Blended Enterprise Investigations
Using Digital Forensics and Physical Security to Build Your Case
By John Grancarich, Paul Hastings Janofsky & Walker LLP
Introduction
• Pure digital investigations are becoming a thing of the past
• The physical world is increasingly going digital
• A puzzle contains more than one piece: investigate them all
— Digital forensics
— Interviews of key players
— Building/floor access logs
— Floor plan analysis
• The essential aspect of the blended role? Solid investigative skills
• Can one person do it all? Not always
Agenda
• Investigative methodology
• Case study – workplace harassment
• Blended investigation techniques
Investigative Philosophy
• The goal of any investigation is to discover and present the truth
• How do we get to the truth? Trusted, non-biased methodology and technology
• The effectiveness of the investigative process depends upon high levels of objectivity applied at all stages
• Intellect over emotion at all times
• Understand the difference between examination and investigation
— Examiner reports on findings
— Investigator puts all the pieces together
Investigative Process Model
1. Incident Alert / Accusation / Claim: crime or policy violation
2. Assessment of Worth: prioritize / choose
3. Incident Response / Protocol: actions at scene
4. Identification or Seizure: recognition and proper packaging
5. Preservation: maintain integrity
6. Recovery: get it all!
7. Harvesting: data about data
8. Reduction: filter and eliminate
9. Organization and Search: what is the focus?
10. Analysis: scrutinize and understand
11. Reporting: prepare detailed record
12. Persuasion and Testimony: translate and explain
Source: Digital Evidence and Computer Crime, 2nd Ed., Eoghan Casey
Investigative Process Model – Stage 1: Incident Alert / Accusation / Claim
• Triggering event
• Consider source and reliability of information
• Start gathering initial facts
• Delicate stage in an investigation
Case Study – Workplace Harassment: Incident Alert / Accusation / Claim
— Client's IT group consists of two employees working in a secured area
— Claimant accuses respondent of downloading adult content to his work computer and viewing it in the workplace
— Alleges this activity has been going on for approximately nine months
— Two days before the claim was made, alleges that respondent attempted to initiate a physical relationship with claimant in the office against claimant's wishes. According to the allegation, the attempt was graphic and involved.
— Claimant goes to HR and makes the claim
— Incident is documented and claimant immediately goes on paid leave, stating severe physical side effects and emotional distress as a result of this experience
Investigative Process Model – Stage 2: Assessment of Worth
• Apply investigative resources where needed most
• Questions asked to focus on the most severe problems
• Result of this step is one of two options: no further action, or continue to investigate
Case Study – Workplace Harassment: Assessment of Worth
— Internal investigators immediately informed of incident
— Very serious allegations
— Do the respondent's alleged actions (the unwanted physical advances) constitute harassment only, or sexual assault?
— Claimant deserves to have allegations investigated, and company has a duty to determine what happened
— Would have serious ramifications if not pursued
— Continue to investigate? Yes
Investigative Process Model – Stage 3: Incident Response / Protocol
• Retain and document items at scene
• Follow accepted protocols
• Result of this step is a secure scene where evidence is "frozen" in place
Investigative Process Model – Stage 4: Identification or Seizure
• Identify and seize potential evidence
• Goal is not to seize everything: make informed, reasoned decisions
• Documentation is key
• Use memory aids (procedures, checklists, forms)
Case Study – Workplace Harassment: Incident Response / Seizure
— Work area is observed – Claimant and Respondent have left the premises
   No video surveillance in work area
   Area is secured though – do access key records exist?
— Work area is photographed
— Computers are found powered off at time of arrival on scene
— Hard drives from Claimant's and Respondent's computers are forensically imaged at scene
— Any other items of interest on desks or in work areas? CD/DVDs, USB, mobile devices, notes, folders, etc.
— Server e-mail, e-mail backups and home shares forensically copied for further analysis
Investigative Process Model – Stage 5: Preservation
• Take proper actions to ensure integrity of physical and digital evidence
• Often the first stage that uses tools of a particular type
• Output of this stage is usually a set of duplicate data
Investigative Process Model – Stage 6: Recovery
• Extract deleted, hidden, camouflaged or otherwise unavailable data
• Performed on copies of digital evidence from the preservation stage
• Objective is to identify, and if possible make visible, all data that belongs to a particular data type
Case Study – Workplace Harassment: Preservation / Recovery
— Still primarily in the realm of digital forensics at this point
— Allegation partially relates to images downloaded from the Internet
— Where to begin:
   Images and HTML from allocated and unallocated space
   All Internet history files
   All Windows event logs
   All Windows registry files
   All files in C:\Documents and Settings\Respondent\Recent and Desktop, and any other potentially relevant user folders
   Windows prefetch files
— Goal is to recover everything that is potentially relevant for later research and analysis
— At this point in the investigation, no perceived need to conduct a physical investigation
Investigative Process Model – Stage 7: Harvesting
• Scrutiny of evidence begins
• Facts begin to take shape that support or negate claims or accusations
• Look for categories of evidence that seem or are known to be related to key facts of the investigation
Case Study – Workplace Harassment: Harvesting
— First question: does Respondent's computer have prohibited images on it?
— Start with the low-hanging fruit: targets or goals which are easily achievable and which do not require a lot of effort
— Review of images from allocated space on Respondent's computer reveals a substantial number of adult images are present
— This evidence supports Claimant's allegation. Or does it?
Case Study – Workplace Harassment: Harvesting
— Two ways to look at Claimant's allegation:
   Scenario 1: Yes, Respondent downloaded prohibited images and videos to his computer
   Scenario 2: There are prohibited images and videos on Respondent's computer, but we don't have enough information to determine who put them there
— Step outside of the digital realm: consider the physical layout of the work area
— Recall that only two employees are in the secured work area – Claimant and Respondent
— Recall that Claimant alleges several months of illicit downloading of pornography before making the claim – an unusually long time to wait before making a complaint
— Conclusion: there is not enough evidence to prove scenario 1 is true
Investigative Process Model – Stage 8: Reduction
• Separate the wheat from the chaff
• Consider material facts of the case to help prioritize evidence
• Intended result is the smallest set of evidence that has the highest potential for containing data of probative value
Case Study – Workplace Harassment: Reduction
— Initial findings on Respondent's computer
   Several hundred pornographic images (allocated and unallocated)
   Multiple visits to various pornographic sites over a several-month period
   Approximately 75 e-mails from Claimant's Yahoo! account, including Claimant's written complaint to HR, recovered from unallocated space
   Computer reimaged on the day the claim was made against him
— Questions
   How did Claimant's e-mails get onto Respondent's computer?
   Did Claimant download the illicit images onto Respondent's computer?
   How credible is Claimant?
   Further investigation of Claimant warranted
Case Study – Workplace Harassment: Reduction
— Initial findings on Claimant's computer
   Multiple visits to various pornographic sites over a several-month period
   Computer reimaged on the same day the claim was made
   Keystroke logger "SoftActivity" installed
— Summary to this point
   There is truth to Claimant's allegation, but…
   Claimant has a serious credibility issue too
   Who did what and when?
   Too many open questions – need to broaden scope of investigation
   Need to put people in place and time
Case Study – Workplace Harassment: Recovery and Harvesting, Phase II
— Domain controller logs
   Who was logged into which computer, and when?
   What activity took place?
— Blended investigation techniques
   Video surveillance
   – Work area? Hallways? Stairwells?
   Floor plan
   – Open plan? Small or large space?
   Access key records (i.e. floor entries and exits)
   – Who entered or left, and when?
   Interview of supervisor and other knowledgeable personnel
   – Do they have any helpful information to provide?
— Ultimate goal is to build a defensible timeline of what we know happened
Investigative Process Model – Stage 9: Organization and Search
• Organize the reduced set of material into meaningful "buckets"
• Simplifies locating and identifying data during the analysis stage
• May incorporate search technology or topic/cluster-based review
Investigative Process Model – Stage 10: Analysis
• Detailed scrutiny of materials
• Assess content and try to determine means, motivation and opportunity
• Experimentation with untested methods
• Correlation and timeline
• Validation
Case Study – Workplace Harassment: Organization and Analysis
• Claimant alleges Respondent sexually harassed him on June 16, 2008 between 5:00–5:30pm in the secured IT area on the 13th floor.
• Physical security: access key records for June 16, 2008, 4:30–6:00pm (most recent first)

Time                 Activity
06/16/2008 17:38:17  Respondent admitted to 14th floor stairwell
06/16/2008 17:32:27  Respondent admitted to 13th floor IT area
06/16/2008 17:17:19  Respondent admitted to 13th floor server room
06/16/2008 17:13:46  Respondent admitted to 13th floor IT area
06/16/2008 17:13:39  Respondent admitted to 13th floor server room
06/16/2008 17:12:20  Claimant admitted to 13th floor IT area
06/16/2008 17:11:57  Claimant admitted to 13th floor lobby
06/16/2008 16:58:48  Claimant admitted to 13th floor IT area
06/16/2008 16:58:34  Claimant admitted to 13th floor lobby
06/16/2008 16:57:25  Claimant admitted to 14th floor cafeteria
06/16/2008 16:55:54  Claimant admitted to 14th floor lobby
06/16/2008 16:40:29  Respondent admitted to 13th floor IT area
06/16/2008 16:40:02  Respondent admitted to 13th floor lobby
06/16/2008 16:32:40  Respondent admitted to 11th floor lobby

• Maximum amount of time together during alleged confrontation: 4 minutes 59 seconds
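A "maximum time together" figure like the one above is produced by turning entry-only badge records into presence intervals for each person and intersecting them inside the alleged window. The Python below is an added example, not code from the presentation; its badge records are constructed for illustration (they are not the case records in the table), and it assumes that readers log entries only, that a person remains in the zone of their most recent badge until their next badge anywhere, and that the server room is a zone distinct from the IT area. Those modelling choices decide the answer, so the report should state them next to the figure.

```python
from datetime import datetime, timedelta

# Constructed badge records for illustration; these are NOT the case records
# shown on the slide.  Format per line: timestamp|subject|reader (zone entered).
# Readers here log entries only, so a subject is assumed to remain in the zone
# of the most recent badge until the next badge event anywhere.
BADGE_RECORDS = """
06/16/2008 16:40:00|Respondent|IT area
06/16/2008 17:05:00|Claimant|IT area
06/16/2008 17:09:30|Respondent|server room
06/16/2008 17:14:00|Respondent|IT area
06/16/2008 17:21:45|Claimant|lobby
06/16/2008 17:22:10|Claimant|IT area
06/16/2008 17:40:00|Respondent|stairwell
"""

# Window of the alleged incident as stated in the complaint (constructed here).
ALLEGED_WINDOW = (datetime(2008, 6, 16, 17, 0, 0), datetime(2008, 6, 16, 17, 30, 0))

TS_FORMAT = "%m/%d/%Y %H:%M:%S"


def parse_badge_log(text):
    """Return badge events as (time, subject, zone) tuples, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ts, subject, zone = (field.strip() for field in line.split("|"))
        events.append((datetime.strptime(ts, TS_FORMAT), subject, zone))
    return sorted(events)


def presence_intervals(events, subject, horizon):
    """Convert one subject's entry-only badge events into (zone, start, end).

    Each interval runs from a badge event to that subject's next badge event;
    the last one runs to `horizon`, because nothing records when they left.
    Every distinct reader name is treated as its own zone (so the server room
    is not part of the IT area): an assumption to verify against the floor plan.
    """
    mine = [(t, z) for t, s, z in events if s == subject]
    intervals = []
    for i, (start, zone) in enumerate(mine):
        end = mine[i + 1][0] if i + 1 < len(mine) else horizon
        intervals.append((zone, start, end))
    return intervals


def co_presence(events, a, b, zone, window):
    """Intervals inside `window` during which both a and b are located in `zone`."""
    w_start, w_end = window

    def in_zone(subject):
        return [(s, e) for z, s, e in presence_intervals(events, subject, w_end) if z == zone]

    overlaps = []
    for s1, e1 in in_zone(a):
        for s2, e2 in in_zone(b):
            start, end = max(s1, s2, w_start), min(e1, e2, w_end)
            if start < end:
                overlaps.append((start, end))
    return sorted(overlaps)


def max_seconds_together(events, a, b, zone, window):
    """Longest single co-presence interval in whole seconds (0 if none)."""
    return max((int((e - s).total_seconds()) for s, e in co_presence(events, a, b, zone, window)), default=0)


def total_seconds_together(events, a, b, zone, window):
    """Sum of all co-presence intervals in whole seconds."""
    return sum(int((e - s).total_seconds()) for s, e in co_presence(events, a, b, zone, window))


if __name__ == "__main__":
    ev = parse_badge_log(BADGE_RECORDS)
    for start, end in co_presence(ev, "Claimant", "Respondent", "IT area", ALLEGED_WINDOW):
        print(f"{start:%H:%M:%S} - {end:%H:%M:%S}  both in IT area ({int((end - start).total_seconds())} s)")
    print("longest single window:", max_seconds_together(ev, "Claimant", "Respondent", "IT area", ALLEGED_WINDOW), "s")
```

Because the last interval for each person is open-ended, the window bound is what keeps the figure finite; without an exit reader or a later badge event the method can only say how long two people could have been together, never how long they were.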
Case Study – Workplace Harassment: Organization and AnalysisDomain controller log for Claimant’s computer from morning of alleged physical incident until time claim was filed
Temp Account06/19/2008 18:03:3106/19/2008 18:00:31Logoff3CompanyClaimantPC
Temp Account06/19/2008 18:00:31Logon0CompanyClaimantPC
Temp Account06/18/2008 10:24:27Logon0CompanyClaimantPC
Claimant06/18/2008 09:12:0306/18/2008 08:34:43Logoff37CompanyClaimantPC
Claimant06/18/2008 08:34:43Logon0CompanyClaimantPC
Respondent06/17/2008 18:36:3806/17/2008 06:34:51Logoff1CompanyClaimantPC
Respondent06/17/2008 18:34:51Logon0CompanyClaimantPC
Administrator06/17/2008 18:34:3706/17/2008 18:23:14Logoff11CompanyClaimantPC
Administrator06/17/2008 18:23:14Logon0CompanyClaimantPC
Administrator06/17/2008 18:19:4906/17/2008 18:18:48Logoff1CompanyClaimantPC
Administrator06/17/2008 18:18:48Logon0CompanyClaimantPC
Temp Account06/17/2008 18:17:3406/17/2008 18:15:28Logoff2CompanyClaimantPC
Temp Account06/17/2008 18:15:28Logon0CompanyClaimantPC
Respondent06/17/2008 18:15:1006/17/2008 17:43:16Logoff31CompanyClaimantPC
Respondent06/17/2008 17:43:16Logon0CompanyClaimantPC
Claimant06/17/2008 17:35:2906/16/2008 08:36:58Logoff1978CompanyClaimantPC
Claimant06/16/2008 08:36:58Logon0CompanyClaimantPC
UserTimeLogin TimeEventDurationDomainName
Case Study – Workplace Harassment: Organization and Analysis
— Interviews of human resources personnel indicate Claimant met with them to discuss the allegations on June 18, 2008 between 2:00–5:00pm in a 14th floor conference room.
— What was Respondent doing during this time frame? Reimaging his computer.

Time                 Activity
06/18/2008 16:47:00  Respondent reimages computer with Windows XP

— Is this a coincidence?
— What could cause Respondent to reimage his computer during the time Claimant was meeting with HR regarding his claim? Could he have learned of the meeting?
Case Study – Workplace Harassment: Organization and Analysis
— Floor plan for the 14th floor mapped with Respondent's access key records during the time frame of Claimant's meeting with HR (6/18/08):

Time        Activity
2:51:07pm   Respondent enters 14th floor (stairwell 2) – was on the same floor during Claimant's meeting with HR
2:52:35pm   Respondent returns to 13th floor (stairwell 2)
2:52:59pm   Respondent enters secured IT area on 13th floor

— Respondent does not enter the secured administration area from 2:00–5:00pm on 6/18/08
[Figure: 14th floor plan with the badge events above marked]
Investigative Process Model – Stage 11: Reporting
• Should contain important details from each step
• Focus of the report is on the analysis
• Can demonstrate the investigator's objectivity by describing eliminated theories that were unsupported or contradicted
Case Study – Workplace Harassment: Reporting
— Should contain important details from each step of the process
— Focus of the report will be on the analysis leading to each conclusion and descriptions of all of the supporting evidence
— In a report, no conclusion should be presented without a thorough description of the supporting digital and physical evidence and your analysis
— Be prepared to be challenged
— In our case study, because of the significant number of details and movement of the parties, the investigator requests a comprehensive timeline of events for both Claimant and Respondent as opposed to a technical examination report – tie the digital and physical evidence together
— Investigator reserves the right to request background technical information and documentation to corroborate all items in the timeline
Case Study – Workplace Harassment: Reporting / Timeline
— Evidence of Respondent's viewing of pornographic websites and other prohibited activity
   Approximately 1,200 pornographic images located on computer (allocated and unallocated)
   Multiple visits to various pornographic sites over a several-month period
   Approximately 75 e-mails from Claimant's Yahoo! account
   Installed keystroke logging software on Claimant's computer
Case Study – Workplace Harassment: Reporting / Timeline
— Evidence of Claimant's viewing of pornographic websites (most recent first)

Time                 Source                     Activity
06/17/2008 10:35:00  Internet History Analysis  Claimant visits adult website
06/17/2008 10:26:46  Access Key Records         Claimant enters secured IT area on 13th floor
06/17/2008 10:26:33  Access Key Records         Claimant enters 13th floor

— Where was Respondent during this time frame?

Time                          Source              Activity
06/17/2008 10:54:32           Access Key Records  Respondent enters secured IT area on 13th floor
06/17/2008 10:53:53           Access Key Records  Respondent enters 13th floor
06/17/2008 08:37:47–10:53:52  Access Key Records  No entries to any other floors are recorded by Respondent
06/17/2008 09:40:17           Access Key Records  Respondent enters 14th floor pantry
06/17/2008 08:37:46           Access Key Records  Respondent enters 14th floor
Case Study – Workplace Harassment: Reporting / Timeline
— Respondent's spying on Claimant (most recent first)

Time                 Source                     Activity
06/17/2008 18:15:10  Domain Controller Log      Respondent logs off of Claimant's computer
06/17/2008 18:05:23  Internet History Analysis  Respondent installs keylogger software "SoftActivity" on Claimant's computer
06/17/2008 18:00:00  Internet History Analysis  Respondent visits www.softactivity.com using Firefox
06/17/2008 17:55:00  Internet History Analysis  Respondent visits www.dirfile.com/revealer_free_edition.htm using Firefox
06/17/2008 17:54:00  Internet History Analysis  Respondent visits www.keyghost.com
06/17/2008 17:53:00  Internet History Analysis  Respondent visits www.freedownloadscenter.com using Mozilla Firefox and searches for "keystroke"
06/17/2008 17:53:00  Internet History Analysis  Respondent performs another Yahoo! search using Internet Explorer for "free keystroke software"
06/17/2008 17:51:00  Internet History Analysis  Respondent performs another Yahoo! search using Internet Explorer for "keystroke software"
06/17/2008 17:47:00  Internet History Analysis  Respondent visits Yahoo! using Internet Explorer and searches for "Yahoo! password helper"
06/17/2008 17:43:16  Domain Controller Log      Respondent logs on to Claimant's computer using Respondent's user ID
06/17/2008 17:37:23  Access Key Records         Respondent enters secured IT area on 13th floor
06/17/2008 17:35:29  Domain Controller Log      Claimant logs off Claimant's computer
06/17/2008 17:34:57  Domain Controller Log      Respondent logs off Respondent's computer
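A timeline like the one above merges sources that each keep their own native layout into one ordered record, and its probative step is showing that a logon under one person's account is corroborated by that person's physical presence at the machine. The Python below is an added example, not the presentation's code; the domain controller entries, badge entries and browser history lines are constructed samples modelled on the slide rather than the case evidence, and the workstation-to-owner and workstation-to-zone mappings, the host name RespondentPC and the 15-minute corroboration window are assumptions.

```python
from datetime import datetime, timedelta

TS_FORMAT = "%m/%d/%Y %H:%M:%S"

# Constructed sample records modelled on the timeline slide above; they are
# not the case evidence.  Each source keeps its own native column layout.
DC_LOG = """
Claimant|06/16/2008 08:36:58|Logon|ClaimantPC
Respondent|06/17/2008 17:34:57|Logoff|RespondentPC
Claimant|06/17/2008 17:35:29|Logoff|ClaimantPC
Respondent|06/17/2008 17:43:16|Logon|ClaimantPC
Respondent|06/17/2008 18:15:10|Logoff|ClaimantPC
Temp Account|06/18/2008 10:24:27|Logon|ClaimantPC
"""
BADGE_LOG = """
06/17/2008 17:37:23|Respondent|13th floor IT area
06/18/2008 10:26:33|Claimant|13th floor lobby
"""
BROWSER_HISTORY = """
06/17/2008 17:47:00|ClaimantPC|Respondent|Internet Explorer|search.yahoo.com (Yahoo! password helper)
06/17/2008 18:00:00|ClaimantPC|Respondent|Firefox|www.softactivity.com
"""
# Assumed workstation assignments and the badge zone each workstation sits in.
HOST_OWNER = {"ClaimantPC": "Claimant", "RespondentPC": "Respondent"}
HOST_ZONE = {"ClaimantPC": "13th floor IT area", "RespondentPC": "13th floor IT area"}


def _rows(text):
    """Split a pipe-delimited sample into lists of stripped fields."""
    return [[f.strip() for f in line.split("|")] for line in text.strip().splitlines()]


def _ts(s):
    return datetime.strptime(s, TS_FORMAT)


def build_timeline():
    """Merge all sources into (time, source, actor, detail) tuples, oldest first."""
    timeline = []
    for user, ts, event, host in _rows(DC_LOG):
        timeline.append((_ts(ts), "Domain Controller Log", user, f"{event} on {host}"))
    for ts, who, zone in _rows(BADGE_LOG):
        timeline.append((_ts(ts), "Access Key Records", who, f"admitted to {zone}"))
    for ts, host, profile, browser, url in _rows(BROWSER_HISTORY):
        timeline.append((_ts(ts), "Internet History Analysis", profile, f"{browser} on {host}: {url}"))
    return sorted(timeline)


def foreign_logons(max_gap=timedelta(minutes=15)):
    """Logons to a workstation by an account other than its assigned owner.

    Each is paired with that account holder's most recent badge entry into the
    workstation's zone no more than `max_gap` before the logon.  If there is
    none, badge_entry is None: the identity then rests on the account alone,
    which is all a shared account such as "Temp Account" can ever provide.
    """
    badges = [(_ts(ts), who, zone) for ts, who, zone in _rows(BADGE_LOG)]
    findings = []
    for user, ts, event, host in _rows(DC_LOG):
        if event != "Logon" or HOST_OWNER.get(host) == user:
            continue
        logon = _ts(ts)
        entries = [t for t, who, zone in badges
                   if who == user and zone == HOST_ZONE[host] and logon - max_gap <= t <= logon]
        findings.append({"user": user, "host": host, "logon": logon,
                         "badge_entry": max(entries) if entries else None})
    return findings


def render(timeline):
    """One fixed-width line per event, as it would appear in the report appendix."""
    return [f"{t:%m/%d/%Y %H:%M:%S}  {src:<25}  {actor:<12}  {detail}" for t, src, actor, detail in timeline]


if __name__ == "__main__":
    print("\n".join(render(build_timeline())))
    for f in foreign_logons():
        status = f"badge entry at {f['badge_entry']:%H:%M:%S}" if f["badge_entry"] else "NO badge corroboration"
        print(f"{f['logon']:%m/%d %H:%M:%S}  {f['user']} on {f['host']}: {status}")
```

Sorting on the parsed timestamp rather than on the source's own text is what lets a badge event land between two domain controller entries; when the sources come from different clocks, record each source's offset from a reference clock before merging, or the ordering is not defensible.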
Case Study – Workplace Harassment: Social networking evidence also refutes Claimant's story of physical and emotional distress
— Uses pseudonym – same as Yahoo! e-mail account name
— Pseudonym was unique, not common – useful for search engine research
— Google searches revealed social networking profiles or dating profiles on the following sites:
   MySpace
   Facebook
   Multiple dating websites, including at least one nude photo
— MySpace entries during leave of absence include:
   "Are you ready to party?"
   "So where will you be tonight?... I am your new stalker."
   "Thank you so much for the wonderful experience of last Saturday night."
   "We should go and have a blast tonight."
   "I had a blast with you guys! Where is the next party?"
Case Study – Workplace Harassment: Social networking evidence
— Photograph of Claimant located on the Internet, taken at a trendy hotel in New York City
— Taken during the time of Claimant's leave of absence
— The hotel was hosting an event the weekend of June 28–29, 2008
Investigative Process Model – Stage 12: Persuasion and Testimony
• May be necessary to testify or answer questions before decision makers can reach a conclusion
• Much preparation required
• Use techniques and methods to translate technical detail into understandable terms
Case Study – Workplace Harassment: Persuasion and Testimony
— More difficult to explain digital evidence than physical evidence
— If you weren't a digital forensics practitioner, would YOU understand what you were saying?
— Your audience must be able to comprehend what you're telling them in order to make appropriate decisions
— Practice your techniques on a co-worker or lay person if necessary
— For some helpful tips on testifying and conveying information, see http://www.justice.gov/usao/ne/vw/prep%20testify.pdf
Case Study – Workplace Harassment: Investigation results
— After two weeks of investigation, Respondent was terminated for violation of the company's technology usage policy
— Investigation established that Claimant was a 'bad actor' and had also violated the company's technology usage policy
— Claimant filed a demand letter threatening to sue the company while on leave
— Claimant's activity was tracked for six weeks while he was on leave; the activity clearly refuted his claims of physical ailments and emotional distress
— In order to avoid further conflict and possible legal action, the company decided to settle the matter with the Claimant
Summary
• Blended investigation techniques are a crucial must-have in your investigative methodology
• Possible areas to investigate and pursue:
— Digital forensics
— Face-to-face interviews
— Access card logs
— E-mail discovery and review
— Voicemail
— Video surveillance and analysis
— Inventory audits
— Financial statement analysis / forensic accounting
— Anything else relevant to your investigation
Contact information
John Grancarich, EnCE
Practice Support Electronic Discovery Consultant
Paul Hastings Janofsky & Walker LLP
[email protected]