Computer Forensics

1
Mar

A recent article on Law.com (part one of a seven part series) discusses the importance of legal holds for the preservation of electronically stored information (ESI) and other documents.

Why are courts placing so much emphasis on this ministerial step in preservation of issuing a written litigation hold? It appears that patience is running thin for lost ESI in federal court. More importantly, ignorance of litigation hold requirements is no excuse. Also, the days of he-said-she-said litigation hold arguments are numbered. Courts want to see a transparent and credible process by simply looking at a few documents such as the written hold notice, distribution list, follow-up interview reports or logs, as examples.

As articulated by Judge Scheindlin in Pension Committee v. Banc of America, courts definitely do not want to wade through stacks of motions papers and days of hearings to determine if preservation efforts were sufficient to prevent the destruction of ESI and other documents. As a result, it is imperative for an organization to have in place a litigation hold policy and adequate procedures necessary to avoid going down the litigation “detour” of discovery sanctions motions.

via Law.com – Step 1 for Legal Holds: Trigger Events.

Category : Computer Forensics | Electronic Discovery | Security | Blog
24
Feb

FOR IMMEDIATE RELEASE

Contact:
Andrew Hoog
Chief Investigative Officer
viaForensics
Phone: +1 312-283-0551
http://viaforensics.com/contact-us

The CIO of viaForensics, Andrew Hoog, has been invited to speak at the International Conference on Cyber Security 2010 presented by the Federal Bureau of Investigation and Fordham University in New York City this August.

Chicago, Feb 24, 2010 – viaForensics’ CIO Andrew Hoog will offer a training course on Android forensics at the upcoming International Conference on Cyber Security (ICCS 2010), held August 2-5, 2010, in New York City. The conference, hosted jointly by the Federal Bureau of Investigation and Fordham University, brings together law enforcement officials, industry professionals and academic experts to discuss emerging worldwide cyber threats.

In 2009, the conference hosted more than 500 professionals representing 40 countries. Attendees were an international mix of law enforcement agents and prosecutors, cyber-security researchers, members of academia and business and government leaders.

This year the conference will feature 50 lectures covering three broad areas: Emerging Technologies, Operations and Enforcement, and Real Life Experiences. In addition to the lectures, panel discussions, sponsors’ presentations, exhibitions and networking opportunities, ICCS will present two unique events – a Law Enforcement Workshop and the Cyber Security Tutorial – featuring experts presenting both technical and non-technical sessions.

viaForensics’ training, presented by CIO Andrew Hoog, provides examiners with six separate techniques to acquire data from an Android device. The course explains the techniques and analysis tools needed to effectively investigate an Android phone. The full course outline is provided on the viaForensics website. The training will be offered on the first day of the conference, August 2nd.

Andrew Hoog has authored a groundbreaking white paper on iPhone forensics and is currently authoring a book on Android forensics. Hoog also maintains the Android Forensics Wiki (AFWiki).

About viaForensics

viaForensics is an innovative computer/mobile forensic and e-discovery firm focusing on providing proactive services to corporations, law enforcement and law firms. Andrew Hoog is a computer scientist, computer/forensics researcher and Chief Investigative Officer at viaForensics.

###

Category : Android Forensics | Android | Computer Forensics | News | Press Releases | Blog
19
Feb

FOR IMMEDIATE RELEASE

viaForensics’ CIO, Andrew Hoog, earns Certified Computer Examiner designation

Chief Investigative Officer of viaForensics, Andrew Hoog, recently obtained his (CCE)® certification from the International Society of Forensic Computer Examiners.

Chicago, Feb 19, 2010 – The CIO of the computer/mobile forensic and e-discovery firm viaForensics, Andrew Hoog, has earned the Certified Computer Examiner (CCE) designation awarded by the International Society of Forensic Computer Examiners, an internationally recognized professional organization dedicated to upholding standards in the computer forensics community.

CCE certification is awarded to individuals who demonstrate knowledge and proficiency of skills related to the practice of digital forensics. Applicants for certification must complete an approved amount of training or professional experience and pass a four-part test.

Mr. Hoog adds this recognition to his list of credentials which includes the Global Information Assurance Certified Forensic Analyst (GCFA) designation and membership in the International High Technology Crime Investigation Association (HTCIA).

# # #

Category : Android Forensics | Computer Forensics | Electronic Discovery | Press Releases | iPhone Forensics | Blog
9
Nov

Initial thoughts on Microsoft’s LE-only forensics tool (COFEE) are not very becoming. It was leaked to the Internet via a torrent file; details are in the following article:

Of course, the tool is now widely available from other sources and while some are saying that the tool is useless to regular Internet users, there are others who disagree. It certainly won’t take long for a detailed analysis to appear.

via COFEE Forensic Tool Leaks To What.cd, Admins Ban It | TorrentFreak.

Category : Computer Forensics | Security | Blog
9
Nov

This is a very important lesson to heed. I don’t believe it happens in most cases, but as a society, we cannot lock up innocent people. Approaching computer forensics as a scientific discipline and remaining impartial and unbiased is a moral and professional obligation of all computer forensic examiners:

Of all the sinister things that Internet viruses do, this might be the worst: They can make you an unsuspecting collector of child pornography.

Heinous pictures and videos can be deposited on computers by viruses — the malicious programs better known for swiping your credit card numbers. In this twist, it’s your reputation that’s stolen.

Pedophiles can exploit virus-infected PCs to remotely store and view their stash without fear they’ll get caught. Pranksters or someone trying to frame you can tap viruses to make it appear that you surf illegal Web sites.

via AP IMPACT: Framed for child porn — by a PC virus by AP: Yahoo! Tech.

Category : Computer Forensics | Blog
6
Oct

The warnings to banks and other corporations about the threat posed from insiders have been heralded for years. A recent study found that:

70 percent of financial institutions saying they have experienced a case of data theft by one of their employees in the past 12 months

This is obviously a huge deal. The article points out that the thefts occur most often with full-time employees who often had every intention of repaying the stolen assets.

The study also found that

nearly half of the banks in the Actimize survey say they are losing 1 to 4 percent of their total revenues to insider fraud

and the biggest challenges to meeting the threat are:

  1. cost/expense (67 percent),
  2. data availability/access (55.77 percent),
  3. availability of tools (46 percent),
  4. general resources/priorities (46 percent).

The good news for the banks and corporations is that we provide a very cost-effective, innovative service which directly addresses this threat. Find out more by contacting us…it will make a difference at your bank or company.

via Bankers Gone Bad: Financial Crisis Making The Threat Worse – DarkReading.

Category : Computer Forensics | Security Breaches | Blog
18
Sep

We come across many individual computers infected with keyloggers, spyware and the like. It is often a game changer in a divorce case and certainly has broader implications as noted below. If you are a corporate IT manager, anti-virus/spyware protection software is not enough. A unified strategy is needed to protect your company’s confidential data.

He allegedly sent the spyware to the woman’s Yahoo e-mail address, hoping that it would give him a way to monitor what she was doing on her PC. But instead, she opened the spyware on a computer in the hospital’s pediatric cardiac surgery department, creating a regulatory nightmare for the hospital.

via Misdirected spyware infects Ohio hospital – hospital, keylogger, medical records, privacy – CIO.

Category : Computer Forensics | Security Breaches | Blog
17
Sep

I have been warning executives for years now that it is a simple matter for a foreign government to “examine” your laptop when you enter or leave their country when in fact they are quickly imaging the drive and giving your intellectual property to your competition in their country. It’s quite easy to do and very few people use hard drive encryption.

But to really protect yourself, consider using a technology like TrueCrypt which has a “plausible deniability” feature allowing you to have two encrypted drive passwords. The first is a throwaway with a fully functional OS (i.e. Windows XP) but no sensitive data. The other, of course, is your daily use computer.

Oh, and if you think it stops at your computer, just send me your iPhone or Android phone for a few hours!

Senior executives in US IT companies have been advised by the US Government to follow extremely strict policies for visits to China which extend far beyond standard software protection.

The policies encourage them to leave their standard IT equipment at home and to buy separate gear only for use in China.

via Safety first for IT executives in China – Software – Technology – News – CRN Australia.

Category : Computer Forensics | Security | Blog
17
Sep

Ahhh, the joys of not listening to the court. This is a big case in Chicago and employment related forensics is a key component. Make sure you have your acceptable use and termination policies well documented and make sure they are followed.

On Tuesday, Goldberg said he will give Crecos seven days to comply with his August order and allow the Huron forensics team back into his office or face a fine of $1,000 per day for each day of non-compliance. The order goes into effect Wednesday.

via Headhunter facing fines in Motorola firing suit — chicagotribune.com.

Category : Computer Forensics | Blog
8
Aug

I think most forensic examiners are watching solid state storage closely to see how it will change our techniques. The Apple iPhone and Android devices to date have brought in new file systems, wear-leveling that requires piecing large files back together and more. But a bit more disconcerting is the development of SSD firmware that actively cleans up “dirty” blocks on a drive to increase performance. If this firmware merely marks the page as unused, that would likely be OK. But if the firmware, during free cycles, actively clears that data in unused pages/blocks, it could have a huge impact on the forensic recovery of data. Original article below:

virtually all SSD manufacturers have incorporated, or soon will incorporate, garbage collection schemes into their drives’ firmware that actively seek out and remove the garbage data.

via OCZ and Indilinx Collaborate On New SSD Garbage Collection Scheme – HotHardware.

Category : Computer Forensics | Blog