Unusual devices

First published June 2010

by Sean McLinden

In 2007, New Jersey Governor Jon Corzine made the news twice for a single event. The first time was the report of a car accident on the Garden State Parkway in which he was seriously injured. The second time was a report, which appeared a few days later, detailing how the governor’s account of the accident had been contradicted by a witness, his automobile. Since 2000, most US cars have been equipped with a ‘black box’ known as the Motor Vehicle Event Data Recorder. Standards for a common data set, including protections against data theft, altering of vehicle information, odometer fraud and misuse of collected data on owners and drivers are the subject of the IEEE 1616a Standards for Motor Vehicle Event Data Recorders (MVEDRs). In spite of such protections, a number of states have enacted privacy protectionswhich regulate the recovery and use of such data.A 2007 Computerworld article was entitled Photocopiers: The newest ID theft threat. In 2010, CBS News was able to recover Personal Health Information, and other personally identifiable information (PII) from the hard disk drives of copiers found in a warehouse in New Jersey. These copiers had been leased by various health care, law enforcement, financial and other institutions.

The focus of these stories was the risk to personal privacy, but to forensic examiners and eDiscovery personnel, there is a more significant issue which is, When does the data contained in such devices constitute evidence deserving of preservation and a possible subject of discovery? More importantly, perhaps, is determining when a thorough investigation demands the investigation of information contained in a peripheral not, normally, the subject of a forensic examination?

A couple of recent cases presented to our offices illustrate when and how such concerns arise.


Get The Latest DFIR News

Join the Forensic Focus newsletter for the best DFIR articles in your inbox every month.


Unsubscribe any time. We respect your privacy - read our privacy policy.

Case 1: A branch office of a financial services company becomes concerned that confidential information is in the possession of unauthorized employees and outsiders. This arises after a client notices a securities trade that was undertaken on their behalf but without their knowledge or consent. Internal IT personnel examined each of the office computers and found no evidence of malware, keyloggers or possession of PII except by authorized personnel. An outside digital forensics (DF) firm was brought in to investigate and found no evidence of an intrusion or extrusion. A former IT administrator was the principle suspect but he had been gone for over 6 months and his account disabled. A second DF firm was brought in to confirm the findings of the original firm.

The second firm noticed, as did the first, that the small office used a Linksys wireless access point (WAP) in lieu of a wired network. Interviews with, then, current IT personnel and attempts to “sniff” the wireless network confirmed that WPA2-PSK was used and that the key was strong. The SSID was not advertised. Using the Web administrative console, the second DF firm determined that the firmware was not the Linksys default, but a modified kernel based upon Sveasoft Talisman. Further examination showed that it had been configured for port mirroring, something which was, also, not the default. The former IT administrator had set up a rogue access point which, effectively, doubled as the secure access point for the business.

Case 2: Another SOHO used a popular retail network attached storage (NAS) device for their Microsoft Windows® network. At issue was suspected unauthorized access to privileged information. While the network share appeared as a Windows® filesystem, the NAS OS was actually Linux running kernel 2.16 and SAMBA. Accessing the public share via Linux and root privileges by-passed Windows® authentication and nmap showed an unexpected open SSH port. Though root login was disabled, the system allowed authorized users to elevate privileges with sudo. In order to evade general detection, the miscreant had edited /etc/sudoers to restrict these permissions to a small number of accounts, nonetheless, once the appropriate credentials had been obtained, it was determined that the system had been altered in numerous ways to obfuscate records of outside access including iptables redirects and hacks to prevent logging of certain activities. One telling finding was the installation of the GNU C Compiler which was not the default for the firmware.

Note that both of these cases were initiated as computer forensic cases rather than what would be considered incident response. That there may have been an incident was only suspected.

Today, a number of USB and network attached devices, such as wireless modems, Bluetooth adapters and printers, accept CF disks, USB flash drives and mSDHC cards capable of storing up to 32 Gbytes. In the case of multifunction printers, a USB flash attached directly to the printer might appear in the registry as a network share rather than typical USB drive. What resources exist to identify the actual physical device attached in such a way?

Cases such as these illustrate the considerable complexity of performing a thorough digital forensic analysis given the ever expanding capabilities of even the “simplest” devices and the need for forensic investigators to thoroughly understand the enterprise; not just the computers, but any device for which the default configuration can be overridden by a user with no more sophistication than access to a Web browser and to the administrative console of the device, itself. Now, more than ever, there exists the need for digital investigators to think outside the “box.”

Click here to discuss this article.

Sean McLinden, MD, is the President and CEO of Outcome Technology Associates, Inc. (OTA), a provider of digital forensics, incident response., eDiscovery and litigation support services to clients in the US and abroad. Trained as a neurologist, McLinden applies the same methodologies he uses as a diagnostician to problems in digital forensics which includes the use of a probabilistic approach in determining the strategy by which to conduct an investigation. McLinden lives with his wife, also a forensic investigator, and son in a sleepy little Ohio River community near Pittsburgh, PA where, when he is not dabbling in forensics, he relaxes with his family on an vintage (1928) sternwheel paddleboat.

Leave a Comment

Latest Videos

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools. 

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

In this episode of the Forensic Focus podcast, Si and Desi explore how artificial intelligence is being leveraged to uncover crucial evidence in investigations involving child sexual abuse material (CSAM) and examine the importance of exercising caution when implementing these tools.

They also discuss a recent murder case in which cyber experts played a vital role in securing a conviction, and explore the unique challenges associated with using digital evidence as an alibi.

Show Notes:

A Practitioner Survey Exploring the Value of Forensic Tools, AI, Filtering, & Safer Presentation for Investigating Child Sexual Abuse Material (CSAM) - https://dfrws.org/wp-content/uploads/2019/06/2019_USA_paper-a_practitioner_survey_exploring_the_value_of_forensic_tools_ai_filtering_safer_presentation_for_investigating_child_sexual_abuse_material_csam.pdf

Man charged with NI murder ‘faked live stream to provide alibi’ (The Guardian) - https://www.theguardian.com/uk-news/2023/feb/02/man-charged-with-ni-faked-live-stream-to-provide-alibi

A YouTuber accused of murder faked a 6-hour livestream to produce an alibi (Sportskeeda) - https://www.sportskeeda.com/esports/news-a-youtuber-accused-murder-faked-6-hour-livestream-produce-alibi

European Interdisciplinary Cybersecurity Conference (EICC) 2023 - https://www.forensicfocus.com/event/european-interdisciplinary-cybersecurity-conference-eicc-2023/#more-493234

YouTuber reportedly faked GTA livestream to have an alibi while he committed murder (Dexerto) - https://www.dexerto.com/entertainment/youtuber-reportedly-faked-gta-livestream-to-have-an-alibi-while-he-committed-murder-2052974/

Forensic Europe Expo - https://www.forensicfocus.com/event/forensic-europe-expo/#more-493225

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_7QiFTiuY7Vw

AI In CSAM Investigations And The Role Of Digital Evidence In Criminal Cases

Forensic Focus 22nd March 2023 11:44 am

Throughout the past few years, the way employees communicate with each other has changed forever.<br /><br />69% of employees note that the number of business applications they use at work has increased during the pandemic.<br /><br />Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.<br /><br />Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.<br /><br />Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.<br /><br />With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.<br /><br />Join Monica Harris, Product Business Manager, as she showcases how investigators can:<br /><br />- Manage multiple cloud collections through a web interface<br />- Cull data prior to collection to save time and money by gaining these valuable insights of the data available<br />- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box<br />- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee<br />- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

Throughout the past few years, the way employees communicate with each other has changed forever.

69% of employees note that the number of business applications they use at work has increased during the pandemic.

Desk phones, LAN lines and even VOIP have become technologies of the past workplace environment as employees turn to cloud applications on their computers and phones to collaborate with each other in today’s workplace environment.

Whether it’s conversations in Teams, file uploads in Slack chats, or confidential documents stored in Office 365, the amount of data stored and where it is stored, is growing quicker than IT and systems administrators can keep up with.

Corporate investigators and eDiscovery professionals need to seamlessly collect relevant data from cloud sources and accelerate the time to investigative and discovery review.

With the latest in Cellebrite’s remote collection suite of capabilities, investigators and legal professionals can benefit from secure collection with targeted capabilities for the most used workplace applications.

Join Monica Harris, Product Business Manager, as she showcases how investigators can:

- Manage multiple cloud collections through a web interface
- Cull data prior to collection to save time and money by gaining these valuable insights of the data available
- Collect data from the fastest growing cloud collaboration applications like Office365, Google Workspace, Slack and Box
- Login to a single source for workplace app collection without logging into every app and pulling data from multiple sources for every employee
- Utilize a single unified collection workflow for computer, mobile and workplace cloud applications without the need to purchase multiple tools for different types of collections – a solution unique to Cellebrite’s enterprise solution capabilities

YouTube Video UCQajlJPesqmyWJDN52AZI4Q_g6nTjfEMnsA

Tips And Tricks Data Collection For Cloud Workplace Applications

Forensic Focus 20th March 2023 11:00 am

This error message is only visible to WordPress admins

Important: No API Key Entered.

Many features are not available without adding an API Key. Please go to the YouTube Feed settings page to add an API key after following these instructions.

Latest Articles

Share to...