Computer Forensic Investigations Explained by the DoD

If you have been reading my blog lately you have noticed that I’m interested in technology and computer forensics. This has even led me to learn a bit about private investigation work. I took the time to convert a video from the DoD into text so you could read it:

The Many Uses of Computer Forensics

You name the crime and there’s going to be a digital nexus to that crime or it could be anywhere from a homicide, unattended death, espionage, terrorism, maybe a major intrusion. There’s not a case type that I can think of that doesn’t have some computer component to it.

A terminal screen shows a computer hacker typing in commands.

When you think of a hacked computer, you can think of it in terms of a digital crime scene. In almost every general crime investigation these days, you do have a digital evidence component. Anytime there is a computer involved, any type of media, the cyber department is called immediately.

The Changing Digital Landscape

Now the computers have gone from being an element of a crime to actually being a crime scene itself. In a computer forensics examination, our crime scene is the hard drive, the media. That’s where the evidence lies.

You have to take risk anytime that you’re opening up a device and getting at its most complex inner workings. We go any place where the data is.

We have deployments in Afghanistan, going to particular spots where there might be media that we can seize and process.

Cyber-crime leads investigators all over the globe.

They have to respond to something within minutes (if not sooner) because they may be chasing someone, they may be just looking for information on a terrorist cell and it’s only going to be there for a short period of time.

The world we’re fighting today is very different. I would like to do my part in trying to help fight a war that’s not only physical, but it’s cyber.

Digital Detectives are on the Case

Searching for digital evidence in a homicide case, tracking the trail of a computer hacker. Protecting U.S. service members from internet fraud and identity theft. These are all a priority for defense department special agents fighting cyber crime.

They’re on the front lines of a new war being waged around the world and the battleground is cyberspace. They support the growing DoD mission of cyber security, helping to protect defense computer networks and data. With a unique blend of training and skills in law enforcement, forensic science and computer technology, DoD special agents and teams of cyber investigators are cracking computer codes and helping solve crimes.

Whatever the cyber crime may be, DoD Digital Detectives are on the case.

Nearly every NCIS investigation has a cyber dimension. The NCIS technical services division provides agents with investigative expertise and specialized gear.

There’s nothing like actually going to a scene, where there’s people who have been brutally murdered, where there’s a lot of blood or a body that’s been there for a very long time. There’s a lot of smells that go along with that. In criminal cases, we have to understand what we’re looking at with the body. The body is a crime scene in itself. An agent is an agent. Basically, we’re all trained law enforcement officers to work criminal cases and to follow the investigative process to come to an end, to help gather information, gather evidence, solve a crime.

Computer investigations, computer examinations, they often lead to strategies of perpetrators, where they’re going next.

Solving Recent Cases

New developments in the case of the Camp Lejeune Marine who is suspected of murdering pregnant Lance Corporal Maria Lauterbach. An Onslow County, North Carolina grand jury indicted Marine Corporal Cesar Armando Laurean on Thursday on five charges.

Cesar Laurean was already absent without leave, so the fugitive team seized the government computers in an effort to see if there was anything, any communication whatsoever, about the whereabouts of Cesar Laurean or the death of Maria Lauterbach.

Whatever you do on a government computer, we can examine for criminal activity. However, in this case we also got authorization from the commanding officer. Our job as computer forensic examiners is to extract that information from these computers, provide it to a case agent. They can use that for legal proceedings. We look at things like recently accessed files, photographs, documents that were typed, communications.

Cleared your Browser History Lately?

I examined that computer and specifically examined Cesar Laurean’s computer profile for any activity. I found information on his internet history. As you can imagine, we’re in a situation where we need to get information right away. Since he was already on the run, I was looking for specific dates. I wanted to get the last activity that was conducted on his computer. There was a specific MapQuest search for his residence to a particular hotel in Raleigh, North Carolina. He was doing Google searches for defense attorneys, on how to conduct a homicide investigation and job opportunities, classified ads in Puerto Vallarta, Mexico. That gave the fugitive team something to act upon. A viable lead.

A 3-month manhunt for a Marine Corporal charged with the murder of a pregnant fellow Marine has ended with his arrest in Mexico.

That’s the beauty of a computer examination. It gives them insight into their activity. Every aspect, where they may go next? We testified in court, as far as the MapQuest searches, the Google searches and what he was doing. I think it helped the jury, as far as premeditation and the deliberation of Cesar Laurean and his intentions.

Traditional forensics is going into a room and actually jamming the room and finding evidence. However, in a computer forensics examination, our crime scene is the hard drive, the media. That’s where we extract the information from. That’s where the evidence lies. In April of 2008, in the Hampton Roads neighborhood, a female was found in her home.

Her father came home and found her dead.

It looks like somebody tried to restrain her as her arms were tied behind her back.

The female was the daughter of a Navy Sailor. She was half dressed and bound, lying in a pool of blood. NCIS Norfolk Field Office and Portsmouth Police Department opened a joint investigation. Because it was such a heinous crime, we threw a full spectrum of law enforcement resources at this to ensure we caught the assailant. One of those law enforcement resources was computer forensics, which NCIS Cyber Department brought to the table. We obtained the victim’s computer. We discovered numerous email chats, communications. One individual stood out, a Navy Sailor, who was interviewed. He was actually later cleared of the charges of sexual assault and murder.

A Corner Turned

The investigation went on. A few months later a suspect was identified to interview. He had a computer, so we were again called to conduct a forensic examination on the computer. It had email communications and, of course, chats. What the individual said was, “He had done a very bad thing and no one will understand what happened.” It doesn’t mean anything until it’s actually brought together by the forensic examiner and the person connected to the individual who put that information on the computer is identified. The individual pleaded guilty and he was sentenced to 42 years for sexual assault and murder.

Cyber touches every part of everything that NCIS does. We’ve grown from a couple of guys in the Washington area to now being worldwide. As the internet grew, so did the crime involving computers and other electronic media. In some cases, obviously, the digital evidence can expedite you solving a case and other times it can … Yeah, certainly it can slow it down, but it’s an essential part of producing a solid case that you’re going to take to court.

We have to have the ability to get evidence wherever it lies. We have to have every agent running an investigation understand where evidence may be, because digital evidence or just plain evidence, there’s really not any difference. It could be the linchpin to the entire investigation and often it is.

I’ve done computer support to a murder-for-hire investigation. An individual had hired a hitman to kill his wife. We caught him. Things like text messages and email now, all that data links back into the communication that was necessary to prove a very serious criminal conspiracy. The end result, if we had not investigated, had not succeeded in that investigation, would have been death.

With any data, we’re looking to place the suspect at the location of the crime.

A lot of the investigative techniques with cyber investigations are simply an evolution of the general criminal investigative techniques.

The hard drive is just bits and pieces. It’s similar, again, to going into a room and doing traditional forensics. You’re not bringing the whole entire room to court, but you’re bringing the evidentiary pieces to court.

Almost every device you have today is supported and contains digital media, which might be relevant to an investigation or an operation.

Private Investigations: What is Computer Forensics?

Since the computer and the Internet were invented, they have made our lives easier. Computers bring great benefits, especially when it comes to forensics and the gathering of evidence, a field also known as computer forensics. Many private investigators offer computer forensic services.

Computer forensic science concerns information found on computers and digital storage media that can be used as evidence in court against a suspected criminal. Its mission is to identify, preserve, recover, analyze and present facts about digital data. It has most often been used in investigating a wide variety of computer crimes, and it can also be used in civil proceedings. e-Investigations International offers computer forensic services as well.

A private investigator who specializes in computer forensics examines a hard drive for evidence.

Since the Internet is so widely used nowadays and creating a fake online identity is so easy, computer forensics emerged to protect people from cyber-crimes like hacking, identity theft and cyber-bullying. A computer forensic investigation involves recovering and examining digital evidence that can be used in court.

As criminals become more technically inclined, more crimes will be committed online. Naturally, if you are the victim of a cyber-crime, your first instinct will be to find out who did this to you. And the perfect person to hire for this job? A private investigator, of course! While the investigator him or herself is probably not the person who will do the forensic analysis, contacting a PI is probably the easiest and most consumer-friendly way of hiring a computer forensics specialist.

Famous investigations involving computer forensics

Many people have been convicted in court with the help of computer forensics and private investigative work. Some of the better-known cases are:

Dennis Rader: also known as the BTK Killer, convicted of a series of murders committed over almost seventeen years. Investigators cracked the case using a floppy disk that was sent to the police department. The metadata within its files (data embedded in a file, or stored separately from it, that describes the file: its author, date of creation and so on) contained the author name ‘Dennis’ and the location “Christ Lutheran Church”, which helped lead to his arrest.

Joseph Duncan III: a spreadsheet on his computer contained plans to commit crimes. It was used against him in court to show premeditation, and he was sentenced to death.

Sharon Lopatka: hundreds of emails on her computer led investigators to her killer, Robert Glass.

Dr. Conrad Murray: Michael Jackson’s doctor, whose conviction rested in part on digital information investigators found on his computer showing medical information about lethal doses of Propofol.

Computer forensics: The standard process

In conducting a computer forensic investigation, there are standard processes that are usually followed:

  • Acquisition
  • Examination
  • Analysis
  • Reporting

Even with today’s advanced technology, CF still faces problems when investigating cybercrimes and other crimes involving computers, whether hardware or software. These problems are usually technical, administrative or legal. The issues investigators face are discussed in more detail below.

Technical issues

One of the major problems in a CF investigation is a technical issue. A technical issue typically arises when the computer is accidentally or automatically shut down, which prevents the investigators from retrieving or copying data from the suspect’s computer for evidence, or it is due to one of the following:

Encryption

Let’s face it: encrypted data is impossible to open without the correct password or keys. Investigators handling a case usually have problems retrieving evidence from encrypted computers, and acquiring data through live acquisition is impossible or quite hard to do.

Live acquisition is the process in which the investigator or examiner runs a small program on the suspect’s computer to copy its data to the investigator’s storage device. In doing so, the investigator has to make changes to the suspect’s computer, which are not made in the suspect’s presence; however, the evidence found on the suspect’s computer is still considered admissible in court.

Going back to encryption: when retrieving data from the suspect’s computer, investigators have to consider that passwords or keys might be located on other computers the suspect had access to, or might be stored in the volatile memory (also known as RAM) of the computer, which is usually lost when the computer shuts down.

Increasing storage space

When copying or acquiring data from the suspect’s computer, the investigator’s storage device must have ample space, because the information stored on the suspect’s computer is sometimes larger than the investigator’s storage device, in part because stored media and multimedia files take up a large amount of space.

New technologies

With today’s evolving technology, new computer devices, software, hardware and operating systems keep emerging to compete with the latest technology. Honestly speaking, no single investigator is an expert in all areas of CF. To deal with this, investigators have to be prepared and able to test and experiment with the behavior of current technology, especially when they have not encountered a situation before.

Anti-forensics

Anti-forensics is the practice of trying to defeat CF analysis. It can be done through encryption, overwriting information so that it is unrecoverable, modifying file metadata and even ingeniously disguising files. Rest assured, though: anti-forensic tools are often used improperly, or the individual does not know the program well enough, which hinders the attempt.

Legal issues

Certain issues lead to legal action, one being that an investigator is sued or charged by the suspect himself for conducting the CF investigation without his knowledge or consent. An example is acquiring evidence through live acquisition, discussed above under encryption.

One of the reasons is accessing a suspect’s computer that has an installed program called “Trojan Defense”. The Trojan Defense takes its name from the Trojan War of Greek mythology, in which warriors hid inside the wooden Trojan Horse that was taken into the city under siege. Just like the Trojan Horse, the Trojan Defense is computer code disguised as benign that has a malicious purpose and contains hidden information.

With the help of a competent opposing lawyer, it can be argued in court that certain documents or evidence were planted by a Trojan that leaves no trace on the suspect’s computer, a claim supported by a competent computer analyst.

Administrative issues

Administrative issues can also hinder CF investigations, among them standards and the ability or competence of those doing the job. To explain further:

Acceptable standards

Unlike other types of investigation, computer forensics has complex guidelines and standards that investigators have to consider and follow, though only a few are universally accepted. Standards have to be imposed because:

  • The bodies that set the standards are tied to particular legislation
  • The standards are aimed either at law enforcement or at commercial forensics, but never at both
  • The authors of the standards are not accepted by their peers; or
  • The high fees for joining professional bodies dissuade practitioners from practicing CF

Competency to practice CF

In certain jurisdictions there is no qualifying body to check the integrity and competence of CF investigators. There are cases in which people present themselves as CF professionals, leading to questionable CF examination results and an overall negative view of the field.

There are certain techniques to master in the art of computer forensics investigation; the techniques discussed here are the ones used in law enforcement.

Cross-drive analysis

The technique correlates information found across multiple storage devices that together lead to a single piece of evidence. Though still being developed, it can be used to identify social networks and to perform anomaly detection.

Live analysis

It is basically the same as live acquisition: the investigators copy the suspect’s files from the computer by making changes to the running system and installing a program that copies them to the investigator’s storage device.

Deleted files

This technique involves recovering deleted files with modern forensic software that does the job easily. Because most operating systems and file systems do not permanently erase data from the disk, investigators can reconstruct deleted files from the physical disk by meticulously searching the disk image for known file headers and deleted material.
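The header search described above, as an added example that is not part of the original article or of any forensic product it names: a small carver that scans a raw image for known JPEG and PNG signatures, pairs each header with its footer, and hashes what it recovers. The disk image and the three files inside it are constructed inline.

```python
"""Header/footer file carving over a raw disk image.

Added illustration for the 'Deleted files' section above; it is not code
from the original article or from any forensic product the article names.
The disk image is constructed inline: three fake files dropped between runs
of filler with no file-system structure at all, which is the situation
carving is built for (the directory entry is gone but the bytes are not).
"""
import hashlib

# Magic bytes a carver looks for. Offsets come from scanning the raw bytes,
# not from any file-system metadata, so deleted files are still found.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_CARVE = 1 << 20  # abandon a header with no footer within 1 MiB

# Constructed sample files (valid signatures, dummy bodies; not real images).
SAMPLE_JPG1 = b"\xff\xd8\xff\xe0" + b"JFIF-sample-one-" * 8 + b"\xff\xd9"
SAMPLE_PNG1 = b"\x89PNG\r\n\x1a\n" + b"IHDR" + b"sample" * 10 + b"IEND\xaeB`\x82"
SAMPLE_JPG2 = b"\xff\xd8\xff\xe1" + b"second-jpeg-body" * 4 + b"\xff\xd9"


def build_sample_image() -> bytes:
    """Lay the sample files out in a 'disk image' separated by zero filler.

    Layout (byte offsets): JPG1 at 512, PNG1 at 946, JPG2 at 2026.
    """
    return (b"\x00" * 512 + SAMPLE_JPG1
            + b"\x00" * 300 + SAMPLE_PNG1
            + b"\x00" * 1000 + SAMPLE_JPG2
            + b"\x00" * 128)


def carve(image: bytes) -> list:
    """Return carved files as dicts with type, offset, size and SHA-256.

    Every header is paired with the next matching footer within MAX_CARVE
    bytes; a header with no footer (truncated or overwritten file) is
    skipped rather than guessed at. Hashing each carved object lets the
    report reference the exact bytes recovered.
    """
    found = []
    for kind, (head, foot) in SIGNATURES.items():
        pos = image.find(head)
        while pos != -1:
            end = image.find(foot, pos + len(head), pos + MAX_CARVE)
            if end == -1:  # no footer: not a complete file, move on
                pos = image.find(head, pos + 1)
                continue
            data = image[pos:end + len(foot)]
            found.append({"type": kind, "offset": pos, "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            pos = image.find(head, end + len(foot))
    return sorted(found, key=lambda f: f["offset"])


def main() -> None:
    image = build_sample_image()
    for item in carve(image):
        print(f"{item['type']} @ {item['offset']:>6}  {item['size']:>5} bytes  "
              f"sha256={item['sha256'][:16]}...")


if __name__ == "__main__":
    main()
```

Real carvers add per-format validation (chunk lengths, JPEG segment markers) because signature bytes can occur by chance inside other data; the hash of each carved object is what ties a report back to the evidence.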

Stochastic forensics

Using this technique, the investigator reconstructs digital activity from the suspect’s computer and analyzes its emergent properties. The method is widely used to detect and investigate insider data theft by someone who had technical authority to access the data on the computer’s software and hardware.

Steganography

This technique involves hiding data in an image, for example a pornographic picture or any other image, so that the suspect’s data will not be discovered. To detect this, investigators compare the hash of the original image with that of the file the data was hidden in: the images may appear exactly the same, but the hashes differ.
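The hash comparison just described, as an added example that is not from the original article: a reference image and a suspect copy are both constructed inline as raw grayscale pixel buffers, the suspect carrying a short message in its least-significant bits, and the check reports not only that the hashes differ but that every changed byte differs only in bit 0.

```python
"""Hash comparison of a reference image against a suspect copy.

Added illustration for the 'Steganography' section above; not code from
the original article. Both 'images' are constructed inline as raw 8-bit
grayscale pixel buffers rather than a real image format, because the
comparison works on bytes: the suspect copy carries a short message in the
least-significant bits, so its hash differs although no pixel moves by more
than 1 (the two would look identical on screen).
"""
import hashlib
import random

WIDTH, HEIGHT = 64, 32  # constructed sample dimensions


def make_reference() -> bytes:
    """Deterministic pseudo-random pixel data standing in for the original."""
    rnd = random.Random(2024)
    return bytes(rnd.getrandbits(8) for _ in range(WIDTH * HEIGHT))


def lsb_embed(pixels: bytes, message: bytes) -> bytes:
    """Build the constructed suspect copy: one message bit per pixel low bit."""
    bits = [(b >> i) & 1 for b in message for i in range(7, -1, -1)]
    if len(bits) > len(pixels):
        raise ValueError("message does not fit in the image")
    out = bytearray(pixels)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit
    return bytes(out)


def lsb_extract(pixels: bytes, nbytes: int) -> bytes:
    """Examiner's readback: low bit of the first nbytes*8 pixels, MSB first."""
    out = bytearray()
    for i in range(nbytes):
        value = 0
        for pixel in pixels[i * 8:(i + 1) * 8]:
            value = (value << 1) | (pixel & 1)
        out.append(value)
    return bytes(out)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def compare(reference: bytes, suspect: bytes) -> dict:
    """The check from the text: do the hashes match, and if not, how do the
    bytes differ? 'lsb_only' is True when every changed byte differs solely
    in bit 0, the footprint LSB embedding leaves; a re-saved or re-compressed
    copy changes far more than that. It is only meaningful when not identical.
    """
    if sha256_hex(reference) == sha256_hex(suspect):
        return {"identical": True, "changed_bytes": 0, "max_delta": 0,
                "lsb_only": False}
    if len(reference) != len(suspect):
        return {"identical": False, "changed_bytes": None, "max_delta": None,
                "lsb_only": False}
    diffs = [(a, b) for a, b in zip(reference, suspect) if a != b]
    return {
        "identical": False,
        "changed_bytes": len(diffs),
        "max_delta": max(abs(a - b) for a, b in diffs),
        "lsb_only": all((a ^ b) == 1 for a, b in diffs),
    }


def main() -> None:
    reference = make_reference()
    suspect = lsb_embed(reference, b"constructed hidden note")
    print("reference", sha256_hex(reference)[:16], "suspect",
          sha256_hex(suspect)[:16])
    print(compare(reference, suspect))


if __name__ == "__main__":
    main()
```

A mismatched hash alone only proves the two files differ; the byte-level pattern is what separates LSB embedding from an innocent re-save, and it presumes the examiner has a trustworthy copy of the original to compare against.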

Nowadays, with advancing technology, CF investigations are needed more than ever, especially for decoding evidence that may help in court. Certifications in CF are now available, namely:

  • ISFCE Certified Computer Examiner
  • Digital Forensics Investigation Professional (DFIP)
  • IACRB Certified Computer Forensics Examiner

There are also institutions that offer programs and certificates for CF, such as:

  • The International Association of Computer Investigative Specialists (IACIS) – offering Certified Forensic Computer Examiner (CFCE) programs

There are certain companies as well that offer proprietary certificates on their products:

  • Guidance Software – offers the EnCE certificate for its product EnCase
  • AccessData – offers the ACE certificate for its product FTK
  • PassMark Software – offers the OCE certificate for its product OSForensics
  • X-Ways Software Technology – offers the X-PERT certificate for its product X-Ways Forensics

Though there are no college courses in computer forensics, these certificates and courses can assure victims and others who need the help of private investigators that they have the competency to solve the case.

Want to Learn Computer Programming?

Almost anyone can learn to program. There are only a few requirements (like access to a computer), and you do not have to be a genius. (Well… it will help if you are a genius, I suppose, but you don’t HAVE to be one.)

This short article looks at some of the reasons you may have for wanting to learn to program computers, at some things to think about, and at a few different ways to start learning now!


What exactly is it you want to do?

There are a lot of reasons for wanting to learn computer programming, and what you want to do with it can help guide your choice of path. Maybe you are interested in programming as a profession. In that case you will want to make sure you are learning things that will make you attractive to those who hire programmers. But you might just be looking for an interesting hobby, in which case you can be a little more casual about what you learn and focus only on things that interest you.

Maybe you need to customize the applications you use at the office. For example, perhaps you want to program a word processor to produce mailing labels, or a spreadsheet to perform customized financial forecasting, or possibly you want to write computer games, or have a cool web site, or… the reasons are endless, just as the things you can do with a computer are.

The languages you learn will be influenced by these things, along with the approach you take as you begin to learn computer programming.

What resources do you have available?

Time, money, people who will help guide you, computers, books, programming clubs, classes, programming forums… these are all resources that will be handy as you learn to program.

If you have a lot of time and money, a computer, and access to learning opportunities like college courses and developer group meetings, you will likely be able to learn at a quick pace. If you can only spend an hour or so each day, you don’t have your own computer, and you can only get one or two books, you will have to adjust your expectations a bit. But either way, or somewhere in between, you will be able to learn to program.

What is the level of your motivation?

This is a very important consideration. This isn’t going to be easy. You are going to have to keep going even when things seem impossible and you can’t find the answers you need. It takes a fair amount of brain power, will power, and the ability to work things out. You will be well served if you can muster a “stick-it-out” attitude.

One of the attractions of computer programming is that there is a large amount of problem solving, and you will have to solve a lot of problems both while you are learning and when you are using your skills to do useful things. It takes a lot of interest and commitment to stick with it long enough to get somewhere – if this still sounds good to you, you will probably do fine.

So, how do you begin?

There are a lot of ways to go about starting. You can get started today, regardless of how you are going to approach it in the long run. Here are a few tips on getting going quickly:

* Learn with baby steps – Begin with something very easy, and build on it. There is no advantage to jumping in with both feet unless you have unlimited time and resources.

* The quickest way to start might be to use a language that comes with software you already have. For example, you can do a great deal of programming in Microsoft Word using Visual Basic for Applications. Many commercial software applications include a way to extend them using programming or scripting languages.

* Here is another idea to get started quickly: there are easy languages available with almost every operating system (Windows, Linux, Mac) for automating your repetitive tasks. For example, in Windows you can use VBScript. Again, a simple internet search will get you plenty of information.

* Pick a more full-featured language that is available for free – To get started with the least expense and as quickly as possible, one approach is to download a programming environment for free from the internet. For example, you can download the Ruby language and everything you need to work with it for free. Another example is the Microsoft .NET Express languages (VB.NET or C# are good choices) – again, you can download everything you need free of charge from Microsoft. A quick internet search for either “Ruby Language” or “Microsoft .NET Express” will get you all the information you need.

* Use the internet – You already know this or you would not be reading this article, but the internet is full of resources to help you learn to program. That makes sense, since the internet was developed and programmed by programmers. A lot of programmers are willing to share their knowledge through free tutorials, forums, tips sites, and articles. You will find links to a lot of good resources simply by doing a simple search. One thing is certain, there is no shortage of information.

* Work with what you have, or what you can easily obtain – To get started quickly, a strategy to follow is to do something right away and to keep doing something every day. Soon you will be better able to judge which areas are most interesting to you and best fit your needs, and where to get the information you need to keep progressing.

* Buy used books – Many of the book sellers on the internet now offer used books through a network of thousands of book re-sellers and private individuals. You can save a lot of money this way.

* Once you begin, write simple programs that help you automate something that is wasting your time. For example, if every day you make a backup of the files you worked on during the day by copying the files “by hand” to a CD, you could write a program that automatically searches your working folders and copies the files for you, without you having to do anything. The extra time you gain from each little helper program you write is time you can use to learn more about programming.

* Look for a computer programmers’ “user group” somewhere near you. Almost all bigger cities have such groups that meet on a regular basis, usually monthly. Many of these meetings are free, and they usually include demonstrations of “how-to” do various programming tasks. They often also offer study groups and beginners’ sessions. Not all languages are represented in all cities, but anything is better than nothing, so it can be worthwhile to attend any meeting of this type that you can find within a reasonable distance.

* Take a beginners’ course at a local community college or extended studies program. These classes are usually offered at a very reasonable cost, and can help you get started. I have found a number of these classes available online, and if you are eligible for access, it can be very convenient to take a course this way.

It’s time to get started

Programming can be fun, challenging, useful, and profitable. Not everyone has the nature or interest to become a full-time programmer, but almost anyone who can use a computer can learn how to do something useful or enjoyable with computer programming. If you think it really is something you might enjoy, I encourage you to give it a try and find out what it’s all about. It will take time and dedication to become proficient, but it all starts with a single step. So now is the time.