Thursday, July 22, 2010

A Picture Is Worth A Thousand Words: Part 2

Given the number of downloads we have had of the images I posted in the post “A Picture is Worth A Thousand Words,” I’d say their popularity exceeded my expectations.

I was organizing my files today and came across some more images I have made for my own presentations and for use in court. I post these images in high quality because I want to share them with the community. So feel free to copy the images and use them.

As always, all I ask is that you do not modify the images and that you leave the Guardian Digital Forensics logo on the slides.

Hope you Enjoy!

Lars Daniel
Digital Forensics Examiner and Forensic Artist
Guardian Digital Forensics

This is an image I created to explain internet caching.  The purpose of this image is to show that while you may look at only a portion of a web page, the computer automatically stores more of it than you see, without any input from the user.

Internet Caching

I find it easier to explain how a write-blocker works with an image like this than with words alone.

Write Blocker - How it Works

This is an image I use to illustrate how data can travel.  I could just say that, but I like pretty pictures!

Data Travels

Wednesday, July 7, 2010

Into The Breach: Expert Witness Testimony

Last week I testified as an expert witness for the first time.  While I was confident in my ability to testify to what I had done in the case, it was still a bit of a nerve-wracking experience.  It was definitely intimidating to ponder upon the fact that what I said on the stand that day would go into the public record and exist forever.

Luckily I have been able to learn a great deal from Larry Daniel about how a successful expert witness testimony should look, and the steps that should be taken to prepare oneself for testimony.

At CEIC 2010 I attended the Expert Witness Panel: Making It Stick, from which I also gleaned some insight that helped prepare me for my own expert witness testimony.  The members of the panel were Larry Daniel of Guardian Digital Forensics and Lynita Hinsch of Forensics Consulting Solutions.  It was moderated by Andy Spruill of Guidance Software, Inc.

These three were a wealth of information on the entire process of preparing for expert witness testimony and what to do when you get on the stand.

At this point, I had the right knowledge in my head; I just needed to put it into practice.  From education to experience, here are some points I would like to make, reiterating much of what I learned from Larry Daniel on a weekly basis and from the CEIC 2010 panel.

Communicate With Your Attorney
Communicating with your attorney in a case is vital.  Expert witness testimony goes best if your attorney knows what to expect, and conversely if you do too.  It also helps if you can properly prepare your attorney and educate them on the technical details.  I wrote a script of questions and the expected answers to those questions for my attorney.  While he did not follow it exactly, it certainly added some structure and made us both feel more comfortable.  I also explained to him the technical issues surrounding the case.  Furthering his understanding of this information allowed for more precise and beneficial testimony on my part, as we focused our questions and goals.

Remember Your Audience
During my testimony I took great pains to accurately explain technical information to the best of my ability while making it accessible to the judge and jury.  Keep in mind that you should be the most knowledgeable person in the room when it comes to the material of your testimony, but that means little if you cannot communicate that knowledge effectively. 

Many of us can remember that particular professor who was brilliant but a terrible teacher, because they could no longer get back to the beginning, when they themselves were struggling through the ins and outs of their discipline.  It would be unfortunate if we were like this professor on the stand.  When explaining concepts in court, we must endeavor to always keep in touch with our beginning, before we knew 10,000 acronyms and truckloads of esoteric information.  Your audience is smart, make no mistake, but if someone were testifying to quantum mechanics and speaking as if they were talking to another expert in their field, with me in the jury, I think my eyes would glaze over.

Walk the Walk
This may seem obvious, but it is important to dress and carry oneself with professionalism.  When testifying as an expert witness it is not the time to be eccentric in dress or action.  While you may be the most knowledgeable person in the room about digital forensics, do everything possible to avoid coming off as arrogant.  Show the defense and prosecution equal respect, and remember your manners. 

Work Every Case Like It Is Going to Court
A case can take a long time to get to court.  Make sure to take copious notes during your examination and to perform a thorough investigation when working a case.  Most likely you won’t get a second chance.  Since a “do over” is basically non-existent when performing an investigation, do everything in your power to get it right the first time.  Can you remember what you were doing a year ago this time?  I barely can.  Document your work thoroughly so you remember the case you worked a year ago.

There are many other points that could be made; the ones above seemed especially salient to me in light of my first expert witness testimony experience.

Lars Daniel
Digital Forensics Examiner and Forensic Artist


Friday, July 2, 2010

Forensic File Formats – A Primer for Attorneys

I was reading some blogs this morning and happened onto a post by Susan Brenner, on her cyb3rcrim3 blog. (Not sure why a law prof uses leet speak for her blog title, lol.)

The title of the post was Ghost v. EnCase, so naturally I had to read it.

Here are a couple of relevant clips from the post.  I encourage you to read the whole post as it presents a real issue with properly defending cases involving digital forensic evidence.

Ghost v. EnCase

“I could have entitled this post “battling computer forensic software programs.” It’s about a discovery dispute in a criminal case that centered around two such programs: EnCase and Ghost.
The case is State v. Dingman, 149 Wash.App. 648, 202 P.3d 388 (Washington Court of Appeals 2009), and it arose when Robert Dingman was charged with 21 counts of theft and 33 counts of money laundering in violation of Washington state law. I’m not going to summarize the facts that supported each count, because they’re redundant.”

“At argument on the motion, Dingman asserted that neither his computer forensic expert nor defense counsel had access to the EnCase program. His expert, Larry Karstetter, testified that a copy of the program cost $3,607. Karstetter said that he did not use the program because it was created for use by law enforcement, and he expressed concern that its search function could contain inherent bias against the defense. He added that in all other cases in which he needed hard drive copies, the State provided the copies to him in a readable (non-EnCase) format.”

A Primer on Forensic Formats for Attorneys
A great many law enforcement agencies use EnCase.  It is by far the most popular computer forensic software out there.  In the over 300 cases I have done, I have had two agencies submit forensic copies in a different format: once in FTK format and once in RAW format.

Here are the different kinds of formats you can expect to see in cases and how to deal with them.
  1. EnCase format, also known as Expert Witness format or E01 format.  EnCase is made by Guidance Software, Inc.  This is the “native” format for forensic copies made with EnCase Forensic software.  The file extensions begin with .E01 and continue .E02, .E03 and so on, one per segment.  The segments are a container: the drive data is stored in chunks, usually compressed and each protected by a CRC, alongside case metadata and the hash computed at acquisition.  Hashing the .E01 files themselves will therefore never reproduce the hash of the original drive; a tool that understands the format must recompute the hash over the decompressed data.
  2. FTK format.  FTK, which stands for Forensic Toolkit, is forensic software by AccessData Corporation.  It is the second most popular forensic software in use by law enforcement in the US.  Note that AccessData’s free imaging tool, FTK Imager, also writes E01 and RAW images, so a copy received from an FTK user is often in one of those formats rather than in a proprietary AccessData container.
  3. DD, also known as RAW format.  A RAW image can be created by several different programs and hardware devices used to make forensic copies of hard drives and other digital media, and is commonly created with the Linux dd command.  It is not proprietary: the image is simply a bit-for-bit copy of the source medium with no container around it, sometimes split into numbered segments (.001, .002 and so on).  Because nothing in a RAW image records the acquisition hash, that hash must be kept with the case notes and compared against a hash recomputed over the segments, in order, whenever the image is copied or converted.
Ghost images are not included in this list because, while it is possible to create an exact copy of a hard drive using Ghost, that is not what Ghost does by default.  Unless exactly the right combination of command line switches is used, Ghost does not copy the drive sector by sector, so unallocated space and file slack are not preserved and the result is not an exact copy of the hard drive.  It is not recommended for use in computer forensics when there are plenty of free tools out there that can make verifiable forensic copies of hard drives.


If your expert does not know about these various formats and how to convert them for use in his or her forensic analysis tools, your best solution is to hire a qualified expert immediately.

There are free tools available to all experts to convert between the various forensic image formats.  (In the forensic community we refer to forensic copies of hard drives or other evidence as “images,” referring to the process of creating a mirror image of the evidence.  A mirror image is an exact, bit-for-bit copy of the physical evidence medium that includes everything on the hard drive: the files a user can see, deleted data, and the “stuff” no one can see without forensic tools, in areas of the physical hard drive called unallocated space and file slack.)

It is a simple process to convert EnCase .E01 images into RAW format, or to convert FTK images into EnCase or RAW format, for use in other tools, and vice versa; libewf’s ewfexport, for example, writes a RAW image from an E01 set, and FTK Imager can create a new image using an existing image file as its source.  Whichever direction you convert, treat the result like any other copy of the evidence: hash the converted image, compare it with the hash recorded at acquisition, and record both hashes and the tool used in your notes.
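The verification step described above, and the point made in the format list that a RAW image carries no hash of its own, as an added Python example that is not part of the original post.  It writes a constructed piece of “evidence” as numbered RAW segments (the image.001, image.002 naming and the evidence bytes are assumptions for the example, not any tool’s output), recomputes the hash over the segments in numeric order, compares it with the hash taken at acquisition, and then shows that a single flipped bit in one segment fails the check.

```python
"""Verify a split RAW (dd) image against the hash recorded at acquisition.

Added example, not part of the original post. A RAW image has no container, so
nothing inside it records the acquisition hash; the examiner keeps that hash in
the case notes and recomputes it over the segments, in order, after every copy
or conversion. The evidence bytes and the segment naming (image.001, image.002,
...) are constructed for the example and are assumptions, not a tool's output.
"""
import hashlib
import os
import re
import tempfile

SEGMENT_SUFFIX = re.compile(r"\.(\d+)$")


def write_split_raw(data: bytes, directory: str, base: str = "image",
                    segment_size: int = 1024) -> list[str]:
    """Write data as numbered RAW segments (base.001, base.002, ...); the last one is short."""
    paths = []
    for idx, start in enumerate(range(0, len(data), segment_size), start=1):
        path = os.path.join(directory, f"{base}.{idx:03d}")
        with open(path, "wb") as fh:
            fh.write(data[start:start + segment_size])
        paths.append(path)
    return paths


def sort_segments(names: list[str], base: str) -> list[str]:
    """Keep only base.N names and order them by the numeric suffix.

    A plain string sort would put 'image.10' before 'image.2' if a tool ever
    emits unpadded numbers, and the data would then be hashed out of order.
    """
    keyed = []
    for name in names:
        m = SEGMENT_SUFFIX.search(name)
        if m and name[:m.start()] == base:
            keyed.append((int(m.group(1)), name))
    return [name for _, name in sorted(keyed)]


def find_segments(directory: str, base: str) -> list[str]:
    """Return the full paths of base's segments in the directory, in order."""
    return [os.path.join(directory, n) for n in sort_segments(os.listdir(directory), base)]


def hash_segments(paths: list[str], algo: str = "sha256", chunk: int = 65536) -> str:
    """Hash the concatenation of the segments, streaming so large images fit in memory."""
    h = hashlib.new(algo)
    for path in paths:
        with open(path, "rb") as fh:
            for block in iter(lambda: fh.read(chunk), b""):
                h.update(block)
    return h.hexdigest()


def verify_image(directory: str, base: str, recorded: str, algo: str = "sha256") -> bool:
    """True when the segments, read in order, reproduce the recorded acquisition hash."""
    return hash_segments(find_segments(directory, base), algo) == recorded.lower()


def demo() -> dict:
    """Image, verify, then flip one bit and verify again; returns the outcomes."""
    # Constructed evidence: some "allocated" data, zeroed space, and a remnant that a
    # file-level copy would miss but a bit-for-bit image keeps.
    evidence = (b"ALLOCATED FILE DATA " * 120) + (b"\x00" * 300) + b"deleted remnant"
    recorded = hashlib.sha256(evidence).hexdigest()  # hash taken at acquisition, kept in the notes
    with tempfile.TemporaryDirectory() as tmp:
        segments = write_split_raw(evidence, tmp, "image", segment_size=1024)
        intact = verify_image(tmp, "image", recorded)
        # Flip one bit in the second segment, as a bad copy or a stray write would.
        with open(segments[1], "r+b") as fh:
            fh.seek(10)
            original = fh.read(1)
            fh.seek(10)
            fh.write(bytes([original[0] ^ 0x01]))
        tampered = verify_image(tmp, "image", recorded)
    return {"segments": len(segments), "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The same check applies after an E01 to RAW conversion: the recorded hash comes from the acquisition notes (or from the E01 container, read with a tool that understands it), and it is compared against the hash of the exported RAW segments, never against the hash of the .E01 files.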