Sued or Suing: Introduction to Digital Forensics
WHAT SHOULD YOU KNOW AND PREPARE FOR
UPON HIRING A DIGITAL FORENSICS EXPERT?
By Anyck Turgeon
August 2015
Table of Contents
1) Defining your needs
2) Introduction to digital forensics
3) Demystifying different types of digital forensics
4) Pros and cons of using digital forensics
5) Understanding digital evidence
6) Admissibility of digital forensics evidence
7) Where can you find digital evidence?
8) Example of crimes being resolved with digital forensics
   Case Scenario #1: Fraud, cyber-security & money laundering
   Case Scenario #2: Trafficking
   Case Scenario #3: Murders
   Case Scenario #4: Incidents, Accidents & Disasters
7) Objectives & 5 main stages of digital forensics
8) Digital forensics methodology
9) Why use digital forensics experts?
10) Risks of self-collection
11) Engaging digital forensics experts
12) Q&A
Defining Your Needs
Examples of digital forensics you may want/need:
- Locating erased data
- Attesting to authenticity of records
- Neutral/impartial/evidence-based analysis of digital devices
Examples of evidence you may want/need:
- Original financial statements, bank records and tax filings
- Authenticated legal to HR contracts and/or documents
- Timestamped activities from logs
- Timeline of events by participants or by filed claim(s)
- Deleted/damaged records (including re-formatted hard drives, moved email messages, etc.)
- Untampered contextual evidence (e.g. video feed from separate traffic camera recordings and cell phones demonstrating an accident from different angles plus satellite feed)
- Overlooked data (hiding evidence within massive amounts of changed records, root kit, file slack, versioning, etc.)
Introduction to Digital Forensics
DIGITAL FORENSICS: “The use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitation or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations.”
American Academy of Forensic Sciences
[Slide diagram: digital forensics reviews, analyzes and protects DIGITAL EVIDENCE]
Demystifying Digital Forensics
Computer Forensics involves the preservation, identification, extraction, documentation, and interpretation of computer media for evidentiary and root cause analysis.
Methods of computer forensics are:
- Discovering data on a computer system
- Securing potential evidence, sometimes validated through contextual analysis (e.g. correlating 3+ independent sources)
- Recovering deleted, encrypted, or damaged file information
- Monitoring live activity
- Detecting violations of corporate policy
Other types of digital forensics: Cyber & Social Media Forensics; Hacking Forensics; IoT, Car, Cloud and Contextual Forensics.
Ability to SEARCH through a massive amount of data: quickly, from several devices, thoroughly, in any language.
And REPORT: efficiently, accurately, convincingly.
Pros & Cons of Digital Forensics
DIGITAL FORENSICS: Advantages vs. Disadvantages
Disadvantages:
- Required expertise
- Tools (over 80 tools continuously updated)
- Cost
- Potential exposure of privileged documents
Understanding Digital Evidence
DIGITAL EVIDENCE: “Any data that is recorded or preserved on any medium in or by a computer system or other similar device, that can be read or understood by a person or a computer system or other similar device. It includes a display, print out or other output of that data.”
5 Rules of Evidence
1) Admissible, based on relevance (Federal Rules of Evidence 401 and 402 + FRCP Rule 26(b)(1)): must be relevant and prepared to be used in court or another resolution approach
2) Authentic (FRE 901(a))*: evidence must be validated (DF methodology)
3) Complete: offers an unbiased representation of the facts with sufficient context and validation
4) Reliable: no question about authenticity and veracity
5) Believable: clear, well represented and easy for a jury to understand
Top 5 Considerations of Digital Evidence:
o Circumstantial (hearsay) status
o Easily altered, damaged, or destroyed
o Latent, like a fingerprint or DNA
o Fragile
o Can be time sensitive
Admissibility of Digital Forensics
5 Rules for Admissibility of Digital Evidence
1) Authenticity/Reliability
2) Traceability
3) Repeatability
4) Data integrity
5) Confidentiality/Security
The Federal Rules of Evidence (FRE) were codified in 1975 with the intention of assisting and guiding parties and courts, in both civil and criminal matters, on the admission of evidence. In civil matters, the Federal Rules of Civil Procedure (FRCP) also address the manner in which facts or tangible items are admitted as evidence.
FRE 803(6) and 803(7) provide exceptions to the hearsay rule, permitting the admission of records if their source is sufficiently reliable.
To be admissible in court, digital forensics experts must prove:
- that there is, was and has been no tampering;
- that all evidence is fully accounted for; and
- their complete knowledge of all aspects of the appropriate domain of digital forensics, legal requirements, evidence handling, storage and documentation procedures related to the evidence that they are asked to locate, analyze and report on.
All types of civil, criminal, military and administrative cases use digital forensics wherever activities and evidence are captured through digital media and used FOR RESOLUTION, such as:
- computers
- printers
- home appliances
- vehicle ECUs and CANs (cars, drones, UAVs, planes, helicopters, scooters, boats, satellites, etc.)
- robots
- electric, cooling, alarm and/or lighting systems with remote access
- sensor-based controllers
- cell phones
- tablets, etc.
Digital Forensics can be cost prohibitive but… with more than 9.4 Billion devices being connected under the Internet of Things (IoT/IoE), digital forensics should be used in 95% of legal cases by 2020.
Where Is Digital Evidence?
Example of crimes being resolved through digital forensics:
o Computer security breach & identity theft
o Fraud & money laundering
o Copyright violations & intellectual property infringement
o Trafficking investigations (narcotics, armament, human, organ, slavery, etc.)
o Threats, kidnappings and ransom (especially ransomware), murders
o Burglary, fires & disasters
o Suicide to terrorist activities and counter-terrorism
o Defamation & cyber-bullying
o Administrative investigations
o Sexual assault, stalking & child pornography
o Divorce & child custody
“Digital forensics has become an indispensable tool
in the practice of law” State Bar of CA (2010)
Solving Crimes: costs vs. benefits (proportionality doctrine)
How Is Digital Forensics Used:
Case scenarios:
- Fraud, cyber-security and money laundering cases, to:
  - identify criminal activities and parties from their altered cell phone, printer and computer records
  - analyze complex financial transfers through advanced ratio analysis of accounting/financial/taxation reports (especially when restated) and
  - document intent through email communications and recordings
- Drug trafficking, human trafficking and organ trafficking cases, to:
  - demonstrate usage of social media groups for recruitment,
  - show the processing of complex and anonymous financial transactions via the Deep Web using Bitcoins and
  - show intentional use of online applications to confirm delivery of goods
How Is Digital Forensics Used:
Case scenarios:
- Murders, through:
  - deleted online search logs
  - airline reservations using counterfeited IDs
  - encrypted receipts for purchase of illegal guns and
  - recorded shooting with picture of perpetrators captured from traffic signal camera
- Fires, car accidents and plane crashes/explosions, through:
  - captured ECU/CAN data
  - transmitted signals
  - analyzed and reconciled activities
Objectives & Steps of Digital Forensics
DF OBJECTIVES:
• Preservation • Collection • Validation • Identification
• Analysis • Interpretation • Documentation and • Presentation
5 MAIN STEPS OF DIGITAL FORENSICS:
1) Approval: Identify, classify and prioritize all sources of evidence. Request access directly or indirectly. Secure authorization (including subpoenas).
2) Acquisition: Physically and/or remotely obtain possession of the computer, all network mappings from the system, and external physical storage devices. A mirror image is created with a secure hash.
3) Analysis: Identify what data could versus should be recovered. Numerous parsing tools are used to identify damaged/deleted/corrupted data. Keyword searches are used to retrieve content about specific topics. Other forensic approaches and tools may be used.
4) Reporting: Represent and testify about the evidence discovered (often using data visualization tools) in a manner that is understood by lawyers, non-technical staff/management, and is suitable as evidence as determined by the Court.
5) Storage / Disposal: Ensure compliance with evidentiary maintenance requirements.
Digital Forensics Methodology
1) Discuss potential crimes
2) Develop crime theories
3) Assess all evidence and digital items to investigate
4) Agree on retainer, activities to be completed, terms of engagement and payments
5) Obtain approval
6) Secure digital devices, data and evidence to investigate (including timestamped photos)
7) Document hardware and software system(s) plus configuration (decide to shut down or not) as part of chain of custody
8) Transport the system(s) to a secure location
9) Create timestamped mirror image
10) Make Bit Stream Backups (at a minimum 3)
11) Authenticate data (original and copies)
12) Protect system
13) Itemize all easily accessible content
14) Evaluate swap file, file slack and unallocated spaces, revealing all content used by systems and apps
15) Evaluate program functionality
16) Identify file, program and storage anomalies
17) Access content of protected files (as applicable and authorized)
18) Develop keyword list (with legal parties if possible)
19) Analyze data
20) Document all findings and deliver tracked analysis report(s) to all appropriate parties
21) Provide expert consultation and/or testimony
22) Abide by court and jurisdictional storage/disposal requirements
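Steps 9 to 11 of the methodology (timestamped mirror image, at least three bit-stream backups, authentication of original and copies) are the part of the process that later supports the traceability, repeatability and data-integrity rules for admissibility. The following Python script is an added illustration of those three steps and is not code from the presentation or from M-CAT Enterprises. It assumes the "seized device" is an ordinary file on disk (a real acquisition would read a write-blocked block device), and the file names, the examiner name, the JSON custody-record format and the sample evidence bytes are all constructed for the example.

```python
"""
Added example (not part of the original presentation): create a timestamped
mirror image of a source, make >= 3 bit-stream backups, and authenticate the
original and every copy by cryptographic hash. A chain-of-custody record is
written as JSON so the hashes can be re-verified later (repeatability).
"""
import hashlib
import json
import os
import shutil
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so large images need not fit in memory


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, computed chunk by chunk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def bitstream_copy(src, dst):
    """Byte-for-byte copy of src into dst; nothing is interpreted or altered."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        shutil.copyfileobj(fin, fout, CHUNK)
    return dst


def image_and_authenticate(source_device, workdir, examiner, copies=3):
    """
    Methodology steps 9-11: timestamped mirror image, `copies` bit-stream
    backups (the presentation asks for a minimum of 3), then hash-based
    authentication of the original against every copy. Returns the custody
    record (also written to workdir as JSON; format constructed for this example).
    """
    if copies < 3:
        raise ValueError("methodology requires at least three bit-stream backups")
    os.makedirs(workdir, exist_ok=True)
    acquired_at = datetime.now(timezone.utc).isoformat(timespec="seconds")
    stamp = acquired_at.replace(":", "").replace("+0000", "Z")  # filesystem-safe timestamp

    # Hash the source first, before any copy is made, so later drift is detectable.
    original_hash = sha256_of(source_device)

    image_path = bitstream_copy(source_device, os.path.join(workdir, f"image_{stamp}.dd"))
    artefacts = {"mirror_image": image_path}
    for i in range(1, copies + 1):
        artefacts[f"backup_{i}"] = bitstream_copy(
            image_path, os.path.join(workdir, f"backup_{i}_{stamp}.dd"))

    hashes = {name: sha256_of(path) for name, path in artefacts.items()}
    record = {
        "source_device": source_device,
        "examiner": examiner,
        "acquired_at_utc": acquired_at,
        "algorithm": "sha256",
        "original_hash": original_hash,
        "artefacts": artefacts,
        "artefact_hashes": hashes,
        # Authentication succeeds only if every copy hashes identically to the source.
        "authenticated": all(h == original_hash for h in hashes.values()),
    }
    with open(os.path.join(workdir, f"custody_{stamp}.json"), "w") as f:
        json.dump(record, f, indent=2)
    return record


def verify_record(record):
    """Re-hash every artefact named in a custody record. Returns (all_ok, failures)."""
    failures = []
    for name, path in record["artefacts"].items():
        if not os.path.exists(path):
            failures.append((name, "missing"))
        elif sha256_of(path) != record["artefact_hashes"][name]:
            failures.append((name, "hash mismatch"))
    return (not failures, failures)


if __name__ == "__main__":
    import tempfile
    tmp = tempfile.mkdtemp(prefix="df_demo_")
    # Constructed sample "device" contents; a real run would image a write-blocked drive.
    src = os.path.join(tmp, "seized_usb.bin")
    with open(src, "wb") as f:
        f.write(b"DELETED_INVOICE_2014.xlsx\x00" * 4096)
    rec = image_and_authenticate(src, os.path.join(tmp, "case_0001"), examiner="A. Examiner")
    print("authenticated:", rec["authenticated"])
    print("re-verification:", verify_record(rec))
```

Running `verify_record` on the saved JSON at any later date (by opposing counsel's expert, for instance) repeats the authentication independently; any byte changed in any copy shows up as a hash mismatch, which is what the "no tampering" proof above rests on.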
Why Use a Digital Forensics Expert?
5 Rules of Digital Evidence
1) Admissible / Relevant
2) Authentic
3) Complete
4) Reliable
5) Believable
Digital Forensic experts are trained to:
- Locate relevant evidence from massive amounts of sources and data segments
- Avoid destruction and/or corruption
- Ensure security and non-spoliation (chain of custody) over long periods of time and parties
- Prove the reliability and authenticity of the data (through mirror images and hash)
- Offer summarization reports with advanced data visualization tools for believable evidence
- Testify about the admissibility, authenticity, completeness, reliability and believability of the captured evidence
Attorneys attempting to locate files on computers without proper training may end up corrupting the entire data set, become liable for tampering with evidence and will not be able to testify about the validity of the data through Court-recognized forensic methodology.
Risks of Self-Collection
Nearly everyone can turn a computer on and take a file, so here is why they should not:
• Inadmissibility of evidence (due to lack of traceability and repeatability)
• Under-collection (missing critical case evidence that was intentionally deleted or unintentionally corrupted and requires forensic expertise for identification and recovery)
• Failure to disclose relevant content reliably = affirmative misrepresentation
• Destruction or corruption of files (starting with changes to metadata or turning off upon defrag)
• Spoliation, invasion of privacy, intrusion upon seclusion and other tort liability
• Inability to maintain the chain of custody (digital records require on-going maintenance)
• Lack of proper authentication and separation of access plus duty
• Bad preservation and extensive degradation of the digital environment may result in faulty physical sectors and destruction of data
• Knowingly accessing a protected computer without authorization or intentionally accessing a computer without authorization (without warrant/subpoena/written authorization)
• Charges for tampering with evidence
• Professional rule violation for client misrepresentation
• Conflicting responsibilities (attorney becomes a fact witness, in violation of Rule 3.7)
• The attorney’s testimony required to authenticate evidence may also endanger attorney-client privilege upon all communications
• Unfair representation of your client’s interest in comparison with the opposing party
• Firing of attorney based on negligence, deception and inadequate representation
WHY TAKE SUCH RISKS WHEN…
A 2006 survey of civil trials estimated that experts appear in 86% of cases with an average of 3.8 experts per trial.
Engaging a Digital Forensics Expert
Main Qualifications of DF Experts:
• Extensive and on-going training, LICENSING and certifications in digital forensics (GCFE/GCFA/GNFA/CGFI) and computer security (CISSP/C:CISO/CISM)
• Insured
• Fully versed in operating systems, networks, databases, security tools and applications
• Strong analytical & presentation skills (data science) for concise but complete reporting
• Master all rules of evidence (e.g. handling, authentication, analysis, interpretation, documentation, storage, destruction)
• Ability to offer expert testimony in court (FRE 901(b)(1))
• Neutral fact-finding & robust legal background
Failure to verify licensing status may result in expensive civil ($5,000/day) and criminal ($10,000/day) cumulative fines.
To establish admissibility of an expert under FRE 702, DF experts must have particular technical qualifications or use industry methodologies (Daubert + Kumho Tire Co. v. Carmichael), and provide relevant and reliable testimony.
Top 10 Engagement Topics:
1) Qualifications of Expert
2) Case charges
3) Case history
4) Child pornography liability
5) Fees
6) Contract
   – Attorney agent status
   – Attorney-client privilege
   – Work product doctrine covering mental impressions, conclusions, opinions or legal theories
   – Report(s) & exhibits (FRE 26(a)(2) protects report drafts)
   – Necessary testimony
7) Case chronology & theories
8) Sought-after evidence
9) Warrants & subpoenas
10) Keyword search
M-CAT Enterprises, LLC 111 Congress Avenue, Suite 400 Austin, Texas 78726 O: (512) 535-0012 F: (512) 469-6306 www.MCATEnterprises.com
Anyck Turgeon CFE, GRCP, C:CISO, CBA, PI, EP, CDS CRMP, CEFI, SMIA, CCIP Founding Chief Executive Officer (CEO) & Chief Information Security Officer (CISO)
Q & A