This is Benjamin Wright's Typepad Profile.
Benjamin Wright
Dallas, Texas
Attorney Benjamin Wright developed the cyber security law and investigations course series at the SANS Institute, where he has taught it for many years. sans.org
Interests: important details: http://legal-beagle.typepad.com/about.html
Recent Activity
Want to capture cell phone evidence related to a restraining order? Maybe someone sent a video, a text message, or a photograph to your smartphone – or a mobile device belonging to your child -- and you’d like to preserve it so you can show it to a judge or justice of the peace. Perhaps the evidence will provide grounds for granting of a restraining order. Or perhaps the evidence shows that the sender of the message is violating an existing restraining order. A restraining order, sometimes called a protective order, is a rule issued by a court requiring someone to refrain from doing something. An example would be an order that an abusive family member stay away from and not communicate with other family members. Sometimes the problem with evidence on an iPhone or other mobile device is that it can be erased, or the device itself may disappear. To learn how to save the evidence, please see my do-it-yourself training video. The training serves both lawyers and the self-help community. --Benjamin Wright Continue reading
Log-on and Password to Opponent? A few cases have required a social media user to give his password, user name and log in ID to an opponent for ediscovery. In these cases, the user was an individual. But what if the user were an enterprise? In Zimmerman v. Weis Markets Inc., an employee claimed he suffered great injury from a workplace accident, so he sued his employer. But the public portions of his Myspace and Facebook sites contradicted some of his claims. His employer surmised that non-public portions of his social sites would reveal more information relevant to his injury. No Expectation of Privacy? The Pennsylvania court compelled the employee to give to the employer his Myspace and Facebook passwords, user names and log in names. The court dismissed the employee’s claims to privacy, saying, “Zimmerman voluntarily posted all of the pictures and information on his Facebook and Myspace sites to share with other users of these social network sites, and he cannot now claim he possesses any reasonable expectation of privacy to prevent [his... Continue reading
Note to readers: I am more active on Google Plus than I am here. --Benjamin Wright Continue reading
Legally Preserving OSINT (Open Source Intelligence) How should investigators record fast-changing online evidence, such as social media? Case in point: The Mercer County (New Jersey) Prosecutor’s office followed hundreds of street gang affiliates on Myspace. How did it do that economically? Instead of using seasoned, highly-trained police investigators, it commissioned... Continue reading
To be relevant, credible and accepted, many investigators need to engage with the public. Increasingly that means embracing social media like Twitter and Facebook as a two-way conversation with followers. Failure to interact via social media can leave an investigator looking arrogant and out of touch. Two examples: 1. Roanoke,... Continue reading
Augmented reality apps enable the user of a mobile device to see data and symbols laid over the image displayed in real time from the device’s camera. Data Over Famous Images For example, while standing outside a famous commercial building like Caesars Palace in Las Vegas, the user could point the camera on her Android smartphone at the building. The phone could display a live video image of the building. As that image is displayed, an augmented reality app could use geolocation and image recognition technology to discern that the video shows an image of the famous building. With the knowledge that CP is being displayed, the app might cause to be displayed on top of the image additional information, such as an advertisement that says, “Thinking of staying at Caesars Palace? We’ll give you a better deal down the street.” Or (hypothetically speaking) the app might display remarks from other users about Caesars Palace, like “CP is a dump!” What legal steps might the owner of Caesars Palace take to prevent apps from displaying... Continue reading
Rob: Your analysis sounds logical. Still, I'm not sure your analysis answers all the possible arguments about whether the investigator is doing something illegal. Does it not feel fishy for an investigator to "bypass" encryption that is intended to protect privacy? Thank you for your excellent comment. --Ben
Forensics Investigation as Computer Crime? OWADE (Offline Windows Analysis and Data Extraction) is an open source forensics tool for extracting “hidden” data from the hard drive of a Windows PC. According to New Scientist, OWADE enables an investigator to “bypass” the encryption Windows uses to store data on the hard drive so the investigator can discover web browsing history, including user IDs and passwords. New Scientist, “New forensics tool can expose all your online activity,” Sept. 7, 2011. I wonder whether OWADE violates the Windows EULA or other legal restrictions Microsoft asserts with respect to Windows. For example, paragraph 8 of the End User License Agreement for Windows 7 Professional says the user may not “work around any technical limitations in the [Windows] software.” What is the implication of an investigator violating the Windows EULA when he gathers data? Is the investigator committing a computer crime? Is he accessing a computer without authority and causing harm (paraphrase for violating the Computer Fraud and Abuse Act)? Is he infringing privacy law? Is he opening himself to... Continue reading
I am looking for cases and stories about digital evidence that had been collected but could not be used or authenticated (or at least became open to question) on account of problems like these: 1. Investigator could not vouch for the evidence due to the investigator's death, retirement, refusal to cooperate or termination of employment. 2. Investigator committed some kind of error related to his/her securing of the evidence with a digital hash, key or signature. Example: investigator used a private crypto key to "sign" a digital evidence file, but the private key was compromised either before or after its use and therefore the trustworthiness of the evidence diminished. Have you seen any cases like this? Are any such cases documented? The reason I am interested is that I've been experimenting with webcam "signed affidavits" by investigators. http://legal-beagle.typepad.com/wrights_legal_beagle/2011/04/credible.html Many thanks --Ben Benjamin Wright Attorney SANS Institute Instructor: Law of Data Security & Investigations https://profiles.google.com/benwright214/about Continue reading
Is White Hat "Hacking" Illegal? Mark Lachniet publishes an excellent paper titled “Hostile Forensics.” He argues that sometimes digital forensics investigators have reason to take actions that are legally and ethically provocative. He calls these actions “hostile forensics.” Mark frames the topic: “Due to recent developments in counter-forensic technologies such... Continue reading
Minimizing Collateral Damage When the FBI raided DigitalOne, a co-location data center, in search of data belonging to criminals, it also disrupted innocent businesses. One of those was Instapaper. Services for Instapaper were offline for most of a day. The services unexpectedly stopped, and then resumed many hours later. Whether the disruption was unavoidable is unclear. The FBI did not explain how the raid transpired. DigitalOne suggested that the FBI was clumsy, taking a whole enclosure of servers, rather than the particular servers that were the focus of its raid. Some in the technical community have criticized the FBI for not knowing the difference between an enclosure and a server. I don’t know whether the FBI was in fact clumsy. The full story is probably complicated. Problem Will Be More Common This is not the first time that a well-meaning FBI raid of a contract data center caused disruption to innocent businesses housed at the center. A company named Liquid Motors complained in court when an FBI data center raid damaged its business, which was not... Continue reading
Metadata in Micro-manufactured Products 3D printing creates physical objects as though they were units of digital data. It takes instructions from software to render physical objects by successively adding small points or layers of substance, one after the next. 3D printing will be a bonanza for digital forensics investigators, just... Continue reading
Microscopic End User License Agreement (EULA) for Physical Objects 3D printers will spawn new battles in contract law. Just as computers brought us software with EULAs, and just as the web gave us "terms of service" found through a hyperlink at the bottom of a web page, 3D printers will motivate makers of physical objects to attach contracts and EULAs to those objects. The EULAs might have clauses like this: “By accepting possession of this object, you agree not to create a three-dimensional software representation of it or to reproduce a likeness of it using a 3D printer or other means.” Illustration Here’s an industry example showing the incentives and economics at play. An innovative dentist named Farrand Robson has developed techniques for making oral appliances that help patients with breathing problems. The techniques apparently include making something like a bite splint, custom-fitted for the patient’s mouth, with special features and contours to channel the patient’s tongue forward in his mouth. Dr. Robson and dentists who have studied under him apparently charge many thousands of... Continue reading
Authenticated Record of What You See When You See It How should an auditor record his observations as he inspects evidence online? A multinational auditor in Hong Kong, BDO Limited, needed to inspect the online bank account of a publicly-held Chinese company China-Biotics Inc. (which is traded in the US).... Continue reading
Corruption Deterrent Crowdsourcing can be a tool of investigation. An official investigation can gather evidence by urging large numbers of people to submit information such as photographs snapped with smartphones. First Example: The Controller of the City of Philadelphia has released an iPhone app (the "Philly Watchdog") to help citizens... Continue reading
Dual-Camera Android Devices Tablets and smart phones are coming equipped with two cameras, one on the back and another on the front. These two cameras make it easy for an investigator to gather and authenticate audio-visual records about physical evidence -- such as graffiti on a fence or the appearance... Continue reading
Narrated Screencast Assures Investigator’s Personal Accountability The collection of cloud evidence vexes investigators, whether they be police, auditors or consumer watchdogs. As more and more social and commercial interactions occur in the Internet cloud, new methods are needed for proving what happened. Traditional Forensics Methods Usually Don't Apply in the Cloud Traditional digital forensics emphasizes an investigator gaining access to data stored on a computer, such as in a hard drive, where records show what happened through the computer (web surfing, email writing). Yet our digital lives are becoming centered less in our computers and more in the cloud, where we mingle by way of numerous, increasingly mobile, disposable, interchangeable devices. An investigator may never get access to the relevant user or service provider device(s), even though he can witness a live online event by connecting to it through his own computer. Online content is ephemeral. A Facebook Wall can show one thing now and something different a minute later. A chat session or an online game can transpire in a flash. How should a... Continue reading
Consumer Privacy Bill of Rights Some codes of privacy say that the holder of personal data must take steps to ensure the “integrity” or “accuracy” of the data. Why? Such a requirement seems to interrupt the privacy of individuals. Data Integrity Requirement Consider Section 303, the “Data Integrity” section of... Continue reading
PCI-DSS | Telephone Like the so-called right to be forgotten, requirements of the Payment Card Industry Data Security Standard (the PCI) can clash with record retention needs. The PCI sets industry standards for credit card merchants to secure card data. A student in my SANS legal course related the following story. PCI Section 3.2.2 states: “Do not store the card verification code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions.” His company, a credit card merchant, takes card payments over the telephone in live voice transactions between customers and the company’s representatives. For each transaction, the company audio records the entire voice exchange. Naturally, the company takes from the customer the card verification code covered by PCI 3.2.2. As the customer vocalizes that code, the company makes an audio recording of the code. The company noted that to record the code is a violation of the literal words of PCI 3.2.2. However, the company also noted that legal and business imperatives call... Continue reading
Privacy or Spoliation? A movement is afoot in the European Union to grant individuals an online “right to be forgotten.” The general idea is that a person would have the right to force a service provider to delete data the provider possesses about the person. That right would promote privacy. Yet the right to be forgotten clashes with another emerging expectation in modern law, that is, the expectation that organizations will maintain extensive records about their activities. Broadly speaking, law in the digital age has become increasingly suspicious of early destruction of records. See UK case, record retention trends and civil law jurisdictions. The ability of computers to create and preserve prodigious quantities of records has fueled a sense that organizations should keep records so they can be held accountable to society. Law expects organizations to retain records for many purposes: consumer protection, collection of taxes, investigation of fraud, resolution of civil disputes and innumerable other purposes. If an organization deletes records too early, law will punish the organization under doctrines like spoliation and obstruction... Continue reading
A prospective student in my SANS Legal 523 course had trouble getting a visa so she could travel to the US to attend the course. Following is the heart of a letter I wrote on her behalf to the US embassy in her country. [begin letter] I send this letter in support of a visa application by the “Applicant”, a lawyer for [a non-US revenue authority]. The Applicant is applying for a visa so she can attend a professional seminar titled “Law of Data Security and Investigations” (the “Seminar”) in Orlando, Florida. I am the instructor for the Seminar. I created the content for the Seminar, and I have been teaching the Seminar regularly for about eight years. The Seminar is organized under the SANS Institute, sans.org, premier outfit for training professionals on computer policy, security and forensics issues. The Seminar is held five times a year, in various cities around the US. These cities are selected for their good transportation and large hotels. The Seminar is always held as part of a larger technology... Continue reading
Benjamin Wright added a favorite at Ride The Lightning
Feb 2, 2011
In the video I said I was in a hotel lobby. Obviously, if an attorney were doing this work, he'd be wise to sit in a remote corner of the lobby where no one could hear what was going on.