Five case studies of interest to corporate investigators


Attorneys, forensic professionals and e-discovery providers have become very comfortable working with traditional types of digital evidence (e.g., email, text messages, spreadsheets, word processing files). There is a lot to be learned there, but technology evolves rapidly. As our world becomes increasingly digitalized, there are ever-increasingly creative ways to find information. Here we look at five cases that show the potential in underused and emerging types of digital evidence.

This article assumes that most investigations attorneys are at least passingly familiar with the basics of digital forensics[i] and experienced in reviewing traditional types of digital evidence, such as email, text messages and standard PC files,[ii] to develop an understanding of underlying facts.[iii]

Case study one: Locational data – geotags

The facts: Following the Russian annexation of Crimea in February 2014, international tensions built over allegations that Russian troops were operating in other parts of Ukraine. Russian officials repeatedly denied these allegations.[iv] Starting in late June 2014, Alexander Sotkin, a sergeant in the Russian Army, posted a month-long series of selfies taken with his cell phone to his public Instagram account. The press picked up the story when it was discovered that the posted JPEG files included geotag metadata, and that the geotags and pictures showed the sergeant moving on duty from a military base in Russia into eastern Ukraine and then back to the base.[v]

The takeaway: Geotags, such as those embedded in Sotkin’s pictures, are a form of locational metadata. Geotags generated by smartphones tend to be very accurate and are associated with other types of file metadata, like date- and timestamps. Combine these attributes with the conventional wisdom that a picture is worth a thousand words and reports showing that smartphone users take over 150 pictures per month, and you have a treasure trove of data to pin down who/what/when/where details during an investigation.

Geotags and other types of locational data can also be embedded in other types of files, such as video files and SMS text messages. Other cell phone locational data can be drawn from routes stored in mapping applications, Wi-Fi connections, cell towers in call history and applications like weather or real estate tools.
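As an added example (not from the article or from any of the investigations it describes), the following Python sketch does what a forensic tool does when it reads a geotag: it walks the EXIF structure a smartphone writes into a JPEG and converts the GPS degrees/minutes/seconds rationals into signed decimal coordinates. The sample input is a constructed TIFF payload (the part of the JPEG APP1 segment that follows the `Exif\0\0` marker) with made-up coordinates; the tag numbers and layout are those of the EXIF GPS IFD.

```python
import struct

# EXIF tag numbers: pointer to the GPS IFD, then GPS LatitudeRef/Latitude/LongitudeRef/Longitude
GPS_IFD_POINTER, LAT_REF, LAT, LON_REF, LON = 0x8825, 0x0001, 0x0002, 0x0003, 0x0004

def _rationals(deg, minutes, seconds):
    """Three unsigned RATIONALs (numerator, denominator); seconds stored to 1/100."""
    return struct.pack("<6I", deg, 1, minutes, 1, int(round(seconds * 100)), 100)

def build_sample_exif(lat_ref, lat_dms, lon_ref, lon_dms):
    """Constructed input: the little-endian TIFF payload that follows 'Exif\\0\\0' in a
    JPEG APP1 segment, holding only IFD0 -> GPS IFD. Layout: header 0-7, IFD0 8-25,
    GPS IFD 26-79, latitude rationals at offset 80, longitude rationals at 104."""
    ifd0 = struct.pack("<HHHIII", 1, GPS_IFD_POINTER, 4, 1, 26, 0)  # one LONG entry, no next IFD
    gps = struct.pack("<H", 4)
    gps += struct.pack("<HHI4s", LAT_REF, 2, 2, lat_ref.encode() + b"\0\0\0")  # ASCII, stored inline
    gps += struct.pack("<HHII", LAT, 5, 3, 80)  # three RATIONALs at offset 80
    gps += struct.pack("<HHI4s", LON_REF, 2, 2, lon_ref.encode() + b"\0\0\0")
    gps += struct.pack("<HHII", LON, 5, 3, 104)
    gps += struct.pack("<I", 0)
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + gps + _rationals(*lat_dms) + _rationals(*lon_dms)

def parse_exif_gps(tiff):
    """Return (lat, lon) in signed decimal degrees, or None if the blob has no GPS fix."""
    bo = {b"II": "<", b"MM": ">"}[tiff[:2]]  # byte-order flag from the TIFF header
    u16 = lambda o: struct.unpack_from(bo + "H", tiff, o)[0]
    u32 = lambda o: struct.unpack_from(bo + "I", tiff, o)[0]

    def entries(ifd_off):  # yield (tag, type, count, offset of the 4-byte value/offset field)
        for i in range(u16(ifd_off)):
            e = ifd_off + 2 + 12 * i
            yield u16(e), u16(e + 2), u32(e + 4), e + 8

    gps_off = next((u32(v) for tag, _, _, v in entries(u32(4)) if tag == GPS_IFD_POINTER), None)
    if gps_off is None:
        return None
    fields = {}
    for tag, typ, count, v in entries(gps_off):
        if typ == 2 and count <= 4:  # ASCII short enough to sit inline in the value field
            fields[tag] = tiff[v:v + count].rstrip(b"\0").decode()
        elif typ == 5:  # RATIONAL: `count` (numerator, denominator) u32 pairs at an offset
            vals = struct.unpack_from(bo + "%dI" % (2 * count), tiff, u32(v))
            fields[tag] = [vals[i] / vals[i + 1] for i in range(0, 2 * count, 2)]
    if not all(t in fields for t in (LAT_REF, LAT, LON_REF, LON)):
        return None

    def decimal(dms, ref):  # degrees/minutes/seconds -> signed decimal degrees
        d, m, s = dms
        return (d + m / 60 + s / 3600) * (-1 if ref in ("S", "W") else 1)

    return round(decimal(fields[LAT], fields[LAT_REF]), 6), round(decimal(fields[LON], fields[LON_REF]), 6)
```

Real photos carry many more tags (including DateTimeOriginal, which is what ties the fix to a moment in time), but the walk from IFD0 to the GPS IFD is the same.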
 

Case study two: Wearable sensors

The facts: Connie Dabate was murdered in her home in 2015. According to his arrest warrant, her husband Richard provided an elaborate explanation of the day’s events, claiming that he returned home after receiving an alarm alert. Richard went on to claim that, upon entering his house, he was immobilized and tortured by an intruder. He told police that the intruder then shot and killed Connie when she returned home from the gym. Relying on evidence collected from Connie’s Fitbit, police were able to show that she had been in the house at the time Richard said she was at the gym. According to the Fitbit’s data, Connie stopped moving one minute before the home alarm went off.[vi]

The takeaway: Wearable devices like Fitbits monitor location via GPS and activities like distance traveled, steps taken, sleep time and heart rate. The devices are configured to synchronize data to applications on smartphones and personal computers or to cloud or social media sites. Evidentiary collections can be made from either of these sources using standard digital forensics tools and techniques.
 

Case study three: Data from asset trackers – sensors and IoT devices

The facts: The case of Howze v. Western Express, Inc.[vii] revolved around injuries caused when a tractor-trailer forced a motorcycle off the road. The truck in question could not be definitively identified by an eyewitness, although the witness recalled that the trailer logo read “Western Express.” The defendant’s trucks were equipped with asset trackers that included a GPS feature. Data from the trackers was collected and retained in a centralized database. The defendant claimed that a search of the database showed that it had no trucks on the road in question on the night of the accident. To counter that claim, the plaintiff cited Western Express’ six-month GPS data retention policy and challenged the validity of the defendant’s search, which was conducted 27 months after the accident. The judge decided that there was a question of material fact that needed to be sorted out by a jury.

The takeaway: Asset trackers take advantage of GPS, Wi-Fi and Bluetooth technology to allow organizations to monitor their moveable assets. They may collect basic locational data or may have expanded features that capture other information like diagnostics, messaging, weather conditions or compliance data. They are used to track high-value, moveable assets (e.g., fleet vehicles, construction equipment, medical devices) and are starting to show up in the growing array of consumer IoT devices.[viii] Howze helps demonstrate that asset tracker evidence is highly probative. It is also highly available to investigators who are working for an organization that owns or finances the asset. As in Howze, the client’s database can be searched, or the data can be extracted to a better platform to help understand and preserve the who/what/when/where details in a controlled manner. The investigators can avoid having to examine the asset itself or involve the asset custodian in their inquiry.

Howze also demonstrates the need to handle structured data (i.e., records stored in a database) in a defensible manner. Structured data should be collected and validated early in the investigation to avoid spoliative events like a regularly scheduled database purge. Handling of the structured data should be defensibly documented. If the dataset is large or if queries are complex, a forensic consultant who understands structured data should be retained. Structured data analytics is a complex discipline and is not included in the standard forensic examiner’s toolkit. Specialists will be needed.
 

Case study four: Network data reveals theft of trade secrets

The facts: Xiaolang Zhang worked as an engineer for Apple’s autonomous car division. He had been with the company 2½ years when he announced that he would be resigning and returning to China to take care of his elderly mother. He told his manager that he would be working for an electric car manufacturer in China. The conversation left the manager suspicious. Company security started an investigation. They searched Zhang’s two work phones and laptop—but were most alarmed when they reviewed Zhang’s network activity. The story the network data told was that Zhang’s activity had spiked to a two-year high in the days leading up to his resignation. It consisted of “bulk searches and targeted downloading copious pages of information” taken from secret databases he could access. When confronted, Zhang admitted to taking company data. The matter was referred to the FBI, and Zhang was indicted for theft of trade secrets.[ix]

The takeaway: Network forensics is a sub-specialty of digital forensics. It involves analysis of log data from servers and other networking tools (e.g., firewalls, routers, intrusion detection applications) in order to trace or monitor network activity. Attorneys with cyber law practices have become very familiar with network forensics, as it is one of the go-to tools for intrusion and breach detection. Network forensics can involve retroactive analysis or live-stream traffic monitoring. The volume of data collected can be enormous, so data analytics techniques are used heavily.

It used to be the case that network forensics was seldom practiced. To reduce the need for storage hardware, few organizations had their network logging features turned on. Fewer still retained their logs long enough to be of value when investigators came calling. Practices have changed as companies have become more sophisticated and diligent about cyber security. The Zhang case demonstrates that the availability of network data presents opportunities to investigate user activity in non-cyber cases (e.g., a theft of trade secrets matter). As in the Zhang case, network logs can be analyzed to identify mass movements or deletions of data and other suspect user activity.
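As an added illustration (not part of the article and not the method used in the Zhang investigation), the following Python sketch applies the kind of baseline comparison described above to access-log lines: it aggregates each user's daily download volume and flags any day that exceeds a multiple of that user's own historical median. The log format, user names, dates and byte counts are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed sample records (not from any real system): "<ISO timestamp> <user> <action> <bytes>"
SAMPLE_LOG = """\
2018-04-02T09:12:03 alice DOWNLOAD 1200000
2018-04-02T10:44:19 bob DOWNLOAD 800000
2018-04-03T09:02:51 alice DOWNLOAD 1500000
2018-04-03T16:20:00 bob DOWNLOAD 700000
2018-04-04T08:58:10 alice DOWNLOAD 1100000
2018-04-04T14:01:33 bob DOWNLOAD 900000
2018-04-05T09:30:42 alice DOWNLOAD 1300000
2018-04-05T21:15:07 bob SEARCH 0
2018-04-05T21:16:48 bob DOWNLOAD 39000000
2018-04-05T22:02:11 bob DOWNLOAD 41000000
"""

def daily_volume(log_text):
    """Sum DOWNLOAD bytes per (user, day); SEARCH and other actions are ignored here."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        ts, user, action, nbytes = line.split()
        if action == "DOWNLOAD":
            totals[(user, datetime.fromisoformat(ts).date())] += int(nbytes)
    return totals

def flag_spikes(totals, factor=5.0, min_history=3):
    """Flag days whose volume exceeds `factor` times the median of that user's earlier
    days, once at least `min_history` prior days exist to form a baseline.
    Returns (user, day, bytes, ratio_to_baseline) tuples."""
    per_user = defaultdict(list)
    for (user, day), vol in sorted(totals.items(), key=lambda kv: kv[0][1]):
        per_user[user].append((day, vol))
    alerts = []
    for user, series in per_user.items():
        for i, (day, vol) in enumerate(series):
            history = [v for _, v in series[:i]]
            if len(history) < min_history:
                continue  # too little history to call anything abnormal yet
            baseline = statistics.median(history)
            if vol > factor * baseline:
                alerts.append((user, day.isoformat(), vol, round(vol / baseline, 1)))
    return alerts

if __name__ == "__main__":
    for alert in flag_spikes(daily_volume(SAMPLE_LOG)):
        print("spike: user=%s day=%s bytes=%d (%.1fx baseline)" % alert)
```

On the sample data only bob's last day is flagged: 80 MB against a baseline of 800 KB, while alice's slightly busier day stays within her own normal range.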
 

Case study five: Data from vehicle infotainment, telematics and black box systems

The facts: A 2017 story from Digital Forensics Magazine[x] describes a hit-and-run car crash caused by the driver of a dark SUV without its lights on. The SUV hit a car, ran into a clump of trees and then drove off. Police were able to locate an SUV that fit the description. After downloading data from its on-board diagnostics, infotainment and telematics systems, police were able to determine that the vehicle had passed the scene at the approximate time the crash had occurred, that the lights had not been on and that the SUV had been placed in reverse and forward several times immediately after the time of the crash in the proximity of the damaged trees. Police also found other implicating details of the SUV’s trip that night from routes and destinations in the navigation system.

The takeaway: Vehicles are becoming nearly as rich a target for investigative data as personal computers or smartphones. According to Edmunds.com, the top five things a car knows about its driver are:[xi]

1. A home or business address

2. A list of recently-navigated or commonly-frequented locations

3. Phone contacts

4. Emails and texts

5. Speed, braking and seatbelt use data

And there is more—some vehicles are also equipped with web browsers that may keep history, cookies and cache information. There also may be data from manufacturer-embedded applications such as Facebook. As with personal computers, it is possible to identify devices that have been attached to a vehicle’s computer. It may also be possible in the near future to recover video data and history from the autonomous driving features already showing up in cars.

Vehicle forensics has emerged as a developing specialization in digital forensics. To date, most of the activity has centered on a single forensic tool; however, the tool’s developers claim that it works on over 10,000 makes of automobiles and trucks. There is already an active user base in vehicle forensics among auto insurance investigators, auto manufacturers, car rental companies, law enforcement and intelligence agencies.
 

Conclusion

No aspect of the world we live in changes faster than digital technology. A corporate investigation will likely find itself operating in a technologically different landscape than previous investigations. Having a digital forensics team that is thinking creatively and in the technological vanguard is essential to the success of an investigation.
 

[i] If you’re not familiar with digital forensics, the (highly simplified) basics are:

  • There are three primary goals in digital forensics: 1) collect electronically stored information in a sound, defensible manner, 2) analyze the results of the collections, and 3) present the findings, either in formal legal proceedings or less formally to inform a client.
  • Electronic evidence can be fleeting and fragile. It needs to be collected in a defensible, methodical manner to preserve it accurately and to withstand scrutiny in legal proceedings.
  • Electronic evidence can be highly probative, both as it appears to users and behind the scenes. There is a lot of information that a computer user never sees (e.g., metadata, logs, registry entries). This behind-the-scenes evidence may provide a wealth of information about who did what, when and where. Forensic analysts are trained to preserve, collect and interpret this kind of evidence.
  • Some digital files can be recovered even if a user has tried to delete them.

[ii] E.g., word processing documents, spreadsheets, presentations, images/photos, PDFs.

[iii] Electronic document review is routine practice in litigation during electronic discovery. During an investigation, attorneys may employ e-discovery tools and techniques, but the goals of their review often differ from those of a discovery exercise. Attorneys reviewing a document collection during an investigation generally need to glean foundational facts and insights very quickly. To do so, they may use the same electronic document review software that would be used during discovery. The difference is that the investigators are less focused on document production than on fact-finding. As such, they may rely on advanced searching techniques and data analytics to help speed their review.

[iv] See, e.g., David M. Herszenhorn & Peter Baker, Russia Steps Up Help for Rebels in Ukraine War, New York Times (July 25, 2014), at A1; BBC World News, Ukraine Crisis: Russia Vows No Invasion (BBC, March 14, 2014), available at https://www.bbc.com/news/world-europe-26799326.

[v] See Sean Gallagher, Opposite of OPSEC: Russian Soldier Posts Selfies—from Inside Ukraine, Ars Technica (Wired Media Group, August 4, 2014), available at https://arstechnica.com/tech-policy/2014/08/opposite-of-opsec-russian-soldier-posts-selfies-from-inside-ukraine/; Will Stewart & Jennifer Newton, Are These Selfies Proof That Putin is Operating in the Ukraine? Photographs Posted By Russian Soldier On Instagram 'Were Taken Across The Border,' DailyMail.com (July 31, 2014), available at https://www.dailymail.co.uk/news/article-2711722/The-Russian-soldier-selfie-obsession-prove-Putin-operating-Ukraine-Comms-officer-operates-kit-like-used-MH17-accidentally-reveals-border.html.

[vi] Tracy Connor, Fitbit Murder Case: Richard Dabate Pleads Not Guilty in Wife's Death, NBC News (April 29, 2017), available at https://www.nbcnews.com/news/us-news/fitbit-murder-case-richard-dabate-pleads-not-guilty-wife-s-n752526; Norman Byrd, Richard Dabate Murders Wife, Blames Burglar, But Fitbit Tracker Proves Husband Lied, Police Say, Inquisitr (April 27, 2017), available at https://www.inquisitr.com/4175629/husband-murders-wife-blames-it-on-burglar-but-fitbit-tracker-proves-richard-dabate-lied-police-say/. The Dabate case is not the only one where a fitness tracker has been used to investigate a crime. In a California case, Anthony Aiello was charged with the murder of his stepdaughter Karen Navarra. Video evidence was linked to Fitbit data to show that during the period that Aiello visited Navarra’s residence, her heart rate rocketed up, then slowed precipitously and stopped. BBC Tech News, Fitbit Data Used to Charge US Man with Murder (BBC, October 4, 2018), available at https://www.bbc.com/news/technology-45745366.

[vii] Howze v. Western Express, Inc., 101 Fed. R. Evid. Serv. 107, WL 4180898 (N.D. Ala. 2016).

[viii] An “internet of things” (IoT) device refers to a “smart” device that is equipped with embedded sensors and computing capacity and connected to a network to collect and exchange data.

[ix] Stephen Nellis, Ex-Apple Worker Charged With Stealing Self-Driving Car Trade Secrets, Reuters (July 10, 2018), available at https://www.reuters.com/article/us-apple-theft/ex-apple-worker-charged-with-stealing-self-driving-car-trade-secrets-idUSKBN1K02RR.

[x] Joel Bollo & Ben LeMere, Vehicles Solve Crime, Digital Forensics Magazine (February 2017), at 34.

[xi] Ronald Montoya, Car Technology and Privacy: Top 5 Things Your Car Knows About You, Edmunds.com (February 12, 2013), available at https://www.edmunds.com/car-technology/car-technology-and-privacy.html.