Computer Forensics and Social Media
 

Presentation on Computer Forensics and Social Media given to the Lorain County Bar Association, May 17 2012.


    Computer Forensics and Social Media: Presentation Transcript

    • Lorain County Bar Association • Computer Forensics and Social Media • May 17, 2012 • Timothy M. Opsitnick, Esq., Senior Partner and General Counsel, JurInnov Ltd. • John Liptak, ACE, EnCE, Senior Consultant, Computer Forensic and Investigation Services • Daniel Dean, ACE, Consultant, Computer Forensic and Investigation Services • © 2009 Property of JurInnov Ltd. All Rights Reserved
    • Who Are We? JurInnov works with organizations that want to more effectively manage matters involving “Electronically Stored Information” (ESI). – Electronic Discovery – Computer Forensics – Document and Case Management – Computer & Information Security
    • Presentation Overview • Understanding Computing Environments • Collecting Electronically Stored Information • Forensic Analysis Demonstration • Social Media Explained • Social Media Discovery Issues
    • What is Computer Forensics? Computer Forensics is a scientific, systematic inspection of the computer system and its contents utilizing specialized techniques and tools for recovery, authentication, and analysis of electronic data. It is customarily used when a case involves issues relating to reconstruction of computer usage, examination of residual data, authentication of data by technical analysis or explanation of technical features of data and computer usage. Computer Forensics requires specialized expertise that goes beyond normal data collection and preservation techniques available to end-users or system support personnel.
    • Types of “ESI” • E-mail • Office Files • Database • Ephemeral • Legacy Systems • Metadata
    • Sources of “ESI” • Desktops • E-Mail • Laptops • Archives • CDs/DVDs • Cell Phones/PDAs • Network Attached Storage Devices (NAS) • Thumb Drives • Storage Area Networks (SAN) • Memory Cards • External Storage Devices • Servers • Cameras • Databases • Printers • Backup Tapes • GPS Devices
    • Why Computer Forensics? • Reasons to use Computer Forensics – Internal Company Investigations • Alleged criminal activity • Civil or Regulatory Preservation – Receivership, Bankruptcy – EEO issues – Improper use of company assets – Recovery of Accidentally or Intentionally Deleted Data • Deleted is not necessarily deleted • Recovery from Improper shutdowns
    • How Does a Computer Operate? • Hardware – Processor – Memory (RAM) – Hard Drive – CD/DVD Drive – Motherboard – Mouse/Keyboard • Software – Operating System – Applications
    • How Does a Computer Operate? • How is data stored on a hard drive? • How is data “deleted” by the operating system?
    • Computer Forensics Process • Case Assessment & Planning • Maintaining Chain of Custody • Record Evidence Information • Imaging & Data Collection • Analysis • Exports and Reporting • Expert Testimony
    • Collecting “ESI” • “Let’s let the IT staff do it.” • Forensic Harvesting – What is a forensic copy?
    • Collecting “ESI” • Forensic Harvesting - Logical v Physical – Logical / “Ghost” copy (Active Files) • Data that is visible via the O.S. – Physical • Logical + File Slack + Unallocated Space + system areas (MBR, Partition table, FAT/MFT)
    • Collecting “ESI” • Network Harvest • E-Mail Harvest • Cell Phone / Device Seizure
    • Acquisition (Data Harvest) • Software Tools – EnCase (Guidance Software) – Forensic Tool Kit (AccessData) – Device Seizure (Paraben) – Raptor (Forward Discovery) – Sleuth Kit (SANS.org) • Hardware Tools – Write Blockers (Tableau) – CellDEK (Logicube)
    • Types of Data Acquisitions • Image Types – EnCase Image (.E01) – Logical EnCase Image (.L01) – DD Image (.001) – Custom Content Image (.AD1) • ESI Locations – Hard Drives – External Media – Servers • Email • Network Shares – Cell Phone/PDA
    • What is a “hash value”? • MD5 Hash: 128-bit value calculated based on an algorithm • Odds of duplicate values are 1 in 2^128, or 1 in 340,282,366,920,938,000,000,000,000,000,000,000,000 • It is a Digital Fingerprint that uniquely identifies any stream of data or file • Utilized For: – Verifying Images – Identifying Exact File Duplicates
    • Image Verification • Presentation Suspect Images • Description: Physical Disk, 39102336 Sectors, 18.6GB • Physical Size: 512 • Starting Extent: 1S0 • Name: Presentation Suspect Images • Actual Date: 03/24/09 03:17:21PM • Target Date: 03/24/09 03:17:21PM • File Path: E:Presentation image.E01 • Case Number: Presentation Drive • Evidence Number: Presentation Suspect Images • Examiner Name: Stephen W. St.Pierre • Drive Type: Fixed • File Integrity: Completely Verified, 0 Errors • Acquisition Hash: 5cfa3830c3af83741da4f9adcfb896e1 • Verify Hash: 5cfa3830c3af83741da4f9adcfb896e1 • GUID: 04d345276275524c8a111824be6eb170 • EnCase Version: 5.05j • System Version: Windows 2003 Server • Total Size: 20,020,396,032 bytes (18.6GB) • Total Sectors: 39,102,336
    • Encryption Issues • Windows Encryption – Encrypted File System (XP) – BitLocker (Vista & Windows 7) • Other Hardware or Software Encryption – Laptop hard drives – e.g., TrueCrypt
    • Forensic Analysis • Key Word Searching – Indexing (dtSearch / FTK) – Filters • AND/OR/NOT • Date Range • Specific File Types • USB Device Activity • LNK File Analysis
    • Forensic Analysis • Deletion – Recovery of Deleted Documents – Recycle Bin Analysis – Data Carving – Unallocated Space – Evidence of Wiping • Signature Analysis: File Extension vs. File Signature (Header)
    • Forensic Analysis • File Hash Analysis • Internet History • Windows Registry • Mobile Devices • Analysis Examples …
    • Registry Overview • Windows Registry – central database of the configuration data for the OS and applications. • Gold Mine of forensic evidence • Registry Keys – Software – System – SAM (Security Account Manager) – NTUSER.dat
    • Software Key • What Operating System Installed? • Date/Time OS Installed • Product ID For Installed OS • Programs That Run Automatically at Startup (Place to Hide Virus) • Profiles
    • System Key • Mounted Devices • Computer Name • USB Plugged-In Devices (USBSTOR) • Last System SHUT DOWN Time • Time Zone
    • SAM & NTUSER.DAT Keys • SAM – Domain Accounts • NTUSER.DAT – Network Assigned Drive Letters – Typed URLs (websites) – Last Clean Shutdown Date/Time – Recent Documents • Registry examples …
    • Unallocated Space Analysis • Residual Data • Unallocated Space • Drive Free Space • File Slack
    • Data Transfer Analysis • FTP • E-Mail • External Drives • Link Files • Internet History • Webmail • Created/Accessed/Modified Dates
    • Evidence/Analysis Reporting • Native File Exports • HTML Based Reports – FTK, Device Seizure, CellDEK • Final Expert Report • Interpretation of Report • Expert Testimony • Creation of key terms • Evolving analytical search terms
    • Forensic Analyst • Tips For Dealing With Your Forensic Analyst • What to Expect From A Forensic Analyst – Certifications – Training – Experience – Testimony
    • Types of Cases When Forensics Are Useful… • Financial – Receivership – Bankruptcy • General Litigation – Commercial Litigation – Product Liability • Corporate – Regulatory (SEC, Second Requests, FTC) – Mergers/Acquisitions
    • Types of Cases When Forensics Are Useful, cont. • Intellectual Property – Theft of Intellectual Property – Temporary Restraining Order (TRO) – Permanent Injunction
    • Types of Cases When Forensics Are Useful, cont. • Labor/Employment – Violation of Non-Compete Agreements – Sexual Harassment – Age Discrimination – Fraud/Embezzlement – Other Violations of Company Policy
    • Types of Cases When Forensics Are Useful, cont. • Domestic Relations – Divorce – Custody • Corporate Criminal – Other Criminal
    • Social Media – What is it? • “Tools that allow the sharing of information and creation of communities through online networks of people.” • Typically feature content that is: – Shared (made available to others) – Interactive (participants are suppliers and users of content) – Internet-based (on the web) – Personal (usually represents personal comment or seeks commentary) – Informal (tends to be conversational, candid, unstructured, unedited) • Used for both business and personal reasons
    • Social Media – What is it? • Benefits of Social Media – Enhanced collaboration – Improved business relationship – Increased productivity • Risks of Social Media: – Destroy productivity – Loss of confidential data – Misuse of personal data and privacy concerns – Damage to brand and reputation – Casual manner – Once disclosed hard to prevent dissemination – Employees become publishers – Burden of preservation for regulatory and legal
    • Social Media – What is it? • Examples of Social Media Sites: – Facebook: Social Networking – Twitter: Social Networking – LinkedIn: Business Networking – Foursquare: Location based check-ins / Reviews – YouTube: Video posting/sharing – Instagram: Photo posting/sharing – Tumblr: Blogging
    • Social Media Threshold Issues • Establish Relevance • Possession, Custody and Control – Complicated issue – Access once posted – Dynamic and spoliation – Interactive with other sites – Point in time – Issues regarding ease of loss of control • Ethical Issues – Not clear – Pretexting – Collector in chain of custody – Evidentiary issues
    • Social Media Threshold Issues • Stored Communications Act (“SCA”) of the Electronic Communications Privacy Act (“ECPA”) – Complex, communications service providers versus computing service providers – Criminal exceptions – Do not apply to civil matters – Civil and criminal sanctions for violations • Privacy concerns and need for protective orders • Anonymity • Practical solution to seeking discovery – Directly from user or litigant – Since dynamic give notice of preservation as negotiation takes time
    • Social Media Threshold Issues • Practical problems with social media – Evolving new forms – Forensic tools are behind – Difficult to review • Preservation • Dynamic • Point in time • API and other links, e.g., integration with database or other websites – Production • Print, image, static versus dynamic • Conflict with the rules, reasonably useable format
    • Social Media – Forensic Capabilities • Manual Screen Capture/Video Capture/Image Format – Print screen – SnagIt • Temporary Internet Files – Web browsing artifacts – Temporary Pictures • Residual Data/Unallocated Space – Deleted data (Temporary Internet Files) – Partial web pages • New Software Tools – X1 Social Discovery • Industry's first investigative solution specifically designed to enable eDiscovery and computer forensics professionals to effectively address social media content. X1 Social Discovery provides for a powerful platform to collect, authenticate, search, review and produce electronically stored information (ESI) from popular social media sites, such as Facebook, Twitter and LinkedIn.
    • Social Media Issues • Social Engineering – Ability to manipulate a person into giving you personal or sensitive information. • Fraud Schemes – Criminals use Social Media sites to pass off fraud schemes such as investment dealings. They create pages that seem legitimate but are actually traps to entice possible investors. • Phishing Schemes – Criminals use Social Media to steal personal information such as logins and passwords from people in an attempt to commit identity theft. The primary method used is to send fraudulent links across followers/friends of an account in hopes of people clicking on the link which will then log the password and login of those users. • Data mining – Companies use Social Media to collect vast amounts of data from the people using the sites. This information is then sold off to companies in the form of marketing research in most cases.
    • Social Media for Attorneys • Use of social media and ethical rules – Solicitation and advertising – Establishing an attorney-client relationship – Examination of jurors and witnesses
    • For assistance or additional information • Phone: 216-664-1100 • Web: www.jurinnov.com • Email: tim.opsitnick@jurinnov.com, john.liptak@jurinnov.com, daniel.dean@jurinnov.com • JurInnov Ltd., The Idea Center, 1375 Euclid Avenue, Suite 400, Cleveland, Ohio 44115
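
The two uses listed on the "What is a hash value?" slide, and the Acquisition Hash / Verify Hash comparison on the "Image Verification" slide, as an added example that is not part of the original presentation. The disk image and file set are constructed sample data, the function names are hypothetical, and SHA-256 is computed alongside MD5 as an assumption of this example, because MD5 collisions can be constructed deliberately.

```python
import hashlib
import io

SECTOR = 512  # bytes per sector, matching "Physical Size: 512" on the slide

def hash_stream(stream, chunk_sectors=128):
    """Hash a stream in chunks; return (md5_hex, sha256_hex, sector_count)."""
    md5, sha256, size = hashlib.md5(), hashlib.sha256(), 0
    while chunk := stream.read(SECTOR * chunk_sectors):
        md5.update(chunk)
        sha256.update(chunk)
        size += len(chunk)
    return md5.hexdigest(), sha256.hexdigest(), size // SECTOR

def verify_image(stream, acquisition_md5, acquisition_sectors):
    """Re-hash an image and compare with the values recorded at acquisition."""
    verify_md5, _, sectors = hash_stream(stream)
    return {
        "verify_md5": verify_md5,
        "sectors_match": sectors == acquisition_sectors,
        "verified": verify_md5 == acquisition_md5 and sectors == acquisition_sectors,
    }

def find_duplicates(files):
    """Group file names whose contents hash identically (exact duplicates)."""
    groups = {}
    for name, content in files.items():
        groups.setdefault(hashlib.md5(content).hexdigest(), []).append(name)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)

# Constructed sample data: a 2,048-sector "disk image" and the same image
# with a single bit flipped in sector 1,000.
IMAGE = bytes((i * 31 + 7) % 256 for i in range(SECTOR * 2048))
TAMPERED = bytearray(IMAGE)
TAMPERED[SECTOR * 1000] ^= 0x01
TAMPERED = bytes(TAMPERED)

# Constructed file set: two names with identical content, one that differs.
FILES = {
    "report.doc": b"Q1 figures",
    "copy_of_report.doc": b"Q1 figures",
    "report_v2.doc": b"Q1 figures (revised)",
}

if __name__ == "__main__":
    acq_md5, acq_sha256, acq_sectors = hash_stream(io.BytesIO(IMAGE))
    print("Acquisition Hash:", acq_md5, "| SHA-256:", acq_sha256)
    print("Original :", verify_image(io.BytesIO(IMAGE), acq_md5, acq_sectors))
    print("Tampered :", verify_image(io.BytesIO(TAMPERED), acq_md5, acq_sectors))
    print("Duplicates:", find_duplicates(FILES))
```

A single flipped bit leaves the sector count unchanged but produces a different verify hash, which is why the report records both the acquisition and the verification value.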