Archive for April, 2009

North Carolina licensing of Computer Forensic Examiners (result)

Sunday, April 19th, 2009

Larry Daniels has reported via the ForensicFocus forums that North Carolina will now exempt forensic computer examiners from licensing in North Carolina. That’s 2 good results in the same week.

Montana Computer Forensic Examiner – PI Licensing

Monday, April 13th, 2009

A win for sanity today when the Montana legislature passed HOUSE BILL NO. 354. Refer to section 3(k). This new bill exempts those who perform forensic examination in Montana from licensing as a private investigator, so this is wider than just exempting those in the digital evidence field.

Jimmy Weg, of the Montana DCI who assisted with the bill (independently, in regard to his private practice, offered to work with the licensing agency if they feel that a separate licensing scheme for Computer Forensic Examiners is necessary.” However, concerning criminal matters, Weg says he is “is unaware of any forensics-certified examiners in MT who do criminal defense work, so the implications of PI licensing could have a chilling effect on the ability of defendants to obtain qualified assistance”.

Hopefully the Montana legislation can be used to help other state legislatures in the crafting of their PI licensing requirements as they effect the forensics field.

North Carolina licensing of Computer Forensic Examiners (update)

Thursday, April 9th, 2009

I’ve just been informed that the hearing on Bill S584 is now calendared for Thursday April 16. It has been changed a couple of times already, so consider this subject to change.

North Carolina licensing of Computer Forensic Examiners

Wednesday, April 8th, 2009

Yesterday was supposed to be the reading and feedback day for the North Carolina bills to require licensing of Computer Forensic and Electronic Discovery professionals. Essentially, they plan to lump our profession in with Security Guards and gumshoes.

My colleagues in NC inform me that the reading was canceled due to a conflict with a budget hearing. Initial reports indicated tomorrow Thursday April 9th as the day, but the most recent advice I’ve received is that it won’t be tomorrow and will more likely be next week.

Senator Fletcher Hartsell coordinates the presentation of bills in the Senate Judiciary Committee. His office number is (919) 733 7223.


As I indicated in my FAQ page, the American Bar Association is against licensing of Computer Forensics professionals as Private Investigators. Joe Howie wrote a great piece called “Impact of State Licensing of Private Investigators on Digital Forensics” in the ABA’s Law Technology Today journal, June 2008 edition.

He does a great job of differentiating Computer Forensic Examiners from PIs. (He refers to as Digital Forensic Examiners or DFEs.)

First he addresses the methods PIs use to obtain evidence:

When a client hires a private investigator (“PI”) to investigate a third-party or a specific incident, the PI may employ various means, none of which will involve giving the third-party the right to be present, telling the third party that the investigation is underway or telling the subject of the investigation the names of those being contacted. In an undercover or clandestine investigation the PI may talk with or record the subject or make observations regarding the subject at the subject’s home, place of business or worship, or while engaged in civic or associational activities, all without notifying the subject that his or her discussions or actions are being noted for possible use later on.

Then he differentiates Computer Forensic Examiners

Digital forensics and litigation support can both involve the gathering, analysis and presentation of data that is secured with the full knowledge and consent of the owner of the data or of data that was obtained pursuant to judicial process where the owner of the data was aware of the inquiry and had the opportunity to raise any objections or concerns in a court of law prior to producing or making the data available.

The major difference between how I operate, and how a PI operates is that I always operate either with the consent of the owner of the computer systems, or under a court order which the owner is aware of. I have not performed a covert acquisition since my early days with the police, and I have no intention of doing one as a non-government examiner.

N.B. No disrespect is intended to PIs and Security Guards. You perform a valuable service. It’s just that requiring a PI license for a Computer Forensic Examiner is like requiring an Aviation Mechanic to have a pilot’s license.

Adam Walsh Act (part 2)

Saturday, April 4th, 2009

The Adam Walsh Act places restrictions on examination of evidence by the defense in Child Exploitation Material cases. In the simplest terms, any evidence must be examined either at the Law Enforcement Agency, or at the Courthouse.

In my last post, I covered the issue of lack of control of your environment and the resultant problem with sterile environment. I’m not going to rehash that.


There is a major increase in the cost of forensic computer examination of a case under these restrictions. To understand this, you need to know how services are billed.

Examiners only bill for their actual time spent working, not for “machine time”.

A really basic examination of a computer will take at least 3 days. A large part of this is the indexing time. Indexing is the process by which computer forensic software generates a database of search terms, generates hashes of files for known file filtering (KFF) and does some internal sorting of data to make it more manageable. Indexing takes hours. I’ve had big cases with multiple evidence items where indexing took days. This time is not billed.

Part of why this time is not billed is because the examiner will be performing other work during this time that may not be related to the case at hand. Indexing time is a great time to do your daily tech reading, do research, write up the case report from the previous case, or eat lunch.

Running a virus scan on mounted evidence is another exercise that burns up an hour or two of time and isn’t usually fully billed. Some of the reporting functions can take time. If you have to do a duplicate system restore and boot, that’s going to take an hour or more.

However, when you are sitting in a government facility, you don’t stop the clock. This is because you can’t multitask because you aren’t going to bring another case with you to multitask on, and you’re not going to check your mail, do web research, admin tasks, etc on a government computer. You can’t even leave the room to get coffee because you’re leaving a running forensic workstation unattended, which is fine if it’s your lab and you can lock it up, but you don’t control the room. So while a basic 3 day examination might have 8 hours billable in the lab, in an Adam Walsh Act case, it’s 24 hours billable. At a standard billing rate of $250/hour, that’s an additional $2000 on a really basic case. On any case with a large amount of data, this could easily climb to tens of thousands of dollars. In fact, most cases I know of, the examination cost well over $10k.

Additionally, there is prep time that you are going to bill. Getting your workstation packed up and moved and so on. Plus, before you leave the government facility, you’re going to blow away all your work product except your forensic reports because the indexing processes for example produces thumbnails of contraband material with is now on your forensic workstation. So you have to add in a hour or 2 for wiping the 3 drives.

So one of the most noticeable effects of the Adam Walsh Act amendments is a major increase in defense costs. And of course, you don’t get costs awarded to you if you successfully defend your criminal case.

Now let me be clear about one thing: I am completely in favour of limiting access to contraband material. CEM is disgusting, and I’ve seen things that I’d happily forget ever seeing if I could. There is no good reason for the average citizen to have this contraband material in their possession… ever.

However, defense lawyers are officers of the court, and serving an important function, and forensic computer examiners are the only people able to properly test the government’s claims against the evidence for the defense. If it’s acceptable for the prosecutor, the judge and the jury to hold onto this evidence during the trial, it should be acceptable for the defense team. If any of the defense take a personal copy of this material, they should be prosecuted. If they retain the material after the court process is completed, they should be prosecuted.

The defendant is entitled to a fair trial, and the right to test the evidence.

Adam Walsh Act, Tennessee, and questionable “Expert” witnesses

Friday, April 3rd, 2009

Susan Brenner has an article on her CYB3RCRIM3 blog about the chilling effects of the Adam Walsh Act putting the fear of God into people, esp the defense regarding dealing with child exploitation material. (CEM is one of the nicer terms for child porn, and the one I generally use since it was in favour at QPol where I used to work.)

I have dealt with the restrictions of the Adam Walsh Act from the defense examiner side, and personally feel that some of the restrictions are onerous to say the least. You are basically requiring a forensic examiner to transplant part of his laboratory to a government facility to conduct the examination, which is forensically unsound, because one of the major issues with forensics is the “sterile environment” concept.

Part of the sterile environment is the examiner having control of all access to their evidence. In a government facility, you most certainly do NOT have control of your environment. I’ve never known a proper examination of a computer to take less than a few days, so you’re leaving your gear there overnight, unattended, in a room and building over which you have no control. And you can’t just take your equipment back to the office with you at the end of each day, because the examination process potentially creates copies of contraband material on your exam machine.

The government also has a habit of refusing to grant access to the original evidence. A properly trained examiner doesn’t want this access in order to manipulate the evidence on the original, but rather to make the forensic copy themselves, or to get a hash and validate the supplied copy.

But enough about the joys of the Adam Walsh Act. The case referred to in Ms Brenner’s blog is STATE OF TENNESSEE v. RE´LICKA DAJUAN ALLEN No. E2007-01018-CCA-R3-CD.

What really makes this case interesting is the absolutely wrong statements made by the defense “expert” witness. Now I’ve never heard of Mr Herbert Mack, and I can’t seem to find anything about him outside this case through a few google searches. Seriously though, this guy shouldn’t have passed a Daubert challenge, and the prosecutor was weak on not challenging him.

Here commeth the whoppers:

He said that, given the large number of images allegedly contained on the computer, he would not be able to remember the specifics of the information without taking the computer hard drive from the sheriff’s department.

One of the golden rules of forensics is: document everything important. You should have a notepad recording every procedure, every search you conduct, and any pertinent results. Forensic software also lets you produce volumous reports of files and meta data – none of which need contain contraband – if the quantity of material is too much for your notes. In fact, production of a file list of evidentiary files with metadata is a standard part of reporting every forensic examination.

Mack expressed concern about working from a “mirror image” rather than the hard drive itself, testifying that the computer programs in existence did not create
true mirror images

Here is a small, non-exhaustive list of computer programs which create mirror images:

  • X-Ways Forensics
  • FTK Imager
  • EnCase Forensic
  • dd
  • In fact, FTK Imager is free (as in beer) and dd is free (both as in beer, and as in speech being open source) and contained on every version of linux and BSD that I know of, along with a bunch of linux based forensic boot disks.

    In order to be a “mirror image” or “forensic image”, the image must contain the complete disk, including system areas such as the boot sectors, partition tables, and any unallocated space. All forensic imaging software will do this.

    Mack conceded that his examination of the actual hard drive would entail
    reconnecting the original personal computer equipment, turning the computer on, and
    loading his software file-searching tools, and he agreed that in the process of booting
    up the Windows operating system the contents of the hard drive would be changed.

    Booting Windows will change hundreds of files and settings. Installing his software will most likely alter the registry, and potentially overwrite evidence in deleted space. What he is proposing is the equivelant of walking all over a crime scene in muddy boots with no gloves. You’re destroying evidence, AND leaving your own fingerprints all over the place. This is horrible from a forensics viewpoint.

    I have booted up a suspect’s computer before, but it was ALWAYS with a forensic copy of the hard drive. There is never a good reason to boot the original.

    However, according to his testimony, booting the computer would not alter either the
    file creation date or last accessed date of the images in question.

    Ok, this is half right. You probably won’t change the MAC dates of the files at start up, but as soon as you start looking at them on the live system you will. Open a file in Windows, and generally, the accessed date is changed.

    Try this little exercise out: Right click on a picture file in Windows Explorer. Select Properties. Check the Accessed Date. Windows will tell you that you lasted accessed the file “Today” and the Accessed Time will be the time when you clicked on Properties.

    Mack stated that there was an increased risk of disclosing non-discoverable information because the State’s expert would be able to determine what tools had been run on Defendant’s computer hard drive and what information had been recovered before Defendant was obligated to disclose its expert report.

    So now that he’s gone and dirtied up his evidence, he’s complaining that the prosecution will find his fingerprints on the evidence? This is why CSIs wear gloves, and forensic computer examiners don’t run live unprotected exams on the original evidence.

    Remember, when hiring a computer forensic expert you are looking for training and experience. Training generally involves a certification. Any examiner worth their salt is going to have a CFCE, CCE, EnCE or ACE. Experience should be measured both in years of experience, and number of forensic examinations.

    Classic April Fools

    Friday, April 3rd, 2009

    I’m a big fan of a cleverly done and slightly subtle online April fools joke. I believe this is the first one I’ve seen that involves Computer Forensics. Kudos to Jamie Morris of the Forensic Focus blog.

    Computer Crime presentation

    Friday, April 3rd, 2009

    Back in ’06 I did a presentation at my alma mater for Computer Security Day 2006. AusCERT is still hosting the presentation I gave at this link. Some of the numbers are a little out of date, but the same kinds of trends are still happening. It also is the source of a quote from my last post about not sending money to people you don’t know in countries you can’t pick on a map.