Guidance on Digital Forensics

Guidance Software, Inc. Digital Forensics Blog

What does “Forensically Sound” really mean?


by Andy Spruill, EnCE

May 18, 2010

One of my students recently asked me this question. It was perfectly timed, as it allowed me to dive into the topic for the night's lecture.

Forensics is the application of a broad spectrum of sciences to answer questions of interest to the legal system. This means that it is the legal system that determines what is forensically sound and therefore may be admissible into its proceedings. NOT any particular vendor, industry expert or certifying body. As a matter of fact, all of them appropriately turn to the legal system for its definition.

In the United States legal system, there are two basic standards that have been established by the courts in order to test the soundness of forensic evidence. These are known as the Frye and the Daubert standards.

Under Frye, in order to establish the soundness or admissibility of forensic evidence, the process used to derive that evidence must be "generally accepted within the relevant scientific community." Not much to it on its face, but still a strong enough test that worked very well in its application for many years. Today, however, only a few state courts still use this standard (California for one). The others have moved to the Daubert standard.

The reason for this transition is that Daubert is much more defined. In my personal opinion, it is the de facto standard that all should follow. The Daubert standard states that in order to be considered forensically sound and therefore admissible, the following must be applied to the theory or technique:

1. It must be falsifiable, refutable, and testable;
2. It must have been subjected to peer review and publication;
3. It must have a known or potential error rate;
4. There must be standards and controls concerning its operation, and they must be maintained;
5. The degree to which the theory and technique is generally accepted by the relevant scientific community.

So long story short, Forensically Sound is any theory or technique that meets the standards for the admissibility of forensic evidence as set forth by the relevant court system.

The EnCase Legal Journal gives much more detail on this topic.  It also lays out the defining legal cases where EnCase was challenged under these standards.  It can be downloaded from our public website under the resources tab.

When Was The Last Time You Tested Your Tools?

By Andy Spruill

March 10, 2010

I’ve been pretty quiet for the last month or so. It’s been a very busy time. Outside of the holidays and New Year festivities, I have also testified in another death penalty case and been immersed in a somewhat famous eDiscovery litigation. I fully intend to post some blogs on both of these when appropriate, as there are some fascinating insights and lessons to be learned from both.

Today I want to jump up on another one of my soap boxes. This was spurred by an email I recently read in one of the digital forensic listservs. The Computer Forensic Tools Testing (CFTT) project at the National Institute of Standards and Technology (NIST) is partnering with the National White Collar Crime Consortium (NW3C) to survey local and state law enforcement agencies to see what digital forensic tools they are currently using and would like to see tested by NIST. This is an outstanding idea. I promptly followed the link and completed the survey based on my casework at Westminster PD.

So here is my issue. As we all know, and may have experienced, tools and systems can become inaccurate or even fail with use. This is why forensic accreditations require practitioners across all forensic disciplines to perform some type of routine testing and calibration of the forensic tools and systems used for the capture and analysis of forensic evidence. This makes perfect sense given the sheer weight these tools and systems may have in someone’s liberty.

Too many times when talking about tool validation procedures, I’ve heard fellow practitioners state they only use NIST-validated tools, as if this somehow relieved them of this testing requirement. Whenever I hear this, my mind goes to the famous South Park gnome episode… Step 1: NIST Validates Tool, Step 2: “???”, Step 3: Validated Forensic Results. Translation for those of you who don’t watch South Park: Step 2 is the most critical step—and the one that the gnomes so humorously omitted. You must test and calibrate the tools and systems you are using. Not the ones that NIST used or installed, but the ones sitting on your desk or installed on your systems. The service NIST provides is invaluable to our community, as it helps guide us towards those tools and systems that meet certain industry or government standards, but in no way does it relieve you of your responsibility to test your specific tools.

To help us with Step 2, our friends at the CFTT project created the Computer Forensic Reference Data Sets (CFReDS) for digital evidence. Basically, they have made available simulated data sets that can be used to validate your tools.

So, when was the last time you actually tested that write blocker in your kit? If not recently, now might be a great time.
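As an added example (not from the original post, and not a CFTT or CFReDS tool), here is a small Python harness for the "Step 2" described above: run an imaging tool against a reference data set whose hash is known, confirm the output matches that hash, and confirm the source was not altered in the process, which is the guarantee a write blocker is supposed to provide. The reference image, its hash, the timestamped result record and the three stand-in "tools" are all constructed inline for the demonstration.

```python
"""Tool validation harness: run an acquisition tool against a reference
data set with a known hash and record whether the result matches.
Constructed example; not part of the original blog post or of CFReDS."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for a CFReDS-style reference image: 16 "sectors"
# of 512 bytes with a recognisable pattern. A real run would read the
# reference image file and take the published hash from the data set.
SECTOR = 512
REFERENCE_IMAGE = b"".join(bytes([i]) * SECTOR for i in range(16))
REFERENCE_SHA256 = hashlib.sha256(REFERENCE_IMAGE).hexdigest()


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def good_acquire(source: bytearray) -> bytes:
    """Stand-in for a correctly working imaging tool: bit-for-bit copy."""
    return bytes(source)


def truncating_acquire(source: bytearray) -> bytes:
    """Stand-in for a tool that silently drops the last sector."""
    return bytes(source[:-SECTOR])


def writing_acquire(source: bytearray) -> bytes:
    """Stand-in for an acquisition whose write blocker has failed: a
    mount-time metadata update alters the source before it is copied."""
    source[0:4] = b"MNTD"
    return bytes(source)


def validate_tool(name: str, acquire, expected_hash: str) -> dict:
    """Run `acquire` on a working copy of the reference image and check:
    1. the output hash equals the published reference hash (accuracy), and
    2. the source hash is unchanged afterwards (write protection held).
    The returned record is what you would file with your validation log."""
    source = bytearray(REFERENCE_IMAGE)
    before = sha256(source)
    image = acquire(source)
    after = sha256(source)
    result = {
        "tool": name,
        "tested_at": datetime.now(timezone.utc).isoformat(),
        "output_hash": sha256(image),
        "output_matches_reference": sha256(image) == expected_hash,
        "source_unchanged": before == after,
    }
    result["passed"] = result["output_matches_reference"] and result["source_unchanged"]
    return result


def run_validation_suite() -> dict:
    """Validate each stand-in tool; only imager-A should pass."""
    tools = {"imager-A": good_acquire, "imager-B": truncating_acquire,
             "imager-C": writing_acquire}
    return {n: validate_tool(n, f, REFERENCE_SHA256) for n, f in tools.items()}


if __name__ == "__main__":
    for name, r in run_validation_suite().items():
        print(name, "PASS" if r["passed"] else "FAIL", r)
```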

By the way, for being a loyal reader of my blog, I’ve worked out a $100 discount for anyone in the digital forensics field interested in attending CEIC, the leading conference for digital investigations professionals. Simply visit www.ceicconference.com and, during registration, enter the discount code: redrock.

Digital Forensic Reporting – Part II (Writing Style)

By Andy Spruill

December 16, 2009

In my last blog I talked about what the courts expect in the way of our reports as forensic experts. So what about our area of specialization, namely the field of Computer Science? Again, this field has been around a while and reporting standards have been well established.

The first thing to understand is that there are very specific and formalized writing “styles” that exist and are updated on a regular basis. These formalized styles will vary by country and the industry being served. For instance, here in the United States, the Associated Press (AP) Stylebook is followed by most newspapers; the medical industry generally uses the American Medical Association (AMA) Manual of Style; and, as many college students know, academia will generally follow the Modern Language Association of America (MLA) Style Manual.

In the world of the Computer Sciences, it is generally expected that any technical writings or research papers published within this field will follow the Institute of Electrical and Electronics Engineers (IEEE) Style. However, outside of an academic environment, this style is seen as overkill.

Knowing this and wanting to make for a more user-friendly environment, three of the major operating system manufacturers each published their own technical writing style guides using the IEEE Style as a foundation. Microsoft published its Microsoft Manual of Style for Technical Papers; Apple published its Apple Publications Style Guide; and Sun Microsystems published its Read Me First! A Style Guide for the Computer Industry. Of the three, I personally tend to follow the style as put forth by Microsoft. (Yes, I am a PC!)

The important thing to understand is that you should adopt one of the accepted writing styles within your industry and then adhere to it. This will allow you to put forward clean, consistent and professional reports.

The other part of writing within the Computer Sciences, and specifically in our discipline of Digital Forensics, is that we use a common set of terms and phrases. Like every profession, we have our own jargon that is meaningless to most laypersons. I recommend two basic references when defining these terms and phrases: Microsoft’s Computer Dictionary and The Sedona Conference Glossary: E-Discovery & Digital Information Management.

In my last blog I showed what was expected by the courts when writing our reports and here we have what is expected within our area of specialization. In my next blog I will talk about what is expected by the modern forensic sciences.

Digital Forensic Reporting – Part I

By Andy Spruill

October 20, 2009

One of my favorite soap box issues to talk about is the current state of reporting within the digital forensic discipline. Over the years I’ve had the opportunity to read many digital forensic reports, both as a peer and as an opposing expert. In doing so I’ve noticed a lack of understanding in what is required when creating these reports. The biggest reason I’ve heard, as many of you have, is that there is no standard in this area for our discipline. Well, that’s simply not true.

The forensic sciences have been around for quite a while, and there are clearly established standards when it comes to the reporting of forensic analysis and opinions. Our discipline brings to the table its own challenges, but every discipline does. In a prior blog entry, I mentioned that there are three basic areas you must master as a forensic specialist: Area Expertise, the Law, and Forensic Methodology. Reporting standards are well established in all three of these areas.

Let’s take a look at the Law first. After all, this is ultimately where most of the work we do will find itself.

There are only two basic types of report you will write: an Analysis Report and an Expert Report. What makes your report one or the other? An Analysis Report is a straightforward presentation of the factual findings of any analysis of the evidence. If you provide any interpretation, opinions or conclusions based on the factual findings, then you’ve entered the realm of the Expert Report.

Which report do you need to write? The simple answer is to ask what type of witness you will potentially be designated as to the court. If a percipient witness (someone who will provide testimony to facts), you will write an Analysis Report. If an expert witness (someone who will be asked to provide an expert opinion), then you must write an Expert Report. It is not uncommon to have one forensic specialist carry out the procedural analysis and documentation, and then have a separate, perhaps more experienced, forensic specialist prepare and present an opinion based on the factual findings. (1)

The United States Federal courts have established some basic rules for Expert Witnesses (Federal Rules of Evidence 702, 703 and 705) and what type of reporting they are required to submit.

In federal criminal proceedings, both government and defense experts must, if requested by either side, present a written summary of any testimony they intend to give. This written summary must describe the witness's opinions, the bases and reasons for those opinions, and the witness's qualifications. (Federal Rule of Criminal Procedure 16 (a) (1) (G) and (b) (1) (C))

In federal civil proceedings, the rules regarding Expert Reports are expanded. Once an expert witness is disclosed, unless otherwise stipulated or ordered by the court, this disclosure must be accompanied by a written report. The report must contain (i) a complete statement of all opinions the witness will express and the basis and reasons for them; (ii) the data or other information considered by the witness in forming them; (iii) any exhibits that will be used to summarize or support them; (iv) the witness's qualifications, including a list of all publications authored in the previous 10 years; (v) a list of all other cases in which, during the previous 4 years, the witness testified as an expert at trial or by deposition; and (vi) a statement of the compensation to be paid for the study and testimony in the case. (Federal Rule of Civil Procedure 26 (a) (2) (B))

So right up front, we see that the courts have set requirements when it comes to reporting by forensic experts. In my next blog, we will take these requirements and then apply modern forensic methodology reporting standards.

(1) Historically, only the expert witness has been required to testify, but a recent controversial US Supreme Court decision, Melendez-Diaz v. Massachusetts (No. 07–591), now allows for both to be called.

So, you want to be a Digital Forensic Examiner?

By Andy Spruill

October 5, 2009

As I travel around and speak to various groups, I am constantly being approached by people who are excited about the prospect of moving into this fascinating discipline within the forensic sciences. Some are business owners wanting to expand their service offerings, some are seasoned individuals looking for a change in their current career paths, and some are students looking to find their calling in life. I, of course, encourage every one of them to pursue this desire. One of the greatest challenges our discipline currently faces is a shortage of well-trained and experienced personnel. It’s why I take time out of my life to spend several hours every week teaching at a local university. It has to start somewhere. But I digress and will save this point for another day.

In talking to them about this field, I tell all of them, right up front, that to be successful and respected in this field there are basically three areas in which they must build up some amount of expertise. Like a three-legged stool, each must be equally developed, or they will find themselves slipping off the stool or totally falling down. They are:

Area Expertise. Most of them have this one pretty well developed. In our discipline we are talking about some technical expertise in the digital world. Whether it’s in computer science, networking environments, or programming, they have to have some skill that puts them ahead of the everyday lay person. Training and experience in the specialty is a must have requirement for any of the forensic disciplines and ours is no different.

Unfortunately, many of them think that this one requirement is all that is required to make the jump successfully. Many have made this jump based on this requirement alone, and many have failed because they realized too late that they had neglected the other two basic requirements.

The Law. Forensics is all about one thing and one thing only: the presentation of scientific evidence in a court of law. I tell them they can’t play ball if they don’t know the rules of the game. They don’t have to be lawyers, but they do need to know what is required by the courts when seizing, analyzing and presenting digital evidence in legal proceedings. Simple things like understanding Daubert / Frye, or where in the litigation process the work they will be doing will fall and what will be required of them in each phase.

Courtrooms… Lawyers… Judges… Juries… Oh My!

Many of them have never experienced what is required to give a technical presentation in front of a group of people, much less have someone publicly challenge their findings and opinions. Simply put, it’s not for everyone, but it is ultimately where all this is heading. This generally gives many of them some pause to think. So, on to the third and most important of the three legs of the stool:

Forensic Methodology. Understanding and following modern forensic practices and methods is essential. Digital forensics is only one of many forensic disciplines within the forensic sciences. Handling our medium has its own special requirements, just as all of the other disciplines have their own specific requirements. But there are some basic procedures that all must follow such as evidence handling, quality assurance controls, and documentation and reporting. Failure here generally means that all of the hard work and effort will have been for naught.

By this point in the conversation, many of them have come to realize that they have their work cut out before they can hang that shingle outside of their doors. Invariably, they all ask what they can do to get these legs developed. Where can they go to get started? Well, here are some suggestions:

Formal Education. Seek out local universities and colleges that have Forensic Science programs. Many are now offering coursework specifically in the digital forensic discipline. Some of these institutions have integrated these courses into their existing full-time programs, like at Cal Poly Pomona. Others have built it into a certificate program in their extended education curriculum, like at Cal State – Fullerton.

Focused Training. Seek out training in specific tools and technologies, like those offered here at Guidance Software for the tools built on our EnCase technology.

Professional Associations. Seek out, join, and actively participate in one of the many professional associations and groups specializing in the forensic sciences or digital forensics. Groups like the High Tech Crime Investigators Association or IACIS have local chapters all over the world.

Personal Development. If you have problems with public speaking, join groups like Toastmasters. If you are weak in technical writing, debate or critical thinking, take some courses at your local community college.

Don't Fool Yourself: Gangs Blog and Tweet Like We Do

By Andy Spruill

September 21, 2009

On Friday, August 14, 2009, California Judge William Froeburg confirmed the death penalty handed down by a jury a few weeks earlier for Jason Aguirre, a member of a known violent street gang in Orange County, California (located just south of Los Angeles). In August 2003, six years earlier almost to the day, Mr. Aguirre had gunned down a young teen boy and critically wounded two other family members in a case of mistaken identity. For this, the jury found him guilty of first-degree murder with the special circumstance of committing the murder for the benefit of his gang.

What was it that convinced these twelve Californians from various walks of life to hand down the ultimate sentence? Was Mr. Aguirre's DNA recovered from the crime scene? No, his DNA was found on a bandana in a car that was used in the crime, but one he had been in many times, not just that night.

Were his fingerprints on the gun? Did the ballistics match up? No, the gun was never recovered. Though there were other perpetrators fingering him as the shooter, the motives behind their testimony could be easily challenged without something to give it some standing.

So what put Mr. Aguirre on California's death row? Big surprise here... Digital Evidence.

Yes, it’s true, gang members use the same powerful social media to communicate with one another just as we do.

Like many of you, I have seized and analyzed my fair share of digital devices. But by far, the ones that have proven themselves, time and again, to be a treasure trove of evidence and criminal intelligence have been those used by gang members. In their online chat sessions, gang members discuss activities that include the planning and execution of crimes, drug cultivation and distribution, and the buying and selling of weapons, to name just a few of the things I have seen. The social networking Web sites they visit glorify gang culture or promote their individual street gangs. These same gang members, who won't say a word to you when questioned, will have folder after folder full of digital photos documenting their gang life, everything from gang posturing to drug use and other crimes. Throughout all of their use of digital devices, they nearly always use their known gang monikers as their online identifiers.

I can't count the number of times I've received surprised reactions from not just lay persons, but fellow officers, when explaining what I routinely collect from gang members' devices. Here's what I hear: "They don't use that stuff, do they?" or "They're not that sophisticated. They're just street criminals." or "Really?"

Technology is simple to use by design. The simpler to use, the deeper the possibility of market penetration. You don't have to be an über-nerd anymore to use the most advanced of today's technology. This is good news for law enforcement groups that recognize the benefits of a computer forensics team that can build strong cases using the digital evidence that exists in just about every criminal case today.

I know this is the first blog I am posting and I wanted to drive home the point, right up front, that when we talk about digital forensics, we are talking about the forensic analysis of items that are a part of our everyday life. Things that permeate our society to the point that they are taken for granted and easily overlooked. Just like trace evidence, there is plenty there, if we just look.

By the way, if you want to learn more about the Aguirre case, Detective Tom Rackleff (the man responsible for luring me into the world of Digital Forensics) and I wrote an article published in Law Officer magazine this month. Here is the link to the online version of the article: http://www.lawofficer.com/news-and-articles/articles/lom/0508/caught_in_the_web.html.