Eric Cervone: All right. Welcome to Quimbee CLE, I am your host, Eric Cervone. Today, I am honored to be joined by Lars Daniel. Lars is the co-author of the book, Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom. He's also the co-author of the book, Digital Forensics Trial Graphics: Teaching the Jury through Effective Use of Visuals. And his forthcoming book, The Attorney's Field Guide to Digital Forensics Mobile Phones will be released later in 2021. Lars has qualified as an expert witness and testified in both state and federal courts.
He's qualified as a digital forensics expert, computer forensics expert, cell phone forensics expert, video forensics expert, and photo forensics expert. Lars, the expert, thank you so much for joining me today.
Lars Daniel: Happy to be here. Thanks so much.
Eric Cervone: We are here to talk about digital forensics, provide just an introduction to what digital forensics is. Can you start with just a definition of this topic and why it's so relevant?
Lars Daniel: Yeah, that's an excellent question. When you think about technology and everything that you create and consume today, it's done with an electronic device. Imagine years ago, maybe you read the newspaper, maybe you utilized a computer for most of it. Today, we have your phones and your computers, all these devices syncing together and all that information is stored in places, and we can access it, including deleted data. In general, when you think about digital forensics, it's going to be the examination of just about anything that gets electricity and stores data in some fashion. That's going to fall under the umbrella of digital forensics generally.
Eric Cervone: Let's get into the state of digital forensics. Currently, it's anything related to technology, I think it's so tough to keep up with because technology changes so quickly. Even for me, as someone in my early 30s who considers myself relatively tech savvy, it's tough for me to keep up. So, I don't know how these courts keep up with it. Can we get into just the pace of technology and how this whole industry has changed? Just in, you could even go a decade ago.
Lars Daniel: Yeah, even a decade ago. I've been doing this for a little over 13 years at this point, and the evolution of both the toolsets to access the evidence and the evidence itself have changed dramatically, to say the least. When you think about the pace of technology and we think about what used to be, it's very different than what we have now. When you think about years ago, maybe you were playing Oregon Trail on the computer, you see on the screen or whatever else in school, I know I was, I try not to get-
Eric Cervone: I was playing that too.
Lars Daniel: Trying not to get dysentery, always choosing the doctor, right?
Eric Cervone: Yep.
Lars Daniel: Well, back then, right? You want to share data with someone else, you had to use what we call the sneaker network. You lace up your sneakers, you put it on a floppy, and you run it from one computer to another. Now it's not like that. Obviously we understand that. We have a tremendous number of devices that connect and sync and speak to each other. The goal is hyperconnectivity. So, you have all your information anywhere you want it at any time. So, not only do we have devices interfacing with one another through sensors and cloud data, storage, and so forth, we also see the connectivity between people, this network and this information that's created through all these applications, such as social media, and banking, and the rest create a massive amount of data that can be mined for evidentiary value.
Eric Cervone: Let's get into the subdisciplines of digital forensics, because you have multiple subdisciplines, which you would think digital forensics would be enough of a subdiscipline in and of itself. But lawyers have to break things down as small as they can, just because I think they just like having outlines that have 1A, B4. Is there any other reason to break this down into even deeper subdisciplines than just digital forensics?
Lars Daniel: Yeah, because it's really complicated. Digital forensics, we utilize as an umbrella term. Originally, you would've heard this called computer forensics when all the evidence examined primarily was computers. I got to kind of grow up through the age of the mobile phone revolution where we saw phones become the primary source of evidence. But digital forensics is an umbrella term. There are simply too many types of data to be examined and devices and information for one person to have it all in their head. At our lab, for example, we specialize our experts in a handful of subdisciplines.
No one does all of them because it would be impossible to keep up. So, if you're an attorney and you feel bad about keeping up, we have full-time experts who do this, and we specialize them in a subset of subdisciplines.
Eric Cervone: What are those subdisciplines?
Lars Daniel: Yeah, that's a great question. First of all, would be computer forensics, that's the oldest of these disciplines. This is going to be the examinations of computers, of servers like you might have at a business, external storage devices, such as thumb drives, external hard drives. Your cloud data, that's going to be connected that you would access through a computer or through a mobile phone or other device. That will fall under computer forensics generally. Other types of archived data, some of that archived data is actually one of the most challenging where you have to pull data back from 20 years ago that's on a tape drive or something like that.
But all that falls under the discipline of computer forensics. And then we have mobile phone forensics. Mobile phones are the most common form of evidence today in almost all types of cases. This mobile device forensics, that's going to include cell phone forensics itself, also includes tablets. It includes the online accounts associated with your phone. So, that could be something related to a wearable device, like a fitness application, or it could be your Apple account, right? It also is going to include backups of phones.
Many times the backup of a phone, like you would do with iTunes, is just as good as having the phone itself, and sometimes better. If you think of a scenario where an incident happened, perhaps a year prior, and the phone has still been in use for a year, you may want the backup that's closer in time, contemporaneous to the event, which might be better than what you would get with the actual phone. That also includes cloud data as a part of mobile device forensics. Now there's ... Go ahead, please.
Eric Cervone: I was just going to say, what's crazy is, just in the 13 years that you've been doing this, this entire subdiscipline just came into existence really, right? I mean, there wasn't mobile data 15 years ago.
Lars Daniel: Yeah. The reality of it is too, is that to see widespread adoption for the examination of something like mobile phones, there has to be a tool to address the issue, because digital forensics, unlike some other forensic disciplines, really stems from law enforcement. So, you have to have a tool that makes it accessible broadly to law enforcement to get widespread adoption to see it start coming into cases. Typically, what we see is that new evidence, new types of digital evidence, starts in the criminal courts and then gets to the civil courts.
When tool manufacturers got their act together over that 10 year period and made it so you could actually get data from these without having to be an ultra hacker, basically, that's really when this took off.
Eric Cervone: Talk to me about location forensics now.
Lars Daniel: No, absolutely. And there's, just to say, there's a ton of location you can get from phones today too, but that is a different class that will also be on Quimbee. Moving on from mobile device forensics to location forensics. This includes cellular location analysis. So, records called call detail records are the primary source of evidence for this, they're kind of like a super phone bill. We provide language for free for that, that allows you to get it from particular carriers.
If you need that, we can provide it with a class I assume, or you can contact me to get it. These records are a super phone bill. Not only do they include transactions, such as calls that happen back and forth, they can include SMS messaging or text messaging that happened back and forth depending on the carrier. But it also includes location data. You get the cell tower associated with where that activity took place. So, you get location information. Also, that includes radio frequency verification. One of the things that our lab does is we are able to drive an area where an incident occurred with specialized hardware and software and see the actual propagation coverage of a tower.
An important thing to understand with location forensics is that all that information about their radio frequency and their coverage and stuff is all their proprietary, protected data. That's really strong business stuff that they need. These records, these call detail records or super phone bills, were not designed to track people, right? They're a business record to show that you paid your bill, we provide you a service, so that we're safe and we're CYA, right? Those records will give you a general idea of location. But if you drive it with this radio frequency verification technology, you can actually create a map to see if there was a hotspot or different types of coverage, or if they really were likely to be in that particular area where the cell tower is covering.
It also includes GPS forensics and other types of location data too. Honestly, there's so many types of location data now. I'm not going to list them all on this slide.
Eric Cervone: I assume these companies, these cell companies are so used to providing this information now that it's relatively easy to get or is there still a lot of back and forth in terms of being able to get what you need in terms of this type of data?
Lars Daniel: Yeah. It changes over time. There was a point where you could use a certified letter to get your records. Now it seems to be like you have to have subpoena power. And you have to ask for it in the right way or you're going to get incomplete information or not the information you want, or the rest. That's why I highly suggest that you just use the language that we, or experts who only do location data have put together to ask for those records.
Eric Cervone: Next subdiscipline is something I never would've even thought of, which is vehicle infotainment systems. I wouldn't have thought this as a category of evidence, but explain to me why this is so valuable.
Lars Daniel: This is valuable for many reasons. Understand like, even a Tesla right now, if you get too close to that car, it thinks you're going to do something, it'll start video recording you. I mean, the amount of technology in our cars is pretty phenomenal. Important thing to understand first is that we're not talking about an event data recorder, okay? We're talking about the actual infotainment system in the vehicle. This is maybe what you touch with your hands, your CarPlay, and so forth. From that device, we can get a lot of information. First, if you synced your phone to it, a lot of your data from your phone is now in the car.
That could be messages, social media data, contacts, location information. Your car is also typically tracking you, even if you have no location set. So, it's recording location history in the car in that infotainment system. But one of the best sources of information, especially for distracted driving cases, comes from the infotainment system inside a vehicle. And here's why. You're riding down the road and you go to change the volume in your car. Okay? You can use the buttons on the back of the steering wheel, or you can reach across and turn a dial.
What about lowering or raising windows and the rest? You can see where hands were in the car at a particular time. You can see what was being touched. This is also valuable if someone says I was alone in the vehicle traveling somewhere, yet, when you look at the data, you see three doors open simultaneously, like two in the backseat, one in the front seat. That type of information, especially, can be utilized. The second one, more to determine if an alibi is correct or not. The first example of where hands are in a car, we would pull that information and provide it to a human factors expert who could then make a determination of distraction.
Eric Cervone: Wow. I remember seeing that Will Smith movie, Enemy of the State back in, what was it? 1998, 1999, and thinking, that's insane that they'd be able to track people like that. But we are so far, even beyond what they were able to imagine back then, just 20 some odd years ago.
Lars Daniel: Yes. There's a massive amount of ability to track us, including facial recognition technology and the rest. It's not going anywhere unfortunately.
Eric Cervone: Let's move on to the next one, the internet of things.
Lars Daniel: And this is actually a part of the internet of things when you're talking about the surveillance states that are starting to appear around the world and really grow into their own fruition in life. But the internet of things has got a really long, complicated definition that I think is not helpful. Here's what the internet of things is. It's everything connected to the internet. Okay? It's your smart light bulbs, it's your dog camera that you can call and press a button and shoot it a treat. It's your phone, it's your computer, it's your wearable technology. All of that is a part of the internet of things.
I separate this out primarily to understand it as consumer electronics, industrial internet of things, and other devices like that, that aren't primarily wearable technology, which we'll talk about in a moment. But if you think about things like your Amazon Alexa, your smart home assistants, your security systems you install yourself, all of that information is a part of the internet of things because you have sensors in those devices that are recording information and dumping that data back to a central repository, where that data is stored.
One valuable point to understand with the internet of things stuff is, like your Amazon Alexa or your Google Home, you're not getting any data off that local device. Where you get that data is from more traditional digital forensics means, from the phone or the computer or the online account. The reason being is that those devices, like your watches and so forth, don't have the processing power or the storage capacity that they need to utilize to really create a robust application and do everything they need to do. So, they dump all that data to your phone, to your computer, to an online account, so we can get the data from those locations.
Eric Cervone: And you mentioned wearable technology. I'm sorry. Did you want to finish there?
Lars Daniel: No, no, that's fine. It's just there's a scary world of insertable and ingestible medical devices too, from rice sized things that get injected in your tricep, would have your entire medical history. You can get scanned. That's been approved by the FDA, to pills that you take that are both part medication delivery system and IOT device.
Eric Cervone: Wow.
Lars Daniel: The reason being is that it costs hospitals a huge amount of money for improper taking of medication or not completing medication, but that syncs back to an application and is recorded on a phone provided to your healthcare provider, aiding when you choose to provide it to, and yourself and your application. So, you could see if someone, for example, say it's a truck driver going down the road who has a medical event. You would be able to see later on through that application if they took their medicine like they were supposed to, or if there was an incident with their prescription or something like that. There's a lot going on in this world with this type of information.
Eric Cervone: Yeah. How much do you deal with fourth amendment or right to privacy issues? Or is that stuff just out the window when it comes to this?
Lars Daniel: Well, my favorite line to answer that question is I am not an attorney and do not answer legal questions.
Eric Cervone: I try to get you. I try to get you. But basically, your job is to collect the information you can, and it'll be up to the attorney to decide what's actually legally admissible and what isn't, is that basically how it works?
Lars Daniel: Yeah, absolutely. So, we're retained by counsel or appointed by counsel to act as experts on their cases. And we don't go after anything that we're not allowed to, we're supposed to. We can certainly assist in requesting or writing the language to try to go get it. We're all about trying to get as much as we possibly can, but my team does not hide in the back of a car waiting for the wife to leave so we can image the ... Make a forensic copy of the husband's phone or something. I'm not trying to get shot.
Eric Cervone: Right. Good. I want you to be safe.
Lars Daniel: Yeah, me too.
Eric Cervone: All right. Let's move on to wearable technology. This is the one that I would've most closely associated with this topic, I would think, because you have your phone on you. Many people have their apple watches now, and that collects so much personal data. Talk to me about that.
Lars Daniel: Yeah. And just to correlate on that last one, I just talked about with the pill, we've actually seen this in a case now where a truck driver was traveling down the road. Those claims by the plaintiff of distracted driving, like using the phone while driving, they did not. What had happened is that they had a medical event and the Apple watch recorded that. It can see if you're having like a heart issue or if you've fallen or whatever, you have that turned on. So, it recorded the medical event occurring before the accident, which was very valuable for the defense in that particular case, as far as for use of mediation.
But yeah, but wearable technology includes things like smart watches, fitness trackers, medical monitoring devices. If you have one of those continuous glucose monitoring patches, things like that, that are electronically enabled, it can also be things like pacemakers. But primarily, when you think about your smart watches and your fitness trackers, they record a tremendous amount of data. It's hard to really explain how much information is recorded now. For example, your phone will do this on its own, but with a watch, it gets even better, the Apple iWatch.
It records every time you take a step, when you go upstairs and things like that. You've seen it record that. It dumps it to the phone. We have logs on the phone of when you're moving, when you're stopped, when you're sleeping. All that information is recorded on your phone. It's recording heart rate variability, it's recording heart rate. For example, if someone says they were assaulted at a particular date and time, and you look at the heart rate for that date and time, and it's the equivalent of someone like eating Cheetos and watching Netflix on the couch, that's problematic, right?
That would provide that information to the appropriate expert off that electronic device so that they could go make a determination on the likelihood of you being assaulted. Right?
Eric Cervone: I am going to move to a cave in Idaho after having this conversation. This is nuts hearing all this. Okay. Let's go on to video recovery.
Lars Daniel: I guess I won't talk about drone technology and stuff then with the caves.
Eric Cervone: I mean, I have to do my job and get it all out of you, but I'm telling you, it's scaring me.
Lars Daniel: Yeah. I'm going to include this one finally here. This is our final subdiscipline. There are more that we could talk about. These are kind of the big stones. I really include forensic video recovery for a very particular reason here. Just because there is an expert who is qualified in computer forensics does not mean they're qualified to handle video evidence. A lot of times, video evidence is very weird in how you have to get it and collect it. And you cannot do it using standard forensic procedures like you would with computers or phones.
For example, let's say you had a DVR unit, a digital video recorder surveillance system, that was burned or damaged, right? You can't just pull a hard drive out and forensically image it, hook it to a computer and see the video, because it's inside of a proprietary body, that actual physical unit, and it's also probably got proprietary software encapsulating the actual video footage. So, you can't open it without the right tools.
Say all that to say this, what you would have to do in that example is yes, you create a forensic image or copy of the original data on a hard drive that's inside of that video recording system to preserve it. You'd make a clone of it on the same type of hard drive that was originally in that DVR unit. Then you have to buy another DVR unit, just like it as an exemplar, put the hard drive in it, boot it up, pull the video off. But now, if you're pulling the video off and you don't do it at the highest quality, at the best possible setting, the highest frame rate, you don't have best evidence.
What happens a lot of times is a first responder goes and just pulls the video from a running system, which is totally fine to do that and not take them offline, but they don't do it at the highest possible settings that they can. In essence, you lose a lot of quality and potentially make that, or render that evidence not useful at all, but this is going to include digital video recorder, surveillance system, dash cams, body cams, your taser cams. Now understand too, that most of your dash body and taser cams are all going to be cloud based.
So, you have to access and pull those from the cloud. One important thing to note too, is usually things like evidence.com, which is Taser's group, that's going to have their dash, body and all their cameras as a part of that. There's audit logs in those. So, if you have concerns that something happened, or there was a usage issue, you can go in there, into evidence.com, and pull a petrified audit log, meaning an audit log that you cannot change, related to those devices so you can see what actually happened.
If you ever get in discovery like an Excel spreadsheet or something and it's not ... You could tell it's not the original item directly from the software, whether that's any type of evidence, but in particular, when you're talking about audit logs coming from things like that, definitely request to get the original from the software or have your own person collect it.
Eric Cervone: Let's talk about what you do with the information itself. Let's start out with identification. What do you do to identify this, keep the data safe? Let's get into all of that.
Lars Daniel: Sure. Yeah, the foundations of digital forensics are one, protecting evidence, and two, data recovery. That's really what the foundations are. That's what it stems from. The first thing that you need to do, if you're collecting an evidence item, whoever you are, is first, you need to isolate device users. What this means is that you need to just separate them from their device. The reason is, is that they could be deleting, modifying, or changing things on that device intentionally, or unintentionally, just through ineptitude or not understanding what they're doing.
There's also the issue of the ability to remotely wipe a device. When I say isolate device users, that means you would like collect the phone, you put it in something called a Faraday cage or a Faraday bag, which blocks any outside communication, whether that's wifi or cellular, it's a radio frequency shielded bag. So, you could not remotely wipe that device. It's protected, it's safe. You also want to make sure that they can't access online accounts, or whatever else, if at all possible.
Now, that's not always possible, especially if you're dealing with a civil case, other than doing the attorney side stuff. You can't lock them in the room, but that is the goal. And we can see if they've accessed stuff remotely most of the time. The big issue is remote wiping of devices. We've had a number of cases, never with my experts, but we've seen opposing experts in law enforcement. They collected an item, they failed to properly make sure it was not connected to cellular and wireless networks, and it was remotely wiped on the way to being put into secure storage.
Eric Cervone: Wow.
Lars Daniel: Yeah. The other part, where you put it in that Faraday cage or that Faraday bag where it keeps it from talking to the outside world, is also part of isolating devices. So, you want it disconnected from the internet, disconnected from cellular, more or less. The reason is, is that new data comes in, it can delete old data, it can overwrite other data. You have remote access issues, automated changes. It could be an automatic update that occurs or something that changes stuff that could really matter in a case.
Eric Cervone: Yeah, I was going to say it's amazing to think that an entire case could swing on whether you get there one second in time or not before they can delete all the information.
Lars Daniel: Yeah. When we talk about ...
Eric Cervone: It used to be you just had to stop them from flushing it down the toilet, now it's remote wipe in an instant.
Lars Daniel: Well, the great thing is if you flush your phone down the toilet, for most models of phones, we could dry it out, pull the chip out and get the data right off of that, or just fix it and get the data off too. Done that a few times. Had one that was ... We had a hard drive that was in a bucket of water for two years. We pulled it out, we were able to get the data off of it. Then we had a phone that was in the ocean for a few months and was just corroded, and we cleaned that thing up and got the data off of that too. Yeah.
Eric Cervone: How did you find a phone that was in the ocean?
Lars Daniel: We didn't find it. Law enforcement found it. Weren't able to recover the data. They gave it to us and we were able to clean it up enough to get the chip off and pull the data from it.
Eric Cervone: Wow. I need to talk to that guy because to find a phone in the ocean, that must have taken a lot of work, it must have been a big case. I'm sure that took some resources.
Lars Daniel: Honestly, it was a murder case. Ding, ding. Going all out for that one.
Eric Cervone: So, talk to me about protecting evidence on computers.
Lars Daniel: Yeah. When we think about computers specifically, there's general protocols, and these are the general protocols that would happen for a first responder. If the evidence item, that computer, is powered on, you need to see if there are volatile processes running, things that would use memory on the computer that you might want to collect. When you turn a computer off, what's stored in the memory goes away, and the memory is like your short term storage on a computer. That's not your storage space. That's your hard drive.
Your memory's your short term storage. It fills up with stuff that could be really important. You turn the computer off and it goes away. Now, it's important to understand what's in the volatile areas of a computer like that are usually not of interest in many types of cases. It's going to be like your hacking type cases or stuff where there's going to be code temporarily stored there to execute something nasty on a computer.
Most types of cases, that's not going to be super important. Are there destructive processes running? Is there anti-forensics being run on the computer right then? Is it connected to network drives? That's really important because if you disconnect that computer when it's running live, you may not be able to access that network drive again, it may be encrypted, so when it powers off, you can't get to it again. And it's also important to know if it's part of a business environment. A lot of that is just going to be, what can I access? What can I not access as a forensics person? What should I be collecting and not, what has the court said? We have the access to collect, all that stuff needs to be known as well.
When you're talking about a civil case in a business environment, every effort needs to be made to minimize the impact on that business. That's just best for both sides as much as you can. If the computer's not powered on, don't turn it on and just secure it as evidence and take it back to the lab. That's what that is. Or make a forensic copy right there on site. So, pretty straightforward.
Eric Cervone: Right. Now let's talk about mobile phones. How do you protect that?
Lars Daniel: Yeah. With mobile phones, it's a little more complicated. We've covered some of this already, but once again, you have to put it in that radio frequency shielded bag. That keeps it from talking to the outside world. If you don't have one of those and you're collecting a phone from a client, the best thing you can do is put the phone in airplane mode with wireless turned off. You all know you can go on an airplane and turn wifi on and connect to that. If you do that, that will protect it as best as you can and then power it off.
A Faraday bag works on the same technology as your microwave. That's the easiest way to understand this. So when you put your hot pocket in the microwave and are heating it up, it microwaves the food and keeps all those microwaves in the microwave instead of microwaving your head. The same thing with a phone, it keeps all that in that bag so it can't talk to the outside world. The second reason as well is the auto deletion. Now, this is primarily an issue, other than the remote access, right? This is primarily an issue with your less sophisticated phone, maybe your burner or throwaways, where they don't have like an unlimited storage capacity, like a lot of modern smartphones today.
As new data comes in, like a conveyor belt, it will delete the oldest data. Okay. That's a real problem if what you care about is the oldest data that existed on that device.
Eric Cervone: When we were kids, we used to put our faces up against the microwave because we thought it might make us radioactive. Because there was all these shows on at the time about these radioactive superheroes, and it didn't work, but it might explain some other things that happened to us.
Lars Daniel: Well, here's something you can try. If you've ever been trying to make a phone call and you notice you have bad signal and you just turn a little bit and you have much better signal and you can hear now, the reason is, is that organic materials absorb radio waves. So, you're doing that with your phone already. You're just sucking in radio waves right into your head all day and just trying to get to the tower. You're already kind of doing that. Maybe we'll all develop superpowers one day.
Eric Cervone: I was going to say, you're making me feel real great about the modern world here today. I appreciate it. Let's go to video evidence. Go ahead.
Lars Daniel: Yeah. Video evidence, once again, as we've talked about in general, it can be difficult to acquire. What you have here is an example of an exemplar that we put a drive into and were able to recover the data. But what I want you to see here primarily is that other screenshot where we're selecting the resolution and what views. A lot of video is multiplexed, where you'll have multiple videos on a single screen. What happens in a lot of cases is that an expert will just export out that main screen, right? So, you'll have a bunch of little tiny thumbnails, like think about Zoom, a bunch of people's heads, instead of having one big picture. What should happen is each camera should be exported individually at the highest possible resolution in case what you care about is on camera eight, instead of having a tiny little picture.
Because you can't increase the resolution of a video. It is what it is. You can do some enhancement and so forth, but what you got is what you got. So, you need the best quality coming out of that device as you can. And we've challenged many of these. I've testified a few times related to just getting the data off of these correctly and how it wasn't done correctly because it can be a real issue.
Eric Cervone: Let's talk about preservation and chain of custody. I assume this follows generally what you would do with any type of evidence.
Lars Daniel: Yeah, absolutely. And we'll cover this a little more later on, but you have to have complete chain of custody. I think that's pretty simple to understand. It doesn't always happen, but you need that, that's forensic best practices. In your forensic acquisitions, you have to have what's called a hash verification, that is digital DNA. I'm going to explain that after we talk about different types of data because it makes more sense once you understand the data that exists on your devices.
Eric Cervone: Let's move on to the types of data. We've got three different primary types of data when it comes to this stuff. Talk to me about that.
Lars Daniel: Yeah, absolutely. So, we're going to talk about logical data, "deleted" data, and unallocated space. I put "deleted" in quotes because I personally don't like the terminology, because it's etymologically incorrect. It's not actually deleted. It's just not, but we'll move on. I can't change that now. We'll start with this. So, you've got this little picture of a hard drive, right? All your data is stored on your hard drive. If you think about your data, that's the storage area. You can think about it like a big empty filing cabinet. Okay. Now, data that is allocated to something are our green ones and the orange ones are unallocated. Okay? Data that is allocated is data that is inside something.
Those file drawers are full of data or they have data inside of them. That's logical data. Okay? Logical data still exists. It's existing data that you can access as a user. Deleted data is a little different. That is data that is partially deleted, but recoverable. Unallocated space data in there can be data that you have to recover. You just have to do a little more work to get to it, and I'm going to explain that here in just a second too. Those are our types of data. You've got allocated data, as you see at the beginning. That's logical data that still exists.
You see files in there. Our one below that, that unallocated and empty is space on your computer that's just empty. There's just nothing in those sections of the hard drive. It's just empty space. The bottom part is data that still exists on your computer that you cannot see anymore because it's not associated with anything. It's either been deleted or it's not used or it was temporary files and the rest. You have logical data. If you wanted to make a copy of this, you just pull it out of the filing cabinet and make a copy. Right? Pretty simple. Deleted data is kind of like pulling data out of the trash bin and flattening it back out.
Forensically, the way this looks is that imagine you're in a library. Remember those library card catalogs that told you where the books live?
Eric Cervone: Barely. Yes.
Lars Daniel: Yeah. The books don't live there, right? The books live on the shelves. What we do forensically is we find the book and we reconnect it back to its library card catalog and recover the data, because all data runs on a big master table of where it lives. You've got a big table that tells you where all the files live. You delete a file, and what the computer says, or the phone says on many devices, is that it doesn't need to see this anymore. I can use this space when I need more room to store new data. It doesn't delete anything. It just disconnects it from its library card catalog. We reconnect it, we get the file right back. Okay?
Then there's unallocated data. This would be like trying to find the book in the library, but that library card catalog entry's been deleted. It's gone. That's when you use things like keyword terms, you try to carve out or forensically rebuild types of files and there's massive amounts of data that you get out of unallocated space. But that's the equivalent of having to kind of take the shredded paper and put it back together. Obviously, it's a lot easier than that with forensic tools and automated for the most part. But that's what that process looks like.
Eric Cervone: When you talk about deleted data not really being removed completely, is there a difference between just deleting something and say when you wipe your hard drive or you wipe your phone, is that different than just deleting it?
Lars Daniel: Absolutely. That's an excellent question. Deleted data should just be called unallocated data, in my mind. It's just unallocated, or unallocated and empty. There shouldn't be something called deleted data in that sense, but it is what it is. When you talk about true deletion, really, really deleting something, what you have to do is overwrite data with new data. That's why when you run an anti-forensics tool against a set of files or an entire computer, what it does is it goes through the entire hard drive and writes random data over the whole thing. That's how you truly delete something. You have to overwrite data with new data.
Eric Cervone: Okay. Gotcha. Gotcha. I'm safe, when I'm turning in my old iPhone and they say, "Make sure you wipe everything before you turn it in," all my stuff's gone when I do that?
Lars Daniel: Yeah. If you factory reset that iPhone, you're safe, and most Androids as well, especially with your iPhones currently at the recording of this class, they are encrypted at a hardware level. So, we can't actually crack those open and pull the chip off. However, we do have relationships with two companies and we can get the passcodes cracked on those. Yes.
Eric Cervone: All right, let's move on. Forensics acquisition. What's this about?
Lars Daniel: Yeah. Acquisitions are the copying or the creating a forensic image of the original evidence item. When we're talking about creating forensic images and how we do our work and what digital forensics looks like, one of our great benefits is that we don't have to touch the original evidence much. We just got to make a copy of it, a forensic copy, and that forensic copy allows us to work from that and not touch the original evidence item anymore. When we're making a copy, first, what I want you to understand is what is not forensically correct.
What you're seeing on the screen is not correct. You have your target drive and your source drive. Your target drive's like your USB stick, you want to copy data onto. The source drive's the computer you plug it into, okay? As you're copying files, it's reading and writing in both directions. It's changing information on both devices simultaneously. To make that not happen, you have to use something called write blocking technology, which does exactly as it says, it prevents the writing of data to the original evidence item, which would be our source drive.
Yes, it does look a bit like a bomb and it's not fun to take through the airport. [crosstalk 00:35:46] what that looks ... Go ahead.
Eric Cervone: I was going to say, I've had to take recording equipment through the airport before. I know what that's like.
Lars Daniel: Yeah. It's not fun to take all this tech through the airport, but you got to do what you got to do. This is correct, however. See, we have that write blocker in the middle. Our target drive, we're able to copy everything we want to copy onto it. That source drive, which is the original evidence, you can't touch it. You don't change that original evidence at all. The next question naturally is, how do you prove that? You prove that with what's called a verification using a hash algorithm. This is a mathematical algorithm that is run against the entire dataset that you have selected.
You could run this algorithm against a complete hard drive and you'll get a unique number. If that hard drive was plugged in for half a second, that number would completely change. You have a perfect snapshot in time of that data. The same if it's a folder filled with files: if you do what's called a logical acquisition and collect all that data, you can run that algorithm against it. Later on, if someone says you changed something, you modified, whatever, you can say, "I can pull it from the file we collected, which has a hash that you cannot tamper with." You can do the same thing with a file and so forth. That is your verification. That's kind of your spoliation-proof piece of this.
Eric Cervone: Now talk to me about image verification, what's this?
Lars Daniel: Yeah. This is the same thing. That is the verification that must be done. What I want you to see here though, is something that should be able to be provided to you by an expert. If you have an opposing expert, or whatever else, and they've created a forensic copy, or they said they've copied evidence, we need to make sure they actually use forensic tools and didn't use an IT tool. IT tools are not forensic tools. IT tools are great at recovering your data and fixing your things. They're not great at doing what we need them to do forensically.
Just real quick, understand that, yeah, I can fix your computer and do some other stuff like that. But I am not an IT genius the same way that some of these guys who do this day in and day out are. In digital forensics, we have a massive amount of knowledge of completely useless information outside of forensics. Like what people did at what times and what all this stuff means. I need to make sure that the robots don't take my job, but what you see here ...
Eric Cervone: Don't we all?
Lars Daniel: Yeah. No, right? But what you see here is that computed and reported hash. So it ran that number against the original evidence item and then it checked it, more or less, and the numbers match. The numbers match, everything's fine. If they can't provide this or the numbers don't match, there's a problem and you should just consult with an expert, because it can get complicated pretty quick, but there's a problem if they don't match. Why, for example, and this is a good question too, why should I create a snapshot in time or a forensic image of data that I'm just going to copy and that's going to go back into use, business as usual, right?
Once again, that is your spoliation-proof point in time. You create that snapshot of data and you can reproduce from it a million times and it's never going to change. This is not like playing telephone, where things could change over time just by too many hands touching it, since you can reproduce it from the original. You can always go back to it. You can go back every time to prove that this evidence is correct and has been properly handled and is safe.
The next one, and we're just talking about acquisitions, is physical acquisition. A physical acquisition copies everything. It's called a bit-stream, bit-for-bit forensic image. That's what you may hear it called. This is normally what occurs in most instances for any device that is not a network share drive or something, or a device that cannot be taken offline at a business. This gets everything that's on that hard drive. You have your forensic verification. You've got all that information, the algorithm, and it's encapsulated. Here's another thing I want you to understand.
Anytime you create a forensic image of a device or a forensic copy, you can't go edit that copy. You can't dig in like a super hacker and change evidence or something, because it's encapsulated in a forensic file format that is tamper-proof. Because it will show in things like cyclic redundancy checks and other places that it has been tampered with. It'll report it immediately.
Eric Cervone: Oh, that's interesting.
Lars Daniel: Yeah. Just to kind of bring this home, here's Maryland State Police, here's a computer forensics computer crime scene investigation by John [Vocaveir 00:40:08], a very respected forensics examiner, just explaining that if you are touching or turning on any digital evidence, it absolutely is possible that you're going to lose information or change information and the rest.
Eric Cervone: When you were talking about how this can't be tampered with, how much of this is a game of trying to keep up with people who are trying to do tampering? Because I think back, I don't know if you saw the documentary Icarus, which is all about tampering ...
Lars Daniel: I did.
Eric Cervone: With drug samples in the Olympics. It's fascinating, you would think these ways of trying to prevent tampering are foolproof, but there's always someone who's staying one step ahead of this. So, is that kind of the way it works in forensics?
Lars Daniel: You should see my module on faking social media and text message content, because it requires a low level of technical sophistication, with a lot of fake evidence. In reality, the answer to almost all those questions is not that there's a bunch of people trying to fake stuff and we can't tell; it's that we need forensic images to work from, and we can prove all of it, right? The issue is that evidence gets into cases and gets into court that has not been verified in a way that is forensically acceptable from a digital forensics perspective.
Now, I'm not an attorney and I know there's lots of ways to get evidence into court. But if you gave me a picture of an email, I'm going to say this isn't the email. This is a piece of paper that purports to be an email. I need the original electronic copy so I can see the header and footer information, other data, to prove it's a real email, because I can make this in Microsoft Word in 15 seconds. That stuff matters a lot. I mean, one case example I've got coming up will explain this. This was a racketeering case I did, a RICO case, and in this particular case, the opposite side had been ordered by the court to provide all their computers and the rest and their phones to me to be forensically imaged, and then both sides would get those images.
They did not want to do that. They fought tooth and nail. I didn't hear anything about it for a long time. Finally, I got a bunch of images in the mail, or copies of data. I look at these, these were Norton Ghost images. Norton Ghost is a great utility for IT people. It has no forensic verification, does not meet forensics standards and the rest. I kind of forgot about the case. A month or so later, I get a phone call. I answer it on my Bluetooth. I'm going down the road on my road bike, and it's the federal judge on the case.
I pull over, I get voir dired. I get sworn in, I testify as an expert witness on the side of the road, simply explaining that they did not provide these in a way that I could verify anything. I cannot tell anything from these, I cannot use this. They did not follow forensic protocol. And then the judge ruled in our side's favor in that case based upon that alone. Yeah, so they understood that. The judge understood. He might not have understood it before I explained it. After I explained it, it was clear as day. It had nothing to do with my profound explanation. It's just simple.
It's a simple fact of how preserving evidence matters when you're talking about digital forensics.
Eric Cervone: Talk to me about fact witness versus expert witnesses.
Lars Daniel: Yeah. I include this because I find it to be just super important. Whenever you're talking about call detail records, computers, cell phones, anything, there's times, right? There's times on all this stuff, but when you're dealing with a call detail record, depending on the switch, for example, it could be reporting UTC+0, but actually it'd be UTC minus four, and then your local time is this. And you've got to convert all those times to figure out what the real time was that something happened. Or you're dealing with computers, for example. This is just one little sheet from SANS, a really, really great resource for forensics people like me, just showing what happens with a file's modified, accessed, created and metadata-changed timestamps.
When you do different things between moving files or copying files, whether it's a local move or to an external device or to a share drive, time is incredibly complicated on electronic devices. If someone is going to say that someone did something at a date and time, and not simply read what is being reported by the computer as far as a time, they should have to qualify as an expert witness. I did work on a case like this, and this person, this expert, really had to get a time that they needed to get into court. They were wrong in their understanding of the time. I knew that completely. It was simple; you could provide research papers showing that this was simple. They did not listen to that.
The prosecution really wanted him to testify as an expert. What we did during that one is that, through his questioning by the attorney, who was an excellent attorney, he could not explain the time stuff. He still managed to get some of that in, in that original part. But he said, "I don't have to understand what my forensic tools do or this time stuff, because it has a big audit log and records everything." And that is true. As a result, the following day, I told the attorney I'll pull the audit log from his stuff. I pulled it, they printed it out. It's thousands of pages.
He got to walk up to the witness stand first thing in that morning and just stack those papers on the top. It was a few feet high at least. Flipped to any page and asked him what any of it means, and he couldn't answer any of it. So, he was relegated to only being able to testify as a fact witness and I was able to testify as an expert witness.
Eric Cervone: Just to go back to that last slide. I'm just thinking about having to get sworn in, in the middle of a bike ride. Did the judge at least ... Did he at least let you catch your breath?
Lars Daniel: No. No. They just carried right on, man. It's ...
Eric Cervone: Did you have to tell him, did you say, "Hey, I'm in the middle of something here."
Lars Daniel: I had a moment to catch my breath. No, I didn't. No, if the judge wants me to do something, I'll do whatever the judge wants. No, I had a moment to recover while our side did some voir dire to qualify me as an expert and the opposing side just stipulated, so I had a few minutes.
Eric Cervone: Okay. Were you able to finish the ride?
Lars Daniel: Yeah, I think I had a lot of energy after that. I think my adrenaline was going pretty good. I wasn't expecting a call from a federal judge on the side of the road.
Eric Cervone: Sure. All right. Well, yeah, we can move on. We can move on to analysis and reporting here, and private browsing. I'm interested to hear about this.
Lars Daniel: Yeah. I'm going to move through these pretty quick. There's so many types of artifacts. One of the things I want you to understand is that we are looking at a tiny sampling of what can be recovered. But first of all, what you need to understand is that there is no such thing truly as private browsing. Any of your browsers, we can recover private browsing data. So, what is commonly referred to as porn mode does not actually really work.
You absolutely can recover a huge amount of information from private browsing. All this you see here is all private browsing. If you see right there, CCleaner, that is from an actual case. This is somebody downloading a tool to delete data intentionally. That's not an anti-forensics tool, but it can be used that way. It's just a good utility, but that's how they used it in this case. For example, we can also see all of those types of anti-forensic tools that are on the computer. If you look at Cleanup.exe, here's another one here. The thing is, with anti-forensic tools, you can run them against the computer and really delete stuff, that is, overwriting data with new data.
But the problem is, it's like a hurricane went through a city. It leaves a huge mess, so we know that you used it. That's the one part of that. A lot of times, it creates a list of everything you deleted with some of these applications, which people don't realize they need to delete. So, you have this massive list of all the files they selected to delete, which is excellent to have sometimes. Your web chat URLs, any web chat type stuff, yes, we're covering those too. Here's a Google Hangouts example. Your passwords and tokens we were able to recover. So, we have these blurred out. Obviously these are from actual cases that we've had permission to use, but we have both your username that has been recovered and your password, what the actual password was.
This could be a great source to try to go find additional information to subpoena or to secure, if someone says they have one email address, but you find out they have five, for example, that gives you some excellent leads. And we could not go log into their accounts without permission to do so. But that gives us the information we need to do that without having to try to get a password from someone. You're able to recover it. There's always the issue of someone, especially in your data exfiltration employee Ron and Dewey cases, all types of stuff like that, where they'll try to exfiltrate data from a company to a personal or a shared Dropbox, Google Drive, Citrix, whatever account where you store data, remote access like that.
When we're looking at that information, we can see from the computer, we don't need to go into the cloud, what had been accessed, what had been opened, what is stored locally from your cloud storage devices and a lot of deleted data for all of these. Keep that in mind. Windows event logs create a huge amount of information when you log on, when you log out, remote access. You're thinking, for example, here we have 224,000 event logs, and this was not a computer that was heavily used. Okay? So, these are created constantly. Shell bags, shell bags are pretty neat. These track your view mode.
For example, you have your Microsoft Word open. You shrink it down to a different size and you drag it from monitor A to monitor B. Next time you restart your computer and you open Word, where does that window go? It goes to the last place you left it, right? The computer remembers that, that's called a shell bag. It remembers where you left that shell and where you put it. The reason this matters is it shows user attribution, a person accessing a folder, accessing a file at a time, and moving a window. Someone cannot say that they never saw it or that a person didn't do that.
Similarly, with jump list, jump list record recently accessed files. You can think about jumping to a file like in your recent, so your quick access. If these exist in a jump list, someone opened a file. Once again, if they opened an inventory sheet, a customer list, whatever else, then you see it go to a cloud account or you see it sent to a personal email account or texted to a phone or whatever else. That's how exfiltration happens with data from companies. Jump list is an excellent way to see what they accessed. A lot of times you'll see tons of files accessed right before they leave a company or something like that.
Same thing with link files. Link files are created to link a file from one place to another. For example, your recents create a little link file that connects when you click on that recent button from like your launcher to the actual file where it lives on the computer. The easiest way to understand this is if you have an icon on your desktop to open like your Outlook or something like that, Outlook isn't stored in that little picture icon. You click on that, that's a link file that opens the application that's stored in your program files.
But a link file's created when you open files and things like that. If a link file's created, a person opened it. Okay? Once again, locally accessed files and folders. We have all that stored on your computer, too. This is great for seeing a proper usage of computers, company policies that might have been broken, data theft and so forth. It's literally just a list of all the stuff you've opened.
We have to talk about searches because searches are super important. The reason being is that, I want you to understand, when we're talking about searches, it's not just searching on Google. Anywhere with a search bar, creates search records. So, here we have Bing in that top one. Next you have Facebook. If you saw that entire thing, you have a number that's unique ID for a particular person, not the vanity name. So, you could actually take that number. We could go to a web browser now and I could show you how to see what person that was that they were communicating with. Okay? And search for. Also, with maps below, that's a Columbus, Ohio map that was searched for. But as ... Go ahead.
Eric Cervone: Does all that apply to even a private search like DuckDuckGo?
Lars Daniel: Yes, absolutely. The private search on DuckDuckGo is protecting you from outside parties interfering with your search, not what's stored on your computer. Yeah, we get all that back too. That's a great question. But this is anywhere there's a search bar, right? So even when you think about YouTube, it's on there too. YouTube is the video repository of all human knowledge. If you don't know how to do something, you can learn how to do it on YouTube, which is pretty awesome. But sometimes people search for some weird things.
I had a lady who was, was accused of embezzling three point some million like an exact amount. And before she knew the exact charges that were coming against her, she YouTubed how long will I go to jail for embezzling X amount of dollars, the exact amount.
Eric Cervone: Exact amount.
Lars Daniel: Yes. I was like, what are you ...
Eric Cervone: She couldn't fudge the numbers a little bit just to try to [crosstalk 00:52:49].
Lars Daniel: I'm telling you, just like, why would we do that? We also had a gentleman who did behead his girlfriend, and before doing so, he YouTubed, how to behead my girlfriend. Truth is stranger than fiction.
Eric Cervone: Well, and again, does he think there's a separate video based on the relationship with someone? Does he have to do girlfriend?
Lars Daniel: I don't know. I don't know why people do what they do. I think a lot of times people just don't think their stuff's ever going to get looked at. I think that's the reality of it, right? They're not-
Eric Cervone: They're just not thinking about it.
Lars Daniel: Yeah. They're just doing it, just doing it. That's all on YouTube. And once again, Facebook, we can see who you search for, what you're looking for, all kinds of things like that coming from those two. Another thing to note too, and what I want you to see about Facebook chats here, let's say, for example, you deleted your Facebook chats. They're actually gone. They're really gone from Facebook. Okay? But they're stored in that unallocated and kind of deleted space on the computer. Even if you delete them all there, we can recover that from those places on your phone and everything else up to the point where you delete it.
So, there could be years of history of that on there. That goes for pretty much any chat application. We're not including some of your secure ones like Signal or Snapchat or a few others, which I'd have to talk about in a different class. Connected devices: if there's a concern that someone connected a USB drive or an external drive or a phone and stole data, walked out with it, did anything, implanted data on something, we can see what's connected and when. We can see external devices. For example, here, in this one, we see someone connected a device. You see that E and interlink path, that's going to be an external drive.
They copied their entire email onto that external drive. That has all the customer lists and everything else they could possibly want, and all the information related to that company that brings a lot of value. Finally, real quick, what you see here, and this is from a sex crimes case, a child pornography case in particular, this is highly problematic because we can see where this gentleman translated every term for preteen from English into Spanish, French, Arabic, Dutch, all the way through. So, he's trying to find that to search for it in different ways. Once again, we are skimming the surface of what's on a computer, but there's a massive amount there.
Eric Cervone: And something you didn't cover that I would've thought you would've covered, but now I understand why you didn't is VPN, because a VPN will, correct me if I'm wrong with any of this, VPN will hide your IP address for someone looking for you remotely. But like you said, we're looking on your computer locally, and so VPN doesn't do anything to protect any of your information that way.
Lars Daniel: Exactly right. I'm perfectly cool with VPNs. They're great. But if we get the actual original evidence item, none of that's helping you.
Eric Cervone: Right. Let's move on. You've got some interesting case examples here.
Lars Daniel: Yeah. This case is a pretty interesting one. This goes to show that the devil really is in the details when you're talking about digital forensics. In this particular case, what we're looking at in that red circle there is 2, 4, 2, 1, 7. What they're trying to say in this one is that two payments were made from a wife to a hit man of 24,000, like $25,000 each to do the hit on the husband. Now that looks problematic, because if you look, you'll see words like Western Union and stuff here.
But this is simply a misunderstanding of having to translate that data. If you translate this actually into the right type of information, because webpages are complicated, you have to go and parse them correctly into the right type of language that it is, you can rebuild it, and this is what it looks like. This is actually from that case. How much money is this? It's $217.13. That's either a very cheap hit man, or, as it looks like, this was used to pay for their car payment. That is not someone attempting to pay a hit man. Then one more here. This was an opposing expert. This is the opposing expert report we're looking at.
This is what we're looking at now, the opposing expert report. I want to make sure that's completely clear as I talk about it. This is a capital murder case where a 16-year-old, I believe, drinks Four Lokos, grabs a big two-handed sword he had, goes to his stepbrother's room and chops him to death. Pretty sad case. What they were trying to do in this one was to say that he premeditated it, capital murder, premeditated, by searching for things like "insanity defense," "defense in insanity." All these other words too; they somehow tried to make the argument that a lot of words, like if "murder" is there 2,400 times on a computer, means something.
That it doesn't mean nothing. There are tons of words on your computer that mean nothing all over the place. But they noted the number of hits that FTK noted. So, "insanity" is not "insanity defense." "Defense" is not "insanity defense." And "defense in insanity" is not "insanity defense." What "defense in insanity" is, is a contains-type search where someone is looking to find one word within a space range of a bunch of other words, like within a range. If you did that with any book, Moby Dick or whatever, that's got any kind of pages in it, you'll get all kinds of crazy stuff, and your computer has way more data on it than that.
When we see this, that's meaningless, and it's pretty easy to really debunk this whole case, and I'm going to show you how right now. They're trying to say that this user searched for it. First, we see from his report, detective noted user input a search term or keyword of homicide. And he's got a date here that matters to them. But if we look at this, we see ads.fido.com. Now, if you go to ads.fido.com, all you have to do is see if there's a search bar. We'll do that in a second. But they also said, every time, he said on the stand, every time you see KW equals, it means a person typed in the search term, which is absolutely false. Anytime the internet or a person searches for anything like an ad agency or whatever, it'll have KW equals. Now, if we go to fido.com, there's no search page.
This is an advertising organization that works with, like, Pitney Bowes, Cisco, Groupon, and Bing, big companies. If you actually look at the artifacts he's trying to say that matter, we can see those right here. First, are these user-inputted search terms? No, they're not. The first one comes from your messenger, microsoftmessenger.lexicon. That's a lexicon. So, insatiably, insatiable, insanity, insanitary. This is what it looks like when you recover data from unallocated space, by the way. The second one is a system file, a fair amount of insanity annual wrestling.
Third, another wrestling event. And then fourth is my favorite, that last one, this is Jeff Dunham, spark of insanity bed scene. That's the guy with the funny puppets. These are meaningless as far as trying to show premeditation. He did go to jail, or go to prison obviously, but not a death penalty in that case, and that's what we were after.
Eric Cervone: Oh, that's interesting. If it weren't for someone like you on the other side, would that have been admissible? I mean, would they have said, oh wow, yeah, he searched insanity all these times. That's-
Lars Daniel: That's the problem. If it had not been challenged, it would've gotten in because that type of stuff is very technical. And you have to understand that one, how the forensic software actually works. If you don't know how the forensic software actually works, you would not catch that, that was a contained type of search. That's what really mattered in that particular instance is understanding how it worked, because the way he said it was not at all what the reality was as far as what a user did.
Eric Cervone: All right, Lars, unfortunately that's all the time we have for today. I could keep going with this all day, but do you have any final words before we go?
Lars Daniel: No, thank you so much for being with me here today. The language packets and other information that I mentioned that we give out at no cost, if you want to send me an email, I'm happy to do so, and I will send that out to you immediately. Okay. I appreciate it.
Eric Cervone: Great. Well, Lars Daniel again, thank you so much for your time. This has been Quimbee CLE. I appreciate all of your time for watching. Please go to quimbee.com for all of your legal education needs. We have CLE courses across dozens of topics at this point. If you know anyone who's studying for the bar exam, go to quimbee.com/barreview. Quimbee.com for any kind of study aids. If you need a refresher on your law school courses, if you need any kind of outlines, we have beautiful videos, everything's available at quimbee.com. Thank you again. Have a good day.