To clarify a question that I’ve had from some of my old clients recently, I am still doing a limited amount of Computer Forensic consulting as a 1099 contractor, even though I have closed down Patrick Computer Forensics Inc. I can still be contacted through enquire@PatrickComputerForensics.com and/or the other email address at this domain you have on file. I will be prioritizing law firms with whom I have an existing relationship, but will take on cases from new clients only if I’m sure I can provide outstanding service.
FTK Imager 3.0 was released this week and is available for download. It’s free (as in beer), and it has a simple function to mount a forensic image as if it were a hard drive (read only by default), as well as support for a few more file systems such as exFAT and ext4fs. The file system support is also included in the simultaneous FTK 3.2 release (which is not free). That is particularly interesting since, last I knew, major competitor EnCase by Guidance doesn’t support ext4fs [PDF] – however X-Ways Forensic does.
Some bugs in the mounting feature have been reported and are being worked on according to AccessData’s support forums. However I tested the feature with 3 forensic images that I made for testing, and it worked perfectly on all 3. The mount process was quick and simple. There are of course numerous other solutions for mounting disk images, however I’ve tended to find them to be either onerous, limited, or non-free. This little feature will be great for scanning an image file with AV, or for making data available to 3rd party software that doesn’t have forensic file support.
Today I was having a discussion with someone who manages in-house Electronic Discovery for a large firm, and for pretty much the first time, I laid out my take on where eDiscovery will go over the next 5 years. Like many practitioners of the digital evidence field, I’m well acquainted with the Electronic Discovery Reference Model (EDRM), and I was looking at how this firm used 2 different products to deal with eDiscovery. One was CT Summation, and the other was a well respected eDiscovery tool. The big issue with most ED tools is that they don’t remotely cover all 9 parts of the EDRM model. The tool that this firm was using only covers the middle parts: Processing, Review, Analysis and Production. It doesn’t help you manage your information, nor identify sources of potentially relevant data, nor help you perform a litigation hold, nor a collection.
The future of eDiscovery is a single end-to-end solution and if I had to bet, the first company to produce such a solution is going to be AccessData. I came to this conclusion based both on discussions I’ve had with friends of mine who work at AD, by which I’ve gleaned some insight into their driving ambition, and also by the recent merger of AccessData and CT Summation. (I’d probably categorise it as a buyout rather than a merger since the core management team from AD is running the new AccessData Group.)
I’ve used AccessData software for about 7 years now, and other than a brief period with FTK2 being RS (that’s an old army expression for basically unusable), AD is the clear leader in the development of the technology of digital evidence. From the point of view of the EDRM, AD’s toolset covers everything from litigation hold to production. But my prediction is that the next big thing in eDiscovery will address that nebulous far left part of EDRM: Information Management.
The big thing for corporations with a substantial involvement in litigation (any company that has deep enough pockets to be a target) will be a 2 part eDiscovery focused IM feature.
Part 1 will be real time indexing. Under current methodologies, indexing usually happens after identification of potential sources, either after the collection as part of the processing phase, or as part of a quasi-live collection effort, albeit with a delay between pushing the indexing agent out to the custodian and the completion of the indexing to pre-qualify data for collection.
Part 2 will be an implementation of reasonable retention policies. Many cases where sanctions occur could have been avoided if the offending party had established reasonable retention policies and followed them, or if the retention policy as implemented had protected against accidental destruction of data by regular processes. This implementation will ensure that data is held for the requisite time by either restricting untimely deletion, or by reminding the user of their obligations prior to permitting an early delete and logging the exception. This 2nd part can also be combined with the preservation function by allowing additional retention rules to go into effect upon receipt of a litigation hold, such as extending the retention period globally, or extending retention on a class of data (email, docs) or a source of data (specific users), and/or raising the security level required to delete files.
So that’s my thoughts. I’d be interested to hear feedback and I’ll try to raise some discussion at some digital evidence forums I frequent.
Remember that Eddie Murphy movie The Distinguished Gentleman? Well his character – Thomas Jefferson Johnson – happens to have the same name as the deceased former incumbent congressman, and so Johnson runs a campaign based on name recognition on the basis that people will just vote for the “name you know”. It works, he’s elected to congress, and hilarity ensues.
Recently I’ve seen three people locally get hit by the “Live Antivirus” malware. One of the things I learned from years doing computer crime work is that scammers often use name recognition to make you drop your guard. They’ll tell you that something comes from Microsoft, Yahoo or Google because you know and likely trust those brands. (They often play the religion card if they really want your money, but that’s a topic for another post I guess.) If you’re on the internet and running Windows, then you’re familiar with the “Windows Live” branding, especially for Hotmail or Messenger.
“Windows Live” “Live Antivirus” See what they did there?
So after seeing an advertisement for a free virus scan, using a name that’s vaguely familiar, my clients clicked on the link, downloaded the software to their computer, and were then confronted with continual nagging warnings that their computer is infected, and would they like to pay for an “upgrade” to remove the infections? The rub is that the only infection is generally the malware that’s “warning” them. I watched it report network intrusions even when no network connection was active, and report viruses in files that weren’t on the computer. The other wonderful feature of this malware is that it stops you from running real AV, the registry editor, the control panel, and all the other methods you’d normally think of for removing bad software.
Thankfully the technology was reasonably simple once you know what you’re dealing with. This software had only 3 artifacts, an executable file which was placed in your data files area instead of the usual “Program Files” area and 2 registry entries: one in the global “run” key, and a second in the user’s “run” key. These registry keys are one way for Windows to know what programs to load when the computer first starts up.
Removal was simple if you are comfortable with the registry and safe mode. Thankfully, in safe mode, the programs in the Run keys aren’t run, which means this nasty piece of software couldn’t get into memory and stop me from accessing the registry editor. The first time I cleaned it, I started by inspecting the Run key and found the offending entry. It stuck out like a HumVee in a lot full of compacts because it was the only program that wasn’t in the Program Files folder, plus the name wasn’t recognisable to me, and after doing hundreds of registry inspections, I pretty much know what to expect. Having found where it was hiding, I simply deleted the file and the 2 registry keys, rebooted the PC and it was gone.
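The inspection described above, the author's rule of thumb that an autostart program living outside Program Files stands out, can be turned into a check that runs against a registry export rather than the live machine, so it works from safe mode or from an image. The script below is an added example, not a tool from the post; the sample export, the value name "LiveAntivirus" and the file rogueav.exe are constructed to mirror the two Run-key entries the post describes, and the trusted-folder list is my assumption.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of a `reg export` of the two Run keys (XP-era layout).
# The "LiveAntivirus" entries and rogueav.exe are invented for this example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 9.0\\Reader\\Reader_sl.exe\""
"LiveAntivirus"="\"C:\\Documents and Settings\\jsmith\\Application Data\\rogueav.exe\" /autorun"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LiveAntivirus"="C:\\Documents and Settings\\jsmith\\Application Data\\rogueav.exe"
"""

# Folders where autostart programs are normally expected (assumption for this example)
TRUSTED_ROOTS = {"program files", "program files (x86)", "windows"}

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_run_keys(reg_text):
    """Return (key, value_name, command) for every string value in the export."""
    entries = []
    key = None
    for line in reg_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = VALUE_RE.match(line)
        if m and key:
            name, data = m.groups()
            # .reg files escape backslashes and double quotes inside string data
            command = re.sub(r'\\(["\\])', r"\1", data)
            entries.append((key, name, command))
    return entries


def extract_exe(command):
    """Pull the executable path out of a Run-key command line."""
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted paths may contain spaces, so cut after the first ".exe"
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)
    return m.group(1) if m else command.split()[0]


def is_trusted_location(exe_path):
    """True when the top-level folder is one of the expected program locations."""
    parts = PureWindowsPath(exe_path).parts
    return len(parts) > 1 and parts[1].lower() in TRUSTED_ROOTS


def flag_suspicious(reg_text):
    """List every Run entry whose executable lives outside the trusted folders."""
    findings = []
    for key, name, command in parse_run_keys(reg_text):
        exe = extract_exe(command)
        if not is_trusted_location(exe):
            findings.append({"key": key, "name": name, "exe": exe})
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_REG_EXPORT):
        print(f"{f['key']}\n  {f['name']} -> {f['exe']}")
```

Run against a real export the same heuristic produces a short list to eyeball; legitimate software does sometimes autostart from a user profile, so the output is a list of things to look at, not a verdict.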
I then counseled my client about not installing software from advertisements on the internet and general internet safety.
It’s a bit much to expect that everyone on the internet knows everything they are looking at, and what they are installing, but just remember to spend an extra minute before installing something just because the name sounds familiar. Perform a quick search on Google for “Live Antivirus” and the first 3 entries are all about how this is “rogue” software.
As President Reagan used to say: “Trust but verify”.
This case will get a lot of press due to its relation to ballplayer drug testing, but in the computer forensic world, this case is generating a lot of email and forum traffic. The case is extensive and the issues involved are complex, so I’m not going to even try to rehash it all. There are multiple search warrants for the same information, but in short, the government sought the test results of 10 ballplayers, got access to the computers with all the test results, and somehow the investigators got access to results of people outside the scope of the warrants.
The majority decision creates 5 new rules, but the first 2 are creating the big buzz:
1. Magistrates should insist that the government waive reliance upon the plain view doctrine in digital evidence cases. See p. 11876 supra.
2. Segregation and redaction must be either done by specialized personnel or an independent third party. See pp. 11880-81 supra. If the segregation is to be done by government computer personnel, it must agree in the warrant application that the computer personnel will not disclose to the investigators any information other than that which is the target of the warrant.
There is a specific issue here that differentiates it from a normal case. That is, that the warrant was for specific records on a computer, whereas in a normal investigation, the warrant would be for indeterminate potential evidence on a computer. So if for example in a drug dealer case, you’re searching the computer for anything relevant to drugs, and you come across child exploitation material, the plain view doctrine applies to the first image you find, and then you go and get a warrant to cover an extended search for contraband using the first image as your basis. Here however you are dealing with a limited scope search.
In the e-discovery field, you get this all the time. You are producing certain relevant records, and the opposing side doesn’t get access to the rest of the data. This is what we’re dealing with here: a production of records, not a general investigative process on the computer as in most criminal forensic cases.
Back during my fraud specialisation from 2003-2007, I did a bunch of cases investigating attorney malfeasance. In those cases, I worked as if having a Chinese Wall, and made sure that only certain information was released to the investigating police detectives. I even had partial document production with redaction of the non-relevant (and privileged) paragraphs. It’s really not that hard to do, and it’s not a major cost impediment. Even if you are a small agency where your examiner is part forensics, part detective, you can still compartmentalise results.
If the court’s proposed orders are applied to all computer forensics, then there’s a major issue, but if they are limiting the new orders to limited scope searches for records on 3rd party systems, then this seems a very reasonable result. With the high profile of this case, I expect an appeal is inevitable.
Patrick Computer Forensics Inc. is offering a free electronic discovery / computer forensics seminar for attorneys and their staff in Memphis. This half hour presentation is entitled “Metadata, what is it, and how does it win cases?”. As well as explaining metadata in easy to understand terms, the seminar will show examples of sources of metadata, and case studies where metadata was pivotal.
The devil is in the details.
As I indicated in a previous post on this issue, I expected that the ACE being free to obtain would somehow lead to a greater revenue stream for AccessData. Well thanks to a post by “rayp” on the Forensic Focus forums, the revenue stream has become apparent. It seems you are required to do 2 AccessData training courses in the first year in order to keep your certification.
Now in order to keep my CFCE, I need to have a certain amount of training over 3 years, but I can receive this through any reputable training body, and even count time I spend training others so long as it’s only counted once per year.
Clearly the ACE is not actually free in the long term, but you weren’t really expecting that it would be, right?
With the downturn in the economy, the foreclosures and the credit crunch, employee fraud, theft and general malfeasance is on the rise. If you don’t want to take my word for it, do a search on employee fraud rise and read a few of the results. I’ve been seeing these kinds of cases here in Memphis too.
What follows is practical advice about what to do when employee fraud happens in terms of preserving evidence for a later investigation and trial. Note that this is not legal advice. Hence the first thing to do is call your lawyer. The way it works in Tennessee is that forensic consultants are retained by a lawyer, not directly by the public, so your lawyer’s involvement is not optional.
Let’s start at the point where you discover your employee’s malfeasance.
Document your actions. Who, date/time, what, where.
Firstly, if that employee has a dedicated workstation, immediately remove that workstation from your network. If the workstation is turned off, DO NOT TURN IT ON. Take the computer box (you don’t need the monitor and cables) and place it in a locked room or cabinet. If it’s a notebook computer, keep the power cable with the computer.
If you turn on the computer, it’s like walking through a crime scene. You leave your own fingerprints and footprints everywhere, and you may accidentally walk all over your evidence and destroy some of it. Resist the urge to look yourself; you’ll only hurt your case later on. (Note that once forensic preservation has been done, you can look all you want.)
If it is turned on, you’re going to need advice directly from a forensic computer expert, so contact us quickly. The permutations about how to deal with a live PC for forensics are too many to cover in this article.
Restrict that employee’s access to your computer network. If you have a central file server, or email server, these are potential sources of evidence and you don’t want your suspect employee trying to access them to cover their tracks.
If your employee has any portable computing devices owned by the company, e.g. a notebook computer, PDA, thumbdrive or mobile phone, take these back now and keep them with the workstation in the locked room/cabinet.
Check your backups. You are making regular backups of essential systems like your file server and your email server right? Check to make sure these backups have been conducted, and put aside your backup tapes or drives. Do not do new backups over old ones after an incident as you may inadvertently destroy evidence.
Get your system forensically preserved as soon as possible. Forensic imaging allows the preservation of all electronically stored evidence so that you can keep running your business. In situations like these, forensic preservation can be done out of hours to minimize disruption to your business.
Once your system has been forensically preserved, you can continue to do business, and decide on a course of action with your lawyer. A forensic examination on preserved evidence can be carried out weeks, even years after the preservation has been performed. If your case becomes a criminal issue, the forensic images can be turned over to law enforcement with a fully documented chain of custody, or your computer forensic expert can testify if the examination has already been performed.
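The two threads running through the steps above are "document your actions: who, date/time, what, where" and "a fully documented chain of custody" for the forensic images. As an added example (my own, not a form or tool from the post), the script below keeps that record in code: every handling event is logged with those four fields plus the MD5 and SHA-256 of the item at that moment, and a later check confirms the image still hashes to what was recorded at acquisition. The image file, names and locations are constructed stand-ins.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large images need not fit in memory


def hash_file(path):
    """MD5 and SHA-256 of a file; both are commonly recorded at acquisition."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_event(log, who, action, where, path, when=None):
    """Append a who/when/what/where entry with the item's current hashes."""
    when = when or datetime.now(timezone.utc)
    entry = {
        "who": who,
        "when": when.isoformat(timespec="seconds"),
        "what": action,
        "where": where,
        "item": Path(path).name,
        **hash_file(path),
    }
    log.append(entry)
    return entry


def verify_against_log(log, path):
    """Later check: does the file still hash to what the first entry recorded?"""
    if not log:
        raise ValueError("empty custody log")
    return hash_file(path)["sha256"] == log[0]["sha256"]


def demo():
    """Constructed scenario: an image is acquired, checked out, then altered."""
    with tempfile.TemporaryDirectory() as tmp:
        image = Path(tmp) / "workstation01.dd"  # stand-in for a real image
        image.write_bytes(b"constructed stand-in for a forensic image\n" * 1000)
        log = []
        record_event(log, "J. Examiner (constructed)", "acquired image from seized workstation",
                     "client locked cabinet", image)
        record_event(log, "J. Examiner (constructed)", "checked out for examination",
                     "lab evidence safe", image)
        intact = verify_against_log(log, image)
        image.write_bytes(b"altered")  # simulate tampering or a bad copy
        still_intact = verify_against_log(log, image)
        return log, intact, still_intact


if __name__ == "__main__":
    log, intact, still_intact = demo()
    for entry in log:
        print(entry["when"], entry["who"], entry["what"], entry["where"], entry["sha256"][:16])
    print("intact before alteration:", intact, "| after:", still_intact)
```

The point of hashing at every handling event rather than only at acquisition is that a mismatch then tells you which custody step the change happened after, which is exactly the question opposing counsel will ask.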
Today, whilst contemplating the birthday of the USA, I recalled that today is also the 2nd anniversary of the first time I ever worked forensics in the US. For the 7 years before moving, I worked computer forensics for the Queensland Police Service in Australia, an agency with over 10,000 police officers and almost 3000 staff and responsible for an area bigger than Texas.
We had just moved over in June 07 to be closer to my wife’s family while her brother was serving in Iraq, and a friend I knew through IACIS needed someone available on short notice to do some work on the holiday. I had planned to go see the fireworks in Munford, but the opportunity to get back into the business was too good so I spent all day doing on-site acquisitions.
As a celebration both of our nation’s birthday and the 2nd anniversary of Patrick Computer Forensics (albeit unincorporated at that point) I’m offering a $100 discount on any forensic work retained in the next week. (Retainer and minimums apply, see the Rates page.)