Digital Forensics Investigation

Computer Forensics Challenges of 2008:
The major issues affecting the use of digital forensics in family law cases in South Carolina.
Presented by
Steven M. Abrams, J.D., M.S.
Abrams Millonzi Law Firm, P.C.
Steven M. Abrams, Esq. Computer Forensics Examiner
Attorney at Law (SC), Private Investigator (NY)
Computer Forensics Bio
 1983 – 2008 (25 yr)
 Trained under Military and Law Enforcement Supervision – NCJA, NW3C, NYPD, FBI, SLED
 350 CF Cases
 75% Domestic Relations
 Law enforcement work: USSS, FBI, Mt. Pleasant PD, ...
 Member: HTCIA, SCALI, ALDONYS, IEEE
 Permanent Member: SLED PI Business Advisory Committee
 Instructor: Numerous CLEs, Seminars, US and Foreign Governments




What we will cover today:
 Issues confronting the use of computer forensics in Family Court
 Common abuses of the discovery process
 Need to check licenses and credentials of computer forensics examiners
 Need to critically evaluate CF evidence
 Lack of uniform rules for e-discovery in state courts
Computer Forensics?
Computer forensics, also called cyberforensics and digital
forensics, is the application of computer investigation
and analysis techniques to gather evidence suitable for
presentation in a court of law. The goal of computer
forensics is to perform a structured investigation while
maintaining a documented chain of evidence to find out
exactly what happened on a computer and who was
responsible for it.
Why do Computer Forensics?
"Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence.
Practically every investigation can benefit from the proper analysis of the suspect's computer systems."
- Incident Response: Investigating Computer Crime, p. 88
Family Law Matters are particularly suited to digital forensics.
 Home computers and cell phones are usually jointly owned and used marital property.
 Household financial records are often on the home computer. Hidden assets are traceable on the PC.
 Increasingly, paramours are contacted by computer (email and websites) or cell phone.
 Arrangements for liaisons are made using the computer: flight and hotel reservations.
 Pornography, Pornography, Pornography…
A Typical Digital Forensics Investigation
An actual domestic relations case example
The names of the parties have been changed to protect their identities.
Scenario
 Domestic Relations Matter
 Lisa - wife of client, having an affair.
 Paramour: “Michael”
 Email address: “Metro6969@alt.com”
 Lisa has installed a new web cam
 Explicit emails recovered referring to the web cam
 Michael claims to be 41 years old
 Lisa has taken a trip to ??
 Goal: Locate Paramour (and Lisa)
Procedure – Search for web cam related content
 MPGs are a popular movie format, along with MOV and WMV.
 A search for MPGs turns up many fragments and some link (.lnk) files containing information about movies accessed on this computer.
 One “lisa” movie link file is found, but the lisa movie itself is not found on the hard drive.
 It may contain important evidence.
Evidence - LisaMOV00396.LNK
Shortcut File
LisaMOV00396[87073].lnk.html
Link target information
  Local Path: C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG
  Volume Type: Fixed Disk
  Volume Serial Number: 3C16-A175
  File size: 0
  Creation time (UTC): N/A
  Last write time (UTC): N/A
  Last access time (UTC): N/A
Optional fields
  Relative Path: ..\My Documents\My eBooks\LisaMOV00396.MPG
  Working directory: C:\Documents and Settings\lisa\My Documents\My eBooks
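The fields in the record above come straight out of the binary layout of the .lnk file. What follows is an added worked example, not code from the presentation or from any forensic product: a small Python parser for the Shell Link format (fixed header, LinkInfo with its VolumeID and local base path, then the RelativePath and WorkingDir strings) together with a builder that constructs a sample .lnk carrying the LisaMOV00396 values, since the real file is not available. Assumptions: an ANSI (non-Unicode) link with no item ID list and an empty volume label; the zero target timestamps in the header are what the report shows as N/A.

```python
import struct
from datetime import datetime, timedelta

# Shell Link (.lnk) constants from the documented MS-SHLLINK layout.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, IS_UNICODE = 0x08, 0x10, 0x80
DRIVE_TYPES = {0: "Unknown", 1: "No root directory", 2: "Removable",
               3: "Fixed Disk", 4: "Remote", 5: "CD-ROM", 6: "RAM disk"}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means 'not set', reported as N/A."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def _cstring(buf, off):
    return buf[off:buf.index(b"\x00", off)].decode("latin-1")


def parse_lnk(data):
    """Extract target path, volume and timestamp fields from the bytes of a .lnk file."""
    hdr_size, clsid, flags, _attrs, ctime, atime, wtime, size = struct.unpack_from("<I16sIIQQQI", data, 0)
    if hdr_size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    info = {"file_size": size, "created": filetime_to_dt(ctime),
            "accessed": filetime_to_dt(atime), "written": filetime_to_dt(wtime)}
    pos = 0x4C
    if flags & HAS_ID_LIST:                       # LinkTargetIDList: 2-byte size + items, skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _li_hdr, li_flags, vol_off, base_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x01:                       # VolumeIDAndLocalBasePath present
            drive_type, serial = struct.unpack_from("<II", data, pos + vol_off + 4)
            info["volume_type"] = DRIVE_TYPES.get(drive_type, "Unknown")
            info["volume_serial"] = "%04X-%04X" % (serial >> 16, serial & 0xFFFF)
            info["local_path"] = _cstring(data, pos + base_off)
        pos += li_size

    def string_data():                            # StringData: 2-byte character count, then the characters
        nonlocal pos
        n = struct.unpack_from("<H", data, pos)[0]
        if flags & IS_UNICODE:
            s, pos = data[pos + 2:pos + 2 + 2 * n].decode("utf-16-le"), pos + 2 + 2 * n
        else:
            s, pos = data[pos + 2:pos + 2 + n].decode("latin-1"), pos + 2 + n
        return s

    if flags & HAS_NAME:
        info["name"] = string_data()
    if flags & HAS_RELATIVE_PATH:
        info["relative_path"] = string_data()
    if flags & HAS_WORKING_DIR:
        info["working_dir"] = string_data()
    return info


def build_lnk(local_path, relative_path, working_dir, serial, file_size=0, drive_type=3):
    """Build a minimal ANSI .lnk (header + LinkInfo + RelativePath + WorkingDir) to exercise the parser.
    Target timestamps are left at 0, which an examiner sees reported as N/A."""
    flags = HAS_LINK_INFO | HAS_RELATIVE_PATH | HAS_WORKING_DIR
    header = struct.pack("<I16sIIQQQIIIH", 0x4C, LNK_CLSID, flags, 0x20, 0, 0, 0,
                         file_size, 0, 1, 0) + b"\x00" * 10          # 10 reserved bytes
    volume_id = struct.pack("<IIII", 17, drive_type, serial, 16) + b"\x00"   # empty volume label
    base = local_path.encode("latin-1") + b"\x00"
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<IIIIIII", suffix_off + 1, 0x1C, 1, 0x1C, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"       # empty CommonPathSuffix

    def s(text):
        b = text.encode("latin-1")
        return struct.pack("<H", len(b)) + b

    return header + link_info + s(relative_path) + s(working_dir)


# Constructed sample reproducing the fields of the LisaMOV00396.LNK record above.
SAMPLE_LNK = build_lnk(
    r"C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG",
    r"..\My Documents\My eBooks\LisaMOV00396.MPG",
    r"C:\Documents and Settings\lisa\My Documents\My eBooks",
    serial=0x3C16A175)

if __name__ == "__main__":
    for key, value in parse_lnk(SAMPLE_LNK).items():
        print("%-14s %s" % (key, "N/A" if value is None else value))
```

The link records the target's size and timestamps as they were when the shortcut was last written, so a size of 0 and N/A times say only that the file had not been stat'ed by the shell yet; the path, volume type and serial are what tie the link to a specific file on a specific volume.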
Procedure
 Do a keyword search for “LisaMOV00396.MPG”
 There were no files by that name on the hard drive
 Search the Recycler for LisaMOV00396.MPG
Evidence – INFO2.DAT (Recycle Bin Index)
  Filename: Dc73.MPG
  Original Name: C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG
  Date Recycled: 7/22/2006 2:34:03 PM
  Removed from Bin: No
(The movie was renamed Dc73.MPG by the Recycler, and is still intact!)
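Added example, not from the presentation or any vendor tool: a parser for the Windows 2000/XP INFO2 index that recovers the fields shown above (the Recycler name D<drive><index>.<ext>, the original path, the deletion time, and whether the entry was later restored or emptied from the bin). The INFO2 image is constructed inside the block to match the LisaMOV00396 record (index 73 on drive C:, with a hard-coded FILETIME for 2006-07-22 14:34:03 taken as UTC, whereas the report above shows local time) plus a made-up second record that was removed from the bin. The record layout assumed is the documented XP one: a 260-byte ANSI path, record index, drive number, 64-bit FILETIME, physical size, then a 520-byte Unicode path.

```python
import struct
from datetime import datetime, timedelta

INFO2_HEADER = 0x14   # version, two reserved dwords, record size, total size of files in the bin
RECORD_SIZE = 0x320   # Windows 2000/XP record (800 bytes); Windows 9x records lack the Unicode path


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)


def parse_info2(data):
    """Return one dict per INFO2 record, reconstructing the Dc<index>.<ext> name the Recycler assigned."""
    version, _, _, rec_size, _ = struct.unpack_from("<IIIII", data, 0)
    if rec_size != RECORD_SIZE:
        raise ValueError("unexpected INFO2 record size 0x%X (version %d)" % (rec_size, version))
    records = []
    for off in range(INFO2_HEADER, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        rec = data[off:off + RECORD_SIZE]
        index, drive, deleted_ft, size = struct.unpack_from("<IIQI", rec, 260)
        original = rec[280:].decode("utf-16-le").split("\x00", 1)[0]
        # When a file is restored or the bin is emptied, the Recycler zeroes only the first byte of the
        # ANSI path; the rest of the record, including the Unicode path, survives until the slot is reused.
        removed = rec[0] == 0
        base = original.rsplit("\\", 1)[-1]
        ext = ("." + base.rsplit(".", 1)[1]) if "." in base else ""
        records.append({
            "recycled_name": "D%c%d%s" % (chr(ord("a") + drive), index, ext),
            "original_path": original,
            "deleted": filetime_to_dt(deleted_ft),
            "size": size,
            "removed_from_bin": removed,
        })
    return records


def _record(path, index, drive, deleted_ft, size, removed=False):
    """Encode one record; used only to build the constructed sample."""
    ansi = path.encode("latin-1")
    if removed:
        ansi = b"\x00" + ansi[1:]
    return (ansi.ljust(260, b"\x00") + struct.pack("<IIQI", index, drive, deleted_ft, size)
            + path.encode("utf-16-le").ljust(520, b"\x00"))


# Constructed INFO2 image: the LisaMOV00396.MPG record (FILETIME for 2006-07-22 14:34:03 UTC),
# plus a made-up record deleted ten minutes later and then emptied from the bin.
LISA_DELETED_FT = 127980524430000000
SAMPLE_INFO2 = (struct.pack("<IIIII", 5, 0, 0, RECORD_SIZE, 0)
                + _record(r"C:\Documents and Settings\lisa\My Documents\My eBooks\LisaMOV00396.MPG",
                          73, 2, LISA_DELETED_FT, 24_576_000)
                + _record(r"C:\Documents and Settings\lisa\My Documents\notes.txt",
                          74, 2, LISA_DELETED_FT + 600 * 10_000_000, 4096, removed=True))

if __name__ == "__main__":
    for r in parse_info2(SAMPLE_INFO2):
        print("%-10s %-20s removed=%s  %s" % (r["recycled_name"], r["deleted"], r["removed_from_bin"], r["original_path"]))
```

The recycled name is what to look for in the Recycler directory: the content of Dc73.MPG is untouched by the rename, and even a record whose file is gone still tells you the original name and the exact deletion time.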
Evidence – DC73.MPG
Listen to the accent in the speaker’s voice
Procedure – Search hard drive for “metro6969”
 A keyword search for “metro6969” turns up many explicit emails between Lisa and Michael.
 One email contains Michael’s business email signature, probably by accident.
Evidence - Email
(Signature from paramour’s deleted email
recovered with FTK)
…
Michael E. Smith
Metropolitan Plumbing Co., Inc.
Procedure – Look up Company
 Using the accent as a guide (New England)
 Search for business filings on D&B for “Metropolitan Plumbing Co.”
Business Report from D&B
Comprehensive Business Report
Company Name: METROPOLITAN PLUMBING CO INC
Address: HICKSVILLE, MA 02799
Phone: (508) 632−6969
FEIN:00-000000
Associated People:
Business Contacts:
MICHAEL SMITH, SSN: 025−55−0000,
Date Last Seen: Apr, 2005
HICKSVILLE, MA 02799
MICHAEL SMITH, SSN: 025−55−0000, PRESIDENT,
Date Last Seen: Apr, 2006
Procedure – Use SSN to Locate Paramour
 Using the IRBSearch.com person search, look up the SSN to produce a background report on the paramour.
Evidence – Background Report
Subject Information:
Name: MICHAEL E SMITH
Date of Birth: 04/1965
Age: 41
SSN: 025−55−0000 issued in
Massachusetts between 01/01/1971 and 12/31/1973
Active Address(es):
MICHAEL E SMITH − 591 MARKET ST, FRANCIS MA 02099−1513,
NORFOLK COUNTY (May 1993 − Sep 2006)
SMITH MARY ANNE (508) 540−1234
Eureka!
It’s now a simple matter to place Michael
under surveillance and have him lead us
to Lisa, who is waiting for him at a local
roadside motel.
Issues confronting the use of CF in Family Court
Issue #1: Willful Spoliation – an increasingly common occurrence
Willful, deliberate spoliation is becoming an increasingly common occurrence in domestic relations matters.
Typical example of willful spoliation
You are called in to examine a computer produced in response to a court order. Upon opening the case of the eight-year-old computer, which you note was missing the screws that hold the cover closed, you observe the following…
Actual Evidence Photo 1
Dust Bunnies !
Actual Evidence Photo 2
Cob Webs!
Actual Evidence Photo 3
Actual Evidence Photo 4
The Hard Drive was
Pristine,
almost sterile.
Rule #1: Parties cheat in e-discovery, especially in domestic relations cases.
 Never assume that material produced during the course of electronic discovery is complete or authentic; use forensic evidence to establish authenticity.
 Electronic data is fragile and easily lost or manipulated.
 Opposing counsel is usually well-meaning, but clients are often beyond their control.
 Clients often have an unreasonable belief that they will not get caught.
 Hire a knowledgeable computer forensics expert to review materials produced during electronic discovery.
Most common method of spoliation: Wiping Programs (Anti-forensics)
Wiping software makes data recovery difficult or impossible by deleting and overwriting data on the hard drive.
Wiping can be detected in two ways:
 Detect disk wiping by examining the data in disk sectors for regular patterns indicative of wiping: a single byte value or a short byte sequence repeated across whole sectors and across large extents of the drive. A disk in normal use shows a mix of file content, file-system structures and zero-filled space that was never written; it does not show one non-zero value repeated from end to end.
 Detect the presence of wiping software on the drive with Gargoyle Investigator™ Forensic Pro software.
2nd most common method of spoliation: Evidence Tampering
Includes any attempt to alter the data on the hard drive.
 Most commonly done by reformatting the hard drive and reloading the O/S (Windows).
 The original data is usually at least partially recoverable after a reformat / reload: a quick format rewrites only the file-system structures, so file contents remain in unallocated space until they are overwritten by the new installation and later use.
 Other tampering includes changing time and date stamps on files to pre-date or post-date them.
 Rarely, we have seen one spouse fabricate evidence to make it appear that the other spouse was responsible for data remaining on the hard drive.
How can evidence tampering be detected?
Analysis of artifacts within several key areas of the hard drive can lead to conclusive evidence of willful spoliation and evidence tampering (for example, reformatting the hard drive). The key areas include:
 Windows Registry
 Link files – show which files were on the system and when
 Event Logs – show when/if the system clock was reset
 Disk partition and system directory metadata – show when the hard drive was reformatted and the Windows install date
 Keyword searches for deleted data in unallocated drive free space
 Deletion dates obtained from the Recycler INFO2 structure
The Windows Registry
The Windows Registry conceptually can be thought of as a special directory where Windows and other software programs store system data needed for proper operation of the operating system and installed software. User activity within Windows is tracked and stored in the Registry.
The files that constitute the Windows XP Registry
Windows\System32\config\ directory:
 SYSTEM
 SOFTWARE
 SAM
 SECURITY
Documents and Settings\<User>\ directory:
 NTUSER.DAT
Metadata
What is metadata?
 Metadata gives any kind of data context.
Any item of data is a description of
something. Metadata is a type of data
where the something being described is
data. Or, as it is often put, metadata is
data about data.
Microsoft Office Metadata
Microsoft Office files include metadata
beyond their printable content, such as
the original author's name, the
creation, modification, and access
date and time of the document, and the
amount of time spent editing it.
Unintentional disclosure can be awkward
or even raise malpractice concerns.
Metadata is essential as a means of determining the install date for Windows and the date of hard drive formatting.
 Folders (subdirectories) are just a special type of file. As such they have file creation date and time metadata associated with them.
 The Windows folder and the system32 subfolder (among others) are created when Windows is installed. The creation date metadata on the Windows folder can tell you when Windows was installed. An install date after the court order, or long after the computer was purchased, can indicate that the hard drive has been tampered with.
 The metadata on the root folder, and on the bad cluster and partition (volume) files, can tell you when the partition was created, usually when the drive was formatted.
 Read the timestamps with the file system in mind: FAT stores them as local time with 2-second resolution and keeps only a date for last access, while NTFS stores them in UTC.
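Added example, not from the presentation: decoding the creation, write and access timestamps from a FAT directory entry, which is where the folder metadata described above lives on a FAT32 volume such as the one in the W v. H case below. The 32-byte entry is constructed inside the block for a WINDOWS folder created 25 July 2005 17:37:22; the cluster number, the second (deleted) sample entry and its name are made up. The decoder keeps the FAT caveats visible: local time rather than UTC, 2-second resolution on created/written times (plus the 10 ms "tenths" byte on creation), and a date only for last access.

```python
import struct
from datetime import datetime

ATTR_DIRECTORY = 0x10


def fat_datetime(date_word, time_word, tenths=0):
    """Decode a FAT date (bits 15-9 year since 1980, 8-5 month, 4-0 day) and time
    (bits 15-11 hour, 10-5 minute, 4-0 two-second count) plus the optional 10 ms 'tenths' byte."""
    year, month, day = 1980 + (date_word >> 9), (date_word >> 5) & 0x0F, date_word & 0x1F
    hour, minute = time_word >> 11, (time_word >> 5) & 0x3F
    second = (time_word & 0x1F) * 2 + tenths // 100
    return datetime(year, month, day, hour, minute, second, (tenths % 100) * 10000)


def parse_dir_entry(entry):
    """Parse one 32-byte FAT short-name directory entry into name, attributes and timestamps.
    Returns None for a never-used slot; a deleted entry (first byte 0xE5) is returned with deleted=True,
    because its timestamps are still intact and still evidence."""
    if len(entry) != 32:
        raise ValueError("directory entry must be 32 bytes")
    if entry[0] == 0x00:
        return None
    deleted = entry[0] == 0xE5
    raw = bytearray(entry[:11])
    if deleted:
        raw[0] = ord("?")                       # the first character is lost on deletion
    name, ext = raw[:8].decode("latin-1").rstrip(), raw[8:].decode("latin-1").rstrip()
    (attr, _ntres, ctenths, ctime, cdate, adate,
     clus_hi, wtime, wdate, clus_lo, size) = struct.unpack_from("<BBBHHHHHHHI", entry, 11)
    return {
        "name": name + ("." + ext if ext else ""),
        "deleted": deleted,
        "is_dir": bool(attr & ATTR_DIRECTORY),
        "created": fat_datetime(cdate, ctime, ctenths),
        "written": fat_datetime(wdate, wtime),
        "accessed": fat_datetime(adate, 0),     # FAT keeps only a date for last access
        "first_cluster": (clus_hi << 16) | clus_lo,
        "size": size,
    }


def encode_entry(name, ext, attr, created, written, accessed, first_cluster, size=0, deleted=False):
    """Inverse of parse_dir_entry; used only to construct the samples below."""
    def date_word(d):
        return ((d.year - 1980) << 9) | (d.month << 5) | d.day

    def time_word(t):
        return (t.hour << 11) | (t.minute << 5) | (t.second // 2)

    raw = name.ljust(8).encode("latin-1") + ext.ljust(3).encode("latin-1")
    if deleted:
        raw = b"\xe5" + raw[1:]
    return raw + struct.pack("<BBBHHHHHHHI", attr, 0, (created.second % 2) * 100,
                             time_word(created), date_word(created), date_word(accessed),
                             first_cluster >> 16, time_word(written), date_word(written),
                             first_cluster & 0xFFFF, size)


# Constructed entries: a WINDOWS folder created 25 July 2005 17:37:22 (local time, as FAT stores it),
# and a made-up deleted log file from the same evening.
SAMPLE_WINDOWS_ENTRY = encode_entry("WINDOWS", "", ATTR_DIRECTORY,
                                    created=datetime(2005, 7, 25, 17, 37, 22),
                                    written=datetime(2005, 7, 26, 18, 17, 6),
                                    accessed=datetime(2005, 7, 26), first_cluster=3)
SAMPLE_DELETED_ENTRY = encode_entry("OLDLOG", "TXT", 0x20,
                                    created=datetime(2005, 7, 25, 20, 22, 54),
                                    written=datetime(2005, 7, 25, 20, 22, 56),
                                    accessed=datetime(2005, 7, 25), first_cluster=0x1234,
                                    size=1024, deleted=True)

if __name__ == "__main__":
    for e in (parse_dir_entry(SAMPLE_WINDOWS_ENTRY), parse_dir_entry(SAMPLE_DELETED_ENTRY)):
        print("%-12s dir=%-5s deleted=%-5s created %s written %s" %
              (e["name"], e["is_dir"], e["deleted"], e["created"], e["written"]))
```

Run the decoder over the root directory's entries and the entries for WINDOWS and WINDOWS\SYSTEM: the earliest creation times there bracket the format and the install, and they are the values to compare against the date of the court order.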
Metadata is discoverable!
Williams v. Sprint/United Mgmt. Co., 2005 U.S. Dist. LEXIS 21966 (D. Kan. Sept. 29, 2005).
The Williams court established the following standard:
[W]hen a party is ordered to produce electronic documents as they are maintained in the ordinary course of business, the producing party should produce the electronic documents with their meta data intact, unless that party timely objects to production of meta data, the parties agree that the meta data should not be produced, or the producing party requests a protective order. Id.
Typical Case Example: W v. H
 Custody matter between W and her former husband H.
 W has joint custody with H over a 4-year-old daughter. (W shows increasingly erratic behavior. Possibly dangerous.)
 H and his new wife seek sole custody.
 W allegedly tells a friend via email that “she will sooner kill the child and H, than turn her over to his custody.”
W v. H
 Attorney for H issues a subpoena for W’s computer so he could have the emails examined.
 W’s attorney files a motion to quash the subpoena.
 On July 20, the Judge issues an order from the bench for W to turn the computer over to her attorney so it can be examined by H’s expert.
 On July 25th the signed order arrives at W’s attorney’s office.
 On July 27th W brings the computer to her attorney’s office for examination.
 I examine and copy the computer in W’s attorney's office on August 1st.
 During my exam, I take the following photos of the computer:
Evidence Photos from Aug 1st
Hard drive pristine!
W v. H – Forensic Evidence
EnCase Image from W’s Hard Drive
Case Information:
  Case Number: 2005-29
  Evidence Number: 1
  Unique Description: Maxtor 4GB
  Examiner: SM Abrams
  Notes: Maxtor 4GB from Dell Tower

--------------------------------------------------------------

Information for E:\image\maxtor4gb:

Physical Evidentiary Item (Source) Information:
  Drive Interface Type: USB
  Drive Model: Maxtor 8 4320D5 USB Device
  [Drive Geometry]
  Bytes per Sector: 512
  Cylinders: 525
  Sectors per Track: 63
  Sector Count: 8,437,500
  Tracks per Cylinder: 255
  Source data size: 4119 MB
  Sector count: 8437500
  MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60
  SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d

Image Information:
  Segment list: E:\image\maxtor4gb.E01

Image Verification Results:
  MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60 : verified
  SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d : verified
W v. H – Forensic Evidence
EnCase Image from W’s Hard Drive
Data on the hard drive largely consisted of 0x35, or ASCII ‘5’s:
“555555555555555…”
In binary this is “00110101”, which is a common wiping pattern. A drive in normal use carries file content, file-system structures and zero-filled space that was never written; one non-zero byte value repeated across most of the disk is written only by a wiping tool.
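For both the sector-pattern check described under “Wiping Programs” above and the 0x35 fill seen on this drive, the following is an added example (not the presenter’s code and not any product’s): it classifies each 512-byte sector of a raw image as single-byte fill, short repeating pattern, or data, tallies the result, and reports the share of sectors that show a wipe signature. Zero fill is deliberately excluded from that share, because never-written space on a healthy disk is zeros. The image is constructed inside the block (0x35 fill, zero fill, varied content, and a 0x55/0xAA alternating pass); the sector size and the choice of 1/2/4/8-byte periods are assumptions.

```python
from collections import Counter

SECTOR = 512


def classify_sector(sector):
    """('fill', byte) if one byte repeats across the sector, ('pattern', hex) if a 2-8 byte unit
    repeats, else ('data', None). Wiping tools leave the first two; real files leave the third."""
    for period in (1, 2, 4, 8):
        unit = sector[:period]
        if unit * (len(sector) // period) == sector:
            return ("fill", unit[0]) if period == 1 else ("pattern", unit.hex())
    return ("data", None)


def scan_image(data, sector_size=SECTOR):
    """Tally sector classes over a raw (dd-style) image held in memory.
    For a real multi-gigabyte image, read and classify in chunks instead of loading it whole."""
    summary = {"sectors": 0, "fill": Counter(), "pattern": Counter(), "data": 0}
    for off in range(0, len(data), sector_size):
        kind, value = classify_sector(data[off:off + sector_size])
        summary["sectors"] += 1
        if kind == "data":
            summary["data"] += 1
        else:
            summary[kind][value] += 1
    return summary


def wiped_fraction(summary):
    """Share of sectors carrying a wipe signature: every non-zero single-byte fill plus every
    short repeating pattern. Zero-filled sectors are left out; they are normal on any disk."""
    suspicious = (sum(n for byte, n in summary["fill"].items() if byte != 0)
                  + sum(summary["pattern"].values()))
    return suspicious / summary["sectors"] if summary["sectors"] else 0.0


# Constructed image: mostly 0x35 ('5') fill as on the W v. H drive, some genuinely unused (zero)
# space, a few sectors of varied content, and a short 0x55/0xAA alternating pass.
SAMPLE_IMAGE = (b"\x35" * SECTOR * 40
                + b"\x00" * SECTOR * 8
                + bytes(range(256)) * 2 * 4
                + b"\x55\xaa" * (SECTOR // 2) * 4)

if __name__ == "__main__":
    s = scan_image(SAMPLE_IMAGE)
    for byte, n in s["fill"].most_common():
        print("fill 0x%02X (%s): %d sectors" % (byte, format(byte, "08b"), n))
    for pattern, n in s["pattern"].most_common():
        print("pattern %s: %d sectors" % (pattern, n))
    print("data sectors: %d, wiped fraction: %.2f" % (s["data"], wiped_fraction(s)))
```

On the image above, 0x35 dominates and the wiped fraction is well above three quarters; on a lived-in drive the fill counter is dominated by 0x00 and the fraction stays near zero. Record where the filled extents start and end as well, since a wipe that covers only free space tells a different story from one that covers the whole partition.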
W v. H – Forensic Evidence
Windows First Run Log dated 7/25
File: Frunlog.lnk
Full Path: maxtor4gb\Part_1\NO NAMEFAT32\WINDOWS\Recent\Frunlog.lnk
Alias:
Extension: lnk
File Type: Shortcut File
Category: Other
Subject:
Created: 7/25/2005 5:48:42 PM
Modified: 7/25/2005 5:48:44 PM
Accessed: 7/26/2005
W v. H – Forensic Evidence
Registry files created 7/25/05
File: SYSTEM.DAT
Full Path: maxtor4gb\Part_1\NO NAMEFAT32\WINDOWS\SYSTEM.DAT
Alias:
Extension: DAT
File Type: Windows 9x/Me Registry File
Category: Other
Subject:
Created: 7/25/2005 10:37:22 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005
W v. H – Forensic Evidence
Registry files created 7/25/05
File: USER.DAT
Full Path: maxtor4gb\Part_1\NO NAMEFAT32\WINDOWS\USER.DAT
Alias:
Extension: DAT
File Type: Windows 9x/Me Registry File
Category: Other
Subject:
Created: 7/26/2005 6:13:06 PM
Modified: 7/26/2005 6:17:06 PM
Accessed: 7/26/2005
W v. H – Forensic Evidence
W’s password file created on 7/25
File: MARY.PWL
Full Path: maxtor4gb\Part_1\NO NAMEFAT32\WINDOWS\MARY.PWL
Alias:
Extension: PWL
File Type: Windows PWL file (new)
Category: Other
Subject:
Created: 7/25/2005 5:37:22 PM
Modified: 7/25/2005 5:37:24 PM
Accessed: 7/26/2005
W v. H – Forensic Evidence
Scandisk runs as part of the Windows 9x install on 7/25
File: SCANDISK.LOG
Full Path: maxtor4gb\Part_1\NO NAMEFAT32\SCANDISK.LOG
Alias:
Extension: LOG
File Type: Unknown File Type
Category: Unknown
Subject:
Created: 7/25/2005 8:22:54 PM
Modified: 7/25/2005 8:22:56 PM
Accessed: 7/25/2005
W v. H – Forensic Evidence
W deleted files in attempt to cover up
7/25 Windows install
Recycle Bin Index
Filename: Dc0.TXT
Original Name: C:\SETUPXLG.TXT
Date Recycled: 7/25/2005 5:48:41 PM
Removed from Bin: Yes
W v. H – Forensic Evidence
W swapped HD in Dell Dimension XPS
•The computer was manufactured by Dell.
•Dell maintains online inventory of all systems
shipped. Dell reported that W’s computer was
shipped on 10/15/1997 with an IBM 6.4GB hard
drive.
•I found a Maxtor 4.0GB hard drive installed in
W’s machine. It was not the original hard
drive!
Who upgrades by putting in a smaller / older
hard drive than the original?
W v. H – Conclusion and Consequences
I determined:
 The drive was swapped.
 The replacement hard drive had been wiped with “5’s”.
 Windows was installed on the evening that W found out about the court order arriving at her attorney’s office.
 Possibility that W may still have the original hard drive.
W faced contempt of court for not producing the HD.
H opted for civil contempt because we felt W still had the original hard drive, and failed to produce it.
Case settled before the RSC (Rule to Show Cause) hearing.
Possible Remedies for Spoliation
Least serious
 Monetary sanctions
More serious
 Negative (adverse) inference
Most serious
 If the plaintiff spoliated: dismiss the case
 If the defendant spoliated: strike the answer, default judgment
Consequences of cheating
on e-discovery :
Dismissal of Plaintiff’s case
QZO, Inc. v. Moyer, 594 S.E.2d 541 (S.C. Ct.
App. 2004).
Summary: The Appellate Court affirmed
dismissal in this trade secret case where a former
corporate officer had “reformatted” his hard drive
a day before delivering the computer to the
plaintiff’s expert pursuant to a court order.
Consequences of cheating
on e-discovery :
Strike Δ’s Answer, Default Judgment
Commissioner v. Ward, 2003 N.C. App. LEXIS 1099 (N.C
Ct. App. 2003). Docket #: 02-838
Summary: The defendants refused to cooperate in discovery matters which
required plaintiff's counsel to file three different motions to compel. At one
of the storage locations the plaintiff found DAT tapes, discs, cassettes,
videos, CD ROMs and other electronic data. The DAT tapes were obsolete
and the data could not be accessed without knowledge of the underlying
software. The defendant admitted accessing the tapes at an earlier time,
but refused to answer questions about the software during deposition
proceedings. The Court found that the defendants had willfully and
intentionally refused to comply with the discovery order and the lower court
struck the defendant's answer and prevented defendants from defending
and granted default judgment against certain claims. The Appellate Court
affirmed the ruling.
Consequences of cheating
on e-discovery:
Negative Inference
Arndt v. First Union Nat'l Bank, 613 S.E.2d 274 (N.C. Ct. App. 2005).
Docket #: COA04-807
Summary: An employer appealed the decision of the jury awarding a former employee wages lost
as a result of a unilateral change to his bonus plan. On appeal, the Court affirmed the rulings of
the lower court including an adverse inference imposed for failure of the employer to issue a
litigation hold after litigation was apparent. The employer failed to preserve certain e-mail and
profit and loss electronic documents. The adverse inference instruction read as follows, "Evidence
has been received that tends to show that certain profit and loss statements and E-mails were in
the exclusive possession of the defendant, First Union; and, [sic] have not been produced for
inspection, by the plaintiff or his counsel, even though defendant, First Union, was aware of the
plaintiff's claim. From this, you may infer, though you are not compelled to do so, that the profit
and loss statements and the E-mails would be damaging to the defendant. You may give this
inference such force and effect as you think it should have, under all the facts and circumstances.
You are permitted this inference, even if there is no evidence that the defendant acted
intentionally, negligently or in bad faith. However, you should not make this inference, if you find
that there a [sic] fair frank and satisfactory explanation for the defendant's failure to produce the
documents."
Issues confronting the use
of CF in Family Court
Issue #2: Unqualified and
Unlicensed Computer Forensics
Practitioners
July 27, 2007 http://www.usdoj.gov/usao/cae
BOGUS EXPERT IN COMPUTER FORENSICS
SENTENCED TO 21-MONTH PRISON TERM
FOR PERJURY
FRESNO – United States Attorney McGregor W.
Scott announced today JAMES EARL EDMISTON,
36, of Long Beach, California, was sentenced by
United States District Judge Lawrence J. O’Neill in
Fresno to a prison term of 21 months for his
convictions of two counts of perjury. He will also be
required to serve a term of supervised release of 36
months upon his release from custody.
EDMISTON had been retained by at least two
Fresno criminal defense attorneys to provide
computer forensic analysis in several child
sexual exploitation prosecutions.
As part of his work on those cases, EDMISTON prepared and executed
declarations under penalty of perjury in which he claimed that he had
been a computer consultant for twelve (12) years, that he had a
master’s degree in computer engineering from the California Institute of
Technology, and that he had been qualified as an expert witness in
computers and their online usage by numerous state and federal courts
throughout California.
An investigation revealed that EDMISTON did not, in fact, have degrees
from the California Institute of Technology, the University of California
at Los Angeles, or the University of Nevada at Las Vegas, as he alleged.
Court documents show that EDMISTON also concealed his prior criminal
record that includes a prison term that he served in the mid-1990s as a
result of forgery convictions in the California Superior Court, Los
Angeles County.
Despite a lack of credentials to do so,
EDMISTON did, in fact, testify under oath as an
“expert” in cases in courts in California.
In sentencing EDMISTON to prison, Judge
O’Neill specifically commented that,
“the defendant’s crimes went to the very
heart of the judicial system which is
designed to seek the truth in each case.”
35 States Requiring PI Licenses for
Computer Forensics and
E-discovery Practitioners
Arizona, Arkansas, Connecticut, Florida,
Georgia(?), Hawaii, Illinois, Indiana, Iowa,
Kansas, Kentucky, Maine, Maryland,
Massachusetts, Michigan, Minnesota, Montana,
Nebraska, Nevada, New Hampshire, New Jersey,
New Mexico, New York, North Carolina, North
Dakota, Ohio, Oregon, South Carolina,
Tennessee, Texas, Utah, Vermont, Virginia, West
Virginia, Wisconsin
(As of 7/2007)
SC law requires Computer Forensic Practitioners to be licensed.
 PI License (SC Title 40, Chap. 18): “securing evidence” for a civil or criminal legal proceeding.
 Exempts licensed attorneys, CPAs, or engineers.
 Exempts employees doing an internal investigation for their employer, unless the employer is a PI agency.
 SC Attorney General Opinion (April 2007): SLED to promulgate specific regulations for computer forensics firms. The SLED CF Committee is working on stiffer regulations now.
 Out-of-state CF vendors must be licensed in SC if evidence is collected here, or destined for use in a legal proceeding here. (Accountability, long-arm access)
Issues confronting the use of CF in Family Court
Issue #3: Lack of uniform rules for e-discovery in state court.
Need for certainty in e-discovery matters heard in State Court, as there is in Federal Court under the revised FRCP.
 The FRCP 2006 revisions have leveled the playing field in federal court in matters involving discovery of electronically stored information.
 Comparable revisions in the State rules of civil procedure are needed to promote certainty and fairness to all parties, and to simplify the job of the court.
 National Conference of Commissioners on Uniform State Laws – Model Rules
Take Home Message
1. Check licenses and credentials of CF examiners. (Degrees vs. certification)
2. Question the validity of CF evidence.
3. Consider stiffer sanctions for willful spoliation to curb abuses of the discovery process.
4. Promote the adoption of uniform rules for e-discovery in State Courts.
Questions?
Abrams Millonzi Law Firm, P.C.
Abrams Computer Forensics
1558 Ben Sawyer Blvd., Suite D
Mount Pleasant, SC 29464
(843) 216-1100
steve@abramsforensics.com