PATCtech Instructor Blog

SHADOW SCANNER 2.0 IS HERE

2011-12-22T05:59:00.000-08:00

Shadow Scanner version 2.0 has been released with the following enhancements:

Written in Java (Jave 1.7 required)
Scan now held in local database for advanced searching options
Local database eliminates the need to ever rescan a volume. ONE AND DONE!
Enhanced logging
Runs in all versions of Windows Vista and Windows 7!

All registered users will be given a complimentary upgrade to the new release. New and existing users are entitled to unlimited minor upgrades. Major upgrades (Shadow Scanner 3.0) will require a small upgrade fee.

Download Demo Copy and Quote for License Here

READ MORE ABOUT SHADOW COPIES HERE

Does Warrantless Installation of GPS Device Violate 4th Amendment? Circuits Split

2011-05-31T09:59:00.000-07:00

In a recent case United States v. Cuevas-Perez, 2011 WL 1585072 (C.A. 7 (Ill.)), the Seventh Circuit Court of Appeals considered whether the warrantless installation of a GPS device which allowed "real time" tracking of a suspect vehicle for approximately 60 hours while it traveled from Arizona to Illinois violated the Fourth Amendment.

The Court concluded that there was simply no constitutionally relevant difference between devices which simply record and store information for later retrieval and GPS units which furnish real time data. In fact, the Seventh Circuit indicated that GPS units which record and store historical data are less akin to the publicly exposed data on which permissible Fourth Amendment GPS tracking is based. Id. at 3. In referencing an earlier Seventh Circuit case the Court stated "GPS tracking is on the same side of the divide with the surveillance cameras and the satellite imaging, and if what they do is not searching in Fourth Amendment terms, neither is GPS tracking" See., United States v. Garcia, 474 F.3d 944 (7th Cir. 2007)

As law enforcement officers continue to add to their "toolbox", coupled with the advent of continually increasing technology, officers are faced with daily constitutional questions regarding whether these new tools comport with Fourth Amendment Constitutional standards.

As a preliminary question - Police Officers need to determine whether the Fourth Amendment is even implicated. If the Fourth Amendment is not in "play", then police conduct is deemed constitutionally valid. Always remember that State Constitutions are free to be more restrictive of government conduct. Thus, government actions which comport with the Fourth Amendment may still be in violation of a stricter state constitutional standard. See., People v. Weaver, 12 N.Y.3d 433 (2009), Commonwealth v. Connolly, 454 Mass. 808 (2009), State v. Jackson, 150 Wash. 2d 251 (2003), (all indicating that placement of a GPS is a search under their respective state constitutions, which must be supported by probable cause and a warrant)

THREE THINGS MUST BE PRESENT FOR THE FOURTH AMENDMENT TO BE IMPLICATED:

Government conduct - the 4th Amendment does not apply to private actors. See, Burdeau v. McDowell, 256 U.S. 465, 475 (1921) - evidence illegally obtained by private parties and turned over to police is not a 4th Amendment violation.

Standing - 4th Amendment rights are personal. There must be a sufficient nexus between the area or item subjected to the search/seizure and the person claiming a constitutional violation. See, Rakas v. Illinois, 439 U.S. 128, 138-39 (1978) – mere passengers in a vehicle have no standing to contest the legality of a search of the vehicle.

Reasonable Expectation of Privacy (REP) – must exist in the area or item subjected to the search or seizure. The individual must exhibit a subjective expectation of privacy in the item or area and that expectation of privacy must be objectively reasonable to society as a whole. See, Katz v. United States, 389 U.S. 347 (1967)- indicating that a two part analysis governs whether an expectation of privacy exists ie., there must be a subjective REP exhibited, and it must be objectively reasonable to society. If any of the three are absent, the 4th Amendment is simply not implicated.

The foundational Supreme Court precedent for GPS related cases is United States v. Knotts, 460 U.S. 276 (1983), holding that the use of a beeper device, secreted within a drum of chemicals, to track a suspect did not violate the 4th Amendment, because there was no search under the Fourth Amendment. The Supreme Court explained that a person traveling in a motor vehicle on public thoroughfares has no reasonable expectation in their movements. The Court commented that the use of GPS devices does not permit the discovery of any information that could not have been obtained by physical, visual surveillance of an auto traveling on public roads. In closing, the Court noted that nothing in the 4th Amendment prohibited the augmenting of sensory faculties via scientific and technological advancements. Id. at 282.

A CIRCUIT BY CIRCUIT DISCUSSION FOLLOWS - RE: STATE OF THE LAW WITH GPS DEVICES

1ST CIRCUIT

In United States v. Moore, 562 F.2d 106 (1st Cir. 1977), the First Circuit held that while the lesser expectation of privacy associated with motor vehicles justifies the use of a beeper without a warrant to track vehicles, this can only be done if officers have sufficient probable cause. The Court went on to acknowledge that potentially a lesser standard than probable cause may be constitutionally acceptable.A more recent case in the 1st Circuit, United States v. Sparks, 750 F.Supp.2d 384 (2010), claims that U.S. v. Moore's 1977 holding that probable cause is required for the installation of a tracking device, is no longer good law following the U.S. Supreme Court's 1983 holding in U.S. v. Knotts. District Court Justice Young commented that "where the use of a tracking device serves only as a technological substitute for an otherwise legal activity, it must remain constitutionally sound." Knotts at 284. In Sparks, FBI agents attached a GPS unit to a suspected bank robber's vehicle. The Court ruled that the suspect had neither a subjective expectation of privacy in the open air parking lot (where GPS was affixed), the exterior of the vehicle, or the movement of his vehicle on the streets. Id. at 396. With the absence of any REP, the Court indicated that no warrant or court order was needed to install or monitor the GPS. Id. In essence the 1st Circuit defaulted to U.S. v. Knotts, claiming since no REP exists there are no 4th Amd concerns.

2ND CIRCUIT

In Morton v. Nassau County Police Department, 2007 WL 4264569 (E.D.N.Y. ), plaintiff’s brought a civil rights claim against police alleging the warrantless installation and use of a GPS violated her Fourth and Fourteenth Amendments rights against unreasonable searches and seizures. Nassau County Police had attached a GPS device to plaintiff’s vehicle based upon previous sightings at residential burglaries.

The Court cited approvingly to U.S. v. Knotts, “a person traveling in an automobile on public thoroughfares has no reasonable expectation of privacy in his movements from one place to another.” Knotts at 281. The Court noted “the use of the GPS device did not permit the discovery of any information that could not have been obtained by following an automobile traveling on public roads either physically or through visual surveillance, conduct that neither requires a warrant nor implicated Fourth Amendment rights.” Id. at 282. In continuing to follow Knotts the Court held there was no reasonable expectation of privacy in one’s movements on public ways, and thus there was no search, seizure or Fourth Amendment implication by mere placement of a GPS device. Morton v. Nassau County Police Department at 4. See, U.S. v. Moran, 349 F.Supp. 2d 425 (N.D. N.Y. 2005).

3RD CIRCUIT

In United States v. Hossbach, 518 F.Supp. 759 (E.D. Pa. 1980), DEA agents attached a bumper beeper to a suspect’s vehicle after obtaining judicial authorization. While noting that most courts have held that prior judicial authorization is unnecessary for the installation of a bumper beeper (citing to 8th, 9th, and 10th Circuit cases), the Court declined to decide the issue because a warrant based upon probable cause had been obtained. Id. at 769.

4TH CIRCUIT

Similarly, a Fourth Circuit District Court declined to rule on the issue. In United States v. Berry, 300 F.Supp. 2d 366 (D. Md. 2004), police obtained a court order to affix a GPS onto a vehicle believed to be traveling from Baltimore to the New York City area. While acknowledging that under U.S. v. Knotts, the Supreme Court allowed the installation and monitoring of a beeper without seeking judicial authorization, the Court expressed reservations about whether the Supreme Court’s analysis would cover a GPS. Id. at 368. The Court indicated that it was unwilling to decide whether the new technology employed by state of the art GPS devices was so intrusive so as to necessitate a court order, noting that police had in fact obtained a court order. Id.

5TH CIRCUIT

The Fifth Circuit standard for the warrantless installation of an electronic tracking device is an “intermediate standard”, requiring law enforcement officers to have reasonable suspicion that criminal activity is afoot. United States v. Michael, 645 F.2d 252 (5th Cir. 1981). In U.S. v. Michael, the Fifth Circuit held that DEA’s warrantless attachment of an electronic tracking device, to the exterior of a suspect’s vehicle while parked in a public place, based upon reasonable suspicion was sufficient to allay any Fourth Amendment concerns. Id. at 257.

At the same time, the Fifth Circuit noted that some members of the majority would hold that installation of a beeper is not a search or seizure at all, and thus does not implicate any Fourth Amendment interests. Id. at 256. The 5th Circuit en banc, noted expressly “While we do not reject this view, … under the facts presented, the installation of the beeper was permissible, even if we assume the installation was a search.” Id. at 256.

Thus in the Fifth Circuit in an abundance of caution warrantless GPS installation should be based upon reasonable suspicion that the suspect (vehicle) is involved in criminal activity.

6TH CIRCUIT

In United States v. Bailey, 628 F.2d 938 (6th Cir. 1980), DEA agents acting in an undercover capacity delivered precursor chemicals to a Detroit , Michigan address. Prior to delivery agents sought and obtained a warrant authorizing DEA to install a beeper in a drum of chemicals. The Sixth Circuit subsequently held that the warrant was invalid, based upon the failure to specify any time limitations on the beeper monitoring (surveillance). Id. at 945. The Sixth Circuit indicated that “installation and monitoring of the beeper under the facts of this case was a search and seizure and had to meet Fourth Amendment standards.” Id. The Sixth Circuit continued “Ordinarily this means the surveillance (installation and monitoring of the beeper) must have been authorized by a warrant based upon probable cause and issued in advance.” Id. Thus in the Sixth Circuit, law enforcement officers need to obtain a warrant based upon probable cause in order to install and monitor a beeper.

7TH CIRCUIT

The Seventh Circuit has continually held that there is no search or seizure under the 4th Amendment when police attach a GPS tracking device underneath a suspect’s vehicle, that does not draw power from the engine or battery, does not take up room occupied by passengers or packages, and does not alter the vehicles appearance. See, United States v. Garcia, 474 F.3d 994 (7th Cir. 2007), United States v. Cuevas-Perez, 2011 WL 1585072 (C.A.7 (Ill.)).

The 7th Circuit noted that if police use of surveillance cameras and use of satellite imaging are not searches in Fourth Amendments terms, than neither is GPS tracking. U.S. v. Garcia, at 997.

In United States v. Cuevas-Perez, the 7th Circuit commented that the principles derived from Knotts and Garcia, that GPS tracking does not constitute a search controlled. Cuevas-Perez at 2. The 7th Circuit was unconcerned that the GPS unit affixed by police was capable of sending minute by minute messages regarding the vehicle’s location, or where continued GPS surveillance lasted for over 60 hours. Id. at 3. Thus in the Seventh Circuit warrantless attachment of a GPS unit is not a search within the terms of the Fourth Amendment.

8th Circuit

In United States v. Marquez, 605 F.3d 604 (8th Cir. 2010), the Eighth Circuit held that as a preliminary matter the defendant lacked standing to contest the installation of a GPS device in a vehicle in which he was only an occasional passenger. The Eighth Circuit noted that even if the defendant had standing, no reasonable expectation of privacy had been violated by DEA agents installing the GPS. Id. at 607. The Court explained that a person traveling in a motor vehicle via public roads has no reasonable expectation of privacy in his movements from one locale to another. Id. at 608. The 8th Circuit held that when police have reasonable suspicion that a specific vehicle is transporting drugs, a warrant is not required to install a non-invasive GPS tracking device, while the vehicle is parked in a public place, for a reasonable period of time. Id. at 610. Thus in the Eighth Circuit while law enforcement officials do not need a warrant to install a GPS device, they must possess a reasonable suspicion that the vehicle is involved in criminal activity.

9TH CIRCUIT

Surprisingly, the Ninth Circuit in following U.S. v. Knotts, ruled that United States Forest Service officers warrantless placement of two electronic tracking devices on the undercarriage of a suspect’s vehicle while parked outside the cartilage did not constitute a seizure in a Fourth Amendment sense. United States v. McIver, 186 F.3d 1119, 1127 (9th Cir. 1999). The Ninth Circuit cited to several cases which indicated that there is no reasonable expectation of privacy in the exterior of a vehicle. See, New York v. Class, 475 U.S. 106 (1980) - “(t)he exterior of a car, of course, is thrust into the public eye, and thus to examine it does not constitute a search” Id. at 114.

In United States v. Pineda-Moreno, 617 F.3d 1120 (9th Cir. 2010), the 9th Circuit rejected a petition for a rehearing en banc, where police surreptitiously attached a GPS tracking device to the underside of a vehicle, which was parked in a driveway. In rejecting the petition for rehearing en banc the 9th Circuit held simply that the 4th Amendment was not implicated. Id. at 1121. The 9th Circuit followed U.S. v. Knotts, in holding that the warrantless placement of an electronic tracking device does not violate any reasonable expectations of privacy thus there are no 4th Amendment issues.

10TH CIRCUIT

In United States v. Shovea, 580 F.2d 1382 (10th Cir. 1978), federal agents became aware of a suspicious order of precursor chemicals from a New York based company for the production of methamphetamine. Id. at 1383. Physical surveillance of the pick-up of the precursor chemicals, coupled with the suspicious manner of transport, and subsequent arrival at an airport for a trans-continental trip provided agents with the requisite probable cause to place an electronic tracking device onto a suspect’s vehicle. Id. at 1384. The 10th Circuit noted that although whether the installation of an electronic tracking device on a motor vehicle is a search or seizure under the 4th Amd was a difficult question, it need not be reached in the present case. Id. at 1387. The 10th Circuit assumed without deciding that the installation of the tracking device was a search under the 4th Amd, that was justified by the existence of probable cause and exigent circumstances (ie., the inherent mobility of vehicles making the application for a warrant impracticable ie., motor vehicle exception) Id. at 1388. Thus in the 10th Circuit, the warrantless installation of a tracking device based upon probable cause without initially acquiring a court order does not violate the 4th Amd. Id.

11TH CIRCUIT

In United States v. Smith, 387 Fed.Appx. 918, 2010 WL 2825488 (C.A. 11 (Fla.)), a DEA Task-Force Officer, without the benefit of a warrant attached a GPS unit to a marijuana trafficker’s Cadillac Escalade. The Court found that the GPS was installed in a public place and held that Smith lacked any reasonable expectation of privacy in the exterior of his vehicle. Id. at 921. The Court indicated that without any legitimate expectations of privacy there were no 4th Amendment issues. See, United States v. Barton, 698 F.Supp.2d 1303 (N.D. Fla. 2010) – “there is no 4th Amd violation for using a tracking device as a substitute for visual surveillance”. In the 11th Circuit warrantless installation of GPS devices does not impede on any reasonable expectations of privacy, thus no Fourth Amendments concerns exist.

D.C. CIRCUIT

The District of Columbia is the only Federal Circuit to claim that U.S. v. Knotts, is not controlling precedent regarding the warrantless installation and prolonged monitoring of a GPS device. The D.C. Circuit claims that the Supreme Court reserved the question of whether prolonged “twenty-four hour surveillance” was a search under the Fourth Amendment. United States v. Maynard, 615 F.3d 544 (D.C. Cir. 2010). The D.C. Circuit squarely differentiated between tracking “movements from one place to another” and tracking movements 24 hours a day for 28 days …thereby discovering the totality and pattern of his movements from place to place. Id. at 559.

In Maynard, FBI agents tracked the movements of a suspect 24 hours a day for 4 weeks, via warrantless installation of a GPS on his vehicle. Id. at 565. The D.C. Circuit recognized that prolonged GPS monitoring “yields a highly detailed profile of where a person travels, their associations, including political, religious, amicable and amorous” in essence laying out a pattern of a person’s activities. Id. at 562. The D.C. Circuit found a reasonable expectation of privacy in a person’s movement over the course of a month. Id. at 564.

In effect, the D.C. Circuit held that prolonged GPS monitoring was a search under 4th Amd rationale. Id. at 565. The D.C. Circuit imputed that warrantless searches are “per se unreasonable, subject only to a few specifically established and well delineated exceptions” Katz v. U.S., 389 U.S. 347, 357 (1967). Here since the warrantless installation and monitoring of the GPS ran afoul of the 4th Amendment, the resulting evidence gleaned from the GPS monitoring improperly contributed to the defendant’s conviction and reversal is warranted. Id. at 568. Thus in the District of Columbia, GPS installation appears to be subject to probable cause and warrant requirements.

FINAL NOTE

As a final note, I would like to address the concept of “Target Worthiness.” In essence regardless of the particular jurisdiction’s requirements regarding GPS tracking protocol, if the target of the investigation is deemed sufficiently “worthy”, ie., a significant amount of time or police resources have been or will be expended then careful consideration should be given to procuring a warrant or court order. For example it has been my experience that police often have obtained at a minimum reasonable suspicion if not probable cause that a particular vehicle is involved in criminal activity prior to installing a GPS device. Thus if investigators are sufficiently armed with probable cause, then the only remaining step would be to apply for a court order or warrant. If investigators are currently only in possession of reasonable suspicion, then perhaps it can be bolstered through further investigative means (physical surveillance, informants, criminal records inquiry, etc.) to meet the probable cause threshold. There are several benefits of obtaining a warrant prior to GPS installation, all conduct performed pursuant to a warrant is presumptively reasonable, Defendant’s now have the burden of litigating whether probable cause exists, and in close cases the police get the benefit of the doubt based upon their due diligence.

__________________________________________

NOTE: Court holdings can vary significantly between jurisdictions. As such, it is advisable to seek the advice of a local prosecutor or legal advisor regarding questions on specific cases. This article is not intended to constitute legal advice on a specific case.

Oxygen Forensic Suite 2011 v3.3 - new features!

2011-05-10T05:18:00.001-07:00

NEED A QUOTE FOR OXYGEN FORENSIC SUITE? CLICK HERE

New in Oxygen Forensic Suite 2011 v.3.3:

Added Google Mail section. It allows to investigate Gmail accounts, contacts and messages stored in the device. Available in Analyst license for Apple devices.
Added Google Maps section. It gives an opportunity to explore maps search history and stored bookmarks with full address and coordinates. Available in Analyst license for Apple devices.
Added Yahoo! Messenger section. It shows all available accounts, contact lists, phone numbers, messages and chats. Available in Analyst license for Apple devices.
Added support for iTunes 10.2.2.
Added support for Apple iOS 4.3.3.
Messages. Added e-mail support for jail-broken iPhone OS 4.x.
Timeline. Added Applications user data.
Applications. Added applications user data templates to the Device Definition Update.
Applications. Added support for Foursquare and Google Earth applications user data.
Added support for Windows Mobile OS devices: QiGi T900, QiGi U700, QiGi U700D, QiGi Smartbook U1000, QiGi Smartbook U2000, QiGi Smartbook III U3000, QiGi V800, QiGi Smartbook III V3000, QiGi V808, QiGi V880, QiGi W86, QiGi W86B, QiGi W700, QiGi W700B, QiGi W900 and QiGi AK008W.
Added support for Android OS devices: Archos A5 Internet Tablet, Archos A8 Home Tablet and HTC Incredible 2.
Added support for Symbian^3 smartphones: Nokia E6 and Nokia X7.
Added preliminary support for Camangi FM600 Internet Tablet.
Desktop. Added general device icons for Apple,Android OS, Blackberry and Windows Mobile OS devices.
Web Connections and Location Services. Locations. Added Point type column.
SQLite Viewer. Added Analyze Deleted Data button on the toolbar.
Messages. Improved support for iPod Touch with iOS 4.1.
Desktop. Improved Microsoft Windows x64 compatibility.
Web Connections and Location Services. Locations. Fixed problem that occurred when receiving maps from the server after Internet connection was lost.
Backup Extraction Wizard. Fixed problem with IPD backup restore.
Backup Extraction Wizard. Fixed problem which occurred when a backup was restored from the network storage.
General. Fixed problem with the detection of IMEI\ESN\MEID for Windows Mobile OS devices.
Full list of changes and improvements

Legally Speaking, Your Cell Phone IS A Computer!

2011-03-22T08:37:00.000-07:00

Is your cell phone comparable to a personal computer in the eyes of the law? The United States Court of Appeals for the 8th circuit believes so.

Neil Kramer pleaded guilty in District Court for the Western District of Missouri. His charge was transporting a minor in interstate commerce with the intent to engage in criminal sexual activity with her. Kramer also acknowledged that he used his cellular telephone (Motorola Motorazr V3) to send text messages and place calls to the victim for a period of six months leading up to the offense.

FINISH THIS ARTICLE AT THE LLRMI LEGAL UPDATE ARCHIVE:
http://llrmi.com/articles/legal_update/2011_8th_kramer.shtml

Register for free law enforcement legal updates at PATC.COM/NEWS

Shadow Copy Forensics

2011-01-17T12:47:00.000-08:00

UPDATE: December 2011 - Shadow Scanner 2.0 is Here DETAILS>>

************************************************************
Click Here to Download Printable Copy
************************************************************

Shadow Copies:
What are they?
Why are shadow copies important to investigators?
How to examine them - The traditional way & the better way!

WHAT ARE SHADOW COPIES?

Shadow copies are moment-in-time snapshots of files on a computer - specifically a NTFS formatted volume. They are created any time the restore point is triggered. Shadow Copies are created in both Windows® Vista and Windows® 7 however the focus of this article will be on Windows® 7. Windows® 7 creates a restore point by default every day at 12:00 AM and at system startup. Users can view these schedule tasks in the Windows® task scheduler.

Both Windows® Vista & Windows® 7 create volume shadow copies prior to the installation of new software, including Windows® updates. There is a maximum of 64 shadow copies which can be saved on a volume. The Microsoft Volume Shadow Copy Service, VSS, monitors all changes made to a VSS enabled volume. These changes are monitored in 16kb ‘blocks’. If a change is made to any data inside a 16kb block the entire block is copied to a volume shadow copy file prior to the data changing on the volume. All volume shadow copy files are stored in the ‘System Volume Information’ folder on the root of the volume. If there is a need to revert to a snapshot the original blocks are restored, replacing the changed ones, in a sense reconstituting the volume back to its state when the snapshot was taken. Certain versions of Windows® 7 and Windows® Vista (Professional, Enterprise, and Ultimate) allow users to access previous versions through the operating system.

Windows® 7 and Vista (Home basic and Home Premium) do not include the above functionality. Since the volume shadow copies are tied to the restore points being created, these backup copies still exist in the Windows® 7 / Vista home products!

WHY ARE SHADOW COPIES IMPORTANT TO INVESTIGATORS?

Shadow copies are enabled on the boot drive by default in Windows® Vista and Windows® 7. It allocates up to 15% of the hard drive space for shadow copies. Shadow copies store the 16K blocks of data that has been changed (in any way). If a file has been deleted in the volume, the entire file in its native and complete format would then exist only in the shadow volume.

File carving the data from the shadow volumes could be accomplished when the file has been deleted. If you need to recover the different versions of files, file carving is not effective since the shadow volume only holds the differences. Additionally, when you rely on file carving, you are unable to determine file attributes such as create, access and written times. Why would I rely on products which carve the data, when I can recover the whole file as it existed at a particular moment in time? This is the advantage of analyzing shadow copies ~ you have the potential to get the whole file, WITH the file attributes (meta-data)!

HOW TO EXAMINE SHADOW COPIES

Overview:

There are two different times when a shadow copy can be examined, live at a scene or post seizure in a lab environment. Although there may be instances where you would need to examine Shadow Copies live, this article will primarily focus on examination in a controlled environment.

The preferred operating system to use when examining shadow copies is Windows® 7. Two advantages of using Windows 7 are:

Windows® 7 Volume Shadow Copy Service (VSS) will remain backwardly compatible with older versions of VSS.

Windows® 7 does a better job of recognizing the shadow copies found on foreign discs.

Traditional Procedures for Shadow Copy Forensics

In order to examine shadow copies the traditional way, examiners must use the “vssadmin” and the “mklink” commands native to Windows® Vista & 7. The following steps could be taken to create a forensic image of a specific shadow copy.

Attach the hard drive to a forensic write blocker and then connect the write blocker to a computer running any version of Windows® 7.
Identify the shadow copy you wish to perform an analysis of with the following command which must be run in a dos window that has administrative privileges: “Vssadmin list shadows”
Use the “mklink” command to mount the volume to a directory on your forensic machine.

Use a forensic application to create a forensic image of the mounted shadow copy found mounted to the c:\shadow1 directory. This is a symbolic link which can be removed by simply deleting it.

The Problem with traditional shadow copy forensics

Although this process will work, there are issues with conducting a forensic analysis using traditional procedures. The primary problem is that even though the mounted shadow copy volume is a snapshot in time for the hard drive, when mounted, the contents of the shadow copy is commingled with the active files on the volume. These commingled files will equal nearly the same size of the files found on the volume. If the hard drive has 100 GB of files on the volume, the mounted shadow volume will be approximately 100 GB in size also. When you consider that there can be up to 64 shadow copies on a volume, you can see that taking the time to examine shadow copies can be cost prohibitive. The costs to consider are:

The cost of the examiner’s time and wages
The cost of storage for holding the massive forensic images (In the above example, it would take 6 TB of storage to store the images)
The cost of time lost in the investigation (if this is a missing person case, do you have time to search and analyze this amount of data?)

A Better Solution to Shadow Copy Forensics

Shadow Scanner

Shadow Scanner was developed to provide a more efficient and cost-effective solution to Shadow Copy Forensics. This forensic tool gives examiners the ability to perform their examinations on the file differences ~ eliminating hours or even days of examination time. It scans the files found in the shadow copies and then exports the files which are different or missing on the volume. Users may filter the results using the built-in file filters or user created filters. Once the file set is identified, the examiner need only export and image the different files they wish to examine.

Shadow Scanner is available as a Windows® 32 bit and 64 bit application. Regardless of which version you run, you will be able to examine shadow copies seized from a 32 or 64 bit copy of Windows® Vista or Windows® 7 computers.

The Shadow Scanner Process

Attach the seized hard drive to a forensic write blocker, and then attach to a Windows® 7 computer (any version of Windows® 7).

Launch Shadow Scanner and select Shadow Copy(s) to scan.

Shadow Scanner will first scan the volume, then the shadow copy

The differences can be based on the file path or also consider the attributes. By default it just finds the differences based on the file path.

The differences can be filtered by using the pre-defined filters or a user create filter.

Select one or more filters then “Close” to continue.

The results can then be exported in whole or in part by using the check boxes.

A user can then export the files selected, with an option to synchronize the created, last accessed, and last written times to the times as they existed in the shadow volume.

Once exported there are artifacts which document the entire forensic process.

C 2010-12-03 0151.48 - this is the directory which contains the exported files

C 2010-12-03 0151.48 - export errors.txt – files which were unable to be exported

C 2010-12-03 0151.48 - export files.csv – file names, paths, created, access, and written times
C 2010-12-03 0151.48 - scan errors.txt – a list of files which could not be scanned
C 2010-12-03 0151.48 - vssadmin output.txt – the output received from the vssadmin command

THE BOTTOM LINE
Shadow Scanner reveals the lost evidence!

When your suspect hides their tracks by changing a file or deleting a file on a Windows® 7 or Vista computer, Shadow Scanner is the tool that can help you quickly and easily recover those changed or deleted files.

Contact PATCtech today to receive a quote for Shadow Scanner

Court: No Warrant Needed To Search Cell Phones

2011-01-05T06:54:00.000-08:00

---------------------------------------------
Discuss this ruling at LinkedIN
---------------------------------------------

Copyright 2010 by The Associated Press. All Rights Reserved.
The next time you're in California, you might not want to bring your cell phone with you. The California Supreme Court ruled Monday that police can search the cell phone of a person who's been arrested -- including text messages -- without obtaining a warrant, and use that data as evidence.

The ruling opens up disturbing possibilities, such as broad, warrantless searches of e-mails, documents and contacts on smart phones, tablet computers, and perhaps even laptop computers, according to legal expert Mark Rasch.

The ruling handed down by California's top court involves the 2007 arrest of Gregory Diaz, who purchased drugs from a police informant. Investigators later looked through Diaz's phone and found text messages that implicated him in a drug deal. Diaz appealed his conviction, saying the evidence was gathered in violation of the Fourth Amendment, which prohibits unreasonable searches and seizures. The court disagreed, comparing Diaz cell phone to personal effects like clothing, which can be searched by arresting officers.

"The cell phone was an item (of personal property) on (Diaz's) person at the time of his arrest and during the administrative processing at the police station," the justices wrote. "Because the cell phone was immediately associated with defendant’s person, (police were) entitled to inspect its contents without a warrant."

In fact, the ruling goes further, saying essentially that the Diaz case didn't involve an exception -- such as a need to search the phone to stop a "crime in progress." In other words, this case was not an exception, but rather the rule.

Rasch, former head of the Justice Department's computer crime unit, pulled no punches in his reaction to the ruling.

"This ruling isn't just wrong, it's dangerous," said Rasch, now director of cybersecurity and privacy at computer security firm CSC in Virginia. "It's remarkable, because it simply misunderstands the nature of these devices."

The door is open for police to search the entire contents of iPhones or other smart phones that people routinely carry, he said.

"In fact, I would be shocked if police weren't getting instructions right now to do just that," he said.

By applying the "personal property on the defendant's person" standard, Rasch said, the ruling could logically extend to tablets or even laptop computers, he said.

It also flies in the face of established law, which prohibits the warrantless search of briefcases by police, other than a quick search for weapons, Rasch said.

In its ruling, the majority likened cell phone inspection to police inspection of a cigarette pack taken from a suspect, which was ruled a legal search in a prior case. A second ruling was cited involving the search of clothing removed from a suspect.

Rasch said the analogies don't hold, however, as modern phones that can store years' worth of personal information are a far cry from drugs hidden in a cigarette case or clothes pockets.

"There is a process for looking at data inside devices,” he said. “It's called a warrant."

Grants police 'carte blanche'
The California ruling was not unanimous. Dissenting Justice Kathryn Werdegar raised similar concerns in her opinion.

"The majority’s holding ... (grants) police carte blanche, with no showing of exigency, to rummage at leisure through the wealth of personal and business information that can be carried on a mobile phone or handheld computer merely because the device was taken from an arrestee’s person," she wrote. "The majority thus sanctions a highly intrusive and unjustified type of search, one meeting neither the warrant requirement nor the reasonableness requirement of the Fourth Amendment to the United States Constitution."

Jonathan Turley, a Constitutional law expert at George Washington University, took to his blog to raise his concerns about the ruling.

"The Court has left the Fourth Amendment in tatters and this ruling is the natural extension of that trend," he wrote. "While the Framers wanted to require warrants for searches and seizures, the Court now allows the vast majority of searches and seizures to occur without warrants. As a result, the California Supreme Court would allow police to open cell phone files — the modern equivalent of letter and personal messages.”

Diaz’s lawyer, Lyn A. Woodward, has said she plans to appeal the decision to the U.S. Supreme Court. In the meantime, warrantless searches of cell phones are essentially the law of the land in California.

Password-protection of smart phones might be a useful tool to ward off a warrantless search -- it's not clear that an arrested suspect could be compelled to divulge his or her password to police -- but that legal argument has not yet been made.

---------------------------------------------
For more case law on search and seizure visit LLRMI.COM

Electronic Evidence: Not Just for Computer Specialists - Not Just for Cyber Crime!

2010-12-29T06:35:00.000-08:00

Not every member of your agency can be a computer expert - nor do they need to be. Since its inception, it has been the goal of PATCtech Digital Forensics to bring basic computer-related skills that benefit any type of investigation to officers with any level of computer-related experience. There is a movement in public safety towards having all officers in an agency to possess basic computer-related skills, and not just the computer and cyber crime specialists. This movement, when fully materialized, arms an agency with more tools for rapid response in time-sensitive incidents like missing child cases, and a more comprehensive collection of evidence to use in prosecution for any type case.

To answer the sample questions below and more, join us at a PATCtech Electronic Evidence & Cyber Crime Conference, or one of the many computer-related training courses for law enforcement.

Where are chat logs located so I can quickly look for evidence of where a missing child may be located? When the clock is ticking, knowing standard file locations can expedite on-scene computer “triage” to find out what you are looking for “right now”.

How can I find out where the suspect was located during the time of the incident, using cell phone call records? Putting a suspect at a certain location at a certain time is a fundamental goal of any type investigation - mapping cellular records is an easy-to-learn scientific way of achieving this.

How can I easily and forensically find evidence of child pornography on a phone or computer that also shows the suspect knowingly possessed it? Finding a digital file is one thing. Proving your suspect knowingly possessed it is an essential step that strengthens your prosecution in any type case.

How can I easily view a suspect’s computer and Internet activity to find associations with a cyber crime? Locating specific computer or Internet activity of a suspect can be as useful as a finger print in proving a suspect’s guilt in any type of case.

How can I look through a computer at the crime scene without contaminating it for future use in court? There are simple solutions that 1st Responders, crime scene technicians and investigators can use that gives them full access to a computer “right now” while keeping it ‘clean’ for use in prosecution.

How do I get Google®, Yahoo®, AT&T®, Verizon® and other companies to issue me a suspect’s email or phone records? Knowing how to leverage email hosts and phone carriers for information can make or break your prosecution in any type case.

My suspect has a GPS device in their car. Can this help me? How do I recover that data? GPS information can give an investigator detailed information about travel history of a suspect, and virtually their pin-point location at any given time.

When I show up at a crime scene, what all types of electronic devices should I look for that could potentially have evidence for prosecution? Investigating digital evidence is not just for computer experts, and not just for cyber crime cases - ALL players in an investigation from 1st Responder to Prosecutor need to know how to harness digital data as evidence and be able to recognize what types of devices hold potential evidence.

If I’m on a crime scene, or just a regular stop and search of a person, can I legally go through a suspect’s phone or computer without a warrant? There are specific rules for what you can and cannot do with electronic storage devices prior to a warrant - knowing these rules can be as important as knowing which hip your gun is on and which hip your TASER® is on!

I’m not a digital forensics specialist, and I know very little about computers, how can I benefit from computer-related training? It’s true that advanced digital forensics is a specialty field requiring advanced and continued training. This is akin to a member of a narcotics unit receiving advanced training for their specialty. However, it behooves the whole agency when all officers know how to identify and seize illegal drugs. Equally so, advanced digital forensics should be left to specialists, but the basic procedures for identifying and seizing digital evidence are skills that all members of law enforcement should know.

All I Want For Christmas Is... Memristor Technology!

2010-12-03T13:34:00.000-08:00

There are some technologies that make you say "wow, that's pretty cool". Then there is technology that simply changes the game. We're talking technology that has the potential to rival the invention of the computer chip itself! Memristor has that potential ~ and whether you are a digital forensics specialist or a home-made computer whiz, memristor is a name you are going to want to remember. When memristor technology catches on (verdict is still out on how long that will be) traditional computing as we know could potentially be out the door, old hat, done, stuff that 'grandpa' used! Today's traditional computing is tomorrow's rotary phone; it's tomorrow's Atari gaming system! Yes, memristor has that potential. I'll go so far as to say it's "kinda' important" and you might want to follow it!

WHAT IS MEMRISTOR: Memristor (memory resistor) is considered the fourth type of electric circuit joining the resistor, capacitor, and inductor. That in itself is worthy of heavy acclimates. Specifically, memristor is a technology that can be used as computer memory that can retain its memory even when power is lost. Memristor technology also uses less power than Flash memory, is faster than current Flash memory, stores twice the data in the same size unit as Flash memory, it claims to be unaffected by radiation, and since they don't lose their memory at power loss, they can potentially turn a computer on instantly bringing you back to where you left when you turned it off - traditionally speaking, no boot up!.

OK THAT'S COOL, BUT THIS IS REVOLUTIONARY: Here is why I compared memristor technology, potentially, to the invention of the computer chip. Memristor not only stores more data, faster, using less power and without power, but get this - it can do its own calculations! Yes, it can process data by itself - no CPU needed! The future of memristor technology is that it will be memory AND a processor in one.

LET'S THINK ABOUT THAT A SECOND: Currently a computer or Smartphone, etc., has memory (RAM/ROM) and a CPU. Stepping outside the box, envision a computer that rather has multiple memristor’s in place of RAM/ROM and CPU.

You turn your computer off by hitting a button in the middle of creating your word document and the computer instantly shuts off like a light --- 2 days later, you come back, turn your computer on, and it turns on as quick as a light and your courser is still blinking right where you left off on the word document. Turning off your memristor driven computer could be as quick as turning just your monitor off with today's technology.
Let's say you are a doing a digital forensics exam on a computer. Data recovery is traditionally limited to two areas, the hard drive and the RAM (regardless of the type of device). With memristor, you could potentially have a processor and memory (all in one) dedicated to just email, another for just web browsing, another just for video, another just for handling the operating system. How will that affect your forensic examination?
Another digital forensics exam scenario. Since memristor technology can perform logic, potentially the user could specify what memristor chip handles each individual program or function. With this scenario, there would be no uniform structure for where data is stored. You now potentially have to do a complete recovery on each memristor chip on the computer! You might say, ok, so we look in more places,,, not a major issue. But what about when the ‘clock is ticking’! Say you are looking for a missing child. In this case let say your S.O.P. is to quickly check chat logs and other messaging archives to find evidence of where the suspect might be holding the child. In today’s computing there is a standard location for chat logs and messaging archives - with memristor technology in the scenario I layed out in this example then standardization is out the window! “Triage Forensics” (for simplicity let’s define that as ‘quick digital forensics at the scene’) is no longer a ‘quick’ process since there is no uniform structure for where things are located.
Now let's add the cloud to the equation! You think finding the physical location of a file on a network store is difficult!? Try finding one email on a Windows Live or Google account that is using memristor chips on their servers - hundreds of them PER SERVER, with hundreds of servers spread across the world. And don't forget, in years to come how much more difficult do you think it will be to get a court order to seize email from a corporation as big as Google or Microsoft?

For the computer user, the sky (or "cloud") is the limit with memristor technology. The potential processing power that exists with memristor technology is game-changing. Think of having a 8-core processor with 16GB of RAM for EACH program on your computer, and small enough to put in your smart phone. The possibilities that this technology invites is beyond this article, and frankly, beyond the author!

For the digital forensics examiner, the verdict is still out on how memristor specifically will change procedures. However one thing is for certain. Memristor technology, whether it fully comes to fruition or not in the mainstream, is a reminder that traditional computing and data storage technology of today will not necessarily be that of tomorrow. Subsequently, procedures we use today for forensically recovering digital data may not be the same as those of tomorrow.

The “industry” of digital forensics is no different than any technology industry. There is always a chase by the professionals to stay on top of the technology. Ultimately, memristor technology is just a reminder for you the professional to stay “healthy” with your training because the chase will never end. Likewise, let us not forget “forensic technology” itself. Memristor should also be a reminder to companies who make data recovery/forensics products like EnCase, Device Seizure, Secure View, Shadow 2 and others that they too need to stay in the chase. The missing child needs us all!

WIN A FREE MINI NETBOOK!

2010-10-26T06:40:00.000-07:00

WIN A FREE MINI-NETBOOK COMPUTER!
Just in time for the Holiday's! PATC is giving away a free Mini-Netbook! Drawing will be conducted at the 2010 Western States Training Conference in Las Vegas, NV!

~ TO ENTER THIS DRAWING ~
All who "Like" PATC or PATCtech on Facebook as of November 29th 2010 are automatically entered for the drawing!

All attendees of any class included in the 2010 Western States Training Conference are automatically entered for the drawing!

COMPLETE DETAILS AT PATC.COM >>

Introducing: Shadow Scanner v1.0

2010-09-29T11:48:00.000-07:00

his program will compare shadow volumes on a Windows Vista or Windows 7 operating system against the active files on the system. Examiners can quickly identify files which exist in the Shadow Volumes that are no longer present on the active file system. It also locates previous versions of files found on the active file system.

This truly unique product allows examiners to preview changes made to files over time by comparing the historical shadow volumes ("backups") of the files 1) against each other, and/or 2) against the "live" version of the file.

Shadow Scanner is available for resale by PATCtech -Request Official Quote

Oxygen Forensic Suite 2010 to support iPhone OS v.4.0.1 and iPhone OS v.4.0.2

2010-08-25T06:22:00.000-07:00

[Oxygen Forensic Suite] just released the new 2.8.1 version of Oxygen Forensic Suite 2010. New version adds support for Apple devices with iPhone OS v.4.0.1 and iPhone OS v.4.0.2. We also added more than 20 newest Sony Ericsson and Windows Mobile devices support.

All registered customers may download the new version immediately from their personal pages (using the link provided in registration confirmation message).

Changes in version 2.8.1:

Added support for iPhone OS 4.0.1 and 4.0.2.

Fixed problem with restoring non encrypted iTunes backup made from iPhone OS 4.0.x.

Added support for Sony Ericsson phones: Sony Ericsson C510a, Sony Ericsson C702a, Sony Ericsson C702c, Sony Ericsson J10, Sony Ericsson J10i2 Elm, Sony Ericsson J20 Hazel, Sony Ericsson F100i Jalou (BeJoo), Sony Ericsson G705u, Sony Ericsson U100i Yari, Sony Ericsson U100a Yari, Sony Ericsson W902, Sony Ericsson W995, Sony Ericsson W995a, Sony Ericsson W20 Zylo, Sony Ericsson W20i Zylo.

Added support for for Windows Mobile OS smartphones: RoverPC Evo X8 Black, RoverPC Evo X8 White, RoverPC Pro G8 White, RoverPC Pro G8 Black, RoverPC S8 Lite, RoverPC S8 Black.

Main changes in version 2.8:

Added SQLite Database Viewer. Support for .sqlite, .sqlitedb, .db, .db3 files opening. Deleted data blocks displaying. Available in Analyst license.

Added Plist files Viewer for Apple devices. Available in Analyst license.

Added support for iPhone OS version 4.0.

Added support for iTunes 9.2.1.5 version.

Added full support for Apple iPad device.

Backup Extraction Wizard. Added possibility to restore all saved phones from one Oxygen backup file.

General. Search. Completely improved search engine. Added Skype and LifeBlog sections.

General. Accelerated data uploading from the internal program database for all sections.

Desktop. Redesigned device data displaying. Added extracted data statistics for all available sections.

File Browser. Added displaying of photo thumbnails from C:\Photos\Photo Database folder on a separate bookmark for iPhone.

Messages. Added Deleted column for messages and filter for this column.

Extras. Phone Activity. Added Skype and Wi-Fi connections data displaying in the Phone Activity section.

Trial version is available for immediate download.

CONTACT PATCtech to request a quote or purchase Oxygen Forensic Suite today

New Xseries Forensics Labs

2010-07-29T05:25:00.000-07:00

PATCtech has recently launched three new upgraded mobile forensics labs - X1, X2 and X3. With three options, examiners or field users can choose based on their primary need.

Take a look at the options below, or view all digital forensics solutions

Contact PATCtech for complete details or to request a quote

| PORTABILITY

| POWER & STORAGE

| POWER & PORTABILITY

Human Trafficking

2010-02-11T06:28:00.000-08:00

I saw this article and it really surprised me. I knew that Human Trafficking was still a problem, but I never would have imagined that it was this large, nor would have I ever believed that it was this a problem in places like Ohio. I think we all knew that it occurred overseas, and even occasionally in New York or Los Angeles, but to see it in print that it occurs this often in the Heartland of America is truly shocking.

http://www.aolnews.com/nation/article/hundreds-of-kids-forced-into-sex-trade-in-ohio-report-says/19353784

News articles

2010-02-03T20:01:00.000-08:00

In the last few days I have found a couple articles that have made me think about how the cybercrime world is growing and changing. When I started doing this in 1998 I got 1 or 2 calls a month. Now I get dozens a day, and I think these two articles really reflect that trend.

Article 1

http://www.aolnews.com/nation/article/as-cyberwar-threat-looms-us-officials-stay-mum/19343127

Article 2 (Pay attention to # 3)

http://hotjobs.yahoo.com/career-articles-5_low_profile_careers_with_high_potential-1089

Cloud Computing and Identity Theft

2009-12-03T20:13:00.000-08:00

Ever wonder where your email is stored since its not actually stored on your own computer? Chances are that your email is stored by utilizing Cloud Computing. What is Cloud Computing? Without getting overly wordy and technical, it is a collection of utilized software applications that are stored on servers in another location. Anyone using this framework has access to not only the various software devices, but can use the servers to store their own personal data. You can see the benefits to having the use of these third party servers. There is no need to purchase all the different pieces of software you wish to use, also it frees up valuable hard drive space on your own computer. But with this convenience, comes security issues and concerns.

Some recent cases:

* In 2005 ChoicePoint was determined to have allowed 163,000 peoples personal data to be compromised due to poor security practices.
* In 2008 TJX was found to have transfered personal data in "clear text" between their servers which were open to anyone in the network.
* In 2009 Compgeeks.com had a complaint filed against them relating to not using "reasonable security" to protect its clients.

These are small in comparision to an FTC investigation against Google in March of 2009. If you uae Google's Gmail, GoogleDocs, GoogleDesktop, or Google Calender, then you are using Google's Cloud Computing. Your information is stored in different locations on their servers. This information is not encrypted and is therefore vulnerable. The FTC investigation stated that 26 million consumers were using Googles Cloud Computing as of September 2008. This number has only grown. Although Google states that all information is securely stored in an online storage, they also state in their Terms of Service Statement that they are not liable for any negligence on their part. Researchers into Googles practices found instances where email names AND passwords were able to be viewed by outsiders. This vulnerablity "exposed users information to malicious websites". This goes beyond the simple data mining that Google employs in Gmails, but the true threat of Identity Theft.

(If you would like to read the FTC report in full http://epic.org/privacy/cloudcomputing/google/ftc031709.pdf )

Some people may argue that with companies undergoing audits on their security practices, that breaches are slight and rare. As I just showed you this is not the case. Also some companies are refusing to undergo such audits. Cloud Computing has grown in popularity and will continue to do so, however we must keep in mind that when your data is stored elsewhere it is vulnerable.

Exif Data in Digital Images

2009-12-03T19:45:00.000-08:00

Ever wondered when a digital photograph was taken, or by what camera, or even where it was taken? Did you know that you could answer a lot of these questions by looking at the digital photograph? I do not mean by looking at the pictorial image itself, but rather at the data attached to such a digital picture. This data is referred to as Exif data, or Exchangeable Image File Format. Which is an image file format used by digital cameras and cellular phones equipped with cameras. Without getting into the entire history of this technology, suffice it to say it was invented in Japan in 1998 and is widely used throughout the digital image industry.

How can it be used forensically?

The first step you would have to take is to search the internet for a good Exif Reader. There are several and they are usually a free utility to download. They are also easy to navigate through and use.
Next, direct your utility to open the digital image in question.

This is just some of the information you could obtain very easily. If you look closely you can see not only a thumbnail preview of the image but some very interesting data. Such as:
* The make and model of the camera.
* The date and time the image was taken.

And even if the a flash was utilized by the camera. And if the image was taken using a cellular phone, for example a Blackberry Curve 8310, this information would be stored as well in the image. This information will follow the image from download to download. And barring the use of a metadata wiping utility to remove the Exif data, it will stay with the image. By now you are probably seeing the value to such data.
* Let's say you are examining a computer with child porn images and you locate digital images that have images of the bad guys daughter. You can use this utility to specify which camera or phone was used to obtain the image. This device can then be examined.

GPS?

Yes GPS tagging is attached to more and more digital devices. You simply take the longitude and latitude coordinates obtained from the Exif Reader and place them into a mapping utility, such as Google Maps, and it will tell you where the photograph was taken.

Just another tool to add to your growing arsenal.

*

Child Pornography caused by a Virus?

2009-12-02T15:37:00.000-08:00

So you seize a computer because of suspected child pornography and you find it stuffed in every corner of the hard drive. Case closed. Matter resolved. Bad guy goes to jail. Move on to next case. Right? Not so fast. This guy is adamant that he did not download these images. Things just aren't adding up. So what could have happened? Is it possible that a virus has implanted itself on the bad guys computer and caused it to surreptitiously download child pornography? The simple answer is, well, yes!!

In a 2007 case from Massachusetts a workers compensation investigator had several child porn images discovered on his work computer. He was fired and spent the next 11 months trying to rebuild his reputation and life. It was later determined that a virus found on his computer was responsible for constantly searching 40 separate child pornography sites for new images/videos every minute. This could not be done by physically searching for the items. A virus had performed this feat. It was also determined that the person who had infected his computer could access his computer and actually store his child porn images on this poor guys work computer.

I realize that storing illegal images on another persons computer has its limitations. The computer must be online. The machine which stores the image may have the images deleted by the user. And there is still a digital trace between the two machines. (An experienced examiner would be able to find this connection.) That being said, child porn producing viruses are very rare. It is more probable that a user would be redirected to a child porn site while looking for a legitimate adult porn site.

WHAT CAN BE DONE?

If you have a case where you suspect that a virus may be involved, what can you do? Here are some tips for your investigation:

* Determined if the owner was even using the computer at the time of the download.
* Determine if more than one image was downloaded at a time.
* Were images downloaded or cached due to being redirected from an adult porn site?
* Check on the anti virus on the computer; Has it been recently updated?

Now these are not the only tricks to use, but its a place to start. More and more defendants are using the "Virus invaded my computer" defense. And in the large majority of the cases they are wrong. But I hope this gives you a little "heads-up" on the this possibility.

Project-a-Phone ICD 5200 with Reporting Software - An Ideal addition to any digital forensics lab!

2009-11-05T07:02:00.000-08:00

PATCtech recognizes that there is no single utility in Cell Phone Forensics that will capture everything you need off of every phone. That's where the Project-a-Phone ICD 5200 fills the void! With this device, investigators and forensic examiners are able to manually navigate a phone, and record what they see. This device can be used as a stand-alone solution for capturing evidence off of handheld devices, or used to accentuate the findings from other utilities by displaying them in court in real time right from the phone, or with a graphical report that is generated by the included reporting software ~ an ideal addition to any digital forensics lab!

Project-a-Phone ICD 5200 with Reporting Software is used for both cell phone forensics and for live presentation displays of handheld devices, the ICD-5200 Image Capture and Display system uses a USB connection to link to a computer, where the basic software lets you capture screen shots and video clips or display the image on a computer monitor. The new case reporting software lets the investigator combine information about the case and phone with collected screen shots and video captures to create a case report in .pdf, .html, or .rtf rich text formats.

Request a Quote for Project-a-Phone, or other Utilities >>
View all Forensic Utilities offered by PATCtech >>
View sample report created by Project-a-Phone Reporting Software >>

CelleBrite Announces the Launch of UFED Physical Pro

2009-10-21T05:14:00.000-07:00

October 12, 2009

CelleBrite Ltd. announces the UFED Physical Pro, an upgrade module to its ubiquitous UFED (Universal Forensic Extraction Device) family of products. The UFED Physical Pro expands on the already robust logical extraction feature set found in the UFED to add the capability to extract deleted data and user passwords located in phone memory.

The UFED Physical Pro’s unique capability to provide deeper, more invasive access to mobile phone memory is the latest innovation for CelleBrite’s UFED system currently in use by law enforcement and security agencies worldwide. With an add-on module that can be deployed to any UFED device, existing UFED users can easily upgrade their systems with this latest functionality. With over 5,000 UFED units already deployed and in use, this represents a significant upgrade in capabilities for the current user base, as well as new opportunities for first time users.

“This innovative advancement enables the UFED to remove evidence from a phone that was never available through logical extraction. Cellebrite is extremely proud to offer the law enforcement community and anti-terror organizations the most advanced technology and most comprehensive solution on the market to protect our country as well as our families,” said Adi Ofrat, CEO of Cellebrite USA Corp.

Utilizing CelleBrite UFED’s user friendly and field-proven user interface, a complete high-speed hex dump of the phone memory is acquired without the need of cumbersome PC drivers. The flash memory of the phone is imaged as a binary file, which is decoded with the Physical Analyzer PC software tool. Critical data such as user lock codes and deleted information such as text messages, call history, pictures, and video are retrieved, sorted, and decoded by CelleBrite’s Physical Pro engine. The UFED Physical Analyzer also includes robust search tools for manual hex dump analysis, as well as an expert mode which allows advanced capabilities for researchers. Extracted data is presented in clear concise reports which can be used for intelligence gathering, investigative research, and legal evidence in court.

Features include:

Access to deleted data (ex: deleted call history, text messages, pictures, phonebook entries, and videos)

On board password extraction with no PC required for field use (450+ models)

Open Source Plug-In support: author, collaborate on, and utilize custom search and value parsing algorithms

Intelligent string finder

Built-in knowledge-base of each phone’s memory structure for automated retrieval, decoding, and translation of critical data

Hierarchical “tree” view for efficient and fast navigation

Advanced search capabilities both for novice and expert users

Customizable search, parsing, and report functions

Proprietary, forensically sound bootloaders for most supported devices

Deep access to data inaccessible by logical methods

Handset security or PIN lock code

Access to deep internal memory

Phone internal data (ex. IMSI history, past SIM cards used, past user lock code history where supported)

For more information, visit www.ufedsystem.com.

Homeland Security to Hire Up to 1K Cyber Experts

2009-10-07T05:33:00.000-07:00

SOURCE: InsideTech.com

WASHINGTON – The Obama administration has given a green light to the Homeland Security Department to be more competitive and choosey as it hires up to 1,000 new cyber experts over the next three years, the first major personnel move to fulfill its vow to bolster security of the nation’s computer networks.

The announcement follows a wave of cyber attacks on federal agencies, including a July assault that knocked government Web sites off the Internet and earlier intrusions into the country’s electrical grid.

Homeland Security Secretary Janet Napolitano, who made the announcement on Thursday, said the hiring plan reflects the Obama administration’s commitment to improving cyber security. The move gives DHS officials far greater flexibility to hire whom they want, outside of more stringent federal guidelines. And it will also allow more latitude in pay.

As a result, Napolitano told an audience of cyber industry professionals, the new rules “will allow us to be competitive with you all” in luring quality applicants.

Much of the funding already has been budgeted, but DHS also is working with Congress for more money. Officials refused to say how much money the program would represent.

The hiring push also underscores the administration’s ongoing struggle to better organize and manage the country’s vulnerable digital defense. President Barack Obama vowed in February to tackle cyber issues, but still has not named a cyber coordinator, a job that experts say will be difficult to fill.

Napolitano said her department does not anticipate filling all 1,000 positions, which will include cyber analysts, developers and engineers who can detect, investigate and deter cyber attacks.

The secretary’s announcement marked the start of National Cybersecurity Awareness Month, which reflects the White House goal to draw more public attention to the need for everyday computer users to exercise more diligence in protecting their online security.

In other comments, Deputy Defense Secretary William Lynn said the Pentagon expects to make decisions in the coming weeks on whether to relax restrictions on the use of external computer flash drives and social media Web sites by members of the military and department employees.

The Pentagon banned the use of flash drives last November because of a virus threat officials detected on Defense Department networks.

Have you been hacked?

2009-09-20T13:35:00.000-07:00

In keeping with the hacking theme of a recent post, I wanted to address one of the most famous yet difficult-to-investigate and difficult-to-prove types of crimes out there: Hacking. I regularly hear the statement “Someone hacked my computer”. As soon as I hear this, the wheels in my brain start to spin. I start to ask myself what was on their computer system that someone else wanted. And to be honest, the answer is nothing. The average hacker is not going to go after one computer system to gain access to one credit card or one bank account. Instead they are going to go after computers that have thousands of credit cards and bank account information. And to be more bluntly honest, most of the time it is a misdiagnosis. No one hacked the person’s computer; instead they have a virus, or malware. And while those can be very troublesome, they are not a “hack”.

Now, after listing all of the issues and errors associated with hacking incidents, does that mean that I should leave my wireless network unsecured? And the answer is ABSOLUTELY NOT! Just because your machine was not hacked as the target, does not mean that a hacker isn’t going to use your machine as a launch pad for his attack on a bigger target. A good hacker (OK, even beginner hackers) is not going to hack from their own network; they are going to use a different network to host their activity. And lastly, I am not saying that encrypting your network makes it impossible for someone to get into your network. Encrypting it only makes one more hurdle for the hacker to overcome. All you want to do is make your network harder to get into than the other networks around you. That way the hacker avoids yours to save time, and uses the wide open network at your neighbor’s house.

Susteen Releases New Cell Phone Forensics Utility: Secure View 2 with svProbe

2009-09-16T06:25:00.000-07:00

IRIVINE, Calif., September 9, 2009 – Susteen, Inc. today announced Secure View 2 with svProbe, a comprehensive forensic solution which enables law enforcement and corporate security consultants to acquire, analyze, and report data from cell phones. This software release is a step up of Susteen’s leading Secure View for Forensics and the first cell phone data acquisition solution to incorporate a true analytical tool set, namely svProbe, which significantly automates, speeds up, and reveals critical data during the investigation phase.

The svProbe offers unique functionalities currently not included in any of the competitive offerings on the market:

Data Discovery and Bookmarking – search data for relevant information with ease and bookmark results for quick and painless access during the investigation process.

Link Graph to establish interdependencies between received calls, dialed numbers, sent/ received SMS and MMS.

Activity Map – Snapshot of the cell phone activity volume within a predefined timeframe to identify how and when cell phone has been used

Prime Number report to determine the phone number with the most activity within the cell phone report, as well as to display the specific activity associated with the number.

The Secure View 2 also enables investigators to merge multiple reports generated from diverse cell phone forensic solutions into one report. No need to browse through different formats – Secure View 2 will aggregate the necessary data into a central location.

The Secure View 2 builds upon the existing strengths of the Secure View for Forensics including but not limited to, wide phone support (over 2,000 phones supported), OS agnostic solution (Windows Mobile, iPhone, Blackberry, Symbian, or proprietary operational systems), software ease-of-use and reliability, and data validation by means of HASH signature.

“Our product strategy to innovate in the newly emerged cell phone forensics field brought to the market the first ever data acquisition tool with analytical capability. Secure View 2 with svProbe fills in the missing link in an investigation process, which is data analysis. It empowers the investigators to make inferences of cell phone use besides mere data acquisition and reporting”, said Sonny Farinas, Director of World Wide Sales of Susteen.

For more information about Secure View 2 with svProbe visit Susteen online at www.mobileforensics.com and/or visit PATCtech.com for a complete list of cell phone forensics solutions.

________About Susteen, Inc.

Susteen, Inc. is an international design solution provider, specializing in the area of data communications and mobile computing. Susteen strives to enhance data communications through multi-level applications, and to develop products that provide convenience to the client through technological innovations. Susteen's vision is to ascend to the position of worldwide dominant player in the seamless data management software industry through the ongoing enhancement of product quality and complete satisfaction of the stakeholders involved. Susteen is based in Irvine, California.

Indianapolis Chosen as US Center for Hacking Research

2009-09-02T05:13:00.000-07:00

The international non-profit, security research institute ISECOM has chosen Indianapolis as their U.S. base. ISECOM is best known for freely providing the OSSTMM, a worldwide standard methodology for security testing which is used to hack computer systems, trick people, and get around home security sensors and alarms to test their security effectiveness.

Indiana native, Chris Griffin, is responsible for luring ISECOM to Indiana. Griffin got involved with ISECOM in 2004 as a volunteer and quickly became a core team member where he assisted writing the Hacking Exposed Linux third edition. He then took the next step and flew to Barcelona, Spain, for a “train the trainer” session where security experts fly in from all over the world to attend an extremely intensive 3 day bootcamp of 16 hour days and passing 4 exams of 4 hours each to become ISECOM certified in security and trust testing and analysis. This qualified Griffin as an accredited security trainer, one of just 5 in the USA.

“I was working as a government contractor in security and I just couldn't believe it when I saw this incredibly new direction in Internet Security that was so effective and here we were still making the same mistakes by focusing on products instead of solutions,” says Griffin. “So I just knew we had to get that knowledge out to others here in the U.S.”

Griffin is not the first American to be impressed with ISECOM. Organizations such as the Department of Justice, FBI, NSA, and all the military branches have used the OSSTMM for security tests and have even trained some of their people. Companies like Walmart, Disney, IBM, and Intel have also trained people and applied the standard methodology.

“Even the Vatican got their people certified,” says Griffin. “ISECOM know-how is in big demand but there was almost nobody here who can bring it. So I'm doing it.”

Griffin is bringing ISECOM project research to Indiana and talking to other security organizations, government, and universities for collaboration. He will be teaching the OSSTMM Professional Security Analysis (OPSA) the week of September 21st at the training facilities of PATCtech Forensic Digital Evidence in Indianapolis, IN (Directions: http://www.patc.com/special/trainingcenter.shtml). The class focuses on “critical security thinking and analysis”. According to ISECOM, much of the security models currently in use are built from best practices which have a way of not being best for everyone. The OPSA teaches security professionals to investigate, deconstruct, and measure how security works for anything to assure the unique, and optimum solution for their needs.

For more information about this training class, including registration, contact Chris Griffin by phone at 317-903-6516 or by email to chris.griffin@isecom.org. Online registration is also available: http://www.isecom.org/opsa_indianapolis
____________________________________________

Griffin is also extending the ISECOM project, Hacker Highschool, to Indiana, which teaches teens resourcefulness and critical security thinking through hacking. The project provides schools free lesson books and access to a test network for experimentation.

“We can't turn away from the curiosity these kids have about hacking and expect them to just drop it,” said Pete Herzog, the Managing Director of ISECOM, in a BBC interview. “We need to harness that enthusiasm and help them learn, guide them, and let them understand there are responsibilities and consequences that come with that kind of knowledge.”

Indiana high schools who want to get involved in the Hacker Highschool project or security professionals who are interested in the upcoming OPSA class should contact Griffin by phone at 317-903-6516 or by e-mail to chris.griffin@isecom.org.

Time traveling with Computer forensics

2009-08-30T18:09:00.000-07:00

Question: Can computer forensics help you go back in time?
Answer: maybe

A while back I was conducting some detailed forensics on a few Windows Vista machines. I was looking for some very specific files types with specific words in the file names. As I was doing the exam, I continued to find that the evidence files no longer existed in their native format on the computer. (I was looking for some video and picture files.) So I started a keyword search for the words that I knew were in the file names. I got thousands of hits on the words, and as I reviewed the hits, I was able to see the file name that I was looking for in the text view. However, the hits weren’t in individual files or even slack space; instead they were in some very oddly named files located in the “System Volume Information” folder. I also noticed that these files that held the keyword hits were huge in size; one of them was 9 GB alone. Just from experience and training, I knew these files were Shadow Copies, but I never really had to extract them before. I was always able to find the evidence still located on the machine, so I never had to do the extraction. Now here I was with 2 different exams, both with the evidence locked away in the confusing world of Shadow Copies.

But before we go any further, what is a Shadow Copy? Well, it is a point in time back up of items saved on certain Windows machines. Shadow Copies arrived on Server 2003, and have been on all Windows machines since. Even Vista home basic makes Shadow Copies, even though you can’t access them. What is really nice is that I have a triple boot laptop (Ubuntu, XP, and Vista) and I can actually boot into Vista and make Shadow Copies of my XP partition.) And Shadow copies are created several ways. You can make a user initiated Shadow Copy, you can set your machine to do it automatically, or it is also done when new software is installed. And essentially, it takes all of the files currently on your computer and turns them into one big file. To see if you are making Shadow Copies on your machine, simply run a command prompt as administrator and run the command vssadmin list shadows.

The first thing I did was to try and carve the files out using several EnScripts. I selected the entire System Volume Information folder, and carved away. It took a little while, and when it was done, it only revealed a very small amount of the data that I knew should be on the machine. So now I knew that I needed to extract the Shadow Copies. My first question, which way did I want to do this. Here were my choices:

I could simply make a copy of the drive, put it into the original case, start it, crack the password if necessary, and restore the folders that I knew had the data.

Or

I could mount the image file using a utility such as Mount Image Pro, the start a VM on the machine, and again restore the files from the Shadow copies.

Or

I could attach the device to a Vista computer with a hardware writeblocker, and use a utility such as Shadow Explorer to review the contents of the Shadow Copies then restore whatever I wanted.

(Note: There are a couple other ways, as well as a few combinations of all of the above, but for the sake of time, I just listed the above three.)

I chose the last method since I did not have the original case, and I didn’t like my odds of cracking the user password in a VM environment. (I know it can be done, I just also know it is a pain, and I wanted to get the evidence as fast as possible.)
So I attached the hard drive to my Vista laptop and made sure that it recognized. I then downloaded Shadow Explorer from www.shadowexplorer.com. I started Shadow Explorer and it recognized the attached device; however, it did not see any Shadow Copies. I had done some research, and knew that I needed to turn on Shadow Copies on my computer. So I initiated Shadow Copies, and then restarted my machine. This time, when I started Shadow Explorer, it allowed me to navigate to the attached drive and see several Shadow Copies, listed by their dates and times. I was then able to navigate to the folders where the evidence was held, and simply right click and export the entire folder to my laptop.

Two more cases done.

For more details, check out the PATCtech forum (Restricted to members of public safety / criminal justice).
_____________________________
Glenn Bard is the Chief Technical Officer for PATCtech Forensic Digital Evidence and instructs nationally on Cell Phone Forensics, Cyber Crime, Basic Computer Investigations and other training courses for law enforcement.

Examining Damaged/Non-Working Hard Disk Drives, "Desperate Measures!" #3 of 3 in a Series

2009-08-26T18:41:00.000-07:00

This will be the final entry in this series. If you recall in the first two , I discussed techniques for acquiring a forensic copy (Image) of a damaged and apparently inoperable hard disk drive. The first Blog described swapping out the drive electronics. The second discussed placing the drive in a freezer for a limited amount of time. Depending on how you choose to handle it, the final method to be addressed is either going to be very very easy or far more difficult, In either case, it is likely to be expensive.... VERY EXPENSIVE.

What we want to do is carefully remove the disk platters from inside the drive and insert them into a working hard disk drive of the exact same manufacturer, model and size in which the platters from this host drive has been removed to make room for the platters from the nonworking drive. This method is not for the faint of heart, nor should it be taken lightly. Very specialized (and expensive) equipment, knowledge, experience and training is necessary. This is very similar in nature to performing surgery since a "clean room" type of environment is required. Manufacturing plants where hard disk drives are assembled are literally cleaner and more dust free than an actual operating room. This is necessary since even the smallest of particles can disrupt the distance between the read/write heads and platters of the drive causing a “crash”. Now you know why I stated earlier that it could be far more difficult than other methods. But, if you recall I also said it could be very easy. Here is the easy way: Call the drive manufacturer and ask them to do it for you. There, see how easy that was (much easier than paying the enormous bill you would likely receive).

Obviously you would only attempt this if you have tried everything else you can think of (and nothing worked), the investigation/prosecution hinges on the potential and expected results of such an endeavor and it is a REALLY important investigation (IE Homicide, terrorist attack, etc). I have been told there is a Federal Law Enforcement Agency out there that has the appropriate equipment/trained personal and takes submissions for this service but as of this writing I have not confirmed this. It would truly be an "unlikely event" to have to resort to this method, but then again the last time I boarded an airplane the flight attendant showed me how to use my seat cushion as a flotation device in the "unlikely event" of a water landing. I hope neither of these events ever happen to you, but if one does at least you will know you what to do.

John LaRoche
_________________________
John instructs nationally for PATCtech Forensic Digital Evidence on Social Networking Investigations, Linux Previewing and Network Seizure for Criminal Investigators, as well as other Law Enforcement Criminal Investigation Training Courses.

Comprehensive Cell Phone Forensics "Mini-Lab" available through PATCtech

2009-05-27T11:46:00.000-07:00

PATCtech is now offering a Comprehensive Cell Phone Forensics "Mini-Lab.

Our purpose for putting together this starter lab was to provide a high-end cell phone forensics solution for agencies who could not otherwise afford the industries existing "lab in a box" solutions.

No single cell phone forensics 'utility' (hardware or software) provides complete coverage of all cell phone models. Our final product, however, provides multiple utilities that have the ability to forensically examine approximately 90% of the cell phones on the market today - including popular models like the iPhone and Blackberry.

We chose to utilize the new "mini" laptop's with Atom processor technology for the 'engine' of the lab. The mini's passed extensive testing and will compete with any similarly priced cell phone forensics utility on the market.

For more details visit us on the web: http://www.patctech.com/cell-lab.shtml

Sexting and Sextmessaging

2009-04-28T07:45:00.000-07:00

I recently asked a group of investigators if any of them have had to deal with a sexting case. After some quiet grumbles one person slowly raised his hand and said that he had heard of someone investigating a sexting case, however he had not done one. Well let me be the barer of bad news. If you have not had to investigate a Sexting case yet, you most assuredly will in the not too distant future. This is an epidemic that is sweeping through, not only the realm of teenagers, but pre teens as well.

What exactly is Sexting? Well, to define it simply, it is when an individual uses their mobile phone to send sexually explicit images of themselves to another mobile phone. Then what is Sexmessaging? This is sending sexually explicit text messages from one mobile phone to another. While Sexmessaging has its problems, both morally and psychologically, we (the law enforcement community) will most likely not deal with this unless coupled with a more serious crime. I.E. child pornography, child luring etc. When dealing with Sexting you must understand that the Actors in this are involving themselves in a behavior of unintended consequences. In that, they simply see it as innocent “flirting”. However the problem lies with what is done after the picture is sent to its intended recipient. What if that person then sends it to 10 of his or her buddies?

In a recent case from Cincinnati Ohio, that received national attention, a young girl Jessica Logan, committed suicide after naked pictures of herself made the rounds at local high schools. Some may argue this is a case of a teenager overreacting to an incredibly embarrassing situation that she induced upon herself. As law enforcement members we do not have the luxury to treat this situation with such callous disregard. When confronted with a Sexting case it is imperative that we strive to apply the appropriate law. This, however, does not preclude us from applying the “Spirit of the Law” in some situations. So where does that boundary lie? When do we simply inform the child that it is inappropriate to send these pictures as opposed to filing charges for the production and dissemination of child pornography? This is the very real problem investigators are facing on a daily basis all over this country. District Attorneys are cringing every time they here the term “Sexting” uttered in a criminal complaint.

As you can tell this problem is not easily addressed. The state of Vermont recently attempted to enact new legislation in an attempt to speak to this issue. Their new law would make it legal for someone under the age of 18 to send nude or semi nude pictures to other minors. They argue that they have no criminal intent when making or sending the images. The United State Supreme Court has said repeatedly that child pornography, by definition, is much narrower than just nudity. Child pornography generally includes sexual acts or situations in conjunction with the photos. This goes to the heart of Vermont’s argument. If the intent is to simply send a nude photo, and it does not include an overtly sexual situation, then should the photo be “legal”? If so, then how do we address the recipient of the photo? If a photo is sent to its intended recipient who then forwards it to another, is that now a violation? These are valid questions that lawmakers have to consider. And those in the law enforcement community will have to apply these laws.

This is not an easy situation for us to be in, however we must keep in mind that our reaction to these cases can have long standing effects for all involved.

Examining a Non-Working Drive? Be Cooool About It. #2 in a Series

2009-04-01T14:10:00.000-07:00

In the first Blog of this series, I addressed one facet of how to recover data from a damaged or inoperable hard disk drive. If you recall, I discussed a method whereby the drive electronics was removed and replaced with a board from an identical working drive. As ingenuitive as this technique is, it sometimes may not be possible or appropriate. In other cases where it would be OK to try, perhaps it should not be the first method you should use. So let’s take a look at another technique.

Ever attach a hard drive to a computer and power it up only to hear a uniform "clicking" type of noise followed by an "accelerating spin up" sound that seems to cycle itself over and over again? This "clicking and accelerating spin up" report would be audible with about the same regularity as a skipping record, yes I am referring to a record player (I suppose I just dated myself). In any case, this can only be described as.....Not good. This usually means that the drive heads are touching the platters of the drive (which may be warped for some reason). This problem can quite literally carve circular gouges onto the spinning disks. If you hear this noise, TURN THE COMPUTER OFF.....SOON....NOW WOULD BE BETTER.

What we need to do is somehow recreate the minute space that used to exist between the read/write heads and the platters. How do we do this? Good question. Take the drive, go to your kitchen, tightly wrap it in aluminum foil, stick the newly wrapped drive in a sealed plastic baggie, squeeeeeze the air out of it and place it in the freezer, that's right I said stick it in the freezer. Wait about half an hour and DING, ITS DONE!!! What’s the catch? You might only have this one chance to spin it up and get what you need while it’s still cold. If you attempt this, immediately try to grab a forensic image of the drive, don't delay. In a Walgreens world somehow the drive would stay cooler during the entire imaging process, but since I don’t know anyone who lives there aim a fan at the drive and try to keep it cool. This drop in temperature is designed to condense everything in there juuuust enough to recreate the minute space that used to exist between the read/write heads and the platters that has somehow been lost.

Here comes the lawyer stuff, It is entirely likely that you may further damage the drive utilizing this method, but then again it was inoperable to begin with so in this respect you have not lost anything.

John LaRoche
PATCTech Chief Examiner, Instructor

Examining Damaged/Non-Working Hard Drives, Can It Be Done??? #1 in a Series

2009-02-28T19:43:00.000-08:00

Can a damaged and/or non-working hard disk drive be brought back from the dead for purposes of a forensic examination? Like many questions relative to computer forensics, the answer is, maybe. This will be the first in a series of Blogs addressing this issue.

Not too long ago, a detective brought me a computer for examination from the scene of an arson, and yes the tower had been burned up pretty good. To make things worse, upon opening the case I found a RAID array and one of the three drives had been damaged from the fire. Unfortunately, this was a RAID 0 configuration thus eliminating the possibility of recreating the drive via parity. Specifically, the damaged hard drives’ ¹

drive electronics was covered with black soot….Not good to say the least. What was so important about this particular computer is that it was located at and used by the business/building (that had been set ablaze) for storing the footage from the surveillance system. As a final insult, I was told it likely captured the arsonist(s) carrying out their handiwork in an investigation that otherwise had few leads. I felt like the field goal kicker at the 45 yard line with less than a minute to go with a score of 21-23, the pressure was on.

As dramatic as the lead up to the examination was, the solution was surprisingly simple. Although the drive would not spin up due to the fire damage to the drive electronics, the rest of the drive seemed none the worse for wear. After having used a commonly known forensic software tool to acquire a forensic copy (in the form of “image” files) from the other undamaged drives in the array, I then removed the drive electronics from the damaged drive. Now for the money shot, since all of the drives were of the exact same make, model and size, I removed the drive electronics from one of the undamaged drives and installed it onto the damaged drive. Upon connecting the damaged drive with the newly installed “good” drive electronics to a forensic computer, it spun up, was recognized and allowed for a full error less forensic copy to be acquired. Once finished, all of the separate drive “images” were reassembled (using the same aforementioned commonly known forensic software tool) and I was able to fully read the RAID array as it was meant to be read, as a single logical drive.

In retrospect, I was fortunate to have had additional drives at my immediate disposal that were of the same make, model and size from which to harvest a healthy drive electronics board. In some cases, it may prove difficult to find and obtain an exact duplicate drive of a damaged evidence hard disk, especially if it is older.

For those of you waiting for the end of the story, the examination did not provide any surveillance footage of the crime. The business was closed at the time of the arson and the cameras (installed to prevent and detect theft during business hours) did not operate when the business was closed.

You win some you lose some.

¹

drive electronics are the green exposed silicon circuit boards located on the bottom of hard disk drives.

John LaRoche
PATCTech Chief Examiner, Instructor

"METADATA"; What is it? Where is it? What can it do for me?

2009-02-11T20:11:00.000-08:00

I have heard these questions a lot lately and felt it needed to be addresses. So, what is "Metadata"? Simply put, it is "data about data". Some might ask, "What is that supposed to mean"? A good analogy would be a book, even books contains metadata of a sort. When you read through the pages of any book, you are reading the "data" if you will, but there are other forms of data in the book. What about the table of contents? or a bibliography? Perhaps the ISBN number? These are all forms of metadata. They are not directly part of the story in the book, but somehow provide the reader with other or extra information relative to the book.

Now, let's apply this analogy to the world of computers. Many types of files today have some sort of metadata embedded within them or somehow associated with them. An excellent example of this is your average Microsoft Word Document. Create a word document, save it somewhere, close the document, then hover your mouse cursor over the icon or filename associated with the document. See anything? You are likely going to see a small box appear that reveals some of the metadata about that file. Information such as the type of file, Author, Title, date modified and size. If you wanted to delve even deeper by, say, right mouse clicking on the file and calling up its properties, you could get a lot more metadata, such as who was the last person to save changes made to the document, comments, the author or editor's company, date and time last saved, the application (and version number) used to create or edit the document and many other items of possible interest. Getting scared yet? I seem to recall when I first learned about metadata, having tried to "wash" all of my Word files, it was taking to long so I finally gave up.

Some of you may already be familiar with other types of metadata. "Exif" data would be the equivalent of metadata for some digital picture file formats such as jpeg and tiff files (png, gif and a few other formats do not include "Exif" data). An Internet search would net you a free Exif reader that can be used to view the data easily. Look hard enough, you are likely going to find metadata in a lot of places.

Let's tie it all together, how important can metadata really be? Well, there was this one small case not too long ago involving a suspect who committed several murders over many years. It was the BTK (Bind, Torture, Kill) serial killer. BTK was starting to get worried about the advances made by the FBI and others in the area of handwriting analysis, so he decided to send them a document on a floppy diskette. Big mistake, a subsequent forensic exam on the diskette revealed a Word Document that contained, guess what, you guessed it, METADATA, that led authorities to BTK's church and ultimately to him.

John LaRoche
PATCTech Chief Examiner, Instructor

Defeating Computer Forensics

2009-02-11T16:49:00.000-08:00

Defeating Computer Forensics (a.k.a., "Anti-Forensics"). Lets assume that there are people today that would like to keep data on their device from falling into the hands of a forensic examiner.

Well, is it possible to defeat a thorough analysis by an experienced examiner? The answer is yes. With that being said, one might question the thinking or reasoning behind someone who would go to such lengths to hide evidence. Most individuals are just looking to hide their internet activities from their employer, spouse or other family members. For these people they delete the temporary internet files, cookies, url's etc.., and they are "safe". For the individual who has more to hide he will need to work considerably harder.

Some people believe by simply formatting the device that they have rendered the data unrecoverable. This is incorrect. They have simply removed the file from the file allocation table, but the data is still in its place. The computer just does not know where to locate the file. The file must be completely overwritten for it be unrecoverable. Multiple formats will cause the data to be more sparse and harder to recover, but its not a perfect system. Some software erasing tools can create a log of their activities that have been erased, which is self defeating. The only way to be sure to remove all ability to recover the information (aside from a sledge hammer or drill bit through the drive) is to wipe the unused portion of the hard drive (Replace all 1's and 0's). This is time consuming and most users are not willing to go through the process. Besides, if you show up at someones door with a warrant without their knowledge they will not have the time to erase the hard drive properly and entirely.

So , in conclusion, yes they can defeat a forensic exam. If they have advanced warning of the exam and are willing to remove all of their data. It will depend on how important the data is to them. We, as examiners, must keep this in the back of our mind when we come across a device which seems to have an unusual lack of evidence. May have to dig a little deeper in these cases and try something unconventional or simply work harder to find what they tried so hard to hide. The "Tracks" of trying to hide data can be just as important as the data itself!

DVR Forensics

2009-01-05T14:46:00.000-08:00

Recently I was involved in a Homicide by Vehicle investigation being conducted by a local police department. The Actor had visited a night club prior to the accident. The investigator served a search warrant on the establishment and seized a large DVR which housed all the information gathered by the 20 + cameras within the business. The question posed to me was whether the information on the DVR could be found and then compared to the time stamp on a cash register receipt? Seemed like a tall task.

Upon inspection of the unit it was discovered that it was not a name brand piece of equipment and had no manufacturing marks at all. The case was opened and found to contain two large hard drives. The problem we ran into was upon trying to transfer the data to another hard drive and then view same. The video was in a proprietary format and was not able to be viewed in its imaged state. The only way to continue with the examination was to treat it as any other hard drive and view the image while utilizing a writeblocker and EnCase.

Once the appropriate images were located, namely the Actor purchasing and consuming drinks, we had the Audio / Video Division use enhancing techniques to focus on our guy.

NOTE: We were fortunate in this case that we were not dealing with a multi-plex system and also that we were not trying to recover deleted material. A lot of surveillance DVR's overwrite data every 2 to 3 weeks. In cases such as this, there is special equipment that can be purchased. When dealing with a Closed Circuit Television system you may have to go to the manufacturers website to download software to view the images. As with most computer forensics some trial and error will most likely be involved.

Bootable BackTrack3 USB

2008-12-21T19:38:00.000-08:00

I always heard about booting a computer to Linux on a USB and always wanted to do it. So I went and downloaded BackTrack3 for USB in ISO format and tried to extract it to USB, but kept having problems extracting the ISO to my USB. So I did some research and finally worked it out. What I needed to do was bust the ISO, move the contents of the Syslinux folder, change a CFG file, and then write a small BAT file to make it all bootable. It sounds like a lot, but in actuality it was very easy and took a total of about 2 hours.

Mine works fantastic and is very fast. Plus it has all of the BackTrack3 tools. And the best part is that it all fit onto an old 1GB thumb I wasn't using anymore.
If you want step by step instructions, check out the "Just Linux!" section of the forum.

Good Luck.

Phase I of "CDEI" Certification: Cell Phone Technology & Forensic Data Recovery Certification

2008-12-05T06:20:00.000-08:00

Currently Scheduled in Frisco, TX July 27-31, 2009 (Details & Registration)

View the complete details for this certification training below, or by visiting the objectives page on the web here: Cell Phone Technology & Forensic Data Recovery Certification.
--------------------------------
Cell Phone Technology & Forensic Data Recovery Certification is a one of a kind certification training module for law enforcement and members of the public safety / criminal justice community that provides investigators a comprehensive study of how to use cell phone records and cell phone forensic technologies in any type of investigation.
--------------------------------

TESTING FOR THE CELL PHONE TECHNOLOGY & FORENSIC DATA RECOVERY CERTIFICATION:

Those wishing to test for the Cell Phone Technology & Forensic Data Recovery Certification must have completed either both of the qualifying classes individually (Cell Phone Technology for Criminal Investigators + Forensic Cell Phone Data Recovery for Criminal Investigators) or the combined 4 1/2 day certification course as outlined on this page.

For those past students who have taken both qualifying courses individually and wish to take the certification test, please contact the PATC central office at 800.365.0119 (locally: 317.821.5085).

For those taking the 4 1/2 day combined course as outlined on this page, testing will be conducted at the conclusion of training on the final day.

--------------------------------

TRAINING OBJECTIVES:

The 4 1/2 day combined training module for the Cell Phone Technology & Forensic Data Recovery Certification includes all content and lessons as described in the individual courses Cell Phone Technology for Criminal Investigators + Forensic Cell Phone Data Recovory for Criminal Investigators respectively.

Cell Phone Technology for Criminal Investigators:

The purpose of this seminar is to expose the attendee to proficient and effective investigations utilizing available databases and cellular usage records.

Major topics include:

Types of cellular records available as a law enforcement official

Methods to acquire cellular records

Understanding cellular records

Proven ways to display cellular records in a court of law

Understanding the usage and manner in cellular tower records

Overview of commercially available software that effectively displays cellular records

Forensic Cell Phone Data Recovery for Criminal Investigators:

The primary objectives of this course are to familiarize the law enforcement officer and investigator with different cell phone technologies and teach the practical techniques used in forensic recovery of data stored in cell phones.

Major topics include:

Different types cell phone technologies, and how to identify them

Cell phone connection hardware

Cell phone software

Cell phone data/evidence seizure

Cell phone resources on the Internet

Legal issues and case law pertaining to cell phone data seizure

PATC Tech Quick Guide

2008-11-09T16:27:00.001-08:00

PATCTech has prepared a Quick Guide for computer seizure. It will cover step by step instructions to properly conduct a search warrant execution on a computer system. It goes over topics ranging from live acquisitions, RAM Dumps, photographing the scene, packaging the evidence and more. As soon as it is ready for publication we will make a new announcement here. Stay Tuned.

Have a good Veteran's day, and if you know a Veteran, thank him or her. It is because of them that we are still the greatest country on Earth.

Land of the Free,
Because of the Brave!!!

MAC Forensics

2008-10-31T19:38:00.001-07:00

Recently I have had the opportunity (Or bad luck depending on how you look at it.) to examine several Macintosh computer systems. Three this week alone to be exact, 1 older generation iMAC, 1 new generation iMAC and 1 Mini MAC. To do these three devices, I used three different approaches to acquire the drives.

On the new generation iMAC I removed the internal SATA by removing the back from the tower / monitor combo, and then placed it into my forensic machine in the SATA write protect bay just like any other drive.

On the older generation iMAC I was able to access the IDE drive by opening a small access panel on the back of the device and attaching a long IDE cable and power cord. I then attached the other ends of cables to an Ultrablock and imaged the device like any normal IDE drive.
http://www.blogger.com/post-edit.g?blogID=4149422942457488318&postID=5538970991539394484
TO acquire the Mini MAC, I simply attached a Firewire 400 cable to the device, and the other end to my forensic machine. I then booted the Mini MAC to "Target" mode was then able to acquire the drive as if it were an attached hard drive. (To learn how to boot into "Target" mode go the MAC section of the PATCtech Forum.)

It is important to remember that simply attaching the devices to my forensic machine did not make them viewable in Windows. Obviously the use the Macintosh proprietary file system (HFS, HFS-J, and so on) and Windows simply can't see the devices. But if you use something like Encase version 6, the acquisition and exam is just as easy as if you were examining XP or Vista.

For some more details about these three processes, go the the "Just MAC" section of the PATCtech Forum, and I will post the finer details there.

Obtaining an image from a running machine

2008-10-09T16:22:00.000-07:00

Under perfect circumstances, we, as forensic examiners, seize computers from their locations, return to our offices, remove the hard drives, image them, and perform exams using a wide range of tools. However, our world is rarely perfect, and circumstances require that we have a certain amount of flexibility. There are times when doing things this way is not possible, and you have to be prepared to change your SOP and obtain the evidence you need under less-than-optimal conditions.

In some situations, specifically when the drive is encrypted, you can’t shut down the computer without losing the evidence. Or, if the machine is a server, taking down the entire network may not be possible (or, at least, undesirable). None of us wants to be the subject of a civil case for shutting down a business.

Fortunately, there is a way to make an image of a running machine, and it requires no specialized (or expensive!) equipment. The first thing you’ll need is an external hard drive (large enough to contain the image), probably USB, that can be attached to the machine. The second item is a thumb drive. And the third is a great little utility from AccessData called FTK Imager Lite. This is a free (yay!) download, and runs right from the thumb drive. Download it, unzip it to the thumb drive, and you’re ready to go.

On-scene, attach the external drive, and insert the thumb drive. Navigate to the thumb drive, and start FTK Imager. The software is easy to use, and makes the entire process a breeze. You first direct the imager to create an image file. The software gives you the opportunity to select the source of the image, which can be a physical drive, a logical drive, an image file, contents of a folder, or a Fernico device. Primarily, you will be choosing a physical drive, but the other options may come in handy in specific circumstances. You are then given a drop-down menu which lists the drives located on the machine, including the drive number and a brief description of the manufacturer, type and size of each drive. After you select your source drive, you will be asked what type of image file you would like to create, Raw(dd), Smart, or E01. You then input specific case information, such as the case number, examiner’s name, and evidence number, and then select a destination and name for the image. Obviously, the destination should be the external drive you have already attached to the machine. Additionally, the imager will allow you to choose the level of compression you want for the image from 0 (none) to 9 (smallest, and slowest). From there, you start the imaging process, and sit back to wait.

Obviously, one of the downsides to imaging a machine this way is that you have to sit at the site and wait for the image to finish, which could end up taking several hours. But if circumstances demand that the machine not be taken out of service, this is a good way to get an image to examine. Plus, maybe you’ll earn yourself a little overtime, watching the progress bar.

Once you get back to the office, you can examine the image using your tool of choice, depending on what type of image file you created.

There is obviously no way to avoid making small changes to the system you are imaging using this method. Attaching the thumb drive that you are running the imager from, as well as the external drive you are imaging to, will make changes in the registry, and the imager will make changes to the RAM and the pagefile. But these changes can be logically explained and defended, given the circumstances that required you to make this image on-scene rather than in the lab. Just be aware that you may, at some point, be asked to articulate why it was necessary to do so.

I have used this method to make images of running machines on more than one occasion, and it made what could have been a very sticky situation easy as could be.

PATCTech announces new classes.

2008-10-07T20:47:00.001-07:00

Earlier today I had the pleasure of officially announcing to a class that PATCTech is launching 3 new one day classes in January 2009. The classes cover Social Networking sites (MySpace), Network seizure and Router interrogation, and Linux Live CD's for first responders. Following is the class announcement from the PATCTech website:

This PATCtech hand's on training module targets three essential and unique elements associated with the investigation and recovery of digital evidence. Registration for this training module does not require an advanced understanding of computer related skills, and is designed for all parties directly involved in crime scene procedures, evidence preservation and criminal investigations.

* NOTE: Students should bring a laptop with wireless networking capabilities to this course.

Social Networking:
This portion of the class is designed for detectives, school resource officers, and anyone involved in conducting investigations involving social networking sites for the purpose of administrative or criminal investigations.

Primary Topics for this section of the course include the following:

Introduction to the various Social Networking sites including Facebook, MySpace and others;
Steps to preserving a social networking profile;
Determining the identity of a profile's creator;
Steps to set up an undercover profile;
How to use an undercover profile for information gathering;
How to use available tools that aid in the investigation of social networking profiles;
Artifacts that Social Networking sites leave on a computer system.

Linux Previewing Utilities:
This portion of the class is designed for the first responder, probation or parole officer, or any other person with a need to preview a live computer on scene without changing important information on the computer system.

Primary Topics for this section of the course include the following:

Introduction to several different types of Live Linux CDs available for previewing a running computer system;
Hand's on skill training in the proper use of each of the Live Linux CDs on a running computer system;
How to conduct a targeted search for pictures, videos, documents and other types of digital evidence;
How to copy the contents of the computer's RAM on a live machine.

Network Seizure:
This portion of the class is designed for the first responder, raid team leader, or any other person with the responsibility of conducting search warrants on networks in a home or commercial setting.

Primary Topics for this section of the course include the following:

The different types of networks that one can anticipate encountering, including simple home networks to large business networks;
Descriptions and functions of different types of network hardware;
Proper shut down procedures for network hardware;
Obtaining evidence from servers;
Identifying and locating network attached storage;
Conducting analysis of routers on scene.

To register for these classes go to:

https://www.patc.com/training/register.php?ID=12583529

I hope to see everyone in class.

"TO LIVE EXAMINE A RUNNING MACHINE... OR NOT TO LIVE EXAMINE A RUNNING MACHINE.... THAT IS THE QUESTION."

2008-10-06T11:58:00.000-07:00

Some of you who have been around the computer forensics arena for a long time (like me), no doubt remember the 1st and most important rule when seizing a computer system that you have found to be on and "running". If you have acted in more of a "lab rat" capacity, then you likely hammered this same rule home to the officers and detectives that bring you computer evidence to be examined.

Rule #1: "Don't make any changes, Don't touch the keyboard, Don't touch the mouse (this one to a lesser degree)", "Pull the power cord out from the back of the computer!!!!"

OK you got me, that is more that one rule, but the concepts behind each of these statements is the same and you never EVER wavered from them, that is until now. All that you ever learned about how to seize a computer that is powered up upon your arrival is all changed.

Current theory would go that if you do not obtain certain information from a running machine that it could be very detrimental to you case. In playing devil's advocate, I can see the potential disaster involving a very intuitiveness yet deceptive defense attorney, "Officer, is it not true that you deliberately and abruptly cut power to my client's computer, is it not also true that in doing so you permanently destroyed 2 (or more) gigabytes of information, did you know that there was (read here exculpatory) evidence in there that would have vindicated my client!!!!". This line of questioning could go on for an uncomfortably long period of time. In any case, to a lesser degree, I would have to agree. Ignoring potential evidence for the sake of preserving what amounts to a relatively small number of date and time stamps is ludicrous. Is it not better to capture and document the evidence and make a few explainable and justifiable changes to last accessed dates and times than to miss something completely? Remember, properly executed running machine examinations only change minor “overhead” related data, IT DOES NOT ACTUALLY CHANGE THE EVIDENCE ITSELF.

Make no mistake, the days of seizing running computers the “old” way are over, gone with it is a narrow minded mentality on how to seize computer evidence. Also gone is the ability to send Officers/Detectives with rather minimal training to execute a search warrant to seize computer evidence. In days old it was easy to give a somewhat short class to inexperienced Officers, educating them on how to seize computer evidence, not any more. Having an Officer specifically (and I would add extensively) trained in seizing computer evidence using the newly accepted best practices methods is essential. Not only would an Officer have to be able to capture information from a running computer without damaging or changing actual evidence, but he/she would also have to be proficient at ram dumping, interrogating routers and searching/scanning for wireless devices, to say nothing about cell phones (please lets not go there).

I must admit, in some ways I long for easier times. My father began his police career in 1966. He had a revolver, cuffs and a baton. The crimes code and vehicle code back then combined were thinner than my wallet. Now, they are thicker than Leo Tolstoy’s War and Peace. Point being, investigating computer crimes is becoming more complicated by the day. Failure to keep up with training, equipment, certifications and current trends will mean lost cases, lawsuits and worse........ victims without justice.

John LaRoche
PATCTech Chief Examiner, Instructor

Network Seizure

2008-10-05T04:34:00.000-07:00

After my last post about RAM Dumping, I wanted to touch on another procedure that should be conducted at each search warrant service. In today's computer world, networks are everywhere from huge corporations to a bad guys house. When I first started seizing computers in 1999, most people were connecting to the internet via POTS (Plain Old Telephone System, aka Dial up). Now everyone is connecting via high speed, and most people have some type of home network. Additionally the average user is getting much more proficient with securing their personal computers and networks. In many cases, this can actually help the investigator prove responsibility, but to do this, the routers must be interrogated on scene, and seized. This can allow for us to identify if the network is encrypted, what type of encryption, and even how many devices are connected to the network. This all sounds difficult, but it really is not that hard. We are currently developing a Network Seizure class that will teach how to properly examine and seize network equipment, and make your case even stronger. The first class is scheduled for January in Indianapolis. Check the PATC website for exact dates and times. I hope to see you in class.

RAM Dumps

2008-10-05T04:21:00.000-07:00

When I first started doing RAM dumps, it was a very difficult procedure and included connecting a laptop to the target computer, placing a Linux utility CD into the target machine, booting your laptop to Linux and then pulling the contents of the RAM through a cross over cable to the laptop. Things got a little easier with Helix, but you still needed the Helix Live CD, a thumb drive, and a working knowledge of the procedure. Recently RAM dumping has gotten a lot easier. All you need now is a BAT file on a thumb drive that dumps the contents of the RAM into a DD file in the same folder that the BAT file is located. This is making it a lot easier, and considering that encryption is now common place it is a good idea to conduct RAM Dumps on all seized machines.

If you are seizing computers, and not conducting RAM Dumps, I highly recommend you start. The information you can obtain through this procedure can be invaluable. I have done a lot of research into the data that can be obtained from RAM Dumps, and have found pictures, e-mail text, address, IP addresses, passwords and much more.

Additionally, if you are not doing a RAM Dump, you truly are not getting all of the data possible to solve the crime and prosecute the responsible party.

Homeland Security and MALINTENT reading your mind

2008-09-30T13:08:00.000-07:00

I am sure by now you have heard of the new "tool" being introduced by the Department of Homeland Security. The machine named MALINTENT uses various infrared optics to read body anxiety and nervousness that react in conjunction with a person who has malicious intent. They claim the error rate is low and if you are just a nervous traveler, or have had a bad day, this will not be reading you as being a terrorist. The machine looks like an ordinary metal detector and can read a person as fast as they can walk through. I have no problem with airlines taking extensive precautions to ensure the traveling publics safety. However, my fear is that the information is matched up with the person walking through the machine and then kept for future reference. The manufacturer states that all information is dumped as soon as the person clears the machine. Time will tell if the public is annoyed by yet another invasion into our privacy. Check out the Fox News link below:

http://www.foxnews.com/story/0,2933,426485,00.html

Google Phone

2008-09-23T04:48:00.000-07:00

Today is the launch of the new Google Phone (G1), powered with Android Technology, the latest of the "smart phone" category. From what I have read it will initially be available only to T-Mobile customers. I checked phonescoop.com and they had very little information relating to this device. They are offering free Gmail with a new contract. So there is no need to pay the service fee to access your email. Good move.

The software developed by Google will be Linux based. Not sure if current cell phone forensic applications will work, however it does not appear that Android will hamper any examination efforts.

Public Agency Training Council launches new division: PATCtech

2008-09-16T11:22:00.000-07:00

Combining law enforcement and computer science to provide solutions and training in Digital Forensics, Data and Legal Services

PATC Forensic Technology (PATCtech) was founded to meet the needs of the public safety and private sectors and the rapidly growing demands associated with digital forensics and high-tech investigations.

PATCtech provides an experienced staff in the classroom for certified high-tech criminal investigation training, and in the field for comprehensive digital forensics services. To meet the needs of our digital forensics clients, we also provide complete data service solutions through the PATCtech Affiliate Network.

Digital Forensics services (a.k.a., Computer Forensics) from the PATCtech lab include the implimentation of digital evidence recovery from any type of electronically stored media (computers, cell phones, iPods, PDA's, cameras, etc...). Because of the experience of our examiners, analyzing and reporting for every case is assured to be comprehensive in scope and qualified for acceptance in a court of law.

PATCtech Data Services provide stand-alone solutions for Data Management, and create additional value to Digital Forensics clients by offering pro-active solutions against any future liability associated with electronic discovery (eDiscovery). Examples of Data Services available through the PATCtech Affiliate Network include: Data and Network Security, I.T. Management and Preventative Maintenance Solutions, Data Backup and Recovery, and Network and Bandwith monitoring.

PATCtech associates are available for case consultation and expert witnessing services, as well as hand's on training for public safety & criminal justice. PATCtech consultants and trainers are all actively practicing attorney's or certified and experienced law enforcement investigators specializing in data as evidence and digital forensic examinations. Our experienced staff offers the peace of mind that you are being given tested and proven solutions.