The purpose of this blog -- and the purpose of all of Mr. Wright's public statements -- are public discussion, and not the delivery of legal, technical or other professional advice. If you need advice or complete information, this blog is not the place to get it. Mr. Wright's public statements are offered as-is, with no warranty of accuracy or reliability. Mr. Wright sometimes revises his published ideas. If you use the ideas, you do so at your own risk.
Mr. Wright's public statements on blogs and the like are not intended to advertise or solicit legal services.
Mr. Wright's public contributions to blogs and the like constitute the online update service for the book The Law of Electronic Commerce. Originally released 1991, and revised continually since then, the book is a reference for lawyers, published by Wolters Kluwer Law and Business.
The only person responsible for Mr. Wright's words is Mr. Wright.
Mr. Wright often earns money or other reward from organizations he mentions or links on blogs, such as Messaging Architects, SANS Institute, Credant Technologies, state CPA societies, LabMD and others.
Mr. Wright strives to comply with all applicable laws. He does not have and never has had intention to infringe the rights of anyone. If any person has any information, suspicion or belief that Mr. Wright has done anything illegal or unethical, he asks that person promptly to notify him at 1.214.403.6642, Dallas, TX. Promptness helps mitigate damage.
Any person accessing this blog agrees not to use data from it (or from any other public activity or statement by Mr. Wright) in a way that is adverse to Mr. Wright's interests.
Mr. Wright does not have an attorney-client relationship with any person unless and until he and that person explicitly so agree. Interaction with Mr. Wright through public media does not create an attorney-client relationship. Exchanging private messages with Mr. Wright does not, by itself, form an attorney-client relationship.
Privacy/Security Vision: Some people provide Mr. Wright private information. Mr. Wright strives to treat such information reasonably according to the circumstances. People should have no more than reasonable expectations about information security. It is unreasonable to expect that the offices, computers, cell phones, brief cases, filing cabinets and online or other services used by Mr. Wright are very secure.
Posted at 06:07 PM
Legally Preserving OSINT (Open Source Intelligence)
How should investigators record fast-changing online evidence, such as social media?
Case in point: The Mercer County (New Jersey) Prosecutor’s office followed hundreds of street gang affiliates on Myspace. How did it do that economically? Instead of using seasoned, highly-trained police investigators, it commissioned a team of mere interns. The interns, acting as undercover agents, “friended” target gang affiliates. One fake profile maintained by the interns attracted 180 “friends.”
Collecting evidence from that much online activity can be daunting. Several tools exist, and I’ve previously published demonstrations using webcams and downloaded software.
Free, Easy-to-Use Tools
Here’s another demonstration, which emphasizes low cost, easy-to-use tools. The tools are
Picture this hypothetical setting. The county sheriff’s office needs an efficient way to capture what is happening on a dynamic blog. Information on the blog at this minute could be changed or deleted a minute later. The sheriff’s office has no special equipment, but it does have two investigators who need to remain anonymous. They will be identified by numbers. Their voices will be recorded by microphone, but not their faces by webcam.
Two Witnesses Are Better Than One
The resulting screencast video is a unified package of evidence that captures the interaction of the web better than a mere screenshot does. (Notice, for example, that the screencast video records the action at the beginning of the bad-guy video posted on the blog under investigation. A screenshot would not capture this action.)
The two investigators corroborate the video and corroborate each other. Each investigator signs the video with the unique sounds of his voice. Each speaks the date and time with his unique, identifying voice.
The involvement of two investigator witnesses makes the Sheriff's Office less dependent on any single person to testify as to the authenticity of the video later, such as in court. Witnesses like interns can come and go.
Depending on the use of the video, an authority (such as a judge in a parole hearing) might rely on the video, signed by two witnesses, without requiring direct testimony from either of the witnesses on the video's authenticity.
Cloud Time Stamp
To further corroborate the date, the video is loaded onto Microsoft’s Skydrive. Skydrive (a third party cloud service) shows the time that the video was last modified.
Thus, if the video, dated by the witness voices as October 10, were uploaded on October 10 but then replaced October 25, there would be a mismatch of dates, suggesting that the video in Skydrive is not the one originally created by the investigators.
To further corroborate the date, the investigators could give the video to colleagues, who could store the video in their own time-stamped, cloud-based file-storage accounts.
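The date cross-check described above can be made mechanical. The following is an added example, not code from the original post: it records, at capture time, a SHA-256 fingerprint of the screencast together with the date and time the witnesses spoke, and later compares the copy held by a cloud service (its bytes and its "last modified" time) against that record. The function names, the one-day tolerance and the sample bytes and dates are constructed for illustration; the Skydrive "last modified" value is simulated by a datetime argument rather than fetched from any service.

```python
"""Evidence manifest check: does the stored copy still match what the witnesses signed?"""
import hashlib
from datetime import datetime, timedelta, timezone


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the captured file; any byte change produces a different value."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(video: bytes, witness_ids: list, spoken_time: datetime) -> dict:
    """Record, at capture time, the fingerprint, the witnesses' anonymous numbers
    and the date/time the witnesses spoke into the recording (hypothetical format)."""
    return {
        "sha256": sha256_hex(video),
        "witnesses": witness_ids,
        "spoken_time": spoken_time.isoformat(),
    }


def check_stored_copy(manifest: dict, stored: bytes, storage_modified: datetime,
                      tolerance: timedelta = timedelta(days=1)) -> list:
    """Compare the copy held by the cloud service against the manifest.

    Returns a list of discrepancies (empty means consistent). Two independent
    checks mirror the two corroborations in the post: the content (hash) and
    the date (spoken time versus the service's 'last modified' time)."""
    problems = []
    if sha256_hex(stored) != manifest["sha256"]:
        problems.append("content: stored file differs from the file the witnesses signed")
    spoken = datetime.fromisoformat(manifest["spoken_time"])
    if storage_modified < spoken:
        problems.append("date: storage time is earlier than the time the witnesses spoke")
    elif storage_modified - spoken > tolerance:
        problems.append("date: 'last modified' is well after the spoken date; file may have been replaced")
    return problems


def run_demo() -> tuple:
    """Three constructed scenarios; returns the number of discrepancies in each."""
    original = b"constructed screencast bytes: capture of the blog under investigation"
    spoken = datetime(2011, 10, 10, 14, 30, tzinfo=timezone.utc)
    manifest = make_manifest(original, ["investigator 1", "investigator 2"], spoken)

    # A: uploaded the same afternoon, unchanged -> consistent
    a = check_stored_copy(manifest, original, datetime(2011, 10, 10, 15, 0, tzinfo=timezone.utc))
    # B: replaced on October 25 with an edited file -> content and date mismatch
    b = check_stored_copy(manifest, original + b" (edited)",
                          datetime(2011, 10, 25, 9, 0, tzinfo=timezone.utc))
    # C: same bytes, but re-uploaded October 25 -> content fine, date drift flagged
    c = check_stored_copy(manifest, original, datetime(2011, 10, 25, 9, 0, tzinfo=timezone.utc))
    return len(a), len(b), len(c)


if __name__ == "__main__":
    print(run_demo())
```

Scenario C is the one worth noticing: a re-upload of the identical file passes the hash check, so the spoken date and the service's "last modified" time still have to be compared separately, exactly as the post suggests.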
Auditors and Whistleblowers
The techniques demonstrated here could be applied outside law enforcement. They might be used by auditors, journalists, whistleblowers, public watchdogs, school administrators or private investigators.
Is this video absolutely unassailable as legal evidence? No. The two investigators could have colluded to make all of this up. But collusion is not easy. It requires coordinated lying by two equally unethical people.
It is rare for legal evidence to be perfect. This video is reasonably good.
What do you think?
–Benjamin Wright
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
Related article:
Posted at 02:09 PM in ethics, evidence, investigator, law enforcement, OSINT, social networking, video
To be relevant, credible and accepted, many investigators need to engage with the public. Increasingly that means embracing social media like Twitter and Facebook as a two-way conversation with followers. Failure to interact via social media can leave an investigator looking arrogant and out of touch. Two examples:
1. Roanoke, Virginia, police evacuate and search a shopping mall after a report of a man with a gun. They do not find the man. They publish surveillance camera images of him on Facebook. Local TV news links to the police department’s Facebook page. Facebook viewers debate whether the suspect is carrying a gun or an umbrella. The man in question hears about the investigation and comes to police to show that he was carrying an umbrella. Tim Jones and Aisha Johnson, "Engaging the Public and Protecting Agencies and Personnel on Facebook and Beyond," The Police Chief 78 (July 2011): 58–61.
2. The UK has experienced riots and social unrest, in part fomented by social media and anti-Muslim sentiments. West Midlands police saw that troublemakers, trying to attract a crowd to a rally in Dudley, tweeted, falsely: “Muslims with knives rioting in Dudley #EDL.” Many people retweeted. The police were monitoring this Twitter stream. Then the police tweeted, “There are no Muslims rioting in Dudley – all quiet #EDL.” The public retweeted the police. This pattern of misinformation by the troublemakers and refutation by the police continued. This police interaction helped to discredit the troublemakers and to dampen unrest in Dudley. “Social Media Handbook for Police: Part 12” (“EDL” refers to the right-wing English Defence League.)
Posted at 09:54 AM in law enforcement, police
I am looking for cases and stories about digital evidence that had been collected but could not be used or authenticated (or at least became open to question) on account of problems like these:
1. Investigator could not vouch for the evidence due to the investigator's death, retirement, refusal to cooperate or termination of employment.
2. Investigator committed some kind of error related to his/her securing of the evidence with a digital hash, key or signature. Example: investigator used a private crypto key to "sign" a digital evidence file, but the private key was compromised either before or after its use and therefore the trustworthiness of the evidence diminished.
Have you seen any cases like this? Are any such cases documented?
The reason I am interested is that I've been experimenting with webcam "signed affidavits" by investigators. A signed affidavit might, for example, help to show that a video is authentic and has not been tampered with.
Related post: Signed video of web legal evidence
Posted at 12:58 PM in investigator, litigation, tamper video
Is White Hat "Hacking" Illegal?
Mark Lachniet publishes an excellent paper titled “Hostile Forensics.” He argues that sometimes digital forensics investigators have reason to take actions that are legally and ethically provocative. He calls these actions “hostile forensics.”
Mark frames the topic: “Due to recent developments in counter-forensic technologies such as strong encryption, it may soon be necessary for forensic analysts to use system penetration or ‘hacking’ techniques in order to obtain forensic evidence, a process here referred to as ‘Hostile Forensics.’”
Mark distinguishes “hostile forensics” from traditional forensics. Here is an example of traditional forensics: An investigator analyzes data on a hard drive, with formal authorization from the owner of the drive. The investigator has consent from the person who put the data on the drive. The drive is in the physical possession of the investigator.
Here is an example of “hostile forensics,” as I interpret the idea: A publicly-accountable investigator, with justification, remotely interacts with a marvelously complex cloud of computers, while having something less than formal authority from each owner of each computer. One or more of the computers is in part controlled (or influenced) by a suspicious-acting adversary of the investigator. The investigator’s purpose is to gather evidence that incriminates the adversary.
Mark offers numerous intelligent steps to help cause a “hostile forensics” investigation to fall on the side of good and not evil. He suggests, for instance, that the investigation be subject to detailed recordkeeping and tight supervision over individual investigators.
Hacking Back?
An idea related to “hostile forensics” is a style of computer security that my fellow SANS Instructor John Strand calls “offensive countermeasures.” Sometimes John uses the term “hacking back.”
The range of actions that might qualify as "hostile forensics" or "offensive countermeasures" is huge, limited only by imagination. It includes much more than just the examples that Mark and John articulate.
Illegal?
Do “hostile forensics” or “offensive countermeasures” constitute computer crime? This is an exotic jungle of law, thick with nuance. Much of the law is open for interpretation. Simplistic interpretations of the law here are of little help.
In this field there's a lot of dubious folklore (e.g., "action X is always legal; action Y is always illegal").
In truth, the legality of any given action can be highly dependent on the facts of the particular case. Change the facts slightly from one case to the next, and the conclusion whether an action is legal can change.
Two Observations
I have two big picture observations. Neither of these observations is criticism of Mark or John, and neither of them passes judgment on any particular action.
1. Words Matter. When law and ethics are nuanced, the words we choose carry immense weight. The description of an action can influence the understanding and treatment of the action. Subtleties are important.
(a) Choose Adjectives Carefully
I am reluctant to use the adjectives “hostile” or “offensive” to describe what Mark and John have in mind. Those adjectives carry emotional charges; those adjectives can be interpreted as negative. But Mark and John are talking about actions that are positive and not negative . . . good and not evil . . . legal and not illegal.
Therefore, under a given set of facts, an adjective like “justified,” “responsible” or “proportionate” might better describe an action.
(b) Choose Verbs Carefully
Well-meaning IT folks can be quick to use words like "penetrate" or "hack" or "strike-back" without carefully examining the definition of those words and without considering alternative words. Instead of the verbs "to penetrate" or "to hack," the more accurate verbs to describe an action may be "to confuse," "to tease," "to elicit" or "to regale." Example: "We regaled the adversary bots with a multitude of honeypots."
Alternatively, a more accurate description might be metaphorical. A security or investigative action might best be described as, say, “to depict a clever digital costume.” The reasons for this description might be that:
2. Court Support. Mark mentions the idea of getting court approval, such as a search warrant, for “hostile” action by law enforcement. Good idea. Typically such approval would come after a government agent, such as a prosecutor, requests the approval.
An alternative type of court approval might come from a civil lawsuit brought by a private party such as a corporation. Microsoft is a pioneer in bringing civil lawsuits against cyber adversaries, such as bot herders and spammers. Microsoft has gotten court approval for assertive actions against adversaries. A civil lawsuit might be brought in either state court or federal court.
What do you think?
–Benjamin Wright
Wright teaches the law of data security and investigations at the SANS Institute.
Posted at 03:05 PM in computer fraud abuse act, cyberforensics, ethics
Metadata in Micro-manufactured Products
3D printing creates physical objects as though they were units of digital data. It takes instructions from software to render physical objects by successively adding small points or layers of substance, one after the next.
3D printing will be a bonanza for digital forensics investigators, just as other digital technologies have been.
Digital artifacts -- like spreadsheet documents or digital photographs -- often contain metadata, such as timestamps and information about the source of the artifact (e.g., what software was used to create the artifact). Metadata is often hidden from view. Users are often surprised the metadata exists.
Metadata can be a treasure trove to a forensic investigator who inspects an artifact like a photograph. The investigator might, for instance, determine the time the photo was created, the type of camera that was used, its GPS location, the photo manipulation techniques employed and so on.
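To make concrete how metadata rides along inside an image file unseen by the user, here is an added example that is not part of the original post. It builds a tiny PNG image carrying two text chunks ("Software" and "Creation Time" are standard PNG tEXt keywords; the values are constructed, and "HypotheticalCam" is not a real product), then walks the file chunk by chunk, verifying each chunk's CRC and collecting the text fields an investigator would look for. A CRC failure is reported as an error because a mismatch between the stored checksum and the chunk's content is itself something worth recording.

```python
"""Minimal PNG chunk walker that surfaces the text metadata an image can carry."""
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, 4-byte type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_sample_png(text_fields: dict) -> bytes:
    """Construct a 1x1 grayscale PNG with tEXt chunks (a constructed sample, not a camera file)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)   # width, height, 8-bit, grayscale
    raw_scanline = b"\x00\x00"                              # filter byte + one pixel
    png = PNG_SIGNATURE + _chunk(b"IHDR", ihdr)
    for key, value in text_fields.items():
        # tEXt layout: keyword, NUL separator, Latin-1 text (no compression)
        png += _chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1"))
    png += _chunk(b"IDAT", zlib.compress(raw_scanline)) + _chunk(b"IEND", b"")
    return png


def extract_png_metadata(png: bytes) -> dict:
    """Walk the chunks, verify each CRC, and collect tEXt keyword/value pairs.

    Raises ValueError on a bad signature or a corrupted chunk."""
    if not png.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    found = {}
    while pos + 12 <= len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        ctype = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"CRC mismatch in {ctype!r} chunk")
        if ctype == b"tEXt":
            key, _, value = data.partition(b"\x00")
            found[key.decode("latin-1")] = value.decode("latin-1")
        pos += 12 + length
        if ctype == b"IEND":
            break
    return found


def is_intact(png: bytes) -> bool:
    """True when every chunk's CRC matches its content."""
    try:
        extract_png_metadata(png)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    sample = build_sample_png({"Software": "HypotheticalCam 1.0",
                               "Creation Time": "2011-07-04T10:15:00"})
    print(extract_png_metadata(sample))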
Metadata Surprises in History
History tells many stories of forensic investigators surprising the subjects of investigation with metadata. The more sensational stories involve technology that was new at the time, when the existence of metadata in the technology was little known.
* In the mid-1980s Col. Oliver North was surprised to learn that after he deleted e-mails, his deleted records were recoverable. In addition, the e-mail system he was using kept metadata indicating that he tried to delete relevant records while an investigation was pending.
* When product developers at one employer switched to a competitor, they took a Microsoft Word document with them. While working for the competitor, they claimed they invented new product ideas from scratch. But metadata in the Word document betrayed them. They recorded their “new” ideas in the very Word document they took from the first employer. The metadata in that document contained a code showing the document had been printed on a printer owned by the first employer. That code was the smoking gun; it showed that the plans were not created from scratch after the developers left the first employer. John H. Jessen, “Special Issues Involving Electronic Discovery,” 9 Kansas Journal of Law and Policy 425, 441 (2000).
* More recently, some Twitter users are surprised that sometimes Twitter associates GPS metadata with each tweet to show where the user was when the tweet was sent. The GPS data might be taken from the user’s smartphone. A forensic investigator could use that GPS metadata to show, for example, that a spouse was at the home of a paramour.
Metadata in 3D Printed Objects
It is into this historical context that 3D printing emerges. 3D printing technologies are diverse. But in principle a 3D printer can incorporate words, codes and numbers into the objects it creates.
This web site demonstrates the incorporation of a unique serial number into each 3D printed object: http://www.gomboc.eu/site.php?inc=0&menuId=20. In that example, the serial number is visible to the eye. But serial numbers and other metadata could be hidden from view inside the object, or could be microscopic.
It is natural that the makers of 3D printer technology would embed serial numbers, time stamps, GPS markers and many other codes into objects. The codes can help with billing, shipping, quality control, inventory management and other operations.
3D printing is growing in popularity, and its growth will continue. 3D technology will make it easier and less expensive for anyone to design and print a custom object.
Metadata as Legal Evidence
Eventually, 3D printed objects will be evidence in official investigations, just as spreadsheets and digital photographs are today. When that happens, I anticipate that forensic investigators will be able to harvest metadata from those objects.
For example, suppose a California tax auditor wants to know whether an aircraft part was either designed or manufactured in the state of California. Clues to answer those questions might be embedded as metadata in the aircraft part itself.
What do you think, dear reader?
–Benjamin Wright
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
Related Article: 3D Printing and Copyright Compliance
Posted at 02:18 PM in cyberforensics, evidence
Authenticated Record of What You See When You See It
How should an auditor record his observations as he inspects evidence online?
A multinational auditor in Hong Kong, BDO Limited, needed to inspect the online bank account of a publicly-held Chinese company China-Biotics Inc. (which is traded in the US). The auditor needed to confirm how much cash the company possessed. But when the auditor used a web browser to access the online bank account identified by the company, the auditor became suspicious that the bank web page was fake! Michael Rapoport, “Auditors Sharpen Queries In China,” Wall Street Journal, June 29, 2011.
The auditor resigned on grounds that: “In connection with BDO’s review of the Company’s bank account through the Company’s e-banking system using the Company’s computer, BDO was directed by the Company to access a suspected fake website for the bank.”
Audit Evidence is Now Online
The evidence an auditor must examine is, increasingly, online.* The evidence, such as a web page, could show one thing now and something different an hour later. Auditors need more credible methods for capturing and authenticating what they see. Sure, they can make screenshots, but screenshots are cumbersome and don't capture the full interaction of the web.
The following video demonstrates an alternative. It shows how an auditor can capture a real-time screencast of his observations as he inspects web pages, mobile apps or e-banking accounts. It allows the auditor to bind his observations with simultaneous, eyewitness testimony as to the steps he was taking and his interpretation of what he was witnessing.
Notice the auditor legally signs the final video record (like an affidavit) so that it is authenticated for future use, even if the auditor himself is not available later to vouch for the record. See details.
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
Sometimes online evidence is considered OSINT (open source intelligence).
Posted at 12:46 PM in cyberforensics, evidence, internal audit, OSINT
Corruption Deterrent
Crowdsourcing can be a tool of investigation. An official investigation can gather evidence by urging large numbers of people to submit information such as photographs snapped with smartphones.
First Example: The Controller of the City of Philadelphia has released an iPhone app (the "Philly Watchdog") to help citizens report waste, abuse, fraud or bribery involving city government. A citizen might, for example, use the app to submit a video of a city employee driving recklessly.
Second Example: When a post-hockey game riot (fires, looting, vandalism) broke out in Vancouver, B.C., many witnesses recorded the riot by photo and video. The police later asked that witnesses keep their pictures so that they may be available to help the police identify culprits. Several citizens started public web pages to collect the images and the comments of witnesses.*
Analysis
For the investigator, crowdsourcing is a force multiplier. Furthermore, it invests the public in the investigation, as well as the investigator.
In the two examples of crowdsourced investigations above, the investigator asks for citizens to send evidence directly to the investigator, so the investigator can review it in private. The public web sites in Vancouver can facilitate a more free-form exchange of information among witnesses. But those sites were created by citizens, not official investigators (the police).
Were an official investigator to open a web site or forum where citizens could post publicly-viewable photos and comments, two problems might arise. One, suspects identified on the site might claim that their privacy had been violated. Two, suspects might be defamed when citizens post false or unsubstantiated allegations against the suspects. Some pranksters would be tempted to post photoshopped images.
Anti-Surveillance Laws
Could recordings by citizens violate the privacy of those recorded? Anti-surveillance laws are complex and vary from one place to the next. Generally speaking in the US, the laws do not prohibit the recording of images of people in public view. But they sometimes forbid audio recording of private conversations. (Remember that video cameras often record both images and audio.)
In disputed cases a key question is whether the subject of a recording had a reasonable expectation of privacy at the time.
What about recordings of the police themselves? There are many reports of police officers taking offense when citizens record them. But generally the courts have ruled in favor of citizens and held that anti-surveillance laws (wiretapping and eavesdropping laws) do not prohibit the recording of police officers on duty.
[Update: A New York prosecutor is taking a novel approach to the question whether police officers can be recorded. The prosecutor has indicted a citizen for "obstructing government administration." The citizen, standing in her front yard, video recorded a night-time traffic stop as it unfolded on the street. A police officer told her to go inside her house because he did not feel safe with her presence. When she refused, he arrested her.]
Admissibility of Evidence
If a citizen violates the law to capture evidence, it might not be admissible in court. In Connecticut, for example, electronic evidence gathered by illegal means is inadmissible. See the Connecticut rules of evidence, Sec. 52-184a, which states: "No evidence obtained illegally by the use of any electronic device is admissible in any court of this state."
Illegal gathering of evidence might include using deception in violation of the terms of service for a web site or social media service. How might such deception occur? Here’s an example: a citizen impersonates another person on Myspace (contrary to Myspace’s terms) so that a suspect will “friend” the citizen and then reveal incriminating details about himself.
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
*Update August 2011: Citizens are using publicly-accessible photographs and facial recognition technology to identify rioters in London.
Posted at 07:44 PM in evidence, police, privacy, social networking, video
Dual-Camera Android Devices
Tablets and smart phones are coming equipped with two cameras, one on the back and another on the front. These two cameras make it easy for an investigator to gather and authenticate audio-visual records about physical evidence -- such as graffiti on a fence or the appearance of a murder scene.
The integrity of audio, video and photographic records is easy to enhance if the investigator's device enables multiple files to be attached to outgoing email. Android devices normally do allow multiple attachments to email.
Experience shows that records of email (especially email in an enterprise) are reasonably protected from tampering. This is one reason that email evidence is routinely accepted and relied upon in court.
Therefore, a pretty good technique for an investigator to collect evidence is to (1) make a video record with the back camera, (2) sign and authenticate the first record with a second video, made with the front camera, showing a statement of affirmation by the investigator and (3) send both videos as attachments to a single email addressed to multiple people.
Here is a demonstration:
The investigator can further enhance the integrity of records by speaking date and time directly into the videos made with the mobile device. The spoken date and time should approximately match the timestamp on the email to which the videos are attached.
Is the second video, which signs and authenticates the first video, required? Not necessarily. However, it is useful. It can be persuasive to a judge or jury, in that it visually and auditorily depicts an identified witness confirming a record and taking responsibility. It helps make the email and its attachments more like a formal, legal affidavit. An affidavit may be accorded special weight in an investigation or courtroom hearing.
Mr. Wright teaches the law of data security and investigations at the SANS Institute.
Related Posts: 1. How to make a Gotcha! video
Posted at 08:50 PM in evidence, tamper video, video
Consumer Privacy Bill of Rights
Some codes of privacy say that the holder of personal data must take steps to ensure the “integrity” or “accuracy” of the data.
Why? Such a requirement seems to interrupt the privacy of individuals.
Data Integrity Requirement
Consider Section 303, the “Data Integrity” section of the “Commercial Privacy Bill of Rights” announced April 12, 2011 by US Senators John Kerry and John McCain: “(a) IN GENERAL – Each covered entity shall attempt to establish and maintain reasonable procedures to ensure that personally identifiable information that is covered information and maintained by the covered entity is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm.” (emphasis added)
This Section 303 would give the holder of data an affirmative duty to keep its information about an individual up-to-date. To fulfill that duty the data holder would need to pester or check up on – or search for or track -- the individual. Pestering, checking, searching or tracking seems antithetical to an individual’s desire to be left alone.
In this age of information, each individual has relationships with thousands of commercial entities – merchants, websites, clubs, charities, magazines, advertisers, social networks, mobile app operators, online game impresarios and many others. Technology is causing the number of commercial entities having a relationship with any given individual to grow rapidly. The growth will continue as new technologies like social media are invented.
Let the Relationship Come to an End
Very often, after establishing the relationship the individual is no longer interested in it and just forgets about it. The individual desires to take no steps to terminate or opt out of the relationship because those steps take too much time and attention. And very often today, the individual never hears about the relationship again. The individual and the commercial entity just leave one another alone . . . which achieves the goal of privacy.
Until now, in the US, the commercial entity has no obligation to keep its records accurate and up-to-date.
Still, the commercial entity maintains a record of the relationship. The reasons for maintaining the record are numerous, including compliance with tax, warranty, customer service and consumer protection interests.
As a holder of the record of the relationship, the entity is ready to acknowledge the relationship and support it should the individual ever return. “Hello, Ms. Smith!” says the online game host. “Our records show that you have played cyberspace bingo with us in the past. We are so glad you have returned to test your skills and luck.”
Proactive Updating of Records
But look what Section 303(a) purports to do. It says the commercial entity must keep its records accurate, which means up-to-date. To do that, the entity must be proactive. It must do something, such as send a periodic email, or place a phone call, or conduct some kind of Internet search. Imagine the automated phone call that says, “We are calling you today to update our files.” Are not inquiries like this an annoyance and an encroachment on privacy?
Inaccuracy Promotes Privacy!
Oftentimes for an individual, outdated/inaccurate records actually promote privacy. If Ms. Smith changes her email address and fails to notify a merchant with which she has a relationship, then the merchant cannot bedevil her with emails offering “discounts” and “sales” and “membership privileges.”
Granted, Section 303(a) does have limitations. One of the limitations is that it only applies if the inaccurate information would cause the individual to be denied consumer “benefits.” Yet that is a meaningless limitation. Most any commercial entity will believe that the relationship it has with the consumer provides her “benefits.” Among other things, the relationship enables the entity to reach out (via email, text message, postal mail, Skype chat or who-knows-what-is-the-next-medium-of-communication) to Ms. Smith and urgently notify her that next week cyberspace bingo winners will be given Kewpie Doll avatars that they can post on their Myspace pages!
The drafters should rethink Section 303.
–Benjamin Wright
Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.
Related: Influence of consumer privacy bill of rights on professional investigators
Posted at 01:30 PM in data protection, investigator, privacy
White Hat Computer Crime?
Does a well-intentioned security researcher commit a crime by probing a social network for vulnerabilities?
Some observers have feared the answer is yes. They have speculated that the researcher might enter a computer without authority and thereby violate an anti-hacking law like the federal Computer Fraud and Abuse Act.
The validity of those fears is debatable. And by tradition some web site owners have taken offense to researchers who test their sites for security holes. Tradition suggests that the less discussion of security the better. [For a rough example, see the FBI investigation that emerged after self-proclaimed researchers announced they had acquired sensitive information from AT&T about new iPad owners (although I do not know whether the investigation came as a consequence of a complaint from AT&T).]
But Facebook is pioneering a fresh approach. Facebook feels it can benefit from tests by independent researchers. Rather than forbidding security interrogations, it encourages them, provided they meet some conditions. Facebook says it will not seek punishment of someone who finds a security flaw and then reports it to Facebook a reasonable time before disclosing it to the public (provided the person makes a good effort to avoid abuses like identity theft or data destruction).
[Facebook doesn’t say what it will do if it catches a good researcher who is probing its network, but not finding anything to report.]
Facebook’s strategy suits our modern, networked age. Facebook candidly admits that it can make a mistake. Facebook’s attitude is that while it cannot know everything about its systems, it wants to learn as much as it can, as fast as it can. Thus, it encourages the multitudes on the Internet to find and reveal information Facebook craves. When Facebook opens itself to scrutiny, the cost is low, but the payoff in tips can be high.
These days, being open to talking about dangerous topics can help an enterprise win friends and propel it on a course of constant improvement.
–Benjamin Wright
Mr. Wright, a practicing attorney, teaches the law of data security and investigations at the SANS Institute.
Posted at 01:12 PM in computer fraud abuse act, facebook, law enforcement, social networking