AccessData Certified Examiner now free (part 2)

May 14th, 2009

Having reviewed the videos from AccessData, it seems that you do still need to own a copy of FTK to undertake the new “ACE Test-Out”. The specific wording is:

be exempted from the class attendance requirement

Clearly this is a little more than the promo email's promise of “NO PREREQUISITES!” It amounts to a prerequisite of a little under $4k: members must own a current version of FTK, with “current” meaning your support contract or “SMS” is up to date. Of course, you weren’t actually expecting a free lunch were you?

Now here is where my comment about this free test being a good way for AccessData to channel people into their training comes true:

  • If the candidate fails a Test-Out session, they must complete the ACE Prep course to attempt the Test-Out session again.
  • If the candidate fails a second Test-Out session, they must complete the class pre-requisites to challenge the ACE process.

So basically, they encourage you to try to get ACE certified, and then if you fail, they channel you back into the training that you used to have to take originally anyway. I am totally OK with this since in my mind, it behooves AccessData to make the cert challenging to get more people to their training. And as I said, their training is very good.

The other smaller issue is that it looks like the ACE is heavily focused on FTK2. I expect that you could complete the practical component with FTK1 – and probably with the other forensic suites out there – but a whole raft of the knowledge test component questions are about functionality specific to FTK2.

Personally, I’ve been holding off using FTK2 because of the teething problems, and the resource hog reputation it had acquired in the computer forensic community. I’m hearing however that the latest iterations of FTK2 are much faster. It looks like it’s time to move on up to FTK2 then get the ACE done.

AccessData Certified Examiner now free

May 13th, 2009

AccessData has announced (via email only thus far, I haven’t seen an announcement on their site) that the AccessData Certified Examiner (ACE) will now be free (as in beer). At first I thought this was a scam or a joke until it arrived on both the email account associated with my ownership of FTK and my unassociated FTK forums account email.

Additionally, it appears they have removed all the pre-requisites for undertaking the cert, including ownership of an FTK product. The ACE Preparation page has been updated to reflect this. This is a major change since previously, you were required to own FTK (which costs over $3k plus the yearly subscription for support/updates) plus have attended 2 of their training sessions – BootCamp and Windows Forensics – which is thousands more in training costs.

Additionally, they have put up training videos for free download that cover the course material.

Now this would seem to potentially hurt their revenue stream, however it could increase the user base to offset this, and their 3-day training courses are still very worthwhile. I attended their Internet Forensics course in 2005, and despite having 5 years experience at that time, I still learned a lot.

What this may do is somewhat elevate the certification against the competing EnCE from Guidance. One of the big criticisms of tool certs is that because you have already bought their product, and paid for their training, they have a vested interest in you passing. By making the ACE free, AccessData now has a vested interest in people not passing, since that would tend to move them towards undertaking the training courses to get skilled up.

Computer Forensics Ethics, Inculpatory & Exculpatory Evidence

May 1st, 2009

I’ve been wanting to do a post on ethics since I started the blog, but my spare time has been somewhat overrun with the recent rush of licensing issues. A recent article from John J Barbara of FDLE over at DFI News addressed the issue of Ethics in Computer Forensics, and in particular, the ethical requirement for a Forensic Computer Examiner to search for exculpatory evidence as well as inculpatory evidence.

For those new to evidence in general, inculpatory evidence is that which supports a charge or accusation of wrongdoing, whilst exculpatory evidence is that which would cast doubt or prove innocence. In the computer forensic world, perhaps the best known example of exculpatory evidence is a virus which downloads content, or a rootkit allowing surreptitious access by a third party to a computer. Although it is rare to find these in an examination, it’s well within the realms of possibility, and so must be ruled out before the examination is complete. EDIT: I meant to say that it must be ruled out in certain cases where it is applicable, for example, those cases where possession or distribution is an element of the crime.

Barbara refers to the Code of Ethics of the California Association of Criminalists, however there are more widely accepted ethics statements in the computer forensics community. One of the first is from IACIS (of which I am a member) and is displayed on their site at http://www.iacis.com/new_membership/code_of_ethics.

The portion covering impartiality is fully 2/3 of the code:

1. Maintain the highest level of objectivity in all forensic examinations and accurately present the facts involved.
2. Thoroughly examine and analyze the evidence in a case.
3. Conduct examinations based upon established, validated principles.
4. Render opinions having a basis that is demonstratively reasonable.
5. Not withhold any findings, whether inculpatory or exculpatory, that would cause the facts of a case to be misrepresented or distorted.

One of the issues that Barbara raises is the impartiality of examiners who also happen to be investigators. Computer Forensics is still an evolving discipline in the law enforcement world, despite having been around in some sense for over 20 years. In the USA in particular, because of the prevalence of local law enforcement – vs countries such as Australia where local law enforcement responsibility is vested in the states – many agencies don’t have a dedicated computer forensic analyst who solely performs examinations. Most local police examiners are investigators who also conduct examinations, and often conduct exams in support of their own cases.

This potential dual role aspect is why it is so important for examiners to follow the code of ethics. When a detective is pursuing a suspect, they tend to focus their energy on finding the evidence of guilt. Many people may have heard of the 48 hour rule. Basically, if you don’t catch your perp in the first 48 hours after a crime, your odds of success drop dramatically. Forensic examinations however take time. Pressure to achieve results in a given time period can result in missed evidence. I have personally experienced pressure from investigators to only search for inculpatory evidence and leave it at that.

I have more than once refused to produce final results without a search for exculpatory evidence. (I have however given progress reports in time sensitive cases before completing the case.) Why? Notwithstanding the importance of being ethical, and the ethics requiring your impartiality and completeness: If you miss something on a case, you shoot your credibility in the foot.

The computer forensic community is still relatively small, we all know people who know people. If you make a mistake on an examination, or give bogus evidence in court, someone will make a note of it. It’s commonplace to request background info on your opposition examiner from your colleagues in the field. Your mistakes will come back to haunt you and potentially end your career. An examiner is only as good as their reputation.

Although I may work for one side in a case, I remain at all times impartial with regards to my evidence. I have told detectives that there is evidence of innocence or a lack of evidence, and (in other cases) I have told defendants that there is evidence of guilt. This is what the ethics requires.

North Carolina licensing of Computer Forensic Examiners (result)

April 19th, 2009

Larry Daniels has reported via the ForensicFocus forums that North Carolina will now exempt forensic computer examiners from licensing in North Carolina. That’s 2 good results in the same week.

Montana Computer Forensic Examiner – PI Licensing

April 13th, 2009

A win for sanity today when the Montana legislature passed HOUSE BILL NO. 354. Refer to section 3(k). This new bill exempts those who perform forensic examination in Montana from licensing as a private investigator, so this is wider than just exempting those in the digital evidence field.

Jimmy Weg, of the Montana DCI who assisted with the bill (independently, in regard to his private practice, wegcomputerforensics.com) offered to work with the licensing agency if they feel that a separate licensing scheme for Computer Forensic Examiners is necessary. However, concerning criminal matters, Weg says he “is unaware of any forensics-certified examiners in MT who do criminal defense work, so the implications of PI licensing could have a chilling effect on the ability of defendants to obtain qualified assistance”.

Hopefully the Montana legislation can be used to help other state legislatures in the crafting of their PI licensing requirements as they affect the forensics field.

North Carolina licensing of Computer Forensic Examiners (update)

April 9th, 2009

I’ve just been informed that the hearing on Bill S584 is now calendared for Thursday April 16. It has been changed a couple of times already, so consider this subject to change.

North Carolina licensing of Computer Forensic Examiners

April 8th, 2009

Yesterday was supposed to be the reading and feedback day for the North Carolina bills to require licensing of Computer Forensic and Electronic Discovery professionals. Essentially, they plan to lump our profession in with Security Guards and gumshoes.

My colleagues in NC inform me that the reading was canceled due to a conflict with a budget hearing. Initial reports indicated tomorrow Thursday April 9th as the day, but the most recent advice I’ve received is that it won’t be tomorrow and will more likely be next week.

Senator Fletcher Hartsell coordinates the presentation of bills in the Senate Judiciary Committee. His office number is (919) 733 7223.

Background

As I indicated in my FAQ page, the American Bar Association is against licensing of Computer Forensics professionals as Private Investigators. Joe Howie wrote a great piece called “Impact of State Licensing of Private Investigators on Digital Forensics” in the ABA’s Law Technology Today journal, June 2008 edition.

He does a great job of differentiating Computer Forensic Examiners from PIs. (He refers to them as Digital Forensic Examiners or DFEs.)

First he addresses the methods PIs use to obtain evidence:

When a client hires a private investigator (“PI”) to investigate a third-party or a specific incident, the PI may employ various means, none of which will involve giving the third-party the right to be present, telling the third party that the investigation is underway or telling the subject of the investigation the names of those being contacted. In an undercover or clandestine investigation the PI may talk with or record the subject or make observations regarding the subject at the subject’s home, place of business or worship, or while engaged in civic or associational activities, all without notifying the subject that his or her discussions or actions are being noted for possible use later on.

Then he differentiates Computer Forensic Examiners:

Digital forensics and litigation support can both involve the gathering, analysis and presentation of data that is secured with the full knowledge and consent of the owner of the data or of data that was obtained pursuant to judicial process where the owner of the data was aware of the inquiry and had the opportunity to raise any objections or concerns in a court of law prior to producing or making the data available.

The major difference between how I operate, and how a PI operates is that I always operate either with the consent of the owner of the computer systems, or under a court order which the owner is aware of. I have not performed a covert acquisition since my early days with the police, and I have no intention of doing one as a non-government examiner.

N.B. No disrespect is intended to PIs and Security Guards. You perform a valuable service. It’s just that requiring a PI license for a Computer Forensic Examiner is like requiring an Aviation Mechanic to have a pilot’s license.

Adam Walsh Act (part 2)

April 4th, 2009

The Adam Walsh Act places restrictions on examination of evidence by the defense in Child Exploitation Material cases. In the simplest terms, any evidence must be examined either at the Law Enforcement Agency, or at the Courthouse.

In my last post, I covered the issue of lack of control of your environment and the resultant problem with a sterile environment. I’m not going to rehash that.

COST

There is a major increase in the cost of forensic computer examination of a case under these restrictions. To understand this, you need to know how services are billed.

Examiners only bill for their actual time spent working, not for “machine time”.

A really basic examination of a computer will take at least 3 days. A large part of this is the indexing time. Indexing is the process by which computer forensic software generates a database of search terms, generates hashes of files for known file filtering (KFF) and does some internal sorting of data to make it more manageable. Indexing takes hours. I’ve had big cases with multiple evidence items where indexing took days. This time is not billed.

Part of why this time is not billed is because the examiner will be performing other work during this time that may not be related to the case at hand. Indexing time is a great time to do your daily tech reading, do research, write up the case report from the previous case, or eat lunch.

Running a virus scan on mounted evidence is another exercise that burns up an hour or two of time and isn’t usually fully billed. Some of the reporting functions can take time. If you have to do a duplicate system restore and boot, that’s going to take an hour or more.

However, when you are sitting in a government facility, you don’t stop the clock. This is because you can’t multitask: you aren’t going to bring another case with you to multitask on, and you’re not going to check your mail, do web research, admin tasks, etc on a government computer. You can’t even leave the room to get coffee because you’re leaving a running forensic workstation unattended, which is fine if it’s your lab and you can lock it up, but you don’t control the room. So while a basic 3 day examination might have 8 hours billable in the lab, in an Adam Walsh Act case, it’s 24 hours billable. At a standard billing rate of $250/hour, that’s an additional $2000 on a really basic case. On any case with a large amount of data, this could easily climb to tens of thousands of dollars. In fact, in most cases I know of, the examination cost well over $10k.

Additionally, there is prep time that you are going to bill. Getting your workstation packed up and moved and so on. Plus, before you leave the government facility, you’re going to blow away all your work product except your forensic reports, because the indexing process for example produces thumbnails of contraband material which is now on your forensic workstation. So you have to add in an hour or 2 for wiping the 3 drives.

So one of the most noticeable effects of the Adam Walsh Act amendments is a major increase in defense costs. And of course, you don’t get costs awarded to you if you successfully defend your criminal case.

Now let me be clear about one thing: I am completely in favour of limiting access to contraband material. CEM is disgusting, and I’ve seen things that I’d happily forget ever seeing if I could. There is no good reason for the average citizen to have this contraband material in their possession… ever.

However, defense lawyers are officers of the court, and serving an important function, and forensic computer examiners are the only people able to properly test the government’s claims against the evidence for the defense. If it’s acceptable for the prosecutor, the judge and the jury to hold onto this evidence during the trial, it should be acceptable for the defense team. If any of the defense take a personal copy of this material, they should be prosecuted. If they retain the material after the court process is completed, they should be prosecuted.

The defendant is entitled to a fair trial, and the right to test the evidence.

Adam Walsh Act, Tennessee, and questionable “Expert” witnesses

April 3rd, 2009

Susan Brenner has an article on her CYB3RCRIM3 blog about the chilling effects of the Adam Walsh Act putting the fear of God into people, esp the defense regarding dealing with child exploitation material. (CEM is one of the nicer terms for child porn, and the one I generally use since it was in favour at QPol where I used to work.)

I have dealt with the restrictions of the Adam Walsh Act from the defense examiner side, and personally feel that some of the restrictions are onerous to say the least. You are basically requiring a forensic examiner to transplant part of his laboratory to a government facility to conduct the examination, which is forensically unsound, because one of the major issues with forensics is the “sterile environment” concept.

Part of the sterile environment is the examiner having control of all access to their evidence. In a government facility, you most certainly do NOT have control of your environment. I’ve never known a proper examination of a computer to take less than a few days, so you’re leaving your gear there overnight, unattended, in a room and building over which you have no control. And you can’t just take your equipment back to the office with you at the end of each day, because the examination process potentially creates copies of contraband material on your exam machine.

The government also has a habit of refusing to grant access to the original evidence. A properly trained examiner doesn’t want this access in order to manipulate the evidence on the original, but rather to make the forensic copy themselves, or to get a hash and validate the supplied copy.

But enough about the joys of the Adam Walsh Act. The case referred to in Ms Brenner’s blog is STATE OF TENNESSEE v. RE´LICKA DAJUAN ALLEN No. E2007-01018-CCA-R3-CD.

What really makes this case interesting is the absolutely wrong statements made by the defense “expert” witness. Now I’ve never heard of Mr Herbert Mack, and I can’t seem to find anything about him outside this case through a few google searches. Seriously though, this guy shouldn’t have passed a Daubert challenge, and the prosecutor was weak on not challenging him.

Here commeth the whoppers:

He said that, given the large number of images allegedly contained on the computer, he would not be able to remember the specifics of the information without taking the computer hard drive from the sheriff’s department.

One of the golden rules of forensics is: document everything important. You should have a notepad recording every procedure, every search you conduct, and any pertinent results. Forensic software also lets you produce voluminous reports of files and metadata – none of which need contain contraband – if the quantity of material is too much for your notes. In fact, production of a file list of evidentiary files with metadata is a standard part of reporting every forensic examination.

Mack expressed concern about working from a “mirror image” rather than the hard drive itself, testifying that the computer programs in existence did not create true mirror images

Here is a small, non-exhaustive list of computer programs which create mirror images:

  • X-Ways Forensics
  • FTK Imager
  • EnCase Forensic
  • dd

In fact, FTK Imager is free (as in beer) and dd is free (both as in beer, and as in speech being open source) and contained on every version of linux and BSD that I know of, along with a bunch of linux based forensic boot disks.

In order to be a “mirror image” or “forensic image”, the image must contain the complete disk, including system areas such as the boot sectors, partition tables, and any unallocated space. All forensic imaging software will do this.
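Two points above, validating a supplied copy by hash and requiring that a forensic image hold the complete disk, come together in the check below. It is an added example, not code from the original post or from any of the imaging tools named: it hashes a copy chunk by chunk and compares size and digests against what was documented at acquisition. The disk contents, the acquisition record and the two bad copies are constructed here, not taken from any real case.

```python
import hashlib
import io

CHUNK_SIZE = 1024 * 1024  # hash a megabyte at a time so a large image need not fit in RAM


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Return (byte_count, {algorithm: hexdigest}) for a file-like object, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    size = 0
    while True:
        chunk = stream.read(CHUNK_SIZE)
        if not chunk:
            break
        size += len(chunk)
        for h in hashers.values():
            h.update(chunk)
    return size, {name: h.hexdigest() for name, h in hashers.items()}


def verify_image(image_bytes, acquisition_record):
    """Compare a supplied copy against the size and hashes recorded at acquisition.

    acquisition_record is a dict such as {"size": int, "md5": hex, "sha256": hex}.
    Returns (ok, findings); findings lists every field that disagrees, so a wrong
    size (missing unallocated space) is reported separately from a wrong digest.
    """
    wanted = tuple(name for name in acquisition_record if name != "size")
    size, digests = hash_stream(io.BytesIO(image_bytes), wanted)
    findings = []
    if "size" in acquisition_record and size != acquisition_record["size"]:
        findings.append(f"size: copy has {size} bytes, record says {acquisition_record['size']}")
    for name in wanted:
        if digests[name] != acquisition_record[name]:
            findings.append(f"{name}: copy {digests[name]} != record {acquisition_record[name]}")
    return (not findings), findings


# --- Constructed sample "disk" (a few KB, not a real drive) -------------------
SECTOR = 512
boot_sector = b"\x00" * (SECTOR - 2) + b"\x55\xaa"        # stand-in boot sector
file_area = b"picture bytes ".ljust(SECTOR * 4, b"\x00")   # "allocated" file data
unallocated = b"\xde\xad" * SECTOR                         # 2 sectors of slack
ORIGINAL_DISK = boot_sector + file_area + unallocated

# What the acquiring agency would document when it imaged the drive.
_size, _digests = hash_stream(io.BytesIO(ORIGINAL_DISK))
ACQUISITION_RECORD = {"size": _size, **_digests}

# A copy that drops the unallocated space is not a forensic image: wrong size and hash.
TRUNCATED_COPY = ORIGINAL_DISK[:-len(unallocated)]
# A copy of the right size with a single byte altered: size matches, hashes do not.
TAMPERED_COPY = ORIGINAL_DISK[:SECTOR] + b"\x01" + ORIGINAL_DISK[SECTOR + 1:]


def run_demo():
    """Validate the faithful copy and the two bad copies against the acquisition record."""
    return {
        "faithful": verify_image(ORIGINAL_DISK, ACQUISITION_RECORD),
        "truncated": verify_image(TRUNCATED_COPY, ACQUISITION_RECORD),
        "tampered": verify_image(TAMPERED_COPY, ACQUISITION_RECORD),
    }


if __name__ == "__main__":
    for label, (ok, findings) in run_demo().items():
        print(f"{label}: {'OK' if ok else 'MISMATCH'}")
        for line in findings:
            print("   ", line)
```

Against a real image you would read the file with `open(path, "rb")` into `hash_stream` instead of building the bytes in memory; the record to compare against is the hash the acquiring agency documented, never one you compute from the copy itself.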

Mack conceded that his examination of the actual hard drive would entail reconnecting the original personal computer equipment, turning the computer on, and loading his software file-searching tools, and he agreed that in the process of booting up the Windows operating system the contents of the hard drive would be changed.

Booting Windows will change hundreds of files and settings. Installing his software will most likely alter the registry, and potentially overwrite evidence in deleted space. What he is proposing is the equivalent of walking all over a crime scene in muddy boots with no gloves. You’re destroying evidence, AND leaving your own fingerprints all over the place. This is horrible from a forensics viewpoint.

I have booted up a suspect’s computer before, but it was ALWAYS with a forensic copy of the hard drive. There is never a good reason to boot the original.

However, according to his testimony, booting the computer would not alter either the file creation date or last accessed date of the images in question.

Ok, this is half right. You probably won’t change the MAC dates of the files at start up, but as soon as you start looking at them on the live system you will. Open a file in Windows, and generally, the accessed date is changed.

Try this little exercise out: Right click on a picture file in Windows Explorer. Select Properties. Check the Accessed Date. Windows will tell you that you last accessed the file “Today” and the Accessed Time will be the time when you clicked on Properties.

Mack stated that there was an increased risk of disclosing non-discoverable information because the State’s expert would be able to determine what tools had been run on Defendant’s computer hard drive and what information had been recovered before Defendant was obligated to disclose its expert report.

So now that he’s gone and dirtied up his evidence, he’s complaining that the prosecution will find his fingerprints on the evidence? This is why CSIs wear gloves, and forensic computer examiners don’t run live unprotected exams on the original evidence.

Remember, when hiring a computer forensic expert you are looking for training and experience. Training generally involves a certification. Any examiner worth their salt is going to have a CFCE, CCE, EnCE or ACE. Experience should be measured both in years of experience, and number of forensic examinations.

Classic April Fools

April 3rd, 2009

I’m a big fan of a cleverly done and slightly subtle online April fools joke. I believe this is the first one I’ve seen that involves Computer Forensics. Kudos to Jamie Morris of the Forensic Focus blog.