Computer Forensics Challenges of 2008: The major issues affecting the use of digital forensics in family law cases in South Carolina. Presented by Steven M. Abrams, J.D., M.S., Abrams Millonzi Law Firm, P.C.
Steven M. Abrams, Esq. Computer Forensics Examiner; Attorney at Law (SC); Private Investigator (NY). Computer Forensics Bio • 1983 – 2008 (25 yr) • Trained under Military and Law Enforcement Supervision – NCJA, NW3C, NYPD, FBI, SLED • 350 CF Cases • 75% Domestic Relations • Law enforcement work: USSS, FBI, Mt. Pleasant PD, ... • Member: HTCIA, SCALI, ALDONYS, IEEE • Permanent Member: SLED PI Business Advisory Committee • Instructor: Numerous CLEs, Seminars, US and Foreign Governments
What we will cover today: Issues confronting the use of Computer Forensics in Family Court • Common abuses of the discovery process. • Need to check licenses and credentials of computer forensics examiners. • Need to critically evaluate CF evidence. • Lack of uniform rules for e-discovery in state courts.
Computer Forensics? Computer forensics, also called cyberforensics and digital forensics, is the application of computer investigation and analysis techniques to gather evidence suitable for presentation in a court of law. The goal of computer forensics is to perform a structured investigation while maintaining a documented chain of evidence to find out exactly what happened on a computer and who was responsible for it.
Why do Computer Forensics? “Forget dumpster diving. Computers harbor more personal information and secrets than anyone can discard into a 20-gallon trash container. A typical computer holds information people once stored in wallets, cameras, contact lists, calendars, and filing cabinets. Computers are the treasure trove of personal contacts, personal finance, and correspondence. Practically every investigation can benefit from the proper analysis of the suspect's computer systems.” - Incident Response: Investigating Computer Crime, p. 88
Family Law Matters are particularly suited to digital forensics. • Home Computers, Cell Phones are usually jointly owned and used marital property. • Household financial records often on home computer. Hidden assets traceable on PC. • Increasingly paramours contacted by computer – email & websites / cell phone . • Arrangements for liaisons made using computer; flight and hotel reservations. • Pornography, Pornography, Pornography…
A Typical Digital Forensics Investigation An actual domestic relations case example The names of the parties have been changed to protect their identities.
Scenario • Domestic Relations Matter • Lisa - Wife of client having an affair. • Paramour: “Michael” • Email Address: “Metro6969@alt.com” • Lisa has installed new web cam • Explicit emails recovered referring to web cam • Michael claims to be 41 years old • Lisa has taken a trip to ?? • Goal: Locate Paramour (and Lisa)
Procedure – Search for web cam related content • MPG is a popular movie format, along with MOV and WMV. • A search for MPGs turns up many fragments and some link (lnk) files containing information about movies accessed on this computer. • One “lisa” movie link file is found, but the lisa movie itself is not found on the hard drive. • The missing movie may contain important evidence.
Evidence - LisaMOV00396.LNK Shortcut File • LisaMOV00396.lnk.html
Procedure • Do a keyword search for “LisaMOV00396.MPG” • There were no files by that name on the hard drive • Search Recycler for LisaMOV00396.MPG
Evidence – INFO2.DAT • Recycle Bin Index … (The movie has been renamed Dc73.MPG by the Recycler and is still intact!)
Evidence –DC73.MPG Listen to the accent in the speaker’s voice
Procedure – Search hard drive for “metro6969” • A keyword search for “metro6969” turns up many explicit emails between Lisa and Michael. • One email contains Michael’s business email signature, probably by accident.
Evidence - Email (Signature from paramour’s deleted email recovered with FTK) … Michael E. Smith Metropolitan Plumbing Co., Inc.
Procedure – Look up the company • Using the accent as a guide (New England) • Search for business filings on D&B for “Metropolitan Plumbing Co.”
Business Report from D&B Comprehensive Business Report Company Name: METROPOLITAN PLUMBING CO INC Address: HICKSVILLE, MA 02799 Phone: (508) 632-6969 FEIN: 00-000000 Associated People: Business Contacts: MICHAEL SMITH, SSN: 025-55-0000, Date Last Seen: Apr, 2005 HICKSVILLE, MA 02799 MICHAEL SMITH, SSN: 025-55-0000, PRESIDENT, Date Last Seen: Apr, 2006
Procedure – Use SSN to locate paramour • Using an IRBSearch.com person search, look up the SSN… to produce a background report on the paramour.
Evidence – Background Report Subject Information: Name: MICHAEL E SMITH Date of Birth: 04/1965 Age: 41 SSN: 025-55-0000 issued in Massachusetts between 01/01/1971 and 12/31/1973 Active Address(es): MICHAEL E SMITH - 591 MARKET ST, FRANCIS MA 02099-1513, NORFOLK COUNTY (May 1993 - Sep 2006) SMITH MARY ANNE (508) 540-1234
Eureka! It’s now a simple matter to place Michael under surveillance and have him lead us to Lisa, who is waiting for him at a local roadside motel.
Issues confronting the use of CF in Family Court Issue #1: Willful Spoliation – An increasingly common occurrence
Issues affecting CF in Family Law Matters: Issue #1: Spoliation. Willful, deliberate spoliation is becoming an increasingly common occurrence in domestic relations matters.
Typical example of willful spoliation: You are called in to examine a computer produced in response to a court order. Upon opening the case of the eight-year-old computer, which you note was missing the screws that hold the cover closed, you observe the following…
Actual Evidence Photo 1 Dust Bunnies !
Actual Evidence Photo 2 Cob Webs!
Actual Evidence Photo 4 The Hard Drive was Pristine, almost sterile.
Rule # 1: Parties cheat in e-discovery, especially in domestic relations cases. • Never assume that material produced during the course of electronic discovery is complete or authentic; Use forensic evidence to establish authenticity. • Electronic data is fragile and easily lost or manipulated.
Rule # 1: Parties cheat in e-discovery, especially in domestic relations cases. • Opposing counsels are usually well-meaning, but clients are often beyond their control. • Clients often have an unreasonable belief that they will not get caught. • Hire a knowledgeable computer forensics expert to review materials produced during electronic discovery.
Most common method of spoliation: Wiping programs (anti-forensics) • Wiping software makes data recovery difficult or impossible by deleting and then overwriting data on the hard drive. Wiping can be detected in two ways: • Detect disk wiping by examining the data in disk sectors for regular patterns indicative of wiping. • Detect wiping software with Gargoyle Investigator™ Forensic Pro software.
2nd most common method of spoliation: Evidence tampering. Includes any attempt to alter the data on the hard drive. • Most commonly done by reformatting the hard drive and reloading the O/S (Windows). • The original data is usually at least partially recoverable after a reformat / reload. • Other tampering includes changing the time and date stamps on files to pre- or post-date them. • Rarely, we have seen one spouse fabricate evidence to make it appear as if the other spouse was responsible for data remaining on the hard drive.
How can evidence tampering be detected? Analysis of artifacts within several key areas of the hard drive can lead to conclusive evidence of willful spoliation and evidence tampering (for example, reformatting the HD). The key areas include: • Windows Registry • Link files – show which files were on the system and when • Event Logs – show when/if the system clock was reset • Disk partition and system directory metadata – shows when the hard drive was reformatted and the Windows install date • Keyword searches for deleted data in unallocated drive free space • Deletion dates obtained from the Recycler INFO2 structure
The Windows Registry • The Windows Registry can conceptually be thought of as a special directory where Windows and other software programs store system data needed for proper operation of the operating system and installed software. User activity within Windows is tracked and stored in the Registry.
The files that constitute the Windows XP Registry • Windows/System32/config/ directory: System, Software, SAM, Security • documents and settings/User/: Ntuser.dat
Metadata What is metadata? • Metadata gives any kind of data context. Any item of data is a description of something. Metadata is a type of data where the something being described is data. Or, as it is often put, metadata is data about data.
Microsoft Office Metadata Microsoft Office files include metadata beyond their printable content, such as the original author's name, the creation, modification, and access date and time of the document, and the amount of time spent editing it. Unintentional disclosure can be awkward or even raise malpractice concerns.
Metadata is essential as a means of determining the install date for Windows and the date of hard drive formatting. • Folders (subdirectories) are just a special type of file. As such they have file creation date and time metadata associated with them. • The Windows folder and the system32 subfolder (among others) are created when Windows is installed. The creation date metadata on the Windows folder can tell you when Windows was installed. This can indicate that the hard drive has been tampered with. • The metadata on the root folder, and on the bad cluster and partition files, can tell you when the partition was created, usually when the drive was formatted.
Metadata is discoverable! Williams v. Sprint/United Mgmt. Co., 2005 U.S. Dist. LEXIS 21966(D. Kan. Sept. 29, 2005). • The Williams court established the following standard: • [W]hen a party is ordered to produce electronic documents as they are maintained in the ordinary course of business, the producing party should produce the electronic documents with their meta data intact, unless that party timely objects to production of meta data, the parties agree that the meta data should not be produced, or the producing party requests a protective order. Id.
Typical Case Example: W v. H • Custody matter between W and her former husband H. • W has joint custody with H over a 4 yr old daughter. (W's increasingly erratic behavior is possibly dangerous.) • H and his new wife seek sole custody. • W allegedly tells a friend via email that “she will sooner kill the child and H, than turn her over to his custody.”
W v. H • Attorney for H issues subpoena for W’s computer so he could have the emails examined. • W’s attorney files motion to quash subpoena • On July 20, Judge issues order from bench for W to turn computer over to her attorney so it can be examined by H’s expert.
W v. H • On July 25th signed order arrives at W’s attorney’s office. • On July 27th W brings computer to her attorney’s office for examination. • I examine and copy computer in W’s attorney's office on August 1st. • During my exam, I take the following photos of the computer:
Evidence Photos from Aug 1st Hard drive pristine!
W v. H – Forensic Evidence: EnCase Image from W’s Hard Drive • Case Information: • Case Number: 2005-29 • Evidence Number: 1 • Unique Description: Maxtor 4GB • Examiner: SM Abrams • Notes: Maxtor 4GB from Dell Tower • -------------------------------------------------------------- • Information for E:\image\maxtor4gb: • Physical Evidentiary Item (Source) Information: • Drive Interface Type: USB • Drive Model: Maxtor 8 4320D5 USB Device • [Drive Geometry] • Bytes per Sector: 512 • Cylinders: 525 • Sectors per Track: 63 • Sector Count: 8,437,500 • Tracks per Cylinder: 255 • Source data size: 4119 MB • Sector count: 8437500 • MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60 • SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d • Image Information: • Segment list: • E:\image\maxtor4gb.E01 • Image Verification Results: • MD5 checksum: bf7c9baa773530bb3300fbf3aa5c5f60 : verified • SHA1 checksum: 6a3965440b9df1a4b61a2e12ff555ec60238f42d : verified
W v. H – Forensic Evidence: EnCase Image from C’s Hard Drive. Data on the hard drive largely consisted of 0x35, or ASCII 5’s: “555555555555555…”. In binary this is “00110101”, which is a common wiping pattern.
W v. H – Forensic Evidence: Windows First Run Log dated 7/25 • File: Frunlog.lnk • Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\Recent\Frunlog.lnk • Alias: (blank) • Extension: lnk • File Type: Shortcut File • Category: Other • Subject: (blank) • Created: 7/25/2005 5:48:42 PM • Modified: 7/25/2005 5:48:44 PM • Accessed: 7/26/2005
W v. H – Forensic Evidence: Registry files created 7/25/05 • File: SYSTEM.DAT • Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\SYSTEM.DAT • Alias: (blank) • Extension: DAT • File Type: Windows 9x/Me Registry File • Category: Other • Subject: (blank) • Created: 7/25/2005 10:37:22 PM • Modified: 7/26/2005 6:17:06 PM • Accessed: 7/26/2005
W v. H – Forensic Evidence: Registry files created 7/25/05 • File: USER.DAT • Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\USER.DAT • Alias: (blank) • Extension: DAT • File Type: Windows 9x/Me Registry File • Category: Other • Subject: (blank) • Created: 7/26/2005 6:13:06 PM • Modified: 7/26/2005 6:17:06 PM • Accessed: 7/26/2005
W v. H – Forensic Evidence: W’s password file created on 7/25 • File: MARY.PWL • Full Path: maxtor4gb\Part_1\NO NAME-FAT32\WINDOWS\MARY.PWL • Alias: (blank) • Extension: PWL • File Type: Windows PWL file (new) • Category: Other • Subject: (blank) • Created: 7/25/2005 5:37:22 PM • Modified: 7/25/2005 5:37:24 PM • Accessed: 7/26/2005
W v. H – Forensic Evidence: Scandisk runs as part of the Windows 9x install on 7/25 • File: SCANDISK.LOG • Full Path: maxtor4gb\Part_1\NO NAME-FAT32\SCANDISK.LOG • Alias: (blank) • Extension: LOG • File Type: Unknown File Type • Category: Unknown • Subject: (blank) • Created: 7/25/2005 8:22:54 PM • Modified: 7/25/2005 8:22:56 PM • Accessed: 7/25/2005
W v. H – Forensic Evidence: W deleted files in an attempt to cover up the 7/25 Windows install • Recycle Bin Index • Filename: Dc0.TXT • Original Name: C:\SETUPXLG.TXT • Date Recycled: 7/25/2005 5:48:41 PM • Removed from Bin: Yes
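The first wiping-detection method from the spoliation slide (looking for regular fill patterns in disk sectors) applied to the 0x35 pattern seen on this drive, as an added example that is not the presenter's tool or any product named in the deck. It assumes a raw image split into 512-byte sectors and a constructed sample image; a real examination would read the acquired image file instead.

```python
from collections import Counter

SECTOR = 512  # bytes per sector, matching the EnCase drive geometry above


def classify_sector(sec: bytes):
    """Return ("zero", 0), ("fill", byte) or ("data", None) for one sector."""
    if not sec:
        return ("data", None)
    first = sec[0]
    if sec.count(first) == len(sec):          # every byte in the sector identical
        return ("zero", 0) if first == 0 else ("fill", first)
    return ("data", None)


def scan_image(image: bytes, sector_size: int = SECTOR) -> dict:
    """Count zero-filled, single-byte-filled and data sectors across a raw image."""
    counts, fills, total = Counter(), Counter(), 0
    for off in range(0, len(image), sector_size):
        kind, val = classify_sector(image[off:off + sector_size])
        counts[kind] += 1
        if kind == "fill":
            fills[val] += 1                     # record which fill byte was used
        total += 1
    uniform = counts["zero"] + counts["fill"]
    return {
        "sectors": total,
        "zero": counts["zero"],
        "fill": counts["fill"],
        "data": counts["data"],
        "uniform_fraction": uniform / total if total else 0.0,
        "top_fill_byte": fills.most_common(1)[0][0] if fills else None,
    }


def likely_wiped(summary: dict, threshold: float = 0.9) -> bool:
    """A drive that is almost entirely one fill pattern was overwritten, not merely unused."""
    return summary["uniform_fraction"] >= threshold


# Constructed sample image (not a real evidence image): 900 sectors of ASCII '5'
# (0x35, binary 00110101), 50 all-zero sectors and 50 sectors of varying data.
SAMPLE_IMAGE = (b"\x35" * SECTOR * 900
                + b"\x00" * SECTOR * 50
                + bytes(range(256)) * 2 * 50)

if __name__ == "__main__":
    summary = scan_image(SAMPLE_IMAGE)
    print(summary, "-> likely wiped" if likely_wiped(summary) else "-> not wiped")
```

A drive pulled from eight years of use should show a mix of data, slack and zeroed sectors; a single dominant fill byte is what the slide calls a regular pattern indicative of wiping.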
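The timeline reasoning behind the W v. H slides (install date inferred from system artifact creation times, then compared with the court order date), as an added example that is not the presenter's tool. The records are constructed from the values on the slides above with paths abbreviated, and the July 20 order date is taken from the earlier W v. H slide; the "File: ... Created: ..." layout mirrors the flattened records as they appear in the deck.

```python
import re
from datetime import datetime

# Records constructed from the W v. H slides (not a live EnCase export), each
# one flattened "File: ... Created: ... Modified: ... Accessed: ..." record.
RECORDS = [
    "File: Frunlog.lnk Full Path: maxtor4gb\\Part_1\\NO NAME-FAT32\\WINDOWS\\Recent\\Frunlog.lnk "
    "Extension: lnk File Type: Shortcut File Created: 7/25/2005 5:48:42 PM "
    "Modified: 7/25/2005 5:48:44 PM Accessed: 7/26/2005",
    "File: SYSTEM.DAT Full Path: maxtor4gb\\Part_1\\NO NAME-FAT32\\WINDOWS\\SYSTEM.DAT "
    "Extension: DAT File Type: Windows 9x/Me Registry File Created: 7/25/2005 10:37:22 PM "
    "Modified: 7/26/2005 6:17:06 PM Accessed: 7/26/2005",
    "File: USER.DAT Full Path: maxtor4gb\\Part_1\\NO NAME-FAT32\\WINDOWS\\USER.DAT "
    "Created: 7/26/2005 6:13:06 PM Modified: 7/26/2005 6:17:06 PM Accessed: 7/26/2005",
    "File: MARY.PWL Full Path: maxtor4gb\\Part_1\\NO NAME-FAT32\\WINDOWS\\MARY.PWL "
    "Created: 7/25/2005 5:37:22 PM Modified: 7/25/2005 5:37:24 PM Accessed: 7/26/2005",
    "File: SCANDISK.LOG Full Path: maxtor4gb\\Part_1\\NO NAME-FAT32\\SCANDISK.LOG "
    "Created: 7/25/2005 8:22:54 PM Modified: 7/25/2005 8:22:56 PM Accessed: 7/25/2005",
]
ORDER_DATE = datetime(2005, 7, 20)   # bench order to turn the computer over
TS_FMT = "%m/%d/%Y %I:%M:%S %p"
TS_RE = r"(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"


def parse_record(text: str) -> dict:
    """Pull the file name and created/modified timestamps out of one flattened record."""
    name = re.search(r"File: (\S+)", text).group(1)
    created = datetime.strptime(re.search("Created: " + TS_RE, text).group(1), TS_FMT)
    modified = datetime.strptime(re.search("Modified: " + TS_RE, text).group(1), TS_FMT)
    return {"file": name, "created": created, "modified": modified}


def build_timeline(records):
    """Parsed records ordered by creation time, oldest first."""
    return sorted((parse_record(r) for r in records), key=lambda r: r["created"])


def inferred_install(timeline):
    """The earliest creation time among the OS artifacts approximates the install."""
    return timeline[0]["created"]


def created_after(timeline, cutoff: datetime):
    """Names of artifacts created after the cutoff, here the court order date."""
    return [r["file"] for r in timeline if r["created"] > cutoff]


if __name__ == "__main__":
    tl = build_timeline(RECORDS)
    print("Windows install inferred:", inferred_install(tl))
    print("Created after order:", created_after(tl, ORDER_DATE))
```

Every system artifact on an eight-year-old machine being created five days after the order, and none before it, is the metadata signature of a reformat and reload rather than ordinary use.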