computer evidence - ARMA International, Birmingham Chapter

Digital Evidence
Alton Sizemore Jr.
Summerford Accountancy, PC
CYBER CRIME and Civil Litigation
DIGITAL EVIDENCE COLLECTION AND ISSUES
Introduction
Speaker: Alton Sizemore Jr.
Qualifications
– Univ. of Alabama BS in Accounting
– CPA in Florida and Alabama
– Certified Fraud Examiner
– FBI Agent for 25 years (Retired)
– Previously assigned to the Jacksonville, Kansas City, Philadelphia Field Offices, FBIHQ and Birmingham
– Summerford Accountancy, PC - Director of Investigations
Professional Associations
• American Institute of CPAs
• Alabama Society of CPAs
• Florida Institute of CPAs
• Certified Fraud Examiners Assoc.
• Professional Advisory Board, Culverhouse School of Accountancy, University of Alabama
Proper Seizure and Collection of Digital Evidence
• What is Computer Crime
• What is Digital Evidence
• How do you properly seize and collect digital evidence
But First………
ICE FISHING
What is Computer Crime
Computer Crime
• Use of computers to commit crime, store illegal information or data, or target critical infrastructures
– Obtaining information without authorization
– Obtaining classified information without authorization
– Access to any non-public computer
– Access to a protected computer**
** Defined as a computer used by a financial institution or the U.S. Government.
TYPES OF CYBER CRIME
• Computer Intrusions
• Identity Theft
• Intellectual Property Right Matters
• Credit Card Fraud
• Child Pornography
• Online Extortion
• Growing Internationally Spawned Matters
Since 1996 . . . Trends Indicate?
• Pending cases increased 130%
• Informations and indictments increased 110%
• Arrests up 950%
• Convictions increased 88%
* FBI Case Statistics
IFCC INTERNET COMPLAINTS
Year    Complaints received
2001     49,863
2002     75,063
2003    124,509
2004    207,449
2005    231,493
[Chart: % of respondents reporting attack, by point of origin (Internal, Remote, Internet), 1996 through 1999; vertical axis 0% to 60%. Source: CSI/FBI 1999 Computer Crime and Security Survey, Computer Security Institute]
2005 COMPUTER CRIME AND SECURITY SURVEY
• 56% of 693 respondents detected security breaches in the last 12 months
• 693 respondents reported $130 million in losses
• Top loss: virus, $43 million
• Unauthorized access, $31 million
• Theft of proprietary info, $31 million
• Financial fraud, $3 million
COST OF RECENT MAJOR CYBER ATTACKS AND INVESTIGATIONS
• Slammer worm: $945M - $1.2B
• Code Red: $2.6 billion
• Love Bug: $10 billion
(All based on worldwide estimates)

This is a Denial of Service ATTACK …
Where do you start?
Computer Evidence
• From a technical standpoint, “computer evidence” is any data recovered from a computer, piece of digital media or other form of “magnetized” media that stores data in electronic or binary format.
– Computer Evidence and Digital Evidence are one and the same
Digital evidence:
• is information of probative value stored or transmitted in digital form
(*SWGDE, 7/14/98) *Scientific Working Group on Digital Evidence
Digital Evidence is Latent
• Invisible to the naked eye
• Easily destroyed, altered, or otherwise tainted
• Can be processed only by specially trained and equipped individuals
Criminal Use of Personal Computers
• Computers give criminals several benefits that help them avoid detection
– Remoteness from crime scene
– Anonymity (hiding your identity)
– Data encryption
Where Computer Evidence May Be Located
• Why is this important?
– Computers as the target of the crime
  • System intrusions
– Computers as the instruments of the crime
  • How was it used to commit the crime?
  • Solicitation of Minors, Harassment, Prescription Fraud, Identity Theft, Counterfeiting
– Computers as the repository of the evidence
  • Does this hold the evidence needed?
  • Fraud, Embezzlement, Child Pornography, Homicide, Bank Robbery
Computer Crimes
• Email Extortion Threats
• On-line Child Pornography
• On-line Gambling
• Offshore Money Laundering Websites
• Organized Crime
• Cyber-Terrorism
• Infrastructure Attacks
• Hate Crimes
• On-line Threats/Stalking
• On-line Narcotic Sales
• Computer Component Theft
• Viruses/Worms
• Telecommunication Fraud
• Chip Fraud
• Counterfeiting
• Securities Fraud
The computer can be the tool, target, or storage medium
Types of Cases - 2002
Program                                             Share of cases
VCMO – Violent Crimes & Major Offenders             40%
NFIP – National Foreign Intelligence Program        25%
WCC – White Collar Crime                            23%
MISC – Miscellaneous                                 5%
OC – Organized Crime                                 3%
DT – Domestic Terrorism                              2%
CR – Civil Rights                                    1%
NIPC – National Infrastructure Protection Center     1%
Files and Location of Evidence
• Files Generated by the Computer
– Swap Files
– Internet History Files
– Cookie Files
– Log Files
– Print Spool Files
– Temporary Files
• Secured and Hidden Files
– Encrypted Files
– Compressed Files
– Password Protected
– “Hidden” Files
– Steganography
– Files with Changed File Extension
• Other Locations of Evidence
– Windows Registry
– Deleted Files
– Hidden Partitions
– RAM Slack & Disk Slack
– Enhanced Metafiles
– Bad and Lost Clusters
– Unallocated Space
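The "files with changed file extension" item above is one an examiner can test for mechanically: a file's leading bytes (its signature or "magic number") identify the real format regardless of the name it was given. The following is an added example, not code from the presentation, that walks a directory and flags any file whose signature disagrees with its extension. The signature table and the sample files are this example's own constructions (a JPEG renamed to .txt and a zip container renamed to .xls); a real examination would use a full signature database such as the one behind the Unix `file` command.

```python
# Added example (not from the presentation): flag files whose content
# signature does not match their extension. Sample files are constructed.
import os
import tempfile
from typing import Dict, List, Optional

# A small signature table chosen for this example; not an exhaustive reference.
SIGNATURES = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",   # docx/xlsx/pptx/jar are zip containers
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# Extensions that legitimately carry another type's signature.
ALIASES = {
    "jpeg": "jpg",
    "docx": "zip", "xlsx": "zip", "pptx": "zip", "jar": "zip",
}


def identify(head: bytes) -> Optional[str]:
    """Return the format implied by the leading bytes, or None if unknown."""
    for magic, fmt in SIGNATURES.items():
        if head.startswith(magic):
            return fmt
    return None


def claimed_type(path: str) -> str:
    """Normalise the extension so aliases compare equal to their container."""
    ext = os.path.splitext(path)[1].lstrip(".").lower()
    return ALIASES.get(ext, ext)


def check_file(path: str) -> Dict[str, object]:
    with open(path, "rb") as fh:
        head = fh.read(16)          # longest signature above is 8 bytes
    claimed = claimed_type(path)
    actual = identify(head)
    # Unknown signatures are not reported: plain text has no magic number,
    # so only a positive identification that disagrees counts as a mismatch.
    return {"path": path, "claimed": claimed, "actual": actual,
            "mismatch": actual is not None and actual != claimed}


def scan(directory: str) -> List[Dict[str, object]]:
    """Return mismatched files, sorted by path for stable reporting."""
    findings = []
    for root, _, names in os.walk(directory):
        for name in names:
            result = check_file(os.path.join(root, name))
            if result["mismatch"]:
                findings.append(result)
    return sorted(findings, key=lambda r: str(r["path"]))


def build_sample_tree() -> str:
    """Constructed sample: three honestly named files and two disguised ones."""
    d = tempfile.mkdtemp()
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
        "report.pdf": b"%PDF-1.4\n%...",
        "archive.zip": b"PK\x03\x04" + b"\x00" * 32,
        "notes.txt": b"\xff\xd8\xff\xe0" + b"\x00" * 32,   # JPEG renamed to .txt
        "budget.xls": b"PK\x03\x04" + b"\x00" * 32,        # zip renamed to .xls
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    for f in scan(build_sample_tree()):
        print(f"{f['path']}: named .{f['claimed']} but content is {f['actual']}")
```

Two design points matter for evidentiary use. The scan reads only the first 16 bytes of each file, so it never modifies anything and is cheap to run across a whole image. And it reports only positive disagreements: a file with no recognisable signature is left alone rather than guessed at, which keeps the finding list defensible.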
Hardware
• The computer components
– Central Processing Unit (CPU)
– Monitor
– Keyboard
– Mouse
– Internal cards
– RAM
– Hard Drive Trays
Peripheral Devices
• Printers
• Zip drive
• DAT tape drive
• Magneto optical drive
• Scanners
• Hubs
• Digital Cameras
– And there are many types
What Does Digital Evidence Look Like?
• Typical hard drive from a desktop computer
– Numerous types, sizes, models and brands
• Inside of the desktop hard drive
• Floppy Diskette
– 3 ½ inch
• Zip disk cartridge
• DDS (Digital Data Storage) Cartridge
• DAT (Digital Audio Tape) Tape
• CD-ROM
• Magneto Optical cartridge
• Cellular phones
• Digital cameras
• Pagers
• Personal Digital Assistants
• Thumb drives are portable flash-memory drives that fit on a key ring and could store (at the time of this presentation) about 2 gigabytes of data
– Many offer biometric access control and data encryption
Search Operations: Search Steps
• Secure the Location
• Secure the Computers
• Site Survey
• Sketch & photograph site
• Conduct Interviews
• Data Seizure
– Shut Down
– Attach external media
– Reboot w/ write protection
– Attach to Network?
• Bag & Tag
– Shut Down
– Label Connections
– Dismantle Equipment
• “Hard Copy” Evidence
• Transportation of Evidence
• Storage of Evidence
• Documentation
– Record a cryptographic hash (e.g. MD5 or SHA-256) of the original media and of each image at the time of acquisition, and re-verify it at every hand-off; a matching hash is what later shows the evidence was not altered
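The Data Seizure, Bag & Tag and Documentation steps come together in the act of imaging: copy the media through write protection, hash what was read and what was written, and log who did it and when. The block below is an added example, not the presentation's material, showing that sequence in miniature. It images a regular file standing in for a block device (on a real system the source would be a device such as /dev/sdb behind a hardware write blocker, and a tool such as dd or FTK Imager would do the copying); the case number, examiner name, file names and the sample "media" contents are all constructed for the example.

```python
# Added example (not from the presentation): image a source, hash source and
# image independently, append a chain-of-custody record, and re-verify later.
import hashlib
import json
import os
import tempfile
import time
from typing import Dict

BLOCK = 1024 * 1024  # copy and hash in 1 MiB blocks; never load whole media


def _utc_now() -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())


def acquire(source: str, image: str, examiner: str, case_id: str) -> Dict[str, object]:
    """Copy source to image block by block, hashing the source stream as it passes."""
    src_sha256 = hashlib.sha256()
    src_md5 = hashlib.md5()            # still widely recorded alongside SHA-256
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(BLOCK), b""):
            src_sha256.update(chunk)
            src_md5.update(chunk)
            dst.write(chunk)
            size += len(chunk)
    # Hash the image by reading it back from the destination media. This shows
    # the bytes that landed equal the bytes read, not merely that they were sent.
    image_sha256 = _sha256_of(image)
    return {
        "case_id": case_id, "examiner": examiner,
        "source": source, "image": image, "bytes": size,
        "sha256": src_sha256.hexdigest(), "md5": src_md5.hexdigest(),
        "image_sha256": image_sha256,
        "acquired_utc": _utc_now(),
        "verified": src_sha256.hexdigest() == image_sha256,
    }


def _sha256_of(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def verify(image: str, expected_sha256: str) -> bool:
    """Re-hash the image (e.g. at each hand-off) and compare to the recorded value."""
    return _sha256_of(image) == expected_sha256


def append_custody(log_path: str, event: str, record: Dict[str, object]) -> None:
    """Append one JSON line per custody event; the log is only ever appended to."""
    entry = {"event": event, "when_utc": _utc_now()}
    entry.update(record)
    with open(log_path, "a") as fh:
        fh.write(json.dumps(entry) + "\n")


def demo() -> Dict[str, object]:
    work = tempfile.mkdtemp()
    source = os.path.join(work, "suspect_disk.bin")      # stand-in for /dev/sdb
    image = os.path.join(work, "evidence001.dd")
    log = os.path.join(work, "custody.jsonl")
    # Constructed sample media: a repeating byte pattern spanning a few blocks
    # plus a partial block, so the loop's tail handling is exercised.
    with open(source, "wb") as fh:
        fh.write(bytes(range(256)) * (12 * 1024 + 3))
    rec = acquire(source, image, examiner="A. Examiner", case_id="CASE-0001")
    append_custody(log, "acquired", rec)
    intact = verify(image, str(rec["sha256"]))
    append_custody(log, "verified-on-receipt", {"image": image, "ok": intact})
    # Simulate one byte flipped on the image during transport or storage.
    with open(image, "r+b") as fh:
        fh.seek(1000)
        original = fh.read(1)
        fh.seek(1000)
        fh.write(bytes([original[0] ^ 0x01]))
    after_tamper = verify(image, str(rec["sha256"]))
    append_custody(log, "verified-after-transport", {"image": image, "ok": after_tamper})
    with open(log) as fh:
        events = sum(1 for _ in fh)
    return {"record": rec, "intact": intact, "after_tamper": after_tamper, "events": events}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The point the example makes is that one flipped byte out of three megabytes turns the re-verification false, which is exactly why the hash, not the file size or a visual inspection, is what the custody log records. Real acquisition tools add what this sketch omits: unreadable sectors are logged and zero-filled rather than aborting the copy, and the image is often stored in a container format (E01, AFF) that carries the hashes and examiner notes inside it.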
E-Discovery
• 90% of American corporations are involved in litigation
• Avg. $1B corporation faces 147 cases at any given time
• Litigation costs these firms $8 million annually
• E-discovery is the top litigation burden
New Rules for E-Discovery
Rule 16: The Pre-Trial Conference
• ESI: electronically stored information
• Parties in civil litigation must meet within 30 days of the filing of the lawsuit
• Identify what data is “accessible”
• Which records will be shared
• What format (usually original format)
• Establish ground rules for sharing data
New Rules for E-Discovery
Rule 26: Privilege, Disclosure, Discovery Scope & Limitations
• Parties must disclose ESI and hard copies that may be used to support their claims or defenses.
• Parties must produce ESI that is relevant, not privileged, and reasonably accessible.
What is not Reasonably Accessible?
• Magnetic backup
• Unintelligible legacy data
• Fragmented data after deletion
• Unplanned output from databases, different from their designed uses
• Requirement: save this data anyway
• Not knowing the contents of data does not make it “not reasonably accessible”
Exceptions to Not Reasonably Accessible
• If the requesting party can show “Good Cause” for getting it.
• The requesting party must be able to show its need outweighs the burden and cost to retrieve and produce the information.
• The judge orders it!
Rule 26(f)(3): Create a Discovery Plan
• Where data is located
• How ESI is preserved
• Time and cost involved in retrieving ESI
• How ESI can be searched and retrieved
• What data is privileged
• In what format ESI can be produced
Rule 34: ESI Production and Forms
• ESI is equal to paper documents
• Parties must produce documents in the form they are ordinarily kept or a “reasonably usable format”
• Parties must state the form they intend to use
Rule 37: Safe Harbor Provisions
• Parties should establish a routine, good-faith operation of an information system
• Courts can’t impose sanctions if data is lost and a routine, good-faith operation of the system was in place.
• CANNOT delete information in anticipation of litigation
What to do
• Your entire organization should be committed to meeting litigation requirements
• Document your ESI retention policy in writing
• Employ systems to control your data
• Identify “Reasonably Accessible” ESI
• Manage information as potential evidence
What to do - continued
• Store only data you need
• Know what and where your data is
• Ensure outside counsel knows your policies
• Establish a scheduled, predictable routine for retention and deletion that is tied to records management policy
Examples of data seizure
• 1993 World Trade Center Bombing
– Two computers of data
• 1995 OK City bombing
– If printed, data would fit into a footlocker
• 9/11/2001
– More data seized than in the Library of Congress
[Chart: Gigabytes Processed Per Year, FY 1998 through FY 2002; vertical axis 0 to 120,000 GB]
IT AIN’T OVER TILL IT’S OVER
• Don’t assume just because a System has been damaged that the Digital Evidence may be irretrievable….
• Seeing is believing
GOOD INTENTIONS
Final Comment
• Digital Evidence is some of the most fragile and complex evidence you will come in contact with
• If ever in doubt, contact a Computer Forensics Examiner for advice
QUESTIONS ?