TRANSCRIPT
Thursday, November 16, 2017 9 a.m.–12:15 p.m.
2.75 General CLE credits
Following the Digital Trail: How Your Case Can Benefit from Computer and Phone Forensics
The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.
Copyright © 2017
Oregon State Bar
16037 SW Upper Boones Ferry Road
P.O. Box 231935
Tigard, OR 97281-1935
TABLE OF CONTENTS
Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Faculty . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . v
Presentation Slides—Computer and Mobile Forensics . . . . . . . . . . . . . . . . . . . . . . . . . . . 1
SCHEDULE
Presented by Don Vilfer, VAND Group LLC, Sacramento, California
8:30 Registration
9:00 Using Computer and Phone Forensics
• What are digital forensics?
• Incorporating forensics into your case
• Recent case law
• Computer forensics overview
10:00 Break
10:15 Phone Forensics
• Overview
• Production of information
11:15 Break
11:30 Forensic Tools and Methods
• Live demonstration
12:15 Adjourn
FACULTY
Don Vilfer, VAND Group LLC, Sacramento, California. Mr. Vilfer specializes in general and complex investigative matters and has extensive experience testifying in state and federal courts, including as an expert witness. He previously was Senior Director of Litigation Support and Investigative Services for a large Sacramento accounting firm and before that was assigned to the FBI’s Washington, D.C., field office and worked on major cases involving bank fraud and public corruption. He also was a Supervisory Special Agent at FBI headquarters and served as the Special Agent in charge of the White Collar Crime and Computer Crime Unit in Sacramento, leading investigations of federal white collar crime violations and overseeing the FBI’s participation in the Sacramento High-Tech Task Force. Mr. Vilfer is a member of the Ohio State Bar Association.
© Duarte Design, Inc. 2009 1
Computer & Mobile Forensics
Don Vilfer, JD, ACE
WHY DO WE CARE ABOUT FORENSICS?
• Lawyers need to be equipped to adequately advise clients or employers.
• You have a duty to prepare your cases for adequate discovery.
• You have a duty to advise your clients/management about their discovery obligations.
WHAT IS DIGITAL FORENSICS?
Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. --Wikipedia
FORENSIC IMAGE
•The creation of a Forensic Duplicate of the storage media.
•FRE Section 1003: a duplicate is admissible to the same extent as the original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.
CHARACTERISTICS OF A FORENSIC IMAGE
• Hash Value (Digital Fingerprint)
• Data cannot be changed
• Includes Unallocated Space, Drive Freespace and File Slack
• Difference from Ghost
• Acceptable in court as Best Evidence
FORENSIC IMAGES/DATA ACQUISITION
• Drive Removal and write-blocking
• Live Images
• Boot Disks
• Triage: Live Searching and Acquisition
• Networks: remote Imaging (even across the ocean) is possible
PRESERVING THE ORIGINAL EVIDENCE FOR EXAMINATION
i.e., To Shutdown Or Not To Shutdown
• RAM: volatile data. Now capable of being forensically captured! Leave the computer on if you suspect recent monkey business.
• Hard Drive: reasons to not leave the computer on or access files. The evidence changes simply by booting.
BUT, THE USUAL RULES OF EVIDENCE STILL APPLY
• Chain of Custody: must be able to account for the location of the evidence from the moment it was collected.
• Authentication: computer evidence is considered “writings and recordings” under the Rules of Evidence and must be authenticated to be admissible.
• Validation: is it really the same? (Hash files)
RECENT CASE LAW
State v. Kolanowski (Wash. Court of Appeals, January 30, 2017). In a case involving the failure to authenticate social media evidence, a criminal defendant unsuccessfully sought to admit a screenshot of Facebook evidence that he maintained would have served as critical impeachment of the prosecution’s main witness. The State successfully argued the screenshot lacked foundation. Metadata that could have been obtained during the collection was not obtained; a simple screenshot did not suffice.
RECENT CASE LAW
The government’s retention of files outside the scope of a warrant for more than two years violates the Fourth Amendment. US v. Ganias, 755 F3d 125 (2d Cir 2014).
RECENT CASE LAW
Landmark United States Supreme Court case in which the Court unanimously held that the warrantless search and seizure of digital contents of a cell phone during an arrest is unconstitutional.
Riley v. California, 134 S.Ct. 2473 (2014)
Changes to Federal Rules of Evidence 902
• New paragraphs 13 and 14 of Rule 902 will remove some authentication hurdles for electronic evidence. The text of the new rule is as follows (emphasis added):
• The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:
• (13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).
• (14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).
INITIAL RESPONSE
• Gather sufficient info to develop a response
• Traditional investigation
• Don’t attempt data recovery
• Avoid spoiling the evidence (logs, free space, etc.)
• Consult with someone knowledgeable
• Consider locations of relevant evidence (thumbdrives, router logs, cameras)
• Develop a strategy drawing on your skills and what you will hopefully learn today!
Data Constantly Changes
FORENSIC PROCESSES (NOW WHAT DO WE DO WITH IT?)
• Review information on the drive
• Recover deleted files
• Data Carving
• Searches in free space
• Recovering web-based e-mail
• Determining activities on the computer (copying, printing, deleting, burning)
• Break passwords and encryption
Forensics of Mobile Devices
--after the break
How Cell Data Can Help Your Case
• Establish communication between subjects/witnesses (example)
• Provide location during key times
• Corroborate statements
• Prove misconduct (harassment, relationships, use of time, theft)
• Develop leads (location, banking, contacts)
Benefits of Incorporating Cell Phones into Your Investigation
• No longer is it a “he said, she said”
• Can contain irrefutable evidence
• Many times the evidence is in their own words
• There is often evidence available that cannot be had elsewhere
• Cell Phone data might inform other aspects of the inquiry
Sources of Cell Phone Data
• Local Backups: not just backing up iTunes
• The cloud: oh, forgot about the cloud
• Service Provider: limitations, but also data that is not available elsewhere
• The phone itself
The Phone Itself
• Flash Storage vs Disk
• Differing File Systems: iOS, Android, Windows, Nokia (Symbian)
• Security Issues: password, encryption, wiping
• What is Recoverable? It depends.
Forensic Approaches
• Logical vs Physical extraction
• SIM card
• SD Cards?
• Chip Off
Forensic Software
• Cellebrite
• Accessdata MPE
• Magnet Axiom
• Blacklight
Data Carving from a Physical Image
• Carved Image and Carved SMS
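Signature-based carving, the technique behind the “Data Carving” bullet under Forensic Processes and the carved image and carved SMS results on this slide, shown as an added example that is not part of the seminar materials. The raw image, its layout offsets and the message remnant are all constructed for the demo; names are assumptions for illustration.

```python
# Added example (not from the seminar materials): header/footer carving over a
# raw physical image, plus a printable-string scan of the same bytes. The image
# layout, signatures table and sample content below are constructed for the demo.
import re
from dataclasses import dataclass

# (header, footer) byte signatures; a production carver carries hundreds of these
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 10 * 1024 * 1024  # give up looking for a footer after this many bytes


@dataclass
class Carved:
    kind: str
    offset: int
    data: bytes


def carve(image: bytes, signatures=SIGNATURES, max_size: int = MAX_CARVE):
    """Scan every byte of the image, allocated or not, for header/footer pairs.

    No file system is consulted, which is exactly why a deleted file whose
    clusters have not been reused still comes back."""
    found = []
    for kind, (header, footer) in signatures.items():
        pos = 0
        while (start := image.find(header, pos)) >= 0:
            end = image.find(footer, start + len(header), start + max_size)
            if end < 0:
                pos = start + 1  # header with no footer in range: skip it
                continue
            end += len(footer)
            found.append(Carved(kind, start, bytes(image[start:end])))
            pos = end
    return sorted(found, key=lambda c: c.offset)


def carve_strings(image: bytes, min_len: int = 8):
    """Runs of printable ASCII: the crude way message fragments surface from free space."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group()) for m in pattern.finditer(image)]


# --- constructed sample image (assumed layout, 4 sectors of 512 bytes) ---------
LIVE_OFFSET, DELETED_OFFSET, PNG_OFFSET, SMS_OFFSET = 512, 1124, 1536, 1800
SMS_REMNANT = b"SMS|+1-555-0100|running late, order placed"  # constructed text


def make_jpeg(payload: bytes) -> bytes:
    """Minimal JPEG-shaped container: SOI, APP0/JFIF marker, payload, EOI."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + payload + b"\xff\xd9"


def build_sample_image() -> bytes:
    image = bytearray(2048)
    live = make_jpeg(b"photo-of-receipt")   # still listed in the directory
    deleted = make_jpeg(b"deleted-selfie")  # directory entry gone, clusters intact
    png = (SIGNATURES["png"][0] + b"\x00\x00\x00\x0dIHDR" + b"\x00" * 17
           + SIGNATURES["png"][1])
    for off, blob in ((LIVE_OFFSET, live), (DELETED_OFFSET, deleted),
                      (PNG_OFFSET, png), (SMS_OFFSET, SMS_REMNANT)):
        image[off:off + len(blob)] = blob
    image[1990:1993] = b"\xff\xd8\xff"  # stray header with no footer: must be ignored
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for c in carve(img):
        print(f"{c.kind:4} @ {c.offset:5d} {len(c.data):4d} bytes")
    for off, s in carve_strings(img):
        print(f"text @ {off:5d} {s!r}")
```

The carver reports offsets rather than file names because, for anything recovered from unallocated space, the offset into the verified image is the only locator the report can cite; the stray header at the end of the sample shows why a size cap and a footer check are needed to keep false positives out of that report.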
Local Backups
• The same data as on the phone
• Not just iTunes
• Includes deleted data
• Often forgotten by those destroying evidence
• An opportunity for multiple snapshots
The Cloud
• The same data as on phone in many cases
• iCloud, Google, backup services
• Sync across devices?
• Often forgotten by those destroying evidence
• An opportunity for multiple snapshots
• Forensic preservation notes
The Service Provider
• Limitations on stored data
• Data not had elsewhere
• Ping data and geolocation data
• Transactional records
• Case example of transactional record not on phone
Gaining Access to the Data
• Consent
• Ownership (company data, buy it)
• Court Order/Subpoena
• Proceed with Caution: ECPA
Legal Obligations to Collect Cell Data
• Failure to preserve text messages or other mobile data could result in “death penalty sanctions.” See Small v. Univ. Med. Center of S. Nevada.
Legal Obligations to Collect Cell Phone Data
• Texts and emails sent by public employees on their personal devices or accounts are a matter of public record if they deal with official business. see City of San Jose v. Superior Court, CA Supreme Court decided March 2, 2017
The Product You Want
• Report vs Extraction
• Report Formatting
LIVE CELL PHONE FORENSICS DEMO
What’s on your phone? (or mine)
Don Vilfer, JD, ACE
916-883-2020
Digital Forensics and Investigations