Ransomware: A primer for lawyers

By Rogue Heart,

Exfiltration is on the rise. Lawyers need to know how attacks like exfiltration are investigated to prevent further damages to a client or firm’s finances and reputation. Our digital forensic examiners team up with you to understand the scope of the attack and help your investigation. 

What is ransomware?

First, let’s get clear on ransomware.

Ransomware attacks often involve the threat of exfiltrated data. Attackers threaten to publish stolen, sensitive data unless someone pays a ransom.

Here’s what goes down in the event of a ransomware attack:

Ransomware attackers, or cyber attackers, steal your data before encrypting it. And they’re only getting more sophisticated. Think of it like someone stealing something in your house but first changing the locks and holding the new keys hostage. Instead of physically breaking into your home, ransomware attackers enter your device through an email attachment you opened, an ad you clicked on, a hyperlink you followed, or a website you visited that’s embedded with malware (FBI.gov).

These phishing attacks aren’t detected right away. Malicious code is loaded onto your computer and works in the background until your files and data are locked and inaccessible. The process can take weeks before you see messages demanding payment to regain access to your data and files.

Now, back to exfiltration. Proving exfiltration often relies on circumstantial evidence. In most ransomware attacks the data is taken before or while the files are encrypted, and once the encryption runs, any firewall log data being saved or stored on the network is encrypted along with everything else.

Culprits of ransomware attacks often go for laptops, workstations, and other user-controlled devices – consider starting here to investigate exfiltration attacks. Be mindful that the attackers may have targeted network backups and can disable software used to detect a ransomware attack.

Ransomware protection 

Unfortunately, most ransomware investigations happen after the attack has been deployed. There are precautions your clients can take to prevent an attack. 

  • Look for red flags in activity, such as a user logging into a system from a different country at an unusual time of day
  • Review log activity
  • Review and update retention policies
  • Make a plan
  • Automate anti-virus and anti-malware solutions and run scans regularly
  • Enable two-factor authentication
  • Back up often and in many places, keeping at least one isolated backup so the data can’t be encrypted or destroyed
  • Update your devices’ software often
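As an added example (not the firm’s own tooling), the following Python script runs the first red-flag check above over a few constructed login records: it flags successful logins whose source country differs from the account’s usual one and that also fall outside working hours. The log format, the per-user baseline, and the 07:00–19:59 working window are assumptions.

```python
"""Flag logins from an unexpected country at an unusual hour.
Added example; log format, baseline and working hours are assumptions."""
from datetime import datetime

# Constructed sample log lines in an assumed format:
# "<ISO timestamp> user=<name> src_country=<ISO code> result=<ok|fail>"
SAMPLE_LOG = """\
2024-03-04T09:12:41 user=jsmith src_country=US result=ok
2024-03-04T14:03:10 user=jsmith src_country=US result=ok
2024-03-05T03:27:55 user=jsmith src_country=RO result=ok
2024-03-05T10:40:02 user=akim src_country=US result=ok
2024-03-05T23:15:30 user=akim src_country=US result=fail
2024-03-06T02:05:12 user=akim src_country=BR result=ok
"""

# Assumed baseline: the country each account normally signs in from,
# and the office's working hours on a 24-hour clock.
USUAL_COUNTRY = {"jsmith": "US", "akim": "US"}
WORK_HOURS = range(7, 20)   # 07:00 through 19:59


def parse_line(line):
    """Turn one log line into a dict; return None for lines that don't fit."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    fields = dict(p.split("=", 1) for p in parts[1:])
    fields["ts"] = ts
    return fields


def red_flags(log_text, usual_country=USUAL_COUNTRY, work_hours=WORK_HOURS):
    """Return successful logins from an unexpected country outside working
    hours, each as (user, timestamp, reasons)."""
    flagged = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.get("result") != "ok":
            continue   # failed attempts are noise for this particular check
        reasons = []
        if ev["src_country"] != usual_country.get(ev["user"]):
            reasons.append("unexpected country %s" % ev["src_country"])
        if ev["ts"].hour not in work_hours:
            reasons.append("outside working hours (%02d:00)" % ev["ts"].hour)
        if len(reasons) == 2:   # both conditions: the pattern described above
            flagged.append((ev["user"], ev["ts"].isoformat(), reasons))
    return flagged


if __name__ == "__main__":
    for user, when, why in red_flags(SAMPLE_LOG):
        print(user, when, "; ".join(why))
```

Tuning the baseline per account (some staff travel) and the hour window is what keeps this check from drowning reviewers in false positives.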

Stuck? Our examiners know where to look for other clues and can help you fill the holes in your client’s network exfiltration story. Give us a call.

The Complete Picture: Cloud-Based Evidence

By Rogue Heart,

Explore the fastest growing area in Digital Forensics

Cloud-based evidence is the fastest growing area in digital forensics. Accessing cloud evidence means having legal authority to compel production of the data, being provided the username(s) and password(s) directly, or having other authentication credentials for the data, such as a login through an authentication token (Elcomsoft 2018). But having the keys doesn’t mean you’ll get into the locked chest and its treasure trove of data. And there are ethical concerns.

Opinions vary on cloud computing, cloud forensics, and cloud computing environments’ impact on digital forensics (Barrett 2020). Gathering evidence depends on:

  • Standard evidence acquisition procedures
  • Federal and local laws
  • Court accepted methods
  • Cooperation of the individual(s) who “owns” the data
  • And the cooperation of the cloud provider

Protecting and preserving electronic evidence can be done through simple practices:

  • Two-factor authentication
  • Strong passwords
  • Encrypted email services
  • And secure storage.

Safeguarding information is both ethical and essential, and it also streamlines forensic teams’ workflows.

Cloud-Based Data Storage 

Evidentiary cloud-based data stored for mobile phones includes (American Bar Association 2016):

  • Locations
  • Text messages
  • Pictures
  • Videos
  • Music
  • Voicemails
  • A list of wireless networks where the phone connected
  • Address book
  • Email
  • Call logs
  • Web history

As tech giants move into stronger user-privacy practices, this data could become inaccessible. Google, whose widely-popular browser, operating system, location apps and entertainment platforms are accessed daily by internet users, recently started auto-deleting user data after 18 months. What can you do when your case is impacted?

Call us, the experts.

In traditional digital forensic acquisition, examiners focus on individual computers and isolated environments. Cloud computing forensics acquisition processes are different because they look into account servers, applications, and operating platforms that may be located abroad (Barrett 2020). The challenge is pinpointing the laws and jurisdiction that govern a region where a crime against data occurred (Tripwire 2019). Cloud servers and their data can be hosted in several countries, which makes cloud-based evidence susceptible to third-party compromises, legal red tape, or simply a lack of cooperation with your local laws.

Cloud-Based Evidence. Delivered.

“[Our clients] benefit by having a more complete picture…Of the algorithms that go on and capture information and report on it, we don’t ever see them because they exist somewhere else. But for the Cloud specifically, you know, we’re able to see your Gmail, your Google account, you’re able to see a timeline of activity,” says Josh Michel, a senior examiner on our team.

Roloff Digital Forensics’ examiners keep abreast of new policies, the datasets being collected, and general developments in cloud-based privacy and technology, bolstering your case strategy and getting you the complete picture.

Want to get the complete picture for your case? Drop us a line.

Brains Beat Algorithms: Why Digital Forensics Still Need Humans + AI

By Rogue Heart,

We get it: understanding artificial intelligence and keeping up with emerging technology is hard, and it probably wasn’t taught in law school. Artificial intelligence is, and will remain, a challenge for the digital forensics community.

Law enforcement agencies worldwide are struggling with digital investigations. According to a study by Cellebrite, each digital investigation case involves 2-4 mobile devices and nearly half (45%) will involve a computer (Muhlberg 2020). And this is just the beginning, since third-party service providers frequently maintain relevant data as well, often in the cloud. With all of that hardware, software, and information to comb through, you need experts and tools to make sense of the data.

Our examiners help you understand the benefits and constraints of artificial intelligence in digital evidence, and show you that we’re your best source when it comes to understanding the data in your case, as well as the data that may be missing. This understanding can be critical when preparing a case.

We combine knowledge of the legal system and the courts, prioritize tasks, and follow investigative intuition. We walk you through the process. Algorithms can’t do that. At least not perfectly.

Big Brains Vs. Big Data 

According to researchers in a study by Jarrett and Choo (2021), AI enables digital forensics, especially during the evidence analysis phase. These days, you need the resources to have evidence analyzed efficiently and turned into a compelling story.

“Ultimately, human mindsets, understanding a scenario’s full context, and logical thinking cannot be entirely replicated by machine learning,” says Josiah Roloff, President of Roloff Digital Forensics. “The human mind has an amazing capacity for investigative intuition and can prioritize tasks versus needing to process full datasets simply because they are there. AI automation has its place, but all of this and more, make it important in understanding the roles we give automation versus a hands-on approach.”

AI: What Lawyers Need to Know 

Artificial intelligence does AND doesn’t make your job easier. Highly trained and experienced examiners can help you to fill in the gaps.

Pros to artificial intelligence:

  • Parses through massive amounts of data in a short amount of time (Jarrett & Choo 2021)
  • Finds and filters specific objects in images, tracks down keywords in texts, and creates relationship analysis (Muhlberg 2020)

Cons of artificial intelligence:

  • No guarantee it works. Make sure you understand the AI you’re using (the data used to develop it and by whom) (Bloomberg 2019)
  • Bias and prejudices may exist from the developers and trainers, skewing the results. Our examiners always test the evidence, our findings, and automated findings, before presenting it. 
  • “Black box AI” – proprietary information where companies aren’t transparent about how the AI generates its information. Examiners can’t analyze and dig into how results occurred (American Bar Association 2020)
  • Many AIs are ineffective (American Bar Association 2019)

Your Trusted Digital Forensics

AI isn’t going anywhere. It’s legit to be skeptical of the technology and follow the “trust, but verify” principle. Trust is at the center of our work. We combine technological and relational skillsets with ongoing training to walk you through emerging technology, helping you take the right steps forward to win your case. Meet our team and see how we’re qualified.

Leave it to us, not just the machines

Drop us a line

Smile, You’re on Camera: A Lawyer’s Guide to DVR Forensics

By Alissa Roloff,

THE WORLD IS WATCHING

Big brother is everywhere these days. You can’t stop for a coffee on your daily commute without encountering a camera on every block. The average American is caught on camera over 50 times per day. This is alarming to some, but it could be the key to making or breaking your case.

The odds are good that relevant individuals were caught on surveillance footage during or around the events in question. Frequently, this information is overlooked or completely missed and it’s up to you and your team to identify, obtain/preserve, navigate, and ultimately determine how to best present this crucial footage.

Image of a surveillance camera capturing a van driving past

RESEARCH

Time is of the essence when it comes to DVR forensics. Typically, DVR systems hold 30, 60 or 90 days’ worth of video, and in many instances much less. After that window, the hard drive begins to overwrite or delete potential evidence. The faster you can identify and obtain the data, the more likely you are to recover the footage you need.

Start with the basics: 

  • Map out the location of the alleged incident
  • Create a list of potential footage sources 
  • And take the proper legal steps to get the footage itself. 

You need to get this raw data from its original format into a product that is easily digestible. This is where thorough organization is key to success. At times, you may be dealing with 3-5 different DVRs, all using different file systems, with 8-10 cameras per system.

Once you can obtain the video or DVR systems you are after, the real work begins.

Close up shot of DVR system

UNDERSTANDING DVR SYSTEMS

Most DVR systems are proprietary and built overseas, which makes it challenging to find any support beyond what is supplied with the original user manual. Each manufacturer uses its own mix of file structures, storage capacities and capabilities, playback options, features, and so on. To make things even more confusing, we often find ourselves dealing with multiple DVRs from several manufacturers, each using a different file structure and feature set (motion, stream, etc.).

ORGANIZE

Upon initial review of all available footage, we recommend making yourself a “KEY” or “SUMMARY” to help you conceptualize the big picture. By organizing the material with a set naming convention, file structure, camera angles and associations, you can review hours of footage more quickly and efficiently.

Carry this organizational structure through to your export keeping in mind what option is going to be most efficient for playback and presentation.

DOCUMENT

For the purpose of a smooth testimony, it is always best practice to document every step taken throughout this process. Make it easy on yourself to accurately speak to the actions you took to forensically preserve, acquire, image, review and export all the data presented. The amount of detail you document is up to you, but at a minimum, we recommend documenting the programs used to acquire, image, export and review the DVR footage.

WE HAVE YOUR BACK

DVR forensics can be a massive drain on the time available for your case. As your client’s counsel, you must be dynamic and strategic with your time management. We have an experienced team of digital forensic examiners with extensive backgrounds ready to tackle your DVR forensic needs. Whether it’s just an initial review, a consultation on options, exporting for compatibility, or a full engagement from acquisition through testimony, Roloff Digital Forensics has you covered.

Contact us for help with your case.

Current and Future Challenges for the Digital Forensics Community

By Alissa Roloff,

The digital forensic community has been around for decades (remember when it was simply called ‘Computer Forensics’?). Unlike many tech fields where processes become simpler and more streamlined over time, mobile tech and cloud storage have brought on more complicated and cumulative obstacles.

From the sheer number of devices a person or household maintains, to the total volume of data now stored on cell phones, in cloud locations, and on network attached storage devices, quantity has become a major hurdle. Digital forensics examiners must be taught how to examine devices holding such large volumes of data efficiently, while meeting client needs under short deadlines.

Another challenge: the products we use keep advancing. For example, Apple Inc. has made significant changes to the manner in which it stores and protects data on its devices, which can impede the digital forensic team’s ability to properly extract and analyze crucial data.

As many are aware, Apple Inc. has a feature called “Continuity” which, among many other things, allows a user to answer FaceTime calls, text messages and phone calls from any of their connected devices. A person with this capability can move from device to device as they go about their day, which raises a frequently seen question: which device first received the message, and which person in the household was responsible for the response?

Over the last few years, Apple Inc. has been migrating their computer file system from Mac OS Extended also known as HFS+ (Hierarchical File System) to APFS (Apple File System) and even prior to this, introduced Fusion Drives on some of their computers. Simply put: a spinning hard disk drive and a solid-state drive work in tandem as one drive, transparent to the user. To make things even more complicated, Apple produced FileVault full disk encryption to assist users in protecting their data.

If an examiner doesn’t understand the system they are attempting to extract data from, including what type of file system is in use, if there is a Fusion Drive installed, and if the disk(s) are encrypted with FileVault, usable data will not be properly acquired.

Which means potential evidence can be lost or simply missed.

These types of changes and advancements have and will continue to have a significant impact on digital forensic software and hardware designers, methodology employed, and ultimately, digital forensics teams.

Which brings us to how examiners can handle these changes when attempting to best handle devices, data, and deadlines: proper training. Though not always a requirement, many clients seek out examiners holding specific certifications related to the type of data being analyzed. This can assist when testimony is being introduced, or give additional weight to an opinion provided by way of a written report. Many of the major forensic software tool manufacturers have their own certification processes, which can be time intensive and costly to maintain, but a well-certified examiner can be invaluable when opinions are necessary.

At Roloff Digital Forensics, we overcome both old and new challenges with proper training, team collaboration, and the necessary tools for forensic acquisitions, extractions and analysis. See our staff page to learn more about our personnel’s current certifications.

Location Data: The Story Our Devices Communicate

By Josiah Roloff,

The notion that our digital devices communicate our location is concerning for many people, and understandably so. The truth is, our day to day activities are monitored more closely than ever before. Location-based data provides detailed insights into a person’s life, habits and interests. Imagine your location is logged every time you pick up your phone to check an email, tweet, “check in” to a location on Facebook, snap a photo for Instagram, purchase from Amazon, request a ride from Uber, or look up the nearest coffee shop – the list goes on. This isn’t hypothetical: these actions can immediately log your location, often to multiple places by multiple sources, for the purpose of understanding and influencing your digital behavior.

At Roloff Digital Forensics, we target and utilize this data to assist attorneys in the representation of their client. We might demonstrate or debunk a location-based alibi by verifying the specific geographical location artifacts, while factoring in where they come from and the overlap of additional technologies, such as the surrounding cellular towers or terrain, that can add uncertainty (or, conversely, confidence) to the accuracy of the available data.

Depending on a person’s digital footprint, location-based data can be voluminous and stems from many places:

  • Personal digital devices: phones, tablets, computers, etc.
    • Images and videos you create, installed applications, wireless access points, global positioning system (GPS), wireless and cellular networks, etc.
  • The service providers electronic devices interact with: AT&T, T-Mobile, Verizon, Comcast, etc.
    • Call/text records (CDRs) with accompanying cell site location, historical precision location data/NELOS reports, etc.
  • The applications and services utilized on the device: Facebook, Kik, Google applications, Apple applications, third-party applications of many varieties and sorts that you’ve installed and given permission to access your “location data”, etc.
    • Much of this information isn’t easily visible to the user, but it can be found by forensically analyzing the digital devices, issuing subpoenas or court orders, reviewing the locations and applications on the devices, and, with certain service providers, by accessing your account and locating the data that has been logged about your locations.

Location-based data can seem daunting and intrusive, but if found, collected, and analyzed correctly, it could contain the missing piece in your litigation.