Wednesday, May 27, 2009

Comprehensive Cell Phone Forensics "Mini-Lab" available through PATCtech

PATCtech is now offering a Comprehensive Cell Phone Forensics "Mini-Lab."

Our purpose in putting together this starter lab was to provide a high-end cell phone forensics solution for agencies that could not otherwise afford the industry's existing "lab in a box" solutions.

No single cell phone forensics utility (hardware or software) covers every cell phone model. Our final product, however, bundles multiple utilities that together can forensically examine approximately 90% of the cell phones on the market today, including popular models like the iPhone and BlackBerry.

We chose the new "mini" laptops built on Intel's Atom processor as the engine of the lab. The minis passed extensive testing and will compete with any similarly priced cell phone forensics utility on the market.

For more details visit us on the web: http://www.patctech.com/cell-lab.shtml

Tuesday, April 28, 2009

Sexting and Sexmessaging

I recently asked a group of investigators if any of them had had to deal with a sexting case. After some quiet grumbles, one person slowly raised his hand and said that he had heard of someone investigating a sexting case, but he had not done one himself. Well, let me be the bearer of bad news. If you have not had to investigate a Sexting case yet, you most assuredly will in the not too distant future. This is an epidemic that is sweeping through not only the realm of teenagers, but preteens as well.

What exactly is Sexting? To define it simply, it is when an individual uses a mobile phone to send sexually explicit images of themselves to another mobile phone. Then what is Sexmessaging? That is sending sexually explicit text messages from one mobile phone to another. While Sexmessaging has its problems, both morally and psychologically, we (the law enforcement community) will most likely not deal with it unless it is coupled with a more serious crime, e.g. child pornography or child luring. When dealing with Sexting you must understand that the Actors are engaging in a behavior of unintended consequences: they simply see it as innocent "flirting." The problem lies with what is done after the picture reaches its intended recipient. What if that person then sends it to 10 of his or her buddies?

In a recent case from Cincinnati, Ohio, which received national attention, a young girl, Jessica Logan, committed suicide after naked pictures of herself made the rounds at local high schools. Some may argue this is a case of a teenager overreacting to an incredibly embarrassing situation that she brought upon herself. As law enforcement members we do not have the luxury of treating the situation with such callous disregard. When confronted with a Sexting case it is imperative that we strive to apply the appropriate law. This, however, does not preclude us from applying the "spirit of the law" in some situations. So where does that boundary lie? When do we simply inform the child that it is inappropriate to send these pictures, as opposed to filing charges for the production and dissemination of child pornography? This is the very real problem investigators are facing on a daily basis all over this country. District Attorneys cringe every time they hear the term "Sexting" uttered in a criminal complaint.

As you can tell, this problem is not easily addressed. The state of Vermont recently attempted to enact new legislation to speak to this issue. Their new law would make it legal for someone under the age of 18 to send nude or semi-nude pictures to other minors, the argument being that they have no criminal intent when making or sending the images. The United States Supreme Court has said repeatedly that child pornography, by definition, is much narrower than mere nudity; child pornography generally involves sexual acts or situations in conjunction with the photos. This goes to the heart of Vermont's argument. If the intent is simply to send a nude photo, and it does not include an overtly sexual situation, then should the photo be "legal"? If so, how do we address the recipient of the photo? If a photo is sent to its intended recipient, who then forwards it to another, is that now a violation? These are valid questions that lawmakers have to consider, and those in the law enforcement community will have to apply the laws that result.

This is not an easy situation for us to be in, but we must keep in mind that our reaction to these cases can have long-standing effects for all involved.

Wednesday, April 1, 2009

Examining a Non-Working Drive? Be Cooool About It. #2 in a Series

In the first blog of this series, I addressed one facet of how to recover data from a damaged or inoperable hard disk drive. If you recall, I discussed a method whereby the drive electronics were removed and replaced with the board from an identical working drive. As ingenious as that technique is, it sometimes may not be possible or appropriate, and in other cases where it would be OK to try, perhaps it should not be the first method you use. So let's take a look at another technique.

Ever attach a hard drive to a computer and power it up only to hear a uniform "clicking" noise followed by an "accelerating spin up" sound that cycles over and over again? The clicking and spin-up repeat with about the regularity of a skipping record (yes, I am referring to a record player; I suppose I just dated myself). In any case, this can only be described as... not good. It usually means the heads cannot read the platters and are being pulled back and retried; in the worst case they are actually touching the platters (which may be warped for some reason), and that can quite literally carve circular gouges into the spinning disks. If you hear this noise, TURN THE COMPUTER OFF... SOON... NOW WOULD BE BETTER.

What we need to do is somehow recreate the minute gap that used to exist between the read/write heads and the platters. How do we do this? Good question. Take the drive to your kitchen, wrap it tightly in aluminum foil, put the wrapped drive in a sealed plastic baggie, squeeeeeze the air out (the foil and the air-free bag are there to keep condensation off the electronics and platters) and place it in the freezer. That's right, I said stick it in the freezer. Wait about half an hour and DING, IT'S DONE!!! What's the catch? You may get only this one chance to spin it up and get what you need while it is still cold. If you attempt this, start a forensic image of the drive immediately; don't delay, and don't spend the cold spin-up on anything but the acquisition. In a Walgreens world the drive would somehow stay cold during the entire imaging process, but since I don't know anyone who lives there, aim a fan at the drive and try to keep it cool. The drop in temperature is meant to contract the metal parts juuuust enough to restore the tiny head-to-platter clearance that has somehow been lost.

Here comes the lawyer stuff: it is entirely likely that you will further damage the drive using this method, but then again it was inoperable to begin with, so in that respect you have lost nothing.

John LaRoche
PATCTech Chief Examiner, Instructor
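The one point the freezer technique turns on is that you may get a single cold spin-up, so the acquisition should read the drive exactly once: image it, hash it and log the unreadable sectors in the same pass, rather than reading it a second time to hash it. The script below is an added example and is not code from the original post or from PATCtech. It assumes a 4 KiB read size (a choice, not a requirement), and `FlakyDevice` is a constructed stand-in for `/dev/sdX` whose block 2 fails to read, so the example runs without hardware. Failed blocks are zero-filled, as `dd conv=noerror,sync` would do, so every later byte keeps its original offset.

```python
"""Added example: one-pass acquisition of a drive that may not spin up twice.

The source is read exactly once; every block goes to the image file and into a
SHA-256 at the same time, and unreadable blocks are zero-filled (the same idea
as dd's conv=noerror,sync) and logged by offset so the gaps are documented.
FlakyDevice is a constructed stand-in for /dev/sdX so this runs without hardware.
"""
import hashlib
import os
import sys
import tempfile

BLOCK = 4096   # assumed read size; on a real drive drop to 512 if reads keep failing


class FlakyDevice:
    """Constructed fake block device: reads of the listed block numbers raise EIO."""

    def __init__(self, data, bad_blocks):
        self.data, self.bad, self.pos = data, set(bad_blocks), 0

    def seek(self, off):
        self.pos = off

    def read(self, n):
        if self.pos // BLOCK in self.bad:
            raise OSError(5, "Input/output error")   # what the kernel returns for a bad sector
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk


def acquire(dev, out, size):
    """Image `size` bytes from dev into the open file `out`.

    Returns (sha256 of the image as written, list of offsets that could not be
    read). A failed block is replaced by zeros so every later byte keeps its
    original offset; the hash is taken from what was written, so the fragile
    source is never read a second time just to hash it.
    """
    sha = hashlib.sha256()
    bad = []
    for off in range(0, size, BLOCK):
        want = min(BLOCK, size - off)
        dev.seek(off)
        try:
            chunk = dev.read(want)
        except OSError:
            chunk = b""
            bad.append(off)
        if len(chunk) < want:              # error or short read: pad to keep alignment
            chunk = chunk.ljust(want, b"\x00")
        out.write(chunk)
        sha.update(chunk)
    return sha.hexdigest(), bad


def verify(path, digest):
    """Re-hash the finished image file (not the drive) and compare."""
    sha = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            sha.update(chunk)
    return sha.hexdigest() == digest


def demo():
    """Run the acquisition against the constructed device; block 2 is unreadable."""
    data = bytes(range(256)) * 64                 # 16 KiB of constructed platter contents
    dev = FlakyDevice(data, bad_blocks=[2])
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "evidence.dd")
        with open(img, "wb") as out:
            digest, bad = acquire(dev, out, len(data))
        with open(img, "rb") as f:
            image = f.read()
        return {"digest": digest, "bad": bad, "image": image,
                "verified": verify(img, digest)}


if __name__ == "__main__":
    if len(sys.argv) == 3:                        # python acquire.py /dev/sdX image.dd
        with open(sys.argv[1], "rb", buffering=0) as dev, open(sys.argv[2], "wb") as out:
            dev.seek(0, os.SEEK_END)
            size = dev.tell()
            digest, bad = acquire(dev, out, size)
        print(digest)
        print("unreadable offsets:", bad)
    else:
        r = demo()
        print(r["digest"], r["bad"], r["verified"])
```

The returned list of unreadable offsets is the part to keep with the image: it is the documentation of exactly which sectors in the copy are padding rather than evidence, and if the drive ever spins up again those are the only offsets worth retrying.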

Saturday, February 28, 2009

Examining Damaged/Non-Working Hard Drives, Can It Be Done??? #1 in a Series

Can a damaged and/or non-working hard disk drive be brought back from the dead for the purposes of a forensic examination? Like many questions relating to computer forensics, the answer is: maybe. This will be the first in a series of blogs addressing the issue.

Not too long ago, a detective brought me a computer for examination from the scene of an arson, and yes, the tower had been burned up pretty good. To make things worse, upon opening the case I found a RAID array, and one of the three drives had been damaged by the fire. Unfortunately, this was a RAID 0 configuration, thus eliminating the possibility of recreating the drive via parity. Specifically, the damaged hard drive's drive electronics [1] were covered with black soot... not good, to say the least. What was so important about this particular computer is that it was located at and used by the business (in the building that had been set ablaze) for storing the footage from its surveillance system. As a final insult, I was told it had likely captured the arsonist(s) carrying out their handiwork, in an investigation that otherwise had few leads. I felt like the field goal kicker at the 45 yard line with less than a minute to go and the score 21-23; the pressure was on.

As dramatic as the lead-up to the examination was, the solution was surprisingly simple. Although the drive would not spin up because of the fire damage to the drive electronics, the rest of the drive seemed none the worse for wear. After using a commonly known forensic software tool to acquire a forensic copy (in the form of "image" files) of the other, undamaged drives in the array, I removed the drive electronics from the damaged drive. Now for the money shot: since all of the drives were of the exact same make, model and size, I removed the drive electronics from one of the undamaged drives and installed it on the damaged drive. Upon connecting the damaged drive, with its newly installed "good" drive electronics, to a forensic computer, it spun up, was recognized and allowed a full, error-free forensic copy to be acquired. Once finished, the separate drive "images" were reassembled (using the same aforementioned forensic software tool) and I was able to read the RAID array as it was meant to be read, as a single logical drive.

In retrospect, I was fortunate to have had additional drives of the same make, model and size at my immediate disposal from which to harvest a healthy drive electronics board. In some cases it may prove difficult to find and obtain an exact duplicate of a damaged evidence hard disk, especially if it is older.

For those of you waiting for the end of the story: the examination did not provide any surveillance footage of the crime. The business was closed at the time of the arson, and the cameras (installed to prevent and detect theft during business hours) did not operate when the business was closed.

You win some you lose some.

[1] Drive electronics: the exposed (usually green) printed circuit board mounted on the underside of a hard disk drive.

John LaRoche
PATCTech Chief Examiner, Instructor

Wednesday, February 11, 2009

"METADATA"; What is it? Where is it? What can it do for me?

I have heard these questions a lot lately and felt they needed to be addressed. So, what is "metadata"? Simply put, it is "data about data." Some might ask, "What is that supposed to mean?" A good analogy is a book; even a book contains metadata of a sort. When you read through the pages of any book you are reading the "data," if you will, but there is other data in the book too: the table of contents, the bibliography, the ISBN. These are all forms of metadata. They are not part of the story, but they give the reader extra information about the book.

Now let's apply this analogy to the world of computers. Many file types today carry some sort of metadata embedded within them or associated with them. An excellent example is the average Microsoft Word document. Create a Word document, save it somewhere, close it, then hover your mouse cursor over the icon or filename. See anything? You will likely see a small tooltip that reveals some of the metadata about that file: the type of file, Author, Title, date modified and size. Delve deeper by right-clicking the file and opening its Properties and you get a lot more: who was the last person to save changes to the document, comments, the author's or editor's company, the date and time last saved, the application (and version number) used to create or edit the document, and many other items of possible interest. Getting scared yet? I seem to recall, when I first learned about metadata, trying to "wash" all of my Word files; it was taking too long, so I finally gave up.

Some of you may already be familiar with other types of metadata. "Exif" data is the equivalent for some digital picture formats such as JPEG and TIFF (PNG, GIF and a few other formats do not carry Exif). It typically records the camera make and model, the date and time the picture was taken and, on GPS-equipped cameras and phones, where it was taken. An Internet search will net you a free Exif reader that displays it easily. Look hard enough and you will find metadata in a lot of places.

Let's tie it all together: how important can metadata really be? Well, there was this one small case not too long ago involving a suspect who committed several murders over many years: the BTK (Bind, Torture, Kill) serial killer. BTK was starting to get worried about the advances made by the FBI and others in handwriting analysis, so he decided to send them a document on a floppy diskette. Big mistake. A subsequent forensic exam of the diskette revealed a Word document that contained, guess what, you guessed it, METADATA, which led authorities to BTK's church and ultimately to him.

John LaRoche
PATCTech Chief Examiner, Instructor
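To make the "Properties tab" items above concrete, here is an added example (not code from the original post or from PATCtech) that pulls the same fields out of a Word document and, for the "wash" the post mentions, blanks them again. It reads the current Office Open XML (.docx) package, where Word keeps title, author, last-saved-by and timestamps in `docProps/core.xml` and the application, version and Company in `docProps/app.xml`; the older binary .doc format that was common in 2009 holds the same properties in an OLE SummaryInformation stream and needs an OLE parser instead. The sample document is constructed inline and contains only the parts this example reads; it is not a real file from any case.

```python
"""Added example: reading (and blanking) the metadata Word keeps in a document.

Covers the Office Open XML (.docx) package: docProps/core.xml holds title,
author, last-saved-by, revision and timestamps; docProps/app.xml holds the
application and version, plus Company. The sample document is constructed
inline and is not a real file from any case.
"""
import io
import xml.etree.ElementTree as ET
import zipfile

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# tag -> the label Explorer shows on the Properties tab
CORE_FIELDS = {
    "dc:title": "Title", "dc:creator": "Author", "cp:lastModifiedBy": "Last saved by",
    "cp:revision": "Revision", "dcterms:created": "Created",
    "dcterms:modified": "Last saved", "dc:description": "Comments",
}
APP_FIELDS = {"ep:Application": "Application", "ep:AppVersion": "Version", "ep:Company": "Company"}


def core_properties(docx_bytes):
    """Return the document's metadata as a {label: value} dict."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        for part, fields in (("docProps/core.xml", CORE_FIELDS), ("docProps/app.xml", APP_FIELDS)):
            if part not in names:
                continue
            root = ET.fromstring(z.read(part))
            for tag, label in fields.items():
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[label] = el.text
    return found


def strip_properties(docx_bytes):
    """The 'wash': rewrite the package with empty core.xml and app.xml.

    Only the package-level properties go. Tracked changes, comment parts and
    embedded pictures (with their own Exif) live elsewhere in the package and survive.
    """
    blank_core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                  '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" '
                  'xmlns:dcterms="%(dcterms)s"/>' % NS)
    blank_app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
                 '<Properties xmlns="%(ep)s"/>' % NS)
    src = zipfile.ZipFile(io.BytesIO(docx_bytes))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename == "docProps/core.xml":
                dst.writestr(info.filename, blank_core)
            elif info.filename == "docProps/app.xml":
                dst.writestr(info.filename, blank_app)
            else:
                dst.writestr(info.filename, src.read(info.filename))
    return out.getvalue()


def build_sample():
    """Constructed minimal .docx-style package (just the parts this example reads)."""
    core = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
            '<cp:coreProperties xmlns:cp="%(cp)s" xmlns:dc="%(dc)s" xmlns:dcterms="%(dcterms)s" '
            'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            '<dc:title>Letter</dc:title><dc:creator>jdoe</dc:creator>'
            '<cp:lastModifiedBy>reception</cp:lastModifiedBy><cp:revision>7</cp:revision>'
            '<dcterms:created xsi:type="dcterms:W3CDTF">2009-02-10T14:05:00Z</dcterms:created>'
            '<dcterms:modified xsi:type="dcterms:W3CDTF">2009-02-11T09:30:00Z</dcterms:modified>'
            '</cp:coreProperties>' % NS)
    app = ('<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
           '<Properties xmlns="%(ep)s"><Application>Microsoft Office Word</Application>'
           '<AppVersion>12.0000</AppVersion><Company>Example Co</Company></Properties>' % NS)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
        z.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_sample()
    for k, v in core_properties(doc).items():
        print("%-14s %s" % (k, v))
    print("after strip:", core_properties(strip_properties(doc)))
```

The "Last saved by" value is the one that usually matters in an investigation: it is the Windows user name (or whatever name Office was registered to) on the machine that last touched the file, which is exactly the kind of item that pointed at the BTK suspect.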

Defeating Computer Forensics

Defeating Computer Forensics (a.k.a. "Anti-Forensics"). Let's assume there are people today who would like to keep the data on their device from falling into the hands of a forensic examiner.

Well, is it possible to defeat a thorough analysis by an experienced examiner? The answer is yes. That said, one might question the thinking or reasoning of someone who would go to such lengths to hide evidence. Most individuals are just looking to hide their internet activities from an employer, spouse or other family member. For these people, deleting the temporary internet files, cookies, URL history and so on is enough to feel "safe." The individual who has more to hide will need to work considerably harder.

Some people believe that simply formatting the device renders the data unrecoverable. This is incorrect. A quick format rewrites only the file system's bookkeeping (the file allocation table and directory entries on FAT, the master file table on NTFS); the file contents are still sitting in the now-unallocated clusters, and the computer simply no longer knows where to find them. Data is unrecoverable only once it has been overwritten. Repeated quick formats do not help; each one rewrites the same bookkeeping structures and leaves the data where it was. (A full format in Windows Vista and later does write zeros over the whole volume, which is a different matter.) Some erasing tools keep a log of what they have erased, which is self-defeating. Short of a sledgehammer or a drill bit through the platters, the only way to be sure the information cannot be recovered is to wipe the drive, overwriting every sector of unused space with a fixed or random pattern. This is time-consuming and most users are not willing to go through the process. Besides, if you show up at someone's door with a warrant without warning, they will not have the time to erase the hard drive properly and entirely.

So, in conclusion: yes, they can defeat a forensic exam, if they have advance warning of the exam and are willing to destroy all of their data. It will depend on how important the data is to them. We, as examiners, must keep this in the back of our minds when we come across a device with an unusual lack of evidence. We may have to dig a little deeper in these cases and try something unconventional, or simply work harder to find what they tried so hard to hide. The tracks left by trying to hide data can be just as important as the data itself: a wiping tool's own installation and log files, or a large stretch of unallocated space that is uniformly zero or uniformly random where a used drive would hold a mix of old file fragments.
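The difference between a format and a wipe, and the track a wipe leaves behind, can be shown on a toy volume. The following is an added example, not code from the original post or from PATCtech. It invents a tiny file system (a choice for illustration, not any real format): a bytearray of 512-byte clusters, with cluster 0 holding a directory of (name, first cluster, cluster count) entries and the rest holding data. `quick_format` clears only the directory, the way a quick format rewrites only the bookkeeping; `carve_jpeg` then finds the picture anyway by its FF D8 FF / FF D9 signature; `wipe_unallocated` overwrites every cluster no entry points to, after which carving finds nothing, but the unallocated space now has an entropy no used drive has. The sample JPEG is constructed (a valid header and trailer around filler bytes), not a real photograph.

```python
"""Added example: why a format is not a wipe, on a constructed toy volume."""
import math
import struct

CLUSTER = 512
ENTRY = struct.Struct("<11sHH")          # name, first cluster, cluster count
SLOTS = CLUSTER // ENTRY.size            # directory lives in cluster 0

# constructed stand-in for a camera JPEG: SOI + JFIF marker, filler, EOI
SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 3 + b"\xff\xd9"


def new_volume(clusters):
    return bytearray(clusters * CLUSTER)


def list_dir(vol):
    """Yield (name, start, count) for every in-use directory entry."""
    for slot in range(SLOTS):
        raw = bytes(vol[slot * ENTRY.size:(slot + 1) * ENTRY.size])
        if raw != b"\x00" * ENTRY.size:
            name, start, count = ENTRY.unpack(raw)
            yield name.rstrip(b" ").decode(), start, count


def allocated_clusters(vol):
    used = set()
    for _, start, count in list_dir(vol):
        used.update(range(start, start + count))
    return used


def write_file(vol, name, data):
    """Store data in the first contiguous run of free clusters and add a directory entry."""
    need = -(-len(data) // CLUSTER)
    used = allocated_clusters(vol)
    total = len(vol) // CLUSTER
    for start in range(1, total - need + 1):
        if not any(c in used for c in range(start, start + need)):
            break
    else:
        raise OSError("volume full")
    vol[start * CLUSTER:start * CLUSTER + len(data)] = data
    for slot in range(SLOTS):
        off = slot * ENTRY.size
        if bytes(vol[off:off + ENTRY.size]) == b"\x00" * ENTRY.size:
            vol[off:off + ENTRY.size] = ENTRY.pack(name.encode().ljust(11, b" "), start, need)
            return start
    raise OSError("directory full")


def quick_format(vol):
    """A quick format: wipe the bookkeeping, touch nothing in the data area."""
    vol[0:CLUSTER] = b"\x00" * CLUSTER


def carve_jpeg(vol):
    """Signature carving: every FF D8 FF ... FF D9 run, whether or not a directory entry points at it."""
    found, pos = [], 0
    data = bytes(vol)
    while True:
        soi = data.find(b"\xff\xd8\xff", pos)
        if soi < 0:
            return found
        eoi = data.find(b"\xff\xd9", soi + 3)
        if eoi < 0:
            return found
        found.append(data[soi:eoi + 2])
        pos = eoi + 2


def wipe_unallocated(vol, pattern=b"\x00"):
    """Overwrite every cluster no directory entry references (a zero wipe by default)."""
    used = allocated_clusters(vol)
    for c in range(1, len(vol) // CLUSTER):
        if c not in used:
            vol[c * CLUSTER:(c + 1) * CLUSTER] = (pattern * CLUSTER)[:CLUSTER]


def unallocated_entropy(vol):
    """Shannon entropy (bits/byte) of unallocated space: 0.0 after a zero wipe,
    close to 8.0 after a random-pattern wipe, somewhere between on a used drive."""
    used = allocated_clusters(vol)
    free = b"".join(bytes(vol[c * CLUSTER:(c + 1) * CLUSTER])
                    for c in range(1, len(vol) // CLUSTER) if c not in used)
    if not free:
        return 0.0
    counts = [free.count(bytes([b])) for b in range(256)]
    return sum(-n / len(free) * math.log2(n / len(free)) for n in counts if n)


def demo():
    vol = new_volume(16)
    write_file(vol, "IMG_0001", SAMPLE_JPEG)
    result = {"listed_before": [n for n, _, _ in list_dir(vol)]}
    quick_format(vol)
    result["listed_after_format"] = [n for n, _, _ in list_dir(vol)]
    result["carved_after_format"] = carve_jpeg(vol)
    wipe_unallocated(vol)
    result["carved_after_wipe"] = carve_jpeg(vol)
    result["entropy_after_wipe"] = unallocated_entropy(vol)
    return result


if __name__ == "__main__":
    r = demo()
    print("directory after format:", r["listed_after_format"])
    print("carved after format:", len(r["carved_after_format"]), "file(s)")
    print("carved after wipe:", len(r["carved_after_wipe"]), "file(s)")
```

The entropy figure is the "track" from the closing paragraph in numbers: a drive in normal use has unallocated space full of old file fragments, so its free clusters are neither all one byte nor statistically random; a reading of exactly 0.0 (or very close to 8.0 after a random-pattern wipe) across a large stretch of free space is itself something to note in the report.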

Monday, January 5, 2009

DVR Forensics

Recently I was involved in a homicide by vehicle investigation being conducted by a local police department. The Actor had visited a nightclub prior to the accident. The investigator served a search warrant on the establishment and seized a large DVR that housed all the footage gathered by the 20+ cameras in the business. The question posed to me was whether the relevant footage on the DVR could be found and then compared to the time stamp on a cash register receipt. It seemed like a tall task.

Upon inspection, the unit turned out not to be a name-brand piece of equipment and had no manufacturer's markings at all. We opened the case and found two large hard drives. The problem came when we tried to transfer the data to another hard drive and view it: the video was in a proprietary format and could not be played from the imaged copy. The only way to continue with the examination was to treat the drives like any other hard drives, image them through a write blocker and examine the images in EnCase.

Once the relevant images were located, namely the Actor purchasing and consuming drinks, we had the Audio/Video Division use enhancement techniques to focus on our guy.

NOTE: We were fortunate in this case that we were not dealing with a multiplexed system and that we were not trying to recover deleted material. A lot of surveillance DVRs overwrite their data every 2 to 3 weeks. For cases like that, there is special equipment that can be purchased. When dealing with a closed-circuit television system, you may have to go to the manufacturer's website to download software to view the footage. As with most computer forensics, some trial and error will most likely be involved.