Following the Digital Trail: How Your Case Can Benefit ... · LIVE CELL PHONE FORENSICS DEMO...

Thursday, November 16, 2017, 9 a.m.–12:15 p.m.

2.75 General CLE credits

Following the Digital Trail: How Your Case Can Benefit from Computer and Phone Forensics


FOLLOWING THE DIGITAL TRAIL: HOW YOUR CASE CAN BENEFIT FROM COMPUTER AND PHONE FORENSICS

The materials and forms in this manual are published by the Oregon State Bar exclusively for the use of attorneys. Neither the Oregon State Bar nor the contributors make either express or implied warranties in regard to the use of the materials and/or forms. Each attorney must depend on his or her own knowledge of the law and expertise in the use or modification of these materials.

Copyright © 2017

OREGON STATE BAR

16037 SW Upper Boones Ferry Road

P.O. Box 231935

Tigard, OR 97281-1935


TABLE OF CONTENTS

Schedule

Faculty

Presentation Slides—Computer and Mobile Forensics


SCHEDULE

Presented by Don Vilfer, VAND Group LLC, Sacramento, California

8:30 Registration

9:00 Using Computer and Phone Forensics

• What are digital forensics?

• Incorporating forensics into your case

• Recent case law

• Computer forensics overview

10:00 Break

10:15 Phone Forensics

• Overview

• Production of information

11:15 Break

11:30 Forensic Tools and Methods

• Live demonstration

12:15 Adjourn

FACULTY

Don Vilfer, VAND Group LLC, Sacramento, California. Mr. Vilfer specializes in general and complex investigative matters and has extensive experience testifying in state and federal courts, including as an expert witness. He previously was Senior Director of Litigation Support and Investigative Services for a large Sacramento accounting firm and before that was assigned to the FBI’s Washington, D.C., field office and worked on major cases involving bank fraud and public corruption. He also was a Supervisory Special Agent at FBI headquarters and served as the Special Agent in charge of the White Collar Crime and Computer Crime Unit in Sacramento, leading investigations of federal white collar crime violations and overseeing the FBI’s participation in the Sacramento High-Tech Task Force. Mr. Vilfer is a member of the Ohio State Bar Association.


Computer & Mobile Forensics

Don Vilfer, JD, ACE

WHY DO WE CARE ABOUT FORENSICS?

• Lawyers need to be equipped to adequately advise clients or employers.

• You have a duty to prepare your cases for adequate discovery.

• You have a duty to advise your clients/management about their discovery obligations.


WHAT IS DIGITAL FORENSICS?

Digital forensics is a branch of forensic science encompassing the recovery and investigation of material found in digital devices, often in relation to computer crime. --Wikipedia

FORENSIC IMAGE

• The creation of a Forensic Duplicate of the storage media.

• FRE Section 1003: a duplicate is admissible to the same extent as the original unless (1) a genuine question is raised as to the authenticity of the original or (2) in the circumstances it would be unfair to admit the duplicate in lieu of the original.


CHARACTERISTICS OF A FORENSIC IMAGE

• Hash Value (Digital Fingerprint)

• Data cannot be changed

• Includes Unallocated Space, Drive Freespace and File Slack

• Difference from Ghost

• Acceptable in court as Best Evidence

FORENSIC IMAGES/DATA ACQUISITION

• Drive Removal and write-blocking

• Live Images

• Boot Disks

• Triage - Live Searching and Acquisition

• Networks - remote imaging (even across the ocean) is possible


PRESERVING THE ORIGINAL EVIDENCE FOR EXAMINATION

i.e., To Shutdown Or Not To Shutdown

• RAM - volatile data. Now capable of being forensically captured! Leave computer on if you suspect recent monkey business.

• Hard Drive - reasons to not leave computer on or access files. The evidence changes simply by booting.

BUT, THE USUAL RULES OF EVIDENCE STILL APPLY

• Chain of Custody—must be able to account for the location of the evidence from the moment it was collected.

• Authentication—computer evidence is considered “writings and recordings” under the Rules of Evidence and must be authenticated to be admissible.

• Validation—is it really the same? (Hash files)
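
The validation step above, as an added example that is not part of the original slides: a bit-for-bit copy is hashed while it is acquired and re-hashed later, so a single changed bit, or a copy that leaves out unallocated space, fails the comparison. SHA-256, the block size and the sample "drive" bytes are assumptions constructed for illustration.

```python
import hashlib
import io

BLOCK = 4096  # read size in bytes (assumed; the digest does not depend on it)


def acquire(source, image):
    """Copy every byte of `source` into `image`, hashing the stream as it is read.

    Returns the SHA-256 hex digest to record at acquisition time.
    """
    h = hashlib.sha256()
    for block in iter(lambda: source.read(BLOCK), b""):
        h.update(block)
        image.write(block)
    return h.hexdigest()


def verify(image, recorded_digest):
    """Re-hash the image and compare it with the digest recorded at acquisition."""
    image.seek(0)
    h = hashlib.sha256()
    for block in iter(lambda: image.read(BLOCK), b""):
        h.update(block)
    return h.hexdigest() == recorded_digest


def demo():
    # Constructed sample "drive": one allocated file, then leftover bytes
    # sitting in unallocated space.
    drive = b"FILE:report.doc" + b"\x00" * 5000 + b"deleted text message" + b"\x00" * 3000
    image = io.BytesIO()
    recorded = acquire(io.BytesIO(drive), image)
    intact = verify(image, recorded)

    # Flip one bit in the copy, as any alteration after collection would.
    data = bytearray(image.getvalue())
    data[6000] ^= 0x01
    altered = verify(io.BytesIO(bytes(data)), recorded)

    # A file-level copy holding only the allocated file cannot match the drive hash.
    logical = verify(io.BytesIO(drive[:15]), recorded)
    return intact, altered, logical


if __name__ == "__main__":
    print(demo())
```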


RECENT CASE LAW

State v. Kolanowski, (Wash: Court of Appeals, January 30, 2017). In a case involving the failure to authenticate social media evidence, a criminal defendant unsuccessfully sought to admit a screenshot of Facebook evidence that he maintained would have served as critical impeachment of the prosecution’s main witness. The State successfully argued the screenshot lacked foundation. Metadata that could have been obtained during the collection was not obtained—a simple screenshot did not suffice.

RECENT CASE LAW

The government’s retention of files outside the scope of a warrant for more than two years violates the Fourth Amendment. US v. Ganias, 755 F3d 125 (2d Cir 2014).


RECENT CASE LAW

Landmark United States Supreme Court case in which the Court unanimously held that the warrantless search and seizure of digital contents of a cell phone during an arrest is unconstitutional.

Riley v. California, 134 S.Ct. 2473 (2014)

Changes to Federal Rules of Evidence 902

• New paragraphs 13 and 14 of Rule 902 will remove some authentication hurdles for electronic evidence. The text of the new rule is as follows (emphasis added):

• The following items of evidence are self-authenticating; they require no extrinsic evidence of authenticity in order to be admitted:

• (13) Certified Records Generated by an Electronic Process or System. A record generated by an electronic process or system that produces an accurate result, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).

• (14) Certified Data Copied from an Electronic Device, Storage Medium, or File. Data copied from an electronic device, storage medium, or file, if authenticated by a process of digital identification, as shown by a certification of a qualified person that complies with the certification requirements of Rule 902(11) or (12).


INITIAL RESPONSE

• Gather sufficient info to develop a response

• Traditional investigation

• Don’t attempt data recovery

• Avoid spoiling the evidence (logs, free space, etc.)

• Consult with someone knowledgeable

• Consider locations of relevant evidence (thumbdrives, router logs, cameras)

• Develop a strategy drawing on your skills and what you will hopefully learn today!

Data Constantly Changes


FORENSIC PROCESSES (NOW WHAT DO WE DO WITH IT?)

• Review information on the drive

• Recover deleted files.

• Data Carving.

• Searches in free space.

• Recovering web-based e-mail.

• Determining activities on the computer (copying, printing, deleting, burning).

• Break passwords and encryption.

Forensics of Mobile Devices

--after the break


How Cell Data Can Help Your Case

• Establish communication between subjects/witnesses - example

• Provide location during key times

• Corroborate statements

• Prove misconduct (harassment, relationships, use of time, theft)

• Develop leads (location, banking, contacts)

Benefits of Incorporating Cell Phones into Your Investigation

• No longer is it a “he said, she said”

• Can contain irrefutable evidence

• Many times the evidence is in their own words

• There is often evidence available that cannot be had elsewhere

• Cell Phone data might inform other aspects of the inquiry


Sources of Cell Phone Data

• Local Backups - not just backing up iTunes

• The cloud - oh, forgot about the cloud

• Service Provider - limitations, but also data that is not available elsewhere

• The phone itself

The Phone Itself

• Flash Storage vs Disk

• Differing File Systems - iOS, Android, Windows, Nokia (Symbian)

• Security Issues: password, encryption, wiping

• What is Recoverable? - It depends.


Forensic Approaches

• Logical vs Physical extraction

• SIM card

• SD Cards?

• Chip Off

Forensic Software

• Cellebrite

• Accessdata-MPE

• Magnet Axiom

• Blacklight


Data Carving from a Physical Image

• Carved Image and Carved SMS

Local Backups

• The same data as on the phone

• Not just iTunes

• Includes deleted data

• Often forgotten by those destroying evidence

• An opportunity for multiple snapshots


The Cloud

• The same data as on phone in many cases

• iCloud, Google, backup services

• Sync across devices?

• Often forgotten by those destroying evidence

• An opportunity for multiple snapshots

• Forensic preservation notes

The Service Provider

• Limitations on stored data

• Data not had elsewhere

• Ping data and geolocation data

• Transactional records

• Case example of transactional record not on phone


Gaining Access to the Data

• Consent

• Ownership (company data, buy it)

• Court Order/Subpoena

• Proceed with Caution - ECPA

Legal Obligations to Collect Cell Data

Failure to preserve text messages or other mobile data could result in “death penalty sanctions.” See Small v. Univ. Med. Center of S. Nevada


Legal Obligations to Collect Cell Phone Data

• Texts and emails sent by public employees on their personal devices or accounts are a matter of public record if they deal with official business. See City of San Jose v. Superior Court, CA Supreme Court decided March 2, 2017

The Product You Want

• Report vs Extraction

• Report Formatting


LIVE CELL PHONE FORENSICS DEMO

What’s on your phone? (or mine)

Don Vilfer, JD, ACE

916-883-2020

Don@VANDGroup.com

Digital Forensics and Investigations
