Virtualized online for the first time in its nearly decade-long history, the National Cybercrime Conference (NCCC) — an annual event hosted by the Massachusetts Attorney General’s Office — brought together a record 133 speakers to deliver a considerable volume of advanced technical and legal topics.
Stretched from three to five days, NCCC drew four times the number of attendees typically seen at its on-site event: a mix of law enforcement and prosecuting attorneys, training together.
In addition to NCCC’s partners — the National White Collar Crime Center, SEARCH, the National Association of Attorneys General, the National Criminal Justice Training Center/Fox Valley Technical College, and the Federal Law Enforcement Training Center — commercial sponsors also delivered training and expertise.
Although Forensic Focus could not attend some classes designated and restricted as law enforcement sensitive, we did attend several other sessions. This article highlights six sessions related to digital forensics technology and techniques, as well as legal issues with digital evidence. Look for additional “spotlight” style articles coming soon!
Digital Forensics Technology & Techniques
USB forensic artifacts have been a source of forensic evidence for years; however, in 2019, Windows 10 revealed a new event log that casts even brighter light on these artifacts. The Microsoft-Windows-Partition-Diagnostics.evtx (MWPD) log, specifically its Event ID 1006 entries, records detailed information about removable devices.
Bob Osgood, a former FBI supervisory special agent who is now Director of Digital Forensics & Cyber Analysis at George Mason University (GMU), and Dave Ryberg, Sales Director at Truxton Forensics, spoke about the impact of USB devices on an organization’s security strategy — and consequently, forensic investigations.
Traditionally, USB forensics has relied on Windows Registry keys, such as those under HKEY_LOCAL_MACHINE, to store entries about external device usage. However, because Windows treats some USB devices like SCSI devices, they aren’t always recorded in the Registry. Windows partition event logs have stepped into the void.
Describing a PowerShell script written by GMU students to access USB metadata — including device manufacturer and other information — from event logs, Osgood talked about the data’s value to timeline building and the potential to correlate it to computers on which it was mounted and used. For example, Truxton experts tested the script using the declassified data from Osama bin Laden’s seized computers, in which 27 USB devices were identified along with associated files.
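As an added illustration of the kind of script described above (this is not the GMU students’ script, nor Truxton’s), the PowerShell below reads Event ID 1006 from the Microsoft-Windows-Partition/Diagnostic channel, either from a live examination machine or from an .evtx file exported from a seized image, and builds a per-device first-seen/last-seen timeline. The EventData field names used (Manufacturer, Model, SerialNumber, DiskId, Capacity, PartitionStyle, PartitionTableBytes) are assumptions taken from the event’s XML layout on Windows 10; verify them against the raw XML of a sample event before relying on them.

```powershell
# Added example (not the GMU script): extract removable-device details from
# Event ID 1006 in the Microsoft-Windows-Partition/Diagnostic channel.
# The EventData names below are assumptions; confirm them with $event.ToXml().

function Get-PartitionDiagnosticDevices {
    param(
        # Path to an exported .evtx taken from a seized image (offline analysis).
        # Omit to query the live channel on the examination machine.
        [string] $EvtxPath
    )
    $filter = @{ Id = 1006 }
    if ($EvtxPath) { $filter.Path = $EvtxPath }
    else           { $filter.LogName = 'Microsoft-Windows-Partition/Diagnostic' }

    foreach ($event in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        [xml]$xml = $event.ToXml()
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        [pscustomobject]@{
            TimeCreated    = $event.TimeCreated
            Manufacturer   = $data['Manufacturer']
            Model          = $data['Model']
            SerialNumber   = $data['SerialNumber']
            DiskId         = $data['DiskId']
            CapacityGB     = if ($data['Capacity']) { [math]::Round([double]$data['Capacity'] / 1GB, 2) } else { $null }
            PartitionStyle = $data['PartitionStyle']
            # Assumed field: non-empty when Windows read a partition table from the device.
            HasPartitionTable = -not [string]::IsNullOrEmpty($data['PartitionTableBytes'])
        }
    }
}

# Usage: one row per device serial, with first and last appearance, for timeline building.
Get-PartitionDiagnosticDevices |
    Where-Object { $_.SerialNumber } |
    Group-Object SerialNumber |
    ForEach-Object {
        $sorted = @($_.Group | Sort-Object TimeCreated)
        [pscustomobject]@{
            SerialNumber = $_.Name
            Manufacturer = $sorted[0].Manufacturer
            Model        = $sorted[0].Model
            FirstSeen    = $sorted[0].TimeCreated
            LastSeen     = $sorted[-1].TimeCreated
            Events       = $_.Count
        }
    } | Sort-Object FirstSeen | Format-Table -AutoSize
```

The serial number is what lets these entries be correlated with Registry artifacts on the same host, or with the same device appearing on other machines; the offline `-EvtxPath` path is the one an examiner would normally use, since the channel is read from the seized system’s log file rather than the analysis workstation.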
Following Osgood’s presentation, Bruce Hunter, Senior Forensic Engineer at BlackBag Technologies (a Cellebrite company), spoke about “Avoiding the ‘Gotchas’ while Triaging and Imaging a Mac” — including T2 encryption, which Hunter said effectively creates a “secure enclave” for Macs, including the latest iMacs.
Focusing on live running Macs, Hunter described how Apple’s iterative development process constantly changes not just iOS forensics, but also Mac computer forensics, rendering it much more difficult to establish standard operating procedures for particular models. This will continue, Hunter said, as Apple rolls out new silicon chips in its machines, and also now with the macOS 11 public beta available.
Authentication will be needed to get data in target disk mode; new secure hibernation and a cryptographically signed, sealed system volume create additional challenges in macOS 11. In addition, Time Machine backups will rely on APFS, not HFS+, as of macOS 11. Hunter also described how the Apple File System (APFS) could affect triage and imaging, especially as courts increasingly limit examiners’ ability to image entire drives.
Hunter offered some tips on approaching a live, running Mac in the field, bearing in mind that all Macs require users to have a password and that, as of v10.7, auto login is off by default — in part because FileVault full-volume encryption is widespread and anticipated to become even more common as macOS 11 rolls out together with new chip technology. Hunter’s tips:
- Always follow standard operating procedures for live evidence.
- Observe what’s happening on the machine, including what programs are running, notifications, etc., and photograph your actions as you take them.
- Use a tool like BlackBag’s MacQuisition to triage and gather data live — keeping in mind that this process changes access states and that the macOS Spotlight indexes this information, including date/time stamps.
- Although it isn’t possible to image the computer or gather RAM without being logged in with administrative rights, soft-rebooting the machine directly into MacQuisition enables you to gather “a good portion” of RAM into a raw image to put in a forensic analysis tool like BlackLight.
Yulia Samoteykina, Director of Marketing at Atola Technology, spoke about the forensic challenges and opportunities of hard drives with many kinds of damage: platter scratches, logical errors, worn-out magnetic layers, etc.
Damaged drives often contain key evidence, though, especially in child exploitation cases. Samoteykina said getting the data can be challenging because sometimes an examiner has only one chance — the drive is so unstable that if you power it off, you may not be able to get it to come back on to image. In addition, acquiring a damaged drive is often time prohibitive, sometimes taking days.
Still, because it’s harder to wipe evidence from damaged devices, damaged drives present an opportunity in their own way. Focusing on automated multi-pass imaging and image verification with segmented — versus linear — hashing, Samoteykina described how it’s possible to diagnose the problem and efficiently recover even deleted data from a damaged drive to obtain evidence.
A demonstration of Atola technology showed how multi-pass imaging could obtain data from “stubborn” sectors while also allowing examiners to pause the process and decide whether to continue.
In addition, Samoteykina talked about segmented hashing. Because standard imagers stop trying to calculate a linear hash when they encounter the first bad sector, segmented hashing — a way to virtually divide the drive space into customizable small chunks — allows the drive image to be verified.
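To make the segmented-versus-linear distinction concrete, here is an added PowerShell example (not Atola’s software and not from the session) that computes a per-segment SHA-256 manifest over a raw image file, flags segments that overlap ranges the imager could not read, and verifies the image segment by segment so that a mismatch is localised instead of invalidating the whole image. The 64 KB segment size, the CSV manifest layout, the zero-fill convention for unreadable sectors and the sample image with one simulated bad sector are all constructed for this demonstration.

```powershell
# Added example (not Atola's code): segmented hashing of a disk image.
# Each fixed-size segment gets its own SHA-256, so a linear hash that would
# break at the first bad sector is replaced by many small, independently
# verifiable hashes. Segment size and manifest layout are assumptions.

function New-SegmentedHashManifest {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $ManifestPath,
        [int] $SegmentBytes = 64KB,
        # Byte ranges the imager could not read (zero-filled in the image).
        # Each entry: @{ Offset = <long>; Length = <long> }. Constructed input.
        [hashtable[]] $UnreadableRanges = @()
    )
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($ImagePath)
    $buffer = New-Object byte[] $SegmentBytes
    $rows   = @()
    try {
        $offset = 0L
        $index  = 0
        while (($read = $stream.Read($buffer, 0, $buffer.Length)) -gt 0) {
            $segEnd = $offset + $read
            # Mark the segment if any unreadable range overlaps it, so a later
            # mismatch there is understood as an acquisition gap, not tampering.
            $partial = $false
            foreach ($r in $UnreadableRanges) {
                if ($r.Offset -lt $segEnd -and ($r.Offset + $r.Length) -gt $offset) { $partial = $true; break }
            }
            $digest = [BitConverter]::ToString($sha.ComputeHash($buffer, 0, $read)).Replace('-', '').ToLower()
            $rows += [pscustomobject]@{
                Segment = $index; Offset = $offset; Length = $read
                SHA256 = $digest; ContainsUnreadable = $partial
            }
            $offset = $segEnd
            $index++
        }
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
    $rows | Export-Csv -Path $ManifestPath -NoTypeInformation
    return $rows
}

function Test-SegmentedHashManifest {
    param(
        [Parameter(Mandatory)] [string] $ImagePath,
        [Parameter(Mandatory)] [string] $ManifestPath
    )
    $expected = Import-Csv -Path $ManifestPath
    $sha      = [System.Security.Cryptography.SHA256]::Create()
    $stream   = [System.IO.File]::OpenRead($ImagePath)
    $results  = @()
    try {
        foreach ($row in $expected) {
            $len    = [int]$row.Length
            $buffer = New-Object byte[] $len
            $stream.Position = [long]$row.Offset
            $read   = $stream.Read($buffer, 0, $len)
            $actual = if ($read -eq $len) {
                [BitConverter]::ToString($sha.ComputeHash($buffer, 0, $read)).Replace('-', '').ToLower()
            } else { 'short-read' }
            $results += [pscustomobject]@{
                Segment            = [int]$row.Segment
                Offset             = [long]$row.Offset
                Match              = ($actual -eq $row.SHA256)
                ContainsUnreadable = ($row.ContainsUnreadable -eq 'True')
            }
        }
    } finally {
        $stream.Dispose()
        $sha.Dispose()
    }
    return $results
}

# --- Constructed demonstration: a 200 KB pseudo-image with one simulated bad sector ---
$tmp      = [System.IO.Path]::GetTempPath()
$image    = Join-Path $tmp 'demo-image.bin'
$manifest = Join-Path $tmp 'demo-image.segments.csv'
$rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$bytes = New-Object byte[] (200KB)
$rng.GetBytes($bytes)
# Simulate the imager's zero-fill for one unreadable 512-byte sector at offset 70000 (segment 1).
[Array]::Clear($bytes, 70000, 512)
[System.IO.File]::WriteAllBytes($image, $bytes)

$null = New-SegmentedHashManifest -ImagePath $image -ManifestPath $manifest -SegmentBytes 64KB `
            -UnreadableRanges @(@{ Offset = 70000; Length = 512 })

# Flip one byte in the last segment, then verify: only segment 3 should report Match = False.
$bytes[199000] = $bytes[199000] -bxor 0xFF
[System.IO.File]::WriteAllBytes($image, $bytes)
Test-SegmentedHashManifest -ImagePath $image -ManifestPath $manifest | Format-Table
```

With a linear hash, the single flipped byte would report only that the whole image no longer verifies; the segmented manifest instead points at segment 3 and leaves the other three segments, including the one containing the unreadable sector, verifiably intact.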
Legal Issues with Digital Evidence
As U.S. lawmakers debate end-to-end encryption on mobile devices, device encryption itself was the topic of “Privacy, Crypto, Passwords, and the 5th Amendment,” a talk delivered by Dr. Gary Kessler, professor of cybersecurity at Embry-Riddle Aeronautical University and president of Gary Kessler Associates.
Kessler’s talk also followed a brief keynote address given earlier in the week by John Walsh, co-founder of the National Center for Missing and Exploited Children (NCMEC), who stated his belief that “…there is a way to achieve stronger user privacy without sacrificing children.”
Kessler, however, highlighted how tricky this is — not technologically, but legally, as our understanding evolves on what “self-incrimination testimony” means and why courts disagree on whether compelling a password, or even a decrypted version of an encrypted device, can be self-incriminating or testimonial.
Beginning with a brief history of cryptography — the science of secret codes and writing — Kessler described how cryptographic methods gradually moved from a primarily government function to use in the private sector and ultimately in consumer technology.
These methods dovetailed with the invention and development of ever more intrusive technology, said Kessler, starting with the camera. Although the word “privacy” never appears in the U.S. Constitution, he added, current technology has led to a “collision” between the expectation of personal privacy and the state’s legitimate interest in investigating crimes.
For example, two years after the 2015 terrorist attack in San Bernardino, California, former FBI director James Comey described the way strong encryption “shatters” the security-privacy bargain in society.
Kessler spoke about how backdoor access might affect citizens of U.S. allies, or political dissidents’ safety, in particular when an allied country becomes hostile. He also described recent legislative efforts to address encryption, from the “oblique attack” on encryption in the recently introduced Eliminating Abusive and Rampant Neglect of Interactive Technologies (EARN IT) Act, to the much more forceful Lawful Access to Encrypted Data (LAED) Act, also recently introduced, which would force companies to insert backdoors to products.
Taking a step back towards less weighty issues, MSAB’s Product Specialist/Technical Engineer Wil Hernandez teamed up with two attorneys from the Florida State Attorney’s Office: Justin Griffis, Supervising Assistant State Attorney with the Sexual Battery Unit, and Christine Bosau, Senior Attorney with the Crimes Against Children Unit.
Centered on cross-communication and teamwork between prosecutors and forensic examiners as each works to get the evidence they need to do their jobs, this discussion described how examiners benefit from prosecutors’ perspective even at a case’s earliest stages. Examiners who can help prosecutors to understand the facts of a case early on enable them to:
- Act in real time when needed, for example, to obtain search warrants
- Research legal unknowns to make better informed decisions
- Access the right judges — those who understand digital technology — to sign warrants to move investigations forward
- Determine what evidence is the “smoking gun” needed to prove a case
- Convey what digital correlations are needed to put the suspect behind the keyboard or mobile screen
This takes communication, Bosau and Griffis said, especially in such a rapidly changing landscape. Wording in search warrant templates may need to change; legal thresholds may also change. For example, said Griffis, the U.S. Supreme Court’s decision in U.S. v. Carpenter means a search warrant, not just a court order, is now needed to obtain cell site location information (CSLI).
Bosau gave an example of a human trafficking case, which can involve dozens of phones and multiple apps. In those cases, she sits down with forensic examiners to ask what they have and how it proves what she needs, as well as how to explain it all to a jury so it makes sense — often in visual terms, relying on analogies, artwork, iMessage emulators, and timelines, among other formats.
This part of the process is also important when it comes to dealing with defense attorneys around the evidence against their client. Examiners need to be able to explain any exculpatory data — including how to be certain everything was obtained — and potentially to help prosecutors think critically about forensic reports submitted by defense experts.
Hernandez added that to help address possible defenses, examiners have to be prepared to explain a voluminous report, including terms like “artifact,” why metadata is relevant, whether a file was downloaded or created, and potentially whether and why they need additional data.
In a similar vein, Ronald J. Hedges, J.D., a Senior Counsel with Dentons US LLP and a former U.S. Magistrate Judge in the District of New Jersey, spoke about new rules around evidentiary authentication, particularly for new digital data sources — such as social media — relative to more traditional evidentiary formats.
Focusing on the Federal Rules of Evidence, Hedges described how judges use the F.R.E. to approach admissibility — and how, when thinking about arguments for or against admissibility in advance of proffering evidence, attorneys consider how the evidence can be authenticated, whether a lay or expert witness is needed, whether the evidence could be considered hearsay or original, and whether it could be considered prejudicial or irrelevant to a jury’s fact-finding mission.
New rules adopted into the F.R.E. around self-authentication help to answer questions such as whether computer information qualifies as a business record, especially in fraud cases, and whether printouts or other records can be certified to avoid having to bring in a records custodian, especially one who isn’t local to the jurisdiction. For example, hashing can be a way to avoid bringing someone in to testify to a document’s authenticity, though hashes that don’t match will need someone to explain why.
Hedges also pointed out that technical information about a system or process can affect whether an opponent has a fair opportunity to challenge the evidence. This may become more of an issue with artificial intelligence (AI), as attorneys work with forensic examiners to determine how to challenge it or how opposing counsel might challenge it. Proffering AI evidence, whether an expert is needed, and other factors may affect these decisions.
Referring to case law on admissibility, Hedges talked about lay vs. expert testimony, the admissibility of scientific evidence vis-à-vis the Daubert and Frye standards, and the varying approaches — some stricter than others — which states have taken in deciding whether to admit social media evidence.
The National Cybercrime Conference is scheduled to commemorate its 10th anniversary next April in person in Norwood, Massachusetts.
Christa Miller is a Content Manager at Forensic Focus. She specializes in writing about technology and criminal justice, with particular interest in issues related to digital evidence and cyber law.