Category Archives: Forensics

You too can make a forensic image! (Part 1)

NOTE: This exercise is to gain an understanding of what a forensic image is, and how they are created.  We strongly recommend that you contact a certified forensic examiner to create images that will be introduced as evidence.

Not long ago, I was speaking with an attorney over a case which involved dates of creation and dates of access.  They told me how concerned they were that when they copied these files to a flash drive, all of the creation dates changed to the day that they copied them!  What could possibly be wrong?

A simple misunderstanding of how to acquire information was all that was at stake.  Well, that and the case.  For anyone needing to preserve the state of information on, say, a hard drive, it is important to seek the assistance of a certified forensic examiner.  They will be able to make an accurate bit-by-bit “image” of the data source, so that it can be referenced, viewed, extracted, etc., without the risk of altering the state of the data.  Now some of you might wonder why I put the word “image” in quotes.  This is a term of art.  Many attorneys think of an image as a photograph or a graphic.  In the scope of forensic acquisition, it means a bit-by-bit duplicate of the media, created in such a way that it can be verified, and not altered.  (Copying files to a flash drive, as the attorney did, creates new files with new dates; an image copies the underlying bits, dates and all.)

Can anyone make a forensic image?  Well, this part isn’t very difficult.  But you do want to be certain that you document what you are doing, and can explain how you were able to authenticate that the image was correctly produced.  At the very least, it is an EXCELLENT exercise for an attorney to do a forensic acquisition so that when you have to speak with an examiner, you will have more of an idea of what they are going to do for you and your case.

First, you will need forensic acquisition software.  Not to fear, it is free from my friends at Access Data.  The link for the Windows version that is current as of this writing is here: .  Once it is downloaded, go ahead and install it.  It is quite small.  I’ll wait.

The next thing we will need are two flash drives.  Smaller is better for our example.  One however should be slightly larger than the other.  So a 1GB and a 2GB flash drive would be great.  (It is important that you use different-sized flash drives: your destination should always be larger than your source, since the image has to hold every bit of the source plus the container's own overhead.)  Format the larger of the two devices (your destination media) so that there is no data on it.  (A forensic examiner would do a ‘wipe’ to make certain that the media is completely erased before beginning, but that is not necessary for this exercise.)  Take the 1GB flash drive (this will become our SOURCE media), and copy some files from your computer onto the drive.  Browse the flash drive to make certain that your newly copied files made it safely to our source media.  Next we start FTK Imager.  Once you start FTK, your screen should look like this:

At the top of the screen, on the left side are two small green icons.  The first one allows us to pick a single device that we want to image. When you click that, a screen will pop up to ask you what it is that you want to create a forensic image of.  In this instance we want to take an image of a PHYSICAL DRIVE.  Select that.  Your screen should look like this:

Click NEXT
You will now be presented with a drop down box asking you WHICH physical drive you want to image.  Remember when I told you to use different sized drives?  The drop down box identifies the devices that are currently attached to your computer.  Since FTK doesn’t recognize drive letters here, you should pick the device that is the size of your source media.  In this image you can see that I have two devices attached to my computer: my hard drive, and the 1GB flash drive:

When you click finish at the bottom of the screen, your source drive should be listed on the left hand side of the screen in FTK.

Now it is time to create our forensic image.  While leaving the source drive plugged into your computer, now add your DESTINATION flash drive. PLEASE be careful at this juncture to select the correct drives – we don’t want you to overwrite something important.
Right click on the drive that is in the evidence tree.  Using the above example, you would right-click on \\PHYSICAL DRIVE1.  A small menu should pop up – please select EXPORT DISK IMAGE.

So far, so good.  We aren’t done yet though …

When you click the EXPORT DISK IMAGE menu item, you will get a screen asking for the DESTINATION MEDIA information. It should look like this:

Please take care to tick the box at the bottom that says “VERIFY IMAGES AFTER THEY ARE CREATED”.  This is of paramount importance.  Then click the ADD button.  You will be asked what type of image to create.  These are different formats that are readable by different systems.  The most universally accepted are DD and E01 images.  DD is a raw copy of the bits with nothing added; E01 (the Expert Witness format) is a container that can be compressed and split into segments and that carries the hashes and case information inside it.  You should not concern yourself with the other two types at this time.  Just so we can all be on the same page, please select E01 and click NEXT.  On this screen you can identify the information relevant to your case.  None of this is mandatory, but it is all a really good idea.  Go ahead and populate this information; you will see why in a few minutes.  When you are ready click NEXT for the image destination screen.

First let’s click the BROWSE button, and find the DESTINATION flash drive that you plugged in.  (Note: there shouldn’t be any files on it.  If there ARE files, you either did not format the drive, or you have selected the WRONG drive.)  So, using my example, my destination flash drive is drive Y and the image filename I have chosen is “DemoImage”.

For the purposes of this exercise, we won’t go into the other settings on this page.  After you have these items properly populated, click FINISH.  Now you are returned to the CREATE IMAGE screen.  Since we have no more source media to add, double-check that the box is ticked at the bottom that says “Verify images after they are created”, and click START.  Since the source media is only 1GB in size, creating and verifying the image should take less than five minutes.  When the process is finished you will see “Image Created Successfully” in the STATUS field of the progress box.  A new box should have popped up on your screen that says “Drive/Image Verify Results”.

Mine looks like this:

This is a really important screen.  The word HASH is another term of art.  A hash is a fixed-length fingerprint computed from the contents of a file, folder, or drive; if even a single bit of the input changes, the hash changes, so it is used to verify that the data has not been altered.  FTK Imager calculated two different hashes (MD5 and SHA1) of your source drive as it read it.  After the image was written, it read the image back, calculated both hashes again, and they matched.  THAT means that you have authenticated your image and can be certain that it is an accurate representation of the source drive.  If anyone were to alter anything in this image, even a single bit, the hash that would be calculated would NOT match.  This screen, and the hash values on it, belong in your notes: the image is only as good as your record of its verification.  So, you have successfully created your first forensic image of a drive.  Congratulations!  Now …. What can you do with it?  Let’s go ahead and close the FTK windows that are up.  Let’s pretend that an attorney gave you this destination drive with the image on it for you to examine.

When you look at the drive itself, you will see lots of files that have the same filename, but a different extension.  You can’t use Word or Excel, or notepad to read this.  What can you use?  FTK Imager.  FTK Imager will not only CREATE images, it will also READ them.
Start FTK imager again.  Click the little green icon on the left to Add Evidence Item.  This time when it asks the source type, select IMAGE FILE. Click next and browse to the image that you created on your destination flash drive.
My screen looks like this:

Click on the DemoImage.E01 file.  Hey!  There are TWO of those.  Well, not really.  One is a text file that holds the case information and the hash values of the image, and the other one is the E01 file that you created.  Note the extension difference in the TYPE column.  Select the E01 file named DemoImage.E01, then click OPEN, and FINISH.

You have NOW opened your forensic image of the source media that you created.  In the column on the left, you will see the file DemoImage in the Evidence Window.  If you click the + sign next to the items in the list, you will drill down to the files that are on your source device.
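The acquire-then-verify cycle that FTK Imager just performed, written out in Python as an added example (this is not FTK Imager’s code and is not part of the original post).  It produces a raw dd-style image rather than an E01 container, hashes the source with MD5 and SHA1 as it reads it, reads the finished image back and compares, and then flips one byte in the image to show what a failed verification looks like.  The demo() function runs against a constructed temporary file standing in for the 1GB flash drive; pointing acquire() at a real device (\\.\PhysicalDrive1 on Windows, /dev/sdb on Linux) is an assumption that requires administrator rights and, for real evidence, a hardware write-blocker.

```python
import hashlib
import io
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB reads: sector-aligned and keeps memory flat on large media


def _new_hashes(algorithms):
    return {name: hashlib.new(name) for name in algorithms}


def hash_stream(fobj, algorithms=("md5", "sha1")):
    """Hash an open binary stream from its current position to EOF."""
    hashes = _new_hashes(algorithms)
    while True:
        block = fobj.read(CHUNK)
        if not block:
            break
        for h in hashes.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def hash_bytes(data, algorithms=("md5", "sha1")):
    """Convenience wrapper for in-memory data."""
    return hash_stream(io.BytesIO(data), algorithms)


def acquire(source_path, image_path, algorithms=("md5", "sha1")):
    r"""Copy the source bit for bit into a raw (dd-style) image file.

    The source is hashed as it is read, so the returned 'source hashes' describe
    exactly the bytes that went into the image.  source_path may be a regular
    file or a device such as \\.\PhysicalDrive1 (Windows, run as administrator)
    or /dev/sdb (Linux, run as root); both are assumptions about the platform.
    """
    hashes = _new_hashes(algorithms)
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            block = src.read(CHUNK)
            if not block:
                break
            for h in hashes.values():
                h.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())  # image must be on disk before we hash it back
    return {name: h.hexdigest() for name, h in hashes.items()}


def verify(image_path, source_hashes):
    """Re-read the finished image and compare with the hashes taken from the source.

    Returns {algorithm: (expected, actual, matched)}; every entry must match or
    the image cannot be called a verified copy.
    """
    with open(image_path, "rb") as img:
        actual = hash_stream(img, tuple(source_hashes))
    return {name: (source_hashes[name], actual[name], source_hashes[name] == actual[name])
            for name in source_hashes}


def demo():
    """Acquire a constructed stand-in for the 1GB flash drive, verify it, then
    change one byte of the image and show the verification fail."""
    workdir = tempfile.mkdtemp()
    source = os.path.join(workdir, "source.bin")  # constructed "flash drive"
    image = os.path.join(workdir, "DemoImage.dd")
    with open(source, "wb") as f:
        f.write(b"EVIDENCE" * 4096)  # 32 KiB of known content
    source_hashes = acquire(source, image)
    clean = verify(image, source_hashes)
    with open(image, "r+b") as f:  # tamper: overwrite a single byte
        f.seek(100)
        f.write(b"X")
    tampered = verify(image, source_hashes)
    return (all(r[2] for r in clean.values()),
            all(not r[2] for r in tampered.values()))


if __name__ == "__main__":
    print(demo())  # (True, True): clean image verifies, tampered image does not
```

A raw image carries no hashes of its own, so the values returned by acquire() have to be written down separately, which is exactly what the DemoImage.E01.txt file does for the E01 you created above.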

The next article will talk about all the things you can see in an image that you may not be able to see on the source media.



The typical role of a forensic examiner is to find exculpatory information as designated by a discovery order.  It is common to receive a list of terms that are of interest to the attorney, and then the search begins.  But what happens when you need to find what isn’t there anymore?

More importantly, why isn’t it there anymore?

According to the Ohio Revised Code

2921.12 Tampering with evidence.

(A) No person, knowing that an official proceeding or investigation is in progress, or is about to be or likely to be instituted, shall do any of the following:

(1) Alter, destroy, conceal, or remove any record, document, or thing, with purpose to impair its value or availability as evidence in such proceeding or investigation;

(2) Make, present, or use any record, document, or thing, knowing it to be false and with purpose to mislead a public official who is or may be engaged in such proceeding or investigation, or with purpose to corrupt the outcome of any such proceeding or investigation.

Now why am I telling you, an attorney, that which you know so well?  Because there are a lot of ways to hide things that you may not be familiar with.

There are also quite a few ways to casually (or not so casually) destroy potential evidence.

I have been a forensic examiner for many years, and I have used many tools during that time to assist me in my job.  As the profession of computer forensics has become more widely known, it is no surprise that a group of tools would be created to thwart the efforts of the would-be examiner.  These tools, though seldom advertised as such, are known as “anti-forensics”.  Their very job is to destroy or obfuscate information so that it would be of no use in a legal proceeding.

This is a two-edged sword.  Whereas I have no problem with people using software designed to destroy information for the purpose of thwarting identity thieves, or protecting themselves from people that might be involved in industrial espionage, it is obviously a crime to use these methods, software, or hardware devices to alter or destroy information sought by the court.

Though ignorance of the law is not an accepted excuse (for almost anything), it is better to remove the specter of ignorance from a custodian’s claims by being specific in an order designed to elicit information.

Litigation holds (also called “preservation orders” or “hold orders”) are designed to inform a party that they are to preserve any and all information regarding a potential discovery order.  Generally, the court order is written in such a broad fashion as to cover any potentially discoverable information.  What it never includes (at least as far as we have seen) is a prohibition on employing any software, hardware, or method that is “anti-forensic” in nature.  This is an important concern, because many potential custodians run their own software in a corporate environment which is designed to obfuscate their actions.  This software may be in use outside of the purview of the corporate IT department, and as such would fall outside the scope of a corporate retention policy.

Typical examples of common packages in use would be :

  • Window Washer
  • CCleaner
  • FileShredder

Software that is less common, but very powerful would be :

  • Tracks Erase Pro
  • Declasfy
  • Evidence Eliminator

By specifying the prohibition of any tools which could obfuscate or destroy data in the preservation order, you give yourself more tools should a case of spoliation occur, and you also aid the Custodian in understanding what is and what is not permissible.

Advanced forensic analysis is often able to uncover the use of such methods, however the investigator must be familiar with the “footprints” that these products often leave.  If you were to walk into a room where a couch was recently removed, there would be imprints on the carpet where the couch was.  In much the same way, when we are examining a hard drive, we are not only looking for what is there, we are also looking for the remnants of what USED to be there.

–Many thanks to my editor, Mark Kruse


What does my smart phone know about me? (And what do I know about it?)

As a Certified Computer Examiner, and a Mobile Certified Examiner, I have the opportunity to look into all kinds of devices looking for information which is responsive to a subpoena and has probative value.  I tend to forget that most folks don’t realize what is in their device.  I was asked to look at a website today to determine if I could tell when it was accessed and by whom.  Simple enough: I went to the access logs of the site, and found exactly what I was looking for.  Well, that seems straightforward enough, doesn’t it?

I was a little surprised at the reaction of the attorney I was working with, until I realized that most folks don’t know what information their smartphone is willing to give up.

I was able to tell the attorney :

  1. What type of phone the user had
  2. What browser they were using
  3. What they searched on their telephone to find the website in question
  4. and their GPS co-ordinates when the request was made.
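What a web server's access log actually records, and how the items above are pulled out of it, as an added example in Python (not part of the original post and not the tool the author used).  The three log lines are constructed, not real traffic.  The phone model and browser come from the User-Agent string, the search terms from the Referer (search engines still passed the query in the referer in 2012; they have since stopped), and coordinates appear only if the site itself sent them back to the server, here assumed to be a /locate request with lat and lon parameters.  Without such a request there are no GPS coordinates in a web log, only an IP address.

```python
import re
from urllib.parse import parse_qs, urlparse

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample lines (not real log data). The first is a phone arriving from a
# web search; the second is the site's own geolocation callback carrying coordinates
# (an assumption about how this hypothetical site works); the third is a desktop.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2012:14:22:07 -0500] "GET /contact.html HTTP/1.1" 200 5123 '
    '"http://www.google.com/search?q=smith+law+office+columbus" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 '
    '(KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"',
    '198.51.100.23 - - [10/Mar/2012:14:22:09 -0500] "GET /locate?lat=39.9612&lon=-82.9988 HTTP/1.1" 200 17 '
    '"http://www.example.com/contact.html" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_1 like Mac OS X) AppleWebKit/534.46 '
    '(KHTML, like Gecko) Version/5.1 Mobile/9B176 Safari/7534.48.3"',
    '203.0.113.7 - - [10/Mar/2012:15:01:44 -0500] "GET / HTTP/1.1" 200 2048 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) '
    'Chrome/18.0.1025.162 Safari/535.19"',
]

# host fragment -> query parameter that carries the search terms
SEARCH_QUERY_KEYS = {"google.": "q", "bing.com": "q", "yahoo.": "p"}


def classify_ua(ua):
    """Deliberately simple device/browser rules; enough to separate phones from desktops."""
    if "iPhone" in ua:
        device = "iPhone"
    elif "iPad" in ua:
        device = "iPad"
    elif "Android" in ua:
        device = "Android"
    elif "BlackBerry" in ua:
        device = "BlackBerry"
    else:
        device = "desktop/other"
    if "Chrome" in ua:  # Chrome's UA also contains "Safari", so test it first
        browser = "Chrome"
    elif "Firefox" in ua:
        browser = "Firefox"
    elif "Safari" in ua:
        browser = "Safari"
    elif "MSIE" in ua or "Trident" in ua:
        browser = "Internet Explorer"
    else:
        browser = "unknown"
    return device, browser


def search_terms(referer):
    """Return the query if the referer is a search engine results page, else None."""
    if not referer or referer == "-":
        return None
    u = urlparse(referer)
    for host_fragment, key in SEARCH_QUERY_KEYS.items():
        if host_fragment in u.netloc:
            values = parse_qs(u.query).get(key)
            return values[0] if values else None
    return None


def location_from_path(path):
    """Coordinates exist in a web log only when the site sent them back itself.
    Assumes lat/lon query parameters; returns (lat, lon) or None."""
    qs = parse_qs(urlparse(path).query)
    if "lat" in qs and "lon" in qs:
        try:
            return float(qs["lat"][0]), float(qs["lon"][0])
        except ValueError:
            return None
    return None


def parse_line(line):
    """One log line -> dict of fields plus the derived device/browser/search/location."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["device"], rec["browser"] = classify_ua(rec["ua"])
    rec["search_terms"] = search_terms(rec["referer"])
    rec["location"] = location_from_path(rec["path"])
    return rec


def visits_by_ip(lines):
    """Group parsed hits by client address so one visitor's trail reads in order."""
    trail = {}
    for line in lines:
        rec = parse_line(line)
        if rec:
            trail.setdefault(rec["ip"], []).append(rec)
    return trail
```

Running visits_by_ip(SAMPLE_LOG) groups the two phone requests under 198.51.100.23: the first carries the search terms and the device and browser, the second the coordinates the site asked the browser for.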

Rule 26, Rule 37, HIKE!

Technical information to assist you in a Rule 26 Conference.

It is not always practical to take a forensic examiner to your Rule 26 Conferences – but if you can, we recommend it highly.  If you can’t however, there are some issues that you will want to include in your evidentiary requests.

You will undoubtedly ask for information from computers that are a target of the discovery process; however, did you know that you can also request a list of devices that were attached to that computer so that they can also be included in your discovery request?  On Windows-based computers, the registry (the USBSTOR key in the SYSTEM hive) records the removable storage devices that have been attached to the computer, with vendor, product and, when the device reports one, its serial number.  One caveat: if a device does not report a serial number, Windows generates an instance ID of its own, recognizable by an ampersand as its second character, which is not unique to the physical device and cannot be used to match it.  So when you ask for all of the thumb drives, or external USB drives used on a computer, you will actually know if they are the ones requested, or if they were simply purchased earlier that day.
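Reading the USBSTOR entries and matching them against the drives a custodian produces, as an added Python example (not part of the original post).  The sample key names are constructed; the parser applies the Windows convention that an instance ID whose second character is an ampersand was generated by Windows because the device supplied no serial.  read_live_registry() is the Windows-only path for pulling the same key names from a running machine; the examiner would normally read the SYSTEM hive from a forensic image instead.

```python
import re

# Relative key path under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR:
#   <class>&Ven_<vendor>&Prod_<product>&Rev_<revision>\<instance id>
USBSTOR_RE = re.compile(
    r"^(?P<devclass>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<revision>[^\\]*)\\(?P<instance>[^\\]+)$"
)

# Constructed sample (not from a real system). The first two devices reported a
# serial number; the third did not, so Windows made up an instance id.
SAMPLE_KEYS = [
    r"Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.26\4C530001230712345&0",
    r"Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001A92053B6ABB811C41F9DB&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\7&2f1a3b4c&0",
]


def parse_usbstor_key(relpath):
    """Split one USBSTOR key path into vendor/product/revision/serial."""
    m = USBSTOR_RE.match(relpath)
    if not m:
        return None
    rec = m.groupdict()
    inst = rec["instance"]
    # Windows rule: if the second character of the instance id is '&', the device
    # supplied no serial and the id was generated by the PnP manager. Such an id
    # is not unique to the physical device and may differ between ports or hosts.
    generated = len(inst) > 1 and inst[1] == "&"
    rec["windows_generated_id"] = generated
    rec["serial"] = None if generated else inst.split("&")[0]
    return rec


def parse_all(keys):
    return [r for r in (parse_usbstor_key(k) for k in keys) if r]


def reconcile(records, produced_serials):
    """Compare what the registry saw with the serials of the drives a custodian produced.
    Returns (seen_but_not_produced, cannot_be_matched_by_serial)."""
    produced = {s.strip().upper() for s in produced_serials}
    missing, unmatchable = [], []
    for r in records:
        if r["serial"] is None:
            unmatchable.append(r)
        elif r["serial"].upper() not in produced:
            missing.append(r)
    return missing, unmatchable


def read_live_registry():
    """Windows only: enumerate the live USBSTOR key. Returns [] where winreg is absent."""
    try:
        import winreg
    except ImportError:
        return []
    keys = []
    base = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            dev = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, dev) as devkey:
                for j in range(winreg.QueryInfoKey(devkey)[0]):
                    keys.append(dev + "\\" + winreg.EnumKey(devkey, j))
    return keys
```

Given only the SanDisk drive from the custodian, reconcile() reports the Kingston as seen but not produced, and lists the Generic drive as unmatchable, since a Windows-generated ID proves a device of that make was attached but cannot identify which one.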

Certainly you will ask for any mobile phones that may contain valuable evidence, but did you know that most corporate email systems keep track of the devices that connect to them to pull data?  A simple request to the IT department for a list of all devices a user has used to connect to corporate resources takes the guesswork out of how many devices, personal or corporate, were used to access information from a protected source.

Backups are the bane of existence for many people and the companies that they work for.  With the advent of the safe-harbor provision in Rule 37(e), people can often declare that data does not exist because it was purged in accordance with corporate retention policies and therefore they are unable to comply with requests.  However, if the purge that the retention policy calls for is unchecked and automatic, a litigation hold order might inadvertently be neglected.  It is wise to involve the company’s IT personnel at the time the hold is issued, so that the retention policy is suspended with respect to the information sought.

Another item which must be considered is Volume Shadow Copies.  On Windows-based computers, shadow copies may exist on workstations which allow you to “go back in time” to see earlier revisions of documents.  Macs have an equivalent in the built-in “Time Machine” program, an incremental backup that runs automatically to an external drive or to a network device such as Apple’s “Time Capsule”.  It is wise to ask whether a Time Capsule, or other such storage medium, is or was in use.

Finally, copies vs. images is a topic that must be discussed.  Historically we refer to images as pictures or graphics; in the context of evidentiary discovery, however, it is something completely different.  If you request copies of documents in a proceeding, you will not have a lot of the information that you may require.  If, on the other hand, you request a forensic image, the forensic examiner will create a complete “image” of the storage medium which will include deleted files, metadata, and other information that will not be found in copied documents.  As well, a qualified forensic examiner will create a hash, or digital fingerprint, of the device to ensure that the original drive and the forensic copy are identical, thus aiding in admissibility.

So if you can’t take your tech, take these suggestions with you.  It isn’t everything there is to know, but it might just be what you need to make your case.


BYOD – Bring Your Own Device, or Bought Your Own Disaster?

It seems that the talk of business is BYOD.  Employees don’t want to carry two phones; employers don’t want to buy phones for employees … what to do, what to do …

Here is a thought!  Let’s bring our own devices, iPhones, iPads, Blackberries, and Droids to work and get our corporate email on there!

Here is a thought!  Let’s tell our employees we will give them $25.00/month to use their own personal devices for corporate email and we won’t have to buy them phones!

And how wonderful that is, the win-win proposition of business.  What could be bad with that?

Well – it may not be a bad thing at all, as long as the employees and the employer are both pleased with the employment arrangement that they have entered into.  But suppose, one day, the rose-colored glasses break, and it is time to change the employment arrangement. Most of the time, either the employer or the employee knows when this is going to happen before the other one does.  They both know, however, that some of the data on the phone is personal and some of it is corporate.

We now have an electronic data child custody battle.  I’ll bet you weren’t ready for this when the whole BYOD idea came up.

From a corporate perspective, the data on that phone needs to be wiped, but you can’t do that without wiping the whole phone, and those cute little pictures of the puppies the phone owner took this morning will be lost.  That will not go over well.

From a personal perspective, that phone belongs to me, and so does everything on it.  I’m not tech-savvy and I don’t know how to back it up, but I’m not asking my ex-company for help.

So, Solomon, the baby is in front of you … what do you do?

It would not be uncommon for both sides to have attorneys to represent their interests, so what will you do?  Will you, the employee, hand over your phone to be wiped and lose all of your personal information?  Do you want them to see the texts that say that your boss is an idiot?  Or perhaps the not-so-flattering pictures you took of a co-worker (who wants to continue being employed) when you were out last weekend?

Will you, the company owner, be comfortable with the employee you fired saying “don’t worry, I’m not upset over this, I’d be happy to erase all of your critical data that I have on my device”?

No, there is no good answer in this situation.  How did we get here?  Oh, that is right, we wanted a little more convenience and to save a little more money.

My advice is simple: don’t do it.  If you need your employees to have mobile devices, then provide them.  If they don’t want to carry two devices, then they can leave their personal phones at home, or in their car.  It might cost you an extra $50.00/month, but your attorney bills will consume 3 years of that in one day of legal work.  As an employee, I value my right to privacy too much to allow corporate interests to infringe upon my personal life.  Yes, they would give me money per month to defray my data costs, but my rights are not for sale.

At the very least, when you are tempted to enter into such an arrangement, consult your attorney for legal advice.


Predictive coding: the future of electronic discovery?

(this article originally published 6/20/12)

If you keep up with news of the legal technology world, you’ve already heard about something called predictive coding, and about why it’s a game-changer in the field of eDiscovery (electronic discovery). And with recent legal cases both showing federal support of the technology and attempting to regulate its use, the judicial system seems to assume it’s here to stay.

And why shouldn’t it?

Why We Love It

Let’s say ne’er-do-well John E. Guilt got caught embezzling company funds and is being brought to court for it. He doesn’t much like the idea of jail time and is claiming innocence, the greedy rascal. Prosecutors are now faced with the task of sifting through all his personal and company emails from the last five years to look for evidence, which wouldn’t be so bad if there weren’t 3 million of those to go through before the case against him can be fully prepared (a relatively normal figure). And, with recent legal events like the rulings of Judges Peck and Carter in da Silva Moore v. Publicis Groupe (which supported a preference for the use of current predictive coding software over manual review techniques) and the US v. Metter et al ruling (which limits the amount of time prosecution can take to analyze and present electronic evidence), the prosecutors handling Mr. Guilt’s case are most likely going to turn to predictive coding to help them churn out their evidence on time.

Mr. Guilt’s prosecutors use a well-known predictive-coding software like Recommind’s Axcelerate, plug in Mr. Guilt’s emails, babysit it for the first few trial runs, then sit back and wait for their results to pop out. It gets through them in a few days (rather than the months a team of poorly-equipped manual reviewers might have taken), organizes those results for efficient access, cross-lists pieces of related information, avoids the false positives and negatives that generally come from manual review, automatically prioritizes documents by importance, and does it all 60-90% faster and cheaper than the team of unmotivated, underpaid interns who would have done the job using clumsy keyword-based searches in years past. The cherry on top? Axcelerate does it all with higher consistency and quality than any manual review team armed with a notepad and Google-type search engine ever could. What’s not to love?

Why We’re Not Pinning Our Hopes and Dreams On It

Your much-abused interns (and, especially, the third-party computer-forensic investigator that you’ve hired to help nail Johnny Guilt) have more going for them than you may realize. While companies like Recommind are quick to point out that manual review misses 25-50% of documents, they don’t claim it’s perfect, either – in fact, as Recommind’s Craig Carpenter puts it, “perfection is not the goal” compared to improvement over manual review. And the aforementioned court rulings aren’t wholehearted endorsements of it, either. Judge Carter from the da Silva appeal wrote, “There simply is no review tool that guarantees perfection…. [t]here are risks inherent in any method of reviewing electronic documents.” We tend to agree, and for a couple of important reasons.

First of all, predictive coding is absolutely perfect … for the honest criminal who knows he should go to jail, feels really, really bad about what he did, and wants to make it up to society by gift-wrapping all the incriminating evidence for them.  (We’d really like to meet one of those, but we’re also still holding out for proof of unicorns and leprechauns.)  More than likely, your tech-savvy criminal is going to want to hide or destroy (spoliate) electronic evidence if he knows he’s been caught, so there’s a good chance he’s going to try to get rid of it or, barring that, to encrypt it.  Encrypting electronic evidence is unexpectedly successful against predictive coding, because the software cannot read the text inside an encrypted file and so won’t list it in search results.  The software may have noticed that something unreadable was there, but it’s probably not going to tell you about it.  And sometimes, your really tech-savvy criminal will be able to remove evidence and leave only an indicator that something was deleted.  Unfortunately, your predictive coding software isn’t going to find that, either.
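The first thing an examiner does about the “unreadable” files a review tool skips is to find them, and the usual first-pass check is byte entropy: encrypted or compressed data looks nearly random (close to 8 bits per byte), while text sits around 4 to 5.  The triage below is an added Python example, not code from the original post or from any review product; its three documents are constructed (prose, the same prose deflated, and random bytes standing in for ciphertext), and the 7.5 threshold is a common rule of thumb, not a standard.  It does not catch alternate data streams or steganography, which need file-system and format-aware tools.

```python
import math
import os
import random
import zlib
from collections import Counter

OPAQUE_THRESHOLD = 7.5  # bits per byte; prose is ~4-5, ciphertext and deflate output are ~8


def shannon_entropy(data):
    """Bits of entropy per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data, threshold=OPAQUE_THRESHOLD):
    """'opaque' = looks encrypted or compressed; a text-based review tool will skip it."""
    return "opaque" if shannon_entropy(data) >= threshold else "readable"


def triage(files, threshold=OPAQUE_THRESHOLD):
    """files: {name: bytes}. Returns, sorted, the names a review tool would silently miss,
    i.e. the list to hand to an examiner for decryption, decompression or carving."""
    return sorted(name for name, data in files.items()
                  if classify(data, threshold) == "opaque")


def constructed_corpus():
    """Three constructed documents for the demonstration (no real evidence, no real crypto):
    plain prose, the same prose deflated, and random bytes standing in for ciphertext."""
    rng = random.Random(1)
    words = ["invoice", "transfer", "account", "meeting", "approve", "quarter", "vendor",
             "payment", "the", "and", "to", "board", "review", "wire", "office", "note"]
    prose = " ".join(rng.choice(words) for _ in range(20000)).encode()
    return {
        "memo.txt": prose,
        "memo.deflate": zlib.compress(prose, 9),
        "scheme.bin": os.urandom(8192),
    }


if __name__ == "__main__":
    corpus = constructed_corpus()
    for name, data in corpus.items():
        print(f"{name:14s} {shannon_entropy(data):5.2f} bits/byte  {classify(data)}")
    print("needs an examiner:", triage(corpus))
```

The point of the output is the third column: memo.txt is what a review tool indexes, while memo.deflate and scheme.bin are the files it either decompresses (if it knows the format) or drops on the floor.  Compressed and encrypted data are indistinguishable by entropy alone; telling them apart is the next step, by file signature or by trying to decompress.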

In addition to encryption and deletion, there’s also the option to simply hide the stuff you don’t want the lawyers to find, and predictive coding software won’t always see it.  For instance, NTFS (the file system on most Windows computers) supports alternate data streams, which let a file carry additional named streams of data that do not show up in Explorer or in the file’s reported size.  Your software might find the main stream, which is a flier for the homeless shelter where you’ve been volunteering twice a week, but it won’t see the hidden stream, creatively titled “My Scheme to Take Over the World.”  For the especially devious, there’s also the option of hiding documents inside completely unrelated file formats (steganography), like hiding a document in an image file.  Once again, predictive coding will find the picture, but not what’s hidden within it.

And, last but not least, there’s the issue that some criminals are intimately familiar with predictive coding software, and they know how to defend themselves against it (anti-forensic technology). It’s the reason why you may not want to put one of those “Protected by ADT” signs in your front yard if you have an ADT home security system – if you’re targeted by a criminal who used to work for ADT and knows how to get around it, there’s a good chance he’ll rob you blind, expensive security system or no. If predictive coding technology is ruled legally sufficient for all methods of electronic discovery, criminals will be able to accurately predict the methods which will likely incriminate them, and they can learn how to avoid them. It’s much more difficult for a criminal to know the methods of examination and analysis that, say, a forensic investigator would use, because he’ll use a wider range of tools (some of which use predictive coding, and some of which don’t).

Are we trying to start a blood-feud with all advocates of predictive coding technology?  Not at all.  We think predictive-coding software is a great tool, but people are often quick to assume that it can replace the whole toolbox.  So what method has the efficiency of predictive coding without losing the intelligence and problem-solving abilities of a human examiner?  As you’ve probably guessed, we say that nothing can beat a forensic computer investigator.  The right investigator has experience, certifications, the “imagination” to think of outside-the-box solutions, a thorough knowledge of the capabilities of hardware and software, expertise in a wide range of popular and lesser-known investigation tools, and the ability to put himself in the shoes of another computer expert.  Best of all, you never have to pay to download his newest update.  You can find the one we recommend here.