems: one of the premises of languages like Prolog is that, unlike a traditional programming language where you tell the program how to do something, you tell the program what you know and what you want (facts and rules), and the inference engine works out how to get there.

The idea of a knowledge based expert system is to capture the best knowledge available from human experts and put that into a system that can use that “expertise” in an automated way.  That has worked well in other industries where expert systems assist with diagnosis, troubleshooting and other tasks where expert knowledge is required, but not always quickly available.  Or to simply automate repetitive tasks in those realms to free up expert resources for problems too difficult for an expert system to handle.

In our industry, the goal would be to create a system that allows us to put in the parameters of what we already know and what we need to know.  In other words, what is the goal of the examination?  By inputting known information, setting the goals for the information that is needed, and then applying the expert system rule set via software, an expert system should be able to perform 50 to 90 percent of the examination on its own.  Then a human expert would take over and review the results, adjust the goals based on newly acquired information and refine the process for another run.
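A toy of the kind of system described above, as an added example that is not from the original post and is not any vendor's product: a forward-chaining rule engine where the examiner supplies what is known (case type, what software the custodian had, how exhaustive the goal is) and the rules, written as data rather than procedure, derive which artifacts to collect. The rule contents are illustrative assumptions, not a validated forensic knowledge base; note that the "carve HTML from unallocated" step only fires when the goal asks for it, which is the point made earlier about not taking that laborious step unless you need it.

```python
"""Added example (not from the post): a minimal forward-chaining expert system
for planning an examination. Rules are data; the engine is generic.
The rule set itself is an illustrative assumption, not validated knowledge."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    when: frozenset   # every fact here must be known for the rule to fire
    then: frozenset   # facts concluded when it fires


def R(name, when, then):
    return Rule(name, frozenset(when), frozenset(then))


# The knowledge base: "if these facts hold, conclude these". Nothing here says
# *how* to find a PST or carve a page, only *what* follows from what.
RULES = [
    R("domestic cases want email",     {"case:domestic"},                     {"want:email"}),
    R("domestic cases want history",   {"case:domestic"},                     {"want:internet_history", "want:chat_logs"}),
    R("ip theft wants usb and email",  {"case:ip_theft"},                     {"want:usb_history", "want:email"}),
    R("outlook mail lives in pst",     {"want:email", "has:outlook"},         {"collect:pst_files"}),
    R("webmail needs history",         {"want:email", "has:webmail"},         {"want:internet_history"}),
    R("history needs cache and db",    {"want:internet_history"},             {"collect:browser_cache", "collect:history_db"}),
    R("carve only when exhaustive",    {"want:internet_history", "goal:exhaustive"}, {"collect:carve_html_unallocated"}),
    R("usb history is in the registry", {"want:usb_history"},                 {"collect:registry_hives"}),
]


def forward_chain(facts, rules=RULES):
    """Fire rules until no rule adds a new fact.
    Returns (all known facts, names of rules that fired, in order)."""
    known = set(facts)
    fired = []
    changed = True
    while changed:
        changed = False
        for rule in rules:
            if rule.name in fired or not rule.when <= known:
                continue
            fired.append(rule.name)          # each rule fires at most once
            new = rule.then - known
            if new:
                known |= new
                changed = True               # new facts may enable other rules
    return known, fired


def plan(facts):
    """What the examiner actually reads: the derived collection steps."""
    known, _fired = forward_chain(facts)
    return sorted(f.split(":", 1)[1] for f in known if f.startswith("collect:"))


if __name__ == "__main__":
    print(plan({"case:domestic", "has:outlook"}))
    print(plan({"case:domestic", "has:webmail", "goal:exhaustive"}))
    print(plan({"case:ip_theft"}))
```

After a run, the examiner adds what was learned (say, `has:webmail` after finding Gmail in the history) and runs the engine again; that is the review-adjust-rerun loop the post describes.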

None of this would supplant the need for a real examiner to work the case, testify in court or translate the findings for non-expert consumption.

Perhaps some time in the future we really will see the “Forensicator Pro” with the “Find Evidence” button.

If you happen to have an interest in expert systems, artificial intelligence and such, below are some links.

Thursday, October 28, 2010

Limewire Forced to Close: Is It the End of File Sharing As We Know It?



In a recent court ruling, Limewire has been forced to close its website.  While Limewire made for a really huge target for music company lawsuits, just like Napster was in the past, the injunction missed the real target.

I just fired up Limewire on one of my test computers, and as suspected, it works just like always.  The only difference is the legal notice that pops up when you start the Limewire client.

While shutting down the Limewire website might stop the downloading of the client from Limewire, it will have no effect on the millions of clients already installed.  Interestingly, I suspect that Frostwire and the many other variants of the Limewire client will benefit greatly from the closure of the Limewire site.

Shutting down the Limewire site does not shut down the Gnutella protocol, which is the basis for the file sharing.  So if the Judge thought that this injunction would put an end to illegal music downloads, it is a big misunderstanding of the technology of file sharing.

There are a lot of alternatives to the Limewire client out there and this will just be a very small bump in the downloading road for someone looking for a method to obtain files via the peer to peer networks.


Sunday, August 15, 2010

Spoofing Calls and Texts: The Dangerous Side of Services

What many see as nice features and services, those who are a bit more security conscious see the potential for harm.
One such service is caller ID spoofing.  It lets you place a call that shows any phone number you choose on the recipient’s caller ID, and mask your identity further by disguising your voice.
While this can be a useful service for those who need to hide their phone number for some reason, although it is simpler to just have your number show up as a Private Caller, you can also use it to impersonate someone else’s phone number.
Let’s say you want to lure someone to some destination.  You could easily call them showing the phone number of the destination you want to lure them to, change your voice to that of the opposite gender, and tell them there is some kind of urgent reason for them to go to that location.
Would that person automatically call back the spoofed number you left to verify it?  Maybe, maybe not.
Would there be any record that you did this?  How would it be found?
Personally, I see frightening potential for misuse of this kind of service.
You can also send a text message to any phone using the on-line text page for the various wireless carriers.
I tested it using Verizon’s texting page by sending text messages to myself from Lars’ phone number (Lars is one of our examiners.)  The messages were delivered with his name, but as “Unverified Sender”.  Would a child catch that distinction if the message came from “Mom” as an unverified sender?
If you are in a position to educate parents and kids about cell phone safety and text messaging safety, please let them know that this kind of stuff is possible.

Tuesday, August 10, 2010

Private Browsing: Not so private after all.


In an article published this morning over at ZDNet, by Tom Espiner, it appears that clicking on that Private Browsing mode in your Internet Explorer, Firefox, Google Chrome or Safari may not be all that private after all. 

“The private browsing features in Internet Explorer, Firefox, Chrome and Safari are not as protective as they promise to be, according to new research.

Privacy modes are designed to protect a browser user from having their online activity tracked by websites or by other people who use the browser on the same computer. However, the way the features are set up means that traces of data can still be found even when the tools are used, according to researchers from Stanford and Carnegie Mellon universities.

The team developed methods to test browser privacy and gave details as to how they pieced together browsing histories. They focused on people with access to the PC after the browsing session, calling these people 'local attackers' in a paper that is due to be presented at the Usenix security conference (PDF) on Wednesday.

Local attackers can access the DNS resolution history in a cache on a machine that uses the latest versions of Internet Explorer (IE), Firefox, Chrome and Safari, enabling the intruder to reconstruct if and when a user visited a website, according to the researchers.

In addition, operating systems swap out browser memory pages during private and non-private browsing sessions, leaving traces of both types of sessions, they said. Other points of entry are browser add-ons (such as plug-ins) and extensions, which leave traces on the hard disk.”

Here is a link to the full article over at ZDNet.Co.UK

Monday, August 2, 2010

Buying a business? Change all the keys, not just the physical ones.



I get calls from folks asking me about people getting into their networks when they have recently purchased a business from someone else, or when an employee has recently left, willingly or otherwise.

In larger businesses that have in house IT support, they probably have the IT people take care of this.  But in smaller businesses that do not have internal IT support folks, here are some things to consider when changes in personnel happen:

  1. Get all the passwords.
    First of all, require that the leaving owner or party provide all passwords for everything they have access to, and test them for accuracy.  Now it is not a huge deal if you run into something that is password protected, since a knowledgeable IT person can usually reset or recover local passwords, but it can be very inconvenient and sometimes expensive.  Encrypted hard drives could leave you hanging in a big way.
  2. Get the name of the IT support company.
    If you are purchasing a business that has computers and or servers that you rely on to do your business, make sure you get the information on who has been taking care of the computers at the business.  It may be a company or it might be the old owner’s family.  Either way, you need to know this.
  3. Check out the current IT support company or get a new one.
    Call the IT support company or person and find out if they know the current passwords.  Check them out just like you would if you were hiring them off the street.  Get references and check them.
  4. Sign agreements with your IT support company.
    Anytime you use an IT support company, you should have them sign a non disclosure agreement.  Why? Because they have access to ALL your information.  This is especially true if you are a law firm, in the medical profession, counseling or financial area and handle confidential information.  This should also be true for any internal IT support people.
  5. Does anyone have remote access permission?
    Find out if anyone accesses the network or computers remotely as part of their work and who they are.  If it is the IT support company, again, make sure you know who you are dealing with and have proper safeguards in place for your and your clients’ confidential information.
  6. Account for all the data.
    Make sure you know where all the data is.  Are there off-site backups?  Portable drives?  It’s okay to be thorough.  Think of data lying around on portable drives, USB thumb drives, backup tapes or in off-site backup centers as bags of money.  You would want to account for all the money, right?
  7. Are you buying a web site or other off site service as part of the deal?
    Where is it and who is the hosting company?  Who is the registered owner of the domain name, if you are acquiring a web address or email domain as part of the deal?  Can your website be taken down or modified by someone without your permission?  Virtual assets like web sites, email addresses, on-line stores, blogs and even Twitter accounts are becoming a common part of acquiring a business.  Make sure you account for all the assets, not just the physical ones.

That is a very short list, but is the minimum you should do to protect yourself and your data and your reputation.  The cost of computer hardware is nothing compared to the cost of data you need to run your business or the liability of a data leak to someone else outside of your business.

If all of that seems to be out of your technical range, and it is for a lot of folks, hire a reputable IT company to come in and do a security check for you.  They can handle things like documenting all of the computer stuff, checking on who your domain is registered to, changing the passwords, checking for any type of external access to your network via PC Anywhere, Log Me In Free, VNC, Terminal Server, etc.  They can and should also check any router you have to verify any open ports that may provide access to your business network.
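The last check in that paragraph, whether the router exposes any remote-access service to the outside, as an added example that is not from the original post: a plain TCP connect probe of the default ports used by the tools the post names. Run it from outside the business network against the public address (a hypothetical host); an open port means that service is reachable by anyone. The port numbers are the tools' well-known defaults, and it is an assumption that nobody moved them; the test listener at the end is a throwaway stand-in so the block runs offline.

```python
"""Added example (not from the post): probe the router's public address for
the remote-access ports named in the text. Defaults assumed; services on
non-standard ports need a fuller scan."""
import socket

REMOTE_ACCESS_PORTS = {
    22:   "SSH",
    23:   "Telnet",
    3389: "Terminal Server / Remote Desktop",
    5631: "pcAnywhere (data)",
    5900: "VNC",
}


def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """True if a TCP connection to host:port completes, i.e. a service answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable
        return False


def check_ports(host: str, ports=None, timeout: float = 1.0) -> dict:
    """Map each port to whether it is reachable from where this runs."""
    ports = REMOTE_ACCESS_PORTS if ports is None else ports
    return {p: probe(host, p, timeout) for p in ports}


def report(host: str, results: dict) -> str:
    lines = []
    for port, is_open in sorted(results.items()):
        name = REMOTE_ACCESS_PORTS.get(port, "unlisted")
        lines.append(f"{host}:{port:<5} {'OPEN  ' if is_open else 'closed'} {name}")
    return "\n".join(lines)


# Offline stand-ins: a throwaway listener on localhost playing an exposed
# service, and a port known to be closed. Constructed for the demonstration.
def start_test_listener():
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port() -> int:
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # Real use: check_ports("203.0.113.10")  (hypothetical public address)
    srv, open_port = start_test_listener()
    results = check_ports("127.0.0.1", [open_port, closed_local_port()])
    print(report("127.0.0.1", results))
    srv.close()
```

A closed result only means nothing answered from where you ran it; an IT company doing the check should also log into the router and review the port-forwarding and remote-management settings directly.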

Thursday, July 22, 2010

A Picture Is Worth A Thousand Words: Part 2

Given the number of downloads we have had of the images I posted in the post “A Picture is Worth A Thousand Words,” I’d say their popularity exceeded my expectations.

I was organizing my files today and came across some more images I have made for my own presentations and for use in court. I post these images in high quality because I want to share them with the community. So feel free to copy the images and use them.

As always, all I ask is that you do not modify the images and that you leave the Guardian Digital Forensics logo on the slides.

Hope you Enjoy!

Lars Daniel
Digital Forensics Examiner and Forensic Artist
Guardian Digital Forensics

This is an image I created to explain internet caching.  The purpose of this image is to show that while you may look at only a portion of a web page, the computer automatically stores more information than you see, without any input from the user.

Internet Caching

I find it easier to explain how a write-blocker works with an image like this than with words alone.

Write Blocker - How it Works

This is an image I use illustrating how data can travel. I could just say that, but I like pretty pictures!

Data Travels

Wednesday, July 7, 2010

Into The Breach: Expert Witness Testimony

Last week I testified as an expert witness for the first time.  While I was confident in my ability to testify to what I had done in the case, it was still a bit of a nerve wracking experience.  It was definitely intimidating to ponder upon the fact that what I said on the stand that day would go into public record and exist forever.

Luckily I have been able to learn a great deal from Larry Daniel about how a successful expert witness testimony should look, and the steps that should be taken to prepare oneself for testimony.

At CEIC 2010 I attended the Expert Witness Panel: Making It Stick, which I also gleaned some insight from that helped to prepare me for my own expert witness testimony.  The members of the panel were Larry Daniel of Guardian Digital Forensics and Lynita Hinsch of Forensics Consulting Solutions.  It was moderated by Andy Spruill of Guidance Software, Inc.

These three were a wealth of information on the entire process of preparing for expert witness testimony and what to do when you get on the stand.

At this point, I had the right knowledge in my head, I just needed to put it into practice.  From education to experience, here are some points I would like to make, reiterating much of what I learned from Larry Daniel on a weekly basis, and from the CEIC 2010 panel. 

Communicate With Your Attorney
Communicating with your attorney in a case is vital.  Expert witness testimony goes best if your attorney knows what to expect, and conversely if you do too.  It also helps if you can properly prepare your attorney and educate them on the technical details.  I wrote a script of questions and the expected answers to those questions for my attorney.  While he did not follow it exactly, it certainly added some structure and made us both feel more comfortable.  I also explained to him the technical issues surrounding the case.  Furthering his understanding of this information allowed for a more precise and beneficial testimony on my part, as we focused our questions and goals.

Remember Your Audience
During my testimony I took great pains to accurately explain technical information to the best of my ability while making it accessible to the judge and jury.  Keep in mind that you should be the most knowledgeable person in the room when it comes to the material of your testimony, but that means little if you cannot communicate that knowledge effectively. 

Many of us can remember that particular professor who was brilliant, but a terrible teacher because they just couldn’t get back to the beginning when they were struggling through the ins and outs of their discipline.  It would be unfortunate if we were like this professor on the stand.  We must endeavor to always keep in touch with our beginning, before we knew 10,000 acronyms and truck loads of esoteric information when explaining concepts in court.  Your audience is smart, make no mistake, but if someone was testifying to quantum mechanics and speaking as if they were talking to another expert in their field with me in the jury, I think my eyes would glaze over.

Walk the Walk
This may seem obvious, but it is important to dress and carry oneself with professionalism.  When testifying as an expert witness it is not the time to be eccentric in dress or action.  While you may be the most knowledgeable person in the room about digital forensics, do everything possible to avoid coming off as arrogant.  Show the defense and prosecution equal respect, and remember your manners. 

Work Every Case Like It Is Going to Court
A case can take a long time to get to court.  Make sure to take copious notes during your examination and to perform a thorough investigation when working a case.  Most likely you won’t get a second chance.  Since a “do over” is basically non-existent when performing an investigation, do everything in your power to get it right the first time.  Can you remember what you were doing a year ago this time?  I barely can.  Document your work thoroughly so you remember the case you worked a year ago.

There are many other points that could be made; the ones made above seemed especially salient to me in light of my first expert witness testimony experience.

Lars Daniel
Digital Forensics Examiner and Forensic Artist


Friday, July 2, 2010

Forensic File Formats – A Primer for Attorneys

I was reading some blogs this morning and happened onto a post by Susan Brenner, on her cyb3rcrim3 blog. (Not sure why a law prof uses leet speak for her blog title, lol.)

The title of the post was Ghost v. EnCase, so naturally I had to read it.

Here are a couple of relevant clips from the post.  I encourage you to read the whole post as it presents a real issue with properly defending cases involving digital forensic evidence.

Ghost v. EnCase

“I could have entitled this post “battling computer forensic software programs.” It’s about a discovery dispute in a criminal case that centered around two such programs: EnCase and Ghost.
The case is State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), and it arose when Robert Dingman was charged with 21 counts of theft and 33 counts of money laundering in violation of Washington state law. I’m not going to summarize the facts that supported each count, because they’re redundant.”
“At argument on the motion, Dingman asserted that neither his computer forensic expert nor defense counsel had access to the EnCase program. His expert, Larry Karstetter, testified that a copy of the program cost $3,607. Karstetter said that he did not use the program because it was created for use by law enforcement, and he expressed concern that its search function could contain inherent bias against the defense. He added that in all other cases in which he needed hard drive copies, the State provided the copies to him in a readable (non-EnCase) format.”

A Primer on Forensic Formats for Attorneys
A great many law enforcement agencies use Encase.  It is by far the most popular computer forensic software out there.  In the over 300 cases I have done, I have had two agencies submit forensic copies in a different format: Once in FTK and once in RAW format.

Here are the different kinds of formats you can expect to see in cases and how to deal with them.
  1. Encase format or as it is also known, Expert Witness format or E01 format.  Encase  by Guidance Software, Inc.
    1. This is the “native” format for creating copies of digital evidence when the copies are made using EnCase Forensic software.  The file extension for these files begins with .E01, and subsequent segments are numbered .E02, .E03 and so on.
  2. FTK format.  FTK, which stands for Forensic Tool Kit, is a forensic software by Access Data Corporation.  It is the second most popular forensic software in use by law enforcement in the US.
  3. DD aka RAW format.  DD format can be created by several different programs and hardware devices used to create forensic copies of hard drives and other digital media.  It is not a proprietary container at all, just a bit-for-bit copy of the media with no header of its own, and is commonly created using the Linux dd command.
Ghost images are not included in this list because, while it is possible to create an exact copy of a hard drive using Ghost, improper use of Ghost will not create an exact copy of the hard drive.  If you don’t use exactly the right combination of command line switches, Ghost cannot create an exact copy of a hard drive.  It is not recommended for use in computer forensics when there are plenty of free tools out there that can make verifiable forensic copies of hard drives.


If your expert does not know about these various formats and how to convert them for use in his or her forensic analysis tools, your best solution is to hire a qualified expert immediately.

There are free tools available to all experts to convert between various forensic images.  (In the forensic community we refer to forensic copies of hard drives or other evidence as “images”, referring to the process of creating a mirror image of the evidence.  A mirror image is an exact copy of the physical evidence medium that includes everything on the hard drive, including deleted data and the “stuff” no one can see without forensic tools, in areas of the physical hard drive called unallocated space and file slack.)

It is a simple process to convert EnCase .e01 images into RAW format, or to convert FTK images into EnCase or RAW format for use in other tools and vice versa.
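Before converting anything, an expert first has to recognize which of the formats above a file actually is, and after converting to raw has to prove the copy still matches. The block below does both, as an added example that is not from the post and is not EnCase, FTK or Ghost code: it identifies a file by its bytes and hashes a raw image, following split segments (.001, .002, ...) in order. The E01 segment header signature `EVF\x09\x0d\x0a\xff\x00` is the documented EWF magic; the `ADSEGMENTEDFILE` string for FTK's AD1 logical image is the format's documented magic and is an assumption here that your FTK output is AD1 rather than E01 or raw (FTK Imager can write those too); a raw image has no header at all, so the only hint available is a boot-sector signature (0x55AA at offset 510). The sample files are constructed.

```python
"""Added example (not from the post): identify E01 / AD1 / raw images from
their bytes and hash a raw image across its split segments.
Signatures as described in the lead-in; samples are constructed."""
import hashlib
import os
import struct
import tempfile

EWF_MAGIC = b"EVF\x09\x0d\x0a\xff\x00"   # EnCase/Expert Witness segment header
AD1_MAGIC = b"ADSEGMENTEDFILE"           # FTK AD1 logical image (assumed magic)


def identify_image(path: str) -> dict:
    """Classify one file by its first sector."""
    with open(path, "rb") as fh:
        head = fh.read(512)
    if head.startswith(EWF_MAGIC) and len(head) >= 11:
        # EWF file header: magic(8) fields_start(1) segment_number(u16 LE) fields_end(2)
        segment = struct.unpack_from("<H", head, 9)[0]
        return {"format": "E01/EWF", "segment": segment}
    if head.startswith(AD1_MAGIC):
        return {"format": "AD1 (FTK logical image)"}
    if len(head) >= 512 and head[510:512] == b"\x55\xaa":
        return {"format": "raw (dd)", "note": "boot sector signature at offset 510"}
    return {"format": "raw or unknown", "note": "no container header found"}


def segment_files(first: str) -> list:
    """Given image.001, return image.001, image.002, ... in numeric order.
    A file without a numeric extension is a single raw image."""
    base, ext = os.path.splitext(first)
    if not ext[1:].isdigit():
        return [first]
    width, n, segs = len(ext) - 1, int(ext[1:]), []
    while True:
        cand = f"{base}.{n:0{width}d}"
        if not os.path.exists(cand):
            break
        segs.append(cand)
        n += 1
    return segs


def hash_raw_image(first: str) -> str:
    """MD5 over the concatenated segments: the value to compare with the
    acquisition hash recorded when the copy was made."""
    h = hashlib.md5()
    for seg in segment_files(first):
        with open(seg, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                h.update(chunk)
    return h.hexdigest()


def build_samples() -> str:
    """Constructed samples: a bare E01 segment header, an AD1 header, and a
    1 KiB 'disk' with a boot signature, stored both whole and split in two."""
    d = tempfile.mkdtemp(prefix="images_")
    with open(os.path.join(d, "case.E01"), "wb") as f:
        f.write(EWF_MAGIC + b"\x01" + struct.pack("<H", 1) + b"\x00\x00")
    with open(os.path.join(d, "case.ad1"), "wb") as f:
        f.write(AD1_MAGIC + b"\x00" * 16)
    disk = bytearray(1024)
    disk[510:512] = b"\x55\xaa"
    with open(os.path.join(d, "disk.raw"), "wb") as f:
        f.write(disk)
    with open(os.path.join(d, "disk.001"), "wb") as f:
        f.write(disk[:600])
    with open(os.path.join(d, "disk.002"), "wb") as f:
        f.write(disk[600:])
    return d


if __name__ == "__main__":
    d = build_samples()
    for name in ("case.E01", "case.ad1", "disk.001"):
        print(name, identify_image(os.path.join(d, name)))
    print("raw md5 (whole):", hash_raw_image(os.path.join(d, "disk.raw")))
    print("raw md5 (split):", hash_raw_image(os.path.join(d, "disk.001")))
```

The two MD5 lines must agree; the same comparison against the hash in the acquisition report is what makes a converted raw copy defensible in court.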

Tuesday, June 29, 2010

Adopting a Philosophy of Learning


I have a background in philosophy. My undergraduate degree was in philosophy, and I credit much of my success in digital forensics to the study of this discipline.

I am not proposing that an understanding of existentialism or Platonism is particularly useful in digital forensics. However, what I learned in the study of philosophy, at its root, is not the knowledge of different schools of thought, but how to think.

The ability to focus one’s mind on the task at hand, to bring to bear the full force of all your mental faculties on a problem is an invaluable ability that should be fostered as a digital forensics examiner.

This leads me to my next point; “Education proves you have the potential to accomplish something. Experience proves that you have.” - Larry E. Daniel

There are many exceptional conferences, training programs, and schools that can teach you a breadth of knowledge about digital forensics. But if that knowledge is not put to use, if it is not exercised, then it will fade away and eventually die.

We cannot master our field from nine to five. I learn a lot in the process of my work, but if your work day is like mine, it is filled with constant distractions; responding to emails, conference calls, consultations, and so forth.

So then, how do we turn our education into experience?

If you want to master any subject, sacrifices must be made in order for it to happen. In this case, you cannot have your cake and eat it too. We all have a limited amount of time and many things in our lives that must take priority. But many of us sure have a lot of distractions that provide us with little benefit in the long run.

To turn this education into experience, we must pursue knowledge of digital forensics through repeated study and practice.  Repetition is the best schoolmaster I have ever met.  To perform as well as we can, we must be disciplined enough to read and practice, and to play with new methods of examining data whenever and as often as we can.

Malcolm Gladwell, in his book Outliers has said it takes 10,000 hours to become an expert in a discipline. These 10,000 hours are not composed primarily of hours doing the work itself, but in the disciplined study and practice related to the discipline.

There is little doubt in my mind that if we do not stay focused on learning and practicing our discipline, outside of our “paid” employment hours and the limited time we get to spend in training we will undoubtedly fall behind.

Lars Daniel
Digital Forensics Examiner & Forensic Artist


Sunday, June 27, 2010

Computer Forensics – The Next Ten Years


Normally I leave it to the pundits over at PC World and other consumer type computer magazines to do their predictions of what will happen to the industry over the next ten years.  But what the heck, I can guess as well as anyone.  So, after consulting my Magic Eight Ball, here we go.

1. Encryption will become the norm rather than the exception, driving live memory forensics

As computer users we need encryption to protect our personal data.  Although it is a fairly simple task to encrypt computer hard drives, USB drives and other media, very few people actually do it.  Mainly, because it is an extra step they must perform themselves to do the encryption. And it is a drive performance killer. The average computer user, who by the way, is the one that needs this the most, is the least likely to even know that their operating system includes this feature.

I think that in the next few years we will start to see user data areas encrypted by default on new computers. Even if the operating system makers don’t really care about the security of end users' data, it will be a marketing advantage to differentiate one brand from the others. And as processors become more powerful and encryption algorithms get more efficient, it will be less of a performance hit.

What this means for us is that live memory forensics will become more important, because the running system's memory is where we will have to get past the encryption in order to examine this data.

2. My phone will be my primary computer and mobile forensics will become king.

Personally, I am looking forward to the day when my phone becomes the brain of my computer. I would still carry it around like I do now, make phone calls on it and answer the occasional short email. But when I need to work on something larger, I would just slip it into a slot on a pad computer for a larger screen to surf the web, answer email, write this blog post or do my office work. I use my laptop 98% of the time to read email, surf the web or write documents. Not exactly heavy lifting for a computer. It sure would be nice to just plug the phone into a slot on a nice pad computer and use that instead of dragging the laptop around. Why bother, since I carry both anyway? Well, the phone could provide connectivity for the pad via 4G or Wi-Fi. Then there wouldn’t be a need for the pad to have those features. So I predict the day will come when you buy a pad/phone combo where the two work together for computing power (think distributed processing) and connectivity. Even if the iPad didn’t prove that pad computing hardware and software are truly ready for prime time, I think the consumer market is clearly sending a message that computing in a lightweight package is what people want to buy.

But how would you use the phone if it is docked, you ask? Bluetooth device of course.

I am also predicting that this will drive the industry toward fewer mobile operating systems as phones and mobile devices become more application driven, finally making it possible to have mobile forensic tools that can address a wider variety of phones and giving access to physical data storage.

3. In the year 2020, we will still be examining Windows 7

This is a cheat really since it is 2010 and we are still examining computers running Windows XP (Released in 2001), Windows 2000 (Released in 1999) and even some Windows 98 computers.

4. The world will see more cloud computing forensics

There are quite a few definitions of cloud computing.  But the bottom line is that cloud computing represents software and data storage as a service, using the Internet as the network so people can access their stuff from anywhere.  Whether it is widely adopted by business is one thing, but the consumer market has already dived into the deep end.  One of the things I think will continue to become ever more common is always on, always connected people.  However you think of it, Facebook, Twitter, Google Apps, Windows Live Office, Hosted Exchange, Yahoo Mail and so forth are all basically software as a service where everything is stored in the “cloud”.   As forensic examiners, the collection of artifacts from local devices will become ever more important, especially from mobile devices such as phones and pad computers.

5. Forensics will get harder, not easier.

One of the primary things that makes computer (digital) forensics different from forensic sciences like DNA analysis and fingerprint analysis is the simple fact that in those disciplines, the type of evidence doesn’t change. DNA has had the same structure for millions of years. Only the methods to analyze it change over time as our technology gets better. In the case of digital forensics, not only do the methods change, but the basic structure of the evidence changes with the introduction of each new file system, encryption method, data storage format and device.
Yes, computer forensic tools will continue to get more powerful, but they will continue to chase the technology as it changes.  It will still be up to examiners to pursue constant learning to stay up with the changes in technology if they are not to be left behind.

6. The computer forensics industry will continue to grow.

It can only logically follow that as the technology becomes more prevalent and integrated into everyday life, evidence left behind by that technology will become more common.  In developed countries, the use of technology will continue to become a necessary and normal part of everyday life, so much so, that we will stop thinking about it.  In other words, we don’t have to think about natural processes like talking.  We just do it.  I see a day in the very near future that we will be the same about the personal technology we use.

As devices record more, the possibility of evidence being present in all types of legal scenarios becomes ever more likely, to the point where one of the first questions asked in any legal procedure will be, “Did you get the data?”

Check back in ten years and see how close I got.

Wednesday, June 23, 2010

A Picture is Worth a Thousand Words.

Explaining technical information in any field can be a challenge. As many of us have experienced throughout our education, sometimes the most brilliant of people make the worst teachers. An expert may be extremely proficient and capable in their field, but unable to explain technical information to non-experts in a way they can understand.

This is probably okay if you are a brain surgeon or a rocket scientist. It is not okay if you are a forensic expert, primarily because we are required to explain our methodologies and findings to non-experts on a regular basis.

As digital forensics experts, communicating effectively with those whom we rely on to build the framework of our examination is a requirement, not an option.

As an attorney explains to me the framework of a case, I must be able to see the places where my expertise can be of use. If I cannot relay back to the attorney why certain digital information is of value to the case, how it can be used, and what it means, then I am not doing my job.

Becoming adept at explaining technical information with language in a way that non-experts can understand is a skill that every digital forensic examiner must learn. This skill requires much practice, discipline, and experience. It also requires the expert to truly be an expert in the subject they are attempting to explain, because a person cannot adequately teach something they do not fully understand.

While the above paragraph paints a somewhat daunting picture, there is hope. When explaining technical information, it is best to provide your listener with as many visual aids as possible.

One of the biggest challenges in explaining technical concepts to a non-expert is finding a common ground from which to begin.  It helps to not only use verbal analogies, but visual ones as well.

Enter the explanatory image or diagram.

Below are some images I have made to explain the difference between what is gathered in a logical acquisition vs. a physical acquisition. I happen to use Photoshop because I have years of training and experience in using this software. But a simple Paint diagram can be just as effective. We have been using stick figures for thousands of years to relay information.

I use these images to give me a place to begin from where both I and the non-expert can share a common frame of reference.  Pretty much everyone is familiar with an old fashioned filing cabinet.  I have dozens of such illustrations I have made that are packed away for when I need them, and they can be especially useful in court and for CLE Classes.

The first image below is used to explain a logical acquisition by showing that all you will be retrieving is files and documents in a file directory.  Just like reaching into a filing cabinet and pulling out the files and folders you are interested in. 

The second illustration is used to explain how a physical acquisition can be used to not only get the same files and folders shown in the first illustration, but how you can also get back information that has been deleted.

I equate the recycle bin on the computer to the wastebasket in the picture.  This shows how just tossing a file in the recycle bin on the computer is just like tossing a piece of paper in a waste basket.  You can just reach in there and get it right back.

The paper shredder is how I explain unallocated space.  It is still in the computer on the hard drive, but you have to find all the pieces and electronically tape them back together.  Just like you would find the pieces in a physical paper shredder and tape them back together to reassemble a document.

I have found this method very successful in communicating technical concepts to non-technical people. Even if they don't use a computer at all, they can still understand this because they have a reference point they can relate to in their experience.

Lars Daniel
Digital Forensic Examiner and Forensic Artist

Thursday, June 17, 2010

What about computer forensics jobs?

I have been studying the job market lately to see what jobs are out there and which requirements employers most commonly ask for. This is far from a scientific study, but I think it is educational to look at what employers are asking for if you are planning on making a change, entering the field or trying to plan your educational and certification routes.

Who is hiring?

The big government contractors seem to have the most openings available.  Firms like FTI Consulting, General Dynamics, Deloitte, Booz Allen, ManTech, and others that do a lot of contract work for the military and large corporations.

Most popular area for employers looking for consultants:

Washington, DC area including the surrounding environs like Reston, VA and Linthicum, MD.

Most popular software experience desired in order of preference:


Mentioned occasionally (Not enough to form a preference listing for these):
iLook, Paraben, Drive Prophet, WinHex, Helix

I saw very few job listings requesting experience with Macs, and none requesting Mac forensic software experience specifically.

Most requested certifications in order of employer preference:

  1. EnCE
  2. CISSP
  3. CompTIA Network+
  4. CFCE
  5. GCFA

Most often required certification:


Education and Experience:

The typical job listing was looking for 3 to 7 years of experience in computer forensics with or without a degree.

Entry level or junior level positions were asking for 0-2 years of experience with a college degree in computer forensics and/or extensive IT / network security experience.

A lot of employers will accept experience in lieu of a degree, which makes sense considering that degree programs are relatively new in the field.

Salary ranges:
When posted, the salary ranges were in the 60K to 100K range depending on the level of the job. Bear in mind that most jobs that showed salary ranges were in the Washington, DC area, so you need to work out what that really means as a cost-of-living differential from where you are now.


Very few of the companies appear to offer relocation assistance.

Most often mentioned soft skills qualifications:

1. Excellent oral and written communication skills
2. Ability to interface effectively with clients and stakeholders.


A LOT of these jobs require an active Secret or Top Secret clearance. Some will accept the “ability to obtain” a Secret clearance.

Friday, May 21, 2010

Multiplayer Game Forensics, CEIC 2010

If you happen to be going to CEIC 2010 in Las Vegas next week, I hope to get a chance to meet you.

I will be on the panel, Expert Witness Testimony, along with Lynita Hinsch of Forensic Consulting Solutions and moderator Andy Spruill from Guidance Software.

Here is a link to my article in this week's DFI News on multiplayer game forensics.  In this article I did a walk through on performing a forensic examination of the popular game, Everquest 2.  In future issues, I will be doing the same for World of Warcraft and Second Life.

Multiplayer Game Forensics

Thursday, May 20, 2010

Google is listening....

Google is being sued for sniffing wireless packets with their Street View vehicles.

Google Sued for Scooping Up Wi-Fi Data

It's going to be hard to prove that these particular individuals suffered any harm from the inadvertent collection of wireless data packets while the Street View cars were in their neighborhood.

What's really going to be interesting is locating those packets and identifying them as coming from those particular people.  While it can be done, the question will be just how much data has to be sifted through to locate any tracks, if any can be found.

It does make you wonder why the Google engineer was putting sniffing code into their war-driving program to start with.  And what was the purpose of the war-driving by Google?  Is the next feature on Google Maps going to be locations of open wireless networks so you can swipe some bandwidth on the road?  I doubt it, but it does make you wonder what Google is up to.

Thursday, April 29, 2010

Is anyone listening?

I have been spending a lot of time in airports and on airplanes lately. One of the things that amazes me is that people will talk on their cell phones and say pretty much all kinds of things, apparently oblivious to the people around them.

I was sitting in my seat yesterday, waiting for the boarding process to complete.  A gentleman two rows ahead of me was on his cell phone.  Apparently someone had broken into his Toyota Camry and stolen his GPS unit.  I guess in the interest of time, he decided to call his insurance company from the plane while we waited.  I listened as he gave his name, his social security number and his home address to the agent on the phone.

That is basically all someone needs to steal your identity.  All provided just by being in earshot of someone on a cell phone.  Since my phone has a nice little voice recorder, I was tempted to turn it on, record and then play back his information for him.  I didn't, but it was tempting.

So, just be aware when you are using your cell phone for business or personal use in a public place that (a) you don't have any expectation of privacy if someone can overhear you, and (b) you should not give out personal information where someone can easily hear it and jot it down for later use.

Tuesday, March 30, 2010

A Little Clarification

In my last post, I mentioned tool specific certifications, specifically the EnCE for EnCase and the ACE for Forensic Tool Kit (FTK).

I got a couple of emails and a comment or two, so I thought I would elaborate a little so there might not be any misunderstanding.

I suppose that you can get a certification in Microsoft Word and never learn grammar or learn to be a good writer.  In that case you would only be learning how the program functions and nothing about how to produce a good written product.

In the forensic world that would equate to tools like F-Response or an acquisition tool like Linen.  You can learn to use the tools to acquire evidence and never learn to handle evidence or to analyze evidence.

To take it a step further, you can get your A+ certification and not be able to actually repair a computer.  I know, I have employed some A+ certified technicians in the past who could not actually fix anything.  Not to say this is true of all A+ certified folks, but the ones I have had contact with did not reflect the level of expertise you would expect from someone certified in computer repair.

You can get a Network + certification and not really know how to design and implement a network.

The same holds true for forensic tool certifications. You can certainly get an EnCE or ACE and not know how to handle a full forensic examination from start to finish.

One of the issues is that for the EnCE for instance, you can buy the study guide and it comes with a crippled version of Encase.  The exercises you do with the practice copy of Encase are not very broad or even terribly relevant beyond learning what you need to know to pass the certification exam.

Tool certifications focus on how the tool handles a task and by necessity have to be limited to the functionality of that tool.  While the EnCE study guide does a fairly good job of explaining the underlying workings of what the tool is doing, it is not a comprehensive experience or education in computer forensics.

The critical parts of digital forensics are understanding the laws that pertain to the field, professional ethics, evidence handling and preservation, analysis skills and the ability to write clear reports of what you did.

All of that should support the likelihood that what you have done during your acquisition, preservation, analysis and reporting on a piece of evidence will be contested in a court of law, either civil or criminal.

So while I think that having an EnCE or an ACE is a good thing, it is not a critical thing. Don't think that I believe they are a waste of time or money. Having an EnCE or ACE can certainly be a good item on your CV when you go to get a job or when you go to court. Many employers today prefer that you have one of these certifications.

I have attended EnCase training in the past and found it to be excellent. However, it was narrowly focused on the tool with some explanation of digital forensics mixed in, not the other way around. So while they may touch on forensic principles in their certifications, they are not broad enough to be an overall digital forensics certification. Nor do I believe they are intended to be.

Monday, March 29, 2010

Why I Got My Digital Forensic Certified Practitioner

I have written about certifications on this blog before and others have commented as well.  For the most part, I do not value most of the current certifications all that highly.  Some are better than others.  Some folks disagree with me on my views regarding certifications and that is to be expected. 

However, I did apply for and receive my Digital Forensic Certified Practitioner (DFCP), from the Digital Forensics Certification Board as a Founder.

Why do I believe this certification will prove to be of high value to digital forensic practitioners?

The following four points are from the DFCB web site:

1. The Digital Forensics Certification Board (DFCB) professional certifications are truly independent and community driven.
2. The DFCB certification program was developed with National Institute of Justice (NIJ) funding. The terms for the development of this certification program by consensus were followed.
3. The DFCB will eventually be applying for recognition by the Forensic Specialties Accreditation Board (FSAB), which is currently recognized by the American Academy of Forensic Sciences.
4. The DFCB is connected to the National Center for Forensic Science at the University of Central Florida.

There are vendor neutral certifications out there like the Certified Computer Examiner (CCE), which is a good one, although not as comprehensive as the DFCP is going to be once it is open to non-founder applicants. SANS Institute also offers a very good certification program, which I think is bolstered by their extensive and well put together training programs. I have a huge amount of respect for Rob Lee and his excellent group of instructors.

The EnCE and the ACE certifications are vendor specific, being from Guidance Software and Access Data, respectively, and only certify that a person can use their tools.

I will probably get around to getting my EnCE at the CEIC conference this year since I am speaking there and the test is available at the conference.   While I think that vendor certifications are limited in value, for the low cost, why not? 

The most important item above is number 3.  Accreditation by the FSAB is going to be a critical step in this certification becoming the de-facto standard for digital forensic certifications.

Other positives about the DFCB, in my opinion, are that it is neutral and independent from any money making body, vendor or testing service.

Also, if you read the key domains of knowledge, it is very comprehensive in its coverage of what must be known as a digital forensic examiner.

Saturday, March 20, 2010

Attorneys are from Mars, Computer Forensics People are from Pluto

We have been doing quite a few e-discovery collections over the past couple of years and there is a recurring theme to each of them: there is a definite communication barrier between attorneys and us computer forensic types.

Attorneys use words such as mens rea, voir dire, habeas corpus and in camera. Our vocabulary includes words like bit stream copy, logical acquisition, active file collection and MD5 hash values.

Ever read the book, Men are from Mars, Women are from Venus?  Having a conversation with my wife many times goes like this:

"I know that is what I said.  But that is not what I meant!"

The problem is that she says one thing and I hear something entirely different.  That is a lot like talking to attorneys.  Attorneys are from Mars and computer geeks are from Pluto.  Well, we would be if it was still a planet.

It seems that the hardest thing to do is gather information before the collection that is accurate and means the same thing to both parties.

When an attorney says to me, "I want a copy of the hard drive," I hear: okay, you want a bit stream forensic image of the entire physical hard drive. Not a problem. At least, not a problem until we find out they meant that they wanted a copy of all of the logical files on the hard drive. Wait a minute? What the heck is a logical file? Can a file be illogical? My wife certainly can, and that is one of her many endearing qualities.

When we computer forensic types think about hard drives, partitions and files, we tend to think in two realms: physical and logical.

So what's the difference anyway?

When the operating system on a computer shows you, the user, partitions, directories and files located on a physical hard drive, it shows you a logical representation of the physical data on that hard drive.  Each operating system has its own little quirks in how it likes to store, arrange and show the files it manages.

Even what most people consider to be their hard drives when they see in their file browser items like C or D or some other drive letter is a logical representation.  That C you see is not a physical hard drive.  It is a partition on a physical hard drive.  Now, of course if your hard drive only has one partition, you could say that Drive C is the physical hard drive, but you would still only be referring to the logical representation of the hard drive.  The nickname, so to speak, that the operating system gives the partition on the physical hard drive. Otherwise you would see something like hda0 or sda1.  That is what the drive would look like at a lower and not so friendly level.

The operating system shows you nicknames so you can have an idea of where your files are, using friendly names.

An easy way to think about how drive letters work is to think of real names and nicknames. My real name is Lawrence. Let's call that my physical name. My nickname is Larry. Let's call that my logical name. I can answer to either one equally well, but since I, as the operating system, represent my physical self by my logical name Larry, you don't need to know my real name to yell at me or ask me a question.

When you are browsing around in your computer, you will not see files that are deleted.  These are still there on the physical hard drive, but are not included in the logical representation that the operating system shows you. That is because, being ever so helpful, the operating system assumes that since you deleted the files, you don't want to see them anymore.  That is how many people get surprised when a forensic examination exposes all those nasty little porn files you thought were gone when you deleted them and then emptied your recycle bin.

Back to physical and logical.  The other helpful thing your operating system does is show you how much space is left on the hard drive. (I am using the logical representation here, since most of us normally think of a drive letter as a hard drive, even if it is incorrect.  It is more convenient.)

When you examine your hard drive in Windows for example, it might show you that you have 500 gigabytes in total space, followed by 75 gigabytes used and 425 gigabytes free.

Now if you asked for a copy of the whole hard drive, you were probably thinking you want a copy of that logical 75 gigabytes, not the whole physical 500 gigabytes.  It is rare in an e-discovery collection to want the whole 500 gigabytes of the physical drive.  Why?

1. Most discovery requests don't include deleted files.
2. E-discovery processing is danged expensive and is charged by the gigabyte in most cases.  Why pay any more than you have to for processing?
3. Getting to what you REALLY mean: you want all the user files from that physical 500 gigabyte drive and that logical 75 gigabytes.

So, if the collection order specifies all the user files from the entire hard drive, I've got that. No problem; you will end up with an actual collection far smaller than even the logical 75 gigabytes.

If the order specifies the entire hard drive, I am going to think; Okay, forensic bit stream copy time.  You will get the entire 500 gigabytes.
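The logical-versus-physical distinction above, together with the recycle bin and paper shredder analogies from the "A Picture is Worth a Thousand Words" post, can be made concrete with a toy drive. The following is an added example written for this page, not code from the blog: it builds a constructed 512-byte image of 32 sectors with a small directory table over it, so the file names, sizes, and the simple "append later unallocated sectors" carving rule are all made-up illustration, not any real file system's behaviour.

```python
# Toy "physical vs logical" drive (constructed example, not the blog's own code).
# The physical layer is a flat byte image; the logical layer is a small
# directory table over it. Deleting only flips a flag in the table, which is
# why deleted data stays findable by a physical scan until it is overwritten.
from dataclasses import dataclass, field

SECTOR = 16      # bytes per toy sector (real drives use 512 or 4096)
SECTORS = 32     # 32 sectors = a 512-byte "drive"


@dataclass
class Entry:
    name: str
    sectors: list            # sector numbers holding the data, in file order
    size: int                # logical size in bytes
    allocated: bool = True   # False once the recycle bin has been emptied
    in_bin: bool = False     # True while the file sits in the recycle bin


@dataclass
class ToyDisk:
    image: bytearray = field(default_factory=lambda: bytearray(SECTOR * SECTORS))
    table: list = field(default_factory=list)

    def _sector(self, s):
        return self.image[s * SECTOR:(s + 1) * SECTOR]

    def free_sectors(self):
        used = {s for e in self.table if e.allocated for s in e.sectors}
        return [s for s in range(SECTORS) if s not in used]

    def write(self, name, data):
        """Store a file in whichever sectors are free; gaps left by deleted
        files are reused first, so the file may end up fragmented."""
        need = -(-len(data) // SECTOR)            # ceiling division
        free = self.free_sectors()
        if need > len(free):
            raise OSError("disk full")
        chosen = free[:need]
        for i, s in enumerate(chosen):
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.image[s * SECTOR:s * SECTOR + len(chunk)] = chunk   # overwrites old bytes
        self.table.append(Entry(name, chosen, len(data)))

    def _entry(self, name):
        return next(e for e in self.table if e.name == name and e.allocated)

    def read(self, name):
        e = self._entry(name)
        return bytes(b"".join(self._sector(s) for s in e.sectors)[:e.size])

    # --- logical view: what the file browser shows -------------------------
    def listing(self):
        return [e.name for e in self.table if e.allocated and not e.in_bin]

    def space(self):
        total = SECTOR * SECTORS
        used = SECTOR * (SECTORS - len(self.free_sectors()))
        return {"total": total, "used": used, "free": total - used}

    def recycle(self, name):     # toss the file in the wastebasket
        self._entry(name).in_bin = True

    def restore(self, name):     # reach in and get it right back
        self._entry(name).in_bin = False

    def empty_bin(self):         # "shred": only the table entry changes
        for e in self.table:
            if e.in_bin:
                e.in_bin, e.allocated = False, False

    # --- physical view: what a bit-stream image gives the examiner ---------
    def unallocated(self):
        """Unallocated sectors that still hold non-zero bytes."""
        return {s: bytes(self._sector(s)) for s in self.free_sectors()
                if any(self._sector(s))}

    def carve(self, header):
        """Tape a deleted file back together from unallocated space.
        Toy rule: start at the sector holding the header and append the later
        unallocated sectors in order. A real carver uses the file format's
        own structure to decide which pieces belong together."""
        pieces = self.unallocated()
        starts = [s for s, b in pieces.items() if b.startswith(header)]
        if not starts:
            return b""
        joined = b"".join(pieces[s] for s in sorted(pieces) if s >= starts[0])
        return joined.rstrip(b"\0")


def demo():
    d = ToyDisk()
    d.write("a.txt", b"A" * 16)
    d.write("b.txt", b"B" * 16)
    d.recycle("a.txt")
    d.empty_bin()                                # sector 0 is free again
    memo = b"MEMO:the quick brown fox jumps over the lazy dog"   # 48 bytes, 3 sectors
    d.write("memo.txt", memo)                    # lands in sectors 0, 2 and 3
    fragments = list(d.table[-1].sectors)
    listing_before = d.listing()
    d.recycle("memo.txt")
    d.empty_bin()                                # gone from the listing, not from the platter
    result = {
        "fragments": fragments,
        "listing_before": listing_before,
        "listing_after": d.listing(),
        "space": d.space(),
        "carved": d.carve(b"MEMO:"),
    }
    d.write("c.txt", b"C" * 16)                  # a new file reuses sector 0
    result["carved_after_overwrite"] = d.carve(b"MEMO:")
    result["remnants"] = sorted(d.unallocated())
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Running demo() writes two files, empties one from the recycle bin, writes a three-sector memo into the gap that frees up (so it is fragmented across sectors 0, 2 and 3), deletes it and carves it back out of unallocated space; the final write over sector 0 then leaves only two pieces behind, which is why a bit-stream image taken before anything else is written to the drive matters. The used/free report is the same arithmetic as the 500/75/425 gigabyte example above, just at toy scale.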

I am going to write more on this blog about the technical stuff in plain English and try to bridge the communication gap between us and the non-technical people we serve.