Forensic Computer Techniques

Forensic Computer Techniques: How to Identify Useful Data and Secure a Chain of Custody. Frederick S. Lane (www.FrederickLane.com, www.ComputerForensicsDigest.com). NASDTEC/Professional Practices Institute, Boise, ID, 24 October 2013.

description

A presentation on how to identify useful data and secure a chain of custody in the context of teacher misconduct investigations. Presented to the Professional Practices Institute on October 24, 2013.

Transcript of Forensic Computer Techniques

Page 1: Forensic Computer Techniques

Forensic Computer Techniques

How to Identify Useful Data and Secure a Chain of Custody

Frederick S. Lane

www.FrederickLane.com

www.ComputerForensicsDigest.com

NASDTEC/Professional Practices Institute

Boise, ID

24 October 2013

Page 2: Forensic Computer Techniques

Background and Expertise

• Attorney and Author of 7 Books

• Computer Forensics Expert -- 15 years

• Over 100 criminal cases

• Lecturer on Computer-Related Topics – 20+ years

• Computer user (midframes, desktops, laptops) – 35+ years

• 10 yrs on Burlington VT School Board

Page 3: Forensic Computer Techniques

From VT to Brooklyn

Page 4: Forensic Computer Techniques

Current Projects

• Cybertraps for Educators (2014)

• Safe Student and School Employee Relationships (2014)

• Cybertraps.wordpress.com

• CPCaseDigest.com

• MessageSafe.com

• Informational Web Sites:

  • www.FrederickLane.com

  • www.ComputerForensicsDigest.com

  • www.CybertrapsfortheYoung.com

Page 5: Forensic Computer Techniques

Lecture Overview

• Pre-Incident Preparation

• Common Types of Incidents

• Electronic Evidence Is Everywhere

• Response to Civil Litigation

• Response to Criminal Activity

• Risks for Administrators and Teachers

• A Quick Intro to Computer Forensics

Page 6: Forensic Computer Techniques

Pre-Incident Preparation

• Policies and Procedures

  • District Decisions re Access, Services, Storage

  • AUPs for Staff and Students

  • Data Handling and Response Protocols

• Professional Development for Teachers and Staff

  • Typically First Responders

  • Potential Legal Risks

  • Technology Is Continually Changing

• Student Education

  • Critical Component of K-12 Curricula

Page 7: Forensic Computer Techniques

Common Types of Incidents

• Employment Issues

  • Harassment/Hostile Work Environment

  • Disciplinary Issues

• Student Misconduct

  • Cyberbullying & Cyberharassment

  • Sexting

• Teacher/Student Misconduct

  • Student Attacks on Teachers

  • Inappropriate Relationships

Page 8: Forensic Computer Techniques

E-Evidence Is Everywhere

• Inventory Possible Devices

  • Computers (Desktops, Laptops, Servers)

  • Mobile Devices (Phones, Tablets)

  • Peripherals (USBs, CDs, external drives, etc.)

• Inventory Possible Types of Data

  • Communication (E-Mail, IMs, Texts, etc.)

  • Social Media (Facebook, Twitter, etc.)

  • Web Activity (URLs, cookies, bookmarks, etc.)

  • Network Logs and Access Data

  • Cloud Storage (Dropbox, Flickr, Boxy, etc.)

  • Deleted Data

Page 9: Forensic Computer Techniques

Whose Data Is It Anyway?

• Where Did the Incident Occur?

  • On-Campus vs. Off-Campus

  • Zone of District Responsibility Is Growing

• Who Owns and Uses the Device?

  • Misconduct Using School-Owned Equipment

  • Misconduct Using Privately-Owned Equipment

• Who Runs the Service?

  • Evidence Hosted by District

  • Evidence Created by Teachers/Students

  • Evidence Hosted by 3rd Parties

Page 10: Forensic Computer Techniques

Response to Civil Litigation

• Preservation of Potentially Relevant Evidence

  • Adherence to Established Policies for Handling Data

  • Notice of Litigation or Reasonable Anticipation of Litigation

• Discovery Requests

  • Privacy Concerns

  • Burdensomeness of Requests

  • Production of Data Held by 3rd Parties

Page 11: Forensic Computer Techniques

Response to Criminal Activity

• Anticipate Prosecution and/or Disciplinary Proceedings

  • Adherence to Policy/Process Is Critical

  • Involve Law Enforcement ASAP

• Protect and Preserve Data

  • Restrict Access to Potentially Relevant Data

  • Hire a Computer Forensics Expert?

  • Some Evidence Is Radioactive

Page 12: Forensic Computer Techniques

Risks for Admins. & Teachers

• Good Intentions, Bad Outcome

  • “Sherlock Holmes” Syndrome

  • Forwarding Content for Advice

• The Cover-Up Is Always Worse

  • Trying to Protect Colleagues and Friends

  • Desire to Protect District by Handling In-House

  • “Delete” Is a Myth

Page 13: Forensic Computer Techniques

A Cautionary Tale

• Ting-Yi Oei, now 64

• Assistant Principal at Freedom HS in So. Riding, VA (Loudoun County)

• Told to investigate rumors of sexting at HS

• “Inappropriate” image was forwarded to Oei’s cellphone, then computer

• Charged with “failure to report,” then contributing to delinquency of a minor

• Charges ultimately dismissed

Page 14: Forensic Computer Techniques

Computer Forensics 101

• Field Previews

• Acquisition & Mirror Images

• Some Data Are More Fragile Than Others

• Speed Is Of the Essence

• Powerful Forensics Tools

• Data Recovery and Analysis

• IP Addresses Link to Real World

• 4th Amendment and Privacy Concerns
