13. Computer Forensics
a. Definition – an image – a forensically sound copy that is an accurate and complete duplicate of the source evidence on a hard drive.
b. Deleted Files
i. When a file is deleted it is still present until the operating system overwrites it.
c. Types of ESI for which a Computer Forensics Specialist Is Needed
iii. Disguised – e.g., by changing the file extenstion.
iv. Tampered With – contents of file or its metadata are altered to prevent detection.
vi. Password protected
vii. Encrypted – contents scrambled by an encryption key or algorithm – the keys are digital.
viii. Headerless encrypted files – the operating system can’t detect these types of files.
d. Tasks of Computer Forensics Specialist
i. Recover ESI proving action was taken or event happened.
ii. Recover ESI proving action or event didn’t happen.
iii. Examine opponent or third party’s ESI.
iv. Evaluate the evidentiary strength of the ESI.
v. Rebut findings of opposing party’s expert.
e. Data sampling – check for responsive material without doing a full review.
f. To scientifically examine an email:
i. Do intelligence – issues surrounding an incident.
ii. Formulate a hypothesis as to the existence of responsive data.
iii. Create a forensic copy to be used for analysis
1. Forensic software creates an index of the words in the files.
2. Original storage devices are stored in a secure location and never examined.
iv. Test – run a query for emails using keyword, key phrases, and names.
v. Draw conclusions – review results to determine responsive, privileged and protected documents.
g. Computer Forensics and E-Discovery
i. ESI protected against destruction or compromise
ii. System is protected against malware such as viruses during the analysis.
iii. Extracted ESI is protected from mechanical or electromagnetic damage.
iv. Chain of custody is maintained.
v. Business operations are affected for a limited amount of time.
vi. Inadvertently collected client attorney information is not divulged.
vii. Protects computer system during forensic examination from any alteration, data corruption or virus introduction.
viii. Discovers all files on storage media including deleted files, hidden files, password protected files and encrypted files.
ix. Recover as many deleted files as possible.
x. Reveal contents of temporary or swap files used by applications and the OS.
xi. Access protected or encrypted files
xii. Review data in unallocated space on a disk which may be a repository of previous data, and slack space in a file
xiii. Opinion of the system layout; file structures; any discovered data or authorship information; attempted to hide, delete or encrypt information.
xiv. Provide expert testimony.
h. Slack space in a file is the remnant area at the end of a file, in the last assigned disk cluster, that is unused by current file data, but may be a possible site for previously created and relevant evidence.
i. Procedure in Computer Forensic Investigation:
j. Courts may allow forensic imaging if good cause is shown.
k. Neutral computer forensic experts may be appointed by the court.
l. Investigation Steps
i. Conduct interviews with IT staff, archivists, record managers, and data custodians.
ii. Determine relevant time periods.
iii. Identify relevant file types
iv. Identify key words, phrases, or concepts to be used as search terms.
m. Williams v. Massachusetts Mutual Life Ins. Co. (2007) court found no credible evidence that employer was unwilling to produce or withheld relevant ESI. The court would not appoint an expert to help ascertain existence of a document whose existence could not be verified.
n. Acquiring and Preserving the Image
i. The creation of a forensic copy is the acquisition.
ii. Also called a bit-stream copy or image – exact bit for bit copy – all meta data, file dates, slack areas, bad sectors are the same.
iii. Forensics Software Tools:
2. Digital Intelligence
3. X-Ways WinHex
4. X-Ways Forensics
o. Hash Value Authentication
i. Hash value calculated based on contents of image.
1. MD5 (Message Digest 5) 32 digit hexadecimal number checksum
2. SHA-1 (Secure Hash Algorithm 1) 40 digit hexadecimal number checksums
3. SHA-256 64 digit hexadecimal number checksums
p. Recovery of Deleted ESI
i. Computer forensics expert can detect that scrubbing or wiping software has been installed.
ii. Kucala Enterprises v. Auto Wax Co. (2003) Kucala installed evidence eliminator a day before an inspection of his computer and removed 15,000 files - the expert could prove it had been used. Lost case and had to pay court and attorney fees.
q. How to Broaden a Search
i. Stemming – invest* >> investment
ii. Synonyms – crisis >> problem
iii. Homonyms – personnel >> personal
iv. Fuzziness – Rule 502 >> Rule 52
r. CMOS chip – Complementary Metal Oxide Semnormalductor – stores itme and date – CAM values based on this.
s. Data Craving Tools – search through unallocated space on storage medium for file remnants by searching for headers of known file types.
t. Defensibility Documentation
i. Acquired evidence without altering or damaging the source.
ii. Verified acquired evidence was the same as the original.
iii. Analyzed data without alteration.
iv. Used systematic sampling techniques which agreed upon keyword, concepts, file types and date ranges.
v. Followed industry best practices and in accordance with forensic scientific principles.
vi. Conducted with verified tools to identify, collect, filter, bag & tag, store and preserve e-evidence.
vii. Documented thoroughly and in detail.