Monday, September 5, 2011

IP Addresses - Evidence or Clue?

There are any number of cases that involve IP addresses.  The question is: is the IP address associated with the computer evidence, or just a clue?  A recent child pornography case led investigators to the home of two gentlemen who were accused of downloading several hundred pornographic images from a file sharing site.  The normal response in most of these cases is "Oh, Some Other Dude Did It".  This case would appear to be an easy one in which to establish that the accused was guilty.  Just go get the owner of the computer, do a forensic investigation that shows there is child pornography residing on the hard drive, arrest the accused and charge him.  BUT WAIT!

  • How was the computer connected to the internet?
    • Directly to the router?
    • Through a wireless network?
  • If it was connected through the wireless, was it a secure or open network?
  • There were two individuals in the household that had access to the computer.
  • What was the version of Windows that was in use at the time? (It makes a difference.)
  • Were there different logins for each of the users?
    • Did they use them?

A motion picture company filed suit against thousands of file-sharers who allegedly exchanged copies of a movie.  The accused were targeted via their IP addresses.  So what's wrong with this picture? (Pun intended.)

  • How was the computer connected to the internet:
    • Was it a direct connection through the router?
    • Was it on a wireless network?
      • Was it a secure connection or open?
  • What time of day were the files downloaded?
  • Can the motion picture company prove that the files reside or resided on the accused's computer?

Here are a couple of examples of how things can go wrong:


A hotel receives a notification that it has been one of the thousands of accused file-sharers.  It can pay a couple of thousand dollars in settlement and be done with the issue, or fight it.  The hotel is not guilty of the act of downloading the movies.  Its guests are, as they used the hotel's internet connection to download the movies.


A business receives the same notice regarding downloading the movie from its IP address.  The business claims that it had an open wireless network (something its IT guy should not have allowed) and that the movies were downloaded during the times that the business was closed.  Staff had also seen several cars in the parking lot after hours with people in them using laptops.

I'm a bit suspicious about the cars in the parking lot downloading movies from an open network.  I would be more inclined to think that they were attempting to steal personal or business information.

There are a couple of points to this article.  The first is that IP addresses can be a great clue, and often connect the dots, so to speak.  But on its own, an IP address is really no more than a clue.


The second point is that there are so many avenues to search that, without a competent computer forensic expert to assist, you may miss the real evidence.




Sunday, June 26, 2011

Mobile Cyber Crime! Do You Know What To Do? Where is the Evidence and How Do I Get It?

We have witnessed an explosion of mobile computing: cell phones, smart phones, laptops and tablets.  We are using these devices to a greater extent than ever.  We socialize with friends, we bank, conduct business, and shop on them.  These mobile devices encourage innovation, but they also present attractive targets for cyber stalkers, identity thieves and other criminals.

Cyber Attacks on the Rise in the Mobile Market
A good example of this occurred in March 2011 with the discovery of more than 60 apps for the Android mobile operating system that were classified as malware or as containing malware.  The apps were modified to gain access to the users' personal and confidential data.  The malware, named “Droid Dream”, secretly installed malicious code on the device alongside the applications' normal functions.  The malware enabled the apps to steal sensitive information from the device, and was even able to receive update instructions from the criminals.  It was fortunate that Google was able to remove the apps from the Android Market before they infected millions of users’ devices.  This is just one example of the criminal attacks that have targeted personal devices.

Mobile Cyber Stalking
Stalking is not a new crime.  The increased use of mobile devices raises new challenges.  One important outcome of the propagation of mobile devices and services is that they allow for the collection of the user's location and other personal information.  Users are at the mercy of stalkers, abusive spouses, and others intent on victimizing them.  These individuals can use information gleaned from the victim's mobile device to determine the whereabouts and activities of the user in question.  More and more stalkers are misusing an array of computer technologies to bully, panic, terrorize, and monitor their victims.  Perpetrators are also misusing technology to stalk before, during and after perpetrating sexual violence.  New technologies bring the risk of digital abuses like unsolicited and constant texts, and breaking into personal e-mail and social media accounts.

Mobile Phone Forensics Best Practices
Mobile phone forensics is growing exponentially.  Courtrooms are relying more and more on the information inside a cell phone as crucial evidence in cases of all types.

There are 4 primary parts to the investigation:
  • Seizure
  • Isolation
  • Documentation
  • Analysis

Seizure - As in any other computer forensics case, seizing a device has legal guidelines that must be followed.  If you don’t have the proper authority to examine the device, then don’t do it!  It will only cause problems, and could cause the evidence to be suppressed.

Isolation - Cellular phone data can be tainted, altered, and deleted over the air.  The user, as well as the carrier, can remotely wipe the data.  It is like a double barreled shotgun: you can get blindsided from either direction.  Therefore it is very important that, as soon as a device is acquired, it is disconnected from the network to prevent spoilage.

Documentation - Following a chain of custody, photographing the phone at the time of seizure, and again when it changes hands to an analyst, are all part of the documentation process.

Analysis - Only a qualified forensic analyst should be accessing the device and performing the analysis.  This ensures that the evidence is not spoiled and that sound forensic practices are followed.


Computer Forensics Northwest specializes in the forensic analysis of all types of digital assets and media (Computer Forensics) for corporate clients, law firms, individuals, and government agencies.  Our expert forensic examiners are trained to present technical findings in a detailed and easy to understand format.  All examiners hold multiple certifications in a variety of disciplines, including CSFA (Cyber Security Forensic Analyst) and ACE (AccessData Certified Examiner), the certification for a leading forensic software tool.

Computer Forensics Northwest is a bilingual company able to support both legal and civil cases that employ or involve Spanish speaking individuals.  This capability allows Computer Forensics Northwest to recover documents and e-mails that are written in Spanish quickly and efficiently.

Monday, June 20, 2011

Why Do I Need A Computer Forensic Expert For A Divorce Case?


Hiding assets, immoral activities, or illicit affairs are common in divorce cases.  These actions could be relevant in child custody proceedings even in a no-fault state like Washington. Crucial information such as deleted emails, documents, photos and files can be preserved and evaluated. Internet history, creation dates and time stamps of files, as well as the content of instant messaging conversations, can provide insight into the character and behaviors of the spouses.

When any of these actions are suspected, the first thing that should be done is to have a complete copy, or forensic image, taken of the hard drive. The minimal expense of securing a forensic image early in a case may make the difference between winning and losing.  Forensic investigators need not view the contents of a hard drive when creating an image, so arguments of relevance, privilege, confidentiality, and admissibility can be saved for another time.

The forensic method for obtaining an exact image of a computer hard drive copies every byte on the hard drive to an evidence drive.  This copy, or image, holds all the information that resides on the computer.  The image may include information that was deleted long ago. It also preserves information that is stored in areas a normal computer user does not have access to. Forensic imaging is a critical step in the preservation of the hard drive information, as well as a solid foundation for retaining its admissibility.

If at the beginning of a case you believe that there are assets being hidden, or immoral activities or illicit affairs going on, it is best to have a forensic image of the hard drive taken for future analysis.  The sooner the image is taken, the less chance there is for evidence spoilage.  Since in most cases the computer is community property, you will of course need a court order or permission from both parties.
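The byte-for-byte imaging and verification described above, as an added example that is not the firm's own tooling: the constructed "drive" is a plain file standing in for a raw device, the source is hashed as it is read, the image is hashed after it is written, and both values go into an assumed JSON acquisition record that can be re-checked at analysis time.

```python
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # read/write in 1 MiB blocks so a large drive never sits in memory

def sha256_of_file(path):
    """Hash a file (or a raw device node) block by block."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def acquire_image(source_path, image_path, log_path):
    """Copy every byte of the source to the evidence drive, then verify and log the copy."""
    src_hash = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            src_hash.update(block)  # hash the source as it is read, byte for byte
            dst.write(block)
            copied += len(block)
    src_digest, img_digest = src_hash.hexdigest(), sha256_of_file(image_path)
    record = {"source": source_path, "image": image_path, "bytes": copied,
              "sha256_source": src_digest, "sha256_image": img_digest,
              "verified": src_digest == img_digest,
              "acquired_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())}
    with open(log_path, "w") as log:  # assumed record format for the chain of custody
        json.dump(record, log, indent=2)
    return record

def verify_image(image_path, expected_sha256):
    """Re-verification at analysis time: does the image still match the logged hash?"""
    return sha256_of_file(image_path) == expected_sha256

def demo():
    """Constructed sample 'drive': a live file followed by a deleted fragment in free space."""
    workdir = tempfile.mkdtemp()
    drive, image = os.path.join(workdir, "drive.bin"), os.path.join(workdir, "drive.dd")
    with open(drive, "wb") as f:
        f.write(b"LIVE FILE DATA".ljust(4096, b"\x00"))
        f.write(b"deleted spreadsheet fragment".ljust(4096, b"\x00"))
    record = acquire_image(drive, image, os.path.join(workdir, "acquisition.json"))
    with open(image, "r+b") as f:  # simulate a later one-byte change to the image
        f.seek(8000)
        f.write(b"X")
    return record, verify_image(image, record["sha256_image"])
```

The deleted fragment survives in the image because every byte is copied, and the later one-byte change is caught because the analysis-time hash no longer matches the acquisition record.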

Later, a forensic expert can proceed with an investigation to collect and document evidence.  When children and custody are involved, having a computer forensic investigator perform a complete analysis of the evidence to prove or clear certain suspicions can be valuable. Computer forensics investigations go far beyond simply looking around on a computer.  Don’t trust the IT person or the local computer shop down the street.  More often than not, they do not have the skills or the tools to find the evidence, and most certainly lack the proper certifications to be recognized by the courts as an expert.

Computer Forensics Northwest
425-780-6061

Thursday, June 16, 2011

The Difference Between Computer Forensics, Data Recovery and E-Discovery



June 1st of this year my partner Alan Delgado and I were asked to speak at the Whatcom County Bar Association CLE on Computer Forensics.  We certainly appreciated the opportunity to share with them the basics.  When asked to speak to a group I usually ask several questions, one of which is: ”Do you know the difference between Computer Forensics, Data Recovery and E-Discovery?”  I wasn’t too surprised at the results.  Only one person in the room raised their hand.  So, for the record:

All three fields work with digital data.  It's all in the form of zeroes and ones, and all three involve taking information that may be hard to find and presenting it in a clear and concise manner.  While there are some common characteristics, the skill sets require different tools, different specializations, different work environments, and different ways of viewing the results.

Data Recovery normally involves broken hardware or software. When a computer crashes, or an external hard disk, thumb drive, or memory card becomes unreadable, then data recovery might be required. Normally a digital device that requires data recovery will have electronic damage, physical damage, or a combination of the two.

E-Discovery or electronic discovery typically deals with hardware and software that is undamaged. Due to the nature of computers and of email, there are likely to be very many identical duplicates ("dupes") of various documents and emails. The largest challenge for e-discovery is "de-duping." Searches often are conducted through a very large volume of existing or backed-up emails and documents.
E-discovery tools are designed to reduce the data to a manageable size by indexing and removal of duplicates.  E-discovery is mainly software driven.

Computer Forensics has components of both e-discovery and data recovery. The forensic examiner (CSFA) searches through active (existing), archival (backed up and stored) and latent (previously existing, or deleted) data.  In performing this type of discovery, a forensics expert may occasionally need to work with damaged hardware, although this is uncommon. More frequently the forensic examiner encounters purposeful attempts to hide or destroy data.

The computer forensics expert is also often called upon to testify as an expert witness in deposition or in court. The computer forensics expert’s methods and procedures may be scrutinized.  The expert often is called upon to explain and defend his or her results and actions.