On a recent matter, we were tasked to analyze a computer that reportedly had evidence of a person’s wrong doing . . . downloading images of child pornography (CP).  The judge hearing the case appointed us as the §730 expert to analyze the data.

“Mary” and ”Fred” are going through a rather nasty divorce, and Fred moved out.  As custody is an issue, Mary indicated that Fred’s affinity for illicit images should influence how custody should be determined.  We analyzed the device to determine if Mary’s assertion relating to Fred’s illegal activity online was true.

The judge directed that the computer be analyzed to determine two things:  1) if CP was contained thereon, and if so, 2) how it got there.

1) After a thorough review of the data on the hard drive, we found evidence of what appeared to be CP from a well known source in Russia.  These images were derived from a CP ring that was shut down through an Interpol coordinated operation several years ago, but the images still do exist on many computers around the world.

2) How they got there: These images were searched for and downloaded via a popular file sharing program using BitTorrent, which allows its 150 million users worldwide to share information, some of which is illegal.

Relating to #2 . . . the “how,” is the “when.” (The devil is always in the details!)  We learned through a review of the metadata that those images were downloaded after Fred had moved out, when he no longer had access to that computer.

It is anticipated that law enforcement will soon be involved to help iron out all those pesky details.

A friend recently went into a automobile repair shop and saw a sign similar to the one above.  It was cute, but the point was well taken- that a well meaning customer can create more work (and expense) than is necessary if he takes a shot at fixing their car first.

In working with hard drives, cell phones, USB flash drives, etc., the concern isn’t so much about creating additional work for the analyst, but rather it is all about potentially tainting evidence.  The simple act of powering on a computer poses risks of overwriting deleted data, and viewing existing files on a computer creates metadata issues.

It is clear that many are still unaware of what to do if there is a potential that electronic evidence exists.  We get cases quite often where the owner of the computer will have tried to search for and view the evidence first. Or had his IT person, computer consultant, son-in-law, etc. take a look at it.

To answer that concern, we wrote a white paper last year to assist our clients, who are primarily attorneys and business owners. A lot of headaches and heartburn can be avoided if a few simple things were observed with respect to digital evidence.  Send us an email if you would like a copy: v at verdict.net.

Many of us can do easy things like change the oil or brakes on our cars, but if tempted to look at electronic data, remember the commandment, “Thou shalt not touch.”

Maxwell Smart’s high tech mobile phone was a fun concept back in 1965.  The idea that people could carry around a portable phone wasn’t even on the grid yet.  Now there are over 4 billion mobile phones in use around the world. In America, 53% of all cell phones are smart phones, and 90% of Americans use mobiles to text or send pictures.  Texting is the #2 use of cell phones.  (#1 is checking the time.)

The average teen sends 3339 text messages per month, and 42% of teens can text blindfolded.  Those over 65 are getting into the act too, but they send only 32 text messages per month at this point. (Siri may help change that!)

Microsoft completed a study last year that indicates by 2014, mobile internet usage will exceed usage by desktop computers.  91% of mobile internet access is used to socialize, compared to 79% on desktops.

What does this mean?  Should be pretty obvious . . . the cell phone must be an element of investigations, as they often contain evidence.  The computer is still the best starting point, as well as the richest source of electronic evidence, since the desktop computer can do much and store a ton of information.  However, it is important to note that those little phones we carry around in our front pockets have more power and storage capacity than the Apple Mac Plus computer with the 20MB hard drive we had back in college.

Remember when Blackberries started to gain popularity?  They were known as “Crackberries,” due to the silly addictive-like behaviors of their owners.  (Seeing that blinking red light indicating a new message was enough to give some people the shakes.) Now it is the norm with iPhones, Androids, etc.

The amount of use on these little devices continues to make them an evidentiary treasure trove.

On a recent case, our client, a bleeding edge tech firm in Los Angeles, had some employees quit and venture out on their own. They started a competing company, and soon, several of firm’s clients started to migrate over to the start up. We soon got a call from the firm’s attorney to see if we could uncover any evidence on these former employees’ computers showing if any proprietary or protected data was used by these guys.

We grabbed the several computers used by the former employees, as well as some backup media, and initially found nothing of real value. (People are getting pretty smart these days about what can be recovered from a computer. Luckily, most remain ignorant of what we can snag off of a cell phone.) One of the employees’ computers had no evidence on it, but while combing through deleted files on another of the computers, we found one file that certainly caught our eye . . . a business plan!

This business plan was written on the firm’s computer, during the work day as identified by the metadata, and the writer spared little in the way of details. The marketing portion of the plan indicated how they would use their current firm’s client list as a basis for their marketing efforts. The firm’s client list contains information such as names of contacts, direct lines and cell numbers, and other client data that the firm had developed over the many years they’ve been in business.

Our client is positioned to now go after these former employees, no longer armed with a pea shooter, but with a bazooka.

Life is hard; it’s harder if you’re stupid. John Wayne

Well, while the above logo is a bit polarizing, recent efforts by the ACLU did yield some pretty helpful information for cases where cell phones / PDAs are involved. (Do people still use the term “PDA?”)

A couple months ago, 35 ACLU affiliates filed 381 requests with law enforcement agencies in 32 states to identify how they use location data from cell phone companies to track citizens. Part of the results of their efforts yielded a chart that indicates what information is kept by the carriers and for how long.

This chart was created by the US Department of Justice and was intended to be used for law enforcement purposes only, but this will be helpful for criminal defense and civil matters as well.

The chart can be found here: http://tinyurl.com/3zzsxu6

I listened to a terrific presentation this morning by Liz Danziger of WorkTalk that detailed some of the things people should do to be more effective when using email, and that included many of the pitfalls involved with that mode of communication. The only thing I can say is . . . thank goodness most people have not seen this presentation! I really can’t overstate the level of stupidity that I see sometimes when analyzing electronic data, in fact, I depend on it! Presentations like this will make my work harder- their ignorance is my bliss.

Well, that is all tongue-in-cheek, of course. Learning how best to handle electronic data is critical, and I have clients that regularly speak to groups on things like what to do with electronically stored information (ESI) when one has employee issues, legal concerns when investigating an employee, how to deal with social networking, etc. I would be happy to put anyone in contact with them- just shoot me a note.

I also regularly speak to groups on workplace investigations specific to ESI from a “bag and tag” as well as analysis standpoint, including what type of evidence can be expected and how to preserve it.

If you do find yourself with an investigative need, do not overlook the computer. Nearly all communication originates on one, and most of those can be recovered by an expert using forensically accepted tools and practices.

I was recently called to analyze a home PC owned by a couple going through a divorce, on behalf of the wife who believed that the PC may contain evidence of her husband’s online trading accounts.  She did not want to bring the computer to our office to get it copied and analyzed, for fear that her husband may recognize that she’d done something with the computer. She was extremely nervous about getting caught, so I went to her home to copy the hard drive.  Her husband had a business lunch meeting in a city over an hour away, which provided a nice window of opportunity for us to get in, get the data, and get out.  At least in theory . . .

As I had the computer open and was removing the hard drive, we heard the unexpected yet familiar sound of the electric garage door starting to open, and she exclaimed, “Oh NO!  He’s home!”

She was pretty nervous at the beginning, but by now her anxiety was going through the roof.  We heard the kitchen door open, followed by footsteps across the tile floor, and she looked completely desperate.  By this time I was in full flight or fight mode, (hands sweaty, mouth dry, adrenaline pumping), when she hissed, “Quick!  Take your clothes off!”

Well, maybe that last part didn’t happen exactly that way, but this experience underscored the need to maintain tight controls over the environment.  Similar to the client who called us in to image a computer, and then let the opposing litigant and his attorney be present and dictate how the data was to be captured.  Forfeiting control of the situation is a recipe for failure.

Sometimes there are hardware or software challenges that require work arounds, and maybe even a call to technical support, which does not inspire confidence when capturing the data with several parties present.  There is an unrealistic expectation that if an expert is involved, then the process will always be flawless.

The best case scenario is for us to bring the computer or storage device into our office so we can capture and analyze in a controlled environment.  If that is not possible, then we often go onsite to capture the data, but we still control how we access the device as well as the method of data acquisition.  If there is an issue with the owner of the computer attempting to assert controls over the procedure, then we will work with the owner’s trusted IT person, who can set the owner at ease.  Beyond that we will consider the environment too difficult to be successful and will exit the case.

Greater control increases the likelihood of a successful outcome.

Due to our expertise in computer forensics, we are often called on to help recover files that have been accidentally deleted.  It has happened to every one- deleting a file and emptying the trash before realizing we needed to keep something in there.  What a sinking feeling, but all is not lost.

The first thing to do in this situation is to not write any new data to the computer.  There is an excellent chance of recovering that data, as long as the hard drive space where that data resides is not overwritten.  So stop what your are doing . . . do NOT use the computer.

Probably one of the best ways to proceed is to take the computer in to a competent IT professional, who will have some industrial-strength tools in his bag of tricks.  But there are some terrific tools that are easy to use if you want to try it on your own.  Probably a trip to Staples or Frys and getting their recommended products is all you need, in addition to having a friend that it is at least a little tech savy help out. Here are a few proven applications to consider:

1 - Recuva: Not the most powerful, but it is free, and does a pretty darn good job.

2 - DiskInternals NTFS Recovery: The gold standard for recovering files, and pretty cheap at $100.

3 - DiskWarrior: If you have a Mac, then this is the one for you, and also runs a c-note.

One thing you should consider is an online backup service.  We use Carbonite, but there are others that do a great job.  If you have ever opened up a file intending to use it as a template for a new file, and accidentally altered the original, these backup services often will keep multiple backups over time so you have a choices on which versions of the file to restore.  This has been a lifesaver!

Give us a call if we can help: 805-445-1997

Many thousands of dollars are spent on protecting our computers from outside threats, but studies show that the greatest problems are on the inside of the firewall.  Consider this:

1 – 85% of company information, your proprietary data, is at the end point.
2 – Employees spend an average of 75 minutes a day on non-work related activity. That is 25 hours a month.
3 – 70% of porn is accessed during the 9-to-5 workday.
4 – 82% of all e-crimes are by employees.

Below are a couple recent cases involving employees’ illicit use of their computers:

1) Employee Sends Risqué Photo of Herself?
We recently investigated an incident that occurred at a law firm. One of the workers, a woman, had posed for a very risqué photograph, which she appeared to have sent to everyone in the law firm. The originating email was from a Yahoo! email address that was a derivative of her name. The email’s header yielded the IP address, confirming that the email originated from within the law firm. The Internet logs on the network were then reviewed to determine which computers were on Yahoo! at the time the email was sent, and four were identified, none of which was her’s. A forensic analysis was conducted of the person’s computer who seemed most likely to have sent the email, a paralegal. He was successful in covering most of his tracks, but irrefutable evidence showed that offending email’s account was created on his computer, leading to his termination. How dumb can you be?

2) CFO in Collusion with the Opposition
Our client’s company was involved in litigation, and the opposition had information that indicated there was a leak high up in the company.  Forensic analyses were conducted on several computers, including the Chief Financial Officer’s.  Discovered on his system was a deleted file that showed he had provided confidential information to opposing litigants. He created a three-page file in Microsoft Word, listing in great detail perceived offenses by his employer, emailed it from a personal Hotmail account through his browser, then deleted it. We found it.  Associated metadata indicated he was the author, when it was created and how many times he edited it.  Interestingly, this CFO was aware of our involvement early on in the case, before he created the document; which proves that stupidity is not limited to low level employees!

An Obvious Place to Look
The computer is an obvious starting point when investigating workplace activities, especially when considering that most communications and all information is derived and/or stored on a computer, 95% of which will never get printed.  As in the above examples, sometimes it is the only place.

We were recently engaged to identify inappropriate communications by a subject, and none were identified on the subject’s computer.  We analyzed data from the subject’s iPhone and struck gold, and identifying dozens of illicit text messages that unquestionably showed the subject’s guilt.  Many people are becoming aware of email recovery, and thus are more cautious in their communications, but they are much less guarded when it comes to their cell phones. Like computers, a cell phone can both facilitate the act and store the evidence, so they should be an obvious place to look for information.

Some have predicted that mobile devices will one day replace our computers.  Many professionals are already shedding their notebooks when traveling, opting for the convenience of communicating by Blackberry, iPhone, etc.  More functionality is a certainty, which creates an increasing need for mobile forensics.

Verdict Resources, Inc. and Mobile Phone Investigations, Inc. announces strategic alliance.

Because of this, Verdict Resources, Inc., a provider of computer forensics services, has allied itself with Mobile Phone Investigations, owned by Kevin Martin, to conduct all forensics on mobile devices. Kevin has served many years in law enforcement conducting examinations on both computers and cell phones, including PDAs, and has spent the last several years teaching advanced cell phone forensics and conducting forensics examinations for Paraben Corporation.

Computer technology is an ever changing environment, but it is MUCH more so with mobile devices. There is a new device introduced every day, and this is seen more in the cell phone/PDA world than in any other technology. Businesses and private citizens continue to feed the frenzy by continually upgrading to the latest and greatest of these technologies.

Tools and Methodologies
Because computers and mobile devices are built differently, one can not apply the same examination techniques nor use the same tools. Today there is no standard in the construction of mobile devices or in their operating systems. One must have an ever-growing collection of cables and drivers to facilitate a connection between the software and the target device, as well as several court-tested forensics applications that work with most phones.

Training is equally critical in mobile forensics as computer forensics, so mobile forensics has become its own discipline. An example of different approaches would be a hard drive analysis focuses on the physical side of the device, while mobile forensics focuses first is on the logical files. You might get one shot at analyzing a mobile device, so choosing the right provider is essential.

What evidence is available?
If an investigation includes both a computer and a mobile device, then examine the mobile first. More current data is there and people communicate much more casually on their mobiles.  Additionally, the limited storage capacity of a mobile device means that data is overwritten more readily, a concern for obtaining evidence. Also, analyses can occur within hours of acquisition, while a computer can take several days.  A contact list in a cell phone is very helpful when subsequently searching a computer as well, so cell phone and computer forensics compliment each other.

Not only do can a list of contacts be obtained, also recoverable is-

· Text messages and MMS (picture/video) messages
· Call logs
· Email
· Chat
· Pictures
· Videos
· Internet activity
· Some back up files from computers
· Some deleted text messages and pictures can be recovered.