Upholding the law: the risks for forensicators
March 18, 2011 by David Hewitt
Filed under Methodologies & Best Practices
“You have zero privacy anyway. Get over it” – I’m sure many remember Scott McNealy, CEO of Sun Microsystems coming out with that controversial phrase in 1999. Yet 15 years later instead of the problem being dealt with it now is hotter than ever. In Episode 35, Forensic 4cast discussed the events surrounding HBGary, having been articulately hacked by activist group Anonymous – because of their assistance to government investigations against them and possible connections to data leaks through website WikiLeaks.org. This attack has been particularly personal for the victims who have been caught in a much bigger cyber-privacy whirlwind. What kind of message is this sending to those in the same position as HBGary? – are the enforcers who stamp out cybercrime activities likely to be at threat for providing services to aid justice? Is it not acceptable for professional security firms to assist the government investigating computer crimes?
Freedom of Information
First a quick history lesson – open your books at the Freedom of Information… FOI has been around for a long time and is well set in legislation (FOIA 1966 US, FOI 2000 UK) – laws which we the public lobbied for to gain access to information we believed was our right to see. This included personal details held by government agencies as well as restricted information deemed to be in the public’s interest. More recently with the advent of the computer as a prime means of holding information, FOI matured and became more complicated. Legislation was kept up to date to deal with the electronic storage of information (E-FOIA 1996) and this transparency continued to encourage good working practices. We have become used to this and I have even exercised this right several times placing disclosure requests against companies who hold my data (keeps them on their toes!). In addition, it has caused a transformation of the media industry who now use FOI as a key tool to write headlines and scoops. For some this was always a step too far and pushes FOI to the limit of what it was really designed for.
Risk to the enforcer
While the laws haven’t changed much, the attitudes to interpreting them most certainly have. Openness and privacy have complex and contrasting meanings which are open to much interpretation – cultures, industries and the passing of time itself are just a few reasons for different viewpoints. In the last few years we have heard noises from various anti-privacy groups that the restriction of information is still far too tight. The Anonymous/WikiLeaks story epitomizes this. In an interview in January 2011, Julian Assange summed up his thinking into a single paragraph:
“The more secretive or unjust an organization is, the more leaks induce fear and paranoia in its leadership and planning coterie …Since unjust systems, by their nature, induce opponents, and in many places barely have the upper hand, mass leaking leaves them exquisitely vulnerable to those who seek to replace them with more open forms of governance.” – Julian Assange, Jan 2011
I don’t know about you – but I find that a pretty frightening statement. So what message is that putting out to the HBGarys out there? Cyber warfare is complex. One man’s right is another man’s wrong – Assange’s quote shows this. He would like an FOI Act on steroids. This challenge has always existed – this is just a new plane on which the challenge is being presented. Just as when the original Act was formed in 1966 due to pressures on making data more open, there are those today who continue to hold the belief that the required level of transparency hasn’t yet been reached. It is still early in this struggle but it already places those like HBGary who considered themselves of integrity in the firing line for supporting the very agencies that others have determined are at fault. Does this mean forensicators dealing with criminal cases should expect to have their reputation slurred by activists who don’t like the laws that cover computer crimes? What about those who help secure private networks? Are they now seen to be targets as supporters of those departments who protect classified information?
There are lots of questions and chaos, and no real answers at the minute – at least none that directly respond to these new threats. However we should be able to use lessons learnt from the past:
1. Accept the risks that come with the job. Basic but important to remember. Just like a security guard shouldn’t be surprised to see the odd bandit, the nature of your work may mean risks of attack are always there. You need to tune your mindset accordingly.
2. Display professional discretion. To build upon the acceptance, you should be wise when discussing client work and your general role in public spaces. Loose lips can sink ships.
3. Implement safeguards in your work. Those who work in forensics operate to flawless procedures – where simple inaccuracies or reason for doubt can result in the entire loss of a case – never mind the developing consequences for your reputation. Minimise the risk and put all safeguards in place. Don’t make it easy for those who wish to defame you – make your own work bulletproof.
4. Maintain your integrity. If everything else fails you will be hoping you have LOTS of this. Having a reputation and history for being trustworthy by peers and clients could make the difference between surviving the rage of an attack or not. You can’t buy it or get a certification in it – it’s built continually as part of your working life.
So where does this leave us?
Having to watch every step? McNealy was warning us about privacy issues in 1999, and others well before that. The reality is that as we battle and solve today’s fight, there are those planning the new attacks for tomorrow. Those in law enforcement or who support government departments probably already have a built-in awareness of the risks around them. It’s now clear more than ever that security firms in the private sector must also consider their ability to deal with these issues. Ultimately the risks can only be managed through sensible choices – you cannot make them go away. Remember above all else: maintain your integrity.
David Hewitt is a security consultant and published writer of articles on digital forensics and IT law. He runs the Forensically Speaking Project, which looks at emerging technologies and their impact to forensics and cybercrime. Follow him on Twitter @Forensically or contact him at david.hewitt@gmail.com.
How to do the Worst Job Possible
August 8, 2010 by Lee Whitfield
Filed under Methodologies & Best Practices
Occasionally we all see forensic reports that are as close to perfect as they could be, where procedures and presentation are clear and concise and where the author has conducted research relevant to the investigation. Sadly this isn’t one of those instances…
This is a real report prepared by a real defence ‘expert’. Any references to those involved have been changed.
Sadly I can’t take the credit for finding this gem. The folks at Cranfield University know its origin and share it with their students as a very very bad example. I’d love to hear your thoughts on the report. I’ve also included a pdf of the report at the following location http://www.forensic4cast.com/wp-content/uploads/2010/08/report.pdf
REPORT
1.1 My Qualifications
I am Alfie Moon, MBCS. I work as a Director for The Queen Victoria PH plc, an IT business Management Consultancy. I have worked for The Queen Victoria PH since 1997 and prior to that I was a Director of Angie’s Den. As a consultant my primary fields of activity are project and organisational effectiveness reviews, in a variety of technical environments and the production of expert reports under Civil Procedure Rules. I am a member of the British Computer Society.
I have worked full-time in the IT industry since 1963. Over this period I have been a programmer, designer, analyst, team leader, project manager and line manager responsible for several hundred staff. I have always, professionally and personally, been an advocate for, and a user of, the PC and internet environment. I have written code, reviewed organisational intra/internets and developed web sites.
1.2 The Charges
I have taken the charges from the Indictment and have addressed the 18 counts individually in the section on findings. Note that these charges all address the possession of indecent photographs of children, not of making them. I have not addressed the issue of whether such photographs were made by Dennis Watts.
1.3 Questions addressed
I was given the following instructions and have responded as indicated in italics
- Nothing that the prosecution expert computer witness asserts in his witness statement should be taken at face value. The evidence presented by Grant Mitchell and DC Phil Mitchell has been reviewed and verified by examination of the floppy disks and computer hard disk.
- Nothing that Dennis Watts says in his police interview should be taken at face value. Noted
- The Defence needs to know whether the images or traces of images of child pornography are actually on the hard disk in Mr Watts’s computer. Internet cache on the hard disk was reviewed; deleted files were recovered where possible and also reviewed.
- Mr Watts cannot remember the dates and times at which he was at home. Noted
- What dates and times were the child pornographic images downloaded from various websites on the internet by Mr Watts’s computer? Addressed in findings
- Can it be confirmed whether or not Mr Watts’s computer was used to download child pornographic images onto floppy disks? Addressed in findings
1.4 Evidence provided
On the 13th May 2002 I was provided with:
- the Indictment on 18 counts.
- Statements / Evidence from
- Dennis Watts, draft and final
- Pauline Fowler
- Ian Beale
- Katherine Slater
- Dorothy Cotton
- Phil Mitchell
- Grant Mitchell
On 17th May 2002 I was provided with:
- PF/1, four floppy disks and KS/1 Time Computer Tower
2. METHOD
2.1 Unsolicited email
Dennis Watts admits to providing his address to an unspecified number of pornographic web sites. In this circumstance I believe that he had no control over the material that might be sent to him, whether it is soft porn, hard porn or child pornography.
I tested this assumption by setting up a free Hotmail account (the web mail service used by Dennis Watts), surfing for porn sites and providing my Hotmail address to the first site that requested it. I received about 5 unsolicited emails, over a 3-day period, as a result.
2.2 Computer
I received the computer for examination on Friday 17th May 2002. It appears to be a standard Windows 98 machine using Internet Explorer for internet access through Orange Net. I have not used it to connect to the internet.
- There is no password protection in place. This is normal domestic behaviour but it does mean that the full range of facilities provided can be used by a casual user.
- The date and time were incorrect. Specifically the date was 16th April 2002, the time about 05.00. Thus the machine was running about one month, one day and 12 hours slow. I corrected the date and time using normal Windows facilities. I note that the evidence of DC Phil Mitchell of 13th November 2001 states that on initial examination of the computer the date was correct, the time nearly so. I conclude that the machine had been without power for some time.
I installed an undelete facility on the computer to allow me to examine any files that had been deleted by the user. The facility usually allows deleted files to be recovered and viewed. Where the defragmenter utility had been run (to make disk access more efficient or to hide deleted files) this utility is unable to recover deleted files. Note however that the defragmentation process is not selective. It can only be applied to a complete disk.
I undeleted all files possible, 2486 files. The earliest was dated 05/08/93, the latest, prior to my intervention was dated 10/07/01. Prior to that the latest dated 24/06/01. There were no deleted files dated 14/06/01.
I also created a set of folders on the hard drive to contain the floppy disk contents and working images from the internet cache and deleted files.
Once this report was completed I defragmented the hard drive to verify that all the deleted files had in fact been deleted, uninstalled the undelete utility and deleted the hard drive folders that I had previously set up.
2.3 Floppy disks
I received cloned copies of the four disks with the computer. I copied the contents to temporary folders on the hard drive for speed of access and ran the undelete utility on the disks themselves. No deleted files were found on any of the four disks.
2.4 Internet Cache
The internet cache is a key issue in internet access and it is worth describing the role it fulfils. All internet files (formatting, text or images) are, in the first instance, received from the internet into the cache and this process is not under user control. Where pages are requested from the internet the browser (Internet Explorer in this instance) will, in the interests of speed, first attempt to find the file in the cache. If it cannot be found it will access the file from the internet. As the cache fills up the space occupied by the oldest files will be reused.
While there are exceptions to this general rule (some pages can force the browser to access the internet for a more up to date version), the cache is essentially a good record of internet access activity. If the user elects to save files then the saving process will copy the files from the cache to the selected location. The original will remain in the cache.
3. Findings
All photographs in the charges are stated to have been in Watts’s possession on 18th June 2001. Findings on them are given individually in the table below.
| | Photograph from Charges | Prosecution evidence | Location | Origin | Last Accessed |
| 1 | 0023.jpg (evidence states 00223.jpg. I have taken the name on the charge to be a mis-type) | Page 3 of PM | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | PM page 3 states attached to incoming email from ‘Noddy’ | PM page 3 states email on 5.6.2001 00:47:41 |
| 2 | 000.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 3 | 0010.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 4 | 0000.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 5 | 0005.jpg | As above | Exists on disk 2/lollypop1. Not in internet cache. Not in deleted files | As above | As above |
| 6 | 0147.jpg | Page 3 of PM | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | PM page 3 states attached to incoming email from ‘Noddy’ | Email on 5.6.2001 00:59:12 |
| 7 | 0198.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 8 | 0156.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 9 | 0177.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 10 | 014.jpg | As above | Exists on disk 2/lollypop2. Not in internet cache. Not in deleted files | As above | As above |
| 11 | 12.jpg | Page 3 of PM | Exists on disk 2/lollipop3. 8 variants of 12.jpg exist in the internet cache, none are this image. 9 variants of 12.jpg exist in the internet cache, none are this image | PM page 3 states that this is attached to incoming mail from ‘Popeye’ | Email on 6.6.2001 12:31:24 |
| 12 | 080.jpg (There is no 080.jpg on the floppy disks but there is an aa080.jpg in the PF/1 listing) | PF/1 listing | Disk3/04. Not in internet cache. Not in deleted files | | Created 9.6.01, Accessed 26.6.01 |
| 13 | 0704.jpg | PF/1 listing | Disk 3. Not in internet cache. Not in deleted files | | Created 14.6.01, Accessed 14.6.01 |
| 14 | 2veryyoung.jpg | PF/1 listing | Disk 3. Not in internet cache. Not in deleted files | | Created 3.6.01, Accessed 6.6.01 |
| 15 | 21.jpg | PF/1 listing | Disk 4. Not in internet cache. Not in deleted files | Yippee, Holland | Created 8.6.01, Accessed 11.6.01 |
| 16 | 10.htm (Note that this is an .htm file and therefore not a photograph. It references YU107213910270 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.) | N/a | N/a | N/a | N/a |
| 17 | 13.htm (Note that this is an .htm file and therefore not a photograph. It references hayley13 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.) | N/a | N/a | N/a | N/a |
| 18 | 8.htm (Note that this is an .htm file and therefore not a photograph. It references 08 (a photograph on disk 4 though not one of the photographs above) as one book may reference another, but it is not a photograph.) | N/a | N/a | N/a | N/a |
3.1 Conclusions
There are 18 ‘photographs’ defined in the table above, all located on floppy disks, of which the first 15 are actually photographs. I propose to ignore items 16-18, the .htm files for the reasons given above.
While the computer has clearly been used to surf the net for pornographic sites, some of which deal with incest and child pornography, to interact with internet chat rooms and receive emailed images it should be stressed that, according to my examination, none of the images on the floppy disks that are presented in the charges can be found on the computer hard drive, whether in the internet cache, in deleted files or elsewhere.
3.1.1 Emailed Items
Items 1 to 5 above were received, according to the prosecution evidence with which I have no reason to disagree, in a single email on the 5th June. Dennis Watts admits to having given his email address to an unspecified number of pornography web sites or chat rooms and, in this circumstance, he had no control on what might have been sent to him as a result. It seems to me that, while he had advertised his willingness to receive pornographic mail, he had not advertised a specific interest in child pornography.
The same observation holds for items 6 to 10 and item 11 above for emails received on the 5th and 6th June.
3.1.2 Were images viewed?
A general question arises on whether Dennis Watts actually viewed any images sent to him. He states that he always loaded pornographic images to his A drive (the floppy disk) for review later. Hotmail was developed for the US market where local calls to internet numbers tend to be free. This is not the case in the UK and Hotmail users here do develop behaviour to limit the cost of telephone calls. While Hotmail will generally open (and therefore present images to the user) any attachments in emails (photographs in this case) it is not invariably so. While my own equipment will do so I have friends who are not able to. It depends on a number of circumstances which can exist in complex combinations:
- The format in which the sender has sent the mail.
- The capability of the receiving computer
- The extent to which the user is ‘computer literate’
- Whether Hotmail itself has been modified, e.g. by the user changing security settings, to accept attachments
My view is that it cannot be proven that Dennis Watts would invariably view any email attachment sent to him before he saved it to a floppy disk.
3.1.3 Items 12 to 14
As noted in the table above I can find no evidence that these images exist on the computer hard drive in either the internet cache or as deleted files.
3.1.4 Item 15
As noted in the table above I can find no evidence that this image exists on the computer hard drive in either the internet cache or as deleted files.
This image appears to be from a Yippee site in Holland. I note that, in Dennis Watts’s witness statement, the police view that he would have needed a password to access this. It seems to me that Yippee is freely available in any language, if he were sent a hyperlink to such a site (as ‘here’s an interesting site, look at it’) then clicking on the hyperlink would have yielded the image. I have accessed the Yippee site directly; though it was empty it appeared to be available for access. I find it unlikely that access to images in this way would be possible without viewing the image.
3.1.5 Were the images on the floppy disk from the computer?
Dennis Watts does not claim that the floppy disks were given to him. It would be possible for someone else to ‘fake’ the floppy disk contents but this would require time (to access the appropriate files using another computer, then to transfer them to a floppy disk) and the technical ability (changing the clock on the computer used to ‘fake’ the disk to give the desired time and date). Such a process would not need to make use of Dennis Watts’s computer. As noted the computer is not protected (i.e. it does not require a user name and password to function).
It should be noted that (unless ‘faking’ was involved) all images written to the floppies would pass via the internet cache on the computer. It is possible, using utilities freely available to Dennis Watts, to delete the content of the internet cache, or to be more complex, to rename them such that they appear to be something completely different.
On balance, if files exist on the floppy disks and also on the hard drive, it can be reasonably assumed that they are the same. The corollary, that if they exist on the floppies but not on the hard drive, leads to the conclusion that:
- The content of the floppies have been faked or
- The contents of the hard drive have been modified
If the contents of the hard drive had been modified by deletion, this should have been visible in the contents of the deleted files.
I believe that the case for ‘faking’ the contents of the floppy disks is supported by the following set of observations:
- Disk 3 contains a number of folders but, in the root segment, are 7 images of children, 3 of one child, 4 of a second child. One image of the second child (0704.jpg) is presented in the charges
- These 7 images on disk 3 all have a modification date (i.e. the date on which they were saved to the floppy disk) of 14/06/01, timed between 10.08 and 10:45
- There is no activity identified (access to the internet or otherwise, or in the deleted files) on the computer hard drive for the date of 14/06/01 other than a game of minesweeper which is timed at 17.33.
SCHEDULE SHOWING WHICH IMAGES CAME FROM WHICH FLOPPY DISK
| 1 | 00223.jpg | Disk 2 |
| 2 | 000.jpg | Disk 2 |
| 3 | 0010.jpg | Disk 2 |
| 4 | 0000.jpg | Disk 2 |
| 5 | 0005.jpg | Disk 2 |
| 6 | 0147.jpg | Disk 2 |
| 7 | 0198.jpg | Disk 2 |
| 8 | 0156.jpg | Disk 2 |
| 9 | 0177.jpg | Disk 2 |
| 10 | 014.jpg | Disk 2 |
| 11 | 12.jpg | Disk 2 |
| 12 | 080.jpg | Disk 3 |
| 13 | 0704.jpg | Disk 3 |
| 14 | 2veryyoung.jpg | Disk 4 |
| 15 | 21.jpg | Disk 4 |
| 16 | 10.htm | Disk 4 |
| 17 | 13.htm | Disk 4 |
| 18 | 8.htm | Disk 4 |
End of Report
FINAL RESULT
Following expert examination of the hard disk and floppy drives which resulted in the extraction and de-coding of link files from both allocated and unallocated space the defendant pleaded guilty to all (amended) counts and was sentenced to 12 months imprisonment. The above report was NOT submitted in evidence by the defence or used as any basis for mitigation.
Extreme Hexjumping Video
July 29, 2010 by Lee Whitfield
Filed under Methodologies & Best Practices
A few weeks ago I posted a picture of Martin Westman just before he jumped out of a plane while hex-dumping a phone. He has been in touch and sent a link to the Youtube video. I asked Martin if he has any more plans to do things like this in the future and he seems to have some nice ideas… I’m not going to spoil it, you’ll just have to watch out for them.
Digital Forensics – What We Don’t Know CAN Hurt Us
May 5, 2010 by Lee Whitfield
Filed under Methodologies & Best Practices
If my work with Volume Shadow Copies has taught me one thing it is that I don’t know anything. I have often said the more I learn, the less I know. Everything that we learn about computer investigations leads to more learning. It never ends. Anyone that thinks they know everything there is to know about digital forensics is either a liar or delusional. Each case should be teaching us something new and we should be learning from it.
The same goes for any new developments in the field. If we don’t keep up with all the latest developments how do we expect to be able to conduct a full investigation?
I have noticed a worrying arrogance lately in that digital forensic investigators believe that they know all that they need to know. They’ve been on all the AccessData and Guidance courses that are on offer, so they have all the knowledge they could ever hope to amass. There is no more room for progression.
This is incredibly dangerous not only to the analyst, but to the people that we represent.
A little while ago a friend of mine conducted an investigation for a police force. I remember him working very hard to experiment and test his findings, like any good examiner. He sent his report to the relevant authorities and got on with his next case.
Some months later the defence report arrived on our doorstep. This report was compiled by a digital forensic investigator professing nearly 20 years experience in the field.
His report went on to attack my colleague’s findings. This is not unusual but the manner in which he tried to do this left me feeling completely stunned.
The report was simply dismissive. This ‘veteran’ stated that he did not believe my colleague’s finding were accurate. He did not give any justification for this, he did not conduct any testing, he just said something along the lines of “I know of no method to recover this data so his findings must be incorrect.”
What?
I couldn’t believe this. At what point does an investigator allow himself to interpret his own limited knowledge as fact? It is disturbing and I hope that I never fall into this trap.
The question I would ask is: How do we safeguard against such arrogance? Clearly our field is intellectual and we know a great deal but how do we stop ourselves from becoming like this examiner? How do we keep ourselves firmly anchored?
Microsoft Word – What Lies Beneath
August 10, 2009 by simon
Filed under Methodologies & Best Practices
As a Forensic Investigator it is crucial that any investigation of a case is thorough and done to the best of an individual’s ability. In the interest of time there can be a temptation to delve deep enough to find the required evidence, report it, then move on to the next case. People may, in fact, be under very real pressure to do this. Sometimes doing such things can cause problems for a case in the future when another expert potentially reviews and comments on your own findings.
Imagine the following scenario as a forensic investigator. You are handed a case brief and a computer hard drive to examine. The case brief informs you that Bill, the owner of the computer, is suspected of using the computer to create fraudulent documents for their own financial benefit. The alleged offence took place between May and July. You image the disk, load the disk image into your preferred forensic software and begin your examination.
Initial searches uncover a large number of Microsoft Word documents. You open these documents and discover that they do, indeed, contain a number of fraudulent documents. You discover that the documents have been created over the period of two months and that they have been accessed by the Windows user named ‘Bill’ on the computer. Well, there you have it. Guilty? Innocent? However it looks on the surface, if you dig a little deeper you could see things very differently.
You discover that the NTUSER.DAT registry hive for the user ‘Bill’ shows Microsoft Office to have been used and registered by this same user. When the software was first run he specified the user name ‘Bill’ and the initials ‘BT’. You also find that Microsoft Office was installed on the computer three months earlier.
Whilst a lot of people are aware that this and more information is stored by Microsoft Office, they may not be aware of how this can potentially swing a case. This information, as well as much more, is embedded into every Microsoft Word document by default.
When a document is created by the user selecting ‘New’ from the Office menu or the File menu, Microsoft Word immediately records the time and date as a ‘Create Date’ for that document. Regardless of what happens to that original document or where it is copied to, this date and time remains the same. In addition to this the above user name and initials are also stored in this document as ‘Author’ details even before it is saved by the user. When the document is first saved a ‘Last Revised Date’ record is created, and a ‘Last Saved By’ field stores the current Microsoft Word user. This information is updated every time a document is saved, but ‘Author’ data remains the same. When a file is printed a ‘Last Print’ date and time is recorded. Depending on the version of Microsoft Office you may occasionally find the make and model of the printer used in plain text. This can be useful in determining whether a document was printed from a certain place.
You may know this already or wonder why this is relevant. Take the following examples.
A document has an NTFS creation date of 30th July 2009 but a Microsoft Word ‘Create Date’ of 12th February 2009. The Author and ‘Last Saved’ fields show ‘Ted’. The ‘Last Revised Date’ and ‘Last Print Date’ for the document both showed 13th February. What does this information tell us about a document saved on the hard drive of Bill’s computer? It tells us that maybe he didn’t put it there.
Another document has a Word ‘Create Date’ showing some time after the creation date saved by the NTFS file system and the ‘Last Print Date’ recorded by Microsoft Word. This shows that another document has been saved over an existing document. As a result it is not possible to determine exactly what was printed. The document as it exists now is likely not the document that was ever printed.
A further document has a ‘Create Date’ of 1st March 2009 but a ‘Last Revised Date’ 24th February 2009 and ‘Last Printed Date’ of 22nd February 2009. How can this happen? The document was likely created from an existing older document that has previously been printed, and had inherited a number of its properties.
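The three documents above, worked as an added example rather than anything from the original post: the post’s cases concern Word files of the day, and this script reads the same Author, Last Saved By, Create Date, Last Revised Date and Last Print Date fields from the docProps/core.xml part of a .docx package (an assumption about container; older .doc files keep them in the SummaryInformation stream instead) and then applies the three consistency checks against the NTFS creation time. The sample documents, their dates and the finding codes are constructed here; the post gives no dates for the second case.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# XML namespaces used by docProps/core.xml inside an OOXML (.docx) package.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def utc(year, month, day, hour=0):
    """Aware UTC timestamp standing in for the NTFS file creation time."""
    return datetime(year, month, day, hour, tzinfo=timezone.utc)


def _parse_w3cdtf(text):
    """Core properties store times as W3CDTF strings such as 2009-02-12T10:00:00Z."""
    if not text or not text.strip():
        return None
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def read_core_properties(docx_bytes):
    """Pull the fields the post discusses out of docProps/core.xml."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        root = ET.fromstring(pkg.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "author": text("dc:creator"),                             # 'Author'
        "last_saved_by": text("cp:lastModifiedBy"),               # 'Last Saved By'
        "create_date": _parse_w3cdtf(text("dcterms:created")),    # 'Create Date'
        "last_revised": _parse_w3cdtf(text("dcterms:modified")),  # 'Last Revised Date'
        "last_printed": _parse_w3cdtf(text("cp:lastPrinted")),    # 'Last Print Date'
    }


def assess(props, ntfs_created, suspect_name):
    """Apply the post's three consistency checks; returns a list of finding codes."""
    created, revised, printed = props["create_date"], props["last_revised"], props["last_printed"]
    findings = []
    if created is None:
        return findings
    # Case 1: Word says the document existed before the file appeared on this disk and
    # another user's profile created it, so it may not have been authored here.
    if created < ntfs_created and props["author"] != suspect_name:
        findings.append("CREATED_ELSEWHERE")
    # Case 2: Create Date later than both the NTFS creation time and the Last Print Date:
    # a different document was saved over an existing file, so what was printed is unknown.
    if created > ntfs_created and printed is not None and printed < created:
        findings.append("SAVED_OVER_EXISTING_FILE")
    # Case 3: revised before it was created: built from an older document whose
    # properties it inherited.
    if revised is not None and revised < created:
        findings.append("INHERITED_FROM_OLDER_DOCUMENT")
    return findings


def build_docx(author, last_saved_by, created, modified, last_printed=None):
    """Constructed minimal .docx carrying only the core-properties part used above."""
    parts = [
        f"<dc:creator>{author}</dc:creator>",
        f"<cp:lastModifiedBy>{last_saved_by}</cp:lastModifiedBy>",
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>',
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>',
    ]
    if last_printed:
        parts.append(f"<cp:lastPrinted>{last_printed}</cp:lastPrinted>")
    core = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        + "".join(parts) + "</cp:coreProperties>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("docProps/core.xml", core)
    return buf.getvalue()


def run_page_examples():
    """The three documents from the post, rebuilt as constructed samples on Bill's disk."""
    bill = "Bill"
    # Document 1: NTFS creation 30 Jul 2009, Word Create Date 12 Feb 2009, author 'Ted',
    # revised and printed 13 Feb 2009.
    doc1 = build_docx("Ted", "Ted", "2009-02-12T10:00:00Z",
                      "2009-02-13T10:00:00Z", "2009-02-13T11:00:00Z")
    # Document 2: Word Create Date after both the NTFS creation and the Last Print Date
    # (dates constructed; the post gives none for this case).
    doc2 = build_docx(bill, bill, "2009-06-20T09:00:00Z",
                      "2009-06-20T09:30:00Z", "2009-06-10T15:00:00Z")
    # Document 3: Create Date 1 Mar 2009, Last Revised 24 Feb, Last Printed 22 Feb;
    # the file landed on disk at the moment it was created.
    doc3 = build_docx(bill, bill, "2009-03-01T12:00:00Z",
                      "2009-02-24T12:00:00Z", "2009-02-22T12:00:00Z")
    return {
        "doc1": assess(read_core_properties(doc1), utc(2009, 7, 30), bill),
        "doc2": assess(read_core_properties(doc2), utc(2009, 6, 1), bill),
        "doc3": assess(read_core_properties(doc3), utc(2009, 3, 1, 12), bill),
    }
```

Running `run_page_examples()` returns one finding per document, in the order the post presents them; a document whose Word and NTFS dates agree and whose author matches the profile returns an empty list.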
It is of course possible for a user to modify their user name. An investigator would then have to determine the likelihood of a user having sufficient knowledge to make such changes. This can be determined by seeing what programs have been installed and used, where the user has saved files, and whether there is anything hinting at a more experienced user (I have seen computers with more than one anti-virus program running permanently. This could be the result of paranoia or a less than full understanding of how such programs work).
Now imagine having done a computer investigation having not looked for this information. An expert hired by the defence team then examines your findings and the disk images and finds this information. All of a sudden doubt can be cast over your work, which previously appeared to be quite convincing. The fact that you missed this information doesn’t help your own reputation.
I have had cases where apparent guilt was turned on its head as a result of investigating Microsoft Office embedded data. I have seen documents created before they existed on a suspect’s computer. I have seen documents printed before they were created or edited by Microsoft Word.
This information can potentially confuse an investigation. It can make or break a case and determine whether someone has been the perpetrator of a crime or not.
Testing this is easy and extremely important. I would recommend that any forensic investigator take a few minutes to test embedded Microsoft Office data. Only then can you say with any authority that dates and times appear in a specific order because of specific events. This embedded data can make all the difference to your investigation, and looking a little closer can provide a more complete picture, whatever that complete picture shows.
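The checks recommended above, as an added example that is not part of the original post: it reads the embedded dates and user names from a Word 2007 (.docx) package, compares them with the file system creation time, and reports each ordering that the post says needs explaining (printed before created, revised before created, Word ‘created’ after the NTFS creation time, and the copy-onto-volume case the other way round). The .docx and the NTFS timestamp are constructed inline so it runs offline; on a real exhibit you would read the file from the image and take the creation time from your forensic tool. The older binary .doc format keeps the same fields in its SummaryInformation stream but needs a different parser, which this example does not cover. The finding codes and the sample user names are my own naming.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample docProps/core.xml (not from any real exhibit). Its dates
# reproduce the ordering described above: created 1 March 2009, yet last
# revised 24 February and last printed 22 February.
SAMPLE_CORE_XML = """<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>alice</dc:creator>
  <cp:lastModifiedBy>bob</cp:lastModifiedBy>
  <cp:lastPrinted>2009-02-22T09:05:00Z</cp:lastPrinted>
  <dcterms:created xsi:type="dcterms:W3CDTF">2009-03-01T10:15:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2009-02-24T16:40:00Z</dcterms:modified>
</cp:coreProperties>
"""

# Constructed NTFS creation time of the file as found on the exhibit. In a real
# case this comes from the file system metadata, never from the document.
SAMPLE_NTFS_CREATED = datetime(2009, 2, 28, 8, 0, tzinfo=timezone.utc)

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}


def build_docx(core_xml: str) -> bytes:
    """Wrap core.xml in a minimal OOXML package (a zip) so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def parse_w3cdtf(text: str) -> datetime:
    """Parse the W3CDTF form Word writes (e.g. 2009-03-01T10:15:00Z) as UTC."""
    return datetime.fromisoformat(text.strip().replace("Z", "+00:00"))


def read_core_properties(docx_bytes: bytes) -> dict:
    """Extract user names and dates from docProps/core.xml inside a .docx."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(path):
        el = root.find(path, NS)
        return el.text.strip() if el is not None and el.text else None

    def date(path):
        value = text(path)
        return parse_w3cdtf(value) if value else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "created": date("dcterms:created"),
        "modified": date("dcterms:modified"),
        "last_printed": date("cp:lastPrinted"),
    }


def timeline_findings(props: dict, ntfs_created: datetime) -> list:
    """Return (code, explanation) pairs for every ordering that needs explaining."""
    created, modified, printed = props["created"], props["modified"], props["last_printed"]
    findings = []
    if printed and created and printed < created:
        findings.append(("printed_before_created",
                         "made from an older, already printed document whose properties it inherited"))
    if modified and created and modified < created:
        findings.append(("modified_before_created",
                         "Last Revised precedes Create Date: properties inherited from an earlier document"))
    if created and ntfs_created < created:
        findings.append(("word_created_after_ntfs_created",
                         "consistent with a newer document saved over an existing file"))
    elif created and created < ntfs_created:
        findings.append(("ntfs_created_after_word_created",
                         "consistent with the file being copied onto this volume after it was written"))
    if props["creator"] and props["last_modified_by"] and props["creator"] != props["last_modified_by"]:
        findings.append(("creator_differs_from_last_modifier",
                         "check who else handled the document, or whether the user name was changed"))
    return findings


def analyse(docx_bytes: bytes, ntfs_created: datetime) -> list:
    return timeline_findings(read_core_properties(docx_bytes), ntfs_created)


if __name__ == "__main__":
    for code, why in analyse(build_docx(SAMPLE_CORE_XML), SAMPLE_NTFS_CREATED):
        print(f"{code}: {why}")
```

Each finding is a prompt for explanation, not a conclusion: a printed-before-created ordering is exactly what a document built from an old template looks like, so the script's job is to make sure the ordering is noticed and accounted for in the report before the defence expert notices it for you.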
The Changing Face of Phone Forensics
May 8, 2009 by simon
Filed under Methodologies & Best Practices
My current position at work is that of supervisor of anything and everything associated with the forensic examination of mobile phones (cell phones to those on the other side of the Atlantic). This has, over the past two years, been a part of my work, but has recently become pretty much all of it.
Lee, who as listeners will know, works next to me, has often commented jokingly to our phone examiners that they are involved in “play forensics” and that they would someday graduate to “real forensics” in examining computers and disk images. Everyone has found such comments amusing and taken them well, but the past few weeks have made me consider the forensic examination of mobile phones.
It may have been the case a year or two ago that mobile phone forensics was not as in-depth, complicated or interesting as computer forensics, but I don’t think that is really the case anymore.
With the advent of the Apple iPhone, the Nokia N95 (and other Symbian v9 based devices) and the wider acceptance of new HTC handsets like the Touch Diamond, the G1 and the Touch HD, mobile phone examinations are now considerably more complex.
Even if these phones are discounted, the average storage and capabilities of phones have been increasing. In the past two years I’ve seen the average size of a phone examination (what we archive following completion of the job) increase from 50-150 megabytes to more than half a gigabyte. That doesn’t sound like much, but when you consider that the bulk of phones are still the smaller, older models, it means anything newer has an average content size of a gigabyte or more, especially once the memory card is included. New HTC handsets (such as the Touch HD, for example) can accept MicroSDHC cards of up to 32GB.
Phone forensic examinations used to consist of extracting all handset data and providing it to the client. With larger, more complex handsets this will have to change: the examiner will need to consider the specific requirements of the case and carry out an in-depth analysis against them.
My first mobile phone could make and receive calls, send and receive SMS messages, and, unusually for the time, access WAP content. “Smartphones” can do anything from word processing to accessing full web pages, uploading and downloading video via YouTube, reading ebooks and uploading content directly to the likes of Facebook, Bebo and MySpace. Anyone not up to date on these mobile devices will eventually miss something that would have strengthened a case.
While the basic categories of mobile phone content remain the same, the way that content is stored is changing. SMS messages can be stored on memory cards on a number of handsets. Given the size of commercially available memory cards (as previously mentioned), the number of messages that can be stored in this manner is massive. If a handset is examined and the memory card is not treated correctly, this kind of content can easily be missed.
With the ever-increasing array of mobile software or “apps”, it is becoming possible to do almost anything with a new mobile device. When you consider Java applications and the number of handsets that support them, this encompasses an almost unlimited number of handsets.
I think there is little doubt that the gulf between PC and phone examinations is narrowing. As phone forensics establishes itself, and as more handsets are released with more features, we will soon see the day when the forensic examination of any device is treated in the same way as that of computers and similar media. I think phone forensics itself has graduated, and is now as much a part of digital forensics as any work that can be undertaken on a PC.
Desensitisation
March 21, 2009 by Lee Whitfield
Filed under Methodologies & Best Practices
Working for a UK based forensic company I do a lot of work with cases involving indecent images of children (known commonly as child porn). When such pictures or videos are found on a computer they are categorised. The categorising of these pictures is according to the scale below:
1) Nudity or Erotic Posing of Child(ren)
2) Sexual Activity Between Children or Solo Masturbation
3) Non-Penetrative Sexual Activity Between Adult(s) and Child(ren).
4) Penetration of Child(ren)
5) Sadism/Bestiality Involving Children
Recent legislation also means that the above categories are divided into three subcategories based on the age of the subjects.
In our office we have a man who spends most of his time categorising material according to this scale. Sentencing is also based on the level of images found on a suspect’s computer: if a suspect has level 5 images they will be given a more substantial sentence than if they possess level 1 images. This individual has a job that I do not envy, but he has been doing this kind of work for decades and he has some interesting stories – but that’s for another time.
The work that he does helps us considerably. First, we don’t have to spend hours doing the task ourselves and second, our exposure to this material is reduced. We import his work into EnCase as bookmarks and perform a normal investigation.
This week this person had annual leave booked. This meant that the task of categorising images fell back on the investigators. At the last place I worked we did all of our own categorising, so I’m familiar with the material and just got on with it. I’ve worked in this field for three years and, in this time, I’ve seen and categorised several million of these images. Am I used to it? Have I become desensitised to this kind of material? Not in the least.
I can honestly say that categorising pictures this week has been horrible. I am disgusted and appalled by the things I see. Some people in this field will answer this with “You’re in the wrong business,” or “Don’t worry, you’ll learn to cope with it.” These kinds of comments are not helpful or even true.
After three years these people suggest that I should have developed some sort of immunity to this material but I don’t agree. I believe it is my disgust at these images that separates me from those people that view it illegally. I never want to sit down to do such a case and not feel terrible about doing it. I’m not saying that I can’t cope with the work, I can handle it just fine, but I never want to get to a point where it doesn’t affect me. If I ever reach it I will consider leaving the field in order to preserve my own humanity.
This is the main reason that I won’t stop arguing that we, as forensic investigators, should not be debating the difference between a 15 and a 16 year old, we should be left to get on with what we do best. We are not experts in child development, we are not paediatricians, we are digital forensic experts. I’m going to wave this banner until something changes or I die, whichever comes first. Sadly, knowing the legal system in the UK I have a feeling I know which one will arrive most quickly.
Law Enforcement Only
March 14, 2009 by Lee Whitfield
Filed under Methodologies & Best Practices
Before I begin I want to make it clear that I work as a subcontractor for several different police forces throughout England. I work for several private/defence clients too. I feel that this gives me good insight and a balanced point of view towards the two. I know that this can be a somewhat emotive subject but, having said that, I am not one to stay quiet on subjects that I feel strongly about. My colleagues know that, if they discuss it, I will interject and verbally assault anyone that disagrees with me.
As a contractor for the police we are tasked with providing forensic reports and statements based on computer or phone evidence. During our day to day work we encounter the same material to which the police themselves are exposed. We perform an investigation on the submitted evidence and then send the evidence, and the reports, back to the relevant constabulary while we retain copies for archiving purposes. We act on behalf of the prosecution in these cases. We are, in essence, doing the job of a trained cop.
As such it is my opinion that we should be permitted access to all the same training and software that are furnished for law enforcement officers.
Earlier this year a conference was held on the subject of mobile/cell phone forensics. On average our company completes around 80 phone investigations for various forces per month. With this in mind we decided it would be a good idea to send a couple of our phone investigators along to learn about any new developments. Upon contacting the organisers of the event we were told that we could not attend as we were not law enforcement. Factually this may be the case, but in what way do we really differ from law enforcement officers? We do the same work, their work, and we’re even on the ‘same side’ so to speak, so what reason could there be to exclude us? No explanation was offered. Not even an irrational explanation.
Excluding private and defence experts from such conferences is a strange practice. Expert reports and statements that form part of a criminal case, along with the testimony given, become public record (obviously with some exclusions). As a result any new investigation techniques discussed at closed conferences will soon become open knowledge anyway, so what is the point of restricting the flow of information in the first place?
The chasm between law enforcement and non-LE personnel widens drastically when you look further afield. Commercial software and training is offered to law enforcement at a significantly reduced rate. Why is this? Everyone that I have discussed this matter with has been unable to provide a concise answer. Is it due to budgetary requirements? Everyone has budgetary requirements to meet, in what ways do private companies and police forces differ in that regard?
Software such as iLook, COFEE, and many others are released as forensic and/or incident response tools for the use of law enforcement personnel only. Once again, the question is ‘why’? We work in an adversarial legal system where fairness and equality for both prosecution and defence should be central to each and every case. The legal system should be fair. The evidence and tools used by the prosecution experts should be accessible to the defence; how else can the legal system claim to be fair? A defence expert may be left with no recourse if the prosecution presents evidence found using one of these ‘LE only’ tools, evidence that has not been, and cannot be, independently verified and whose results cannot be challenged. Should the court allow this? Of course not. But for some reason it is acceptable.
The legal system is about fairness and equality. How can disqualifying forensic practitioners from events or software be in the best interest of the law or justice? Why should it matter whether or not they wear a badge and carry a gun?
Something ironic to finish. One of the organisers of the aforementioned conference (a police officer) recently contacted our company asking for some information relating to a case that we recently completed for a different force. We do not do any work for his force; in fact they do not outsource any of their work or permit the evidence out of their compound. We’ll gladly furnish him with the data, but he’s not going to like our conditions or the cost.
This subject is not going away. We will be discussing this very topic on a future episode of Forensic 4cast. If you want to appear on that episode to share your own point of view let me know.
How Much Are Your Clients Worth?
January 17, 2009 by Lee Whitfield
Filed under Methodologies & Best Practices
I am subscribed to a mailing list in which several forensic investigators converse about various issues. One such issue arose recently that struck me as slightly unusual, and some of the responses surprised me. The issue in question was simply “Do you bill clients for machine time?” The investigator was simply asking if we charge for time when the investigator is not working on the case but the computer is still working; things such as carving files or performing keyword searches. I do not know how many times I have had to leave a case overnight, or even over the weekend, in order to complete a task. All I know is that it happens frequently. So what are the flaws in billing for machine time? How can investigators and clients both be satisfied with the final bill? Should I charge my usual fee, or even a reduced fee, for the time that the computer takes to complete a process? My answer: it depends.
The variable in the answer is a case of exclusivity.
If you are an internal investigator or a law enforcement officer the article may not strictly apply to you, however I believe the principle of accountability applies to all regardless of their position or employer. We all have to report to someone whether it be employer or client. These people expect us to perform certain tasks in return for payment. If we are dishonest in our endeavors it will inevitably come back to haunt us. The best advice that I can offer? Be completely honest with your employer, clients, and whoever else to whom you are contracted.
Billing is a basic concept. We charge a certain amount of money ‘X’ per hour and do so many hours of work ‘Y’. Therefore X × Y = Z (where Z is the billable amount). The problem is that ‘X’, ‘Y’, and ‘Z’ can all be called into question if billing for machine time.
Look at your employment contract; it will likely state something along the lines of “you will not conduct business for anyone else during your working hours with…” This is a reasonable request, as your employer should not have to pay you for time that is spent working for someone else. More to the point, why should clients feel any differently? Many investigators will find themselves, at some point, working on several cases at once. They may run keyword searches on two cases and, while those are processing, continue to work on a third. What should they charge in such circumstances? If, say, you charge $200 per hour for your services, would you charge for the work on all three cases simultaneously, totalling $600 per hour? The computer has been working on three cases, so why not charge that much? There are five potential pitfalls that can create a stumbling block for an investigator if they choose to do this.
- First – Audits
Imagine trying to explain to an external auditor that you have earned three times your earning potential in a year. When the auditor looks at the total hours worked, and the fees charged for that work, how will you explain the discrepancies?
- Second – Computer Specification
Surely if you’re going to charge for machine time it should depend on how quickly your computer can process the data. If you ran the same keyword search on the same case on two different computers the time taken to complete those searches would differ drastically depending on the specification of the computer. What complex calculation would you use to determine the hourly rate for the differences in performance? If you’re planning on charging for this you’d better have some answers as your clients may come back to you with this question.
- Third – Number of Cases
Aside from the spec of your computer, the thing that will affect performance is how many cases you are working on at any given time. If you are running a keyword search on two cases simultaneously then the speed of each search could be halved, so do you charge half of your hourly rate? What happens if the search on one case finishes before the other? Do you charge half for the first hour taken and the full amount for the second hour? Do you sit and stare at your screen, making notes on when the first search finished so you know precisely how much to bill?
As you can see, this becomes very complicated and can waste a lot of time.
- Fourth – Expertise
Clients are not looking for the investigator with the fastest computer or the largest hard drive, the client is paying the hourly rate for your expertise in the field. They are not paying for processing power, they are paying for your experience and knowledge. The agreed hourly rate is for you, not for your computer. The client is paying a substantial amount of money to you, they do not expect to pay you regardless of whether or not you are physically working on their case.
- Fifth – Reputation
What would happen if a client discovered that they were paying you while you were working for another client, or out shopping, or fishing, etc? How would others perceive you? Your reputation could well be on the line.
People may argue and say things like “What about my bills? The cost of running the computer, the cost of keeping the office open while a process is run, how do I recoup these expenses?” The answer is quite simple. You do charge for these things, but in such a way as to maintain your integrity. When quoting for work don’t simply estimate; take your expenses into account. The hourly rate should not only reflect your expertise, it should also take into account depreciation of assets, such as computers, administrative effort related to the case, as well as electricity, other consumables, and non-investigative staff. Doing this will enable you to invoice clients with the confidence that you have done everything honestly, with your integrity intact.
There is, of course, an exception to the rule. If you are called upon to perform an investigation outside your office (on-site) then the client should be paying you for the time that you spend at the premises. This will include the time taken to acquire any devices. You may ask ‘why the difference?’ It is down to exclusivity. If you are at your own desk you will have other tasks that you can perform that do not relate to that client. When you’re away from the office you are expected to give your full attention to the client; they expect exclusive access to your skills and knowledge while you are there. Even if you are there only to acquire a single hard disk drive, the time taken to acquire it, regardless of how long it takes, should always be billable. Do not interpret this to mean that you should just kick back and wait for the process to complete. Use the time wisely: they are paying for you to be there, so do something productive such as completing forms, tidying up your notes, getting details about the case from the client (if applicable), and so forth.
There are many issues that affect how and what we bill clients, but it is important that we get it right if we want our clients to return with future business. Remember, the key is exclusivity. When in the office keep track of the time you spend in front of the screen working for the client. When you are not working for them, don’t bill them. This way you will ensure that your clients are happy with the cost of the work; all you have to worry about is the quality.
Lee Whitfield BSc (Hons) MBCS CCE EnCE is a digital forensic investigator and founder of Forensic 4cast.
You are The Weakest Link… Goodbye
January 16, 2009 by Lee Whitfield
Filed under Methodologies & Best Practices
Some time ago I appeared on Anne Robinson’s Weakest Link. I wouldn’t normally wish to appear on a TV game show but whilst playing the Weakest Link at home with my family I became so adept at winning that they suggested I try my luck on the real gameshow.
Appearing on the Weakest Link was quite nerve wracking. Not because of the redoubtable Anne Robinson, but because I did not wish to appear stupid to a national TV audience. I was also determined not to make the “walk of shame” at the end of round one only to see a professional dog walker from Purley go on to win the cash.
I didn’t win and I don’t expect you to believe this, but I actually knew the answers to everyone else’s questions.
So, has my moment of TV fame made any impact on my Expert Witness role? Well, it has actually. I learned some valuable lessons during filming that I won’t forget quickly, such as:
- Don’t submit yourself for questioning unless you know the topic.
- Don’t guess the answer, it is probably going to be wrong.
- Don’t shrivel under the withering gaze of a dominant questioner, answer quickly, boldly and with conviction.
An Expert should always know his Topic
A quantum expert is expected to have an abundant knowledge of construction methods and the measurement thereof. They will understand the original contracted scope of work, the site application of the materials in use and quantities required to fulfil that scope. Finally, they will know how the contract deals with the evaluation of changes to the works.
Likewise, a planning expert will not only know how to manipulate planning software, but will be experienced and practical. They will understand the processes of construction and how long an activity should take. The forensic expert will also know how the works should have been logically sequenced. Armed with this knowledge they can provide a tribunal with a fact-based analysis.
It all sounds so obvious and simple but there are still many Expert Witnesses who fail to fulfil the basic criteria set out above.
On an engineering project that seriously overran the programme, the Contractor’s planning expert witness accepted that the Contractor’s extension of time claim was correct, even though it sought an extension of time that took planned completion months beyond the actual completion date.
Disregarding strenuous arguments from the tribunal explaining the futility of such an expert finding, and despite being referred to earlier cases and learned academic texts to the contrary, the expert was immovable. In cross examination the expert faced the accusation that his findings were wholly “theoretical” and that, as a matter of record, the events did not happen at the times shown on his theoretical analysis. The expert refused to move from his stated position, and a chance to narrow the issues was lost, as was the Contractor’s case.
Experts should not guess
Cardinal Wolsey said “A man may believe what he will, but he should believe what he ought”. In essence experts are allowed to have an opinion but that opinion should not ignore the evidence. An Expert’s opinion should only be constructed under strict criteria, namely:
- It should be on a matter upon which they are informed
- It should be on a matter where they are experienced
- It should be on a matter upon which they are qualified to opine
- It should always be based upon available facts, where these are available
- If contemporaneous facts are not available, any published data relied upon must be from a reputable and reliable source
- Where it is a best estimate or guess, this should be clearly noted
In an arbitration on an overseas power project the Contractor’s expert was unable to verify the price of the Contractor’s bulk materials and so rather than carry out a measure of installed works the expert made the assumption that the total weights of pipeline materials delivered were installed. He applied an estimating rate and labour norms to the total delivered weights and valued the work accordingly.
Under detailed cross examination it was disclosed that the Contractor’s expert had not been able to find accurate weights for the numerous valves delivered, and so he had allocated them into columns of “less than 2kg”, “2kg to 10kg” and “10kg to 20kg”, making the assumption that every valve in each column was equal to the maximum weight in the column heading, i.e. 2kg, 10kg and 20kg respectively. This guess proved to be completely wrong, with many valves being only 30% of the weight allowed.
This was a wholly avoidable error as the necessary valve weight information was available on the internet, just a few mouse clicks away.
Guessing isn’t acceptable for an expert and if experts are asked to give an educated guess then they should make it clear that their answer is an approximation based on experience.
Experts should be sure of their opinions
When an expert has carried out his research thoroughly, has found sound evidence upon which to rely and has then formulated his honestly held opinion based on his experience, he should be better placed than anyone else to influence the tribunal.
Advocates, no matter how skilled and informed, cannot know the Expert’s field better than the expert, yet they sometimes convince experts that they do. If the Expert has prepared properly he should know the answers to all relevant and important questions and then he can safely confess to the tribunal that he does not know the answer to irrelevant questions.
Perhaps because of nerves, or maybe due to lack of preparation, experts are occasionally knocked off course by aggressive questioning. Experts must remember that forming an opinion is only a small part of the expert’s job, defending his opinion in the face of cross examination is potentially the more important part.
A short while ago I watched as experienced counsel took an expert to task on his report. The expert had not done all of his own research and soon became nervous. Counsel smelled blood and moved up a gear. The expert stammered and shook, and soon his evidence collapsed completely. Later, when the expert saw the transcripts, he was shocked; he simply could not remember agreeing that the opposing expert’s view was probably more prescient than his own.
Facing experienced counsel in cross examination is difficult, but the expert should remember that on the issues in question, he should be better informed about his report than opposing counsel. Firm, bold answers will help to unsettle the cross examiner who is always anxious to avoid reinforcing the opposing expert’s opinion.
Conclusion
Choosing an expert can be tricky: will they do the research, can you trust them not to guess, will they fold under hostile questioning? Only time will tell, unless you choose wisely from the ranks of experienced experts who have been there, done it and proudly wear the tee shirt.
As for the Weakest Link, was Anne Robinson scarier than a QC? Not really. In hindsight it was fun, and if you don’t believe me and you live in Purley, ask your local professional dog walker.
Jeffery Whitfield LLB, FRICS, MCIArb, MAE is an expert witness and forensic consultant in the field of construction. He is a partner at EC Harris.

