Forensics
Make sure you know the basics.
By Lisa Sweetingham
Court TV
Types of Evidence
• Documents
• Spreadsheets
• Emails
• Programs
• Attachments
• Databases
• Internet Activity
• Temporary Files
“In short, the average computer is about as secure as a wet paper bag, and it is one of the last places where you would want to hide valuable data or use to communicate secret or sensitive information.”
Rick Maybury
Bootcamp week 182: Email and PC security
Connect
July 5, 2001
Fun Statistics
• About 31 billion emails are sent daily, a figure expected to double by 2006
(IDC Email usage forecast and analysis, www.sims.berkeley.edu/research/projects/how-much-info-2003)
The large hard drives in use today can have slack space as
large as:
• Steganography
– Hiding in plain sight
– Need the correct tool & maybe password to
retrieve
– S-Tools
Password Breaking
• Passwords
– MS-Office Files
– Compressed Files (*.zip)
– Applications like Quickbooks
– Web mail logins
– Other logins via web interfaces
• Utilities
– PTK, Password Tool Kit
– Lost Password
Difference in Forensic Tools
• No one tool does everything
• Know each tool's strengths & weaknesses
• Example
– FTK preprocesses and builds an index; EnCase post-processes and builds no index
• Where do I start?
???QUESTIONS???
Law Stuff & Computer Forensics
Computer Forensics vs Electronic Discovery
• Sexual Harassment
• Wrongful Terminations
• Divorce
• Child Custody
• Corporate Fraud
• Employee Terminations
• Pornography
A Few Cases
• Electronic production may be required
– Anti-Monopoly, Inc. vs Hasbro, Inc., 1995 WL 649934
(S.D.N.Y. Nov. 3, 1995)
Source: adapted from Computer-Based Discovery in Federal Civil Litigation by Kenneth J Withers. 2000
Sedona Conference
• A non-profit, non-partisan law and policy think-tank - http://www.thesedonaconference.org
• WG1: Electronic Document Retention and Production; its purpose is to develop principles and best practice guidelines concerning electronic evidence retention and production.
• 14 proposed guidelines that were developed as
a joint collaboration between attorneys in the
public and private sector, judges, and other
experts.
Criminal - FRYE
• This later evolved into the Frye Standard, Frye v. United States, 293 F. 1013 (D.C. Cir. 1923). The Frye standard basically looks for ‘general acceptance’ in the related field. The court’s gatekeeper role was to be conservative in nature; this gatekeeping function was meant to keep unproven ‘science’ out of the courtroom. This worked well until a case came before the court that involved a scientific issue so new that there had not been enough time for it to gain ‘general acceptance’. This was becoming an issue in the courts, and then finally there was Daubert.
Criminal – FRE702
• Rule 702. Testimony by Experts
• If scientific, technical, or other specialized knowledge will
assist the trier of fact to understand the evidence or to
determine a fact in issue, a witness qualified as an
expert by knowledge, skill, experience, training, or
education, may testify thereto in the form of an opinion or
otherwise, if (1) the testimony is based upon sufficient
facts or data, (2) the testimony is the product of reliable
principles and methods, and (3) the witness has applied
the principles and methods reliably to the facts of the
case.
• http://www.law.cornell.edu/rules/fre/rules.htm
Criminal – Daubert/Kumho
• In Daubert the Court charged trial judges with
the responsibility of acting as gatekeepers to
exclude unreliable expert testimony
• Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579
(1993)
• Court in Kumho clarified that this gatekeeper
function applies to all expert testimony, not just
testimony based in science.
• Kumho Tire Co. v. Carmichael, 119 S.Ct. 1167 (1999).
Searching – Legal Stuff
• Work with the attorney/investigator to
develop reasonable search terms &
criteria
E-Discovery Pitfalls
• Having no electronic discovery plan or pursuing discovery of
electronic evidence in a haphazard manner.
• Not understanding that delete does not mean delete.
• No backup policy or documented retention policy
• Failure to fully discontinue document destruction practices.
• Ignoring certain “hard to deal with” sources of evidence
• Underestimating email use
• Claiming to have produced everything or turning over electronic
evidence late in the game
• Failure to image hard drives of departing employees
• Inexperienced people conducting well-intentioned computer
forensics investigations
• Shouldering the electronic discovery burden alone
– Michele Lange & Linda Sharp, Daily Journal, June 16, 2003
Chain of Custody
• Guard yours/Question theirs
• Was the file altered during the imaging process?
• Was the file altered during the analysis?
• How sound was the capture process?
• Was the image forensically sound? Did it need to be?
• How secure is the data during analysis? While it was
stored?
• From what media is the analysis being done? From the
original? From an image?
• Who handled and processed the data? Can you prove
the data is still sound?
The Chain
• There needs to be a process in place to preserve the Chain of Custody.
– Have the client document everything done to or on the computer from the time of the incident until the time a computer forensic specialist receives or images the computer media
– NEVER work on original media
– Never trust the suspect’s operating system
– Maintain Chain of Custody
– Document Everything
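The questions on the previous slide ("Was the file altered during the imaging process?", "Can you prove the data is still sound?") are usually answered with a hash recorded at acquisition and re-checked before analysis. The following is an added example, not code from the deck or from any forensic product; it assumes SHA-256 as the integrity hash and uses a constructed byte string in place of real media.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for seized media: a few "sectors" of bytes, not a real drive.
ORIGINAL_MEDIA = b"sector0:boot|sector1:budget.xls|sector2:deleted-email|" + b"\x00" * 64


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def log_entry(log: list, handler: str, action: str, **details) -> None:
    """Append one chain-of-custody record: who did what, when, with which hashes."""
    log.append({"when": datetime.now(timezone.utc).isoformat(),
                "who": handler, "action": action, **details})


def image_media(original: bytes, handler: str, log: list) -> bytes:
    """Take a bit-for-bit image of the original and record both hashes.

    Matching hashes answer "was the file altered during the imaging process?";
    every later step works on the image, never on the original media.
    """
    image = bytes(original)  # stands in for a block-level copy of the drive
    log_entry(log, handler, "imaged original media",
              original_sha256=sha256_hex(original), image_sha256=sha256_hex(image))
    return image


def verify_image(image: bytes, handler: str, log: list) -> bool:
    """Recompute the image hash and compare with the value recorded at acquisition."""
    acquisition = next(e for e in log if e["action"] == "imaged original media")
    matches = sha256_hex(image) == acquisition["image_sha256"]
    log_entry(log, handler, "verified image before analysis", match=matches)
    return matches


def custody_demo() -> tuple:
    """An intact image verifies; an image altered after acquisition does not."""
    log = []
    image = image_media(ORIGINAL_MEDIA, "examiner A", log)
    intact_ok = verify_image(image, "examiner B", log)
    # Simulate a stray write to the evidence copy (e.g. analysed without a write blocker).
    altered = image[:10] + b"X" + image[11:]
    altered_ok = verify_image(altered, "examiner B", log)
    return intact_ok, altered_ok, len(log)
```

Each log record names the handler, so the log also answers "who handled and processed the data?" from the Chain of Custody slide.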
Preserve the potential evidence
• QZO, Inc. vs Moyer, 594 S.E. 2d 541 (S.C. Ct App.
2004)
– The specialist discovered the hard drive had been reformatted a
day before the defendant delivered the computer to the
corporation, which erased any evidence that may have been on
the computer. The trial court granted the corporation’s motion
for sanctions and entered the default judgment in favor of the
corporation.
• Renda Marine, Inc. v. United States, 58 Fed. Cl. 57 (Fed.
Cl. 2003).
– The US Army Corps of Engineers did not change its policy or procedures to preserve emails after it had been put on notice that litigation might be pending. The court therefore ordered that they produce the backup tapes at their own expense and provide access to relevant hard drives.
What can come down from the
Bench?
• Decisions on preservation & spoliation
• Defining scope of discovery
• Issues on on-site inspection, imaging, and
backup tapes
• Cost allocations
• Sanctions or unfavorable instructions
Sarbanes-Oxley
• Companies are required to have a game plan for preserving any
potential evidence
• The most severe penalties are for those who destroy records (including electronic ones), with fines up to 5 million and up to 20 years in jail
• Section 802 – Evidence preservation duties (includes deleted
documents)
• Section 301 – Must receive and investigate complaints and
allegations of fraud
• Sections 302, 404, & 806 – Effective Internal Investigations
• Sections 301, 302, & 404 – Evidence of due diligence
• Sections 302, 404, 409 – Rapid Response, Expedient, efficient, &
thorough
http://www.encase.com/corporate/whitepapers/downloads/Sarbanes-Oxley.pdf, by John Patzakis and Victor Limongelli
* New Incident Response Mandates under Gramm-Leach-Bliley, Guidance Software, March 2005
Websites worth a Look
• http://www.law.cornell.edu/rules/frcp/overview.htm
• http://www.kenwithers.com/ *a good one that I like*
• http://www.e-evidence.info/
• http://www.nsrl.nist.gov/index.html
• http://www.ojp.usdoj.gov/nij/sciencetech/ifs.htm
• http://www.ojp.usdoj.gov/
• http://staff.washington.edu/dittrich/forensics.html
• http://www.usdoj.gov/criminal/cybercrime/searching.html
• http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
• http://www.atlccs.com/index.html
Two Worlds Collide
(Lawyers & Geeks)