good afternoon! jim emerson vp, nw3c
TRANSCRIPT
PLANNING CASES WITH DIGITAL EVIDENCE
GOOD AFTERNOON!
JIM EMERSON
VP, NW3C
WHY DIGITAL EVIDENCE (DE)?
(Almost) all crime involves digital evidence.
Photo by Rami Al-zayat on Unsplash
Phones and crime.
Image 226716517 Bigstockphoto.com
Illicit drugs online.
137421494 Copyright Ruslan Guzov, 2018 Used under license from Shutterstock.com
Scams target seniors.
Fruit of crime
Evidence of crimeTool of crimeTarget
of crime
WHY PLAN?
• Discreet and lacking physicality• Transient and volatile• Easy to change or destroy• Complex and voluminous• Distributed with remote relationships• Validated tools and handling• Unique custodial nuances• Complicated legal considerations
PLAN WHAT?
Preservation
3Recognition
2Preparation
1Collection
4
LOCAL
ISP
ASP
TELCO
#IACP2020
LOCATION?
Locally
Computer hard driveMobile phoneThumb driveExternal hard driveAny internal memory
Remotely
Cellular service providerInternet service provider (ISP)Social media platformsCloud storage
Both
WHERE IS THE DATA?
Internal
• Built‐in memory• Memory card• SIM card (UICC)
External
• Cellular service provider• Cloud storage• Third‐party apps
The SIM card contains information that the cellular network uses to identify and authenticate the phone.
#IACP2020
SOURCE AND CONTEXT?Local
ObviousLess ObviousSystem StatusPhysical AccessLogical Access
Remote
Cellular and WiFi service Other Data CommunicationsInternet Service StatusApps, Networks, CloudRemote Access Risk
Both
WHAT’S AVAILABLE?
Subscriber/device identifiers
Contacts
Calendar
Text messages
Call logs
Pictures and videos
Audio
Web historySome app data is stored on the phone—also point to data held remotely.
KEYS?Credential Pairs?
LEGAL AND TECHNICAL BARRIERSPrivacy by Design
Cryptographic Control
User Only Controlby Design/Default
S. 4051 ''Lawful Access to Encrypted Data Act''
INITIAL HANDLING OF COMPUTERS…
If it’s off, leave it off.
This is rule number one for protecting digital evidence.
Turning a computer on will necessarily alter the data—remember the “golden rule.”
If it’s on, turn it off.*
Turning a computer off after collecting preliminary data
prevents changes to the data and prevents destruction of evidence.
EXCEPT when Special Circumstances Exist…
*Does not apply to cell phones.
10
SPECIAL CIRCUMSTANCES—LEAVE IT ON
Shutting the computer down may make the data unrecoverable.
Encryption
Cloud storage
Destructive processes
Where is the storage located?Legal authority to collect data?
The destructive process should be killed immediately.
WHY CONDUCT A PREVIEW?
Form probable cause
Eliminate a device containing
no evidence
Exigentcircumstances
Devicecannot be shut down or seized
In place of a forensic exam
SYSTEM-OFF AND SYSTEM-ON PREVIEWS
Is the computer
on?
Off On
System‐off preview (dead box)
Extracts non‐volatiledata only.
Entire Geometry
System‐on preview (live box)
Extracts volatile and non‐volatile
data.
Changes to System
WHY ACQUIRE A FORENSIC IMAGE?
A complete capture and storage of data that does not change or manipulate any of the data.
Photo by Markus Petritz on Unsplash
The ‘golden rule of electronic evidence’—never, in any way, modify the original media if at all possible.
Forensicon
THE VERIFICATION TRIAD; VALIDATION WITH MATHEMATICS
Acquire an image, then hash the image.
2
Hash the suspect’s computer.1
Re‐hash the original.3
Validation procedures
show that the evidence remains in
“substantially the same condition.”
Validation
PHYSICAL AND LOGICAL IMAGING
Physical Logical
Critical EvidenceAccessible Evidence
TRADITIONAL AND LIVE IMAGING
The image is acquired directly from the computer, while it is powered
on.
The hard drive is removed from a powered‐off computer.
If the drive can’t be removed, the image is acquired directly from
the computer.
Traditional Live
INITIAL HANDLING OF MOBILE PHONES
Mobile phones are treated differently. If they are powered on, investigators usually isolate them from the network
and leave them powered on.
Photo by Rami al Zayat on Unsplash
PHONE STATE
Unlocked Locked Powered off
The examiner removes the memory chip and uses a reader to attempt to acquire data.Potential for Damage…
LEVELS OF ANALYSIS
Physical
Logical
Manual
Chip‐off
The examiner operates the phone to display contents. Tools are used to capture and save information.
The examiner uses a forensic tool to read user‐accessible files.
A physical acquisition of data stored in the device’s built‐in memory. Potential for Damage…
ONSITE TRIAGE: PREVIEWING PHONES
A manual or logical extraction of data can be done at the scene along with a preliminary analysis.
Phone is encrypted, but currently unlocked.
Exigent circumstances.
KEEPING IT UNLOCKED USED TO BE EASIER…
Is a passcode enabled?Can the auto-lock or timeout be delayed or disabled?
Unlocked
#IACP2020
AVOIDING DESTRUCTION OF EVIDENCE…
Find My iPhone
Most modern phones and tablets can send location data, alerting their owners to start “wiping” or overwriting data.
Android Device Manager
23
HOW DOES THE PHONE COMMUNICATE?
• AT&T• Verizon• Sprint• T‐Mobile• Etc.
• Bluetooth (≈100 meters)
• IrDA (within a few feet)
• NFC(within a few inches)
A wireless internet connection.
Cellular network WiFi Short‐range connections
24
DON’T FORGET TRADITIONAL EVIDENCE
DNA
Fingerprints
Trace evidence
Controlled substancesConventional latent evidence must also
be collected.
Manuals and papers
ASK THE SUBJECT…
• Who owns the devices/files?• Passwords/passcodes• Encryption• Cloud storage• Hidden devices
Interviews are an important part of
the process.
#IACP2020
LEGAL
ENCRYPTION
Investigative and Forensic Context
DIGITAL EVIDENCE CHALLENGE
DE Functions• Collect• Preserve• Analyze
LocalDE
Sources
ENCRYPTION
LEGAL
Custodial and Quality Management System
RemoteDE
Sources
DF Environment• Field• Lab• Cloud
Access Access
CASE STUDY #1A string of armed robberies occur at convenience and cell phone stores in your jurisdiction.
One of two suspects are reported to be armed.
Two witnesses report an automobile involved with similar description at two different robbery scenes.
Two of the victim businesses claim to have working security video systems.
CASE STUDY #1
Based on the video surveillance: • The suspects wore masks due to COVID • A cell phone was observed with a subject in their jeans pocket• A partial license plate for the departing suspect vehicle was captured along with
description.• Other potential witnesses departing immediately prior to robberies may result from
business POS system dataBased on witness in-car video evidence:• More license plate information was provided narrowing plate to several possible• Angled image of one suspect without a mask• Image of the second suspect with a cell phone
CASE STUDY #1
Cell Tower Dump?Geo-Fencing Data?
Mobile App Geo-Location Data?• SOCIAL MEDIA? • GOOGLE MAPS?
Car Computer Data?
CASE STUDY #1
Through our investigation, one (1) suspect is arrested and found in possession of a cell phone. The suspect refuses to talk, invoking his Fifth and Sixth Amendment’s Rights. • Cell Phone Warrant? • Compelling Biometrics and/or Passcode Production? • Other Methods of Obtaining Access?
The Observer
CASE STUDY #2
• A complaint is received from parents in your jurisdiction that their children were sexually exploited online.
• One victim, David Jones, reports that while playing the Call of Duty video game series he was befriended by a player, “Gi‐John.”
• David was subsequently redirected by Gi‐John to a private livestreaming online platform known as the “Playground” to those invited.
• David was exposed to child sexual abuse material being produced and exchanged at the Playground by Gi‐John known there as “The Piper.”
CASE STUDY #2
• David Jones, reports playing the Call of Duty video game primarily on an Xbox One and sometimes on an Android tablet.
• David was encouraged by Gi‐John to use the Android tablet with camera to visit the private livestreaming platform known as the “Playground” under the pretext that there were amazing COD game play videos there.
• Gi‐John /The Piper claimed his camera was broken when David visited the Playground two days ago. According to David he then showed him videos he was uncomfortable watching.
CASE STUDY #2• Legal Process to Activision COD
(LE Guide/Preservation/Notification/What is available?)
• Legal Process to Microsoft Xbox
• Legal Process to Uniregistry, Corp. to strip Privacy Protection from Registered Owner <playground.game>
• Related Financial Account Discovery
• OSINT / Dark Web Investigation “Gi‐John and The Piper”
• Forensically examine the Xbox One
• Forensically examine the Android Tablet
Request consent to take over David’s COD and Playground accounts?
CASE STUDY #3
Multinational operation…
Operation Bayonet
OPERATION BAYONET
-AlphaBay-Hansa -TOR-Markets-2017
ALPHABAY
2015 Largest market
Alpha02/Admin
> USD $23M
pwoah7foa6au2pul.onion
400,000+
Digital contracts/escrow
Multiple CryptocurrencyUC Buys; Drugs, Counterfeit ID, other…
Attribution?
ALPHABAY
Major Break in the case…2014 AlphaBay Forum Welcome Email and Password Recovery EmailHeader included…Return Path: [email protected] Recipient, Mail Server, Hotmail
LinkedIn – owner - EBX Technologies, CA OSINT, LinkedIn, Public Recordswww.commentcamarche.com Alpha02/Cazes
Alexander Cazes Preserve Critical EvidenceIdentify Corroborating Evidence
Key to further Investigation? Financial Records, Infrastructure?
Risk of Evidence Destruction is High
ALPHABAY
Deconfliction…Dutch AuthoritiesTargeting Hansa dark market First Arrest/Seizure
Authorities Run Hansa Lawful Intercept on Hansa
Ultimately… AlphaBay members migrate to HansaIdentify AlphaBay Suspects
Risk of Evidence Destruction is High
ALPHABAY
Seizure/Arrest…International Targeting 5 July 2017Cazes Residence Thailand Computers Must be ControlledCazes Mobile Device Thailand Mobile Device Must be Controlled7 Servers in Multiple Countries Synchronized International Control
Ultimately… LEA Creates Technical ProblemThailand Ground Operation
Risk of Evidence Destruction is High
CLOSING THOUGHTS…
Sound Digital Evidence Planning
• Requires Coordination and Deconfliction • Must Keep Up with Technology• Must Keep Up with Service Providers• Must Keep Up with Case Law and Legislation• Must be Thorough Anticipating Challenges• Must Not Rely on a Single Type of Evidence
