Computer Forensics

Presented by: Marcus Lawson J.D. President Josiah Roloff ENCE Vice President Global CompuSearch LLC Spokane WA (main office) 509-443-9293 Portland OR 503-542-7448 Sacramento CA 916-760-7362 Palm Springs (San Diego) 760-459-2122

Overview:
Digital evidence is
- Hard drives - Floppy Diskettes - GPS devices - Smart phones - Scanners/copiers/printers - DVDs/CDs - Flash cards/thumb drives - Mobile devices - Gaming devices - Cameras/Camcorders

When a file is deleted, is it really gone?

When a file is deleted only pointers to that file are removed. The data remains in the same place on the hard drive indefinitely unless overwritten by new data. Allocated vs. Unallocated file space

How do we get at the relevant data we need? Forensic Tools:

Keyword searching
Scripts Sorting by date Sorting by type

The Forensics Tools How they work

Case View:

The Examination Process

The Forensics Tools How they work

Picture view:

The Examination Process

Its not me! Im being set up! Who is responsible???? Timelines of use (1) how they are done (2) what they reveal

Timeline Analysis: Chat occurring on July 14, 2006

The Forensics Tools How they work

The Examination Process

The Forensics Tools How they work

Timeline Analysis:

The Examination Process

Admission of Digital Evidence

Tools that are validated versus those that are not (Casey Anthony) Examiner qualifications and opinion vs. factual testimony Documentation of findings by the examiner

The answers to the questions should be the same regardless of who is asking them

Digital Evidence Case Types

Case Types
Homicide
Motive: Girlfriends, boyfriends and secret lovers? Motive: Creepy paraphilias? Planning: Buying scuba belts on Ebay? Planning: Studying tide currents in the bay? Timing: Your cell phone will rat you out every time! Case Example : OR vs. Kim

Case Strategies
Fraud
Planning

Methodology
Records/Emails Co-conspirators? United States vs. Havens

Case Strategies
Child Pornography
1. Is it of a child?

2. Is it pornographic?
Web surfing File sharing Possession vs. Receipt vs. Distribution

Discovery & CP cases:

Child pornography cases create special discovery issues
As of August 2006, the defense can no longer obtain copies of media alleged to contain contraband in federal cases under the Adam Walsh Act and must do forensic exams at government facilities. This creates significant problems for trial prep and adds significant cost to the analysis a cost that is often paid with public funds.

Discovery & CP cases:

Most states have refused to follow the Adam Walsh model and will allow defense forensic examiners to temporarily possess a forensic copy of the media in question via court order. If a court order is granted, there are several important issues which should be addressed in the order. (WA State sample order)

The Order

What is to be provided by the government (forensic copy) Where the media will be examined and stored (in state) That no contraband will be copied or removed from the forensic image The process to be followed when the case is over

Case Strategies
The Kitchen Sink
Arson : (computer research) Robbery : (recovered CCTV) Vehicular Homicide : (GPS) DUI : (breathalyzer source code) Rape : (communications before or after)

Search Warrant Affidavits

Search Warrant Affidavits

[14] We find it particularly significant that the IP addresses from which the qem and foel websites were created were traced to internet subscribers hundreds of miles away from the Chisms home in Nine Mile Falls, Washington. We have explained that a computer that is connected to the internet can be uniquely identified by its IP number, much like a land-line phone can be uniquely identified by its phone number. See Forrester, 512 F.3d at 510 n.5. Moreover, we have repeatedly recognized the utility of using IP address information to investigate child pornography offenders. CHISM v. WASHINGTON STATE

Search Warrant Affidavits

The affidavit submitted by Marcus Lawson, the president of a computer forensic company that examined Todd Chisms computers similarly admonishes: [T]o have any success as an Internet criminal, regardless of whether one was a thief, a hacker or a child pornography collector, it would be incumbent to use other peoples identities to do so. . . . It is primarily for this reason that relying only on information provided by the user of a credit card that is associated with criminal activity is inherently unreliable. CHISM v. WASHINGTON STATE

Search Warrant Affidavits

What is an IP address and why is it so important?

Computers communicate on the Internet because of certain protocols. These protocols allow information to be broken down into small packets, transmitted to the computer you choose and then reassembled as the file you intended to send.

Search Warrant Affidavits

IP addresses are globally unique numbers that allow each computer connected to the Internet to have it's own specific address (just like your residence) and really is the only way IP networks around the world can talk with each other without everything becoming a jumbled mess.

Search Warrant Affidavits

Search Warrant Affidavits

File Sharing cases (should have more than one incident) WWW based cases (subscribers and/or server log files of IPs) Credit Card use by itself should not be relied upon (the account information used will typically be correct)

Facebook, Yahoo, Hotmail subpoenas

Search Warrant Affidavits

Static vs. Dynamic IP Addresses The date of IP connection to the subject address must coincide with the dates documented for the offense

Search Warrant Affidavits

TFA Suchy was able to download 61 files from (the defendant), fifty of which were consistent with child pornography. TFA Suchy used CommView in order to identify the IP address utilized by (the defendant) which was 99.68.129.56.

A search of the American Registry for Internet Numbers (ARIN) online database indicated that IP address 99.68.128.56 is registered to AT&T Internet Services. Results from an administrative subpoena sent to AT&T Internet Services for the date and time the files were downloaded revealed that, at that day and time, the IP address was assigned to the account registered to (the defendants mother), 0000 Summer Wind Drive, Brecksville, Ohio 44141.

Search Warrant Affidavits

Offense

IP number captured

Subpoena to Internet provider

IP address linked to physical location on correct dates

Search Warrant for location is requested

Computer Forensics
If you believe a case might need forensic assistance: STOP all use of the device(s) - Preservation request - Subpoenas sent asap Create forensic copies of all electronic devices - An inexpensive insurance Contact an expert to assist in determining how they can be most helpful

Computer Forensics

Spokane (Main) Office : 509-443-9293 Portland Office : 503-542-7448 Sacramento Office : 916-760-7362 Palm Springs Office : 760-459-2122 www.GCSforensics.com