
Computer Forensics: What Every Lawyer Needs to Know

Shannon Murphy, Dave Freskos, Raj Laud

Presenters

Shannon Murphy, White Collar, Regulatory Defense & Investigation, Winston & Strawn LLP - Chicago, [email protected]

• Member of the firm’s Global Privacy and Data Security Task Force.

• Handles litigation, investigations, and advisory services, with a focus on data security and theft of trade secrets.

• Received a certificate for passing the Rochester Institute of Technology’s Computer Forensics program and is CompTIA IT Fundamentals certified.

Dave Freskos, Senior Director, Digital Forensics & Investigations, FTI Consulting, Inc. - Chicago, [email protected]

• Certified EnCase Examiner and Cellebrite Physical Analyst

• Leads a Chicago-based forensics team that specializes in uncovering IP theft and supporting other high-stakes investigations.

• Regularly provides expert testimony and written affidavits in support of litigation matters.

Raj Laud, Deputy Chief, National Security and Cybercrimes, Chicago, [email protected]

• Supervises national security, cyber, and intellectual property crimes cases in the U.S. Attorney’s Office for the Northern District of Illinois

• Opinions expressed are his own, not those of the U.S. Attorney’s Office or Department of Justice

Why Digital Forensics?

What Is Digital Forensics?

• Obtaining evidence from digital media in a defensible manner

• Proper preservation

• Carefully documented use of a variety of different techniques

• No one, singular log provides all the answers

• Analysis of processes designed with the intent to help a device run more efficiently, not to produce evidence

• Collection of seemingly non-related artifacts allows examiners to build a narrative around user activity

A Different Approach

Traditional Document Searches

• User-created documents (Microsoft Suite, PDF, etc.)

• Corporate Email

• File Shares

• Paper Documents

Forensic Analyses

• USB Devices

• Internet History

• Event Logs

• Social Media

• Cloud Services

• Mobile Devices/Applications

• Volume Shadow Copies/Backups

• Personal Webmail

• Unallocated Disk Space

• Program Execution History

10 Things Every Lawyer Should Know

Collect Broadly

• Where might evidence be located?

• Email

• Computers

• Phones

• External hard drives

• Security camera footage

• Keycard access logs

• Printer logs

• Server/database logs

• Extranet access logs

Maintain and Document Chain of Custody

• Document the collection: make, model, serial number; when collected; by whom; from whom/from where

• Store securely

• Document any change in custody

Image the Device Before Any Review

• Do not take any steps to review a device until a copy has been made

• Train “well-intentioned” IT personnel


What Is a Device Image?

• Bit-for-bit copy of the entire hard drive

• Hash value is generated as the image is created

• Allows for the integrity of the image to be verified

• Ghost or similar enterprise IT tools do not create a forensic image
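The acquisition-and-verify step described above, as an added example that is not part of the slides: the source is copied bit for bit, hashed as it streams past, and the written image is re-hashed to prove its integrity. The sample "device" content, the file names and the one-byte tamper are constructed for the demo.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # stream 1 MiB at a time so a whole drive never has to fit in memory


def image_device(source_path, image_path, chunk=CHUNK):
    # Bit-for-bit copy: every byte read from the source is written unchanged to the
    # image and hashed as it streams past, so the acquisition hash is the source hash.
    h = hashlib.sha256()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the bytes are on disk before we trust them
    return h.hexdigest()


def hash_file(path, chunk=CHUNK):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(image_path, acquisition_hash):
    # Integrity check: re-hash the image file and compare it with the hash recorded
    # at acquisition. A single changed byte anywhere flips the result to False.
    return hash_file(image_path) == acquisition_hash


def demo():
    # Constructed sample "device": a temp file stands in for the raw block device
    # (on a real acquisition the source would be the device itself, e.g. /dev/sdX, read-only).
    with tempfile.TemporaryDirectory() as d:
        dev, img = os.path.join(d, "device.bin"), os.path.join(d, "device.dd")
        with open(dev, "wb") as f:
            f.write(b"MBR" + bytes(range(256)) * 16 + bytes(8192))
        acq = image_device(dev, img)
        same_as_source = acq == hash_file(dev)
        verified = verify_image(img, acq)
        with open(img, "r+b") as f:  # simulate a later one-byte change to the image
            f.seek(10)
            f.write(b"X")
        return same_as_source, verified, verify_image(img, acq)
```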

Consider Whether to Turn a Device On/Off

• Turning on or off a device can lose or alter data, including potentially key date/time stamps

• BUT, in some instances, turning off the computer is the better option, even though some data will be lost


“Deleted” Does Not Mean Nonexistent

• Intact deleted files vs. overwritten files

• Ease of recoverability depends on file state

• Forensic software can identify deleted files and recover metadata associated with the once-active file

• Carving of unallocated space may allow snippets of relevant data to be recovered

Deleted File States

Part of your hard drive is a file system that lists where files are on this track – here is where this track starts and ends, etc.

Active Files: the file system lists file001, file002 and file003 and where each sits on the track.

Deleting Files: the file system entry is removed, but the data is not removed from the track. Upon deletion, space is only marked as available. Data can still be pulled out.

Wiping Files: space is marked as available and the data is physically removed from the track.
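The three file states above and the carving of unallocated space from the earlier slide, as an added example that is not from the presentation: a constructed toy disk keeps a byte array (the "track") and a file table; deleting only drops the table entry, wiping overwrites the bytes first, and carving scans unallocated space for a PDF header/trailer signature without consulting the table. The file names and contents are constructed.

```python
import re

PDF_HEAD, PDF_TAIL = b"%PDF", b"%%EOF"  # real PDF magic, used as carving signatures


class ToyDisk:  # constructed model: byte array (the "track") + table of active extents
    def __init__(self, size):
        self.data = bytearray(size)
        self.table = {}  # name -> (start, length); only active files are listed

    def _free_ranges(self):
        # Unallocated space: every byte not covered by an active table entry.
        pos, free = 0, []
        for start, length in sorted(self.table.values()) + [(len(self.data), 0)]:
            if start > pos:
                free.append((pos, start - pos))
            pos = start + length
        return free

    def write(self, name, payload):
        # First-fit allocation; may reuse, and so overwrite, space of deleted files.
        for start, length in self._free_ranges():
            if length >= len(payload):
                self.data[start:start + len(payload)] = payload
                self.table[name] = (start, len(payload))
                return
        raise OSError("disk full")

    def delete(self, name):
        del self.table[name]  # ordinary deletion: entry goes, bytes stay on the track

    def wipe(self, name):
        start, length = self.table.pop(name)  # wiping: overwrite, then release
        self.data[start:start + length] = bytes(length)

    def carve(self, head=PDF_HEAD, tail=PDF_TAIL):
        pattern = re.escape(head) + b".*?" + re.escape(tail)
        hits = []
        for start, length in self._free_ranges():
            hits += re.findall(pattern, bytes(self.data[start:start + length]), re.DOTALL)
        return hits


def demo():
    disk = ToyDisk(256)  # constructed scenario: two PDFs and a note on a 256-byte track
    disk.write("file001", PDF_HEAD + b" contract draft " + PDF_TAIL)
    disk.write("file002", PDF_HEAD + b" customer list " + PDF_TAIL)
    disk.write("file003", b"plain notes")
    before = disk.carve()   # empty: both PDFs still sit in allocated space
    disk.delete("file001")  # deleted -> still recoverable by carving
    disk.wipe("file002")    # wiped -> gone
    return before, disk.carve()
```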

Computers Do Not Track Files Moved to Other Devices

• Computers do not create a log of files moved or copied

• “Artifacts” may be created

• Software programs can be used to generate a list of files on external storage (e.g. USB devices)

File Usage Artifacts


Link Files: Link files are shortcuts to files you opened. They get created by Windows and applications for a variety of reasons, including to show you which files you opened recently. Link files include information about where a file was opened from (e.g. a USB device) and the file’s metadata.

Jump Lists: Metadata stored about folders and files that have been recently accessed – including the most recent time each file was opened and the file’s access, creation, and modification dates.

A List of External Devices Can Be Created

• For Windows devices – a list of every device plugged in with first and last connection dates

• For Mac devices – a list of devices plugged in within the last 30 days


Date/Time Stamps Are Not Gospel

• Documents have date time stamps of certain events (created, modified, last accessed)

• Computers keep many logs that have dates and times of certain events

• Dates/times are keyed off of the internal clock – which can be changed

• Intentional changes

• Changes due to lack of battery

Give Your Forensic Expert Case Details

• Computer forensic work is an art

• Your computer forensic expert needs background facts to investigate

• How/where the company stores data

• Key names and dates

• File naming conventions

• Information about remote access

Preventative Measures Are Available

• Use Data Loss Prevention software

• Educate legal and IT teams to communicate

• Data Governance

• Know where your valuable IP resides and use managed resources to secure it

Hiring a Digital Forensics Expert

When

• Complex analysis required, such as showing misappropriation of corporate data

• May file a TRO or lawsuit

• May need an affidavit

• May refer matter to law enforcement

• Need to ensure complete and defensible preservation

Considerations

• Counsel should engage to protect privilege

• Discuss and define the scope of work

• But, realize the scope may change

• Not all experts are the same

• Engage as soon as possible

Questions?
