Wednesday, August 10, 2011

My Security Forensics Final Paper The Forensic Tightrope of Justice



The Forensic Tightrope of Justice
SECR: 250
Bryant & Stratton College
Richard L. Pryor, Jr.
8/6/2011


Forensics, as defined as a noun, is the art or study of argumentation and formal debate. This is not what I was expecting to find. I figured there would be something more relevant to the course we are finishing up. The fact is, public policy and the law will always play a role in any forensic investigation. When a person's freedom is in jeopardy debate is what sets American justice apart. According to (Etzioni, 2004 pg. 44) "reasonable search meant the search had to serve a compelling public interest, especially public safety or public health." What this means in a practical sense today is that there are specific rules that need to be followed for a successful prosecution or in corporate or criminal cases. This paper will seek to anecdotally define Fourth and Fifth Amendments, further define U.S. Federal rules of evidence, site some recent cases involving digital evidence, and cover a case study involving guidelines for planning an investigation of an employee suspected of illegal activity, that will stand up to the scope of current laws.
The Fourth and Fifth Amendments to the Bill of Rights have been parsed and examined since they were written. In attempting to keep with the spirit of this assignment, it would be impossible to discuss every occasion where a higher court had to review an argument made by a prosecutor. The overall theme shall therefore be structured in a way that captures the definition of forensics, the art or study of formal debate. Just as a child might built what they consider is the perfect sand castle far enough from the water to be knocked down, defense attorneys are always seeking to harness creative ways to argue the innocents of their clients or use the wind to breach the castle wall. This cat and mouse dynamic is the very essence of why forensic investigators need to collect, process, validate, and be able to reproduce their results in near perfect fashion. They are the prosecutor's primary weapon in the arena of cyber crimes.
An example of the Fourth Amendment being reviewed by the Supreme Court was Smith vs. Maryland in 1979. The defendant argued his rights were violated since a search warrant was not obtained to set up a pen register to record numbers dialed from his home phone. He argued the evidence gained from this alleged illegal search was fruit from a poisonous tree. The Supreme Court disagreed stating that since he dialed numbers that used a telephone company's internal facilities then he should have no expectation of privacy. His conviction for the robbery was upheld. (findlaw.com) The case could have been decided in his favor and they might have agreed with his attorneys. If they would have, future investigators would have the onerous task of obtaining a warrant for every pen trap. Obviously, the framers of the Bill of Rights could have never envisioned a phone company or wire taps. What they did see was a need for the third branch of government the Judicial Branch. This branch is able to conform to the times we live in and use current circumstances to form precedence or former cases, which serve as guiding examples of how legal processes should be carried out.
In order to offer some additional information about pen register as a process (law.cornell.edu) outlined 18 USC Part II Chapter 206 § 3122. A pen register can be obtained by an attorney for the government or officer of law in some states. They need swear to the court that the pen register is needed for their investigation and that the information gained will "likely be related to their ongoing investigation." Interestingly (Etzioni pg. 159) quoted Peter Swire saying, "The term pen register comes from the old style for tracking all the calls from a single telephone" and "At one point the technology for wiretapped phones was based on the fact that rotary clicks would trigger movements of a pen on a piece of paper."
The Fifth Amendment, which protects a suspect from being compelled to testify against themselves, has been adapted to suit the computer age. Upon reading a case found on (caselaw.findlaw.com, 2006) the United States Versus O'Keefe, which was reviewed by the 11th circuit court of appeals, the issue of Fifth Amendment violation was raised. It was brought up that the defendant failed to alert agents of Homeland Security that he was acting as a self-appointed vigilante trying to stamp out child pornography, at the time his home PC's were seized. The defense claimed that under Fifth Amendment protection he was not obligated to make any statement at that time. The court sited Doyle vs. Ohio. They were making the case that a defendant's silence should not be considered an admission of guilt. That would violate their due process of law under the Fourteenth Amendment. However, O'Keefe was not arrested at that time and was not given Miranda warnings. Doyle violations can only occur if a suspect has received a Miranda warning. Since the warnings were not given Doyle did not apply in this case. Secondly, the mere mention of his omission by prosecutors was not a Fifth Amendment violation, since the judge gave instructions to the jury to only evaluate sworn testimony and evidence. His conviction was upheld.
Moving into the third area of law, U.S. Federal rules of evidence, chapter five of the (cybercrime.gov) site was clear on the rules. Hearsay, which is in section B stated that information that is the result of computer data processing could not be hearsay. The computer cannot say anything has been the consistent finding of courts who have reviewed these rules. Hearsay is divided into three distinct classifications: hearsay, non-hearsay, and mixed. The key difference is the human input element. The items a bookkeeper enters into a spreadsheet might be hearsay. Authentication has generally been given a low threshold of admissibility. The judge in the case can determine the weight of the evidence rather than the fact that it could have been tampered with. They do note a chain of custody record is important in showing the stops the evidence made on its way to court. Obviously, the defense attorneys mentioned earlier have tried many different ways to get evidence excluded. The best evidence rule stated that you should have either the data or a printout of the data to represent the one's and zero's that compose it. You cannot simply rely on a verbal description of what was witnessed on a screen at a given time.(cybercrime.gov)
In a blog post by Stephen Wu a subject which involves ESI was included in his post. This is a snippet of the post: "Here are some things to think about when doing eDiscovery work at your company: 
Preservation:  Ask whether your litigation hold policy covers cloud services, syncing, and automatic backup.  If not, change the policy to accommodate them now.  Make sure your policy actually works by testing it.
 Searching:  When a discovery request comes in, ask whether the search for potentially responsive ESI includes cloud services.  If not, make sure they are added to the list.  Probe your co-workers to make sure they have thought of all available sources of ESI."(Wu) ESI- electronic stored information.
If your strategy does not take into account cloud storage, you will run the risk of not finding all the evidence available or not be granted access to this data due to a poorly worded company policy or search warrant. In my opinion cloud, storage solutions are here to stay.
In a blog post by Sharon Nelson, Esq., noted that Federal Judges have issued at least two dozen warrants for Facebook users. The piece includes two terms Ms. Nelson refers to this way "What interested me most is that these warrants demands a user's "Neoprint" and Photoprint" - terms I had never heard before which apparently appear in law enforcement manuals and refer to a Facebook compilation of data that the users themselves do not have access to."(Nelson) These are terms, which I take to mean a metadata set of items the users posted on their account. I would guess that there was a process, which isolated potential criminal activity. This is worth more investigation in another forum. A common knowledge Google search also pointed out this might include government officials accessing your data and setting up false friend profiles to attempt to extract information from a Facebook, MySpace, or Twitter user.
The case study is a helpful tool to focus all resources on a small area, I believe. If I were hired by a law firm to perform a digital investigation, I would start out as Mr. Wu stated in his piece sited earlier. I would review the current policies to see what was on the books and what might need to be added to be able to do a complete search. If cloud parameters were not there, I would surely add them. I would also be sure that the target of the investigation had signed all of the pre-employment acknowledgements, verifying he/she was made aware of the policies in question.
As for the plan of action, I will refer to the (U.S. DoJ) listing. This guideline is composed of several chapters and I will hit the highlights:
·         Chapter one is a breakdown of what a computer is. It also includes various storage devices, peripheral devices, memory cards, external hard drives, thumb drives (interestingly there are photos showing a watch, pocket knife, and pen which are hiding their storage capacity as USB drives.) Also tape drives, thumb print readers, video game consoles, DVR devices, and MP3 players along with their respective manuals.
·         Chapter two covers tools an investigator might need like gloves, cameras, cardboard boxes, note pads, evidence inventory logs, tape, bags, anti static bags, crime scene tape, antistatic tools, evidence stickers, and permanent markers .
·         Chapter three speaks of the scene itself. Mentions securing all electronic devices, no unauthorized access to these devices, refuse offers of help from unauthorized persons, remove unauthorized persons from the scene, ensure the condition of the electronic devices is not altered. If PC is powered off leave it off, if it not clear if the device is off look for fans running, drives spinning, or LED's blinking. There is long list of preliminary interviewing of people present upon arrival. They should be asked for names, passwords, any automated applications in use, security provisions in use, any offsite storage, all login user names and accounts.
·         Chapter four documenting the scene includes the following among others. Creating a record of the investigation, move if needed devices to learn their serial numbers, detailed recording of scene using photos, videos, notes sketches, note type, location, and position of computers and components within the crime scene space. Note any networking wiring and switches/ hub or other infrastructure. Some components will need to remain online to prevent a service interruption for the business.
·         Chapter five evidence collection protocols including document current state of device upon arrival, if monitor is on and displaying activity photograph the screen as found. Move mouse to see if screen saver is in use without pushing any buttons on the mouse and see what is on the screen. ALYAWS document every step of the process as you proceed. If monitor is off, turn it on and note the results after complete. Label all power and other cords while still attached to their respective component. Take photos of the cords. Disconnect all cords and devices and secure them. Place tape over the drive input slots and check for media in the drives upon arrival. Record make and model of units at  the scene. For laptops photo, sketch, noted devices attached ( follow desk top protocols if applicable) Note any active chat or other applications in use upon arrival. If mainframe or server is involved in a networked environment seek out the network admin to assist in recovering any volatile data before proceeding. Loss of power could mean loss of evidence. Other devices to consider for having valuable data are: audio recorders, gps devices, answering machines, pagers, cordless telephones, copy machines, cell phones, hard drive duplicators, fax machines, printers, WAP's, Laptop power supplies, smart cards, scanners, caller ID units, ect..
·         Chapters six and seven speak about packaging and storage which is more pertinent to law enforcement.
These are steps worth considering when planning for the investigation. If the person has signed off on receiving a copy of the company policy there will be nothing to challenge from a legal rights suit. When an employee uses a company provided PC they should have no expectation of privacy as was stated in the Smith vs. Maryland case sited earlier.
            Being a corporate investigation all of the previous steps might not all be necessary. It is worth mentioning some undercover actions would also be useful. Video and audio recordings of the target should be considered. A remote acquisition of the target's drive would also be a good idea, as not to tip them off to the investigation. Cooperation from the network admin to access emails would be a must along with any internet logs they had about this particular PC. I guess allowing the target an opportunity to get caught would be the surest way of avoiding any future challenge to the findings. An audio recording of them selling company data or uploading spreadsheets to a non-network approved storage area would be the best way to make the case bulletproof.
            The investigation would have been legal since the target would have been aware of the company policies in place. The post Patriot Act world, we live in these days seems to have swung the momentum to those who are seeking justice through investigation. The law as sited earlier has a lower standard for allowing evidence into a proceeding. There seems to be a clear understanding that juries are able to parse through highly technical information and arrive at the best decision.
            The process of writing my final paper for Bryant and Stratton College has been one of intrigue and enlightenment. The laws in our nation are based on offering anyone who might be accused every opportunity to prove their innocents. I am grateful to live here where justice is possible while keeping a level playing field for both sides of a case. If I should need to call upon this information in the future, I will be glad to have taken this course.  


References
Data set (1979). U.S. Supreme Court Volume 442 735 Retrieved 8/02/2011from: http://caselaw.lp.findlaw.com/cgi-bin/getcase.pl?court=US&vol=442&invol=735
Data set (2006) U.S. 11th Circuit Court of Appeals. Retrieved 8/4/2011 from: http://caselaw.findlaw.com/us-11th-circuit/1404148.html
Etzioni, A. (2004). How Patriotic is the Patriot Act? Freedom Versus Security in The Age of Terrorism. New York: Routledge.
Na listed, (4/01/2008).U.S Department of Justice:  Electronic Crime Scene Investigation: A Guide for First Responders, Second Edition. Retrieved 8/5/2011 from: http://nij.ncjrs.gov/App/publications/pub_search_results.aspx
Nelson, S. (7/21/2011). Ride the Lightning Blog: How Much Data is Facebook Giving Law Enforcement Under Secret Warrants?
Retrieved 8/5/2011 from: http://ridethelightning.senseient.com/2011/07/how-much-data-is-facebook-giving-law-enforcement-under-secret-warrants.html?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+sensei+%28Ride+The+Lightning%29
Retrieved 8/4/2011 from: http://www.cybercrime.gov/ssmanual/05ssma.html
Retrieved 8/2/2011 from: http://www.law.cornell.edu/uscode/18/usc_sec_18_00003122----000-.html
Wu, S. (7/4/2011). eDiscovery, Digital Evidence and Cybersecurity Law
 Blog: Apple's iCloud Will Change how we do eDiscoveryRetrieved from: https://365.rsaconference.com/blogs/ediscovery





Please follow me on Twitter @RichardLPryorJr http://twitter.com/#!/RichardLPryorJr Please visit http://pyropooch.com/ My new Custom Pet Portrait wood burning venture.

4 comments:

  1. There are many other ways of storage besides cloud storage.
    document storage

    ReplyDelete
  2. I find security forensics to be interesting as well. It's infinitely challenging, and the toughest cases come from the unlikeliest places.

    ReplyDelete
  3. You just can't change the fact that this topic is definitely interesting. I'm glad you considered it.

    long island document scanning

    ReplyDelete
  4. Security has always been an issue. That's why most of us find these forensics very interesting.

    PC Repair Services

    ReplyDelete

Note: Only a member of this blog may post a comment.