Quick Tips For Preserving Social Media

June 6, 2011

There is no arguing that social media sites are a boon for information related to a case, and not just for Family law, but also for corporate litigation as well.  We have had tremendous success with using social sites to tie component pieces of  a hard drive or cell phone investigation together.

The proliferation of social websites like Facebook can create discovery issues, though: How do you properly preserve a social site?  How do you deal with the opposing side arguing that the request to preserve is “overly burdensome”?

In this article I will walk you through three of the most popular social media sites and some techniques to preserve them easily.

1: Facebook (www.FaceBook.com):  Facebook is probably the easiest site to preserve.  The user can simply go to “Account Settings”, scroll down to “Download Your Information”, and click on “learn more”.  From the Facebook description:

“This tool lets you download a copy of your information, including your photos and videos, posts on your Wall, all of your messages, your friend list and other content you have shared on your profile. Within this zip file you will have access to your data in a simple, browseable manner.”

Once the user clicks “Download”, FaceBook will aggregate the information and email a link to the download.  Depending on how much information is there, this can take several minutes or even hours.

2: LinkedIn (www.LinkedIN.com):  LinkedIN is a site geared more towards a professional profile than Facebook.  We have been successful in using it to uncover additional email addresses, business documents, associations and affiliations primarily in Corporate cases, but it has factored into family law cases before.

The good news is that, while the Facebook preservation method is only useful if you are the specific user, LinkedIN can be documented for the profile information of other users.  The bad news is that it is slightly more complex than Facebook to preserve (but not much more!).

The easiest way to archive a LinkedIN account is to already have one yourself, or to create one.  NOTE: If the person you are archiving has LinkedIN’s upgraded service, or has agreed to let others see when they view a profile, they will be able to see that you viewed their profile.  I’m not going to encourage you to break the Terms of Service by creating an archive account, but that is one way to get around this.

Next, you will want to navigate to Profile-> Profile Organizer.  This is actually a paid service offered by LinkedIN, but usually it has a free 30-day trial.  More importantly, the free trial does not require a credit card.

Once you sign up for the Profile Organizer, you will be able to search for specific individuals, companies, etc.  When you find a profile you can save it to your organizer, archive it, and print it to a PDF.

3: Twitter (www.Twitter.com): Unlike the others, Twitter doesn’t have an actual built-in archiving functionality.  Twitter DOES have a great advanced search function that you can access at: search.twitter.com

Once on the Twitter search site, look for the “Advanced Search” link.  This will allow you to drill into searches by user, dates, topics, specific words or phrases, locations, etc.
Once you have search results, you can print to PDF, save the list, or use the nifty RSS link in the upper right called “Feed for this query”.

Leave a Comment » | Forensics Beyond the Hard Drive, Tools and Tips | Tagged: , , , , , , | Permalink
Posted by inforensics

Eight Strategies To Control Information Forensic Costs

April 12, 2011

I’m often told that the biggest barrier to introducing information forensics to a potential case is the cost of doing so, and I believe it.  It is hard to explain to a client that they may expend resources with no return on the expenditure, and yet effective use of information forensics can be a valuable part of case strategy.  Here are eight strategies to effectively control information forensic cost:

  1. Prioritize Systems. In cases where there are multiple computer systems, hard drives or electronic devices involved, try to identify which ones are more likely to contain key evidence or facts in the case.  Your expert should be willing and able to help you do this, based on the facts of the case and the role of the devices involved.
  2. Image and Hold. Perform forensic imaging of the systems and devices involved to preserve them, but unless there are other factors involved you may not need to do analysis on ALL the systems at once.  Start with the high priority systems, and then see if there is likely to be value on the other systems or devices involved.  “Image and Hold” can also be an effective early strategy for a single computing device as well.
  3. Be Selective. We are often approached with multiple cell phones and hard drives.  One of the first questions I ask is if the cell phones were potentially backed up on one of the computer systems.  If so, then we can often process the backup (or “synch”) of the cell phones just as though we had the cell phone itself.  This helps to prevent duplicating cost.
  4. Evaluate Before Analyze. Full disclosure: This is a self-serving statement, in that Vidoc Razor runs a flat-rate evaluation service, but that doesn’t make it any less true.  Your expert must be able to provide an evaluation of the computer systems involved to identify which devices are useful to a case, versus ones that are redundant or don’t contain case useful information.  Make sure that the evaluation is  in context with the case, and not a simple cookie-cutter print-out of log files.
  5. Look for Flat-Rate Services. I have heard many complaints of forensic costs that run wild because of hourly rates.  It isn’t hard for a forensic service to provide cost-effective, flat rates that still provide high-quality results.  Your expert should be interested in looking for a long-range relationship as part of your legal arsenal, rather than getting rich off of a single big case.
  6. Understand the Differences Between Data, Information, and Intelligence. This seems like semantics, but it really isn’t.  Data is a stream of un-evaluated, un-interpreted symbols.  Information is what data becomes once it is useful (in context).  Intelligence is what information becomes once it becomes fact.  Once you stop thinking about “data forensics” and start utilizing “information forensics” you can find all three in a variety of places beyond the hard drive, or as a supplement to the evaluation or analysis performed on a hard drive or cell phone.
  7. Know Your End-Game. It is easy to get caught in the flood of information that can open up in the effective use of information forensics.  It is equally easy to chase down information that doesn’t necessarily support your overall case strategy.  For each new  tributary that opens up to you, ask yourself if it is actually something that supports your end-strategy, or potentially alters it.  If not, then why spend resources to chase it?
  8. Take a Deep Breath. If I had a nickel for every time I have heard the phrase “I am completely computer illiterate”, I would be living on easy street.  In a Yogi Berra-esque way: “This ain’t rocket surgery.”  For some reason the mere exposure to electronic investigation causes people to shut down.  While information forensics can be very technical, I promise you that the average attorney has dealt with much more complicated issues.  Take a deep breath and enjoy the new strategies and brand new streams of information that open up to you and your client and augment your ability to argue your cases.

Next Post:  Effective Information Forensic Strategy

Leave a Comment » | Forensics Beyond the Hard Drive, Inforensics Opinion, Tools and Tips | Tagged: , , , , , , , | Permalink
Posted by inforensics

Stripping Anonymity From the Internet

January 13, 2011
Stripping anonymity is like peeling an informational onion. It is about tying together otherwise benign pieces of information that, in the aggregate, allow you to identify, uncover, and infer the existence of other pieces of information. 

Pieces of information across the internet can be pulled in from so-called “Dark web” sources (sounds sexy, right? It actually just refers to information that is contained in databases that are not indexed by search engines), public records, search engine indexed information, metadata information contained in posted documents (photos, PDF docs, various graphics formats, etc.), online newsgroups, social media sites to name a few.

Using these pieces of information to uncover locations, associations, activities, behaviors and motives is entirely possible (and, in fact, is done every day in active investigative work), but not in every case. As you may imagine, it is easy for the thread to get broken and for a logical disconnect to occur. The trick is to combine inductive and deductive reasoning with the real information you find, and then to develop theories about other possibly available pieces of information and test those theories.

At a certain point any investigation, electronic or otherwise, will likely require “boots on the ground” to verify assumptions.

For your reading pleasure I’ve provided a link to a popular story back in 2006 about the accidental release of “anonymous” search results by AOL and the subsequent work done by a NY Times reporter in using aggregated information about search queries to strip anonymity.

http://select.nytimes.com/gst/abstract.html?res=F10612FC345B0C7A8CDDA10894DE404482

Wikipedia entry on the same incident:

http://en.wikipedia.org/wiki/AOL_search_data_scandal

Leave a Comment » | Forensics Beyond the Hard Drive, Inforensics Opinion, Tools and Tips | Tagged: , , , , | Permalink
Posted by inforensics

Qualifying An Expert Using Open Source Information

November 2, 2010

“Knowledge is of two kinds. We know a subject ourselves, or we know where we can find information upon it.” – Samuel Johnson

Those that have heard me speak on electronic forensics know well the distinction that I make between data forensics and information forensics (“inforensics“).  The distinction is very clear:  data is a stream of unevaluated symbols, and information is the point at which the symbols become useful.

The inforensics approach also encompasses the use of relevant information and evidence that extends beyond the hard drive and can be used even when there is no hard drive or direct electronic platform available.

Take for example researching experts.  Using “open source information (OSI)”, sometimes referred to as “Publicly Sourced Information”, one can research a retained or opposing expert very effectively.

What Are Your Sources?

Google is a great place to start, and for purposes of this post we will focus primarily on Google – although the attachments to this post include other resources that you may explore as well.  There is definitely “life after Google” and you should explore it.  Possible research sources can include:

  • Newsgroups
  • Social networking sites (Facebook, Myspace, LinkedIN, etc.)
  • Blogs
  • Online news resources
  • Registration databases (websites, public records, etc.)

What Types of Information Are Out There?

In general you will be working with two main categories of information on the web:

  • Indexed Information.  This is information that has been picked up, searched and indexed by a search engine.
  • “Deep Web” or “Dark Web”.  This sounds mysterious, but really just means information that is usually in a database and has not been indexed by a search engine.  The location of a particular database can be found using a search engine, but the information contained within the database is usually accessed directly via the site that provides it, not a search engine.

Registration databases tend to fall into the”Deep Web” category, whereas many newsgroups can be searched directly through Google or a search engine.

What to Look For?

You might start with making a list of information you want to know about your expert, or an opposing expert:

  • Areas that indicate bias.
  • Published works.
  • Attributed quotes.
  • Other activities.
  • Work history.
  • Multiple versions of a CV.

These are just some examples.

Where Do I Start?

Start with the “Google Cheatsheet” PDF document that I have linked to this post.  For life beyond Google you can look at the “Deep Web Cheatsheet” that is attached.

Google Cheatsheet rev. 201011

DeepWeb Cheatsheet rev 201011

Last Minute Tips

If you are not already comfortable doing so, learn how to use “Browser Tabs” in your internet browser.  This will help you organize information you find and will allow you to conduct multiple-threaded searches.

Good luck!  As always, if you are an attorney or member of law enforcement and want to contact me to ask questions feel free to do so.  This post is actually a distillation of a 1.5 hour CLE training, and an 8 hour training that has been done for TCLEOSE credits.  If your law firm, legal association, or branch of LE is interested in the full training, I am happy to help.

Leave a Comment » | Forensics Beyond the Hard Drive, Tools and Tips | Tagged: , | Permalink
Posted by inforensics

Please Disseminate:  Abused Women and Electronic Trace Information (in memory of Sandy B)

February 12, 2010

As many of you know, I recently had a case that ended tragically in a murder/suicide.

My client was an incredible woman who was trying to escape an abusive situation.  She had already fled her home and was working with a safe house.

It is my opinion that her husband used a specific electronic method to obtain information and identify her location.  He then followed her and waited until she came out of a store, ran her down with his vehicle and then took his own life.

Since this occurred I have spoken with a few safe house organizations and have come to realize that, while there is a marked increase in the use of electronic means to track an abused spouse, there is not a corresponding level of information on how to “Cut The Electronic Cord”.

In a recent Houston Chronicle article (Mary Flood, ”Till Texts Do Us Part”, Houston Chronicle, Front Page, 12/17/2009) I covered with Ms. Flood a few of the areas that can be abused on cell phones and mobile devices.  While the article was helpful to a number of people, for some of them it was helpful in a way we had not intended — they were planning to use the information to further their own nefarious ends.

Realizing all of this, I have developed a web seminar that I will offer free to safe house organizations, divorce and family attorneys and abused women to attempt to share my knowledge base in the area of cutting electronic trails.  The webinar is entitled “Cutting the Electronic Cord: Managing Electronic Trace Information” and runs approximately 30 minutes.  I will provide the web seminar facility, call in number, and other resources to make this available.  There will also be a facility to handle live questions.

The seminar is NOT a marketing ploy and there will be absolutely NO commercialization or pitching of any products.

I have chosen my cause – and this is it.

If you are a family attorney or safe house organization you may contact me and schedule the webinar on your timetable.  Please be ready with at least three dates and times so that we can correlate calendars more efficiently.

On a go forward basis, I invite attorneys, safe house organizations and abused women to contact me free of charge for consultation.  I will supply safe house organizations with my direct cell phone for emergency events regarding questions related to electronic tracking means.

I am asking my business contacts, Facebook and Twitter contacts to disseminate this information, as well as my contact information, to appropriate sources so that we can start an education program in earnest.

With regards,

Aaron Hughes, CISSP
Vidoc Razor, LLC
Aaron.Hughes@VidocRazor.com
713-474-2286

1 Comment | Forensics Beyond the Hard Drive | Tagged: , , , | Permalink
Posted by inforensics

Forensics Beyond the Hard Drive: Kindle 2 Logging

June 26, 2009

Platform: Kindle 2

Artifact Type: Log

Information Type: GPS Location

Caveats: Debug mode and 611 logging must be on.

Usefulness: Very Limited

I was interested in what information was available via a Kindle 2 to assist in investigations.  In poking around to see what work others have done I found two sites that were really in depth and had great information:

Kindle Hacking: http://kindle2hacks.com/

Igorsk Blogspot: http://igorsk.blogspot.com/

These two sites do a great job dissecting the Kindle and Kindle 2.

Because inquiring minds want to know, I did a cursory review via FTK and Encase of a brand new Kindle 2, and did not find a whole lot that was very interesting.  Based on my reading of the two blogs above, it seems the more useful bits occur once you have access to the actual filesystem.

One item caught my attention: the “611 Log”.  Upon activating debug mode and turning on this log, one thing immediately stood out:  Latitude and Longitude information.

It is important to say that this log is going to be limited in an actual investigation, but it is worthy of note just the same.

The primary items that limit its usefulness are:

  • It is not on by default
  • It only logs GPS coordinates when the Kindle 2 is actually turned on (screensaver is not “On” for our purposes)
  • The readings are from cell towers, and not actual queries to GPS satellites, so the information is definitely not as accurate.

*** Important Note:  I am not forcing you to do stuff to your Kindle 2, if you do and mess your device up you have no one to blame but yourself.  These steps worked great for me, you take the life of your Kindle 2 in your own hands if you decide to play along. ***

Now that I have doused you with cold water, here is how you actually turn the logging on:

Follow the excellently written directions found on the Kindle2 hacking blog here. Look for the “Enable Debug Mode” section.  Do not continue on through the USB networking section… unless you just want to!

Next, type:   ‘help

That is a single hash, found near the “}” under the Sym menu, followed by the word help.  All of your commands from here on out will be prefaced with that character.  You should see an informational pop-up that looks like this.  Take a moment to enjoy some of the possibilities of what you are seeing.

Next, close the pop-up and type the following: ‘log611

There will be a short hesitation, a screen blink and that is it.  When you plug your Kindle 2 into the USB cable and attach to your system you will find a folder called “611″ and a log that is formatted: YYYY.MM.DD.HH  (Hour in military time).  Open that log and peruse to the “1xRTT” section.  In this section you will find “Latitude” and “Longitude”.  These are the coordinates supplied by the cell tower.

If you turn off the Kindle 2 (ie. hit the slide button so the screensaver comes on) and travel, this log will not add information until you hit the slide again and it has a chance to hop back on the network.

To turn off the logging:  Go to “Menu”> “Settings”.  Then hit “Menu”>Restart.

3 Comments | Forensics Beyond the Hard Drive | Permalink
Posted by inforensics

Follow

Get every new post delivered to your Inbox.