
Digital Forensic Tools, Rules of Evidence and Other Considerations

Wednesday, 02 July 08 - 05:49 AM (GMT)
By John ML Dierckx in Investigations & Forensics
Recently I came across this interesting and helpful article on computer forensics. A must-read for lawyers and other professionals involved in litigation, discovery and investigations, and even for corporate decision makers.


Having been active in this field in both the Netherlands and New Zealand, I know for a fact that some of the issues considered in this article are spot on. At the same time, the legal development of computer forensics appears not to be as hot an issue in New Zealand as it is in, for instance, the USA.


In my view, however, it is always better to be safe than sorry, and more than once I have wondered why parties (including their lawyers) have taken risks in this area by introducing (in my view) indefensible evidence, or evidence that could well have been disputed. Maybe I am overly concerned.

Rules of Evidence - Digital Forensics Tools

Searching for clues? Here's how to investigate and use digital forensics and e-discovery tools


June 04, 2008

Digital forensics tools are intended to help security staff, law enforcement and legal investigators identify, collect, preserve and examine data on computer hard drives related to inappropriate and illegal activity, such as cybercrime, e-mail and Internet abuse, fraud, financial mismanagement, unauthorized disclosure of corporate information, intellectual property theft, and so on. Increasingly, these tools are also being applied to e-discovery efforts related to civil litigation and regulatory compliance.

Forensics tools are often confused with other classes of tools, such as incident management, e-discovery and data recovery tools. But while they can be used for those purposes, the difference is that they abide by formal evidence processing protocols, such as maintaining a chain of custody and avoiding the alteration or compromise of evidence, enabling any findings to be successfully used in a court of law.

In short, while you can apply forensics tools to nonforensics work, it can be risky to use nonforensics tools. "If the evidence you've collected is not defensible in court, you've severely limited its later applicability," says Jay Heiser, research VP and analyst at Gartner.

Digital forensics tools generally provide three main capabilities:
Acquisition/collection/preservation: Make a sector-by-sector copy of the hard drive and run checks against those images to verify it's an exact copy of the original.
Search/analysis: Identify, analyze and keyword-search all relevant data, including deleted, encrypted, hidden, protected and temporary files, as well as virtual memory, application settings, printer spools, etc. Some packages can also detect which network ports are open and which processes are running.
Reporting: Create a detailed report, including a full audit log. This can help address compliance with Sarbanes-Oxley and other regulations.
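The first capability in the list above (copy the drive sector by sector, then check the image against the original) is what separates a forensic acquisition from an ordinary file copy. The following Python routine is an added example written for this page; it is not code from the article or from any of the vendor tools it names. A regular file stands in for the block device, SHA-256 is the chosen digest, and the JSON custody record is this example's own format.

```python
# Added example, not code from the article or from any vendor tool named in it.
# A regular file stands in for the block device; the JSON custody record is
# this example's own format.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512                    # copy unit, like dd's default block size
READ_CHUNK = SECTOR * 2048      # 1 MiB chunks when re-reading the finished image


def hash_file(path, algo="sha256", chunk=READ_CHUNK):
    """Hash a file from disk in chunks; used to re-verify an image after writing."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def acquire(source, image, examiner, case_id):
    """Copy `source` to `image` sector by sector.

    The source digest is computed over the very bytes that are written, so it
    describes exactly what was copied. The finished image is then re-read from
    disk and hashed independently; only when both digests agree is the copy
    recorded as verified.
    """
    read_hash = hashlib.sha256()
    sectors = 0
    nbytes = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        while True:
            sector = src.read(SECTOR)
            if not sector:
                break
            read_hash.update(sector)
            dst.write(sector)
            sectors += 1
            nbytes += len(sector)
        dst.flush()
        os.fsync(dst.fileno())      # what we hash next must be what reached the disk

    source_sha256 = read_hash.hexdigest()
    image_sha256 = hash_file(image)

    record = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "sectors": sectors,
        "bytes": nbytes,
        "source_sha256": source_sha256,
        "image_sha256": image_sha256,
        "verified": source_sha256 == image_sha256,
    }
    # The record sits next to the image and is the first entry of the chain of custody.
    with open(image + ".custody.json", "w") as log:
        json.dump(record, log, indent=2)
    return record


def verify(image, record):
    """Re-verification at any later point (before analysis, before court):
    the image must still hash to the value fixed at acquisition time."""
    return hash_file(image) == record["image_sha256"]


def demo():
    """Build a constructed 'device' in a temp directory, image it, then show that
    a single flipped byte in the image is caught by re-verification."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "suspect-disk.bin")
    image = os.path.join(workdir, "suspect-disk.dd")
    with open(source, "wb") as f:
        f.write(os.urandom(SECTOR * 1000 + 100))   # constructed content, not a real disk

    record = acquire(source, image, examiner="J. Doe", case_id="CASE-0001")
    intact = verify(image, record)

    with open(image, "r+b") as f:                   # tamper with one byte of the image
        f.seek(SECTOR * 3)
        original = f.read(1)
        f.seek(SECTOR * 3)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered = verify(image, record)
    return record["verified"], intact, tampered     # (True, True, False)


if __name__ == "__main__":
    print(demo())
```

On a real device the source would be opened read-only behind a hardware write blocker, and the stronger check is a second, independent read of the source hashed on its own, so that a read error during the copy cannot produce matching digests by accident. Whatever the digests are, they only carry weight if the record of who computed them, when, and on which media is kept from the first minute, which is what the custody record above starts.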

The 800-pound gorilla of digital forensics is Guidance Software, which released its EnCase Forensic software in 1998. However, most investigators work with a variety of tools, and there are many commercial and open-source tools and utilities available, from suites to specialized point products. Main competitors are AccessData's FTK and AD Enterprise; Paraben Software's P2 suite; and Technology Pathways' ProDiscover suite. Others include New Technologies' suite of tools, X-Ways Software Technology's WinHex utility, StepaNet Communications' DataLifter and ASR Data's SMART utility. On the open-source side are The Sleuth Kit and E-fense's Helix.

In addition to forensics tools geared toward hard-drive contents, two other types of tools are often used in conjunction with forensics (or e-discovery) work, according to Mark Rhodes-Ousley, an information security architect and author of Network Security: The Complete Reference. For instance, there are "survey tools" that report on exceptions to preconfigured thresholds, including intrusion detection tools, e-mail and log analyzers, Web proxy reporters and network traffic analyzers, he says. In addition, "sliding-window" systems observe the behavior of a system over time, including network monitoring tools such as those from NetWitness, Niksun, and Sandstorm Enterprises.

George Socha, founder of Socha Consulting, compares digital forensics to woodworking. "No one tool will build a piece of furniture," he says. "Same here—what tools you use depend on what objectives you have in mind."

Key Decisions
Should you use a service or buy software? There are hundreds of forensics service providers, including many of the vendors that sell forensics tools. So the question becomes whether to outsource this work or invest in software. It stands to reason that if you anticipate several incidents per year or are in an industry with heavy governmental regulations, it may be worth investing in an in-house solution, especially if you can also put the tool to other uses, such as e-discovery, data recovery and incident management. According to Gartner, by 2010 the most litigious companies in financial services, energy, utilities, pharmaceuticals and high-tech will decrease their spending on outsourced e-discovery services by 75 percent and increase their enterprise software spending by 100 percent.

For Affiliated Computer Services, it was less expensive to purchase AD Enterprise than to hire outside help because the software enables the company to respond more quickly to requests, according to Curtis Gatterson, director of digital forensic and e-discovery support at the company. With 58,000 employees in the U.S., the centralized collection network helps him provide litigation support and respond to internal inquiries into policy violations or complaints related to privacy or ethics. "Any Fortune 500 company is going to constantly have inquiries," he says. "With the amount of cases we process a month, it would be five to 10 times the cost of what we spend with our more proactive approach."

Should you buy single-workstation software or a tool that works over the network? Traditionally, investigators used manual forensics tools, requiring them to be physically present at the workstation from which they were extracting data. However, more vendors now offer software that works over the network, using remote agent technology to preview and collect evidence without users being aware of it. "It's much more efficient than sending someone to every single office that might be involved in a discovery request," Heiser says.

Network-based solutions are more expensive but should be considered by large or distributed environments. For instance, Gatterson upgraded to AD Enterprise after using EnCase Forensic, AccessData's FTK and other tools for many years. Previously, "we had to put folks on a plane to do collection, which was resource-intensive and time-consuming," he says. Now, from a central location in Dallas, he can log in to the network, do some quick searches and identify the inquiry subject within a six-hour period.

Are you purchasing the tool to do more than forensics work? According to John Patzakis, vice chairman and chief legal officer at Guidance, customers are increasingly justifying the cost of its EnCase Enterprise product by targeting it not just at forensics but also at e-discovery. "They realize they're spending $30 million to $40 million on outsourcing their e-discovery function and another $10 million to $20 million in investigations, so the business case is more compelling when they combine [the two processes]," he says.

Both Guidance and AccessData offer an e-discovery module that automates keyword searching around the network to look for relevant documents in pending civil litigation suits or for regulatory compliance.

"If you're trying to collect all the files having to do with the XYZ merger, you may or may not need to do that in a forensically sound way. But, it's tough to make that decision, which is why many companies are simply buying products like EnCase," says Jason Priebe, Of Counsel in the Chicago offices of Seyfarth Shaw.

Evaluation Criteria for Digital Forensics Software
Here are some key criteria to include in your search for the best tool:
Courtroom admissibility. If there's any chance of needing to use the evidence you collect in court, you should look carefully at which tools have been tested in a courtroom and how much success they've had there, according to Rhodes-Ousley. "One of the most important factors to keep in mind is courtroom admissibility of evidentiary data," he says.

EnCase is not the only tool to fit that bill, but because it's used extensively by law enforcement, it's gained a lot of familiarity with judges, Priebe says. "It's stood the test of experts challenging its sufficiency," he says. "It's a little harder when you have to have the IT person saying, Let me tell you how the tool works."

Ability to preserve only relevant data. Some tools enable you to reduce the volume of data you preserve by filtering out certain types of files such as executables. Or you might be able to narrow down data by using keyword searches or context searching capabilities. "It's not the blunt instrument that grabs everything and then you sort through it later," Priebe says. "You can stage it on the storage device and de-duplicate it right then and there." E-discovery costs rise quickly during the attorney review stage; "Getting data from 2 terabytes to 5GB can save a company millions on one case," Patzakis says.

Case management capabilities. Especially when running multiple investigations, it's important to maintain a record of your activities, as well as all the data objects associated with each investigation.

Integration. Many vendors have worked to integrate their tools with other software that aids in forensics work, such as incident management, e-mail analysis, decryption tools, password-recovery tools and so on. Other vendors offer preintegrated modules that extend a tool's capabilities into areas such as e-discovery, password analysis, e-mail analysis and incident response.

Digital Forensics Dos and Don'ts
DON'T confuse e-discovery with forensics. Some vendors of forensics suites are marketing their tools for e-discovery because, in fact, the steps involved with forensics work are actually subsets of the e-discovery process, as defined by the Electronic Discovery Reference Model. The EDRM defines forensics as encompassing identification, preservation and collection—three steps of its overall model, which also includes information management, review, analysis, production and presentation. Vendors such as Guidance and AccessData also sell e-discovery modules.

When using an e-discovery module, the tool doesn't make a full bit-by-bit copy of the entire hard drive, explains Socha; instead, it uses a keyword search function over the network to locate relevant files in specific folders or drives, he says. This enables the scan to happen much more quickly, according to Patzakis. "It can scan 500 computers in three or four days, which would take three or four months with EnCase Enterprise," he says.

But while forensics tools can perform e-discovery work, Priebe and others discourage users from doing the opposite—using nonforensics tools for forensics work. "There are plenty of companies that think if you use something like Norton Ghost or the WinZip file utility that it's an adequate job," Priebe says. "And it may be, but not against a more skilled opponent who starts questioning the adequacy of what you did in court."

DO train staff before using these tools. The process related to a forensics investigation is more important than the product you use, says Gartner's Heiser. And you can't just learn it on the job; you need to undergo formal training. "There are always stories of clients who say, I've captured the data; now you tell me what happened," he says. "But at that point, the admissibility of the data in a court of law might be totally gone."

"People will, in good faith, think they're using a tool and following a process that's appropriate, but they're not sufficiently informed sometimes," Socha says.

DON'T forget PDAs. With the increasing use of handheld devices, chances are you'll someday need to investigate data held on a PDA or cell phone. Software that supports PDAs includes Palm DD, Pilot-link and Palm OS Emulator, all open-source software; PDA Seizure from Paraben; and Guidance's Duplicate Disk utility.

DO prepare for sticker shock. EnCase Enterprise Version 6 starts at $25,000. You can spend considerably less by purchasing a workstation-based tool, a less scalable remote-collection tool or one that limits its feature set, for instance, a tool that's strong in forensics data collection and not internal policy and compliance investigations, or one that eliminates the analysis and reporting capabilities.

"Other methods are great for smaller cases, but when many computers are involved or it's a serious criminal matter involving something like the SEC, EnCase is the gold standard," Priebe says. "You don't want to cut butter with a chainsaw, but sometimes you need a chainsaw."

Others contend you can get similar functionality for far less. Gatterson says it cost him about $2 million to implement AD Enterprise, about half what he would have paid for EnCase Enterprise.

DO expect to use more than one tool. Although the trend is for software vendors to try to be a one-stop shop, most investigators use more than one tool. In fact, NIST compares forensics tools to a Swiss army knife, where many tools specialize in certain functionality that needs to be augmented by others.



News Flash: Computer Forensics

Thursday, 27 September 07 - 05:15 AM (GMT)
By John ML Dierckx in Investigations & Forensics

In my time here in New Zealand, my colleague and I have often been amazed at how no consideration is given to evidence protection in important circumstances. And not just by private parties and businesses, but also by lawyers, even in cases. I guess this news item confirms our concerns.

Scoop News: http://www.scoop.co.nz/stories/BU0709/S00506.htm


IT practices inadequate for forensic evidence

Wednesday 26 September 2007


IT management practices inadequate to preserve forensic evidence


The second annual New Zealand Computer Crime and Security Survey has revealed New Zealand organisations are ill-equipped to preserve computer forensic evidence.

The survey, conducted by the University of Otago, aims to raise the level of security awareness and determine the scope of computer crime in New Zealand. It has found that IT management practices are inadequate when it comes to the preservation of forensic evidence that could lead to criminal convictions for computer hackers or fraudulent employees.

University of Otago researcher KJ Spike Quinn is concerned that New Zealand organisations do not appreciate the full seriousness of computer crime and associated consequences – both financially and with regard to the reputation of an organisation.

“Management of forensic capability is woefully short of ensuring admissibility of evidence in court. Having a suitably trained person first on the scene makes all the difference in whether a prosecution is successful,” Mr Quinn says.

Most organisations reported having the basic protection, such as antivirus and firewall technologies in place, but only 7 per cent of respondents had a forensically-trained first responder.

When an incident or intrusion occurred, 40 per cent reported it to management and 30 per cent did their best to patch security holes in network systems. Only 16 per cent reported intrusions to law enforcement. A third of the respondents who did not report intrusions to law enforcement were unaware of law enforcement interest.

Sixty-six per cent of New Zealand organisations invest up to 5 per cent of their IT budget on security issues, compared to the 43 per cent Australian and 55 per cent United States figures.

“This investment figure initially sounds good, but AusCERT found in its 2006 report that 51 per cent of respondents considered an investment of up to 5 per cent to be inadequate. We need to be investing more now to be protected in the long term,” Mr Quinn says.

Only 5 per cent of New Zealand organisations spent more than 10 per cent of their IT budget on security, compared with 13 per cent in the United States and 14 per cent in Australia.

“These figures, coupled with the forensic readiness finding, predict a rise in failed prosecutions. The implementation of basic policies and procedures, plus basic security training, need to be adopted more widely. If there’s no training and no procedure laid down, you can’t expect staff to act appropriately,” Mr Quinn says.

Centre for Critical Infrastructure Protection Managing Director Richard Byfield says security threats and risks continue to increase and evolve to defeat our best defences.

“Key cyber threats include those from foreign intelligence services, organised crime syndicates, political activists, individuals acting alone, botnets and spam. As the tools and techniques of the adversaries improve, so must our ability to detect and deter these threats.”

Although most organisations surveyed had basic security features, technology solutions alone are not enough and organisations need to build a culture of cyber security, Mr Byfield says.

“People are a key component to raising the security posture of an organisation, but they need to be supported by clear and practical policy and procedures. On-going cyber security education and awareness initiatives are essential to ensuring that people are sensitised to the threats,” Mr Byfield says.

The survey also found that only 22 per cent of New Zealand respondents reported unauthorised use of computer resources, whereas the US figure was 52 per cent. This is possibly because New Zealand has greater access to computers and the Internet away from work.

The 2006 survey considered prevalence of security incidents, percentage of information technology department budget spent on security issues, use of cyber-security incident insurance, and intruder detection systems and other technologies, as well as popularity of workstation operating systems. Survey results are based on the responses of 113 computer security practitioners in New Zealand manufacturing, governmental, financial and medical organisations, and tertiary education providers regarding the 2005 calendar year.



Tips on using open source information (from the Internet)

Tuesday, 28 August 07 - 05:56 AM (GMT)
By John ML Dierckx in Investigations & Forensics
Introduction

More and more people are using the internet as one of their prime sources of information for their lives and business, and as a source of dynamic intelligence and knowledge through social networks, newsgroups and other Web 2.0 applications.

In a recent Renaissance Man article I covered the issue of information that has been altered in Wikipedia by parties that had an interest in these alterations and in breach of the neutrality and conflict of interest guidelines.

In this article I aim to provide you with some tips on using information sources from the internet. Whilst the internet opens up a vast ocean of information, it is important to realise that a lot of this information is unscreened or not evaluated. Therefore care is required when using this information in your intelligence and research operations to support decision making.


Evaluating Information

Information is often not simply true or not true; truth can be relative under the circumstances. The accuracy and reliability of information cannot always be assessed up front.

In the intelligence industry a system called the Admiralty system is used to assess and evaluate information. It assesses both the reliability of the source and the reliability and validity of the information, and subdivides each of the two into four levels.

Reliability of Source

  A  Reliable              No doubts about the reliability or authenticity of the source.
  B  Usually reliable      Sometimes there are doubts about the reliability, competency or authenticity of the source; most of the time the source is reliable.
  C  Unreliable            Regular doubts about the reliability, competency or authenticity of the source; in the past the source has been proven unreliable on several occasions.
  X  Reliability unknown   The source has not been used before and there is no basis yet on which to assess its reliability.

Reliability of Information

  1  Confirmed             Reliable information, confirmed by other independent sources and consistent with other information on the subject matter.
  2  Probable              The information has not been confirmed but is consistent with other information on the subject matter.
  3  Doubtful              The information has not been confirmed and is inconsistent with other information. It is possible that the information is correct, but the inconsistency makes this unlikely.
  4  Cannot be assessed    The information cannot be compared with other information, because there is no other information on an entirely new subject matter. Its reliability cannot be assessed at this point in time.

This system has proven to be quite useful in classifying information that is used to support decision making processes. I personally use it on a regular basis.
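To make the two axes concrete, here is a small Python model of the rating as this post describes it: A/B/C/X for the source, 1 to 4 for the information, and a rating that moves as corroboration arrives, the way the closing remarks describe a piece of information going from X4 to A1. This is an added example written for this page, not part of the original post; the thresholds that turn a source's track record into A, B or C, and the rule for when a rating is good enough to base a decision on, are this example's own assumptions, since the post gives no numbers.

```python
# Added example, not part of the post: a model of the two-axis Admiralty rating
# as the post presents it (A/B/C/X for the source, 1-4 for the information).
# The numeric thresholds below are this example's assumptions.
from dataclasses import dataclass, field
from typing import List, Optional

SOURCE_LEVELS = {"A": "Reliable", "B": "Usually reliable",
                 "C": "Unreliable", "X": "Reliability unknown"}
INFO_LEVELS = {1: "Confirmed", 2: "Probable", 3: "Doubtful", 4: "Cannot be assessed"}


def rate_source(history: List[bool]) -> str:
    """history: earlier items from this source, True where the item later proved correct.
    X: never used before. A: no known errors. C: proven wrong on several occasions
    (assumed: two or more, or more than half). B: everything in between."""
    if not history:
        return "X"
    wrong = history.count(False)
    if wrong == 0:
        return "A"
    if wrong >= 2 or wrong > len(history) / 2:
        return "C"
    return "B"


def rate_information(confirmations: int, consistent: Optional[bool]) -> int:
    """confirmations: number of independent sources reporting the same item.
    consistent: whether the item agrees with what else is known; None when there
    is nothing to compare against (an entirely new subject)."""
    if consistent is None and confirmations == 0:
        return 4                    # nothing to compare with
    if consistent is False:
        return 3                    # contradicts other information
    if confirmations >= 1:
        return 1                    # independently confirmed and consistent
    return 2                        # consistent, but nobody else has confirmed it


@dataclass
class Item:
    text: str
    source_history: List[bool] = field(default_factory=list)
    confirmations: int = 0
    consistent: Optional[bool] = None

    def record_source_outcome(self, correct: bool) -> None:
        """The source's track record grows as its earlier items are proved right or wrong."""
        self.source_history.append(correct)

    def confirm(self, consistent: bool = True) -> None:
        """An independent source reports the same thing."""
        self.confirmations += 1
        self.consistent = consistent

    def compare(self, consistent: bool) -> None:
        """Checked against existing knowledge, without a new confirming source."""
        self.consistent = consistent

    def rating(self) -> str:
        return f"{rate_source(self.source_history)}{rate_information(self.confirmations, self.consistent)}"

    def usable_for_decision(self) -> bool:
        """The post's closing rule: do not build decisions on information that could
        not be verified. Assumed cut-off: information rated 1 or 2, from a source
        not known to be unreliable."""
        return (rate_information(self.confirmations, self.consistent) <= 2
                and rate_source(self.source_history) != "C")


def demo() -> List[str]:
    """Walk one constructed item from X4 to A1, as the closing remarks describe."""
    item = Item("constructed claim found on a personal web page")
    steps = [item.rating()]                      # X4: new source, new subject
    item.compare(consistent=True)                # fits what else is known
    steps.append(item.rating())                  # X2
    item.record_source_outcome(True)             # two earlier items from this author checked out
    item.record_source_outcome(True)
    steps.append(item.rating())                  # A2
    item.confirm(consistent=True)                # an independent source reports the same
    steps.append(item.rating())                  # A1
    return steps


if __name__ == "__main__":
    for r in demo():
        print(r, SOURCE_LEVELS[r[0]], "/", INFO_LEVELS[int(r[1])])
```

The two axes are kept deliberately separate: a reliable source can still hand you a doubtful item (A3), and an unknown source can turn out to carry confirmed information (X1). Collapsing them into one score would hide exactly the distinction the system exists to make.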

Additional criteria

Using sources from the Internet usually requires additional effort from the user, because a vast amount of the available information can be, and is, placed on the Internet unfiltered. The usual ways of evaluating sources are often not sufficient for Internet information.

Six important evaluation criteria are:

· Author

· Publishing organization

· Viewpoints/Opinions of the author

· References to other sources

· Accuracy and verifiability of the information

· Currency of the information

As can be seen, these criteria cover both source and information, and can therefore be used in a classification system as outlined above.

Author

This is probably the most important criterion. In relation to it, additional questions need to be asked:

· What is the background and/or authority of the author?

  o Is the author a well-known person and an authority in a specific area?

  o Do others refer to the author, and in what way?

  o How did I end up at this document? For instance via a Google search result, or through another document by an authority in a specific area?

  o Does the document contain biographical information, such as the author's position and organization? How can the authority of the author be evaluated?

  o Is it possible to contact the author for more information?

 

Publishing Organization

Awareness of the publishing organization is often important because it helps in assessing whether or not prior review of the material is likely to have taken place (editing, peer review, organizational standards). Questions that can be asked in this respect are:

· Does the document or information contain the name of an organization?

· If not, does the document contain a link or reference to an organization that is linked to this information or document?

· Is the organization generally recognized?

· Is it possible to establish what the relationship between the author and the organization is?

· Is it possible to identify the servers on which the documents are stored (for instance through IP address or domain registration lookups)?

· Is the information published on an official organizational website, or on a personal website?

Viewpoints of the author

It is important to establish whether or not the author has taken a certain position in writing the information, and what that position is. Through selective use of references, for instance, an author can make his viewpoint or perspective look more plausible. As a result, references will need to be checked as well. This type of check is aimed at the content of the document:

· What is the purpose of the publication?

  o To inform the reader?

  o To explain something to the reader?

  o To convince the reader?

· Is the author affiliated with an organization that is itself associated with a certain perspective (for instance Amnesty International or a political party)?

· Is the information presented used in any way to make the author's organization look better, or is there a chance that this is the purpose of the publication?

· Is the information stored on the servers of an engaged organization, i.e. one that represents certain viewpoints?

References and Sources

References and sources assist in establishing (in part) what the context is in which the author places his or her publication. It helps in assessing the backgrounds of the author. Useful criteria can be:

· Does the document or publication also hold a biography?

· Does the author quote or refer to others in an appropriate way (does he understand what is quoted)?

· Does the author use the applicable theoretical foundations?

· Does the author also point out weaknesses in his own reasoning or theories?

· In case of a controversial approach to a specific subject matter, does the author point out that this is the case?

Accuracy and verifiability

This is an important part of the assessment process especially when using and reading information by relatively unknown authors or when certain information is presented in an unorthodox fashion. To evaluate or assess the accuracy and verifiability of information the following criteria are useful:

· In case of a scientific publication: can the methodologies of data gathering and analysis be identified?

· Are the methodologies appropriate, applicable and viable?

· Is there reference to other sources?

· Can the sources used be verified?

· Can the context information used be verified for accuracy?

Currency of the information

Some information is ageless or timeless. However that is far from the standard and it is at all times important to verify whether or not information presented is still current.

Questions that can be asked are:

· Can the timeframe and the cut-off date up to which information was gathered be verified from the document?

· Does the document refer to clearly datable information (for instance an act or case law)?

· In case of dynamic content, does the document specify updates and the date of the last update/edit?

· Does the document contain a date on which copyright was established?

· If the document itself does not contain clear dates, can its date be verified through its directory listing?

Closing Remarks

By using assessment methods as outlined in this short guide, it is possible to assess, evaluate, and classify information/intelligence that is being used in decision making processes. It is noted here that this process is dynamic. What starts as X4 (Source and Information can not be assessed) could ultimately become A1.

Three basic guidelines close this short guide:

· All information used in decision making processes needs to be verified. This may seem obvious, but experience shows that this is far from standard practice.

· If information sounds too good to be true, it often is.

· Don't use information and sources that can't be verified to support your decision making processes, unless your gut is infallible. In that case you didn't need the information anyway.


Anti Forensics: The End of Computer Forensics?

Monday, 13 August 07 - 01:24 AM (GMT)
By John ML Dierckx in Investigations & Forensics

Computer forensics is a relatively young discipline. In short, it is about using computer science and technology to establish facts and preserve evidence of those facts. (I realize that other definitions are in use.) It is an after-the-fact, reactive method of establishing what has happened or reconstructing crimes that have taken place. More and more tools are coming out that are used to make reconstruction more difficult if not impossible, and computer forensics more and more expensive and legally irrelevant.

During an investigation into data theft it was established that one of the client's employees had downloaded an mp3 file and played it. It was also established that hidden in the mp3 was a rootkit that had installed itself. As a result a hacker had been able to gain administrator access to the client's system, completely undetected, and for over a year this access had been used to obtain confidential information. But here's the catch: it was not identified who the hacker was, and most likely no one ever will. (If there are some up for the challenge, they are hereby invited.) It makes you wonder: who and what else?

More and more hackers appear to focus on what is currently being named the field of anti-forensics: tools that make it hard if not impossible for computer forensic investigators to identify what has happened and who the perpetrator is, and to link the perpetrator to the identified security breaches and data thefts. What makes life especially hard for forensic investigators is that the elite nature of these techniques is over. Very similar to the availability of hacking techniques that focused on gaining access in the old days, these anti-forensic tools are more and more coming down the ladder of availability to the general public. What's more, this is taking place at a time when more and more people with less noble intentions, and technically not up there, are looking for ways to get their hands on all the cash moving around online. Anti-forensics are a great help in covering their tracks.

In the good old days, hackers and data thieves tried to avoid detection using back doors and other techniques. Nowadays, they seem not to care. Why? Because even when you do detect what is happening and this gets easier and easier, you will never find out who the perpetrator is.

The Legal Side of Things: from hard evidence to circumstantial evidence
It is my sincere expectation that well before the field of computer forensics has come to full bloom, especially here in New Zealand, we will already be faced with a situation or at least an increased chance that computer forensic evidence will become more and more circumstantial as a result of the anti forensic tools that are readily available on the market.

Computer forensics is in a way telling a story, establishing what has happened and who made things happen. The basis has always been that the data captured could be trusted. This is no longer necessarily true (by the way, very similar to the abuse of telephone facilities since VOIP networks came into place).

While it has always been a challenge to put a person behind a machine in terms of reconstructing what has happened, we are now faced with the additional problem of establishing which machine is the one that can be identified as "the guilty machine".

In this environment data is no longer trustworthy. The implication of this can hardly be overstated. Where a presumption of reliability falls away, prosecution becomes a severe challenge and increasingly a less appealing option when you take into consideration the relatively heavy burden of proof in criminal prosecutions.

Anti-forensic tools could in effect create a form of de facto legal immunity for those who know how to use them.

Will Computer Forensics stay an Economically Viable Option?
With the growing uncertainty of a useful and reliable outcome and the continuously growing difficulties in this field of investigation, it is not too hard to imagine what will happen to this field of expertise.

If it becomes increasingly difficult to figure out what has happened, and if the chances of legal usability of the findings decrease as a result of these anti-forensic tools, chances are that corporates will opt for the economically most viable alternative: forget about investigations and write off the losses. (Might there be a new market for the insurance industry here?)

Back to Basics
What does this mean for the computer forensics field? In my view it means that we will need to (re-)establish broader approaches to investigating computer crimes.

I cannot help but find myself in situations where the technical capabilities need to be downplayed and a broader focus is required instead, one that takes into consideration physical investigative techniques such as:

  • traffic analysis of phones, email, mobiles and data
  • interviewing and interrogation
  • physical inspection and investigation of suspects' premises
  • telephone taps, running informants and focusing on witnesses close to the suspects
  • loggers on suspected computers
  • following up on victim transactions (including, where possible and appropriate, camera footage analysis and, for instance in cases of credit card abuse, tracing and surveillance of people and goods)
  • good old crime analysis techniques that depart from an all-source approach

Come to think of it, every computer forensic investigation I did had a physical component to it, if only to interview and take statements from the subjects thought to be behind the incidents. What has changed over the years in many instances is that the technique has become a means in itself, used by those with great technical capabilities but not necessarily equipped with the general investigative skills and creativity needed to come to a satisfactory result. Back to basics, I would say.

Thinking about it, this takes me back to the days I worked with one great police officer in the Netherlands, Commissioner Harm Beukenholdt. He once told me, years back: "John, you have the technical guys, and you have the old school detectives. Success will be for those that know how to bring these apparently strictly divided worlds together to work efficiently and effectively."

The field of anti-forensics is now proving him well ahead of his time. He could basically have predicted what is taking place at the moment.

What he understood, and so many nowadays have forgotten, is that it is all a matter of layering the evidence, building it up and narrowing the escapes. If we had to rely on computer forensic evidence solely, we would get stuck. Luckily, however, there are those who understand the value of a multi-disciplinary approach.

For those considering a business in computer forensics: don't give up your day job if that is all you have to offer. Some time ago I wrote a blog called Evolutionary Notes on Private Investigators, dealing with the changing face of investigators. The last stage in that evolution is the investigator as manager of all the new experts in a multi-disciplinary approach. That's where we at Dierckx & Associates will shine. We have a network in place covering all relevant disciplines, and John Dierckx is equipped and experienced in bringing these disciplines together.

Contact me only if you have a serious problem.


If you need us then start sharing

User photo not available Friday, 25 May 07 - 04:16 PM (GMT)
By John ML Dierckx in Investigations & Forensics

Tonight I found this article on Reuters at http://www.reuters.com/article/internetNews/idUSCHA43660820070524

G8 needs private sector help to end child porn

Thu May 24, 2007 2:57PM EDT

By Louis Charbonneau

MUNICH, Germany (Reuters) - World powers vowed on Thursday to increase efforts to combat sexual exploitation of children by Internet pornographers but said governments alone could not stamp out the Web crime.

After their first working session in Munich, ministers from current Group of Eight countries Germany, the United States, Britain, France, Italy, Canada, Japan and Russia called on the private sector for help.

"Entities including Internet Service Providers, information technology professionals and financial institutions ... the media, parents and educators, should be encouraged to consider what role they could play in the fight," said a statement from G8 interior and justice ministers.

Germany recently smashed a child pornography ring thanks to credit card data provided by financial institutions and credit card companies.

German Justice Minister Brigitte Zypries said the case of Madeleine McCann, a 4-year-old British girl who disappeared earlier this month in Portugal, illustrated the need for increased international cooperation.

"We simply have to assume that this was done by a gang that passes on these children to be exploited, and Russia as well mentioned the danger ... that such children may be abducted for adoption later on," she told reporters.

Investigators fear McCann may have been spirited out of Portugal.

The G8 has been working with Interpol for years to combat child pornography and helped it establish the International Child Sexual Exploitation Image Database, which is intended to help police identify and rescue victims of such abuse.

The ministers were briefed by the head of Interpol on its activities.

In an interview with Reuters, Interpol Secretary General Ronald K. Noble said its database now contains more than half a million images of children being sexually exploited and has helped secure the rescue of over 500 children worldwide.

Noble showed Reuters a number of database photos, all of which showed Caucasian adult males engaged in sex acts with Asian boys, activities that would be clearly illegal.

This reflects the majority of cases in which U.S. or European males travel to countries like Thailand or Cambodia where they sexually exploit poor children, Noble said.

Because child pornographers often distort the faces of the adults so they cannot be identified, Interpol has developed software to enable identification of the crime scenes, he said.

"One case we are working on right now involves a Norwegian," he said. "(Norwegian police) raided a house, downloaded the material on the computer and found the images of a man sexually abusing a child."

Interpol software analyzed the scene and matched up at least one other image, giving authorities a lead, he said.

Kristin Kvigne, assistant director of Interpol's human trafficking division, said the number of such sex offenders traveling around the world at the moment was probably "in the thousands".

Now of course I cannot deny that child pornography is the worst of the worst. But reading this really makes me wonder about the sincerity of the people involved.

The Private Sector Left Out

I have been involved in the area of computer forensics for many years, and one thing I hated about my job is the fact that every now and then, actually about every six months, you'd be called upon to investigate something unrelated only to find child pornography issues.

I have been called in on more than one occasion where these practices, either the viewing of material or the actual distribution, were suspected. But .....

As forensic investigators in the private sector, many of us are faced with the harsh reality that we physically have to go over the materials because the hash sets for such rubbish are not being made available by the authorities, for whatever reason.

This is sad, not only because it makes the work of a private computer forensic expert sometimes almost unbearable: having to watch footage as described above to establish whether or not we are dealing with child pornography is one of the most disgusting tasks in this line of work. But more importantly, because those hashes are not shared with the private sector, we have to incur extra costs for those companies that suspect such illegal activity. And finally: once you have gone over the objectionable material and felt sick from watching it, you have the trouble of preserving it, which makes you an offender (for possessing child porn), and once you deliver it to the authorities it is not clear whether they see it as child pornography.

Having those hash keys available to the private computer forensic sector would make our lives much better and could actually assist in uncovering more illegal practices in this area. If hash keys related to established child porn were provided, then we could save ourselves the trouble of having to go over the material, or at least do so to a lesser extent (because yes, you could alter things slightly, but many don't go through that "trouble").

More importantly, running a child abuse hash key search as a standard part of the procedure would most likely uncover many more cases and at the same time protect computer forensic investigators from unnecessary exposure to this horrible material.
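The hash-set search the post asks for, as an added example (not code from the post or from any agency or vendor): it walks an evidence tree, streams every file through SHA-256 and reports only the files whose digest appears in a supplied list, so the examiner never has to open them. The hash list and the sample files are constructed placeholders, and the demo also shows the limitation the post notes: a single-byte alteration defeats an exact hash match.

```python
import hashlib
import os
import tempfile

# Constructed placeholder: stands in for the bytes of a file on a hash list
# supplied by authorities. It is not derived from any real material.
SAMPLE_KNOWN_CONTENT = b"constructed sample bytes standing in for a listed file\n"
# Constructed hash list in the usual one-digest-per-line form ('#' comments allowed).
KNOWN_BAD_HASH_LIST = (
    "# constructed list: one lowercase SHA-256 per line\n"
    + hashlib.sha256(SAMPLE_KNOWN_CONTENT).hexdigest() + "\n"
)

def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large evidence files never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def load_hash_set(text):
    """Parse a hash list into a set of lowercase hex digests, ignoring comments and blanks."""
    known = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower()
        if line:
            known.add(line)
    return known

def scan_tree(root, known_bad):
    """Return {relative_path: digest} for every file whose digest is in known_bad.
    Only hits are reported, so the examiner does not have to open anything to find them."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            digest = sha256_of_file(path)
            if digest in known_bad:
                hits[os.path.relpath(path, root)] = digest
    return hits

def demo():
    """Constructed tree: an exact copy, a copy altered by one byte, an unrelated file.
    Returns the sorted flagged paths. Only the exact copy matches: a hash match is exact,
    so a single-byte change defeats it (the 'alter things slightly' limitation)."""
    known = load_hash_set(KNOWN_BAD_HASH_LIST)
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "sub"))
        with open(os.path.join(root, "sub", "exact_copy.bin"), "wb") as f:
            f.write(SAMPLE_KNOWN_CONTENT)
        with open(os.path.join(root, "altered_copy.bin"), "wb") as f:
            f.write(SAMPLE_KNOWN_CONTENT + b"\x00")  # one extra byte
        with open(os.path.join(root, "unrelated.txt"), "wb") as f:
            f.write(b"nothing to see here\n")
        return sorted(scan_tree(root, known))
```

Calling `demo()` returns `['sub/exact_copy.bin']`; the altered copy is silently missed, which is why hash sets find the careless rather than the careful.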

Or could it just be that we are talking about egos here: law enforcement agents that want their heads in the news? I for one have found child porn the hardest part of my job as a computer forensic investigator and as a father of three children. In the private sector we don't have the luxury of psychological backup. So, we could use some support. I for one couldn't care less about the headlines, as long as that kind of rubbish gets taken out.

And if I encountered several cases (at one point six in 1.5 years), then I have no reason to imagine it is any different for my colleagues. Just imagine.

So if the G8 is really serious: start sharing what needs to be shared with the private sector. For once forget about the formalities and think about the cause. Share with those that are out in the field doing what the authorities don't pick up, and let's collaborate instead of missing out for the sake of formalities.



iPod Forensics

User photo not available Saturday, 20 January 07 - 02:24 PM (GMT)
By John ML Dierckx in Investigations & Forensics

I received an email from one of my colleagues at Digital Investigations about what was described as Apple iPod forensics. I think it is important to share this with you all. For any questions after reading this post, contact me.

The blog post was taken from the Digital Investigations blog

Digital Investigations can now offer Apple iPOD Forensics. Consider the fact that an iPOD may contain an 80GB hard drive and that an employee may connect up an iPOD to a computer via a USB connection and "slurp" the data off onto the iPOD's hard drive.

We may be able to recover deleted files that may prove that the employee has downloaded sensitive corporate information. Here is a tip for a company. If they are going to allow users to connect up iPODs, then make sure they are company owned iPODs, then the company should have less of an issue when it comes to trying to investigate possible dubious activities with such a device. If the suspect has been using their own iPOD and you suspect that they have company data on it, obtaining the iPOD becomes a lot trickier.

When looking to see if an iPOD has been connected, one of the first giveaways is the Apple iTUNES software may have been installed on the suspect's computer.

---------

On other occasions I have advised about the necessity to keep up with technology and what new technologies mean for your business. Now, where this is usually approached from a perspective of opportunities, it is important that risks are also considered, especially in the area of information security. With iPods we have yet another easy-to-use and pluggable mass storage device that can be used for all kinds of fun and useful things, but also to quickly take your company sensitive data.

It is important that clear guidelines and policies are developed, maintained and, most importantly, enforced where it comes to risk and security. This is part of good governance and healthy business. The efforts don't need to be too extreme in most instances, but just imagine what can happen if your client base is downloaded onto an iPod by a departing employee, or what about your special client arrangements?

John Dierckx has been involved in a number of investigations that dealt with data leakage and corporate espionage. More than once the initial signals are subtle:

  • regular or long term relationships go to the competition
  • missing out on offerings and tenders
  • clients complaining about better deals with the competition

These are just a few examples, but I hope it will be clear: the damages can be substantial and life-threatening for your business.

The added difficulty in cases of theft of company sensitive data is apparent: where in the case of theft of physical assets you physically lose the object of theft, this is not necessarily, or better yet usually not, the case where your information assets are stolen. They remain on your system and are merely duplicated.

So if you recognise any of the three bullet points, or can answer any of the following questions with no, perhaps it is time to give me a ring or visit www.dierckx.co.nz for more information. I can also recommend a search on the keyword "information security" through my blog archive at Ask the Investigator New Zealand at http://nzpi.blogspot.com for more examples and ways to secure your company sensitive data.

  • Do you have an information security strategy / policy?
  • Do you have an acceptable use policy for employees?
  • If the answer to the previous question was yes, is it regularly reviewed, and is it actually enforced?
  • Do you actually know what your employees are up to when they use their company computers? And is usage monitored in any way?
  • Do you know where your company sensitive data actually is?



