Collecting and Analyzing Digital Forensics

Investigations now often include evidence gathered from such sources as social media, Web sites and cloud services.

Team members from TransPerfect Legal Solutions pointed the way toward the best methods to collect and properly handle such information. Andrew Neal, Director, Forensic Technology and Consulting; Daniel Andriulli, Digital Forensics Manager; and Joe Pochron, Digital Forensics, presented their ideas at the 61st Annual Meeting of ASIS, the world’s leading security organization.

Fundamentals

Andrew Neal said forensic science is not new, having begun around 300 B.C., if not further back in history. Forensic science opened the way to the scientific method and is a means for many different identifications and analyses. With the advent of cyber information, Web sites, E-mail, social media, and cloud services have entered the scene. “Any E-digital devices reacting with each other, change each other,” Neal said. That huge network of interaction presents new challenges in forensic science.

The panelists pointed out that, in legal proceedings, investigation involves chain-of-custody matters. Traditionally, a document or item was annotated with who had contact with it each time it was examined, which tracked the physical item. Cyber information is not always so easy to track: the integrity of the information must be verified, and it must be shown that nothing was changed on the device or in the information taken from it.

Appraisal

Decisions may have to be made about the process of collecting data and the defensibility of that process. For example, unless a Word document is a redline version, the changes made to it on the way to its final printed version might be lost. The native format might be better, but if a document is converted to a PDF, it might not match the original.

In addition, there is the matter of data about data, or “metadata.” Dates, file names, ownership, and so on should be stored separately from the document itself.
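The two points above, verifying that nothing changed after collection and keeping metadata in a record separate from the document, are what a hash-based chain-of-custody log provides. The following is an added example written for this article, not code from the panelists or TransPerfect; the file name, custodian names and file content are constructed, and the log format is an assumption of the example.

```python
import datetime
import hashlib
import json
import os
import tempfile


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 of an in-memory byte string."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hex SHA-256 of a file, streamed so a large image need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_metadata(path: str) -> dict:
    """The 'data about data' the article mentions (name, size, ownership, dates),
    recorded in a separate structure rather than inside the document itself."""
    st = os.stat(path)
    modified = datetime.datetime.fromtimestamp(st.st_mtime, datetime.timezone.utc)
    return {
        "file_name": os.path.basename(path),
        "size_bytes": st.st_size,
        "modified_utc": modified.isoformat(),
        "owner_uid": st.st_uid,
    }


def custody_entry(path: str, custodian: str, action: str) -> dict:
    """One chain-of-custody record: who handled the item, when, what they did,
    and the hash that lets anyone later prove the content is unchanged."""
    return {
        "timestamp_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "custodian": custodian,
        "action": action,
        "sha256": sha256_file(path),
        "metadata": collect_metadata(path),
    }


def verify_integrity(path: str, entry: dict) -> bool:
    """True only if the file still hashes to the value recorded at collection."""
    return sha256_file(path) == entry["sha256"]


def demo() -> dict:
    """Acquire a constructed sample document, verify it, alter it, verify again."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "contract_draft.docx")  # constructed sample item
        with open(path, "wb") as f:
            f.write(b"constructed sample evidence content\n")
        log = [custody_entry(path, "analyst-1", "acquired")]
        intact = verify_integrity(path, log[0])
        with open(path, "ab") as f:  # simulate an unlogged change after collection
            f.write(b"edited after collection\n")
        still_intact = verify_integrity(path, log[0])
        log.append(custody_entry(path, "analyst-2", "re-examined"))
        return {"intact_before": intact, "intact_after": still_intact, "log": json.dumps(log, indent=2)}


if __name__ == "__main__":
    print(demo()["log"])
```

Running `demo()` shows the second log entry carrying a different hash from the first, which is exactly the discrepancy a reviewer looks for when deciding whether the item was changed between handlers.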

Cloud evidence (for example, Dropbox™, the file sharing and storage service) may depend on vendor-specific constraints, or user or administrator interfaces. There may be the need to contact the vendor and determine how archiving occurs and what applications are needed to retrieve a stored item.

Geographical problems might emerge if the data is dispersed to another nation or across multiple storage devices. Even if it remains in the US, different states might be used for the cloud, server, user, and even the location of the crime in which the data takes a role.

Useful Tools

The panelists described a variety of forensic tools to assist with these and similar problems and considerations.

The Web site www.httrack.com offers a free and easy-to-use offline browser that downloads a Web site from the Internet to a local directory, rebuilding all of the server’s directories, HTML, images, and other files on a computer to make a “localized” copy.

The Web site www.x1.com offers social media discovery and Web collection as an investigative tool for E-discovery, compliance, and computer forensics. It addresses social media content, Web site collection, geostream, Webmail, and YouTube video capture, all in one interface.

The “Wayback Machine” of www.archive.org can reach older versions of a Web page. This capability is especially useful for commercial litigation, and the service is free of charge.

Yet another help is www.f-response.com, vendor-neutral, patented software that allows live forensics, data recovery, and E-discovery over an IP network. Its process provides read-only access to physical disks, physical memory (RAM), third-party cloud, E-mail, and database storage.

Forensic ToolKit Imager, or FTK Imager, is imaging software available from AccessData at www.accessdata.com.

In addition, www.elcomsoft.com offers a wide range of tools for gaining access to password-protected documents and archives, and for system recovery.

The panelists also mentioned Google™ and its archive service which, with a court order, can be used to access data from a party who will not give a password for access.

And the Internet Message Access Protocol, or IMAP, can be used to allow an E-mail client to access E-mail on a remote mail server. It can synchronize to multiple devices.
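IMAP collection raises the same preservation concern the panelists stressed for physical items: simply reading a message through a normal client marks it as seen and changes the server-side state. The following is an added example for this article, not code from the panel or any of the vendors named above; the host, account and mailbox are placeholders, and the sample message is constructed. It opens the mailbox read-only (IMAP EXAMINE) and fetches with `BODY.PEEK[]` so the `\Seen` flag is not set, then records the hash of the exact bytes received.

```python
import email
import email.policy
import hashlib
import imaplib

# Constructed sample message used to exercise preserve_message() offline.
SAMPLE_MESSAGE = (
    b"Message-ID: <constructed-0001@example.invalid>\r\n"
    b"Date: Mon, 21 Sep 2015 09:00:00 -0400\r\n"
    b"From: sender@example.invalid\r\n"
    b"To: recipient@example.invalid\r\n"
    b"Subject: Quarterly report\r\n"
    b"\r\n"
    b"Please find the report attached.\r\n"
)


def preserve_message(raw: bytes) -> dict:
    """Reduce one raw RFC 822 message to the record kept in the collection log:
    a hash of the exact bytes received plus the identifying headers."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    return {
        "sha256": hashlib.sha256(raw).hexdigest(),
        "message_id": str(msg["Message-ID"]) if msg["Message-ID"] else None,
        "subject": str(msg["Subject"]) if msg["Subject"] else "",
        "date": str(msg["Date"]) if msg["Date"] else None,
        "size_bytes": len(raw),
    }


def collect_mailbox(host: str, user: str, password: str, mailbox: str = "INBOX") -> list:
    """Collect every message in a mailbox without altering it.
    readonly=True issues EXAMINE instead of SELECT, and BODY.PEEK[] (unlike RFC822
    or BODY[]) does not set the \\Seen flag, so flags after collection match
    flags before. Host and credentials are placeholders supplied by the caller."""
    conn = imaplib.IMAP4_SSL(host)
    try:
        conn.login(user, password)
        typ, _ = conn.select(mailbox, readonly=True)
        if typ != "OK":
            raise RuntimeError(f"cannot open {mailbox} read-only")
        typ, data = conn.search(None, "ALL")
        if typ != "OK":
            raise RuntimeError("SEARCH failed")
        records = []
        for num in data[0].split():
            typ, parts = conn.fetch(num, "(BODY.PEEK[])")
            if typ != "OK" or not parts or not isinstance(parts[0], tuple):
                raise RuntimeError(f"FETCH failed for message {num!r}")
            record = preserve_message(parts[0][1])
            record["sequence"] = int(num)
            records.append(record)
        return records
    finally:
        conn.logout()


if __name__ == "__main__":
    # Offline demonstration on the constructed message; a real collection would call
    # collect_mailbox("imap.example.invalid", "account", "password").
    print(preserve_message(SAMPLE_MESSAGE))
```

The hash is taken over the bytes exactly as the server returned them, before any parsing, so the same record can later be reproduced from the stored raw message and compared, which is the E-mail counterpart of the integrity check the panelists required for devices.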

Technology is leading to a new and expanding branch of forensic science, but one which is quickly becoming necessary in the cyberworld.

Stephenie Slahor, Ph.D., J.D., is a writer in the fields of law enforcement and security. She can be reached at drss12@msn.com.