Tuesday, November 1, 2011

Forensic Course Review: SANS Forensics 558 (Network Forensics)

I was fortunate last week to attend SANS Network Forensics (FOR-558) taught by Paul Henry during the SANS Chicago 2011 event. Overall, I would give this course four and a half (4.5) out of five (5) stars and highly recommend it to any #DFIR practitioner. Of note, fellow forensicator, friend, and blogger Ken Pryor also attended FOR-558, and I am sure he will have a review posted over at the Digital Forensics blog soon. As with any SANS event, the "SANS fire hose effect" began the morning of day one. Before diving deep into FOR-558, I would like to thank Mr. Paul Henry. Paul is a great instructor, bringing his many years of experience to the classroom, and an expert in all facets of InfoSec and Digital Forensics (Paul, you rock!).

Day One: Covert Tunnels
On Day One we hit the ground running, capturing network traffic with tools like tcpdump, which comes pre-compiled on the SNIFT (SANS Network Investigative Forensic Toolkit) workstation that is issued to FOR-558 students. We went through network protocols and the layers of the OSI Model, starting with DHCP and MACs, and quickly moved into capturing and filtering data packets on the SNIFT workstation. We then moved into network tunneling of encapsulated data packets, which was cool! We even dissected an ICMP Tunnel .pcap using tcpdump, Wireshark, and a hex editor. The afternoon of Day One was spent on hands-on labs looking at covert ICMP and DNS tunnels. We also went through a quick *nix command-line refresher, since we would be working primarily from the command line on our SNIFT workstation for the entire week. I quickly learned how important piping into grep and other Linux command-line tools would be during the labs and capstone investigation.

Day Two: Deep Packet Analysis
Day Two was focused on forensic methodology, collecting evidence, and deep packet analysis, and was full of wireshark, tshark, ngrep, ssh, scp, tcpxtract, oftcat, pcapcat, networkminer, and smtpdump, to name a few. On Day Two we spent a lot of hands-on time using Wireshark to review packets from an OFT (OSCAR File Transfer). These lab exercises also reiterated the anomalies in how Wireshark (and other forensic tools) parse data and present it in the GUI. Validate, validate, validate! Day Two could have been an additional half-day with all the lab exercises.

Day Three: Firewalls, IDS, Proxies, and Data Reconstruction
Day Three was full of analysis of firewalls, routers, IDS, Splunk and log analysis, and full content reconstruction from packet captures and proxy caches. The morning of Day Three, I had some networking issues with my MBP and VMware Fusion 4, so Paul was gracious enough to let me use his machine for the labs, and by the afternoon I had the networking issues with my system corrected. Through these lab exercises I learned a ton about iptables and firewall rules, which aided me during the capstone investigation, as I was tasked with analyzing all the firewall log entries for my team. We also looked at snort, splunk, and squid cache in our afternoon lab exercises. The file carving exercise from squid cache was pretty darn cool (Note: those of us who were "forensicators" really enjoyed the file carving exercises that were integrated into the labs). Day Three could also have been an additional half-day with all the lab exercises.

Day Four: Network Forensics Unplugged
Day Four was 802.11 and was my favorite day of FOR-558. We spent the day discussing WAPs with lab exercises on acquiring and analyzing data. The lab exercises were great and tied everything together for the week to gear the class up for the capstone investigation on Day Five.

Day Five: Capstone Investigation
Day Five was our final/capstone investigation. As a class, we were broken up into 4-5 person teams. Without revealing too much about the capstone, it drove home a concept that we as forensic analysts often overlook. If you work a case from just one angle, you can miss other indicators that may lead down an opposite path, where you locate other forensic artifacts that may support or refute your hypothesis. Maintain focus on the goal of your digital forensic examination, but be prepared to change your hypothesis if necessary. Always have a Plan B, Plan C, and so forth for when Plan A doesn't go as strategized. Objectivity during your forensic examinations will ensure you are looking at the digital evidence through a broad lens. As with any digital forensic examination, have a plan, establish chain of custody, take good case notes, include supporting artifacts, and complete a solid, easily understandable report. All of these were important during the capstone, and they are just as important during any digital forensic examination/investigation.

In summary, FOR-558 was a great course. The data carving techniques that we use in everyday forensic examinations carry over directly to network forensics. I'm giving the course a four and a half (4.5) star review because more time is needed for lab exercises. After speaking with several attendees, they also felt more time was needed on lab exercises. If you decide to attend FOR-558 or any SANS Forensics course, make sure that you practice the labs in the evenings and on your own time, as it will aid in retaining the course material. I found this very helpful on the evening of Day Three. As forensic practitioners ("forensicators") we like to get our hands dirty and tear things apart (per se) to learn the process, and to understand what the output from the parsed data is showing us. The lab exercises rocked; however, more time is needed to really drill down into the data and learn the concepts.
Having primarily a forensics background, listening to Paul discuss some of his DF/IR engagements reiterated the importance of the lab exercises we were doing, and it made it easy for me to relate the command-line kung-fu to my own present and past cases. After attending any course, the real learning takes place when the course is over and the analyst returns to his/her everyday routine. Just like any learned skill, if it is not used then it will fade. FOR-558 is no different, and I highly encourage anyone working in digital forensics or the network realm to complete FOR-558. If you enjoy the command line and learning through hands-on labs, then FOR-558 is for you!
The lab exercises and course material give the student practical application immediately, plus you get the SNIFT VM, supplemental exercises, VMs, and puzzles.
Speaking of puzzles, check out ForensicsContest.com for network forensic puzzles. Puzzle #10 is due 11/22/11 (11:59:59PM UTC -11), and one cool thing about these puzzles is the forensic tools that have been developed as a result of solving them (i.e. oftcat, pcapcat, etc.). Now head on over to ForensicsContest.com and maybe you'll solve the puzzle. :)

No hard drive? No problem. Network Forensics to the rescue.

Thursday, August 11, 2011

Img2Txt.pl (beta forensic tool)

If you followed the Casey Anthony murder trial or my DF Source interview with Detective Sandra Osborne of the Orange County Sheriff's Office, the chloroform searches were a hot item of discussion and evidentiary value during the Casey Anthony Trial. Part I and Part II of my interview with Det. Sandra Osborne.

Matthew Seyer (part of Richland College's digital forensics program) has created a perl script called Img2Txt.pl [beta], which extracts text from images using the program tesseract. After running Img2Txt.pl, the extracted text can be indexed and used as a reference for keyword searches. Matthew was inspired to write this script by watching the digital forensics of the Casey Anthony Trial. Matthew has created a YouTube video on how his [beta] script works, and he even uses an image presented during the Casey Anthony Trial in the demo.

During a conversation with Mr. Seyer, he said: "I think the best way that this script can be used as of now is to extract out all image files with EnCase and preserve the folder structure, then run the script on the root folder of the extracted images. The script should preserve the folder structure of the images and copy the text to the output folder; the text files are named the same as the image in the same folder just with a .txt added to it. You can then index the output folders and search for keywords with your tool of choice. This was the quickest way of keeping track of what image it came from that I could think of on the spot."

Matthew stated that Img2Txt.pl has not been peer reviewed or tested (this is where you come in). This tool is in beta, and Matthew is looking for feedback from the digital forensic community and is releasing this tool via DF Source. Please give it a test drive and provide feedback. While this tool is in its beta stage, with DF community support it has the potential to bring context to digital forensic investigations and change how we approach keyword searches: pulling text from images, indexing the text, and then integrating the text data into keyword searches. (Disclaimer: As with any digital forensic tool, you must test and validate your findings. YMMV)
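The workflow described above (walk an exported image tree, OCR each image with tesseract, and write a same-named .txt file into a mirrored output tree) is small enough to show end to end. The script below is an added example written for this post in Python; it is not Matthew Seyer's Img2Txt.pl and does not reproduce his code. It assumes the `tesseract` command-line binary is on PATH (the constructed sample paths in the docstrings are illustrative only), and it keeps the path-mapping logic separate from the OCR call so that the mapping can be checked without running tesseract.

```python
#!/usr/bin/env python3
"""Mirror an exported image tree into a tree of OCR text files (added example, not Img2Txt.pl).

Usage: img2txt_tree.py <exported_image_root> <output_root>
Each image at <root>/a/b/pic.jpg produces <out>/a/b/pic.jpg.txt so the source image
is always recoverable from the text file's location and name.
"""
import shutil
import subprocess
import sys
from pathlib import Path

# Suffixes treated as images; extend as the export dictates (assumption for this example).
IMAGE_SUFFIXES = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff"}


def is_image_name(path) -> bool:
    """Decide by suffix only, so the check works on a plain listing without touching disk."""
    return Path(path).suffix.lower() in IMAGE_SUFFIXES


def output_path_for(image, src_root, out_root) -> Path:
    """Keep the image's position relative to src_root and append .txt to its full name."""
    image, src_root, out_root = Path(image), Path(src_root), Path(out_root)
    rel = image.relative_to(src_root)
    return out_root / rel.parent / (rel.name + ".txt")


def plan_outputs(listing, src_root, out_root):
    """Pair every image path in `listing` with its mirrored .txt path (as strings).

    `listing` is any iterable of paths under src_root; non-image entries are skipped.
    """
    pairs = []
    for entry in listing:
        if is_image_name(entry):
            pairs.append((str(Path(entry)), str(output_path_for(entry, src_root, out_root))))
    return pairs


def ocr_image(image: Path, text_out: Path) -> bool:
    """Run tesseract on one image, writing text_out. Returns True only if the text file appeared."""
    if shutil.which("tesseract") is None:
        raise RuntimeError("tesseract not found on PATH")
    text_out.parent.mkdir(parents=True, exist_ok=True)
    # tesseract takes an output *base* and appends .txt itself, so strip our suffix.
    out_base = str(text_out)[: -len(".txt")]
    proc = subprocess.run(["tesseract", str(image), out_base], capture_output=True, text=True)
    return proc.returncode == 0 and text_out.exists()


def extract_tree(src_root, out_root, ocr=ocr_image) -> dict:
    """OCR every image below src_root into out_root; return {image_path: success_bool}.

    `ocr` is injectable so the walk can be exercised with a stand-in during validation.
    """
    src_root, out_root = Path(src_root), Path(out_root)
    listing = [p for p in src_root.rglob("*") if p.is_file()]
    results = {}
    for image, text_out in plan_outputs(listing, src_root, out_root):
        results[image] = ocr(Path(image), Path(text_out))
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(__doc__)
    outcome = extract_tree(sys.argv[1], sys.argv[2])
    failed = [p for p, ok in outcome.items() if not ok]
    print(f"processed {len(outcome)} images, {len(failed)} failed")
    for p in failed:
        print("FAILED:", p)
```

Because the text file sits at the same relative location as its image and carries the image's full name, the index you build over the output tree points straight back to the source image, and any image whose OCR failed is listed rather than silently missing from the index. As with the script the post describes, the OCR output is a lead for keyword searching, and the image itself remains the evidence.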

Visit the Img2Txt.pl page for more information on this beta digital forensic tool.
Img2Txt-v1.0Beta.pl (hosted on DF Source)

Contact Matthew Seyer
About Matthew Seyer

Exclusive: An Interview with Sandra Osborne Part II (UnCut)

Detective Sandra Osborne providing expert testimony in Casey Anthony Trial

Brad Garnett of the Digital Forensic Source blog had the recent opportunity to interview Det. Sandra Osborne of the Computer Crimes Squad for the Orange County Sheriff's Office. Det. Sandra Osborne provided expert testimony, on behalf of the State of Florida, during the Casey Anthony Trial. This is a detailed and in-depth interview. We discuss an array of issues with Sandra, including but not limited to her law enforcement career, digital forensics, the Casey Anthony Trial, and digital forensics in the courtroom. This is Part II of our series with Detective Sandra Osborne.

Author's note: This series takes you deep inside the workings of a large law enforcement agency, through the lens of a forensic examiner, sharing her experiences and reflections on what the media is calling "the trial of the century", the Casey Anthony murder trial. It was great to interview Sandy and spotlight the career of a fine law enforcement and digital forensic professional. In regards to the Casey Anthony murder trial, this interview focuses on the digital forensics and the expert witness testimony. Readers who have never testified in court as a witness should take a lot away from this interview. Readers who have provided expert witness testimony or have testified in a legal proceeding regarding digital evidence should also take something away from it. This interview is "uncut"; Det. Osborne discusses some issues that were stipulated and agreed upon that never made it to trial.

* Read Part I of DF Source's interview with Det. Sandra Osborne here.

DF Source: Sandra, I'd like to move into discussing the Casey Anthony trial and digital forensics in the courtroom. Earlier you mentioned that you were recently responsible for the block of instruction covering courtroom testimony during the IACIS basic course in Maitland, Florida. You further mentioned that you would be revamping that instruction block due to your recent experiences in the courtroom. Let's discuss those recent experiences. In particular, I'd like to shift right into the Casey Anthony trial. First, from reviewing your Computer Forensics Report, there were several different pieces of digital evidence (i.e. computers, digital cameras, cellular phones, removable media devices, etc.) that were submitted to your computer crime lab for examination. Please provide a brief overview of how you became involved with the digital evidence in this case.

SO: When I became involved with the Casey Anthony case in July of 2008, I had been assigned to the computer lab for about a year. I had never formally worked a homicide examination, but I had some practice conducting exams on all kinds of other cases. I happened to be working later in the day than usual when one of our missing persons detectives asked me how late I could stay. That's never a good question! She told me they were working an active missing child case on a 2-year-old and that they would be submitting a laptop computer and a cell phone to us later that evening after they secured a search warrant. Of course, I offered to stay as late as they needed me to. I figured this one was an easy one and that it wouldn't take long to get what the detectives needed. A phone number or two, maybe some text messages to some friends or the nanny, and we would locate the child and be done. I received both items sometime around 9pm. I was notified that the search warrant was signed and I was good to go for the exam. I cranked up EnCase, threw the hard drive onto my FRED / Tableau write blocker and started imaging. I chose to image instead of preview because something told me I would need to eventually anyway. Meanwhile, I attempted to process the phone with the CelleBrite, but no luck. I think all I got that first time around was the phone contact list. Paraben's Device Seizure wouldn't connect at all. That was the extent of the cell phone / mobile forensics software I had at my disposal at the time. I believe I gave the CelleBrite report and the phone back to the detective to peruse to see if there was anything of interest to them. I wasn't yet briefed about the case, other than that the child's mother (Casey) was being less than truthful about the location of her daughter Caylee. I knew we were looking for a nanny, Zani, Zenaida, or something similar. There were hundreds of numbers, but Zani was not one of them.
The family was unsure about the exact date they actually saw Caylee last. They knew it was a family gathering on Father's Day, but they couldn't decide when that was exactly (unbelievable!). The family digital camera (submitted a day or two into the investigation) revealed a video of Caylee and her great grandfather at the nursing home on June 15, 2008 at about noontime. I don't believe Casey was there at that gathering. That is how we knew what exact date to start our timeline.

Page 6 of Det. Osborne's Computer Forensics Report
Over the next few weeks, about 11 cell phones and 7 computers, all from various sources, were submitted, as well as several digital cameras and a thumb drive. In every situation, the focus was on finding Caylee. I would spend the next 8 months or so combing through this data one file and keyword search at a time.

DF Source: Do you feel there are forensic artifacts that may have been important to add to your report, but that were left out due to relevance or were stipulated upon during one of the many pre-trial hearings? Anything you would like to have added or introduced as evidence at trial?

SO: At the time I completed the first report, we were still looking for a live Caylee. We had not yet recovered the remains. Thousands of tips and leads were pouring in and we had all we could do to keep up. I was searching the case file every day for new information based on the tips/leads coming in. Any findings were reported by me. The missing persons' squad conducted follow-up leads on "Internet detectives" who were calling in tips, sightings, premonitions, and visions from God telling us where to look for Caylee. At one point, the "Cat Lady" gave us her two-cents on where she envisioned we would find her. There are plenty of unemployed folks online who actively search for cases like this to "help" investigate. One website that hosts web sleuths had reports and information before we did! Crime-line tips from citizens were pouring in as well. I searched the computers for anything and everything that Casey may be associated with; such as, Universal Studios, night clubs, shot girls, social websites, email, etc. I found lots of stuff, much of it not worth reporting, but nothing that led us to Caylee.
Needless to say, we were also very busy accommodating all the requests from detectives wanting to know if we found this or that on any of the computers. As detectives gathered physical evidence and testimony from witnesses, they inquired as to whether or not anything could be found on any of the computers. This case became a media frenzy so quickly because of the family's requests to the local and national media for help; the town went crazy. Masses of people from all over took days off work to search and work on this case.
We had two local police officers get fired over their relationship with this girl. I know at least one of our deputies was dishonest when detectives interviewed him and he said he barely knew Casey. I found chat between their two screen names that told us otherwise. He was fired, and this evidence did not get entered at trial, although it is in my report. The second officer worked for the Orlando Police Department and is no longer employed as a law enforcement officer.
The information I included in this first report covered any files of interest to the detectives, with an emphasis on the files created, accessed or written during the 31 days that Caylee had not been reported missing. This included many graphics and videos of Caylee, Casey partying at clubs, My Space IM, AIM Logger chat, Casey's Cupid.com profile and similar items. It became very clear very early on in my investigation that members of this household spent a lot of time on the Internet. The IE history alone covered 4.5 years, from 2004 to July 2008. I felt I provided detectives with everything relevant to what they requested. From the looks of the HDD contents, it seemed the computers were used very rarely for academic study or word processing. It was apparent to us as well that someone began dumping loads of files from the desktop computer right about the same time we began investigating this case. We believe that's why the deleted Mozilla Firefox MORK database was so intact when we got the computer. There were 9,075 records in one deleted Internet history record. There's only one way that could happen. It was dumped and we shut down the box.
Detectives homed in on July 16, 2008 rather quickly into the investigation. I'm not sure how or why they did, but they asked me to conduct a timeline that showed the use of the computers for that day. The original timeline I conducted was through the functionality of EnCase. I set the program to look at July 16 and July 17, 2008 and provide an indicator of the computer's activity during those 48 hours. EnCase gathers the information for the timeline from the file system dates and times: created, accessed, modified and deleted. EnCase then shows which files were active during that time. What I didn't realize at that time (but I know now) is that this was not the best approach. My timeline showed large gaps of time where it seemed there was no activity at all on the HP home computer. Therefore, I reported those gaps in time to detectives. They were working off the presumption that large gaps of time away from the computer could possibly mean that was the time frame when something may have happened to Caylee. I looked very closely at July 16th again just as the trial was starting. I filtered all the files on the HP computer to show only the 24 hours for that day. I sorted every file first by creation time and then by accessed time. What I learned was that the temporary Internet files were being accessed and created during some of those large time gaps when I thought nothing was going on. What I didn't think about in 2008 was that the index.dat files are stored in a database (hence the file extension .dat - DUH!). The EnCase timeline function reported the MAC times for the database itself and not for the individual records it contains. So, while the user is accessing the Internet, the index.dat file is not being updated the whole time it is in use. What I discovered was an AIM Logger chat (not about Caylee), lots of MySpace activity and local files being created and accessed in the desktop\pictures\shotgirls folder during the times I thought there was nothing going on.
This activity goes on all day, from just before 0800hrs, with a break for lunch time for about an hour and a half. At 1330hrs or thereabouts, the activity picks up again, after everyone has gone to work. What that means is that someone is on the computer from 0756hrs until 1146hrs on the 16th of July, 2008. George (Casey's father, Caylee's grandfather) testified that Caylee and Casey left at about noon. The computer activity stops at 1146hrs, right on time. George leaves for work; Cindy (mom) is already at work earlier that day. The same type of Internet and local file activity resumes after 1330hrs, when everyone is supposed to be gone. The AIM logger chat was between two users who identified themselves in the chat by name: Casey and the other user. The MySpace appeared to be Casey's, as did the shotgirls photos. Casey was dating a DJ at a local night club at this time, and although she didn't work at the club, she promoted the local talent there and "hired" girls to work the bar serving shooters. So, it makes sense that she would be researching the clothing the girls should wear. There were many pictures in this folder, some of which were created/downloaded from MySpace that day that Caylee went missing. I was prepared to testify about this new information as soon as Mr. Baez announced in his opening statement at trial that the baby drowned in the family pool the morning of July 16, 2008. Well, the computer tells us a story that indicates either this traumatic event never happened or the computer user ignored the crisis completely.
There is a lot I would like to have added to my testimony at trial. Many hearings were held before the trial, and some of them were to determine what evidence would be allowed and forbidden. Much of the evidence I included in my reports was either stipulated to or not allowed. Sgt. Stenger did quite a bit of work with Photo Bucket.com obtaining the information about Casey's account, where she logs in from, all the pictures uploaded to the site, etc. None of that evidence made it in. All the party pics were taken by a professional photographer and uploaded during the 31 days Caylee was missing. There were other IM sessions, emails, blogs, and chats with friends all throughout those 31 days that didn't make it to trial. Few of Casey's conversations were about Caylee.
I provided detectives all the email, pictures, blogs, Internet History, TIFs and the timeline I could find. I did look in the Volume Shadows for restore points during the times of interest, but found nothing more than I had already found.

DF Source: From watching your testimony during the trial, we know that you used EnCase as your primary forensic tool for analysis. What other forensic tools did you utilize? From 2008 to just prior to the start of the trial in May of 2011, were there any new forensic tools that you were able to implement into your forensic analysis of digital evidence relating to the Casey Anthony trial?

SO: EnCase was the first automated forensic software I learned how to use, so that is what I feel most comfortable using. Getting an EnCE certification was the second thing I did after CFCE. I imaged all the digital evidence in this case using either EnCase or FTK Imager.
I did some work with FTK version 1.3 and then 1.8. I like the indexing feature, even if it does take forever on the front end to complete. The live searches are so much easier when you need a quick response. I looked at all the email and attachments with FTK. I mounted the image file as an emulated disk and used Net Analysis to examine the Internet history, cookies, and temporary Internet files.
The majority of the exam work was done with EnCase. Many of the keyword searches and the email were worked in FTK, and the Internet records were analyzed with Net Analysis and CacheBack. Those are the only tools I used for this one. I must say that I wish I knew then what I know now about forensics and how to stay on track with a huge, media-frenzy case. I would approach the examination differently, with more experience and detail.

DF Source: Sandra, let's move into the chloroform searches. You stated that you used CacheBack and Net Analysis for Internet history analysis. Recently, we've seen both companies issue a press release regarding the discrepancies in their output as it relates to processing the MORK database in early versions of Mozilla's Firefox browser. There have been several blog postings and articles from various sources supporting one tool over the other. Can you share additional information with DF Source readers to add context to the chloroform searches?

SO: As a result of conducting a keyword search on the Anthony's home computer for "chloroform", I found several hits within a deleted Mozilla Firefox Internet history record. I recognized the data as being from an Internet record, but that is all I could tell from the data. My sergeant found the beginning of this very large record and recognized the MORK header as an old Firefox database. He was able to carve out the entire database, which consisted of over 9,000 records (we've since learned this after the confusion at trial). He worked with that data from there.
Sgt. Stenger was not very familiar with this old database, so he enlisted the help of John Bradley, the creator of CacheBack. Mr. Bradley was asked to verify that this was in fact a MORK Mozilla Firefox Internet history database. CacheBack is a great tool for parsing Firefox (and other records) and rebuilding web pages. The class John gave us a few years ago here in Orlando was very intense and informative. He knows IE, Firefox, Chrome, and Safari very well. Because this record had been deleted, Sgt. Stenger named the file history or Header.dat (I think) and imported it into CacheBack and into Net Analysis. Net Analysis reported many of the records but not all of them. It did, however, report the page visit count for the sci-spot "chloroform" search in Google as "1", where CacheBack interpreted the page visit count incorrectly as "84". From what I understand about the MORK database, if a web page is visited only once, the page count is left at "0" and will not increment to "1" until the second visit. This was apparently the case with the sci-spot "How+to+make+chloroform" Google search page. Because the page visit count was only "1", the byte value for that was null. CacheBack did not interpret that data correctly, so it went down the database list of records until it came to a page visit count it recognized. That happened to be the MySpace.com page with a visit count of "84". Consequently, CacheBack inserted the "84" where it thought that value should go: in the sci-spot page visit count. CacheBack also did not return the correct number of records in this large database.
Craig Wilson, creator of Net Analysis, submitted a very detailed explanation of how the MORK database works. You can read it at http://blog.digitaldetective.co.uk/2011/07/digital-evidence-discrepancies-casey.html. Both Mr. Wilson and Mr. Bradley have re-evaluated their tools as a result of this misunderstanding. Both now report the correct number of records in the deleted history at 9,075.

(see file CacheBack errors 7.19.11.pdf) 

The Internet history from the Anthony's home computer, deleted or allocated, was submitted to the defense in the form of the evidence files via the discovery process. The defense had the raw data, as well as the .csv and .xls files containing the deleted Firefox records, as of October 2008. I know of at least 2 forensic examiners hired by the defense that did not raise any issue. That being said, the CacheBack report was created sometime after October 2008. I'm not sure when Mr. Bradley finished working with Sgt. Stenger on the records. It was, however, turned over to the defense as soon as they were finished with the report. Again, nothing was disputed by the defense examiners.
During the trial, Sgt. Stenger was asked to testify about the CacheBack report, specifically the "84" hits on the sci-spot page. He testified as to what the report said the page visit count was: "84". John Bradley was also asked about the "84" page count, to which he testified that he did not create the report (Sgt. Stenger did), but that CacheBack reported that the sci-spot page was visited 84 times. Nothing more was said for several weeks. The defense brought Sgt. Stenger back to the stand later to challenge the CacheBack report. Mr. Baez walked Sgt. Stenger through the report and asked several questions to dispute the "84" count. Mr. Baez basically concluded that CacheBack misinterpreted the data and that the "84" count actually belonged to the MySpace page. Obviously, Mr. Baez had been contacted by a forensic expert to come up with the conclusions he did; but nonetheless, his conclusions proved to be correct. As a result of the testimony provided, Mr. Bradley re-evaluated the way CacheBack interpreted the database and realized that it was incorrect. He worked non-stop to correct the errors and reported it immediately to Sgt. Stenger and the prosecution. At some point, the data was provided to Craig Wilson. Net Analysis has also been re-evaluated and is now interpreting the data correctly.
Neither Sgt. Stenger nor John Bradley was brought back to the stand to testify about this issue. It is not up to the witnesses to dictate the course of the trial. It was the position of the prosecutors that the CacheBack issue had been visited, revisited and corrected. Mr. Baez made his point in court, and Sgt. Stenger conceded the fact that the report appeared to be incorrect. In response, Mr. Baez's closing statement was that the computer evidence was fraudulent. They are upset because the prosecution didn't apologize to them for the mistake. To validate more than 9,000 records that were carved from UC is literally impossible, especially since we can't recreate the scenario. I am curious to hear from others about how the validation of the tools used with this particular record could have been performed. If the creators of the tools didn't know about the errors, then I'm not sure what more could have been done at that time and with the information we had. It is unfortunate these "bugs" in the software were discovered during such a public event; however, mistakes happen. It is not unusual for examiners to catch mistakes in all kinds of software. We see it every day on the listservs. It's just not pleasant to be on the losing end of the mistake. The bottom line is and always has been: validate, validate, validate WHEN YOU CAN, and seek several opinions when in doubt.

DF Source: The Anthony trial was a very high-profile trial that centered around the digital evidence in the prosecution's case. I think the entire digital forensics community can learn from this case, review tool validation processes, and see what can be changed. What are your thoughts?

SO: I've been thinking a lot about tool validation lately. In the Anthony case, I didn't work with the deleted Firefox records. I just located the "chloroform" search hits in unallocated space and exported the Internet history out to Net Analysis. I was still very new to CFE and didn't know what I was looking at. I didn't know how to run CacheBack at the time either, so I let my Sgt. handle all that. I had enough to do working with everything else. Now I understand what happened, but then I didn't. We have validated CacheBack and Net Analysis many times, and we use both these tools regularly. Should it become the standard to test and validate every software tool every time I use it? EnCase, FTK, X-Ways, Linux tools?
In the Anthony case, we were dealing with an old MORK database created around 2004 or 2006, I think. We didn't know how to manually decode it. That is why we use the brilliant tools that are out there. In order to validate ANY tool, I would have had to manually decode the MORK database to verify the values being returned for each field. There were 9,075 records in that deleted history file. But for the sake of this discussion, let's say we just needed to decode only one record of interest. I would still have to manually decode the record to verify that the software is rendering the data correctly. Why would I need the software if I knew how to manually decode it? Even if I had validated Net Analysis and CacheBack earlier that same day on some other database, would it have rendered THIS MORK database correctly? Probably not.
To accurately validate a piece of software so that it is "evidence specific", you really should test it on the exact version of the software you will be using. You can only do this by manually decoding the values and then comparing them to what the software tool returns to you in the form of a report; or, by recreating the scenario using the exact same software that created the problem. In the case of allocated files, you could boot the image into LiveView or into a VM session, or VOOM maybe, and work with it as the user would have seen it. In this case, we had deleted Firefox records.
Aside from the obvious record validation that should have been done in the Anthony case, I'm not sure what the proper protocol should be anymore. I am reluctant to dump all the history into one report now, and say that it is accurately reporting all the records that exist on the hard drive. How do I know? Must I manually decode every piece of data that I plan to call evidence to verify it? I would have to know how to dismantle every database and application out there (I suppose I could work in WinHex and forget the other tools).
I am really curious to know what other examiners are thinking about their tool validation procedures. I have received emails from friends that have said their labs are reviewing their policies, as a result of our experiences. This is probably a very good thing for all of us to do, I just don't know how far tool validation needs to go. If I knew how to reverse engineer Yahoo! Messenger chat sessions, I wouldn't need the Super decoder to decrypt and report it for me. So here we are......?

DF Source: Sandra, I know we've discussed privately how you have grown professionally as a result of the Anthony trial. Personally, I took a lot away from your testimony during the Anthony trial. I know I've said it once, twice, and then some, but fantastic job to you and Sgt. Stenger. What advice do you have for forensic examiners in the field that have never testified in a legal proceeding regarding digital evidence? Preparation really starts once you come in contact with the digital evidence, regardless of whether it is in a lab environment or in the field.

SO: Thank you again for your compliments. They are well received, I assure you. You are correct when you say your preparation for court starts once you come in contact with the digital evidence. I like to think that your prep starts from the minute you begin your career as a forensic examiner.

The most important document you will write when preparing for court (second only to your forensic report) is your curriculum vitae, a/k/a fancy resume. All of your education, training, certifications, and expertise are detailed in this document. Any time an expert works on a case and is expected to testify, a CV must be submitted with your report(s) for discovery. This is counsel's first impression about you professionally. The judge will read your CV long before he/she meets you. It is the judge’s job to decide whether or not you will be permitted to testify as an expert. With a well written CV, the judge will make an informed decision about your training and qualifications and decide that you are, in fact, an expert.
Being in the hot seat is never fun (unless you just like pain), but it doesn’t have to be stressful. With a little practice, you can overcome much of the self-induced stress that goes along with testifying. Several of the questions that are always asked are who you are, what you do, and what are the training and qualifications for being a computer examiner. The first two are easy, but the last one can be a bit tricky. If you have never read your agency policy for your job description, that’s a great place to start. If you belong to any computer forensic organizations, they most likely have a description of what the job entails. I like to describe my job as my A.R.E.A.A. of expertise. Computer forensics is the Acquisition, Reconstruction, Examination, Authentication, and Analysis of data stored on electronic media. Depending on the formality of the situation, I may say something like, “My job as a computer forensic examiner is to assist detectives with the handling and processing/examination of digital and electronic evidence.” These statements are short and to the point. You can build from there, if asked.
Another question you will be asked is, “Describe for us any certifications you have and what did you have to do to obtain those?” This one requires some practice. My primary certification is through IACIS, so I will offer this explanation of their CFCE. As a CFCE candidate, I attended a 72-hour course of classroom-style instruction which consisted of both lecture and practical exercises designed to teach basic concepts of computer forensics. Following that, I completed a series of four practical problems led by a coach / mentor who peer-reviewed my work. Upon successful completion, I was required to examine an evidence file designed to simulate a computer / crime scene scenario. This portion is completed without the assistance of a coach / mentor. Finally, I passed a 100-question technical knowledge examination with a score of 80% or higher. To maintain this certification, I am required to maintain a minimum number of continuing education hours every year and I must re-certify my competencies every 3 years.
This may sound like a lot of information, but if you can deliver this one to a jury or to counsel with confidence, everything else you say afterward will come easy. From here, you will begin talking about the facts of your case. I can’t help you there except to say document your work well and study it like your job depends on it.
The only thing I was thinking as I prepared to testify in the Anthony trial was that I couldn’t afford to embarrass my agency and I didn’t want to embarrass the membership of IACIS. When I was in the police academy in 1990, I remember one of my trainers telling the class that every call for service you handle in the field will either positively or negatively reflect on every other cop that follows you. He said, “Don’t make me follow your bad call!” I don’t know about you, but I’ve followed a few “bad calls” in my day and that’s never fun. I don’t want to be that person, so I train and practice. I considered very seriously the implications of being on a national stage and how my performance would be viewed by anyone interested. I am not very experienced in the field of computer forensics compared to yourself and many of your readers. I studied my own testimony and picked it apart. I could have said some things better, but when you’re up there under pressure, you perform how you train. There’s always room for improvement.
I encourage you to consider yourselves teachers. Most likely, you are already teaching someone about what you do every day you go to work. You teach your co-workers every time you explain what you did to extract evidence in a case. You teach your bosses the importance of maintaining certifications and training (or whatever) every time you have to beg for more money. You teach the jury about your job and how to properly handle digital evidence every time you testify. Instead of having the mindset that you are being “grilled” about your work product, take that opportunity to "teach" your audience about your profession and how you handled the evidence in the case. It helps to be on the offensive side of the field instead of constantly being on the defensive. Even during cross examination, which is designed to be controversial and combative, you can still “instruct” the opposing counsel instead of merely answering their questions in a defensive posture. How you view the court process will have a direct effect on how you behave in that environment. Practice makes perfect!

DF Source: This next question is several, encompassing a central theme of courtroom testimony. What did you do to prepare yourself for your testimony? It was clear during your testimony that you had a large case file that you were able to reference during the trial. Can you explain how technology may or may not have aided you during your expert testimony? Juries like to see, hear, and touch things. Did the prosecution have any exhibits covering your testimony that were not allowed to be entered as evidence?

SO: I actually did a lot to prepare for this case. The Anthony case spanned a period of three years. After the initial surges of “find all evidence” requests, I frequently went back into the case file to satisfy subsequent requests by detectives.
There were three prosecutors assigned to the case; each had their own job to do. The prosecutor handling the computer evidence was Linda Drane-Burdick. She is NOT a computer person. She is still learning how to use her new Blackberry. She is, however, a quick study and she is very capable of grasping concepts unfamiliar to her. Several evidence hearings were held in the weeks prior to the trial going live. Once we had a sense of where the defense was going with their arguments, we were able to formulate a plan to counter attack. Linda met with Sgt. Stenger and me four times prior to trial to discuss strategies and to formulate the questions she should ask to elicit the proper answers. She gave us her angle of attack, and we gave her the questions she should ask to get the right responses that she wanted. We wrote our own script based on the evidence she wanted to present. There were a few unrehearsed questions asked on direct, but not many. The cross examination is a different story!
One new thing that we did do was at the prompting of Lt. Dan Purcell of the Seminole County Sheriff’s Office; he offered to play the role of consultant to the prosecutor at trial. He was allowed to sit in on our strategy meetings and he sat near the prosecutor’s table at trial to help her interpret technical points. This strategy came in handy during cross examination. Mr. Baez showed me a print-out of a picture that came from the computer of an ex-boyfriend of Casey’s. Baez said the ex-boyfriend saved the picture of a woman sitting at a dining table and a man standing behind her. He was holding a white cloth and was reaching around her face apparently to hold the cloth over her face. The caption was “Win Her Over with Chloroform”. I had searched for that graphic on this person’s computer during the course of this investigation but didn’t find it. Mr. Baez asked me why I didn’t find the word “Chloroform” anywhere on his computer during my searches when clearly the word was there in that graphic. I explained why sometimes we don’t find files that once existed on the hard drive (the usual deleted, overwritten stuff). He asked the question in such a way that I was not permitted to explain further and he cut me off with “No further questions.” Linda didn’t know the answer to that question, so she didn’t know how to clarify the point on re-direct. Lt. Purcell was able to formulate a question for her right on the spot which then allowed me to explain to the jury that the word “chloroform” in that graphic is a result of the colored pixels embedded in the graphic file and not because of text that was typed into a document.
The nature of computer evidence is such that it is not practical to print out everything. The mountain of paperwork would have been huge. As a result, much of what I wanted to show the court was on CD/DVD. This is where you and your prosecutor have to get together to discuss what you will be presenting and how it will be presented to the jury. The fancy courtroom we were in has audio / visual equipment that allows the operator to display the computer screen to the judge, the clerk, the podium, the witness and eventually to the jury once the judge allows its submission to the jury. Any reports, spreadsheets or pictures were simply opened from the disk and displayed on the monitors. Other types of evidence were displayed by laying it on an overhead projector table and then displayed through the computer screens. I found this to be a good way of viewing items without having to handle them and it saves time not having to wait for the jury to examine the item individually, one after the other.
One of the first things I did was create a chronological timeline of everything I did, start to finish. It was simply a Word doc that started with “June 15, 2008 – Compaq laptop computer and Nokia Cell phone belonging to Casey Anthony submitted to me in the lab by [name].” I then listed the main evidence I found in that evidence item. This document was a living, breathing document of my involvement along the way in condensed form. I referred to this often during my three times on the stand. Plus, it helped me refresh my memory right before the trial. It was a good way to study.
Much of the evidence I documented in all my reports was either not allowed at trial or was stipulated to by counsel in the hearings before trial. There were emails, pictures, documents and web pages in my first two reports that I never got to talk about. I conducted a very specific time line of computer events for June 16, 2008 and submitted two reports regarding that evidence that I never got to testify to. Defense counsel stated that Caylee drowned in the family pool on the morning of June 16, 2008. The home computer shows a user (“caseyomarie”) logging into AIM Chat beginning at 0756 hours and chatting with “whiteplayboi” until 0806 hours. They called each other by name during this chat session; “whiteplayboi” referred to the other user as “Casey”. Meanwhile, Firefox and MySpace were launched and pictures were downloaded and saved two folders deep into the “Shot Girls” folder on the user’s desktop. Casey claimed to be a self-appointed “shot girl” manager for the night club where her boyfriend works. All these pictures were of scantily clad women wearing barmaid or cheerleader outfits. Other local files were accessed during the time frame of 0756 and 1146 hrs that day. There were no significant breaks in the user activity time that would have indicated the user stopped using the computer long enough to handle a family crisis, such as your child drowning in your pool. As an expert, I would have been permitted to state my opinion about this user activity to the jury. If asked, I would have stated that my opinion is that one of two things occurred; 1) either the user of the computer completely ignored the family crisis or 2) that crisis didn’t happen. I believe the jury would have been able to see through that smoke screen. It’s not often, if ever, that we get to say who is actually sitting at the keyboard, but that’s about as good as it gets.
The first picture I included in my first report was of a cartoon caricature. The graphic displays a young girl, maybe 2-3 years old, staring upward at a teddy bear hanging by a noose around its neck. The caption says, “Why do people kill people just to show people that it’s not nice to kill people?” I can’t say where this picture came from, but it was saved to the user’s desktop during those 31 days we were looking for Caylee. I found this file rather relevant; Mr. Baez disagreed. I was not asked about this graphic at trial, much to my chagrin.

Page 11 of Det. Osborne's Computer Forensics Report

I have not spoken with the attorneys, since the verdict. Jeff Ashton’s last day with the prosecutor’s office was the day the verdict was rendered. He’s been waiting for the trial to be over, so he could retire. He’s put in his 30+ years and was ready to retire. Of course, the media made it sound like he was a bad sport and quit because he lost; not true. He stayed on longer than intended to finish working this case. I know that all the evidence was discussed at length by counsel and the judge prior to the trial. It was decided that we would not be permitted to overkill the “bad girl” bashing, so I think a lot of the evidence was either not allowed by the judge, because it was too prejudicial, or it was stipulated to by both parties. I’m not sure what the jury was permitted to see other than what was published to them in court, but it is clear they didn’t review much, if any, evidence during deliberations. They simply didn’t have time and they returned their verdict within hours of closing arguments.
Sgt. Stenger was asked to conduct a live demo search of a spreadsheet during one of his trips to the stand. The technical computer operator in the courtroom actually did the search, so all Sgt. Stenger had to do was direct him where to go inside the document, but this was highly unusual. When you are used to working the mouse yourself, you know how hard it is to watch someone else do it for you. Live demos that have not been rehearsed are a bad idea. Fortunately, this one turned out rather well, but Sgt. Stenger wasn’t happy about it.
Jurors are typically not technical people. The evidence you present must be easily understood and oversimplified or else you will lose their attention. We had one juror on our panel that had some IT experience and we picked him out right away. If my testimony in the Anthony case seems very elementary, that’s because I had to talk in language that my prosecutor understood and that translates to language that the jury can follow. It seems counterintuitive to not dazzle the court with all your brilliance, but they don’t want to hear it, honestly, and they won’t understand all the techno-speak. Keep it simple and in terms that they can relate to and you will be more successful.

DF Source: What advice do you have for the digital forensic student or new digital forensic examiner?

SO: My advice is never, ever work late in the lab. Nothing good could come of it.

#1. Complete any unfinished education or degrees in progress as soon as you can. I have 4 classes to go to get my BA. I really don't like the fact that I only have a 2 year degree to come to court with. Git R'Dun!

#2. Compile a CV that you are proud of.  Practice testifying with it and bring it with you every time you go to a deposition or to court. Provide a copy to your prosecutors as well. I have provided a paper that I wrote that explains how to complete a CV.

#3. Read and study your agency policy describing your job description. Also read the description from the certifying body where you received your forensic certification. Practice this for testimony; it works! If you aren't certified, I strongly suggest you check into it. I know some people are opposed to belonging to a single organization and they float around. That's okay, but consider what your resume sounds like to a lay person who doesn't know you or your profession. Also consider your opponent who will be making every attempt to discredit your training and qualifications. If your studies and work product have never been peer reviewed by another computer forensic professional, then how do you know your work product is good and who will speak up for you, if you don't belong to any professional organizations? Even with minimal credentials, I was able to explain to the court that I successfully completed a rigorous certification process that tested and validated my knowledge, skills, and abilities in the computer forensics arena.

#4. Take your work seriously and study like your livelihood depends on it. Do work that you are proud of and learn from your (and others') mistakes. No one knows everything there is to know about this work. We must depend on each other to share information and work together. As cops, we tend to be loners, but this is different. We network together and share our findings with others.

#5. Take every opportunity to teach others about what you do. It will help solidify your own knowledge and you will become very comfortable testifying as well.

Sunday, July 17, 2011

Exclusive: An Interview with Sandra Osborne: Part I

Detective Sandra Osborne providing expert testimony in Casey Anthony Trial
Brad Garnett of the Digital Forensic Source blog had the recent opportunity to interview Det. Sandra Osborne of the Computer Crimes Squad for the Orange County Sheriff's Office. Det. Sandra Osborne provided expert testimony, on behalf of the State of Florida, during the Casey Anthony Trial. This is a detailed and in-depth interview. We discuss an array of issues with Sandra; including but not limited to, her law enforcement career, digital forensics, the Casey Anthony Trial, and digital forensics in the courtroom. This is Part I of our series with Detective Sandra Osborne.

Author's note: This series takes you deep inside the workings of a large law enforcement agency, through the lens of a forensic examiner; sharing her experiences and reflections in what the media is calling, "the trial of the century", Casey Anthony Murder Trial. It was great to interview Sandy and spotlight the career of a fine law enforcement and digital forensic professional. In regards to the Casey Anthony Murder Trial, this interview focuses on the digital forensics and the expert witness testimony. For readers that have never testified in court as a witness, you should take a lot away from this interview. For the reader that has provided expert witness testimony or has testified in a legal proceeding regarding digital evidence, you should also take something away from this interview. 

Q: Thank you for taking the opportunity to speak with DF Source, Sandy. Please tell our readers a little bit about yourself. How long have you been in law enforcement and digital forensics? How did you get started in the Computer Crimes Squad with the Orange County Sheriff's Office?

A: My name is Sandra Osborne (formerly Sandra Cawn). My family settled in Florida in 1847, just 2 years after Florida became a state in the union. That makes us true Florida Crackers. We are called crackers because we used to be all cattle ranchers and orange grove owners. It was the crack of the cattle whip that branded us as crackers. I am a 21-year veteran of the Orange County Sheriff's Office in Orlando, Florida. Prior to my service here, I was a legal secretary for our prosecutor's office for 6 years. So, I guess that puts me at about 28 years in law enforcement. I have the distinct pleasure of having worked with a great prosecutor, Jeff Ashton, twice on big, first-time-ever cases. Jeff Ashton brought the first human DNA case presented in a United States court to our 9th Judicial Circuit in Orlando and I was his law librarian at that time. I had to research European human DNA court cases and bovine (cow) DNA for case law guidance. The only DNA cases in the U.S. at that time were a result of the cattle rustlers taking blood samples to identify their cattle. It was pretty cool. The second case he and I worked on together is, of course, Casey Anthony on trial, which we’ll discuss later.
I started my career in patrol, like most cops do. And, like most 1990's police departments, they liked to assign the small-in-stature women officers to the roughest parts of town. What doesn't kill you makes you stronger. My first 3 years of patrol were in a little town northeast of Orlando called Apopka. It's a pretty rough little place and I weighed all of about 120 lbs at that time.
During my first few years on the street, I realized I had a knack for processing crime scenes. Being a former secretary, I had a flair for detail. My Sergeant used to comment that I often took too long to clear a call and my reports were too long to read. In my 5th year on the department, I joined our crime scene investigations squad as a sworn LEO. We have since replaced the sworn officers with civilian CSI's. Although I didn't like the idea at the time, it was the best thing for the Agency. We have a top-notch CSI Squad.

While I was a CSI, the OJ Simpson case happened. That case changed everything we ever knew about crime scene processing. We changed all our policies; we had to start wearing gloves, carrying bleach for our shoes and hand sanitizer / wipes for our equipment, biohazard bags were now a standard, and many other changes came down in a hurry. All these new changes took a toll on our budget; it was expensive, to say the least. I believe this was our first introduction as a police agency to crime scene science coming into the new millennia.
The OJ Simpson case also started what we call the CSI effect. All of a sudden, crime scene work was fascinating to everyone. We got bombarded with volunteers and interns wanting to job shadow. We accommodated many for a while, but it became so invasive that we had to limit our visitors to a legitimate few who needed the college intern hours. We had to make it very hard for people to get in so we could get our work done. Then we started seeing all the Hollywood CSI shows on TV, which fueled the fire even more. People can't get enough!
Funny (but sad) CSI story- I went to a suicide call where a young man hung himself from a rope in his back yard tree. He was cut down when I got there and was lying on the grass. When the medical examiner investigator got there with the gurney, I took the "head" end and he took the "feet end". As we moved across the bumpy grass, I gripped the gurney underneath so I could lift up the wheels for a smoother travel. Well, the gurney didn't lock out and we hit a bump, which collapsed the gurney and trapped my hands inside the rails. The gurney and the deceased went down to the dirt and so did I because my hands were trapped inside the gurney next to the victim's head. When we landed, my face was right at his nose! Instead of throwing up, I started laughing and didn't stop until they released my hands. There are many stories I could tell from my CSI days. I loved that job.
So, from the CSI squad I went to sex crimes and child abuse investigations. In my opinion, this was the hardest job of my career. I did about four years in sex crimes and the other two or so, in child abuse. I found the job transition difficult. As a CSI, I didn't have to interview anyone or know him or her personally. I just had to photograph and pick up stuff. I never had to fight anyone, except once when I had to keep a family member away from a body so I could work. As a detective, I had to get to know each victim and usually their families as well. I didn't like it. It gets very personal and that makes it hard not to bring that stuff home to your family. Fortunately, I have a very supportive family! I got really jaded working sex crimes cases. Many victims lie and say anything and everything that will get them out of the trouble they found themselves in. One of the last cases I worked involved the infamous "Octopus Man". He's the bad guy who breaks into the house very quietly and attacks the victim while she sleeps in bed. The man grabs the victim around the throat with one arm while holding a knife to her throat with the other. Then with his third hand, he unclothed the woman and himself while with his fourth hand he put on a protective device. He then battered the victim repeatedly. She had no injuries, anywhere and there was no sign of forced entry. The bottom line was that the victim's husband went to play cards with "the boys" and she was angry so she made up this story so he would have to come home to her. Of course, there were many legitimate cases, too many to count. But I digress. I did get to work child abuse cases for a couple of years, which included SIDS deaths and child abuse deaths in children. During this assignment, our very old Medical Examiner retired and we were introduced to Dr. Jan Garavaglia (a/k/a the infamous "Dr. G."). She is awesome and great to work with! She changed many of our policies regarding how we were working death cases.

It was during my tenure in sex crimes and child abuse that our agency decided to go "paperless." We were introduced to our new laptop computers and new report writing software. We had to set up our own Outlook email and I panicked! I was very good with a typewriter, but I knew nothing about computers and was very upset at this new change. Several of the detectives actually refused to learn about them and transferred out. I had to make a choice, quit or learn. I decided to learn. I started taking some very basic computer classes with NW3C (National White Collar Crimes Center). I learned the FAT file system by studying a cartoon choo-choo-train. No kidding! I had no idea how to tell the difference between the Registry and Windows Explorer. It all looked the same to me. The more I studied, the more I realized that I was hooked. For me, it was like coming back to the crime scene squad; only my crime scenes now were in digital format. As soon as I got a chance, and a position became available in the computer crimes squad, I put in for it and got it.
My sergeant in computer crimes, Sgt. Kevin Stenger, likes to tell everyone that he is the sergeant and I am the squad. There are only two of us for the whole county and we are one of the largest agencies in Florida with about 1500 sworn and about 900 civilian support staff. Since joining the squad, I have taken almost 800 hours of computer forensic related training. I belong to our local U.S. Secret Service Electronic Evidence response team as well as IACIS (International Association of Computer Investigative Specialists). I obtained my IACIS CFCE certification in 2007 and my EnCase (EnCE) certification in 2009. I've only been actively doing computer forensics for about 4 years, so I have a lot to learn still. I learned very quickly that the best way to learn is to teach, so I jumped right in with coaching responsibilities for IACIS. This past year, I was chosen to be a team lead/topic leader for the courtroom testimony block of instruction at our basic training event that we hold every year in Maitland, Florida. I am in the process of revamping this block, mainly because of my recent experiences in the courtroom.

Q: Sandra, you have had the opportunity to work with some great people throughout your career, not to mention, experience many different areas of law enforcement. Having a very supportive family is crucial to having a successful LE career, which I'm glad you mentioned. You also mentioned your work and experiences in the CSI squad and the CSI effect on law enforcement. We could spend this entire interview discussing the CSI effect on law enforcement. I want to focus on the first part of what you said, regarding civilian CSI's. You said that having your agency switch from sworn to a civilian CSI squad was the best thing for your agency. This is something that we are just now seeing in digital forensics. As law enforcement, we are very territorial, slow to change, and want others to follow the footsteps we chose (i.e. Go put your time in patrol and then come talk to me). I think this is very important in order to grow digital forensic capabilities for law enforcement, that we put the right person in the right position. We've seen this at the federal level where civilian forensic examiners are being hired and it is good to see this working its way to the local level. Explain how the civilian model for your CSI squad is working for your agency and do you think this model could or should be applied to digital forensics within law enforcement?

A: Like many cops, I was also very, very resistant to the idea of having civilians doing police work. I felt “lesser” people were shoving me out. Gun toting, badge carrying lawmen (and women) are trained to be in total control of everything. When things get out of control, take care of it however you know how. How many times have we heard, "We must go home every day with the same number of holes we came to work with”? Civilians can't control a violent situation! They are not trained to fight, shoot, investigate crimes, write a police report or testify in court. It used to be my opinion that only cops were capable of all these things and that a civilian could not possibly understand the dynamics of crime scene/police work. Although I am still a strong believer in the law enforcement mentality where investigations are concerned, I have been proven wrong many times. Non-sworn personnel can be a very strong asset to any police department, with the proper mindset, training and equipment. What I mean by proper mindset is that police work isn't a career that everyone can or should do. Some people are just not "cut out" for it. On the other hand, a capable investigative analyst can do more to solve crimes than any street cop ever could, given the proper bulldog mentality, training, and equipment. Like you, I have realized over the years that sworn cops tend to dislike change; changes in themselves and changes in their working environment. With the technology age in full swing, things are changing constantly (and always were). We must adapt, learn and grow if we are to succeed in this business. Looking back now on my CSI days, I realize we were stagnant, not growing and not learning new technologies. Our college-educated civilians came in with just the right stuff we needed to move ahead. Our non-sworn CSIs still work within the para-military, sworn LEO chain of command. This command structure is very strong with our Agency and it works well for us.

My views of non-sworn personnel working in computer forensics are the same. Again, I strongly believe that digital crime scene work is not for everyone. I often ask others this question; "Do you believe it is better to train a cop to do computer work or is it better to train a computer geek to be a cop?" I believe the answer is "both." A good examiner, in my humble opinion, must possess the qualities of both the geek and the sworn officer. We can all learn from each other and we must. I agree with you, Brad, that we must put the right person in the right position; put the round peg in the round hole. Unfortunately, at least with our Agency, the vast majority of officers believe it is in their best interest for their careers to be promoted at every opportunity. Therefore, few choose a specialty and stick with it. For instance, as a 21-year veteran and with all my experiences, I have no rank. I have no desire to move up that ladder. I only want to be good at investigating crimes and mentoring others. As a result, I have been told I will not be promoted, even though I tested for corporal rank twice and made the list both times. It is the policy of our sheriff that in order to be promoted, you must go back to road patrol. I tested for corporal only because my sergeant is retiring very soon and I wanted to have some control over who would work in the computer lab with me. Actually, I was hoping to fill his position and add a third person (non-sworn) to our lab, but with all the budget crunches, that is not likely to happen. I declined the offer to promote out to a midnight patrol shift merely to satisfy the promotion requirement. How would that benefit the agency? We currently have no cross trainers to fill my spot. I feel that by staying in the computer lab and declining the promotion I am doing the best thing for the agency. I am not unique in this dilemma. Our helicopter pilots and K-9 officers (and others) are also very specialized and they can't get promoted in place either. Yes, I'll take that cheese with my whine.

Q: Sandra, I think you hit on some very good points. We are gradually seeing law enforcement "move with the cheese". Having civilian forensic examiners work with sworn forensic examiners or under the sworn chain of command is very important to ensure agency objectives are fulfilled and policy followed correctly. Earlier, you mentioned that you have been doing digital forensics for about 4 years with your agency. That seems to be the common denominator from talking to fellow LE forensic examiners; we chose to adapt to our work environment and quickly became the go-to person when it came to fixing computer problems around the office and next..."Hey, there's an NW3C class coming up and we need to send someone. It's FREE. Would you go?" Now, we become the experts and realize we found our niche; attend more and more training, get certified, and now (hopefully) we get a forensics budget (or upper echelon support within agency) and begin working cases. The 4 years that you have been doing digital forensics, what are some of the challenges that you see from your perspective that we face as law enforcement? What about the digital forensics community overall where law enforcement, private sector, intelligence, and academia converge?

A: Your explanation of how the computer expert gets started is right on target. The person who has the patience to remove the paper jams from the copier becomes the go-to person for everything from VCR clock setting to video file conversion. For me, however, it was exactly the opposite. It seemed every time I walked near a piece of electronics it would try to spark and catch on fire. It was the running joke in the office not to let me near anything you might want to use again. I was horrible! 

It is interesting that most examiners we find have been doing the job officially for about 4-6 years. This must be because only a few agencies were buying into the technology before that. Many examiners have been doing computer forensics for a decade or more just for the love of doing the work. My sergeant has the #51 DOS forensics certification. He started our lab in 2002 with a few small pieces of equipment and DOS / disk edit.

There are a few challenges that we face in the computer forensics realm of law enforcement. Obviously, the cost of doing business is steep. Typically, the people who control the purse strings do not understand the need to replace a perfectly good workstation every 4-5 years. It is a never-ending battle to explain the need to keep up with the ever-changing software and hardware technologies. The rapid pace at which electronic technology is evolving is the topic of Moore's Law. Since the 1970s, experts have been trying to predict how many transistors can be crammed into smaller and smaller circuit boards and how much faster computers would perform year after year. In 1975, Moore predicted that the complexity of computer components doubles every 2 years. We are certainly not waiting 2 years anymore for technologies to make their way to the market. Moore predicted that eventually, by 2015 - 2020, the size of a chip would be the size of an atom and you can't get any smaller than that. Intel and some others predict that the size of the circuit card would just get bigger and we could stack the chips for more, more, more power.

For those things that make me afraid or that I don't do well, what I did (and still do) have is a sense of humor and a desire to learn. Computers were both of those things for me; I was afraid of the technology. After all, I was born in the early 1960s. We grew up with transistor radios and 3 stations on a push/pull knob television. I still had a push/pull knob TV when my husband and I started dating in 2004. He laughed at me forever and we still joke about it. That mentality sounds ridiculous to me now. I was permitted to attend NW3C training because they were still traveling to Orlando to teach and it didn't cost the agency anything to let me go. When my administration decided I wasn't quitting, they paid for me to go to IACIS basic and here I am, grabbing everything I can get my hands on.
Another challenge we face is keeping good quality employees at the police department. The agencies have it made where we are concerned. They get a cop when they need a cop and they get a computer examiner when they need an examiner. For instance, in 2004 when the central Florida area endured 4 major hurricanes within a month, we examiners (and other specialty units) were out delivering water to mobile home parks and directing traffic in 12-hour shifts. On one occasion, I had pet duty at the main operations building because we were housing employees who lost their homes or were working 12-hour details and their pets were staying with us too. The civilians were at home or volunteering if they wanted to, but they were not required to work.

We get requests from folks who want to learn what we do because they are getting ready to retire and they see the potential to earn more money as an examiner when they leave. Obviously, we don't waste any time entertaining those who are not really interested in putting their skills to work for us. What should we do about those who come to train, get all the schools on the agency's dime and then leave once they get a year or two under their belt for a more financially lucrative position outside? This is a major drain on the budget with no benefit to us.

The growing trend in police agencies around the country is to hire more and more non-sworn personnel to fill non-combat positions in the department. The justification is that civilian personnel are paid less, they require less agency-issue equipment (cars, uniforms, guns, etc.) and they are required to come in with more educational and specialty qualifications than the cops-turned-examiners have. We heard this reasoning when the decision was made to convert our CSIs to non-sworn positions. The way our retirement benefits work for non-sworn is that they receive much less return on their retirement pension plans than the sworn LEOs do, so there is another savings to the budget. This theory is still in play, although I believe we proved it completely wrong with the CSIs. They came to us with master's degrees in chemistry and biology. We have to pay for that in the form of a higher salary. We have a strong career path plan for our non-sworn employees to accommodate upward mobility for them to get promoted and increase their earning potential. For the CSIs, there is little room for promotions within the unit, so we had to come up with pay increases for higher certifications. Step 1 certifications earn $1000 per year extra, Step 2 is $2500, and Step 3 is $5000 per year. We didn't figure that in their entry level salary and the sworn officers do not have this. Furthermore, Florida State legislation has ruled that CSIs and any other personnel who handle biohazard materials as a regular part of their workday are entitled to high-risk benefits, just like sworn LEOs. Well, there you go. We hired them at competitive pay based on the industry standards in the private sector, we pay them extra for their certifications and now we contribute the same percentage to their retirement benefits as sworn LEOs. So, we didn't save money there after all. For the record, I'm glad we pay them that way. They deserve it and then some!

I believe the arguments are the same in the computer forensics community. The same rules will apply as with the CSI. If you want good and qualified people, you will have to pay them. Otherwise, they go where the money is. The main reason I don't leave the agency is because I am deeply rooted there and I have less than 4 years to go to retire with 25 years on. The second reason is the same as I stated before; there is no substitute for loving what you do every day. I love catching bad guys! Even if I am not making the arrest, I know I helped in some way. I have to believe that is why many of us came to love this job in the first place. It's a double bonus that we get to be cops and do computer forensics.

Q: Sandra, very insightful. Watching technology advance over the next five to ten years and beyond should be interesting, but even more interesting will be to see how the digital forensics community adapts. I have found that I am doing more of a triage approach when a case officer requests an examination (i.e. mount the forensic image and run a set of tools against the image, based on the case; or, even just a forensic preview to gather mission critical data). Then, if a full digital forensic examination is necessary, utilize EnCase or SIFT Workstation for forensic analysis. This has helped prioritize cases and aid with case workflow. How have you had to adjust your forensic tactics in the last few years to handle larger capacity hard drives and devices that you just can't remove the hard drive from and throw onto a write-blocker?

A: I hope every examiner is adapting to the ever-increasing numbers of devices being submitted to us these days. Not too long ago we were following the exact protocols for wiping every target drive, overwriting with "0", and reformatting it before imaging evidence files onto them. That was time-consuming and cumbersome. Now that we have a server / NAS, we just create a new folder named appropriately for the case and image the devices to that folder. Sometimes, like you, we preview devices before imaging them if the investigator is not sure which device may contain the evidentiary files. Previewing is a huge time saver, although you may not locate hard to find evidence this way.

We rarely conduct "find all" examinations anymore. We focus the exam on the specifics of the search warrant and only that. Of course, any other contraband located will be dealt with appropriately. If there is no warrant (consent), we still try to focus the exam as much as we can. Conducting an active file preview is very important and it helps cut down on time. Examine the obvious files that the user has access to before going to the obscure, harder to find stuff. Knowing where to find files of interest on the OS you are working with saves time too. If you can tell immediately the difference between WinXP and Win7, then you know that the user files are not in the same place by default. Merely poking around the drive to see what you can find is not a very efficient way to conduct a thorough exam.

I will always remove the HDD and bridge it with a hardware write blocker, when possible. We use a LiveView CD for practice, but I've never had to use one on an evidence drive. I have used SPADA2 on occasion to preview in the field. And then there was this one time when a whole group of us assisted our local probation officers as they conducted surprise computer checks on the registered sex offenders late in the evening hours. The fourth and last house I was assigned to check was a young man who had four computers all live and online in his bedroom at midnight. They were all running Ubuntu. Two other examiners and I could not get our write blockers to recognize the removed disk drives, of course. We wound up just poking around live in the machines. I told him, "You won this one." Not only were we very tired but none of us could do anything "forensic" with the equipment we had. What a disaster!

We don't seem to get called out to the field much anymore. I wonder if that is the case everywhere. My sergeant ran all our CSIs through an 8-hour computer collection class and certified them via IACIS protocol in how to seize computer / digital evidence. They were happy to learn and we are happy to keep them trained. Our detectives collect digital evidence at almost every scene. If we were to go out on every one (as we used to do) we would never go home. With 2 teams of crime scene investigators working 24/7 collecting evidence, that is just too much for the 2 of us to keep up with. We do lose the opportunity to catch the RAM and to see what apps were running at the time they shut the machines down, but we have to draw the line somewhere. If they are faced with a server or a bunch of machines that they believe are networked together, they'll call us out.

Another time saver for us is that our agency (mercifully) purchased 5 CelleBrite devices. They are scattered around throughout the tactical squads, robbery, narcotics, and the computer lab. We continue to train as many people as possible in how to use it for on-scene consent searches and for searches incident to arrest prior to booking the suspect into the jail. For now, we are still permitted by law to search the contents of a cell phone, if it is reasonable to believe the phone may contain evidence.

Our crime analysts and a particularly clever programmer that works with them created a master database that searches all the "little" databases that we have access to, and then compiles a comprehensive report. They wrote code that will extract the phone contacts out of the CelleBrite report.xml file and run it against all the other databases in our system. The new database reports every time a number is found and whom it comes back to. For example, if a phone number is stored as the name "drug runner" in one guy's phone but that same number is stored in another phone as "Joe Smith", that phone number will report back to us with the two different references. We are identifying our suspects who may have reported themselves as a victim or they were listed as a witness at one time all because our database had the number. We are connecting multiple suspects together who we may have never known were companions. The other local agencies within our county love it. Pretty cool stuff!

I have a question for you. How much information do you believe examiners should be including in their reports? I had lunch with my favorite prosecutor last week and he said we should be putting everything in our reports; including, every picture on the drive (allocated), email, document, etc. UGH! How many times have you included event logs, jump lists and stuff like that in your reports? If you bookmark a particular file, do you also bookmark and explain in your report EVERY other time you find references relevant to that file, even if it's not really evidentiary? For example, if I bookmark a document, should I also be documenting the application that opened it, the temp file that Windows created while it stood open for a while, etc.? Maybe the EMF or Spool files with metadata, but everything else? Some examiners find everything there is to find for every file they find and report on it. Wouldn't this make testifying to all those facts much harder than it needs to be? Maybe I'm not doing enough.
  • DF Source response: Sandra, I'll stick with the standard response we utilize in forensics, "It depends". I would say what is relevant in one case, may not be relevant in another. Also, including every file (/dir listing) in a report that a jury may potentially see would be cumbersome, unless it is all "relevant". However, if you are doing forensic timeline analysis using a tool like Log2Timeline, it will bring context to your forensic analysis. Log2Timeline is a powerful tool and is great for creating a super-timeline, incorporating your event logs, registry, link files, internet history, etc. Rob Lee wrote a great article in March of 2010 on the SANS Computer Forensics blog, outlining super-timeline creation, utilizing the SANS SIFT Workstation. Volume Shadow Copies (difference files) can also be important, for showing historical information or lifecycle of a particular file. I think the bottom line is the investigator, forensic examiner, and prosecuting attorney have to be reading from the same sheet of music. As a forensic examiner, we need to ensure the investigator knows what forensic capabilities we have, and moving away from, "Here's this computer. Find evil." Is it a sundae without a cherry on top? No. Just because there is an illicit image on a suspect's hard drive, we still need to put him at the keyboard. I think any forensic artifact (or a missing artifact is an artifact in itself) that shows user interaction with the computer system should be included in the report, based on the time that you are looking at when the "event" or alleged crime occurred. Of course, YMMV!
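As an added example (not part of the interview, and not the agency's own code), here is the kind of cross-referencing Sandra describes above: pull contacts out of a handset extraction, normalize the numbers so that "(407) 555-0142" and "+1 407 555 0142" match, look each one up across the other record sets, and report every hit with whatever name each source had for it. The XML layout, the element names, and the "other database" records are all constructed for illustration; this is not Cellebrite's real report.xml schema, and the sample numbers are 555 test numbers.

```python
"""Cross-reference phone numbers from a contacts export against other record sets.

Added example, not the agency's code. The XML below is a hypothetical stand-in
for a handset extraction report, NOT Cellebrite's actual report.xml schema.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample extraction (hypothetical schema; not a real report.xml).
SAMPLE_EXPORT_XML = """<?xml version="1.0"?>
<extraction device="phone-A">
  <contact name="drug runner" number="(407) 555-0142"/>
  <contact name="Mom" number="407-555-0199"/>
  <contact name="J" number="+1 407 555 0177"/>
</extraction>"""

# Constructed records standing in for the "little" databases the analysts
# already search: other handset extractions, victim reports, witness lists.
OTHER_RECORDS = [
    {"source": "phone-B contacts", "label": "Joe Smith", "number": "4075550142"},
    {"source": "victim reports", "label": "Joe Smith (victim, case 11-0212)", "number": "+1 (407) 555-0142"},
    {"source": "witness list", "label": "Jane Doe (witness, case 11-0150)", "number": "407.555.0177"},
    {"source": "phone-C contacts", "label": "JD", "number": "407-555-0177"},
]


def normalize(number, default_country="1"):
    """Reduce a phone number to E.164-style '+1NNNNNNNNNN' so that different
    formatting of the same number matches. Assumes NANP numbers; anything
    that is not 10 digits (or 11 with the country code) is rejected rather
    than guessed at, because a sloppy normalization manufactures false links."""
    digits = re.sub(r"\D", "", number or "")
    if len(digits) == 10:
        digits = default_country + digits
    if len(digits) == 11 and digits.startswith(default_country):
        return "+" + digits
    return None


def parse_contacts(xml_text):
    """Pull {source, label, number} records out of the extraction XML."""
    root = ET.fromstring(xml_text)
    source = root.get("device", "unknown") + " contacts"
    contacts = []
    for elem in root.iter("contact"):
        number = normalize(elem.get("number"))
        if number is not None:
            contacts.append({"source": source, "label": elem.get("name"), "number": number})
    return contacts


def cross_reference(contacts, other_records):
    """Return {number: [(source, label), ...]} for every extracted number that
    appears in at least one other record set. The first entry is the label
    from the extraction itself, so differing names for one number
    ("drug runner" vs "Joe Smith") are reported side by side."""
    index = defaultdict(list)
    for rec in other_records:
        number = normalize(rec["number"])
        if number is not None:
            index[number].append((rec["source"], rec["label"]))
    report = {}
    for contact in contacts:
        hits = index.get(contact["number"], [])
        if hits:
            report[contact["number"]] = [(contact["source"], contact["label"])] + hits
    return report


def shared_between_devices(report):
    """Numbers stored on more than one handset: the links that connect
    suspects who were not previously known to be companions."""
    links = {}
    for number, refs in report.items():
        devices = sorted({src for src, _ in refs if src.endswith(" contacts")})
        if len(devices) > 1:
            links[number] = devices
    return links


if __name__ == "__main__":
    found = cross_reference(parse_contacts(SAMPLE_EXPORT_XML), OTHER_RECORDS)
    for number, refs in found.items():
        print(number)
        for source, label in refs:
            print(f"    {source:20s} -> {label}")
    for number, devices in shared_between_devices(found).items():
        print(f"{number} is stored on {', '.join(devices)}")
```

The one design choice worth noting is that normalize() refuses anything it cannot confidently reduce to a full number rather than padding or truncating it; in a system whose output is "this number comes back to that person", a false match is far more damaging than a missed one.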

Stay tuned for Part II in this series, as we'll discuss the Casey Anthony Trial and digital forensics in the courtroom.