Ransomware: A primer for lawyers

By Rogue Heart

Exfiltration is on the rise. Lawyers need to know how attacks like exfiltration are investigated to prevent further damage to a client’s or firm’s finances and reputation. Our digital forensic examiners team up with you to understand the scope of the attack and help your investigation.

What is ransomware?

First, let’s get clear on ransomware.

Ransomware attacks often involve the threat of exfiltrated data. Attackers threaten to publish stolen, sensitive data unless someone pays a ransom.

Here’s what goes down in the event of a ransomware attack:

Ransomware attackers, or cyber attackers, steal your data before encrypting it. And they’re only getting more sophisticated. Think of it like someone stealing something in your house but first changing the locks and holding the new keys hostage. Instead of physically breaking into your home, ransomware attackers enter your device through an email attachment you opened, an ad you clicked on, a hyperlink you followed, or a website you visited that’s embedded with malware (FBI.gov).

These phishing attacks aren’t detected right away. Code is loaded onto your computer and coders work in the background until your files and data are locked and inaccessible. The process could take weeks until you see messages demanding payment to access your data and files again.

Now, back to exfiltration. Exfiltration often relies on circumstantial evidence. When files are encrypted, which in most ransomware attacks usually happens during exfiltration, firewall log data is encrypted too if it’s being saved or stored on the network.

Culprits of ransomware attacks often go for laptops, workstations, and other user-controlled devices – consider starting here to investigate exfiltration attacks. Be mindful that the attackers may have targeted network backups and can disable software used to detect a ransomware attack.

Ransomware protection 

Unfortunately, most ransomware investigations happen after the attack has been deployed. There are precautions your clients can take to prevent an attack. 

  • Look for red flags in activity such as a user logging into a system from a different country at an unusual time of day. 
  • Review log activity
  • Review and update retention policies
  • Make a plan 
  • Automate anti-virus and anti-malware solutions and run scans regularly 
  • Enable two-factor authentication 
  • Back up often and in many places, especially with one isolated backup so data can’t be encrypted or destroyed
  • Update your devices’ software often 
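
The first two precautions in the list above, shown as an added example that is not part of the original article: a Python script that learns each user's usual login countries and hours from past log lines, then flags new logins that deviate. The log format, field names, user names and sample lines are all constructed for illustration, and the country is assumed to have been resolved from the source IP by the logging system.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample data in a made-up "key=value" login-log format.
# Assumption: the logging system has already resolved source IP to a country.
BASELINE_LOG = """\
2024-03-04T14:05:11Z user=asmith country=US result=success
2024-03-05T15:40:02Z user=asmith country=US result=success
2024-03-06T13:58:47Z user=asmith country=US result=success
2024-03-04T16:20:30Z user=bjones country=US result=success
2024-03-05T21:10:09Z user=bjones country=CA result=success
"""

NEW_LOG = """\
2024-03-11T14:30:00Z user=asmith country=US result=success
2024-03-12T03:17:45Z user=asmith country=RO result=success
2024-03-12T20:45:12Z user=bjones country=CA result=success
2024-03-12T04:02:00Z user=bjones country=US result=failure
2024-03-12T15:00:00Z user=cnew country=US result=success
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z user=(?P<user>\S+) country=(?P<country>[A-Z]{2}) "
    r"result=(?P<result>success|failure)$"
)


def parse_log(text):
    """Return parsed login events; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "user": m["user"],
                "country": m["country"],
                "result": m["result"],
            })
    return events


def build_baseline(events):
    """Per user: countries and hours (UTC) seen in past successful logins."""
    baseline = defaultdict(lambda: {"countries": set(), "hours": set()})
    for e in events:
        if e["result"] == "success":
            baseline[e["user"]]["countries"].add(e["country"])
            baseline[e["user"]]["hours"].add(e["ts"].hour)
    return dict(baseline)


def flag_logins(baseline, events, slack_hours=1):
    """Return (timestamp, user, reasons) for each login that deviates."""
    alerts = []
    for e in events:
        profile = baseline.get(e["user"])
        reasons = []
        if profile is None:
            reasons.append("no login history for this user")
        else:
            if e["country"] not in profile["countries"]:
                reasons.append(f"new country {e['country']}")
            # Simple min-max window; does not model shifts that span midnight.
            lo = min(profile["hours"]) - slack_hours
            hi = max(profile["hours"]) + slack_hours
            if not lo <= e["ts"].hour <= hi:
                reasons.append(f"unusual hour {e['ts'].hour:02d}:00 UTC")
        if reasons:
            alerts.append((e["ts"].isoformat(), e["user"], reasons))
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_log(BASELINE_LOG))
    for ts, user, reasons in flag_logins(baseline, parse_log(NEW_LOG)):
        print(ts, user, "; ".join(reasons))
```

Failed logins are checked as well as successful ones, since a failed attempt from an unfamiliar place or hour is itself worth reviewing.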

Stuck? Our examiners know where to look for other clues and can help you fill the holes in your client’s network exfiltration story. Give us a call.

The Complete Picture: Cloud-Based Evidence

By Rogue Heart

Explore the fastest growing area in Digital Forensics

Cloud-based evidence is the fastest growing area in digital forensics. Accessing cloud evidence means having legal authority to compel production of the data, manually being provided the username(s) and password(s), or having other authentication credentials to access data, such as a login or password through an authentication token (Elcomsoft 2018). But having the keys doesn’t mean you’ll be able to open the locked treasure chest of data. And there are ethical concerns.

Opinions vary on cloud computing, cloud forensics, and cloud computing environments’ impact on digital forensics (Barrett 2020). Gathering evidence depends on:

  • Standard evidence acquisition procedures
  • Federal and local laws
  • Court accepted methods
  • Cooperation of the individual(s) who “owns” the data
  • And the cooperation of the cloud provider

Protecting and preserving electronic evidence can be done through simple practices:

  • Two-factor authentication
  • Strong passwords
  • Encrypted email services
  • And secure storage.

Safeguarding information is ethical and essential along with streamlining forensic teams’ workflows.

Cloud-Based Data Storage 

Evidential, cloud-based data stored for mobile phones includes (American Bar Association 2016):

  • Locations
  • Text messages
  • Pictures
  • Videos
  • Music
  • Voicemails
  • A list of wireless networks where the phone connected
  • Address book
  • Email
  • Call logs
  • Web history

As tech giants move into stronger user-privacy practices, this data could become inaccessible. Google, whose widely popular browser, operating system, location apps and entertainment platforms are accessed daily by internet users, recently started auto-deleting user data after 18 months. What can you do when your case is impacted?

Call us, the experts.

In traditional digital forensic acquisition, examiners focus on individual computers and isolated environments. Cloud computing forensics acquisition processes are different because they take into account servers, applications, and operating platforms that may be located abroad (Barrett 2020). The challenge is pinpointing the laws and jurisdiction that govern a region where a crime against data occurred (Tripwire 2019). Cloud servers and their data can be hosted in several countries, which makes cloud-based evidence susceptible to third-party compromises, legal red tape, or simply a lack of cooperation with your local laws.

Cloud-Based Evidence. Delivered.

“[Our clients] benefit by having a more complete picture…Of the algorithms that go on and capture information and report on it, we don’t ever see them because they exist somewhere else. But for the Cloud specifically, you know, we’re able to see your Gmail, your Google account, you’re able to see a timeline of activity,” says Josh Michel, a senior examiner on our team.

Roloff Digital Forensics’ examiners keep abreast of new policies, the datasets collected, and general emergence in cloud-based privacy and technology, bolstering your case strategy and getting you the complete picture.

Want to get the complete picture for your case? Drop us a line.

Brains Beat Algorithms: Why Digital Forensics Still Need Humans + AI

By Rogue Heart

We get it, understanding artificial intelligence and keeping up with emerging technology is hard and probably not taught in law school. Artificial intelligence is and remains a current and future challenge for the digital forensics community.

Law enforcement agencies worldwide are struggling with digital investigations. According to a study by Cellebrite, each digital investigation case involves 2-4 mobile devices, and nearly half (45%) will involve a computer (Muhlberg 2020). This is just the beginning, as third-party service providers frequently maintain relevant data as well, often in the cloud. With all of that hardware, software, and information to comb through, you need experts and tools to make sense of the data.

Our examiners help you understand the benefits and constraints of artificial intelligence in digital evidence and show you that we’re your best source when it comes to understanding the data in your case, as well as the data that may be missing. This understanding can be critical when preparing a case.

We combine knowledge of the legal system and the courts, prioritize tasks, and follow investigative intuition. We walk you through the process. Algorithms can’t do that. At least not perfectly.

Big Brains Vs. Big Data 

According to researchers in a study by Jarrett and Choo (2021), AI enables digital forensics, especially during the evidence analysis phase. These days, you need the resources to have evidence analyzed efficiently and a compelling story.

“Ultimately, human mindsets, understanding a scenario’s full context, and logical thinking cannot be entirely replicated by machine learning,” says Josiah Roloff, President of Roloff Digital Forensics. “The human mind has an amazing capacity for investigative intuition and can prioritize tasks versus needing to process full datasets simply because they are there. AI automation has its place, but all of this and more, make it important in understanding the roles we give automation versus a hands-on approach.”

AI: What Lawyers Need to Know 

Artificial intelligence does AND doesn’t make your job easier. Highly trained and experienced examiners can help you to fill in the gaps.

Pros to artificial intelligence:

  • Parses through massive amounts of data in a short amount of time (Jarrett & Choo 2021)
  • Finds and filters specific objects in images, tracks down keywords in texts, and creates relationship analysis (Muhlberg 2020)

Cons of artificial intelligence:

  • No guarantee it works. Make sure you understand the AI you’re using (the data used to develop it and by whom) (Bloomberg 2019)
  • Bias and prejudices may exist from the developers and trainers, skewing the results. Our examiners always test the evidence, our findings, and automated findings, before presenting it. 
  • “Black box AI” – proprietary information where companies aren’t transparent about how the AI generates its information. Examiners can’t analyze and dig into how results occurred (American Bar Association 2020)
  • Many AIs are ineffective (American Bar Association 2019)

 

Your Trusted Digital Forensics

AI isn’t going anywhere. It’s legit to be skeptical of the technology and follow the “trust, but verify” principle. Trust is at the center of our work. We combine technological and relational skillsets with ongoing training to walk you through emerging technology, helping you take the right steps forward to win your case. Meet our team and how we’re qualified.

Leave it to us, not just the machines

Drop us a line

Introducing Amber

By Rogue Heart

Meet Amber

Client Relations Manager, Musical Mom, and Advocate

“Every case has its own story, its own world.” – Amber Roy

Twenty years ago, Amber Roy and Josiah Roloff shared the same workplace and similar interests in digital forensics. Their professional paths diverged, eventually meeting again when Amber joined Roloff Digital Forensics (RDF) in January 2021. Having a trifold love for relations, technology, and servant leadership, Amber saw an opportunity to be creative at RDF.

Co-parented by a team (yes, it takes a team), Amber is the daughter of a Relationship Manager, a Businessman, a Shriner, and a Nurse. Servant leadership and finding creative ways to give back to her community run in the family. Her eldest daughter is in Nursing school, her youngest daughter is a Specialist in the US Army, and her son is focused on graduating high school and becoming an animator.

On working at RDF, “Every single person here is solution-minded. Their approaches are going to be completely different with unique perspectives. I work with people who genuinely enjoy one another. It’s impossible to not be creative in an environment that promotes that kind of growth and culture.”

 

A Few of Her Favorites

Amber wears many hats as the RDF Client Relations Manager, Scrum Master, Evidence Custodian and Continuous Improvement Manager.

“My role at Roloff Digital Forensics combines my favorite things about working with people – always with the focus of being factual to those that we serve! I am honored to bring people together, assist with logistics, and I love looking for ways to grow our relationships and improve our processes.”

RDF’s services and expertise span the expanse of technology from the Consumer Internet of Things (CIoT) to consulting on prosecution or defense in criminal cases or military-related cases.

“We’re creating a path, a footprint everywhere we go. And sometimes folks need help preserving that information. Sometimes they need our examiners to analyze the information and document what they find. Our focus is to be factual to those that we serve.”

 

What is digital evidence? 

Amber and her colleagues help clients understand digital evidence through intentional processes, including but not limited to: 

  • Photo/video/audio enhancements
  • Electronic document and/or file authentication
  • Recovering deleted electronic files
  • Discovery review and analysis
  • Identification and preservation of electronic data sources
  • Recovery and analysis of location data

“We work with people. We want to make forensics understandable to the people that need our help, and we are vigilant to remember that we are helping real people, not just working through a problem, or analyzing data. Our relationships are at the heart of what we do.”

 

No day is Groundhog’s Day

“Digital forensics is a fascinating world. Not a single day is a repeat. On any given day, I learn at least five new things about my team, or technology, or processes, or myself, or our world.”

An ideal coworker is not a copy

“Diversity is hugely important here, especially with our size. The team at RDF is intelligent, transparent, and courageous. That’s important to me and aligns with my love of Agile frameworks and Scrum methodologies. We continue to grow together. This has a positive impact with us personally as well as professionally. It shapes us, our individual culture, and how we interact with each other and our clients.”

Passing down, giving back

Amber is involved in the community and finds opportunities to participate locally with her family. Her parents are active members of local car clubs and charitable organizations. These relationships help create opportunities to raise funds that benefit the community and young adults.

In her spare time, Amber reads medieval lit and poetry, is continuing her education, and plays music with her family. As a video game lover, she found herself enjoying the popular massively multiplayer online role-playing game World of Warcraft and enjoys an occasional console game or two with her son and daughters.

Want to jam with Amber? Apply to join our team! 

 

 

Meet Josh

By Rogue Heart

Senior Forensic Examiner with 8+ years in the field, Photographer, and Dad

Growing up playing video games, old game consoles, and building his first computer, Josh has always had a fascination with technology and the digital forensics field. The industry is ever-evolving, fast-paced, and RDF is on the cutting edge of what’s possible in evidence and legal technology.

“Not only is technology a kind of living, breathing entity,” says Josh. “You could be part of a case that creates new laws.”

To keep up with big tech, Josh and other examiners at RDF frequently attend trainings and update certifications (such as Cellebrite) and document learnings from conferences and programs. Roloff Digital Forensics’s examiners juggle research to keep up and adapt to changes in technology, testing of the evidence, and production, where someone goes to present the evidence.

“Part of forensics is you test your theory and the theory should be repeatable and verifiable. That’s what makes the evidence solid. Otherwise it’s an opinion.”

A father, artist, and Indigenous rights advocate, Josh is more than an examiner. He’s a truth seeker.

And truth reveals itself through art, continuous learning, and curiosity.

“It kind of drives us to find information,” says Josh, “to prove or disprove what might be presented as the truth. Then to keep an open eye or keep an open mind about it and try to show it and tell [clients] the best way, that I think, is representative of the truth.”

An enrolled member of the Confederated Salish and Kootenai Tribes of the Flathead Reservation in northwest Montana, Josh reaches out to various Native government agencies in his downtime. His interest lies in Native American industries, legal systems, and people. He also offers his services to help locate missing individuals.

“It’s an epidemic that I think most people don’t know about. Indigenous communities have a very high rate of going missing, especially young women.

But that’s the first thing I think of…taking the skills and the talent that I have and making a difference. Especially with young people. I think that’s what’s closest to my heart.”

Offline and unplugged, Josh and his family go for bike rides, runs, or to the park. The family squeezes in screen time, too, when they play video games together.

Stay on your toes: Digital forensics is an ever-changing playbook

“One of the most exciting parts about this job is just being a part of that creative aspect of the law, the creative aspect of understanding what’s possible with technology and evidence.”

Josh changes lenses as an examiner and a photographer.

“I love art in general. And you wouldn’t think that digital forensics would be an art, but the art form comes in the person that presents it to the person that collects it. The person that analyzes it, and then ultimately tells you about it. Which is kind of like an artist. An artist collects data. Whether it’s a picture, a moving image, they collect the information to show you or tell you something.”

Interested in working with teammates like Josh? Apply today to become the next Roloff Digital Forensics Examiner.

Smile, You’re on Camera: A Lawyer’s Guide to DVR Forensics

By Alissa Roloff

THE WORLD IS WATCHING

 

Big brother is everywhere these days. You can’t stop for a coffee on your daily commute without encountering a camera on every block. The average American is caught on camera over 50 times per day. This is alarming to some, but it could be the key to making or breaking your case.

The odds are good that relevant individuals were caught on surveillance footage during or around the events in question. Frequently, this information is overlooked or completely missed and it’s up to you and your team to identify, obtain/preserve, navigate, and ultimately determine how to best present this crucial footage.

RESEARCH

Time is of the essence when it comes to DVR Forensics. Typically, DVR systems hold 30, 60 or 90 days worth of video and in many instances, much less. After that window, the hard drive begins to overwrite/delete potential evidence. The faster you can identify and obtain the data, the more likely you will be to recover the footage you need.

Start with the basics: 

  • Map out the location of the alleged incident
  • Create a list of potential footage sources 
  • And take the proper legal steps to get the footage itself. 

You need to get this raw data from its original format into a product that is easily digestible. This is where thorough organization is key to success. At times, you may be dealing with 3-5 different DVRs, all using different file systems, with 8-10 cameras per system.

Once you can obtain the video or DVR systems you are after, the real work begins.

 

UNDERSTANDING DVR SYSTEMS

Most DVR systems are proprietary and built overseas, which makes it challenging to find support beyond what is supplied with the original user manual. File structures, storage capacity and capabilities, playback options, features, etc. vary widely from manufacturer to manufacturer. To make things even more confusing, we often find ourselves dealing with multiple DVRs from several manufacturers that use a variety of different file structures and features (motion, stream, etc.).

ORGANIZE

Upon initial review of all available footage, we recommend making yourself a “KEY” or “SUMMARY” to help you conceptualize the big picture. By organizing using your set naming conventions, file structure, angles and associations, you can more quickly and efficiently review hours of footage.

Carry this organizational structure through to your export keeping in mind what option is going to be most efficient for playback and presentation.

DOCUMENT

For the purpose of a smooth testimony, it is always best practice to document every step taken throughout this process. Make it easy on yourself to accurately speak to the actions you took to forensically preserve, acquire, image, review and export all the data presented. The amount of detail you document is up to you, but at a minimum, we recommend documenting the programs used to acquire, image, export and review the DVR footage.

WE HAVE YOUR BACK

DVR Forensics can be a massive time constraint on your case. As your client’s expert counsel, you must be dynamic and strategic with your time management. We have an experienced team of Digital Forensic Examiners with extensive backgrounds ready to tackle your DVR forensic needs. Whether it’s just an initial review, consultation of options, exporting for compatibility, or a full-on acquisition to testimony need, Roloff Digital Forensics has you covered.

Contact us for help with your case.

Current and Future Challenges for the Digital Forensics’ Community

By Alissa Roloff

The digital forensic community has been around for decades (remember when it was simply called ‘Computer Forensics’?). Unlike many tech fields where processes can become simpler and more streamlined, mobile tech and cloud storage have brought on more complicated and cumulative obstacles.

From the sheer number of devices a person or household maintains, to the total volume of data now stored on cell phones, cloud locations, and network attached storage devices, quantity has become a major hurdle. Digital forensics examiners must be taught how to examine digital devices with such large volumes with efficiency and an ability to meet client needs under short deadlines.

Another challenge: the products we use advance. For example, Apple Inc. has made strides in the manner in which it stores and protects data on its devices, which can impede the digital forensic team’s ability to properly extract and analyze crucial data.

As many are aware, Apple Inc. has a process called “Continuity” which, among many things, allows a user to answer FaceTime, text messages and phone calls with any of their connected devices. A person with this capability can move from device to device to do things, which brings up a frequently seen question: Which device first received the message, and what person in the household was responsible for the response?

Over the last few years, Apple Inc. has been migrating its computer file system from Mac OS Extended, also known as HFS+ (Hierarchical File System), to APFS (Apple File System), and even prior to this it introduced Fusion Drives on some of its computers. Simply put, a spinning hard disk drive and a solid-state drive work in tandem as one drive, transparent to the user. To make things even more complicated, Apple produced FileVault full disk encryption to assist users in protecting their data.

If an examiner doesn’t understand the system they are attempting to extract data from, including what type of file system is in use, if there is a Fusion Drive installed, and if the disk(s) are encrypted with FileVault, usable data will not be properly acquired.

Which means potential evidence can be lost or simply missed.

These types of changes and advancements have and will continue to have a significant impact on digital forensic software and hardware designers, methodology employed, and ultimately, digital forensics teams.

Which brings us to how examiners can handle these changes when attempting to best handle devices, data, and deadlines: proper training. Though not always a requirement, many clients seek out examiners holding specific certifications related to the type of data being analyzed. This can assist when testimony is being introduced or for additional weight to be given to an opinion that is provided by way of written report. Many of the major forensic software tool manufacturers have their own certification processes, which can be time intensive and costly to maintain, but a well-certified examiner can be invaluable when opinions are necessary.

At Roloff Digital Forensics, we overcome both old and new challenges with proper training, team collaboration, and the necessary tools for forensic acquisitions, extractions and analysis. See our staff page to learn more about our personnel’s current certifications.

Location Data: The Story Our Devices Communicate

By Josiah Roloff

The notion that our digital devices communicate our location is concerning for many people, and understandably so. The truth is, our day-to-day activities are monitored more closely than ever before. Location-based data provides detailed insights into a person’s life, habits and interests. Imagine your location is logged every time you pick up your phone to check an email, tweet, “check-in” to a location on Facebook, snap a photo for Instagram, purchase from Amazon, request a ride from Uber, or look up the nearest coffee shop – the list goes on. This isn’t hypothetical. These actions can immediately log your location, often to multiple places by multiple sources, for the purpose of understanding and influencing your digital behavior.

At Roloff Digital Forensics, we target and utilize this data to assist attorneys in the representation of their client. We might demonstrate or debunk a location-based alibi by verifying the specific geographical location artifacts while factoring in the places they come from and the overlap of additional technologies such as the surrounding cellular towers or terrain, that can add uncertainty (or the opposite) to the accuracy of the available data.

Depending on a person’s digital footprint, location-based data can be voluminous and stems from many places:

  • Personal digital devices: phones, tablets, computers, etc.
    • Images and videos you create, installed applications, wireless access points, global positioning system (GPS), wireless and cellular networks, etc.
  • The service providers electronic devices interact with: AT&T, T-Mobile, Verizon, Comcast, etc.
    • Call/text records (CDRs) with accompanying site location, historical precision location data/NELOS reports, etc.
  • The applications and services utilized on the device: Facebook, Kik, Google applications, Apple applications, third-party applications of many varieties and sorts that you’ve installed and given permission to access your “location data”, etc.
    • Much of this information isn’t easily visible to the user. But it can be found by forensically analyzing the digital devices, issuing subpoenas, court orders, reviewing locations/applications on digital devices, and, with certain service providers, by accessing your account and locating the data that has been logged about your locations.

Location-based data can seem daunting and intrusive, but if found, collected, and analyzed correctly, it could contain the missing piece in your litigation.