
COMPUTER FORENSICS FOR THE CLAIMS HANDLER 

Presented and Prepared by: James C. Feehan, Jr.

Peoria Computer Forensic Associates, LLC EnCE Digital Forensic Specialist

866.938.4041 [email protected]

The views of independent presenters may not represent the views of Heyl, Royster, Voelker & Allen.

M-1

What Every Claims Professional Should Know about Computer Forensics

Presented by:

Peoria Computer Forensic Associates, LLC

(866) 938-4041

Instructor

• James C. Feehan Jr. – EnCE certified digital forensic specialist

– Professor, Bradley University

– Court qualified digital forensic expert

• Federal: (Central District of Illinois) 16 cases

• State: (Peoria and Tazewell) 7 cases

• Illinois House of Representatives

M-2

Similar Lectures

• “Solving Crimes with Digital Forensic Evidence”, National LEO, Las Vegas, NV

• “Solving Crimes with Digital Forensic Evidence” International Association of Identification & Forensic Science. Par-A-Dice Hotel, East Peoria, IL

• “Forensic Success Stories”, Department of Justice, St. Louis, MO and Atlanta, GA

Peoria Computer Forensic Associates, LLC

• A computer forensics firm specializing in computer forensics analysis and consulting within the areas of general corporate litigation, employment litigation, and divorce litigation.

• We provide outstanding computer forensics services to law firms and businesses throughout the country.

M-3

Perform Forensic Examinations Into

• Corporate e-mail

• Intellectual property disputes

• Wrongful termination disputes

• Malicious acts by terminated or disgruntled employee(s)

• Employee activity (search for excessive personal browsing during work hours)

• Divorce cases

• Sexual harassment

• Insurance fraud

• Stalking, hacking, illegal activities

• Employee theft

• Business fraud

• Embezzlement

• Hacking

• Trade and business secrets theft

Computer Forensic & Electronic Data Discovery Services

• Forensic hard drive imaging

• Observation and documentation of imaging process

• Hostile site acquisition

• Password recovery/removal

• Data decryption

• Data compression & imaging

• Media type conversion

• Duplicate file elimination

• Forensic examination of log files and computer registry

• Swap / META file examination

• Website visit logs and internet cache examination

• Email searches

• Expert report writing

• Expert testimony

M-4

Digital Forensics

• What is Digital Forensics?

– Digital forensics is the identification, preservation, extraction, interpretation and presentation of computer-related evidence.

Digital Forensics

• Can be performed on:

– Computers

– Networks

– Flash Drives

– CD’s, DVD’s, etc.

– Cellular Telephones

– PDA’s

– Video Surveillance Systems

– GPS Devices

– xBox 360

– iPod

M-5

Why Technology?

CD Media Comparison

M-6

Data vs Printed Pages

• One megabyte = 1,400 pages

• One gigabyte = 140,000 pages

• One terabyte = 140,000,000 pages

Digital Data

• 80% of all corporate and business data is stored electronically.

• 95% of all information generated today is in digital form.

• 80% of this information stays in electronic format like email, pdf, word documents and digital images.

• Very few business documents created today ever leave their digital form and get printed out.

M-7

Digital Data Discovery

• This means that in almost every legal matter, critical and relevant evidence is electronically stored on personal, business and corporate computer systems.

• Are you confident that you have viewed every document in discovery?

Why Digital Forensics?

M-8

“The Smoking Gun”

• We all are looking for the “smoking gun.”

• Every case has its smoking gun. Searching for the smoking gun once meant searching through reams of paper stored in folders, boxes and cabinets.

• Today, fewer and fewer business communications and records find their way into paper form, so your smoking gun is likely stored on someone’s digital storage media.

“The Smoking Gun”

• Not only is the smoking gun more likely to be stored digitally, the informal and immediate nature of electronic communications makes them more likely to be smoking guns.

M-9

Evidence Is Left

• At home, through the use of a computer.

• At work, through the use of a computer.

• On the road, through the use of a computer.

Additionally:

• People aren’t as guarded in what they say via e-mail as when writing a letter.

• Electronic communication is so frictionless that a damning e-mail and/or text messages are just a click away from dozens or hundreds or thousands of in boxes.

M-10

Types of data often considered as critical

evidence in litigation include:

• e-mail

• plain text and documents

• graphics

• calendar files

• databases

• spreadsheets

• digital faxes

• audio files

• videos

• websites

• computer applications

• viruses and spyware

Why a Computer Forensic Examiner?

• Far more information is stored by a computer than most people are aware.

• Proper techniques and procedures must be followed in acquiring and examining data.

• Inadmissibility?

• Sanction for spoliation of evidence?

M-11

Computer Based Evidence

• Courts have recognized the importance of computer forensic investigations to authenticate computer evidence.

• Gates Rubber Co. v. Bando Chemical Indus., Ltd., is a particularly important decision where the court defines a mandatory legal duty on the part of litigants to perform proper computer forensic investigations.

Gates Rubber Co. v. Bando Chemical Indus., Ltd.

• The court ruled and issued harsh evidentiary sanctions. Further, the court criticized the errant examiner for failing to make an image copy of the target drive. The court stated that when processing evidence for judicial purposes a party has "a duty to utilize the method which would yield the most complete and accurate results.”

M-12

Famous Computer Forensic Cases

• Michael Jackson

– Forensics recovered Internet history and Email.

• Scott Peterson

– Forensics recovered Internet history which showed web searches for dump sites.

• BTK Killer

– Forensics used to trace a letter back to a computer at his church.

Dennis Rader, BTK Killer

M-13

The BTK Killer

• Dennis Rader was responsible for 10 murders around Wichita, Kansas between 1974 and 1991. Dennis taunted investigators with letters he had written boasting about the murders.

• BTK Killer again resurfaced in 2004 when he sent a local television station a floppy disk which contained a file titled “Test A.rtf”, and a 3 x 5 index card which read "Any Communications will have a # assigned from now on, in case one is lost or not found."

The BTK Killer

• The floppy disk file instructed investigators to read the index card.

• A computer forensic exam of the floppy disk revealed other data on the disk, including the previous disk user, “Dennis”.

• That same data also revealed that the disk had previously been used at Wichita's Christ Lutheran Church.

M-14

The BTK Killer

• Investigators checked the church’s website and discovered the church’s list of officers, including a man named Dennis Rader. Investigators were then able to link Rader to the crime scenes with the use of DNA.

• After more than 31 years and 100,000 man-hours, the case was cracked by a 15 minute computer forensic exam.

Why a Computer Forensic Examiner?

Why Not A Computer Repair Technician?

M-15

Digital Evidence

• Digital evidence is unlike any other physical evidence because it can be altered or changed easily. The integrity of the evidence is fungible.

• Therefore, digital evidence must only be handled by properly trained individuals.


M-16

Digital Forensic Principles

1. No action should be taken that would change data held on a computer or storage media which may subsequently be relied upon in court.

2. In exceptional circumstances, where a person finds it necessary to access original data held on a computer or on storage media, that person must be competent to do so and be able to give evidence explaining the relevance and the implications of their actions.

Digital Forensic Principles

3. An audit trail or other record of all processes applied to computer based electronic evidence should be created and preserved. An independent third party should be able to examine those processes and achieve the same result.

M-17

Digital Forensic Principles

Special hardware and software are utilized to preserve the integrity of the evidence for use in court proceedings.
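To make principles 1 and 3 concrete, here is an added Python example (it is not part of the presentation and not the firm's own tooling): it images a constructed in-memory "device", hashes the source and the image with MD5 and SHA-256 while copying, writes each step to an audit trail, and provides a verification routine that a second examiner can run to reproduce the recorded hash values. The case number and examiner id are placeholders; on real media the source would be read through a write blocker rather than from a byte string.

```python
"""Added example: forensic acquisition with hash verification and an audit trail.
The "device" is a constructed byte string, not real evidence."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 16  # read 64 KiB at a time so large media are never held in memory

# Constructed sample drive contents (boot-sector-like bytes, filler, a deleted fragment).
SAMPLE_DEVICE = (b"\xeb\x3c\x90CONSTRUCTED" + bytes(range(256)) * 8
                 + b"deleted chat fragment" + b"\x00" * 512)


def hash_stream(stream):
    """Return {'md5': ..., 'sha256': ...} over everything readable from stream."""
    md5, sha = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        md5.update(chunk)
        sha.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha.hexdigest()}


def acquire(device_bytes, examiner="EXAMINER-PLACEHOLDER", case="CASE-PLACEHOLDER"):
    """Copy the source to an image, hashing both, and log every step (principle 3).
    Raises if the image does not hash identically to the source (principle 1)."""
    audit = []

    def log(action, **details):
        audit.append({"utc": datetime.now(timezone.utc).isoformat(), "examiner": examiner,
                      "case": case, "action": action, **details})

    log("hash_source_start", size=len(device_bytes))
    source_hashes = hash_stream(io.BytesIO(device_bytes))
    log("hash_source_done", **source_hashes)

    # Sector-style copy: read-only from the source, sequential writes to the image.
    source, image = io.BytesIO(device_bytes), io.BytesIO()
    for chunk in iter(lambda: source.read(CHUNK), b""):
        image.write(chunk)
    image_bytes = image.getvalue()

    image_hashes = hash_stream(io.BytesIO(image_bytes))
    log("image_written", size=len(image_bytes), **image_hashes)
    if image_hashes != source_hashes:
        log("verification_failed")
        raise RuntimeError("image does not match source; do not rely on it")
    log("verification_ok")
    return image_bytes, audit


def verify_image(image_bytes, audit):
    """Independent re-check: recompute the image hashes and compare them with the
    values recorded at acquisition. True only on an exact match of both digests."""
    recorded = next((e for e in audit if e["action"] == "image_written"), None)
    if recorded is None:
        return False
    current = hash_stream(io.BytesIO(image_bytes))
    return current["md5"] == recorded["md5"] and current["sha256"] == recorded["sha256"]


if __name__ == "__main__":
    img, trail = acquire(SAMPLE_DEVICE)
    print(json.dumps(trail, indent=2))
    print("independent verification:", verify_image(img, trail))
```

Two digests are recorded because a single algorithm gives an opposing expert an easy line of attack; the audit trail carries the sizes and timestamps so that a third party can repeat the hashing and arrive at the same values, which is exactly what principle 3 asks for.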

Computer Forensic Examination

• Active Data: Files that are not deleted and are available to the user through the operating system.

• Ambient Data: Deleted files, RAM dumps, swap files, printer spool files.

• Archival Data: Data that has been “backed up” on tape, DVD, CD, etc.

M-18

How Computer Forensics Can Help You

• Find the “Smoking Gun” in your case

• Help you determine which devices need to be examined

• Determine if evidence has been modified or tampered with

• Discover or prove if the opposition is “guilty” of wrongdoing

• Offer strategies regarding the report findings

• Provide facts that are backed up by the forensic community

• Testify in Court as an expert witness

Divorce Cases

• Infidelity

– Chat room logs, incriminating e-mails, digital photographs

• Hidden Assets

– Quicken balances, brokerage account records

• Online access of financial accounts

– Overseas account passwords, business correspondence

• Doctored records

M-19

Corporate Cases

• Sexual harassment

• Doctored records

• “Smoking Gun” document

• “Too Candid” memo

• Product liability cases

• Wrongful discharge claims

• Anti-trust actions

Sensitive Business Information

• Did a former employee leave and take sensitive business information or trade secrets to a competitor or new company?

– What information did they take?

– Where did they send that information?

– How did they cover it up?

M-20

Employee Litigation

• Discovery of Theft of Company’s Digital Assets

• Misuse of Corporate Property

• Denial of Unemployment Claims

• Criminal Prosecution for Fraud or Other Statutory Violations

Employee Litigation

• Employees who sue their current or former employer often allege discrimination, harassment, wrongful termination, or compensation irregularities.

• Sometimes, plaintiffs fabricate evidence in support of their case before leaving and filing litigation.

• Establishing the facts by conducting a forensic examination of the computer used by the plaintiff can be crucial to managing an effective legal defense and can be pivotal to obtaining a prompt resolution and avoiding protracted litigation.

M-21

Why Digital Forensics?

“Not only is computer forensics necessary in the guilt phase to establish a defendant's culpability, it is just as important in exposing the lies of his defense.”

Thomas Keith, Supervisory Assistant United States Attorney, Central District of Illinois

Forensic Example

• United States v. Lance Pisman

• Lance Pisman met Wilkerson via chat rooms. Pisman lived in Iowa City, Iowa. 

• Evidence against Pisman was weak, therefore, on March 1, 2004, investigators made contact with Pisman to ask him to cooperate with the prosecution against Wilkerson.

M-22

Pisman Forensic Exam

Lance Pisman hard drive file structure (contents deleted)

Pisman Forensic Exam

AIM chats with Wilkerson that had been deleted from the hard drive.

M-23

Pisman Forensic Exam

ID21.lnk stored in Pisman’s Recent folder

• 040301_1523·E:\My Documents\ID21.psf····E·:·\·M·y· ·D·o·c·u·m·e·n·t·s·····

– Source: hard drive physical sector 6423706

Forensic Example

• United States v. Lance Pisman

• Pisman was confronted with this information. He confessed that he made the disc and hid it under his kitchen sink. The disc was recovered and the chats were located on the disc. 

M-24

Pisman Forensic Exam

DVD data that had been recovered

CD001·· 040301_1523 ········3······3············································Ò······ÒÙ··········Ý···
·"·················h···)·è········· EASY CD CREATOR 5.1 (053) COPYRIGHT (C) 1999-2001 ROXIO, INC.

Source: Data located at physical sector 16 on DVD

Side by Side File Structure: DVD file structure / Hard drive file structure
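The "CD001" string at physical sector 16 is the signature of an ISO 9660 primary volume descriptor (PVD), the 2048-byte structure that carries the disc's volume identifier and the name of the application that burned it; the volume identifier is also what a Windows .lnk file records next to the target path, which is why the same "040301_1523" string appears both in ID21.lnk on the hard drive and at sector 16 of the DVD. The following Python is an added example, not material from the presentation or the examiner's tooling: it builds a constructed disc image that reuses the slide's volume identifier and application string (the creation date is a constructed value the slides do not show), carves every PVD out of the image at the standard field offsets, and then searches a constructed drive fragment modelled on the ID21.lnk residue above for the same label in ASCII and UTF-16LE.

```python
"""Added example: carve ISO 9660 primary volume descriptors from a disc image and
correlate the volume identifier with .lnk-style residue in a drive image.
Both images are constructed for the example; field offsets follow ISO 9660."""
import struct

SECTOR = 2048
PVD_MAGIC = b"\x01CD001\x01\x00"         # type 1, "CD001", version 1, unused byte
TERMINATOR_MAGIC = b"\xffCD001\x01\x00"  # volume descriptor set terminator (type 255)


def _field(text, size):
    """ISO 9660 identifier fields are space padded, not NUL terminated."""
    return text.encode("ascii").ljust(size, b" ")


def build_sample_iso(volume_id="040301_1523",
                     app_id="EASY CD CREATOR 5.1 (053) COPYRIGHT (C) 1999-2001 ROXIO, INC.",
                     created="2004030115230000"):
    """Constructed disc image: 16 empty system-area sectors, the PVD at sector 16,
    a set terminator at sector 17. Only the fields read below are populated;
    the creation date is a constructed value, not something the slides show."""
    pvd = bytearray(SECTOR)
    pvd[0:8] = PVD_MAGIC
    pvd[8:40] = _field("", 32)                   # system identifier
    pvd[40:72] = _field(volume_id, 32)           # volume identifier (the disc label)
    pvd[80:88] = struct.pack("<I", 18) + struct.pack(">I", 18)          # volume space size, both-endian
    pvd[128:132] = struct.pack("<H", SECTOR) + struct.pack(">H", SECTOR)  # logical block size
    pvd[574:702] = _field(app_id, 128)           # application identifier (burning software)
    pvd[813:830] = created.encode("ascii") + b"\x00"  # creation date YYYYMMDDHHMMSShh + GMT offset
    term = bytearray(SECTOR)
    term[0:8] = TERMINATOR_MAGIC
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term)


def parse_pvd(sector):
    """Decode the fields an examiner would report from a PVD; raises on anything else."""
    if len(sector) != SECTOR or sector[0:8] != PVD_MAGIC:
        raise ValueError("not an ISO 9660 primary volume descriptor")
    d = sector[813:829].decode("ascii")
    return {
        "volume_id": sector[40:72].decode("ascii").rstrip(),
        "application_id": sector[574:702].decode("ascii").rstrip(),
        "block_size": struct.unpack_from("<H", sector, 128)[0],
        "volume_sectors": struct.unpack_from("<I", sector, 80)[0],
        "created": f"{d[0:4]}-{d[4:6]}-{d[6:8]} {d[8:10]}:{d[10:12]}:{d[12:14]}",
    }


def carve_pvds(image):
    """Check every sector boundary for PVD magic rather than trusting sector 16 alone,
    so descriptors on multi-session or partially overwritten discs are found too."""
    hits = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        if image[off:off + 8] == PVD_MAGIC:
            hits.append((off // SECTOR, parse_pvd(image[off:off + SECTOR])))
    return hits


# Constructed drive fragment modelled on the .lnk residue on the slide: the volume
# label, the ANSI local path, then the path again in UTF-16LE.
SAMPLE_DRIVE_FRAGMENT = (b"\x00" * 16
                         + b"040301_1523\x00E:\\My Documents\\ID21.psf\x00"
                         + "E:\\My Documents".encode("utf-16-le")
                         + b"\x00" * 8)


def find_label_references(drive_bytes, label):
    """Offsets at which the disc label occurs in a drive image, as ASCII or UTF-16LE."""
    found = []
    for encoding in ("ascii", "utf-16-le"):
        needle = label.encode(encoding)
        pos = drive_bytes.find(needle)
        while pos != -1:
            found.append((pos, encoding))
            pos = drive_bytes.find(needle, pos + 1)
    return sorted(found)


def correlate(disc_image, drive_bytes):
    """For each PVD carved from the disc, list where its label shows up on the drive."""
    return {pvd["volume_id"]: find_label_references(drive_bytes, pvd["volume_id"])
            for _, pvd in carve_pvds(disc_image)}


if __name__ == "__main__":
    for sector, pvd in carve_pvds(build_sample_iso()):
        print(f"PVD at sector {sector}: {pvd}")
    print(correlate(build_sample_iso(), SAMPLE_DRIVE_FRAGMENT))
```

A hit from `correlate` is a lead, not a conclusion: the label must still be tied to the sector and file it was carved from (the slide cites physical sector 6423706 for the .lnk and sector 16 for the PVD) so that the link between disc and drive can be reproduced by another examiner.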

M-25

Forensic Example

• United States v. Michael Leahy

• Michael Leahy was convicted locally of weapons offenses in 2001 and was placed on probation.

• Local probation officers received a tip that Leahy was possessing child pornography.

• Officers seized a computer. A subsequent exam revealed images of cp.

• Investigators interviewed Leahy who confessed to the cp. Leahy also attempted to abduct a minor child locally.

Leahy Library Forensic Exam

M-26


M-27


Forensic Example

• Leahy fled to the United Kingdom

• He was apprehended and extradited back to CDIL and convicted for possession of child pornography. 

M-28

Questions?

Presented by:

Peoria Computer Forensic Associates, LLC

(866) 938-4041

M-29

James C. Feehan, Jr.
EnCE Digital Forensic Specialist

James Feehan is a Computer Forensic Specialist and owner of Peoria Computer Forensic Associates, LLC, located in Peoria, Illinois. He is an EnCE certified digital forensic examiner who has conducted thousands of digital media forensic examinations and has been qualified in state and federal court numerous times as an expert in this field of digital forensics. Additionally, James is an associate Professor at Bradley University, where he developed and instructs the computer forensics curriculum.

Major Investigative Assignments

Detective, Computer Crime Unit, Peoria Police Department (March 2000 to present)

Special Federal Officer, Federal Bureau of Investigation, Cyber-Crime Taskforce (June 2003 through August 2009)

Special Federal Officer, United States Secret Service, Cyber-Crime Taskforce (September 2009 through present)

Representative Academic Positions

Instructor (March 2001 to 2007); Computer Forensics, Computer Crime; Mobile Police Training Center, Peoria, IL

Instructor (January 2006 to 2007); Computer Forensics, Computer Crime and Investigations; Traffic Institute; Northwestern University, Evanston, IL

Instructor (August 2007 to present); Child Exploitation Investigations, State of Illinois, Illinois State Police Academy, Springfield, IL

Representative Presentations

“Solving Crimes with Digital Forensic Evidence,” Training Resource Services, Las Vegas, Nevada, May 2004

“Solving Crimes with Digital Forensic Evidence,” International Association of Identification Forensic Science Conference, East Peoria, IL, April 2007

“Social Networking,” Illinois Juvenile Officers Association 51st Annual State Conference, Peoria, IL, June 2007

“A Forensic Success Story: The Digital Evidence Working Group of the Central District of Illinois,” 2008 Project Safe Childhood State Conference, United States Department of Justice, Forsyth, Georgia, August 2008

“What Every Lawyer Needs To Know About Computer Forensics,” Peoria County Bar Association, Peoria, IL, February 2010

Representative Expert Testimony

United States v Christopher J. Wixom, January 26, 2007 in the Central District of Illinois. Expert testimony rendered regarding computer forensic examination techniques, data residue recovered from the Microsoft Windows operating system, Digital Versatile Discs (DVD), file-sharing programs such as Limewire, Ares, and encryption programs such as Truecrypt.

People v John D. Stufflebeam, October 15, 2008 in Tazewell County, Illinois. Expert testimony rendered regarding computer forensic examination techniques, and ICQ data recovered from a database file for instant messaging.

United States v Jeffrey Ellington, January 23, 2009 in the Central District of Illinois. Expert testimony rendered regarding Digital Media Forensic Analyses, and Digital Data Reconstruction and Recovery.

United States v Kenneth Clark, January 6, 2010 in the Central District of Illinois. Expert testimony rendered regarding Digital Media Forensic Analyses of Garmin Street Pilot GPS Navigator.

People v William Malone, February 24, 2010 in Peoria County, Illinois. Expert testimony rendered regarding computer forensic examination techniques of a Cellular Telephone and associated Micro SD card.

Training

Department of Justice, Online Undercover Investigations - National Advocacy Center

Image Scan, Computer Forensic Utility - Federal Bureau of Investigation

Mobile Digital Evidence Previewing - 2007 National Project Safe Childhood Conference

Windows Law Enforcement Tools and Windows Vista for Investigators - Microsoft Corporation - 2008 National Project Safe Childhood Conference

RAM Analysis - 2008 National Project Safe Childhood Conference

M-30