Forensic Data Collections 2.0 (Fried R.)

Author: Fried R.

📄 Text Preview (First 20 pages)

📄 Page 1
FORENSIC DATA COLLECTIONS 2.0 A SELECTION OF TRUSTED DIGITAL FORENSICS CONTENT SECOND EDITION ROBERT B. FRIED INTRODUCTION BY LEE FELSENSTEIN DESIGNER OF THE PERSONAL COMPUTER
📄 Page 2
Advance Praise for Robert Fried's Writings and Some Insightful Thought Leadership Steve Crocker, Internet Pioneer “Robert B. Fried's collection of articles and related advice to forensic investigators is a pleasure to read. Navigating the Internet, and digital evidence is often confusing, and the technology is constantly evolving. Robert and his co-authors offer tips to investigators on what to look for, how to get help, and how to avoid critical mistakes. He writes from having been there and done that. His tone is collegial, not preachy. If you're a forensic investigator, this book needs to be on your shelf — or on your digital reader. Even better, you should read it. And read it again from time to time.”
📄 Page 3
Vint Cerf, Internet Pioneer | VP, Chief Internet Evangelist at Google “Robert B. Fried's Forensic Data Collections 2.0: A Selection of Trusted Digital Forensic Content: Second Edition, is a compendium of articles on various aspects of forensics that offers glimpses of the challenges and environments within which digital forensics must work. Some topics apply to long-term preservation of digital content insofar as they address the problem of formats, assured digital integrity, standards, etc. For forensic reasons, companies and perhaps even individuals and governments will want to insure that digital content is available over long periods of time for reference. For forensic practitioners, the book offers reminders of what to be aware of and thoughtful about. For casual readers, this book may alert them to the increasing complement of digital detritus they produce that may someday be subject to forensic discovery and investigation.”
📄 Page 4
Dr. Robert Kahn, Internet Pioneer “Robert B. Fried has authored an informative collection of vignettes about digital forensics and cybersecurity. He has extensive practical experience in dealing with such matters, which he relates in straightforward and easy to understand articles. These can assist individuals to better understand what is happening in the digital world. One is always well advised to take safety precautions, including in one’s endeavors online; this compilation will be helpful to those for whom the Internet is still a potentially unknown space and to many others who can benefit from the author’s experiences.”
📄 Page 5
John C. Klensin, Ph.D., Internet Pioneer | Standards Expert | Protocol Developer | Consultant “As an author of several Standards for the Internet (documented in the Requests for Comments (RFC) series) and leader in standards development in several other areas, I understand the importance of documenting technical concepts and how they are critical for different implementations being able to work together, and for future innovation. For example, the standard for the File Transfer Protocol (FTP) was published in 1985, but the discussions and documentation from which the fundamental architecture for file transfer started in the 1970s. FTP allowed the ARPANET to move forward beyond the distribution of working documents by postal mail and what we described affectionately as "sneakernet". Only a little bit later, it was key to multiple inter-institutional scientific and other collaborations. It provided the transport mechanism for early ARPANET and Internet mail and its basic architecture and conventions were adapted for contemporary email and web transport protocols. As it relates to digital investigations today, the use of electronic transfer protocols (for example, Secure File Transfer Protocol (SFTP)) provides a foundation for uploading and downloading data. An investigator can subsequently access and sift through data more swiftly, rather than wait for the data to arrive on physical storage media.”
📄 Page 6
Forensic Data Collections 2.0 A Selection of Trusted Digital Forensics Content Second Edition Robert B. Fried Introduction by Lee Felsenstein Designer of the Personal Computer
📄 Page 7
Copyright © 2024 by Robert B. Fried All Rights Reserved. No part of this publication may be reproduced, distributed, or transmitted in any form or by any means, including photocopying, recording, or other electronic or mechanical methods, without the prior written permission of the publisher. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is sold with the understanding that the publisher is not engaged in rendering legal, accounting, or other professional service. If legal advice or other expert assistance is required, the services of a competent professional should be sought. ISBN: 979-8-218-38956-7
📄 Page 8
To Rachael—my wife and my love, and to our children — Aaron, Madeline, and Michael, my legacy.
📄 Page 9
Acknowledgements
I would like to sincerely thank the following individuals with whom I collaborated, allowing Forensic Data Collections 2.0: A Selection of Trusted Digital Forensics Content: Second Edition to become a reality: Anna Albraccio, Lee Felsenstein, Ralph Friedman, Arman Gungor, Jeff Hedlesky, Gary Hunt, Dr. Henry C. Lee, Zachary Muzzin, Christian H. Parker, Ryan Parthemore, Richard Perrillo, Dominic E. Piernot, Jon Rowe, Jason Scheid, and Hannah Westwood. I would also like to thank my family for their unwavering support over the years, in my successful pursuit to discover a career in digital forensics that merges my passion for science, technology, and law.
📄 Page 10
Preface
The technical acumen of the digital forensics practitioner must be balanced with soft skills. In an age of hypersensitivity to data privacy and security, one must know how to convey technical concepts—while ensuring that all parties involved are on the same page—when addressing the identification, preservation, collection, and examination of electronic evidence. The digital forensics practitioner must stay ahead of the curve; not only is technology continuously evolving but so are the wants and needs of clients. For example: legal counsel may request the forensic collection of a mobile device but only of chats from a specific app on the device, from a specified period, and between two individuals; the chats must be delivered in a format that displays them in 24-hour intervals. The scope of this effort would require several considerations for the digital forensic practitioner:
■ The support for the mobile device and the targeted app (including its version), using the forensic tool(s) in their toolkit.
■ The methodologies and workflows required to cull.
■ The export of relevant data only, and its format.
Additionally, the digital forensics practitioner must be prepared to consult the parties, including explanations made in a clear, concise, and confident manner of the overall process, setting proper expectations about the logistics involved, and when the deliverable will be available.
📄 Page 11
The objective of Forensic Data Collections 2.0: A Selection of Trusted Digital Forensics Content: Second Edition, is to provide reliable, verified, and validated information, so that you can gauge what you need to know, and the questions you need to ask, when encountering electronic evidence. As you navigate the contents of this book, I hope that you can appreciate that there may not always be a tool for every scenario in which you encounter electronic evidence, but when devising a potential solution, methodology or workflow, it is important to remember the fundamental principles in forensic science, while approaching things with an innovative mindset and taking into consideration your audience. Robert Fried March 2024
📄 Page 12
Contents Acknowledgements Preface My Exploratory Path Be That Trusted Advisor B.Y.O.D. Policies: When a Personally Owned Device Contains Potentially Relevant Data Cloud Attachments: Inside an Email - Yet Stored Outside Cloud Storage Services: ESI Beyond But Within Your Reach The Corporate Data Disappearing Act - How'd They Do That? Cryptocurrency: A Digital Forensics Perspective I Say “Alexa” and You Say “Franziska” Uncovering Digital Footprints A Digital Forensics Playbook: A Living Document What's in a (Digital Forensics) Toolkit? Email Evidence: Be Careful How You Click Perspectives on Electronic Evidence Management
📄 Page 13
Applying Forensic Fundamentals to the Evolving Evidence of Today Don't Grab and Go: Stop, Drop (the Mouse), and Call! Forensic Validation: What to Know and What to Ask You've Encountered an IoT Device, Now What?! It Is Not Enough to Know. You Also Need to Educate and Communicate. Digital Forensics Laboratory Accreditation A Change Has Done Us Good: Available Now: Advanced Mobile Device Solutions Forensic Preservation and Examination of Digital-Based Evidence During a Pandemic Dinosaurs, Technology and the Human Element About the Author About the Co-Authors
📄 Page 14
Introduction
My Exploratory Path
As a consulting electronic designer in the early days of personal computers, I found that I could add the most value when the client was not sure that they knew what they wanted. I had fortunately spent years investigating how computers could be used by untrained casual users, so I was at least aware of significant questions that begged answers in that area. As the market developed in its first year, I was able to devise solutions that helped to define what a personal computer architecture should be.
The Fundamental Misunderstanding
I once had a client that was the American R&D outpost of a large Japanese corporation (this was around 1985). After I had done some work for them, I was introduced to a man whom they described as a higher executive in the Japanese offices - we were discussing the design of a “multifunction” device which would integrate a wide range of office functions. At one point in the discussion, when he was prematurely pressing me for an estimate, I commented, “You’re actually paying me to learn.” I had my ears pinned back by the executive’s instant retort - “NO! You should know!” That was the end of that discussion and, as I recall, of my consulting work for that company. The best I could say would be that they had the wrong engineer - this fellow assumed that, with my BSEE from Berkeley my head had been stuffed full of detail on “the way everything is done”, and that I had access to libraries full of the latest periodicals. Of course, the problem was that if that were true, I would already be behind the “state of the art” - they weren’t about to pay for exploratory work done outside the known boundaries. This is where I earn my fees - staring at an empty corner of the room and musing “what if...” and pursuing that line of inquiry to the point of trying something out.
📄 Page 15
Talent is Discovered, Not Learned
“Daydreaming and explaining” are the two talents I can confidently claim - if I can reduce my daydream to something I can explain then I can reduce it to practice or find someone who can. Of course, I wouldn’t hang out a shingle advertising these talents per se - “Contract electronic design engineering” sounds so much more solid. Perhaps if I were better skilled at giving useless estimates and tap dancing around the details while murmuring comforting lyrics, I could have developed a contract with that company, but the outcome would have most likely been negative. I could also make a living designing the same thing over and over for different clients, but I would hate to have wasted what talents I have that way. To create something where nothing had been before has an artistic appeal, and to have that creation be of helpful, practical use to a swath of humanity is delightful to the engineering side of me. I have just wrapped up writing a book, Me and My Big Ideas, explaining how I got to where I did (in my case, creating the first public-access social media system and defining the personal computer) and it’s a long story where not much happens in the short term.
On the Path
It’s a story of exploration extending through years of getting to understand one thing after another and trying to put what I’d learned together into something that worked - when no one could tell me what was going to work. I got used to people telling me “I don’t understand why you’re doing what you’re doing”, realizing eventually that this was confirmation that I was on the right path. There were “Aha!” moments when I realized I could get more out of less simply by changing the way I looked at the situation. There was opening day (in 1973) when all but one unsuspecting person approaching our system (announced as “an electronic bulletin board - we’re using a computer”) responded with interest and eagerness - I had expected at
📄 Page 16
most 50 percent. And when my major critic came around after 15 years to agree that I was not crazy after all and had had a good point.
Starting Point
All of this stemmed from an incident when I was 19 and discovered that, if I wanted to be of use to society then waiting for orders would be a losing strategy—I would have to follow a path of exploration, marking it as I went and finding companions along the way, with no assurance of success. Best of all, there’s no completion - the path opens out to new fields of possibility where I could never learn and try everything. All I can do is write down directions for where others ought to go and what they should try. The path, as it is said, is indeed the destination. This is more satisfying when some others are asking me “aren’t you sorry?” (spoiler—the answer is “no”). Those questions provided my motivation, as an inveterate explainer, to write the book.
The Fellowship of Exploration
To those of us who follow the path of exploration in our work, I say, “Well met - I hope you can take delight in an arduous journey and hope you can tell us about the high points - leave some notes along the way if you can”. To the others, I say, “look at the notes I left and see if they mean anything to you - you’ll find me heading for the horizon”. Like electrical engineering, the field of digital forensics is dynamic - innovation and creativity are often necessary to address the ever-changing landscape of electronic evidence. Today’s investigators/practitioners must rely on fundamental principles in their field, while maintaining an exploratory mindset, as a solution may not always be at one’s fingertips.
Lee Felsenstein
📄 Page 17
February 2024
Lee Felsenstein is the author of the text of this chapter, initially published in Forensic Data Collections 2.0: A Selection of Trusted Digital Forensics Content: Second Edition. This text may appear in other publications by Lee Felsenstein.
📄 Page 18
Chapter 1
Be That Trusted Advisor
As forensic practitioners, we must do our best to stay ahead of ever-changing technology, but sometimes we are thrown curve balls. For example, taking a trip down memory lane, several years ago, I was excited to take a course on the Apple file system. After a week of in-depth training to learn the HFS+ file system, Apple announced that it would soon be releasing the APFS file system! Another fond memory I often recall, I went to perform a forensic preservation of a data custodian’s phone only to discover that the phone—that was supported by the forensic tool the day before—was no longer supported, as the phone’s operating system had automatically updated overnight. When it comes to technology, things change frequently and quickly.
Collaboration Is Key
We are often engaged because something is wrong. Clients reach out because there is a matter, likely involving litigation or an investigation, and they need expert guidance. Some clients have previously engaged a forensics practitioner, while others have not. In any case, every matter is unique, and must be dealt with in a manner where we can gather as much information as possible from all available parties. We must take on an important role—the trusted advisor. Legal practitioners and corporate personnel are faced with the task of identifying and ensuring that data relevant to a litigation or investigation is preserved in a forensically sound manner. The number of data sources and the volume of data are continuously increasing. Data is not always stored onsite, or in its default or designated location; this has become even more of an issue as a hybrid and remote workforce has become prevalent in recent years. Identifying and preserving data must be a collaborative effort between various teams—Legal (internal and outside), IT, business stakeholders, and forensic practitioners.
📄 Page 19
Communicate Effectively
It is important that we understand the scope of the matter, taking into consideration any known complexities and sensitivities. Emotions may be running high and knowing what to say—and how to say it—can make a difference to a client at this particularly delicate time. This includes conveying technical concepts in a manner that is clear, concise and that can be easily understood, regardless of whether the client is tech savvy or not. The tone of delivery is important; we must remain calm and confident throughout. Often, time is of the essence, and the easier it is for a client to understand the issues at hand, the more likely it will be that all relevant parties are on the same page with a path forward. What and how we communicate is just as important as the method of delivery. Depending on the preference of the client, email may suffice. Providing updates and summaries of findings to a client via email is effective, especially when communicating to multiple stakeholders. If a matter is urgent, and if time sensitive, some clients prefer to text message or call for real-time updates. More recently, many clients are using video teleconference solutions; this has allowed for clients to not only see each other but also to screen share between attendees, which can be helpful when reviewing findings or drafts of reports. No matter what method of communication is utilized, we must be transparent and provide regular updates to a client (the frequency of which can be decided upon by the client and/or the forensic practitioner).
Stay Ahead of the Curve
With over twenty years of experience in the digital forensics industry, I am continuously taking steps to attempt to stay ahead of the curve.
I began my career as a Computer Crime Specialist with the National White Collar Crime Center (NW3C), where I developed courses and trained local, state, and federal law enforcement personnel on basic and advanced topics related to computer forensics—continuing education is part of my DNA. Digital forensics is a highly dynamic industry, and as forensic practitioners, we must be aware of training opportunities that may help us to stay
📄 Page 20
current, properly advise clients, and advance our careers. Many professional training organizations offer onsite and on-demand courses. These courses not only allow forensic practitioners to gain knowledge but are also an opportunity to network with others. There have been several instances where I have reached out to classmates, well after a course has ended to discuss a scenario that I had encountered. Courses are not the only option when it comes to continuing education. Many vendors of forensic software and hardware offer webinars where valuable information is shared about their products or an important or trending topic. Additionally, many vendors post upcoming events in newsletters or on social media platforms. We know that there may not be a solution for every situation encountered. Be it a forensic tool’s lack of support for a device that must be forensically preserved, or a request from a client to deliver data in a specific format, it is important to be innovative. I can recall recent matters where it was necessary to develop a customized solution to accommodate client needs; this has included the development of an automated script to convert mobile data into a format that could be utilized to ingest the data into a document review platform. Additionally, in the last two years, many workflows that my teams had utilized needed to be reviewed and revised due to the COVID-19 pandemic. Restrictions on travel, and for many, the shift to performing operations remotely has resulted in many of us having to rethink the ways in which we complete tasks. In recent years, there has been an increased focus on data security and data privacy. Although many of us take direction from legal counsel, it is important to be aware of such sensitivities, and be knowledgeable regarding local laws. We are often asked to address how we go about ensuring that client data in our possession is secure.
Further, many data custodians are particularly sensitive about their personal data that may be commingled with work data on their devices; it may be necessary to develop customized workflows to address their concerns. It is important that everyone is comfortable, and on the same page regarding the actions that will be taken—but still ensuring that the methodologies utilized are defensible.
Measuring Success
How can we measure the success of a client engagement? Often, once a matter starts, things move relatively quickly.