Digital Investigations in Academic Environments

Presented by:
Tony Martino, Senior Forensic Examiner, AMRIC Associates
Ronald Longo, Principal Member, Keane & Beane P.C.

About the Presenter – Anthony Martino
● Senior Forensic Examiner – AMRIC Associates
● Director of the Northeast Cyber Forensic Center at UC
● Adjunct faculty – cyber security and forensics
● Retired Sergeant from Utica Police Department
● Member of the U.S. Secret Service ECTF
● Over 10 years experience in the digital forensics field
● Expert witness qualifications in state and federal courts

About the Presenter – Ronald Longo
Principal – Keane & Beane, P.C. (White Plains, NY; Fishkill, NY)
• Attorney specializing in Public Sector Labor Law and Education Law for over 30 years
• Prior experience as Assistant Town Attorney for Labor Matters, School Personnel Administrator and County Personnel Department employee
• Past President of New York State Public Employer Labor Relations Association

Topics
● Digital evidence and forensics
● Forensics vs IT
● Data preservation & eDiscovery
● Conducting internal investigations with digital evidence
● Special considerations for academic environments
● Designing digital device usage policies
● Case studies

Digital Evidence

Digital Forensics
• The ability to conduct analysis of digital data in a manner that:
  • Does not alter the original information
  • Conforms to industry accepted practices
  • Provides repeatable results
  • Meets the standards necessary to support criminal, civil or internal litigation

Digital Forensics Capabilities
• Recovery of deleted information
• Analysis of user activity
• Timeline creation of data changes
• User attribution for activity on shared systems
• Preservation of data for future analysis or litigation

Digital Forensics Limitations
• Forensics is not magic
• Data that is not there cannot be found
• Data that has been corrupted or destroyed cannot be restored to its original form
• The recovery of deleted data is limited in scope and not guaranteed
• Forensic examinations involve the application of scientific processes. The result is not always a smoking gun.

Forensics vs IT

Data Preservation & eDiscovery
● Digital data is volatile and easily destroyed or corrupted
  – Routine system processes
  – User activity
  – Intentional destruction
  – Well meaning “investigations”
  – Expired retention periods

Data Preservation & eDiscovery
● Early preservation is paramount
  – Take systems offline
  – Create forensically sound duplicates
  – Locate external data
  – Identify log files or other surveillance information

Example: Cellular Phone Evidence
Where is the Evidence? Handset vs Service Provider

Handset:
– Recent call logs
– Contacts
– Email
– Text messages
– Images / videos
– Location history
– Social media
– Internet history

Service Provider:
– Account information
– Historical call logs *
– Text messages / logs *
– Location history *

* Subject to legal process and service provider retention policies.

Service Provider Data
The amount, type and retention period for data can vary widely between carriers.
– Legal process required
– ECPA
– Preservation

Internal Investigations
Internal investigations are commonplace, but challenging
– Trust may be hard to define
– Most protections are outward facing
– Digital evidence is commonplace
– Policies may be inconsistent or silent on issues related to digital evidence
– Some evidence is likely to exist on private devices
– Privacy and confidentiality needs may conflict with investigative needs

Internal Investigations
Basic steps
– Get legal assistance ASAP
– Involve as few people as necessary
– Consider after hours or sneak & peek operations
– Preserve data and backups of potential evidence to protect against destruction due to long litigation waits
– Adhere to legal and contractual limitations on searches and interviews
– Get expert assistance

Internal Investigations
Interview Preparation

Internal Investigations
Interviews
– Create a comfortable atmosphere
– Be non-confrontational
– Seek the truth.
  Not a predetermined outcome
– Have and display empathy
– Ask open ended questions
– Shut up and listen
– Use recording devices if permitted

Academic Environments
Special Considerations
– Privacy needs – FERPA, local policies etc.
– Students are likely far more technologically advanced
– Educational goals and best practices for preventing improper faculty / student relationships are sometimes in conflict

Academic Environments
Educators have high public profiles
– Outside influences can interfere with investigations
– Fear of public exposure can reduce cooperation
– Even unsubstantiated claims of impropriety with children can have catastrophic consequences
  • Investigation secrecy
  • Support for suspected staff members

Designing Usage Policies
Goals
– To allow the use of technology to further the goals of the institution
  • Instructional needs
  • Community involvement
    – Parents
    – Media
– To create an information infrastructure that allows access to information in a safe environment that is appropriate for a wide range of ages

Designing Usage Policies
User attribution is a must
– Unique user names and passwords
Shared devices are commonplace
– Mandate use of only personal credentials
Data exfiltration can be serious
– Removable media
– Dissemination of institutional data

Designing Usage Policies
Personal assignment of institution owned devices is common
– Acceptable use
– Personal use allowable?
Social media is a double edged sword
– Excellent mechanism for reaching the public
– Can be a dangerous place for faculty & students to mix
Every faculty / staff member should have an official communication mechanism
– All communications with students/parents should be mandated to occur within this medium

Designing Usage Policies
Bring Your Own Device (BYOD)
– Becoming more popular in corporate, government and academic environments
– Can reduce technology needs and costs for the institution
– Can increase employee productivity
– Can lead to serious data security issues

Designing Usage Policies
Strong BYOD policies are a must
– What specific devices are allowed
– What are the required security standards
– Prohibitions against data exfiltration
– Employee separation policy
  • Cleansing of institution data from device
  • Examination of device before separation
  • Disconnection of device from connectivity to institution

Case Study 1
Faculty member utilized social media and other non-official mechanisms to communicate with students
– In violation of district policy
Complaints from parents over the content of communications are filed with school district
– Ability to monitor or perform discovery on non-official media is difficult
– Much of the evidence has been deleted or otherwise destroyed
– The integrity of evidence collected from students' personal online accounts can be easily questioned

Case Study 2
Faculty member is found to have inappropriate content on a district owned laptop computer
– Faculty member admits that the content is his, but insists he did not place it on the district computer
– Subsequent forensic examination of the computer found that the content was automatically placed on the computer by a backup process that occurred when a cellular phone was plugged in to the laptop
– District has no policy that prohibits the connection of personal devices to institution computers

Case Study 3
A review of log files by IT shows that an employee has been utilizing a faculty office computer to view pornographic material
– A review of attendance logs shows that the employee in question was not actually present when the infractions occurred
– A forensic examination of the computer showed that the browsing activity could be attributed to a different employee
– Lax institutional policy on safeguarding user credentials allowed one employee to gain access to the passwords of his supervisor and co-workers and gain access to an unknown amount of sensitive data

About AMRIC Associates
Capabilities
– Digital Forensic Examinations
– Private Investigation Services
– Interviews & Interrogations
– Surveillance
– Expert Witness Testimony

Contacts
6444 Fly Road, East Syracuse, New York 13057
315.437.5500
www.amric.com
tonymartino@amric.com

Questions
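Worked example for the "Digital Forensics" and "Data Preservation & eDiscovery" slides above (create forensically sound duplicates; do not alter the original; repeatable results). This is an added example, not code from the presentation or from AMRIC Associates. It images a source in fixed-size chunks while hashing it, then makes an independent second pass over both the image and the source so that the examiner can show (a) the duplicate is byte-for-byte identical and (b) the source was not altered by the acquisition. The "evidence" is a constructed temporary file standing in for a block device; the read-only `chmod` on the image is a stand-in for storing it on write-protected media, and a real device would be read through a hardware write blocker. File names and the record layout are assumptions of this example.

```python
"""Forensically sound duplication with hash verification (added example).

The source is opened read-only and copied to an image file; MD5 and SHA-256
are computed from the bytes as they are read. verify() then re-hashes the
finished image and the source in a separate pass: all three hash sets must
agree before the duplicate is treated as sound, and the record returned is
what an examiner would keep with the evidence.
"""
import hashlib
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads; real acquisitions go through a write blocker


def hash_file(path, algos):
    """Hash a file in one read-only pass; returns {algo: hexdigest}."""
    hashes = {a: hashlib.new(a) for a in algos}
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
    return {a: h.hexdigest() for a, h in hashes.items()}


def acquire(source, image, algos=("md5", "sha256")):
    """Copy source to image byte-for-byte, hashing the source as it is read.
    Returns the acquisition record (an assumed layout for this example)."""
    hashes = {a: hashlib.new(a) for a in algos}
    size = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            for h in hashes.values():
                h.update(block)
            dst.write(block)
            size += len(block)
    os.chmod(image, 0o444)  # stand-in for keeping the image on read-only media
    return {
        "source": source,
        "image": image,
        "bytes": size,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "algos": list(algos),
        "source_hash": {a: h.hexdigest() for a, h in hashes.items()},
    }


def verify(record):
    """Independent second pass: re-hash the image and the source after acquisition.
    The duplicate is sound only if image == source-during-read == source-after."""
    record["image_hash"] = hash_file(record["image"], record["algos"])
    record["source_hash_after"] = hash_file(record["source"], record["algos"])
    record["verified"] = (
        record["image_hash"] == record["source_hash"] == record["source_hash_after"]
    )
    return record["verified"]


def demo():
    """Constructed evidence: 5 MiB of patterned data. A sound acquisition verifies;
    a single byte flipped in the image afterwards makes verification fail.
    Returns (sound, tampered_sound)."""
    with tempfile.TemporaryDirectory() as d:
        source = os.path.join(d, "evidence.bin")  # constructed stand-in for a device
        image = os.path.join(d, "evidence.dd")
        with open(source, "wb") as f:
            for i in range(5):
                f.write(bytes([i]) * (1024 * 1024))
        record = acquire(source, image)
        sound = verify(record)
        # Simulate post-acquisition tampering with the image (not the source).
        os.chmod(image, 0o644)
        with open(image, "r+b") as f:
            f.seek(4096)
            f.write(b"\xff")
        tampered_sound = verify(record)
        return sound, tampered_sound


if __name__ == "__main__":
    print("sound, after tamper:", demo())
```

Two hash algorithms are recorded because opposing counsel may ask for whichever one the other side's tool reports; the second pass over the source is what supports the "does not alter the original" claim, and repeating `verify()` later against the stored image gives the "repeatable results" the slides call for.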
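Worked example for Case Study 3 and the "User attribution for activity on shared systems" capability above. This is an added example, not code from the presentation or from AMRIC Associates, and all log data in it is constructed. It correlates web-access log entries, which name an account, with badge/attendance records, which name a person: an entry whose account holder was not on site at that time cannot be attributed to that person on the strength of the account alone, so the script flags it and lists who was present, which is where a credential-sharing inquiry would start. The log formats, host name and user names are assumptions of this example.

```python
"""User attribution check for a shared office computer (added example).

Parses a constructed web-access log (account-based) and constructed
attendance records (person-based), then flags every access entry that
occurred while the account holder was not on site and names the people
who were.
"""
import re
from datetime import datetime

# Constructed web-access log: timestamp, host, account, URL category.
ACCESS_LOG = """\
2019-03-12 09:15:02 host=FAC-OFF-07 user=jsmith cat=education
2019-03-12 13:42:10 host=FAC-OFF-07 user=jsmith cat=adult
2019-03-12 13:58:47 host=FAC-OFF-07 user=jsmith cat=adult
2019-03-13 10:05:31 host=FAC-OFF-07 user=jsmith cat=news
2019-03-13 18:20:05 host=FAC-OFF-07 user=jsmith cat=adult
"""

# Constructed badge/attendance records: person, date, time in, time out.
ATTENDANCE = """\
jsmith,2019-03-12,07:55,12:00
jsmith,2019-03-13,08:02,16:30
rbrown,2019-03-12,08:10,17:05
rbrown,2019-03-13,08:00,19:00
alee,2019-03-12,12:30,14:15
"""

LINE_RE = re.compile(r"(\S+ \S+) host=(\S+) user=(\S+) cat=(\S+)")


def parse_access(text):
    """Access log lines -> list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, host, user, cat = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "host": host,
            "account": user,
            "category": cat,
        })
    return events


def parse_attendance(text):
    """Attendance CSV -> {person: [(on_site_from, on_site_until), ...]}."""
    windows = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        person, day, t_in, t_out = line.split(",")
        start = datetime.strptime(f"{day} {t_in}", "%Y-%m-%d %H:%M")
        end = datetime.strptime(f"{day} {t_out}", "%Y-%m-%d %H:%M")
        windows.setdefault(person, []).append((start, end))
    return windows


def present(windows, person, ts):
    """True if the badge records place this person on site at time ts."""
    return any(start <= ts <= end for start, end in windows.get(person, []))


def attribute(access_text, attendance_text):
    """Annotate each access event with whether the account holder was present
    and which other badge holders were on site at that moment."""
    windows = parse_attendance(attendance_text)
    annotated = []
    for ev in parse_access(access_text):
        holder_present = present(windows, ev["account"], ev["ts"])
        others = sorted(
            p for p in windows if p != ev["account"] and present(windows, p, ev["ts"])
        )
        annotated.append({**ev, "account_present": holder_present, "present_others": others})
    return annotated


def flagged_events(access_text, attendance_text):
    """Events that cannot be attributed to the account holder by attendance."""
    return [e for e in attribute(access_text, attendance_text) if not e["account_present"]]


if __name__ == "__main__":
    for e in flagged_events(ACCESS_LOG, ATTENDANCE):
        who = ", ".join(e["present_others"]) or "nobody"
        print(f"{e['ts']} {e['host']} account={e['account']} cat={e['category']}: "
              f"account holder absent; on site: {who}")
```

On the constructed data the three "adult" entries are flagged and the educational/news entries are not; the "on site" list is a lead, not an attribution, and the attendance records themselves are among the external data the preservation slides say to locate and preserve early, since they are what makes this cross-check possible.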