TRANSCRIPT
3/14/2019
Digital Forensics/e-Discovery in Litigation
Stan Mitchell, CFCE, [email protected]
615-882-7903
Digital Forensics
Computer Forensics began in the mid-80s as a response to a demand for service from Law Enforcement, in particular the FBI
Many local Police Departments now have forensic capabilities
Demand in the private sector led to privatized Computer Forensic Labs
In the past, we looked for the “paper trail” in folders, boxes, cabinets, rooms, and warehouses
Today, that same “paper trail” is more likely to be stored electronically on a computer hard drive or similar electronic media
Electronic Discovery vs. Digital Forensics
Electronic Discovery Defined
Electronic Discovery may be defined as:
– The process of collecting, processing, and producing electronic documents, e-mail messages, database records, etc. from a computer hard drive or other electronic media, then loaded into some type of litigation database or delivered on media with an accompanying viewer program, allowing for review of the files by the end-user.
– So what one has at the end of the electronic discovery process is a massive database of documents that have been copied from electronic media and delivered in a reviewable format.
A High Level Overview of the E-Discovery Process
1. Identify potential sources of electronic evidence
2. Preserve and acquire data sources
3. Process acquired data
4. Conduct substantive review
5. Produce responsive documents
Digital Forensics Defined
Digital forensics may be defined as: The retrieval and analysis of data from a seized computer hard drive or other electronic media, performed in such a manner that the results are reproducible by another examiner who, following the same steps, reaches the same conclusions.
Digital forensics has also been described as an “electronic autopsy” of digital media, because specialized training, hardware/software tools and techniques are all required to make a forensic image of the drive, then analyze the data and the various levels at which that data is stored.
Digital Forensics Defined
Identification, Preservation, Extraction, Interpretation and Presentation of electronic-related evidence
Requires specialized training and expertise beyond that possessed not only by the average computer user, but even by the well-trained I.T. expert
Requirements
Forensic examination may explain...
User created or Copied?
Wiping applied?
Internet sites?
Recent Apps?
Any Hidden info?
Forensic examination may require...
Documenting activity – What, When or How
Targeting recovery of deleted files/e-mail and the examination of file slack / unallocated space
Searching for hidden files, or files that may have been renamed, disguised, or encrypted
Viewing files (text or images) to determine evidentiary value
Analysis of date/time stamps to establish evidentiary timelines with as much accuracy as is possible
Documenting efforts to destroy evidence
Recovering browser history
Finding previous/similar versions of a file
Defeating encryption
A forensics examiner should...
Possess the requisite training and equipment to forensically process seized digital evidence in order to identify and recover data with evidentiary value
Establish a community of contacts, references, referrals; network with experts in the field
Be able to provide training (formal or informal) to other personnel regardless of their level of expertise
Have a knowledge base consisting of source information such as publications, documentation, intelligence, modus operandi, and any other data relevant to computer-related crimes
Be able to effectively testify as an expert in a court of law
Obstacles in analysis
• Password protection
• Encryption
• Obscure software
• Very old technology
• Very new technology
• Virus (damaged or altered)
• Other operating systems
• Special drive conditions
• Sheer volume….
[Chart: Media Volume to "Books" – number of printed books equivalent to the capacity of a 5 1/4" floppy, a 3 1/2" floppy, a CD-ROM, a 1.5GB HDD and a 5GB HDD]
Stuff nobody ever told me...
That computers often have some pretty unusual contents lurking inside the case... including:
Hairballs the size of Montana
Biohazards such as smoke or meth residue
Cockroaches – hundreds of ‘em –
Or even worse...
Overview of Digital Crimes
Overview of Digital Crimes
• In 1997 the U.S. Census estimated that only about 18% of households had computers/electronic devices.
• In 2015 the U.S. Census estimated that this had grown to 78% of households in the U.S. with 77% of those having Internet access.
• In 2015, ~205 billion emails sent per day / 2.4 million per second
Overview of Digital Crimes
• What type of crimes are being committed with computers/mobile devices?
• A better question now would be: What crimes are not being done with or on computers/mobile devices?
• You can expect to be involved in a variety of investigations such as….
DFI: Digital Forensic Investigation
Criminal Case Files
Attempt To Destroy Data
Case Files – Homicide
Victim is found dead in her vehicle outside of her apartment shot 9 times.
Victim’s divorce was due to be final that day.
Interview with victim’s husband reveals inconsistencies in his alibi immediately.
During search warrant the family computer and a diary are seized.
Case Files – Homicide
Victim’s diary reflects that husband was stalking her
Analysis reveals Eblaster from Spectorsoft on victim’s pc.
The husband was monitoring his wife and daughter and having the reports sent to his work email address which he would read from a web based interface from home.
Internet history also reflects user visiting www.anytrack.net
Case Files – Homicide
A subpoena to anytrack gives the complete account information as well as all the recorded locations of the device.
The suspect had a GPS device hidden on the victim’s vehicle.
Last destination reported from GPS device was where victim was killed.
Criminal Case Files – Drug Case
Pictures of the dope
Or... of the dopes with the dope...
Case Files – Bank Robbery
Police arrest a suspect for robbery and seize his cell phone and computer.
Exactly what could you find that could possibly link him to a bank robbery?
And my personal favorite...
Case Files – Attempted Homicide
• Woman hospitalized in 2002 due to severe weight loss, weakness, hair loss, and other assorted ailments
• High levels of thallium discovered in her system. While hospitalized, thallium levels mysteriously increase.
• Search warrant issued for her residence – No evidence of thallium, but three home computers seized for analysis
Case Files – Attempted Homicide
Keyword searches for thallium reveal these deleted entries…
Chemical price list containing the word “thallium”
A “keyword” search for “springfield” reveals…
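The keyword-search step shown in this case, and the examination task listed earlier (recovery of deleted material from file slack / unallocated space), rests on scanning the raw image rather than the live file system. The following is an added example, not code from the presentation: the sector layout, allocation map and sample bytes are all constructed for illustration, and nothing in it comes from a real case.

```python
import re

# Constructed sample "raw image" (not from any real case): sector 0 holds a live
# file; sector 1 holds the data of a text file whose directory entry was deleted;
# sector 3 holds a UTF-16LE string of the kind Windows writes for user searches.
SECTOR = 512
LIVE = b"grocery list: milk, eggs, bread\n"
DELETED = b"chemical price list: thallium sulfate 25 g ... $40\n"
DELETED_UTF16 = "search: Thallium poisoning".encode("utf-16-le")
# Byte ranges the (hypothetical) file system still reports as in use: only sector 0.
ALLOCATED = [(0, SECTOR)]

def build_image():
    img = bytearray(SECTOR * 4)
    img[0:len(LIVE)] = LIVE
    img[SECTOR:SECTOR + len(DELETED)] = DELETED
    img[3 * SECTOR:3 * SECTOR + len(DELETED_UTF16)] = DELETED_UTF16
    return bytes(img)

def region(offset, allocated):
    """Label an offset as inside a live file or in unallocated space."""
    return "allocated" if any(a <= offset < b for a, b in allocated) else "unallocated"

def keyword_search(image, keywords, allocated, context=16):
    """Scan raw bytes for each keyword in ASCII and UTF-16LE, case-insensitively.
    Because the whole image is searched, hits in unallocated space and file slack
    (the remains of deleted files) are found alongside hits in live files.
    Returns (offset, encoding, keyword, region, snippet) tuples sorted by offset."""
    hits = []
    for kw in keywords:
        for codec, label in (("ascii", "ascii"), ("utf-16-le", "utf-16le")):
            pat = re.compile(re.escape(kw.encode(codec)), re.IGNORECASE)
            for m in pat.finditer(image):
                # context is even, so the window stays aligned to the 2-byte UTF-16 units
                start = max(0, m.start() - context)
                end = min(len(image), m.end() + context)
                snippet = image[start:end].decode(codec, "replace").strip("\x00")
                hits.append((m.start(), label, kw, region(m.start(), allocated), snippet))
    return sorted(hits)

if __name__ == "__main__":
    # Both thallium hits land in unallocated space: the directory entries are gone,
    # but the data is still on the media until something overwrites it.
    for hit in keyword_search(build_image(), ["thallium"], ALLOCATED):
        print(hit)
```

Searching both encodings matters because a keyword typed in a browser or stored by Windows is often on disk as UTF-16LE and is invisible to a plain ASCII search.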
Case Files – Attempted Homicide
• Additionally, user searches were recovered showing the user searched for “arsenic” and “arsenic poisoning”
• Girlfriend in Jackson, MS hospitalized two years prior for arsenic poisoning
• Subject pleads guilty to 2 counts of Attempted Criminal Homicide
Case Files – Criminal / Mobile
• Active/Inactive
• IPAD – Recovered texts
• CP – Suspect living @ Parent’s House
• CP – Investigator Search Terms
e-Discovery Investigation
Civil Case Files
THE BILLION DOLLAR LOSS POTENTIAL!
Mr. “Smith” & Mr. “Doe” left Company-A; they ensured their value and success to Company-B by supplying IP secrets.
Company-A owner had the computers forensically analyzed...
Intellectual Property Theft
IP Theft
Mr. “Smith” downloaded client/company files from the company server to his pc (over 2500 files), and forwarded many of them to his new employer.
Mr. “Smith” then reloaded the Windows operating system, apparently to try to hide his actions.
Mr. “Doe” deleted his e-mail (Outlook) files.
Litigation in the News
BP Oil Spill in 2010
Bank of America Hack in 2011
LinkedIn Hack in 2012
White House computer system hack in 2014
VW Emissions in 2015
DNC Hack in 2016
Equifax Breach in 2017
Stan Mitchell, CFCE, [email protected]
615-882-7903
QUESTIONS?