Category Archives: Computer forensic

Why I like Forensic ToolKit (FTK)


Sometimes I get asked what software I use most in computer forensics. I promise I’m not a paid spokesperson here, but I’m a big fan of AccessData’s Forensic Toolkit (FTK). I’ve been using different versions since about 2001, and I consider it the primary workhorse in my forensic tool arsenal. The current version is 6.1, which was released in October 2016. (Well, it’s the current one as of the initial posting of this article in February 2017.)

A couple of the key aspects of FTK I enjoy:

Multiple installations: FTK can be installed on multiple computers. To operate on a specific computer, you need a security dongle that you physically attach to that computer. If you want to work on another computer that has FTK installed, though, you can move the dongle and do it — it’s very easy. A lot of computer forensics programs don’t make this easy, which I think is one of the bigger value-adds of the FTK software.

Consistent search results: If you’re in the investigating phase or performing document review — and if you’re searching in FTK or a program like Summation — you can get consistent search results delivered quickly. This is a huge time-saver.

Fairly simple: With so many different tools on the market (for anything, really), I keep coming back to the idea that simplicity is key. FTK is powerful, but it’s deceptively simple. For example: all digital evidence gets shared in one case database. Anyone who needs to access the information has it all in one place. With some other forensics programs, there are multiple datasets — which increases the time and complexity you need to deal with, especially if you’re looping new people or new teams into the process.

Support and training: Their training and support options are world-class.

Visualization: We supposedly live in this era of “Big Data,” which I think is mostly true. But one of the things we miss about Big Data is that when we’ve put together lots of information, we still need a way to present it to people effectively. Many human beings are visual creatures, which makes the visualization aspect of FTK a huge value-add. I can automatically construct timelines and graphically illustrate relationships among parties of interest in a case; I can also use cluster graphs, pie charts, and geolocations. When I’m done with the different visualizations, I can then generate reports that are easily consumed by attorneys, CIOs or other investigators. This is absolutely amazing — and makes the back-and-forth aspect of this work much easier.

That’s my vote, then: FTK. I’ve been around it almost two decades and I don’t see that changing anytime soon. Had a different experience with FTK, or have another forensics program you want to extol the virtues of? I’d love to hear.

Do users have a reasonable expectation of privacy on TOR?

On January 26, 2017, I testified in Federal court as an expert witness for the defense in a case.
The testimony concerned The Onion Router (TOR), the Dark Net, and Playpen. The case involved a Network Investigative Technique (NIT): in the FBI's Operation Pacifier, a search and seizure warrant allowed the FBI to seize and operate the server that hosted Playpen, and the FBI then used the NIT to place malware on the computers of visitors to that server, which revealed their true IP addresses.
I’ve testified in other cases before, but this was an interesting one because it brought up a lot of questions that are paramount for the current era. Namely: when a computer user uses TOR, do they have an expectation of privacy? Is that legally relevant? And should the general public look at TOR and assume an expectation of privacy?
Ultimately, the judge in this case (and others) said that users don’t have a reasonable expectation of privacy on TOR. VICE explained this in a recent article too. The judge’s ruling was, in part, predicated on the idea that users give their IP address to connect to TOR; thus, the judge said, the IP address is “public information that … eventually would have been discovered.”
Now, the law is one of the slower-moving entities in terms of reacting to, and understanding, technology. I've seen this for years. In true form, then, they missed the boat on the TOR ruling. Users do reveal their IP address to their guard (entry) node when they connect, yes. But from there TOR relays the traffic through further nodes, and each node knows only the hop before it and the hop after it: the user's ISP sees only a connection to a guard, the guard never sees the destination, and the exit node (or the hidden service) never sees the user. No single ISP can correlate which IP address is visiting which site.
You can technically identify a specific TOR user with traffic correlation: an adversary who can watch both ends of a circuit, the traffic entering at the guard (or at the user's ISP) and the traffic leaving at the exit (or arriving at the hidden service), can match the two flows by their timing and volume. But that requires controlling or monitoring a large share of the network, or both ends of that particular circuit, at the same time; it is not something a single ISP or website can do from one vantage point. The judge's ruling seems to indicate that the government would have found another way to get IP addresses from TOR users, but then doesn't talk about how that could have possibly happened. In fact, in this case the only reason the FBI was using the NIT to begin with was because it couldn't find another way to determine the true users of hidden sites.
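To make the "both ends" requirement concrete, here is a toy simulation of end-to-end traffic correlation. It is an added example, not code from the original post or from the Tor project. It assumes a simplified model: synthetic packet timestamps are observed at the two ends of a circuit, the circuit adds a roughly constant latency plus jitter, and the adversary compares binned packet counts with Pearson correlation. The circuit delay being known to the adversary is an assumption made to keep the example short (a real attacker would search over candidate lags); all traffic is generated inside the file.

```python
"""Toy end-to-end traffic-correlation model for a Tor-like circuit.

Added example, not from the original post. Synthetic traffic only; the
constants below are assumptions chosen for the simulation, not measurements.
"""
import random

DURATION = 60.0        # seconds of observed traffic
BIN_SIZE = 0.5         # width of the timing bins used for correlation
CIRCUIT_DELAY = 0.35   # assumed mean client-to-exit latency (an assumption)
JITTER = 0.05          # standard deviation of per-packet delay variation


def client_side_flows(n_clients, n_packets, rng):
    """What an observer at the user's ISP or guard sees: packet times per
    client, but no destination. Times are synthetic (uniform over DURATION)."""
    return {f"client-{i}": sorted(rng.uniform(0.0, DURATION) for _ in range(n_packets))
            for i in range(n_clients)}


def exit_side_flows(client_flows, rng):
    """What an observer at the exit (or at a hidden service's guard) sees:
    packet times per destination after latency and jitter, but no client
    address. The returned mapping is the ground truth the adversary wants;
    the shuffle ensures destination order leaks nothing about the client."""
    names = list(client_flows)
    rng.shuffle(names)
    truth, exit_flows = {}, {}
    for j, name in enumerate(names):
        dest = f"dest-{j}"
        truth[name] = dest
        exit_flows[dest] = sorted(t + CIRCUIT_DELAY + rng.gauss(0.0, JITTER)
                                  for t in client_flows[name])
    return exit_flows, truth


def bin_counts(times):
    """Histogram of packet times into BIN_SIZE-wide bins."""
    n_bins = int(DURATION / BIN_SIZE) + 4   # slack for packets delayed past DURATION
    counts = [0] * n_bins
    for t in times:
        b = int(t // BIN_SIZE)
        if 0 <= b < n_bins:
            counts[b] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if either is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return 0.0 if va == 0 or vb == 0 else cov / (va * vb) ** 0.5


def best_match(client_times, exit_flows):
    """Correlate one client's entry-side timing against every exit-side flow.
    Note the inputs: the attack needs BOTH views. With only the client side
    there is nothing to match against, and with only the exit side there is
    no client to name."""
    ref = bin_counts(t + CIRCUIT_DELAY for t in client_times)
    scores = {dest: pearson(ref, bin_counts(times)) for dest, times in exit_flows.items()}
    best = max(scores, key=scores.get)
    return best, scores[best]


def run_simulation(n_clients=20, n_packets=200, seed=7):
    """Return (clients correctly linked to their destination, clients total)."""
    rng = random.Random(seed)
    client_flows = client_side_flows(n_clients, n_packets, rng)
    exit_flows, truth = exit_side_flows(client_flows, rng)
    correct = 0
    for name, times in client_flows.items():
        dest, _ = best_match(times, exit_flows)
        correct += dest == truth[name]
    return correct, n_clients


if __name__ == "__main__":
    linked, total = run_simulation()
    print(f"linked {linked}/{total} clients to their destinations using both views")
```

With both views the simulation links every client to its destination, because the true pair shares nearly all of its timing bins while unrelated pairs correlate near zero. Strip either input from best_match and the function has nothing to work with, which is the practical content of the "you need both ends" argument: an ISP, a guard operator or a website alone holds one view each.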
I’m not going to come out and say that I’m a huge fan of TOR — some legitimately bad stuff happens on there hourly. But TOR users should have a legitimate expectation of privacy, and the general public should assume that expectation as well. Part of the confusion is that people don’t understand how TOR works, and part is the hypersensitivity these days around privacy issues as mobile and digital continue to scale globally. But there absolutely should be a legitimate expectation of privacy on TOR networks.

Dedicated and Fully Committed Criminal Litigation Services Help Defendants Resolve Their Case

Anyone can be charged with a crime he did not commit and face criminal prosecution. Though the US Constitution presumes an accused innocent until his “crime” is proven beyond reasonable doubt, it does not always work that way. An accused has the right to a speedy trial under the Sixth Amendment, and the Fifth Amendment safeguards him against self-incrimination: an accused may remain silent during questioning. The Fourth Amendment prohibits unreasonable searches and seizures. All these protections notwithstanding, an accused may be convicted purely on the basis of circumstantial evidence, especially in cases where digital evidence is involved. The prosecution may not be able to unravel the digital evidence, or may simply ignore it. It is for the defendant to hire a competent attorney, one well versed in getting to the root of the matter and able to unravel digital data and present it in a form that stands up as compelling evidence disproving the accusations and the circumstantial evidence against the defendant.

Technology has been with us for quite some time. However, attorneys are focused on the law and may be quite unfamiliar with handling digital data, especially in computer-enabled crimes such as Ponzi schemes, bank fraud and other white-collar crimes. This is where the services of an expert in computer and digital forensics prove invaluable.

Litigation, whether civil or criminal, is a drawn-out and expensive affair. If, at the end, a wrongly charged defendant loses, he stands to spend time in prison, pay a hefty fine, or both. In addition, his reputation is besmirched and he loses his social standing as well as his job. Once returned to society after a conviction, he cannot regain his previous status; he is marked forever. This might never have happened had he had the benefit of expert investigative assistance. Employing experts to examine witnesses, compile testimony, unravel digital data and even appear on the witness stand can turn the tables in favor of the defendant.

One such organization committed to helping wrongly accused defendants is ICFECI. Dan James, an expert in computer forensics and a certified fraud examiner, leads ICFECI in pursuit of its goal: providing investigative services and adequate representation to defendants under Title 18 of the United States Code, Section 3006A. If anyone is embroiled in a criminal case as the accused and has retained a lawyer for criminal litigation services, ICFECI provides indispensable investigative support that helps the lawyer defend the case for his client. Dan has a BS in criminal justice, is a licensed private investigator and has a wealth of experience in conducting investigations as well as compiling evidence. He and his team of experts at ICFECI diligently pursue every lead in order to prepare a rock-solid defense. ICFECI’s expertise in computer and digital forensics proves especially invaluable in cases where digital data is involved. An individual may be wrongly implicated through indirect, circumstantial inferences drawn by the authorities, but Dan and his team unravel the digital data to disprove such allegations.

Computer forensics is but one part of the evidence ICFECI’s criminal litigation services compile in support of defendants; examining witnesses, pursuing the paper trail and appearing on the stand as an expert witness are the others. ICFECI and its team never give up, even if the case appears hopeless. People wrongly accused of crimes have trusted ICFECI and have been acquitted.

3 TECHNOLOGIES USED IN COMPUTER FORENSIC INVESTIGATION

Technology and the internet have provided a wide platform for cyber and white-collar crime. Crime involving the use of computers and technology is rising at an unprecedented rate. In light of this, the field of forensic investigation has introduced cutting-edge tools and equipment in order to keep pace with the criminals. From recovering deleted data to tracing evidence on internet servers, computer forensics has adapted technology to solve sophisticated crimes involving modern resources such as computers, laptops, cell phones and tablets.

The basic function of computer forensic tools is to extract and analyze vast amounts of data and zero in on the relevant facts and evidence that benefit the criminal or civil litigation at hand.

While the acquisition of digital evidence and the process of presenting it in court is a complex task carried out by expert computer forensic investigators, there are countless tools available to aid the procedure. Among the wide range of technologies available, however, forensic experts rely on software and equipment that are accepted by the courts and that help them investigate efficiently and effectively. The tools selected by digital forensic investigators must be platforms accepted by a court of law, since that underpins the reliability and admissibility of the evidence: the examiner must be able to show that the tool produces repeatable results and that the evidence was not altered in processing. Here we focus on specific tools, their benefits and their advantages over other forensic equipment available.

Forensic Toolkit (FTK)
FTK, the Forensic Toolkit, is a digital forensic tool accepted by the courts and designed for analyzing vast repositories of data at high speed. It is characterized by stability, ease of use and speed, which make it a reliable source of digital evidence. It efficiently searches, filters, indexes and analyzes data and points out the relevant facts and evidence pertaining to the case. Owing to its database-backed architecture, FTK can be used for collaborative analysis and web-based case management. However, the most important aspect of FTK, and the one that makes it a favorite among computer forensic investigators, is the speed with which it filters the relevant evidence from a heap of data.

Mobile Phone Examiner Plus (MPE+)
Selecting a tool for cell phone forensic examination is a challenging task. Investigators are required to choose a cell phone analysis tool that keeps up with ever-changing mobile phone technology. Mobile Phone Examiner Plus is a stand-alone investigative solution for digital cell phone forensic analysis. It presents a unique approach to cell phone data extraction, making it easy to zero in on the key facts and evidence. It supports the analysis of more than 7,000 mobile phone models, including GSM and CDMA devices, across platforms such as BlackBerry, Android, iOS and Windows. MPE+ has robust tools built into its architecture, providing a single solution for multiple platforms and making the investigation a cost-effective process.

dtSearch
dtSearch is one of the most widely used search tools among computer forensic examiners, deployed by most forensic investigators owing to its ability to reduce data search time. It indexes and searches data on drives and other digital storage media; it is a search engine rather than an imaging or hashing tool, and FTK’s own index is built on the dtSearch engine. dtSearch is a pivotal element of modern forensic investigation due to its ability to search through a variety of document types such as HTML, PDFs, PSTs and Unicode text, and common files like Word documents, Excel sheets and more. Instantaneous identification of key facts, such as file names and strings, reduces the overall time frame of analysis, providing accurate results that assist in reaching a successful resolution of a case.

The roles of the computer forensic investigator and of the forensic tool are complementary in an investigation. High-end, user-friendly and effective tools are imperative to the successful resolution of a case and the effective representation of the clients involved. Similarly, competent and experienced analysts should be employed who can operate this complex equipment, extract the required information and present it as admissible evidence.

CELL PHONE FORENSICS INVESTIGATORS LEAVE NO STONE UNTURNED

Technology paved the way for development and also opened the door for criminals to commit crimes without being caught for years. Mobile phones are now a double-edged sword: they create new security risks while offering valuable sources of evidence for the cell phone forensics investigator. Their capabilities make mobile devices more like computers that help us navigate the world, and the investigator uses the information stored on and generated by them to reconstruct communications, movements and other personal details.
Cell phone forensics, an integral part of digital forensics, is vital to accurate investigations associated with criminal and civil litigation. It comprises SMS recovery, location tracking, recovery of multimedia files and the contact records of a cell phone, and the dates and times of incoming and outgoing calls. Anyone intentionally engaged in illegal activity will take predictable precautions to hide their tracks. Some of the protective measures adopted by criminals to avoid being caught are listed below:

Encrypting data
Wiping tools
Secure deletion tools
Steganography
Remote data storage devices
Digital data compression

Cell phone forensics requires considerable effort to extract information from smartphones, cell phones and other devices. As forensic investigators of cell phones, we generally rely on seven techniques to extract and determine cell phone activity, listed below:

Bypassing Security Codes
With the help of specialized tools, digital forensic investigators can extract or bypass the security code (the PIN, password or pattern lock) on some locked mobile devices. Bypassing the security code then allows the data to be acquired from the device with forensic software.

Safe SIM Card
On some handsets the confidential data in memory is destroyed if a wrong SIM card is inserted, and inserting the original SIM lets the phone register on the network, where an incoming call, message or remote wipe could alter the evidence. Keeping this in mind, investigators create “safe” SIM cards for the examination: cards that carry the original SIM’s identifiers so the handset accepts them, but that cannot register on a network, so the phone can be examined in isolation.

Live acquisition
Valuable evidence may be lost if the battery is removed (or the phone powers down) before forensic acquisition: volatile data, unsaved state and, on encrypted handsets, access to the decrypted data can all disappear. To make sure that this evidence is preserved, investigators may leave the device powered on until the forensic acquisition can be performed. In that case precautions must be taken beforehand to shield it from external influences, such as a Faraday bag, airplane mode or a shielded lab, so that a remote wipe, an incoming message or a network update cannot alter the evidence.

Trusted Time Source
Even if the clock on the device shows the wrong time, timestamps generated by the network remain reliable. For example, the time shown on a received SMS is stamped by the SMS service center (SMSC), not by the phone, so it can serve as a trusted reference against which the device clock, and other timestamps taken from the device, can be checked.

Tracking movements
Several mobile devices store location-based data related to user activity and to the media on the device, such as cell tower and Wi-Fi history, map and navigation data, and GPS coordinates embedded in photo metadata. Investigators recover this data to determine the geographic location of the device at a particular time.

Recovering Deleted Data
Call logs that were deleted, whether accidentally or intentionally, can often be recovered by investigators with ready-to-use forensic tools, which report the details of missed, dialed and received calls. A deleted entry can only be recovered as long as the storage it occupied has not been overwritten, so the sooner the device is preserved, the better.

Getting Physical
On a growing number of mobile devices, investigators can recover far more deleted data by acquiring and analyzing the complete memory contents (a physical acquisition). A logical extraction only returns what the device’s own software reports, whereas the physical image still contains records that were marked deleted but not yet overwritten.
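The difference between the last two techniques, asking the database versus reading the bytes, can be shown on a file. The following is an added example, not code from the original post or from any forensic product: it builds a small SQLite database shaped loosely like a phone’s call log (the schema, numbers and timestamps are constructed for the example, not a real handset’s table), deletes one row the way an app would, and then compares the SQL view with a regex carve over the raw file bytes, which stand in for a physical memory image.

```python
"""Logical extraction vs. carving a physical image for deleted records.

Added example, not from the original post. The table, numbers and times are
constructed for this example; the file on disk stands in for a physical image.
"""
import os
import re
import sqlite3
import tempfile

DELETED_NUMBER = "+15550100002"
E164 = re.compile(rb"\+1555\d{7}")   # matches the constructed numbers below


def build_call_log(path: str) -> None:
    """Create the constructed call log and delete one entry the way an app would."""
    conn = sqlite3.connect(path)
    # With secure_delete off, SQLite does not zero the bytes of a freed cell; it only
    # rewrites the first few bytes as a freeblock header. That is why the deleted
    # row's payload survives in the page until the space is reused.
    conn.execute("PRAGMA secure_delete=OFF")
    conn.execute("CREATE TABLE calls(id INTEGER PRIMARY KEY, number TEXT, ts INTEGER, type TEXT)")
    conn.executemany("INSERT INTO calls(number, ts, type) VALUES (?, ?, ?)", [
        ("+15550100001", 1486000000, "incoming"),
        (DELETED_NUMBER, 1486003600, "outgoing"),
        ("+15550100003", 1486007200, "missed"),
    ])
    conn.commit()
    conn.execute("DELETE FROM calls WHERE number = ?", (DELETED_NUMBER,))
    conn.commit()
    conn.close()


def logical_numbers(path: str) -> list:
    """What a logical extraction (asking the database) reports."""
    conn = sqlite3.connect(path)
    try:
        return [row[0] for row in conn.execute("SELECT number FROM calls ORDER BY id")]
    finally:
        conn.close()


def carve_numbers(image: bytes) -> list:
    """What a carver finds in the raw bytes, deleted or not, in file order."""
    return [m.group().decode() for m in E164.finditer(image)]


def compare_views(path=None) -> dict:
    """Run both views against the same database file and report the difference.
    If no path is given, a temporary file is used and removed afterwards."""
    tmpdir = None
    if path is None:
        tmpdir = tempfile.mkdtemp()
        path = os.path.join(tmpdir, "calls.db")
    try:
        build_call_log(path)
        logical = logical_numbers(path)
        with open(path, "rb") as f:
            carved = carve_numbers(f.read())
        return {
            "logical": logical,
            "carved": sorted(set(carved)),
            "deleted_only_in_image": sorted(set(carved) - set(logical)),
        }
    finally:
        if tmpdir:
            for name in os.listdir(tmpdir):
                os.remove(os.path.join(tmpdir, name))
            os.rmdir(tmpdir)


if __name__ == "__main__":
    result = compare_views()
    print("logical view :", result["logical"])
    print("carved view  :", result["carved"])
    print("only in image:", result["deleted_only_in_image"])
```

The same principle is what a physical acquisition exploits on a handset: the application’s database no longer lists the record, but the flash pages still hold its bytes until they are reused, and a carver working on the image finds them. Turning secure_delete on (or an app that vacuums its database) is the counter-measure, which is why the caveat above about acting before the space is overwritten matters.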