Extreme Hexjumping Video

A few weeks ago I posted a picture of Martin Westman just before he jumped out of a plane while hex-dumping a phone. He has been in touch and sent a link to the Youtube video. I asked Martin if he has any more plans to do things like this in the future and he seems to have some nice ideas… I’m not going to spoil it, you’ll just have to watch out for them.

Digital Forensics – What We Don’t Know CAN Hurt Us

If my work with Volume Shadow Copies has taught me one thing it is that I don’t know anything. I have often said the more I learn, the less I know. Everything that we learn about computer investigations leads to more learning. It never ends. Anyone that thinks they know everything there is to know about digital forensics is either a liar or delusional. Each case should be teaching us something new and we should be learning from it.

The same goes for any new developments in the field. If we don’t keep up with all the latest developments how do we expect to be able to conduct a full investigation?

I have noticed a worrying arrogance lately in that digital forensic investigators believe that they know all that they need to know. They’ve been on all the AccessData and Guidance courses that are on offer, so they have all the knowledge they could ever hope to amass. There is no more room for progression.

This is incredibly dangerous not only to the analyst, but to the people that we represent.

A little while ago a friend of mine conducted an investigation for a police force. I remember him working very hard to experiment and test his findings, like any good examiner. He sent his report to the relevant authorities and got on with his next case.

Some months later the defence report arrived on our doorstep. This report was compiled by a digital forensic investigator professing nearly 20 years experience in the field.

His report went on to attack my colleague’s findings. This is not unusual but the manner in which he tried to do this left me feeling completely stunned.

The report was simply dismissive. This ‘veteran’ stated that he did not believe my colleague’s finding were accurate. He did not give any justification for this, he did not conduct any testing, he just said something along the lines of “I know of no method to recover this data so his findings must be incorrect.”

What?

I couldn’t believe this. At what point does an investigator allow himself to interpret his own limited knowledge as fact? It is disturbing and I hope that I never fall into this trap.

The question I would ask is: How do we safeguard against such arrogance? Clearly our field is intellectual and we know a great deal but how do we stop ourselves from becoming like this examiner? How do we keep ourselves firmly anchored?

Microsoft Word – What Lies Beneath

As a Forensic Investigator it is crucial that any investigation of a case is thorough and done to the best of an individual’s ability. In the interest of time there can be a temptation to delve deep enough to find the required evidence, report it, then move on to the next case. People may, in fact, be under very real pressure to do this. Sometimes doing such things can cause problems for a case in the future when another expert potentially reviews and comments on your own findings.

Imagine the following scenario as a forensic investigator. You are handed a case brief and a computer hard drive to examine. The case brief informs you that Bill, the owner of the computer, is suspected of using the computer to create fraudulent documents for their own financial benefit. The alleged offence took place between May and July. You image the disk, load the disk image into your preferred forensic software and begin your examination.

Initial searches uncover a large number of Microsoft Word documents. You open these documents and discover that they do, indeed, contain a number of fraudulent documents. You discover that the documents have been created over the period of two months and that they have been accessed by a the Windows user named ‘Bill’ on the computer. Well, there you have it. Guilty? Innocent? However it looks on the surface, if you dig a little deeper you could see things very differently.

You discover that the NTUSER.DAT registry hive for the user ‘Bill’ shows Microsoft Office to have been used and registered by this same user. When the software was first run he specified the user name ‘Bill’ and the initials ‘BT’. You also find that Microsoft Office was installed on the computer three months earlier.

Whilst a lot of people are aware that this and more information is stored by Microsoft Office, they may not be aware of how this can potentially swing a case. This information, as well as much more, is embedded into every Microsoft Word document by default.

When a document is created by the user selecting ‘New’ from the Office menu or the File menu Microsoft immediately records the time and date as a ‘Create Date’ for that document. Regardless of what happens to that original document or where it is copied to, this date and time remains the same. In addition to this the above user name and initials are also stored in this document as ‘Author’ details even before it is saved by the user. When the document is first saved a ‘Last Revised Date’ record is created, and a ‘Last Saved By’ field stores the current Microsoft Word user. This information is updated every time a document is saved, but ‘Author’ data remains the same. When a file is printed a ‘Last Print’ date and time is recorded. Depending on the version of Microsoft Office you may occasionally find the make and model of the printer used in plain text. This can be useful in determining whether a document was printed form a certain place.

You may know this already or wonder why this is relevant. Take the following examples.

A document has an NTFS creation date of 30th July 2009 but a Microsoft Word ‘Create Date’ of 12th February 2009. The Author and ‘Last Saved’ fields show ‘Ted’. The ‘Last Revised Date’ and ‘Last Print Date’ for the document both showed 13th February. What does this information tell us about a document saved on the hard drive of Bill’s computer? It tells us that maybe he didn’t put it there.

Another document has a Word ‘Create Date’ showing some time after the creation date saved by the NTFS file system and the ‘Last Print Date’ recorded by Microsoft Word. This shows that another document has been saved over an existing document. As a result it is not possible to determine exactly what was printed. The document as it exists now is likely not the document that was ever printed.

A further document has a ‘Create Date’ of 1st March 2009 but a ‘Last Revised Date’ 24th February 2009 and ‘Last Printed Date’ of 22nd February 2009. How can this happen? The document was likely created from an existing older document that has previously been printed, and had inherited a number of its properties.

It is of course possible for a user to modify their user name. An investigator would then have to determine the likelihood of a user having sufficient knowledge to make such changes. This can be determined by seeing what programs have been installed and used, where the user has saved files, and whether there is anything hinting at a more experienced user (I have seen computers with more than one anti-virus program running permanently. This could be the result of paranoia or a less than full understanding of how such programs work).

Now imagine having done a computer investigation having not looked for this information. An expert hired by the defence team then examines your findings and the disk images and finds this information. All of a sudden doubt can be cast over your work, which previously appeared to be quite convincing. The fact that you missed this information doesn’t help your own reputation.

I have had cases where apparent guilt was turned on its head as a result of investigating Microsoft Office embedded data. I have seen documents created before they existed on a suspect’s computer. I have seen documents printed before they were created or edited by Microsoft Word.

This information can potentially confuse an investigation. It can make or break a case and determine whether someone has been the perpetrator of a crime or not.

Testing of this is easy and of extreme importance. I would recommend that any forensic investigator take a few minutes to test embedded Microsoft Office data. Only then can you say with any authority that dates and times show in a specific order because of specific events. This embedded data can make all the difference to your investigation, and looking a little bit closer can provide a more complete picture, whatever that complete picture shows.

The Changing Face of Phone Forensics

Desensitisation

Working for a UK based forensic company I do a lot of work with cases involving indecent images of children (known commonly as child porn).  When such pictures or videos are found on a computer they are categorised.  The categorising of these pictures is according to the scale below:

1) Nudity or Erotic Posing of Child(ren)

2) Sexual Activity Between Children or Solo Masturbation

3) Non-Penetrative Sexual Activity Between Adult(s) and Child(ren).

4) Penetration of Child(ren)

5) Sadism/Bestiality Involving Children

Recent legislation also means that the above categories are divided into three subcategories based on the age of the subjects.

In our office we have a man who spends most of his time categorising material according to this scale.  Sentencing is also based on the level of images found on a suspect’s computer, if a suspect has level 5 images they will be given a more substantial sentence than if they possess level 1 images.  This individual has a job that I do not envy but he has been doing this kind of work for decades, and he has some interesting stories – but that’s for another time.

The work that he does helps us considerably.  First, we don’t have to spend hours doing the task ourselves and second, our exposure to this material is reduced.  We import his work into EnCase as bookmarks and perform a normal investigation.

This week this person had annual leave booked.  This meant that the tasks of categorising of images fell back on the investigators.  The last place I worked we did all of our own categorising so I’m familiar with the material and just got on with it.  I’ve worked in this field for three years and, in this time, I’ve seen and categorised several millions of these images.  Am I used to it? Have I become desensitised to this kind of material? Not in the least.

I can honestly say that categorising pictures this week has been horrible.  I am disgusted and appalled by the things I see.  Some people in this field will answer this with “You’re in the wrong business,” or “Don’t worry, you’ll learn to cope with it.”  These kinds of comments are not helpful or even true.

After three years these people suggest that I should have developed some sort of immunity to this material but I don’t agree.  I believe it is my disgust at these images that separates me from those people that view it illegally.  I never want to sit down to do such a case and not feel terrible about doing it.  I’m not saying that I can’t cope with the work, I can handle it just fine, but I never want to get to a point where it doesn’t affect me.  If I ever reach it I will consider leaving the field in order to preserve my own humanity.

This is the main reason that I won’t stop arguing that we, as forensic investigators, should not be debating the difference between a 15 and a 16 year old, we should be left to get on with what we do best.  We are not experts in child development, we are not paediatricians, we are digital forensic experts. I’m going to wave this banner until something changes or I die, whichever comes first.  Sadly, knowing the legal system in the UK I have a feeling I know which one will arrive most quickly.

Law Enforcement Only

Before I begin I want make it clear that I work as a subcontractor for several different police forces throughout England.  I work for several private/defence clients too.  I feel that this gives me good insight and a balanced point of view towards the two.  I know that this can be a somewhat emotive subject but, having said that, I am not one to stay quiet on subjects that I feel strongly about.  My colleagues know that, if they discuss it, that I will interject and verbally assault anyone that disagrees with me.

As a contractor for the police we are tasked with providing forensic reports and statements based on computer or phone evidence. During our day to day work we encounter the same material to which the police themselves are exposed. We perform an investigation on the submitted evidence and then send the evidence, and the reports, back to the relevant constabulary while we retain copies for archiving purposes. We act on behalf of the prosecution in these cases.  We are, in essence, doing the job of a trained cop.

As such it is my opinion that we should be permitted access to all the same training and software that are furnished for law enforcement officers.

Earlier this year a conference was held with the subject matter based on mobile/cell phone forensics.  On average our company completes around 80 phone investigations for various forces per month.  With this in mind we decided it would be a good idea to send a couple of our phone invesigators along to learn about any new developments.  Upon contacting the organisers of the event we were told that we could not attend as we were not law enforcement. Factually this may be the case but in what way do we really differ from law enforcement officers? We do the same work, their work, and we’re even on the ‘same side’ so to speak, so what reason could there be to exclude us? No explanation was offered. Not even an irrational explanation.

Excluding private and defence experts from such conferences is a strange practice.  Expert reports and statement that form part of a criminal case, along with the testimonies given, are made public record (obviously with some exclusions).  As a result any new investigation techniques discussed at closed conferences will seen become open knowledge anyway, so what is the point of restricting the flow of information in the first place?

The chasm between law enforcement and non-LE personnel widens drastically when you look further afield.  Commercial software and training is offered to law enforcement at a significantly reduced rate.  Why is this?  Everyone that I have discussed this matter with has been unable to provide a concise answer.  Is it due to budgetary requirements?  Everyone has budgetary requirements to meet, in what ways do private companies and police forces differ in that regard?

Software such as iLook, COFEE, and many others are released as forensic and/or indicent response tools for the use of law enforcement personnel only.  Once again, the question is ‘why’?  We work in an adversarial legal system where fairness and equality for both prosecution and defence should be central to each and every case.  The legal system should be fair. The evidence and tools used by the prosecution experts should be accessible to the defence, how else can the legal system claim to be fair? A defence expert may be left with no recourse if the prosecution presents evidence that has been found using one of these ‘LE only’ tools that has not, and can not, be indepently verified or the results challenged.  Should the court allow this? Of course not. But for some reason it is acceptable.

The legal system is about fairness and equality. How can disqualifying forensic practitioners from events or software be in the best interest of the law or justice? Why should it matter whether or not they wear a badge and carry a gun?

Something ironic to finish.  One of the organisers of the aforementioned conference (a police officer) recently contacted our company asking for some information relating to a case that we recently completed for a different force.  We do not do any work for his force in fact they do not outsource any of their work or permit the evidence out of their compound. We’ll gladly furnish him with the data but he’s not going to like our conditions or the cost.

This subject is not going away.  We will be discussing this very topic on a future episode of Forensic 4cast.  If you want to appear on that episode to share your own point of view let me know.

How Much Are Your Clients Worth?

I am subscribed to a mailing list in which several forensic investigators converse about various issues.  One such issue arose recently that struck me as slightly unusual, and some of the responses surprised me.  The issue in question was simply “Do you bill clients for machine time?”  The investigator was simply asking if we charge for time when the investigator is not working on the case but the computer is still working; things such as carving files or performing keyword searches.  I do not know how many times I have had to leave a case overnight, or even over the weekend, in order to complete a task.  All I know is that it happens frequently.  So what are the flaws in billing for machine time? How can investigators and clients both be satisfied with the final bill? Should I charge my usual fee, or even a reduced fee, for the time that the computer takes to complete a process?  My answer: it depends.

The variable in the answer is a case of exclusivity.

If you are an internal investigator or a law enforcement officer the article may not strictly apply to you, however I believe the principle of accountability applies to all regardless of their position or employer.  We all have to report to someone whether it be employer or client.  These people expect us to perform certain tasks in return for payment.  If we are dishonest in our endeavors it will inevitably come back to haunt us.  The best advice that I can offer?  Be completely honest with your employer, clients, and whoever else to whom you are contracted.

Billing is a basic concept.  We charge a certain amount of money ‘X’ per hour and do so many hours of work ‘Y’.  Therefore X x Y = Z (where Z is the billable amount).  The problem is that all ‘X’, ‘Y’, and ‘Z’ can be called into question if billing for machine time.

Look at your employment contract, it will likely state something along the lines of “you will not conduct business for anyone else during your working hours with…”  This is a reasonable request as your employer should not have to pay you for time that is spent working for someone else.  More to the point, why should clients feel any differently?  Many investigators will find themselves, at some point, working on several cases at once.  They may run keyword searches on two cases and, while that is processing, continue to work on a third.  What should they charge in such circumstances?  If, per se, you charge $200 per hour for your services would you charge for the work on all three cases simultaneously, totalling $600 per hour?  The compuer has been working on three cases so why not charge that much?  There are five potential pitfalls that can create a stumbling block for an investigator if they choose to do this.

• First – Audits

Imagine trying to explain to an external auditor that you have earned three times your earning potential in a year.  When the auditor looks at the total hours worked, and the fees charged for that work, how will you explain the discrepancies?

• Second – Computer Specification

Surely if you’re going to charge for machine time it should depend on how quickly your computer can process the data.  If you ran the same keyword search on the same case on two different computers the time taken to complete those searches would differ drastically depending on the specification of the computer.  What complex calculation would you use to determine the hourly rate for the differences in performance?  If you’re planning on charging for this you’d better have some answers as your clients may come back to you with this question.

• Third – Number of Cases

Aside from the spec of your computer the thing that will affect performance will be how many cases are you working on at any given time.  If you are running a keyword search on two cases simultaneously then the speed of the search could be halved, so do you charge half of your hourly rate?  What happens if the search on one case finishes before the other?  Do you charge half for the first hour taken and the full amount for the second hour?  Do you sit and stare at your screen, making notes on when the first search started so you know precisely how much to bill?

As you can see, this becomes very complicated and can waste a lot of time.

• Fourth – Expertise

Clients are not looking for the investigator with the fastest computer or the largest hard drive, the client is paying the hourly rate for your expertise in the field.  They are not paying for processing power, they are paying for your experience and knowledge.  The agreed hourly rate is for you, not for your computer.  The client is paying a substantial amount of money to you, they do not expect to pay you regardless of whether or not you are physically working on their case.

• Five – Reputation

What would happen if a client discovered that they were paying you while you were working for another client, or out shopping, or fishing, etc?  How would others perceive you?  Your reputation could well be on the line.

People may argue and say things like “What about my bills? The cost of running the computer, the cost of keeping the office open while a process is run, how do I recoup these expenses?  The answer is quite simple.  You do charge for these things but in such a way as to maintain your integrity.  When quoting for work don’t simply estimate, take your expenses into account.  The hourly rate should not only reflect your expertise, it should also take in to account depreciation of assets, such as computers, administrative efforts related to the case, as well as electricity, other consumables, and non-investigative staff.  Doing this will enable you to invoice clients with the confidence that you have done everything honestly with your integrity in tact.

There is, of course, an exception to the rule.  If you are called upon to perform an investigation outside your office (on-site) then the client should be paying you for the the time that you spend at the premises.  This will include the amount of time to acquire any devices.  You may ask ‘why the difference?’  It is down to exclusivity.  If you are at your own desk you will have other tasks that you can perform that do not relate to that client.  When you’re away from the office you are expected to give your full attention to the client, they expect exclusive access to your skills and knowledge while you are there.  Even if you are there to only acquire a single hard disk drive, the time taken to acquire, regardless of how long it takes, should always be billable.  Do not interpret this to mean that you should just kick back and wait for the process to complete.  Use the time wisely, they are paying for you to be there so do something productive such as completing forms, tidying up your notes, getting details about the case from the client (if applicable), and so forth.

There are many issues that affect how and what we bill clients but it is important that we get it right if we want our client to return with future business.  Remember the key is exclusivity.  When in the office keep track of what time you spend in front of the screen working for the client.  When you are not working for them, don’t bill them.  This way you will ensure that you clients are happy with the cost of the work, all you have to worry about is the quality.

Lee Whitfield BSc (Hons) MBCS CCE EnCE is a digital forensic investigator and founder of Forensic 4cast.

You are The Weakest Link… Goodbye

Some time ago I appeared on Anne Robinson’s Weakest Link. I wouldn’t normally wish to appear on a TV game show but whilst playing the Weakest Link at home with my family I became so adept at winning that they suggested I try my luck on the real gameshow.

Appearing on the Weakest Link was quite nerve wracking. Not because of the redoubtable Anne Robinson, but because I did not wish to appear stupid to a national TV audience. I was also determined not to make the “walk of shame” at the end of round one only to see a professional dog walker from Purley go on to win the cash.

I didn’t win and I don’t expect you to believe this, but I actually knew the answers to everyone else’s questions.

So, has my moment of TV fame made any impact on my Expert Witness role? Well, it has actually. I learned some valuable lessons during filming that I won’t forget quickly, such as:

• Don’t submit yourself for questioning unless you know the topic.
• Don’t guess the answer, it is probably going to be wrong.
• Don’t shrivel under the withering gaze of a dominant questioner, answer quickly, boldly and with conviction.

An Expert should always know his Topic

A quantum expert is expected to have an abundant knowledge of construction methods and the measurement thereof. They will understand the original contracted scope of work, the site application of the materials in use and quantities required to fulfil that scope. Finally, they will know how the contract deals with the evaluation of changes to the works.

Likewise, a planning expert will not only know how to manipulate planning software, but they will be experienced and practical. They will understand the processes of construction and how long an activity should take. The forensic expert will also know how the works should have been logically sequenced. Armed with this knowledge they can provide a tribunal with a fact based analyses.

It all sounds so obvious and simple but there are still many Expert Witnesses who fail to fulfil the basic criteria set out above.

On an engineering project that seriously overran the programme, the Contractors Planning Expert Witness accepted that the Contractor’s extension of time claim was correct, even though it sought an extension of time that took planned completion months beyond the actual completion date.

Disregarding strenuous arguments from the tribunal explaining the futility of such an expert finding, and despite being referred to earlier cases and learned academic texts to the contrary, the expert was immovable. In cross examination the expert faced the accusation that his findings were wholly “theoretical” and that as a matter of record the events did not happen at the times shown on his theoretical analysis. The Expert refused move from his stated position and a chance to narrow the issues was lost, as was the Contractor’s case.

Experts should not guess

Cardinal Wolsey said “A man may believe what he will, but he should believe what he ought”. In essence experts are allowed to have an opinion but that opinion should not ignore the evidence. An Expert’s opinion should only be constructed under strict criteria, namely:

• It should be on a matter upon which they are informed
• It should be on a matter where they are experienced
• It should be on a matter upon which they are qualified to opine
• It should always be based upon available facts, where these are available
• If contemporaneous facts are not available any published data relied upon must be from an reputable and reliable source
• Where it is a best estimate or guess, this should be clearly noted

In an arbitration on an overseas power project the Contractor’s expert was unable to verify the price of the Contractor’s bulk materials and so rather than carry out a measure of installed works the expert made the assumption that the total weights of pipeline materials delivered were installed. He applied an estimating rate and labour norms to the total delivered weights and valued the work accordingly.

Under detailed cross examination it was disclosed that the Contractor’s expert had not been able to find accurate weights for the numerous valves delivered and so he had allocated them into columns of “less than 2 kg”, “2kg to 10kg” and “10kg to 20kg”, making the assumption that every valve in each column was equal to the maximum weight in the column heading ie. 2kg, 10kg and 20kg respectively. This guess proved to be completely wrong with many valves being only 30% of that allowed.

This was a wholly avoidable error as the necessary valve weight information was available on the internet, just a few mouse clicks away.

Guessing isn’t acceptable for an expert and if experts are asked to give an educated guess then they should make it clear that their answer is an approximation based on experience.

Experts should be sure of their opinions

When an expert has carried out his research thoroughly, has found sound evidence upon which to rely and has then formulated his honestly held opinion based on his experience, he should be better placed than anyone else to influence the tribunal.

Advocates, no matter how skilled and informed, cannot know the Expert’s field better than the expert, yet they sometimes convince experts that they do. If the Expert has prepared properly he should know the answers to all relevant and important questions and then he can safely confess to the tribunal that he does not know the answer to irrelevant questions.

Perhaps because of nerves, or maybe due to lack of preparation, experts are occasionally knocked off course by aggressive questioning. Experts must remember that forming an opinion is only a small part of the expert’s job, defending his opinion in the face of cross examination is potentially the more important part.

A short while ago I watched as experienced counsel took an expert to task on his report. The expert had not done all of his own research and soon became nervous. Counsel smelled blood and moved up a gear. The expert, stammered and shook, soon his evidence collapsed completely. Later when the expert saw the transcripts he was shocked, he simply could not remember agreeing that the opposing expert’s view was probably more prescient than his own.

Facing experienced counsel in cross examination is difficult, but the expert should remember that on the issues in question, he should be better informed about his report than opposing counsel. Firm, bold answers will help to unsettle the cross examiner who is always anxious to avoid reinforcing the opposing expert’s opinion.

Conclusion

Choosing an expert can be tricky, will they do the research, can you trust them not to guess, will they fold under hostile questioning? Only time will tell unless you choose wisely from the ranks of experienced experts who have been there done it and proudly wear the tee shirt.

As for the Weakest Link, was Anne Robinson scarier than a QC, not really. In hindsight it was fun and if you don’t believe me and you live in Purley, ask you local professional dog walker.

Jeffery Whitfield LLB, FRICS, MCIArb, MAE is an expert witness and forensic consultant in the field of construction.  He is a partner at EC Harris.