Forensic Challenges in the Courtroom - SANS Computer Forensics

computer.forensics.sans.org

Craig Ball

Austin, Texas

craig@ball.net


Craig Ball

◦ Court Special Master for ESI

◦ Board Certified Trial Lawyer (Licensed in Texas)

◦ Multiple Computer Forensic Certifications

◦ Columnist, Ball in Your Court, Law.com/Law Technology News

◦ Instructor, Computer Forensics/E-Discovery

◦ Member, The Sedona Conference WG1

◦ Author of many CF/EDD publications


What types of civil cases involving digital evidence are you seeing most often and why?


2/3rds of white collar employees depart with sensitive company data

“My data” syndrome

Moral ambiguity

Antiforensics


Sergey Aleynikov


Immediate Preservation

Former machines

Server mail stores

Exchange “dumpster”

Backup media

Portable media

Who can you trust?

Vector analysis


System/ENUM/USBSTOR

System/IDE

Optical media burn logs

Latest installed apps

OLK folders

Parse Recent LNKs
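The artifact list above starts with the USBSTOR enumeration keys under the SYSTEM hive, which record every USB mass-storage device Windows has ever mounted. As an added example (not from the presentation), the following Python parses a `reg export` text dump of that subtree and pulls out vendor, product, revision, serial and FriendlyName per device, so the "ID transfer media" step can be run against an exported hive rather than by eye. The .reg text is a constructed sample; the key paths follow the real USBSTOR layout, and the rule that an instance ID with "&" as its second character means Windows generated it because the device reported no serial is a documented Windows behaviour.

```python
import re

# Constructed sample of a "reg export HKLM\SYSTEM\ControlSet001\Enum\USBSTOR" dump.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1.00\0123456789AB&0]
"FriendlyName"="SanDisk Cruzer USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1.00]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_WD&Prod_My_Passport&Rev_1.00\7&1a2b3c4d&0]
"FriendlyName"="WD My Passport USB Device"
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
# "Name"="string value" lines (REG_SZ); other value types are ignored here.
VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')
# ...\USBSTOR\<class>&Ven_<vendor>&Prod_<product>&Rev_<rev>\<instance id>
DEVICE_RE = re.compile(
    r"\\USBSTOR\\(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE,
)


def parse_reg_export(text):
    """Return {key path: {value name: string value}} for a .reg text export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            keys[current][m.group(1)] = value
    return keys


def usbstor_devices(text):
    """One record per USBSTOR device instance key, in export order."""
    devices = []
    for key, values in parse_reg_export(text).items():
        m = DEVICE_RE.search(key)
        if not m:
            continue
        instance = m.group("instance")
        serial = instance.rsplit("&", 1)[0]  # drop the trailing "&0" interface suffix
        devices.append({
            "class": m.group("class"),
            "vendor": m.group("vendor"),
            "product": m.group("product"),
            "revision": m.group("rev"),
            "serial": serial,
            # Second character "&" means Windows synthesised the ID: no unique serial.
            "unique_serial": len(serial) > 1 and serial[1] != "&",
            "friendly_name": values.get("FriendlyName", ""),
            "key": key,
        })
    return devices


if __name__ == "__main__":
    for d in usbstor_devices(SAMPLE_REG_EXPORT):
        print(f'{d["vendor"]} {d["product"]} rev {d["revision"]} '
              f'serial={d["serial"]} unique={d["unique_serial"]} "{d["friendly_name"]}"')
```

A device with no unique serial cannot be tied to a specific physical stick by this key alone, which is why the list also carries the FriendlyName and the full key path for correlation with other artifacts.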

Antiforensics

Empty Recycler

Wiped Unallocated

Other wiping artifacts

Active data is where I get the best stuff


ID transfer media

Personal media

ID e-mail accounts

Hash sets of source data

Unique content search


Example: CaseSoft TimeMap


Contempt of Court

Timeline (2008): July 27, July 28, July 29, July 31, August 3, August 5, August 7

Preservation letter

Watson surfs for disk wipers

Watson deletes 737 MB of data

Lawsuit filed

Restraining order signed

System clock back dated

1,957 files deleted

System delivered for forensic exam
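One event in the timeline above is the system clock being set back before files were deleted. An examiner sees that because log engines number their records monotonically while timestamps come from the manipulable clock, so a record whose timestamp precedes its lower-numbered neighbour is a clock regression. The Python below, added here as an illustration and not part of the presentation, applies that check to a constructed set of event records and also returns which records were written while the clock was behind its earlier high-water mark.

```python
from datetime import datetime, timedelta

# Constructed event records in write order: (record number, local timestamp, message).
# Record numbers are assigned by the log engine and only increase; timestamps come
# from the system clock and can be moved backwards by whoever controls the machine.
SAMPLE_RECORDS = [
    (1001, "2008-08-05 09:12:04", "User logon"),
    (1002, "2008-08-05 09:30:51", "Application started"),
    (1003, "2008-08-05 10:02:17", "System time changed"),
    (1004, "2008-07-30 14:00:00", "File deleted"),
    (1005, "2008-07-30 14:05:12", "File deleted"),
    (1006, "2008-08-05 11:10:00", "System time changed"),
    (1007, "2008-08-05 11:11:30", "User logoff"),
]


def _parse(records):
    """Parse timestamps and order by record number, the trustworthy sequence."""
    return sorted((rid, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), msg)
                  for rid, ts, msg in records)


def find_clock_regressions(records, tolerance=timedelta(seconds=5)):
    """Flag each record whose timestamp is earlier than the preceding record's by
    more than tolerance (a few seconds absorbs normal time-sync slew)."""
    hits, prev = [], None
    for rid, ts, msg in _parse(records):
        if prev is not None and ts < prev[1] - tolerance:
            hits.append({
                "record": rid, "timestamp": ts, "message": msg,
                "previous_record": prev[0], "previous_timestamp": prev[1],
                "set_back_by": prev[1] - ts,
            })
        prev = (rid, ts)
    return hits


def records_under_backdated_clock(records):
    """Record numbers written while the clock was behind its earlier high-water mark.
    Timestamps on these entries, and on any file touched in the same window, cannot
    be taken at face value."""
    high, suspect = None, []
    for rid, ts, _ in _parse(records):
        if high is not None and ts < high:
            suspect.append(rid)
        else:
            high = ts
    return suspect


if __name__ == "__main__":
    for h in find_clock_regressions(SAMPLE_RECORDS):
        print(f'record {h["record"]} is {h["set_back_by"]} behind record {h["previous_record"]}')
    print("written under backdated clock:", records_under_backdated_clock(SAMPLE_RECORDS))
```

The same high-water-mark idea applies to any artifact with an independent sequence number (MFT entry allocation order, USN journal USNs, event record IDs); the timestamps alone would have placed the deletions a week before the preservation letter.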


Magnetic Storage

[Figure: a string of 1s and 0s as written to magnetic media]

Computer Forensics

Magnetic Storage - Disc -

[Figure: disc platter showing a track divided into sectors, each holding binary data]


Data Carving in Unallocated Clusters

Header signature match

EOF or footer signature match
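Carving recovers deleted files from unallocated clusters with no help from the file system: scan for a known header signature, then for the matching footer or end-of-file marker, and cut out the bytes between. The Python below is an added example, not code from the presentation, and runs that loop over a constructed buffer standing in for unallocated space. It also handles the case the slide's second bullet implies: a header with no footer in range is still carved, capped at a maximum size and marked incomplete, rather than silently dropped.

```python
# Header/footer signature pairs for a few common formats (constructed subset;
# real carvers ship hundreds of these).
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
    "gif": (b"GIF89a", b"\x00\x3b"),
}


def carve(data: bytes, signatures=SIGNATURES, max_size=10 * 1024 * 1024):
    """Scan data for each header; cut to the next footer within max_size.

    Returns a list of (type, offset, length, complete, payload) sorted by offset.
    complete is False when no footer was found in range; the fragment up to
    max_size is still returned so the examiner can inspect it."""
    found = []
    for ftype, (header, footer) in signatures.items():
        pos = 0
        while (h := data.find(header, pos)) != -1:
            window_end = min(len(data), h + max_size)
            f = data.find(footer, h + len(header), window_end)
            if f == -1:
                payload = data[h:window_end]
                found.append((ftype, h, len(payload), False, payload))
                pos = h + 1          # keep scanning; a later header may be a whole file
            else:
                end = f + len(footer)
                payload = data[h:end]
                found.append((ftype, h, len(payload), True, payload))
                pos = end            # resume after the footer
    return sorted(found, key=lambda r: r[1])


def build_sample_unallocated() -> bytes:
    """Constructed sample: zeroed slack, a complete JPEG-like object, junk bytes,
    a complete PDF-like object, then a JPEG header whose footer was overwritten."""
    jpg = b"\xff\xd8\xff\xe0" + b"JFIF-body-bytes" + b"\xff\xd9"
    pdf = b"%PDF-1.4 toy document\n%%EOF"
    truncated = b"\xff\xd8\xff\xe1" + b"partial-exif"
    return (b"\x00" * 64 + jpg + b"\x9a\x17random" + pdf
            + b"\x00" * 32 + truncated + b"\x00" * 16)


if __name__ == "__main__":
    for ftype, offset, length, complete, _ in carve(build_sample_unallocated()):
        state = "complete" if complete else "INCOMPLETE (no footer)"
        print(f"{ftype:4} @ {offset:6} len {length:6} {state}")
```

Offsets are relative to the start of the buffer; on a real image they would be converted to sector and cluster numbers for the report. Formats without a footer (many raw and container formats) need a length field from the header instead of a footer search, which this toy version does not attempt.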


MD5 Authentication

Folder: 1F3D7D74C3091A05E4A287EAFF1EBE81

File: 13BFB1528002A68D94249C4FFB09359F

Drive: 7E249D449863B146E3A9E88E9D076A8F

Drive image: 7E249D449863B146E3A9E88E9D076A8F (IDENTICAL after imaging)
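The slide above authenticates a file, a folder and a drive by MD5, and shows that a correctly made image hashes identically to the source drive. Combined with the earlier "Hash sets of source data" step, this gives the examiner a way to prove that a file on a departing employee's media is the company's file even after it was renamed. The Python below is an added example, not the presenter's code: it hashes files in chunks so large images never need to fit in memory, verifies a drive image against its source, builds a hash set from a source tree and matches it against a target tree. The folder-hash convention (MD5 over sorted relative paths and per-file digests) is an assumption; tools define folder hashes differently. All files and the "device" are constructed in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-gigabyte images


def md5_file(path) -> str:
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def md5_bytes(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def md5_tree(root) -> str:
    """Folder hash: MD5 over (relative path, file MD5) pairs in sorted order.
    This ordering convention is an assumption of the example, not a standard."""
    root = Path(root)
    h = hashlib.md5()
    for p in sorted(q for q in root.rglob("*") if q.is_file()):
        h.update(p.relative_to(root).as_posix().encode() + b"\0")
        h.update(md5_file(p).encode() + b"\n")
    return h.hexdigest()


def image_is_identical(device_path, image_path) -> bool:
    """The imaging check from the slide: source hash equals image hash."""
    return md5_file(device_path) == md5_file(image_path)


def hash_set(root) -> dict:
    """Hash set of source data: digest -> relative path of the original."""
    root = Path(root)
    return {md5_file(p): p.relative_to(root).as_posix()
            for p in root.rglob("*") if p.is_file()}


def find_matches(source_root, target_root) -> list:
    """Files under target whose content hashes into the source hash set.
    Renaming changes nothing here because only the bytes are hashed."""
    known = hash_set(source_root)
    target = Path(target_root)
    hits = []
    for p in sorted(q for q in target.rglob("*") if q.is_file()):
        digest = md5_file(p)
        if digest in known:
            hits.append((p.relative_to(target).as_posix(), known[digest], digest))
    return hits


def demo(workdir=None) -> dict:
    """Build a constructed source tree, a target tree holding one renamed copy,
    and a 'device' with a good and a corrupted image; return the results."""
    work = Path(workdir or tempfile.mkdtemp(prefix="md5demo_"))
    src, dst = work / "source", work / "target"
    (src / "plans").mkdir(parents=True)
    dst.mkdir()
    (src / "plans" / "roadmap.docx").write_bytes(b"confidential roadmap 2008")
    (src / "pricing.xlsx").write_bytes(b"pricing sheet")
    (dst / "notes.txt").write_bytes(b"unrelated")
    (dst / "r.bin").write_bytes(b"confidential roadmap 2008")  # renamed copy
    device, image, bad = work / "device.bin", work / "device.dd", work / "bad.dd"
    device.write_bytes(bytes(range(256)) * 8)
    image.write_bytes(device.read_bytes())                     # faithful image
    bad.write_bytes(device.read_bytes()[:-1] + b"\x00")        # one byte wrong
    return {
        "matches": find_matches(src, dst),
        "image_ok": image_is_identical(device, image),
        "bad_image_ok": image_is_identical(device, bad),
        "folder_hash": md5_tree(src),
        "folder_hash_repeatable": md5_tree(src) == md5_tree(src),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Swapping `hashlib.md5` for `hashlib.sha256` is the only change needed to produce a second, stronger digest alongside the MD5 the slide uses; reporting both is common practice.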


Use caution!

Resist the hero mindset

Competence

Context

Credibility

Character
