digital investigations in academic environments

Digital Investigations in Academic Environments. Presented by: Tony Martino, Senior Forensic Examiner, AMRIC Associates; Ronald Longo, Principal Member, Keane & Beane P.C.


Post on 19-Jan-2016


Page 1: Digital Investigations in Academic Environments

Digital Investigations in Academic Environments

Presented by:

Tony Martino, Senior Forensic Examiner

AMRIC Associates

Ronald Longo, Principal Member

Keane & Beane P.C.

Page 2: Digital Investigations in Academic Environments

About the Presenter – Anthony Martino

● Senior Forensic Examiner – AMRIC Associates

● Director of the Northeast Cyber Forensic Center at UC

● Adjunct faculty - cyber security and forensics

● Retired Sergeant from Utica Police Department

● Member of the U.S. Secret Service ECTF

● Over 10 years' experience in the digital forensics field

● Expert witness qualifications in state and federal courts

Page 3: Digital Investigations in Academic Environments

About the Presenter – Ronald Longo

Principal - Keane & Beane, P.C.
White Plains, NY
Fishkill, NY

• Attorney specializing in Public Sector Labor Law and Education Law for over 30 years

• Prior Experience as Assistant Town Attorney for Labor Matters, School Personnel Administrator and County Personnel Dept. Employee

• Past President of New York State Public Employer Labor Relations Association

Page 4: Digital Investigations in Academic Environments

Topics

● Digital evidence and forensics

● Forensics vs IT

● Data preservation & eDiscovery

● Conducting internal investigations with digital evidence

● Special considerations for academic environments

● Designing digital device usage policies

● Case studies

Page 5: Digital Investigations in Academic Environments


Digital Evidence

Page 6: Digital Investigations in Academic Environments

Digital Forensics

• The ability to conduct analysis of digital data in a manner that:

• Does not alter the original information

• Conforms to industry accepted practices

• Provides repeatable results

• Meets the standards necessary to support criminal, civil or internal litigation

Page 7: Digital Investigations in Academic Environments

Digital Forensics Capabilities

• Recovery of deleted information

• Analysis of user activity

• Timeline creation of data changes

• User attribution for activity on shared systems

• Preservation of data for future analysis or litigation

Page 8: Digital Investigations in Academic Environments

Digital Forensics Limitations

• Forensics is not magic

• Data that is not there cannot be found

• Data that has been corrupted or destroyed cannot be restored to its original form

• The recovery of deleted data is limited in scope and not guaranteed

• Forensic examinations involve the application of scientific processes. The result is not always a smoking gun.

Page 9: Digital Investigations in Academic Environments

Forensics vs IT

Page 10: Digital Investigations in Academic Environments

Data Preservation & eDiscovery

● Digital data is volatile and easily destroyed or corrupted

– Routine system processes

– User activity

– Intentional destruction

– Well-meaning “investigations”

– Expired retention periods

Page 11: Digital Investigations in Academic Environments

Data Preservation & eDiscovery

● Early preservation is paramount

– Take systems offline

– Create forensically sound duplicates

– Locate external data

– Identify log files or other surveillance information

Page 12: Digital Investigations in Academic Environments

Example: Cellular Phone Evidence

VS

Page 13: Digital Investigations in Academic Environments

Where is the Evidence?

Handset

– Recent Call logs

– Contacts

– Email

– Text Messages

– Images / Videos

– Location History

– Social Media

– Internet History

Service Provider

– Account Information

– Historical Call Logs *

– Text Messages / Logs *

– Location History *

* Subject to legal process and service provider retention policies.

Page 14: Digital Investigations in Academic Environments

The amount, type and retention period for data can vary widely between carriers.

– Legal process required

– ECPA

– Preservation

Service Provider Data

Page 15: Digital Investigations in Academic Environments

Internal investigations are commonplace, but challenging

– Trust may be hard to define

– Most protections are outward facing

– Digital evidence is commonplace

– Policies may be inconsistent or silent on issues related to digital evidence

– Some evidence is likely to exist on private devices

– Privacy and confidentiality needs may conflict with investigative needs

Internal Investigations

Page 16: Digital Investigations in Academic Environments

Basic steps

– Get legal assistance ASAP

– Involve as few people as necessary

– Consider after hours or sneak & peek operations

– Preserve data and backups of potential evidence to protect against destruction due to long litigation waits

– Adhere to legal and contractual limitations on searches and interviews

– Get expert assistance

Internal Investigations

Page 17: Digital Investigations in Academic Environments

Interview Preparation

Internal Investigations

Page 18: Digital Investigations in Academic Environments

Interviews

– Create a comfortable atmosphere

– Be non-confrontational

– Seek the truth, not a predetermined outcome

– Have and display empathy

– Ask open ended questions

– Shut up and listen

– Use recording devices if permitted

Internal Investigations

Page 19: Digital Investigations in Academic Environments

Special Considerations

– Privacy needs

– FERPA, local policies etc.

– Students are likely far more technologically advanced

– Educational goals and best practices for preventing improper faculty / student relationships are sometimes in conflict

Academic Environments

Page 20: Digital Investigations in Academic Environments

Educators have high public profiles

– Outside influences can interfere with investigations

– Fear of public exposure can reduce cooperation

– Even unsubstantiated claims of impropriety with children can have catastrophic consequences

• Investigation secrecy

• Support for suspected staff members

Academic Environments

Page 21: Digital Investigations in Academic Environments

Goals

– To allow the use of technology to further the goals of the institution

• Instructional needs

• Community involvement

– Parents

– Media

– To create an information infrastructure that allows access to information in a safe environment that is appropriate for a wide range of ages

Designing Usage Policies

Page 22: Digital Investigations in Academic Environments

User attribution is a must

– Unique user names and passwords

Shared devices are commonplace

– Mandate use of only personal credentials

Data exfiltration can be serious

– Removable media

– Dissemination of institutional data

Designing Usage Policies

Page 23: Digital Investigations in Academic Environments

Personal assignment of institution owned devices is common

– Acceptable use

– Personal use allowable?

Social media is a double edged sword

– Excellent mechanism for reaching the public

– Can be a dangerous place for faculty & students to mix

Every faculty / staff member should have an official communication mechanism

– All communications with students/parents should be mandated to occur within this medium

Designing Usage Policies


Page 25: Digital Investigations in Academic Environments

Bring Your Own Device (BYOD)

– Becoming more popular in corporate, government and academic environments

– Can reduce technology needs and costs for the institution

– Can increase employee productivity

– Can lead to serious data security issues

Designing Usage Policies

Page 26: Digital Investigations in Academic Environments

Strong BYOD policies are a must

– What specific devices are allowed

– What are the required security standards

– Prohibitions against data exfiltration

– Employee separation policy

• Cleansing of institution data from device

• Examination of device before separation

• Disconnection of device from connectivity to institution

Designing Usage Policies

Page 27: Digital Investigations in Academic Environments

Faculty member utilized social media and other non-official mechanisms to communicate with students

– In violation of district policy

Complaints from parents over the content of communications are filed with school district

– Ability to monitor or perform discovery on non-official media is difficult

– Much of the evidence has been deleted or otherwise destroyed

– The integrity of evidence collected from students' personal online accounts can be easily questioned

Case Study 1

Page 28: Digital Investigations in Academic Environments

Faculty member is found to have inappropriate content on a district owned laptop computer

– Faculty member admits that the content is his, but insists he did not place it on district computer

– Subsequent forensic examination of the computer found that the content was automatically placed on the computer by a backup process that occurred when a cellular phone was plugged into the laptop.

– District has no policy that prohibits the connection of personal devices to institution computers

Case Study 2

Page 29: Digital Investigations in Academic Environments

A review of log files by IT shows that an employee has been utilizing a faculty office computer to view pornographic material.

– A review of attendance logs shows that the employee in question was not actually present when the infractions occurred

– A forensic examination of the computer showed that the browsing activity could be attributed to a different employee

– Lax institutional policy on safeguarding user credentials allowed one employee to gain access to the passwords of his supervisor and co-workers and gain access to an unknown amount of sensitive data.

Case Study 3
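
The cross-check in this case study, comparing account-level log entries against attendance records before attributing activity to the account owner, can be sketched as follows. This is an added example, not part of the original presentation; the log format, host name, account names and all timestamps are constructed for illustration.

```python
from datetime import datetime

# Constructed sample data: web log entries recorded under a user account,
# and attendance (badge) intervals per employee. None of it is from the case.
PROXY_LOG = [
    "2015-03-02T09:14:05 OFFICE-PC-07 jsmith blocked-category",
    "2015-03-02T19:42:31 OFFICE-PC-07 jsmith blocked-category",
    "2015-03-03T20:05:12 OFFICE-PC-07 jsmith blocked-category",
]
ATTENDANCE = {
    "jsmith": [("2015-03-02T08:00:00", "2015-03-02T16:30:00"),
               ("2015-03-03T08:00:00", "2015-03-03T16:30:00")],
    "bjones": [("2015-03-02T12:00:00", "2015-03-02T21:00:00"),
               ("2015-03-03T12:00:00", "2015-03-03T21:00:00")],
}

def parse(ts):
    return datetime.fromisoformat(ts)

def present(employee, when):
    """True if attendance records place the employee on site at 'when'."""
    return any(parse(start) <= when <= parse(end)
               for start, end in ATTENDANCE.get(employee, []))

def review(log_lines):
    """Annotate each log entry with whether the account owner was on site
    and which other employees were, per the attendance records."""
    findings = []
    for line in log_lines:
        ts, host, account, _category = line.split()
        when = parse(ts)
        others = sorted(e for e in ATTENDANCE
                        if e != account and present(e, when))
        findings.append({"time": ts, "host": host, "account": account,
                         "owner_present": present(account, when),
                         "others_on_site": others})
    return findings

def unattributed(findings):
    """Entries logged under an account whose owner was not on site.
    Presence of others only narrows the candidates; attribution still
    requires a forensic examination of the computer itself."""
    return [f for f in findings if not f["owner_present"]]
```

Entries returned by `unattributed` are the ones where the log alone points at the wrong person, which is the situation the forensic examination resolved in this case.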

Page 30: Digital Investigations in Academic Environments

About AMRIC Associates

Capabilities

– Digital Forensic Examinations

– Private Investigation Services

– Interviews & Interrogations

– Surveillance

– Expert Witness Testimony

Page 31: Digital Investigations in Academic Environments

Contacts

6444 Fly Road
East Syracuse, New York 13057
315.437.5500
www.amric.com


Page 32: Digital Investigations in Academic Environments

Questions