Computer Forensics and Social Media

Presentation on Computer Forensics and Social Media given to the Lorain County Bar Association, May 17 2012.

Published in: Technology
0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
4,030
On SlideShare
0
From Embeds
0
Number of Embeds
457
Actions
Shares
0
Downloads
173
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Computer Forensics and Social Media

  1. Lorain County Bar Association
     Computer Forensics and Social Media
     May 17, 2012
     Timothy M. Opsitnick, Esq., Senior Partner and General Counsel, JurInnov Ltd.
     John Liptak, ACE, EnCE, Senior Consultant, Computer Forensic and Investigation Services
     Daniel Dean, ACE, Consultant, Computer Forensic and Investigation Services
     © 2009 Property of JurInnov Ltd. All Rights Reserved
  2. Who Are We?
     JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI).
     – Electronic Discovery
     – Computer Forensics
     – Document and Case Management
     – Computer & Information Security
  3. Presentation Overview
     • Understanding Computing Environments
     • Collecting Electronically Stored Information
     • Forensic Analysis Demonstration
     • Social Media Explained
     • Social Media Discovery Issues
  4. What is Computer Forensics?
     Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis, or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
  5. Types of “ESI”
     • E-mail
     • Office Files
     • Database
     • Ephemeral
     • Legacy Systems
     • Metadata
  6. Sources of “ESI”
     • Desktops
     • E-Mail
     • Laptops
     • Archives
     • CDs/DVDs
     • Cell Phones/PDAs
     • Network Attached Storage Devices (NAS)
     • Thumb Drives
     • Storage Area Networks (SAN)
     • Memory Cards
     • External Storage Devices
     • Servers
     • Cameras
     • Databases
     • Printers
     • Backup Tapes
     • GPS Devices
  7. Why Computer Forensics?
     • Reasons to use Computer Forensics
       – Internal Company Investigations
         • Alleged criminal activity
         • Civil or Regulatory Preservation
       – Receivership, Bankruptcy
       – EEO issues
       – Improper use of company assets
       – Recovery of Accidentally or Intentionally Deleted Data
         • Deleted is not necessarily deleted
         • Recovery from Improper shutdowns
  8. How Does a Computer Operate?
     • Hardware
       – Processor
       – Memory (RAM)
       – Hard Drive
       – CD/DVD Drive
       – Motherboard
       – Mouse/Keyboard
     • Software
       – Operating System
       – Applications
  9. How Does a Computer Operate?
     • How is data stored on a hard drive?
     • How is data “deleted” by the operating system?
  10. (image slide, no transcript text)
  11. (image slide, no transcript text)
  12. (image slide, no transcript text)
  13. Computer Forensics Process
      • Case Assessment & Planning
      • Maintaining Chain of Custody
      • Record Evidence Information
      • Imaging & Data Collection
      • Analysis
      • Exports and Reporting
      • Expert Testimony
  14. Collecting “ESI”
      • “Let’s let the IT staff do it.”
      • Forensic Harvesting
        – What is a forensic copy?
  15. Collecting “ESI”
      • Forensic Harvesting - Logical v Physical
        – Logical / “Ghost” copy (Active Files)
          • Data that is visible via the O.S.
        – Physical
          • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
  16. (image slide, no transcript text)
  17. Collecting “ESI”
      • Network Harvest
      • E-Mail Harvest
      • Cell Phone / Device Seizure
  18. Acquisition (Data Harvest)
      • Software Tools
        – EnCase (Guidance Software)
        – Forensic Tool Kit (AccessData)
        – Device Seizure (Paraben)
        – Raptor (Forward Discovery)
        – Sleuth Kit (SANS.org)
      • Hardware Tools
        – Write Blockers (Tableau)
        – CellDEK (Logicube)
  19. Types of Data Acquisitions
      • Image Types
        – EnCase Image (.E01)
        – Logical EnCase Image (.L01)
        – DD Image (.001)
        – Custom Content Image (.AD1)
      • ESI Locations
        – Hard Drives
        – External Media
        – Servers
          • Email
          • Network Shares
        – Cell Phone/PDA
  20. What is a “hash value”?
      • MD5 Hash: 128-bit value calculated based on an algorithm
      • Odds of duplicate values are 1 in 2^128, or 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000
      • It is a Digital Fingerprint that uniquely identifies any stream of data or file
      • Utilized For:
        – Verifying Images
        – Identifying Exact File Duplicates
  21. Image Verification
      • Presentation Suspect Images
      • Description: Physical Disk, 39102336 Sectors, 18.6GB
      • Physical Size: 512
      • Starting Extent: 1S0
      • Name: Presentation Suspect Images
      • Actual Date: 03/24/09 03:17:21PM
      • Target Date: 03/24/09 03:17:21PM
      • File Path: E:\Presentation image.E01
      • Case Number: Presentation Drive
      • Evidence Number: Presentation Suspect Images
      • Examiner Name: Stephen W. St.Pierre
      • Drive Type: Fixed
      • File Integrity: Completely Verified, 0 Errors
      • Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1
      • Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1
      • GUID: 04d345276275524c8a111824be6eb170
      • EnCase Version: 5.05j
      • System Version: Windows 2003 Server
      • Total Size: 20,020,396,032 bytes (18.6GB)
      • Total Sectors: 39,102,336
  22. Encryption Issues
      • Windows Encryption
        – Encrypted File System (XP)
        – BitLocker (Vista & Windows 7)
      • Other Hardware or Software Encryption
        – Laptop hard drives
        – e.g., TrueCrypt
  23. Forensic Analysis
      • Key Word Searching
        – Indexing (dtSearch / FTK)
        – Filters
          • AND/OR/NOT
          • Date Range
          • Specific File Types
      • USB Device Activity
      • LNK File Analysis
  24. Forensic Analysis
      • Deletion
        – Recovery of Deleted Documents
        – Recycle Bin Analysis
        – Data Carving
        – Unallocated Space
        – Evidence of Wiping
      • Signature Analysis: File Extension vs. File Signature (Header)
  25. Forensic Analysis
      • File Hash Analysis
      • Internet History
      • Windows Registry
      • Mobile Devices
      • Analysis Examples …
  26. Registry Overview
      • Windows Registry – central database of the configuration data for the OS and applications.
      • Gold Mine of forensic evidence
      • Registry Keys
        – Software
        – System
        – SAM (Security Account Manager)
        – NTUSER.dat
  27. Software Key
      • What Operating System Installed?
      • Date/Time OS Installed
      • Product ID For Installed OS
      • Programs That Run Automatically at Startup (Place to Hide Virus)
      • Profiles
  28. System Key
      • Mounted Devices
      • Computer Name
      • USB Plugged-In Devices (USBSTOR)
      • Last System SHUT DOWN Time
      • Time Zone
  29. SAM & NTUSER.DAT Keys
      • SAM
        – Domain Accounts
      • NTUSER.DAT
        – Network Assigned Drive Letters
        – Typed URLs (websites)
        – Last Clean Shutdown Date/Time
        – Recent Documents
      • Registry examples …
  30. Unallocated Space Analysis
      • Residual Data
      • Unallocated Space
      • Drive Free Space
      • File Slack
  31. Data Transfer Analysis
      • FTP
      • E-Mail
      • External Drives
      • Link Files
      • Internet History
      • Webmail
      • Created/Accessed/Modified Dates
  32. Evidence/Analysis Reporting
      • Native File Exports
      • HTML Based Reports
        – FTK, Device Seizure, CellDEK
      • Final Expert Report
      • Interpretation of Report
      • Expert Testimony
      • Creation of key terms
      • Evolving analytical search terms
  33. Forensic Analyst
      • Tips For Dealing With Your Forensic Analyst
      • What to Expect From A Forensic Analyst
        – Certifications
        – Training
        – Experience
        – Testimony
  34. Types of Cases When Forensics Are Useful…
      • Financial
        – Receivership
        – Bankruptcy
      • General Litigation
        – Commercial Litigation
        – Product Liability
      • Corporate
        – Regulatory (SEC, Second Requests, FTC)
        – Mergers/Acquisitions
  35. Types of Cases When Forensics Are Useful, cont.
      • Intellectual Property
        – Theft of Intellectual Property
        – Temporary Restraining Order (TRO)
        – Permanent Injunction
  36. Types of Cases When Forensics Are Useful, cont.
      • Labor/Employment
        – Violation of Non-Compete Agreements
        – Sexual Harassment
        – Age Discrimination
        – Fraud/Embezzlement
        – Other Violations of Company Policy
  37. Types of Cases When Forensics Are Useful, cont.
      • Domestic Relations
        – Divorce
        – Custody
      • Corporate Criminal
        – Other Criminal
  38. Social Media – What is it?
      • “Tools that allow the sharing of information and creation of communities through online networks of people.”
      • Typically feature content that is:
        – Shared (made available to others)
        – Interactive (participants are suppliers and users of content)
        – Internet-based (on the web)
        – Personal (usually represents personal comment or seeks commentary)
        – Informal (tends to be conversational, candid, unstructured, unedited)
      • Used for both business and personal reasons
  39. Social Media – What is it?
      • Benefits of Social Media
        – Enhanced collaboration
        – Improved business relationships
        – Increased productivity
      • Risks of Social Media:
        – Destroyed productivity
        – Loss of confidential data
        – Misuse of personal data and privacy concerns
        – Damage to brand and reputation
        – Casual manner
        – Once disclosed, hard to prevent dissemination
        – Employees become publishers
        – Burden of preservation for regulatory and legal purposes
  40. Social Media – What is it?
      • Examples of Social Media Sites:
        – FaceBook: Social Networking
        – Twitter: Social Networking
        – LinkedIn: Business Networking
        – Foursquare: Location based check-ins / Reviews
        – YouTube: Video posting/sharing
        – Instagram: Photo posting/sharing
        – Tumblr: Blogging
  41. Social Media Threshold Issues
      • Establish Relevance
      • Possession, Custody and Control
        – Complicated issue
        – Access once posted
        – Dynamic and spoliation
        – Interactive with other sites
        – Point in time
        – Issues regarding ease of loss of control
      • Ethical Issues
        – Not clear
        – Pretexting
        – Collector in chain of custody
        – Evidentiary issues
  42. Social Media Threshold Issues
      • Stored Communications Act (“SCA”) of the Electronic Communications Privacy Act (“ECPA”)
        – Complex: communications service providers versus computing service providers
        – Criminal exceptions
        – Do not apply to civil matters
        – Civil and criminal sanctions for violations
      • Privacy concerns and need for protective orders
      • Anonymity
      • Practical solution to seeking discovery
        – Directly from user or litigant
        – Since content is dynamic, give notice of preservation, as negotiation takes time
  43. Social Media Threshold Issues
      • Practical problems with social media
        – Evolving new forms
        – Forensic tools are behind
        – Difficult to review
          • Preservation
          • Dynamic
          • Point in time
          • API and other links, e.g., integration with database or other websites
        – Production
          • Print, image, static versus dynamic
          • Conflict with the rules, reasonably useable format
  44. Social Media – Forensic Capabilities
      • Manual Screen Capture/Video Capture/Image Format
        – Print screen
        – SnagIt
      • Temporary Internet Files
        – Web browsing artifacts
        – Temporary Pictures
      • Residual Data/Unallocated Space
        – Deleted data (Temporary Internet Files)
        – Partial web pages
      • New Software Tools
        – X1 Social Discovery
          • Industry's first investigative solution specifically designed to enable eDiscovery and computer forensics professionals to effectively address social media content. X1 Social Discovery provides a powerful platform to collect, authenticate, search, review and produce electronically stored information (ESI) from popular social media sites, such as Facebook, Twitter and LinkedIn.
  45. Social Media Issues
      • Social Engineering
        – The ability to manipulate a person into giving you personal or sensitive information.
      • Fraud Schemes
        – Criminals use Social Media sites to pass off fraud schemes such as investment dealings. They create pages that seem legitimate but are actually traps to entice possible investors.
      • Phishing Schemes
        – Criminals use Social Media to steal personal information such as logins and passwords from people in an attempt to commit identity theft. The primary method used is to send fraudulent links across the followers/friends of an account in the hope that people click on the link, which then logs the login and password of those users.
      • Data mining
        – Companies use Social Media to collect vast amounts of data from the people using the sites. In most cases this information is then sold to other companies in the form of marketing research.
  46. Social Media for Attorneys
      • Use of social media and ethical rules
        – Solicitation and advertising
        – Establishing an attorney-client relationship
        – Examination of jurors and witnesses
  47. For assistance or additional information
      • Phone: 216-664-1100
      • Web: www.jurinnov.com
      • Email: tim.opsitnick@jurinnov.com, john.liptak@jurinnov.com, daniel.dean@jurinnov.com
      JurInnov Ltd., The Idea Center, 1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115
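Slides 20 and 21 describe the two uses of an MD5 hash value: verifying an image by re-hashing it and comparing the result with the hash recorded at acquisition, and identifying exact file duplicates. The following added example is not part of the presentation or of JurInnov's tooling; it hashes a constructed in-memory "image" sector by sector, the way an imaging tool does, and shows that changing a single byte makes verification fail.

```python
import hashlib

SECTOR_SIZE = 512

# Constructed sample "disk image": eight 512-byte sectors (not a real acquisition).
SAMPLE_IMAGE = b"".join(bytes([i]) * SECTOR_SIZE for i in range(8))


def md5_of_stream(data, chunk_size=SECTOR_SIZE):
    """MD5 the data sector by sector, as an imaging tool hashes a drive."""
    h = hashlib.md5()
    for offset in range(0, len(data), chunk_size):
        h.update(data[offset:offset + chunk_size])
    return h.hexdigest()


def verify_image(image_bytes, acquisition_hash):
    """Re-hash the stored image and compare with the hash recorded at acquisition.

    Returns (verify_hash, ok). ok is True only when both hashes match, which is
    what the "Completely Verified, 0 Errors" line on slide 21 reports.
    """
    verify_hash = md5_of_stream(image_bytes)
    return verify_hash, verify_hash == acquisition_hash.lower()


def find_exact_duplicates(files):
    """Group file names by MD5: exact duplicates share a hash whatever their names."""
    by_hash = {}
    for name, data in files.items():
        by_hash.setdefault(md5_of_stream(data), []).append(name)
    return {h: names for h, names in by_hash.items() if len(names) > 1}


if __name__ == "__main__":
    acq_hash = md5_of_stream(SAMPLE_IMAGE)  # recorded at acquisition time
    print("acquisition hash:", acq_hash)
    print("unchanged image verifies:", verify_image(SAMPLE_IMAGE, acq_hash)[1])

    # Flip one bit in the last sector: the verify hash no longer matches.
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[-1] ^= 0x01
    print("tampered image verifies:", verify_image(bytes(tampered), acq_hash)[1])

    # Duplicate detection: identical content under two names, plus one different file.
    print(find_exact_duplicates({"a.doc": b"quarterly", "copy.doc": b"quarterly", "b.doc": b"annual"}))
```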
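Slide 24 lists signature analysis: comparing a file's extension with the signature (header bytes) at the start of its contents. This added example is not from the presentation; it uses a small constructed signature table (assumption: only these types are recognised) and constructed sample files, and flags a file named as a spreadsheet whose header is actually that of a JPEG picture.

```python
# Constructed signature table: leading bytes -> container type (assumption: only these types).
MAGIC = [
    (b"\xFF\xD8\xFF", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),                          # also OOXML (.docx/.xlsx)
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "ole2"),   # legacy Office (.doc/.xls)
]

# Header types an extension may legitimately carry.
EXT_TYPES = {
    "jpg": {"jpeg"}, "jpeg": {"jpeg"}, "png": {"png"}, "pdf": {"pdf"},
    "zip": {"zip"}, "docx": {"zip"}, "xlsx": {"zip"}, "doc": {"ole2"}, "xls": {"ole2"},
}


def identify_by_header(data):
    """Return the type implied by the file's leading bytes, or 'unknown'."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"


def signature_check(name, data):
    """Compare extension with header. Returns (ext, header_type, status)."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify_by_header(data)
    expected = EXT_TYPES.get(ext)
    if expected is None:
        status = "unknown extension"   # nothing to compare against
    elif kind in expected:
        status = "match"
    elif kind == "unknown":
        status = "bad signature"       # extension known, header not recognised
    else:
        status = "mismatch"            # header says one type, extension another
    return ext, kind, status


# Constructed sample files (headers only; the bytes after the header are filler).
SAMPLES = {
    "photo.jpg": b"\xFF\xD8\xFF\xE0" + b"\x00" * 16,
    "report.docx": b"PK\x03\x04" + b"\x00" * 16,
    "budget.xls": b"\xFF\xD8\xFF\xE1" + b"\x00" * 16,   # picture renamed as a spreadsheet
    "notes.txt": b"plain text",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, signature_check(name, data))
```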
