Defending Against the Digital Dragnet

Stephanie Lacambra, Criminal Defense Staff Attorney, Electronic Frontier Foundation

Sidd Bikkannavar, NASA JPL Scientist

Forced Fingerprint Unlocking in SW: https://www.documentcloud.org/documents/3143273-Mass-Fingerprint-Case-Redacted-Copy-1.html

Reining in Digital Device Searches

Digital Device Searches: What is it?

A digital device search is the examination of data stored on a device that uses a computer or microcontroller to record digital information. These digital devices may include cell phones, tablets, laptops, desktop computers, and medical devices such as pacemakers, hearing aids, heart-rate monitors, or smartwatches.

Digital Device Searches: How do they work?

Digital device searches may occur:
  1. manually - looking through data on the device as a user would
  2. forensically - with assistance from other computers or software

The DOJ's Manual for Searching and Seizing Computers and Obtaining Evidence in Criminal Investigations (https://eff.org/DOJDSM2009) sets forth a 2-step process for digital device searches (pp. 76, 86-87):
  1. "imaging" - law enforcement makes a complete digital copy or "image" of all device data
  2. "analysis" - the government uses forensic software to examine the digital copy of the device data

Digital Device Searches: What guidelines does the govt use?

Look at the latest DOJ CCIPS training materials:
  • 2011 - Guide on Admitting Electronic Evidence: https://eff.org/DOJOAEE
  • 2009 - DOJ CCIPS Criminal Division Manual on Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations: https://eff.org/DOJDSM2009
  • 1994 - National Institute for Justice Special Report: Forensic Examination of Digital Evidence: A Guide for Law Enforcement: https://eff.org/DOJNIJ1994
  • 1994 - National Institute for Justice Special Report: Electronic Crime Scene Investigation: A Guide for First Responders: https://eff.org/DOJNIJ1st

[Flowchart: Digital Forensic Analysis Methodology, Process Overview, Last Updated: August 22, 2007. The chart runs from a forensic request through the phases Obtaining & Imaging Forensic Data, Identification, Preparation / Extraction, Analysis, Reporting and case-level analysis, with decision points such as whether the request contains sufficient information to start, whether duplicated forensic data passes an integrity check, whether unprocessed data remains on the "Data Search Lead List", and whether new leads send the examiner back to "PREPARATION / EXTRACTION". Each phase feeds one of five lists, defined on the chart as follows:]

  • Data Search Leads - generally this involves opening a case file in the tool of choice and importing the forensic image file. This could also include recreating a network environment or database to mimic the original environment. Sample leads: identify and extract all email and deleted items; search media for evidence of child pornography; configure and load a seized database for data mining; recover all deleted files and index the drive for review by the case agent/forensic examiner. Sample note: please notify the case agent when forensic data preparation is completed.
  • Relevant Data - the Relevant Data List is a list of data that is relevant to the forensic request. For example, if the forensic request is finding information relating to credit card fraud, any credit card number, image of a credit card, emails discussing making credit cards, or web cache that shows the date, time and search term used to find a credit card number program are Relevant Data evidence. In addition, victim information can also be Relevant Data for the purpose of victim notification. Sample note: numerous files located in the c:\movies directory have .avi extensions but are actually Excel spreadsheets.
  • Prepared / Extracted Data - the Prepared / Extracted Data List is a list of items that are prepared or extracted to allow identification of data pertaining to the forensic request. Sample items: processed hard drive image using EnCase or FTK to allow a case agent to triage the contents; exported registry files and installed a registry viewer to allow a forensic examiner to examine registry entries; seized database files loaded on a database server ready for data mining. Sample note: the attachment in Outlook.pst>message05 has a virus in it; make sure anti-virus software is installed before exporting and opening it.
  • New Source of Data Leads - the New Source of Data Lead List is a list of data that should be obtained and recovered to corroborate or generate further investigative efforts. Sample leads: an email address ([email protected] in the chart); server logs from an FTP server; registry entries. Sample note: this is self-explanatory.
  • Analysis Results - the Analysis Result List is a list of meaningful data that answers the who, what, when, where and how questions in satisfying the forensic request. Sample result: 12 emails detailing a plan to commit crime.

[The chart's analysis questions for each item:]

  • Who/What: Who or what application created, edited, modified, sent, received, or caused the file to be? Who is this item linked to and identified with?
  • Where: Where was it found? Where did it come from? Does it show where relevant events took place?
  • When: When was it created, accessed, modified, received, sent, viewed, deleted, and launched? Does it show when relevant events took place? Time analysis: what else happened on the system at the same time? Were registry keys modified?
  • How: How did it originate on the media? How was it created, transmitted, modified and used? What did the user do with the item? Does it show how relevant events occurred?
  • Associated Artifacts and Metadata: identify any other information about the item, and document the item and all relevant metadata attributes on the "Relevant Data List".

[Items found outside the scope of the warrant are flagged for advice before the data is marked relevant; data that is not relevant is marked as such and the examiner waits for resolution.]
