Archive for the ‘Computer Forensics’ Category

FTK Imager 3.0 released

Saturday, October 9th, 2010

FTK Imager 3.0 was released this week and is available for download. It’s free (as in beer), and it has a simple function to mount a forensic image as if it were a hard drive (read only by default), as well as support for a few more file systems such as exFAT and ext4fs. The file system support is also included in the simultaneous FTK 3.2 release (which is not free), which is particularly interesting since, last I knew, major competitor EnCase by Guidance doesn’t support ext4fs [PDF]; X-Ways Forensics does, however.

Some bugs in the mounting feature have been reported and are being worked on, according to AccessData’s support forums. However, I tested the feature with 3 forensic images that I made for testing, and it worked perfectly on all 3. The mount process was quick and simple. There are of course numerous other solutions for mounting disk images; however, I’ve tended to find them to be either onerous, limited, or non-free. This little feature will be great for scanning an image file with AV, or for making data available to 3rd party software that doesn’t have forensic file support.

IACIS votes to open Certified Forensic Computer Examiner to the public

Thursday, July 22nd, 2010

The official announcement is here. There will be a requirement to pass a background check as part of the application process.

I made a post on Forensic Forums about this and I’m answering some questions there as well.

U.S. v Comprehensive Drug Testing

Thursday, August 27th, 2009

Read the full decision here.

This case will get a lot of press due to its relation to ballplayer drug testing, but in the computer forensic world, this case is generating a lot of email and forum traffic. The case is extensive and the issues involved are complex, so I’m not going to even try to rehash it all. There are multiple search warrants for the same information, but in short, the government sought the test results of 10 ballplayers, got access to the computers with all the test results, and somehow the investigators got access to results of people outside the scope of the warrants.

The majority decision creates 5 new rules, but the first 2 are creating the big buzz:

1. Magistrates should insist that the government waive reliance upon the plain view doctrine in digital evidence cases. See p. 11876 supra.

2. Segregation and redaction must be either done by specialized personnel or an independent third party. See pp. 11880-81 supra. If the segregation is to be done by government computer personnel, it must agree in the warrant application that the computer personnel will not disclose to the investigators any information other than that which is the target of the warrant.

There is a specific issue here that differentiates it from a normal case. That is, that the warrant was for specific records on a computer, whereas in a normal investigation, the warrant would be for indeterminate potential evidence on a computer. So if for example in a drug dealer case, you’re searching the computer for anything relevant to drugs, and you come across child exploitation material, the plain view doctrine applies to the first image you find, and then you go and get a warrant to cover an extended search for contraband using the first image as your basis. Here however you are dealing with a limited scope search.

In the e-discovery field, you get this all the time. You are producing certain relevant records, and the opposing side doesn’t get access to the rest of the data. This is what we’re dealing with here: a production of records, not a general investigative process on the computer as in most criminal forensic cases.

Back during my fraud specialisation from 2003-2007, I did a bunch of cases investigating attorney malfeasance. In those cases, I worked as if having a Chinese Wall, and made sure that only certain information was released to the investigating police detectives. I even had partial document production with redaction of the non-relevant (and privileged) paragraphs. It’s really not that hard to do, and it’s not a major cost impediment. Even if you are a small agency where your examiner is part forensics, part detective, you can still compartmentalise results.

If the court’s proposed orders are applied to all computer forensics, then there’s a major issue, but if they are limiting the new orders to limited scope searches for records on 3rd party systems, then this seems a very reasonable result. With the high profile of this case, I expect an appeal is inevitable.

Free e-discovery seminar on Metadata

Friday, July 31st, 2009

Patrick Computer Forensics Inc. is offering a free electronic discovery / computer forensics seminar for attorneys and their staff in Memphis. This half hour presentation is entitled “Metadata, what is it, and how does it win cases?”. As well as explaining metadata in easy to understand terms, the seminar will show examples of sources of metadata, and case studies where metadata was pivotal.

AccessData Certified Examiner now free (part 3)

Tuesday, July 21st, 2009

The devil is in the details.

As I indicated in a previous post on this issue, I expected that the ACE being free to obtain would somehow lead to a greater revenue stream for AccessData. Well thanks to a post by “rayp” on the Forensic Focus forums, the revenue stream has become apparent. It seems you are required to do 2 AccessData training courses in the first year in order to keep your certification.

Now in order to keep my CFCE, I need to have a certain amount of training over 3 years, but I can receive this through any reputable training body, and even count time I spend training others so long as it’s only counted once per year.

Clearly the ACE is not actually free in the long term, but you weren’t really expecting that it would be, right?

Employee fraud – first response

Tuesday, July 7th, 2009

With the downturn in the economy, the foreclosures and the credit crunch, employee fraud, theft and general malfeasance are on the rise. If you don’t want to take my word for it, do a search on “employee fraud rise” and read a few of the results. I’ve been seeing these kinds of cases here in Memphis too.

What follows is practical advice about what to do when employee fraud happens in terms of preserving evidence for a later investigation and trial. Note that this is not legal advice. Hence the first thing to do is call your lawyer. The way it works in Tennessee is that forensic consultants are retained by a lawyer, not directly by the public, so your lawyer’s involvement is not optional.

Let’s start at the point where you discover your employee’s malfeasance.

Document your actions. Who, date/time, what, where.

Firstly, if that employee has a dedicated workstation, immediately remove that workstation from your network. If the workstation is turned off, DO NOT TURN IT ON. Take the computer box (you don’t need the monitor and cables) and place it in a locked room or cabinet. If it’s a notebook computer, keep the power cable with the computer.

If you turn on the computer, it’s like walking through a crime scene. You leave your own fingerprints and footprints everywhere, and you may accidentally walk all over your evidence and destroy some of it. Resist the urge to look yourself; you’ll only hurt your case later on. (Note that once forensic preservation has been done, you can look all you want.)

If it is turned on, you’re going to need advice directly from a forensic computer expert, so contact us quickly. The permutations about how to deal with a live PC for forensics are too many to cover in this article.

Restrict that employee’s access to your computer network. If you have a central file server, or email server, these are potential sources of evidence and you don’t want your suspect employee trying to access them to cover their tracks.

If your employee has any portable computing devices owned by the company, e.g. a notebook computer, PDA, thumbdrive or mobile phone, take these back now and keep them with the workstation in the locked room/cabinet.

Check your backups. You are making regular backups of essential systems like your file server and your email server, right? Check to make sure these backups have been conducted, and put aside your backup tapes or drives. Do not do new backups over old ones after an incident, as you may inadvertently destroy evidence.

Get your system forensically preserved as soon as possible. Forensic imaging allows the preservation of all electronically stored evidence so that you can keep running your business. In situations like these, forensic preservation can be done out of hours to minimize disruption to your business.

Once your system has been forensically preserved, you can continue to do business, and decide on a course of action with your lawyer. A forensic examination on preserved evidence can be carried out weeks, even years after the preservation has been performed. If your case becomes a criminal issue, the forensic images can be turned over to law enforcement with a fully documented chain of custody, or your computer forensic expert can testify if the examination has already been performed.

AccessData Certified Examiner now free (part 2)

Thursday, May 14th, 2009

Having reviewed the videos from AccessData, it seems that you do still need to own a copy of FTK to undertake the new “ACE Test-Out”. The specific wording is:

be exempted from the class attendance requirement

Clearly this is a little bit more than the promo email promise which is “NO PREREQUISITES!” This amounts to a little under $4k pre-req of requiring that members own a current version of FTK, with current meaning your support contract or “SMS” is up to date. Of course, you weren’t actually expecting a free lunch were you?

Now here is where my comments about this free test being a good way for AccessData to channel people into their training come true:

  • If the candidate fails a Test-Out session, they must complete the ACE Prep course to attempt the Test-Out session again.
  • If the candidate fails a second Test-Out session, they must complete the class pre-requisites to challenge the ACE process.

So basically, they encourage you to try to get ACE certified, and then if you fail, they channel you back into the training that you used to have to take originally anyway. I am totally OK with this since in my mind, it behooves AccessData to make the cert challenging to get more people to their training. And as I said, their training is very good.

The other smaller issue is that it looks like the ACE is heavily focused on FTK2. I expect that you could complete the practical component with FTK1 – and probably with the other forensic suites out there – but a whole raft of the knowledge test component questions are about functionality specific to FTK2.

Personally, I’ve been holding off using FTK2 because of the teething problems, and the resource hog reputation it had acquired in the computer forensic community. I’m hearing however that the latest iterations of FTK2 are much faster. It looks like it’s time to move on up to FTK2 then get the ACE done.

AccessData Certified Examiner now free

Wednesday, May 13th, 2009

AccessData has announced (via email only thus far, I haven’t seen an announcement on their site) that the AccessData Certified Examiner (ACE) will now be free (as in beer). At first I thought this was a scam or a joke until it arrived on both the email account associated with my ownership of FTK and my unassociated FTK forums account email.

Additionally, it appears they have removed all the pre-requisites for undertaking the cert, including ownership of an FTK product. The ACE Preparation page has been updated to reflect this. This is a major change since previously, you were required to own FTK (which costs over $3k plus the yearly subscription for support/updates) plus have attended 2 of their training sessions – BootCamp and Windows Forensics – which is thousands more in training costs.

Additionally, they have put up training videos for free download that cover the course material.

Now this would seem to potentially hurt their revenue stream; however, it could increase the user base to off-set this, and their 3-day training courses are still very worthwhile. I attended their Internet Forensics course in 2005, and despite having 5 years’ experience at that time, I still learned a lot.

What this may do is somewhat elevate the certification against the competing EnCE from Guidance. One of the big criticisms of tool certs is that because you have already bought their product, and paid for their training, they have a vested interest in you passing. By making the ACE free, AccessData now has a vested interest in people not passing, since that would tend to move them towards undertaking the training courses to get skilled up.

Computer Forensics Ethics, Inculpatory & Exculpatory Evidence

Friday, May 1st, 2009

I’ve been wanting to do a post on ethics since I started the blog, but my spare time has been somewhat overrun with the recent rush of licensing issues. A recent article from John J Barbara of FDLE over at DFI News addressed the issue of Ethics in Computer Forensics, and in particular, the ethical requirement for a Forensic Computer Examiner to search for exculpatory evidence as well as inculpatory evidence.

For those new to evidence in general, inculpatory evidence is that which supports a charge or accusation of wrongdoing, whilst exculpatory evidence is that which would cast doubt or prove innocence. In the computer forensic world, perhaps the best known example of exculpatory evidence is a virus which downloads content, or a rootkit allowing surreptitious access by a third party to a computer. Although it is rare to find these in an examination, it’s well within the realms of possibility, and so must be ruled out before the examination is complete. EDIT: I meant to say that it must be ruled out in certain cases where it is applicable, for example, those cases where possession or distribution is an element of the crime.

Barbara refers to the Code of Ethics of the California Association of Criminalists; however, there are more widely accepted ethics statements in the computer forensics community. One of the first is from IACIS (of which I am a member) and is displayed on their site at

The portion covering impartiality is fully 2/3 of the code:

1. Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
2. Thoroughly examine and analyze the evidence in a case.
3. Conduct examinations based upon established, validated principles.
4. Render opinions having a basis that is demonstratively reasonable.
5. Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.

One of the issues that Barbara raises is the impartiality of examiners who also happen to be investigators. Computer Forensics is still an evolving discipline in the law enforcement world, despite having been around in some sense for over 20 years. In the USA in particular, because of the prevalence of local law enforcement – vs countries such as Australia where local law enforcement responsibility is vested in the states – many agencies don’t have a dedicated computer forensic analyst who solely performs examinations. Most local police examiners are investigators who also conduct examinations, and often conduct exams in support of their own cases.

This potential dual role is why it is so important for examiners to follow the code of ethics. When a detective is pursuing a suspect, they tend to focus their energy on finding the evidence of guilt. Many people may have heard of the 48-hour rule: basically, if you don’t catch your perp in the first 48 hours after a crime, your odds of success drop dramatically. Forensic examinations, however, take time. Pressure to achieve results in a given time period can result in missed evidence. I have personally experienced pressure from investigators to only search for inculpatory evidence and leave it at that.

I have more than once refused to produce final results without a search for exculpatory evidence. (I have however given progress reports in time sensitive cases before completing the case.) Why? Notwithstanding the importance of being ethical, and the ethics requiring your impartiality and completeness: If you miss something on a case, you shoot your credibility in the foot.

The computer forensic community is still relatively small; we all know people who know people. If you make a mistake on an examination, or give bogus evidence in court, someone will make a note of it. It’s commonplace to request background info on your opposition examiner from your colleagues in the field. Your mistakes will come back to haunt you and potentially end your career. An examiner is only as good as their reputation.

Although I may work for one side in a case, I remain at all times impartial with regards to my evidence. I have told detectives that there is evidence of innocence or a lack of evidence, and (in other cases) I have told defendants that there is evidence of guilt. This is what the ethics requires.

North Carolina licensing of Computer Forensic Examiners (result)

Sunday, April 19th, 2009

Larry Daniels has reported via the ForensicFocus forums that North Carolina will now exempt forensic computer examiners from licensing in North Carolina. That’s 2 good results in the same week.