Computer Forensic Investigations - PowerPoint PPT Presentation


Transcript and Presenter's Notes


1
Computer Forensic Investigations
  • Mark Lanterman
  • Computer Forensic Services

2
Today
  • Background
  • Define Computer Forensics
  • Case Examples
  • Got Phone?
  • Dos and Don'ts
  • Extra Credit

3
What is Computer Forensics?
  • Computer Forensics is the application of the law
    to computer science. It is the application of scientific
    and analytical techniques to computer data
    structures to determine the potential for
    evidence.

Or, simply put: processing electronic data devices
for evidence.
4
Computer Forensics Challenge
  • The challenges are:
    • Recognizing and accessing data sources
    • Collecting and preserving the evidence
    • Presenting/explaining the evidence
      in a manner acceptable / understandable.

5
Deleted Data
  • Hard drive technology data storage
  • What are deleted files?
  • What about formatting?
  • Can you tell if deletions have taken place?

6
Age Discrimination
  • Plaintiff claimed Word documents he saved to a
    floppy disk in 1997 proved his application for
    other positions in the company.
  • Analysis showed documents were created using Word
    2000 (registered to Plaintiff's wife) one month
    prior to disclosure.

7
Metadata is often described as data about
data. But what does this mean?
8
There are two components to any computer-generated
document/file: 1) the content of the document;
2) the layer of information about the data.
This is metadata.
9
  • Metadata may include a file's name, size and
    creation/deletion date.
  • It may also include the source of the data, its
    author, time it took to create, whether others
    have viewed it, printed it and so on.
  • Allows compilation of critical timelines

10
Timeline Review
  • External drive is attached to laptop.
  • System rebooted by user.
  • WipeInfo is executed from external drive.
  • WipeInfo process is ended and system is shut down
    at approx. 11:06 am.
  • Laptop signed for by messenger at 11:07 am.
  • Receipt signed by plaintiff.
  • Messenger had arrived at approx. 10:45 am.
  • We were charged 11.00 for messenger's delay.

11
Timeline Review
  • Analysis produced evidence of:
    • Satellite television signal descrambling
    • Pirated software and decryption software
    • Child pornography
  • Plaintiffs sanctioned for spoliation

14
Family Business Embezzlement (and Explosion)
  • Former United States Congressman
  • Working for Family Business
  • Suspicion of embezzling to support:
    • Vegas
    • Girlfriend(s)
  • Suspicious Explosion
  • Call from BATF and Insurance Company Investigator

17
Printed Email analysis
  • 17 printed emails produced by Defense

No sign of these emails on Plaintiff's computer
18
Printed Email analysis
19
Printed Email analysis
  • Affidavit
  • Court grants access to work/home computers and
    company email server
  • All 17 emails deleted, traced to Boss's Draft
    folder
  • No Message IDs found in emails to employee
  • Emails fabricated
  • Settlement
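
The header check behind the "No Message IDs found" finding, as an added example that is not part of the original presentation. The sample messages, the `SERVER_LOG_IDS` set and the function names are constructed for illustration, and the check assumes that a message which was actually sent normally carries a Message-ID and at least one Received header.

```python
from email import message_from_string

# Constructed sample messages, not taken from the case in the slides.
SENT = (
    "Received: from mail.example.com (mail.example.com [192.0.2.10])\n"
    "\tby mx.example.org with ESMTP id ABC123; Mon, 03 Mar 2008 09:15:02 -0600\n"
    "Message-ID: <20080303151500.1A2B3C@mail.example.com>\n"
    "Date: Mon, 03 Mar 2008 09:15:00 -0600\n"
    "From: boss@example.com\nTo: employee@example.com\n"
    "Subject: Performance review\n\nBody text.\n"
)
DRAFT_ONLY = (
    "Date: Mon, 03 Mar 2008 09:15:00 -0600\n"
    "From: boss@example.com\nTo: employee@example.com\n"
    "Subject: Written warning\n\nBody text.\n"
)
UNLOGGED = SENT.replace("1A2B3C", "FFFFFF").replace("Performance review", "Final notice")
# Assumed input: Message-IDs extracted from the mail server's own logs.
SERVER_LOG_IDS = {"<20080303151500.1A2B3C@mail.example.com>"}


def transport_evidence(raw):
    """Pull the headers normally added when a message is submitted or relayed."""
    msg = message_from_string(raw)
    message_id = (msg.get("Message-ID") or "").strip() or None
    return {
        "subject": msg.get("Subject", ""),
        "message_id": message_id,
        "received_hops": len(msg.get_all("Received") or []),
    }


def review(messages, server_log_ids):
    """Classify each message by how well its headers support a claim of delivery."""
    findings = []
    for raw in messages:
        ev = transport_evidence(raw)
        if ev["message_id"] is None and ev["received_hops"] == 0:
            ev["finding"] = "NO_TRANSPORT_HEADERS"   # consistent with an unsent draft
        elif ev["message_id"] not in server_log_ids:
            ev["finding"] = "NOT_IN_SERVER_LOG"      # headers present but uncorroborated
        else:
            ev["finding"] = "CORROBORATED"
        findings.append(ev)
    return findings


if __name__ == "__main__":
    for f in review([SENT, DRAFT_ONLY, UNLOGGED], SERVER_LOG_IDS):
        print(f["finding"], "-", f["subject"])
```

A `NO_TRANSPORT_HEADERS` result is a lead to corroborate against server and mailbox data, as the slide's trace to the Draft folder did, not a conclusion on its own.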

20
Don't Forget Phones!
21
The iPhone File System
22
Complete Call History
24
Active and deleted emails
25
Map History
26
To
From
27
Deleted Text Messages
28
Browser Bookmarks
29
Suspended Browser
30
Web History
31
  • And don't forget active and deleted voicemails!

32
And This Is Really Interesting
33
What is Logical?
  • Meet and Confer
  • Rule 26(f)
  • The parties shall confer to discuss any issues
    relating to preservation, disclosure or discovery
    of electronically stored information including
    the form in which it should be produced.
  • Court-appointed neutral

34
Most Important!
  • Do not turn on the computer
  • Alteration of date/time stamps
  • Inadvertent spoliation

35
Extra Credit
  • How to securely delete sensitive data

41
Questions? Comments?
Mark Lanterman
Computer Forensic Services
601 Carlson Parkway, Suite 630
Minnetonka, MN 55305
952.924.9920
mlanterman_at_compforensics.com
www.compforensics.com