Qualifying An Expert Using Open Source Information

November 2, 2010

“Knowledge is of two kinds. We know a subject ourselves, or we know where we can find information upon it.” – Samuel Johnson

Those who have heard me speak on electronic forensics know the distinction I make between data forensics and information forensics ("inforensics").  The distinction is simple:  data is a stream of unevaluated symbols, and information is the point at which those symbols become useful.

The inforensics approach also encompasses the use of relevant information and evidence that extends beyond the hard drive and can be used even when there is no hard drive or direct electronic platform available.

Take researching experts as an example.  Using "open source information (OSI)", sometimes referred to as "publicly sourced information" (and today more commonly called open-source intelligence, or OSINT), you can research a retained or opposing expert very effectively.

What Are Your Sources?

Google is a great place to start, and for the purposes of this post we will focus primarily on Google, although the attachments to this post include other resources that you may explore as well.  There is definitely "life after Google" and you should explore it.  Possible research sources include:

  • Newsgroups
  • Social networking sites (Facebook, MySpace, LinkedIn, etc.)
  • Blogs
  • Online news resources
  • Registration databases (websites, public records, etc.)

What Types of Information Are Out There?

In general you will be working with two main categories of information on the web:

  • Indexed information.  Content that a search engine has crawled and indexed, so a query against the engine returns it directly.
  • "Deep Web" content (sometimes loosely called the "Dark Web", although that name is now usually reserved for sites reachable only over anonymity networks such as Tor).  This sounds mysterious, but it simply means information that lives in a database and has not been indexed by a search engine.  A search engine can locate the site that holds the database, but the records inside it are queried through that site's own search form, not through the search engine.

Registration databases tend to fall into the "Deep Web" category, whereas many newsgroups can be searched directly through Google or another search engine.

What to Look For?

You might start by making a list of what you want to know about your expert, or an opposing expert:

  • Areas that indicate bias.
  • Published works.
  • Attributed quotes.
  • Other activities.
  • Work history.
  • Multiple versions of a CV, and any inconsistencies between them.

These are just some examples.

Where Do I Start?

Start with the “Google Cheatsheet” PDF document that I have linked to this post.  For life beyond Google you can look at the “Deep Web Cheatsheet” that is attached.

Google Cheatsheet rev. 201011

DeepWeb Cheatsheet rev 201011

Last Minute Tips

If you are not already comfortable doing so, learn to use the tabs in your web browser.  Tabs help you keep the pages you find organized and let you run several lines of research in parallel.

Good luck!  As always, if you are an attorney or a member of law enforcement and want to contact me with questions, feel free to do so.  This post is a distillation of a 1.5-hour CLE training and an 8-hour training that has been given for TCLEOSE credit.  If your law firm, legal association, or branch of LE is interested in the full training, I am happy to help.


New Tricks: Data Mining With Google Spreadsheets

March 22, 2010

Happily, I stumbled across the following link:

Now You Can Mine Data With Google Queries Too

The interesting bit is below the comic, where they reveal a method I hadn't thought of:

Using a query embedded in Google Spreadsheets to mine and graph data in Google’s engine.

While the actual instructions are terse, I was able to get things up and running by visiting the example itself and then copying and pasting the individual cells for examination.

Here is the blow by blow:

First, decide what you want to mine.  One of the examples is income, so we will use that one.

Open up Google Spreadsheets and in cell A2 put (exactly as printed here, every quote being a plain ASCII double quote):

=""""&"I make $"&B2&" per year"""

[NOTE:  WordPress mangles the quotes, so if what you see above contains curly quotes, replace every one of them with a plain double quote or it won't work!  Inside a spreadsheet string a doubled quote stands for one literal quote character; that is how the formula wraps the statement in quotation marks so the search engine treats it as an exact phrase.]

Until B2 is filled in, A2 will show "I make $ per year".

Now in B2 put a dollar amount: 45,000.

You should see your number appear in the statement in A2 now.

Finally, the magic that actually fetches the query information.

Put the following in C2:

=importXML("http://www.google.com/search?num=100&q="&A2, "//p[@id='resultStats']/b[3]")

[NOTE: Same problem here.  WordPress mangles the quotes, so replace every double AND single quote in the formula with its plain ASCII form manually and you will be fine; otherwise you will get an error.]

After a brief load time you should see a number returned.  This is the number of results Google reports for the exact phrase in cell A2.  The XPath picks the third bold element out of the result-count line as Google laid it out at the time of writing ("Results 1 - 100 of about N"); if Google changes the markup of that line, the path has to be updated to match or the cell will show an error instead of a number.

Now copy and paste A2 and C2 down the line and change your values accordingly as you move down.

To create the graph, simply open “Insert->Chart” and choose your graph type.

To populate the chart with your data, clear the box right under "What Data?", then click and drag down column C on your spreadsheet.  Make sure column C is not being used as labels.  You should see your data represented in the preview.

That's it!  The world is now your oyster!  I can't wait to apply this in some cases I am working on; I am still mulling over where this will be most useful, but the possibilities boggle the mind.
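As an added example, not part of the original post or of the linked article, here is the same phrase-count loop in Python instead of a spreadsheet: build the quoted statement from cell A2, build the search URL from cell C2 (with the query URL-encoded explicitly, where the spreadsheet formula just concatenates the raw text), apply the post's XPath to the result page, and collect one count per income.  The HTTP fetch is passed in as a function so the script runs offline: fake_fetch returns constructed pages shaped like Google's 2010-era result header ("Results 1 - 100 of about N"), and the totals in SAMPLE_PAGES are invented for the example, not real search counts.

```python
"""Added example (not the original post's spreadsheet): the "phrase count"
mining loop done in Python, with the HTTP fetch injected so it runs offline
against constructed sample pages."""
from typing import Callable, Dict, List
from urllib.parse import quote_plus, urlencode
import xml.etree.ElementTree as ET

# XPath from the post: third <b> inside <p id="resultStats">.  Google's
# result header at the time read "Results 1 - 100 of about 12,300", so the
# third bold figure is the total.  ElementTree supports this XPath subset.
RESULT_COUNT_XPATH = ".//p[@id='resultStats']/b[3]"


def build_phrase(income: str) -> str:
    """Cell A2 of the post: wrap the statement in double quotes so the
    engine searches for the exact phrase."""
    return f'"I make ${income} per year"'


def build_search_url(phrase: str, num: int = 100) -> str:
    """Cell C2's URL, with the query properly URL-encoded."""
    return "http://www.google.com/search?" + urlencode({"num": num, "q": phrase})


def extract_result_count(html: str) -> int:
    """Apply the XPath to a result page and turn '12,300' into 12300.
    Raises ValueError when the element is missing, which is exactly what
    happens once the page markup no longer matches the path."""
    root = ET.fromstring(html)
    node = root.find(RESULT_COUNT_XPATH)
    if node is None or node.text is None:
        raise ValueError("result count not found; page markup differs from XPath")
    return int(node.text.replace(",", "").strip())


def mine_counts(incomes: List[str], fetch: Callable[[str], str]) -> Dict[str, int]:
    """Columns A to C copied down the sheet: one (phrase -> count) per income."""
    counts: Dict[str, int] = {}
    for income in incomes:
        phrase = build_phrase(income)
        counts[phrase] = extract_result_count(fetch(build_search_url(phrase)))
    return counts


# Constructed sample totals keyed by income.  These figures are invented for
# the example; they are not real search results.
SAMPLE_PAGES = {
    "45,000": 12300,
    "100,000": 8750,
}


def fake_fetch(url: str) -> str:
    """Stand-in for the HTTP request: returns a minimal, well-formed page
    shaped like the 2010-era Google results header for the phrase in URL."""
    for income, total in SAMPLE_PAGES.items():
        if quote_plus(build_phrase(income)) in url:
            return (
                "<html><body><p id='resultStats'>Results <b>1</b> - <b>100</b>"
                f" of about <b>{total:,}</b></p></body></html>"
            )
    # A page without the expected element, as seen when markup changes.
    return "<html><body><p>no results</p></body></html>"


if __name__ == "__main__":
    for phrase, n in mine_counts(list(SAMPLE_PAGES), fake_fetch).items():
        print(f"{phrase}: {n}")
```

Replacing fake_fetch with a real HTTP fetch gives you the spreadsheet's column C; the ValueError path is the one to watch, because a silent zero would be mistaken for a genuine count.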


Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled "Seven Uses of Open-Source Software for the Digital Forensic Lab."  The article was primarily targeted at law enforcement agencies that were having trouble getting funding for their labs.  In addition to making the case for cost savings, I discussed other advantages of running open-source tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the "Seven"; the original article is here:

  1. Case Management: Although designed for CRM, SugarCRM makes a good inexpensive case management system.  It has the added advantage of keeping your case data on a server you control instead of in "the cloud".
  2. Acquisition: The flexibility of dd, for everything from disk imaging to memory dumps and copying out byte ranges, makes it the number one contender in this category.  If you must have an MS-based solution you can also try FTK Imager Lite (not mentioned in the original article).  Whatever you image with, hash the source and the image and keep the hashes with your case notes.
  3. Analysis: Brian Carrier's work on The Sleuth Kit, with the optional graphical front end Autopsy, is well worth supporting (tip of the hat to Dan Farmer and Wietse Venema for their original work on The Coroner's Toolkit).  TSK has the added benefit of being scriptable (I use shell or Perl to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to drivers for NTFS, HFS+, etc., as well as everything you need for MS Office documents via OpenOffice 3.0.  I have had great success with Ubuntu and its variants (Mint).
  6. Virtual Platforms: At the time I wrote the article VMware was offering their player and pre-made virtual systems for download.  If you are running on a Mac you can use Parallels (not free, but very inexpensive) to run various pre-built Linux images.  Even more compelling is Live View, which lets you boot a dd image as a virtual machine without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but the folks at e-fense have given so much value to the rest of the world for so long via Helix that I say "Good on them!".  You can also check out BackTrack 3; just be aware that you risk altering evidence if you boot it incorrectly, since a general-purpose live CD may mount the subject's partitions or swap read-write unless you prevent it.
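
An added example for item 2, not from the original article (and equally applicable to a disk a Mac exposes over FireWire Target Disk Mode, discussed in the next post): a POSIX shell function that images a source with dd and then verifies the image by hash, appending both hashes to a log.  Block size is set to 512 because conv=sync pads the final partial block with zeros; pick a bs that divides the device size exactly (on Linux, compare against blockdev --getsize64), or the padded image will never hash-match the source.  The sha256_of helper falls back to shasum for macOS/BSD, which lack sha256sum.  The source file in the usage note is a random file created just for the example.

```shell
#!/bin/sh
# Added example, not from the original article: image a source with dd and
# record matching hashes, the minimum evidence-handling check a lab wants.
set -eu

# Print the SHA-256 of a file.  GNU coreutils has sha256sum; macOS/BSD ship
# shasum instead.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# acquire_image SOURCE IMAGE LOG
# Copies SOURCE to IMAGE with dd, continuing past read errors and padding
# unreadable blocks with zeros (conv=noerror,sync) so later offsets stay
# aligned, then hashes both and appends the result to LOG.  bs=512 matches a
# 512-byte-sector device; if bs does not divide the source size, sync pads
# the last block and verification fails, which is the intended signal.
# Returns 0 only if the image hash equals the source hash.
acquire_image() {
    src="$1"; img="$2"; log="$3"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>>"$log"
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    {
        echo "source: $src sha256=$src_hash"
        echo "image:  $img sha256=$img_hash"
    } >>"$log"
    [ "$src_hash" = "$img_hash" ]
}

# Usage (run against a constructed sample, never a mounted evidence disk):
#   dd if=/dev/urandom of=sample.bin bs=512 count=16 2>/dev/null
#   acquire_image sample.bin sample.dd acquisition.log && echo "verified"
```

On a real device the source hash is computed from the raw device node (for example /dev/sdb, read-only), so the two sha256_of runs read the disk twice; that extra read is the price of a verifiable image and is standard practice.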

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.


Firewire Target Mode and Other Apple Goodness

March 5, 2009

When performing information forensics on Apple platforms we have a few options for acquisition:

  • FireWire Target Disk Mode (note that the host Mac will auto-mount the target's volumes unless you put a hardware write blocker in between or disable automount first, so image the raw device rather than a mounted volume)
  • BackTrack or Helix 3 (tested on Intel platforms; works great, with some caveats)
  • Pull the drive and do your thing!

Here is an article that describes yet another use for FireWire Target Disk Mode.  It is good to be reminded of the flexibility available through some of these features:

Macworld: "FireWire target disk mode to the rescue"

While I am at it, here is some more wonderful Mac goodness:

TUAW: "Keyboard Shortcuts During Mac OS X Startup"

Somewhat related to the FireWire Target Disk Mode discussion above.

Download YouTube (in HD as well) using Safari or Firefox

(Also useful for other streams.)  Make sure to choose the "HD" format so you get an .mp4 file that iTunes can play; otherwise you will need an FLV player.

Teleport: Control Multiple Macs With One Keyboard and Mouse (a Mac-centric Synergy-like program)

I have long used Synergy, but if you watch your logs you quickly realize that Synergy on a Mac is very "chatty".  Teleport is a good stand-in for Mac-only control.  If you need multiple-OS support, then Synergy is for you.  Here is a Synergy version that is friendlier to Macs.

Are there any “Can’t live without them” features I have left out?


Have Cellphone, Will PDF

January 13, 2009

From Twitter: http://twitter.com/vidocrazor/statuses/1109866285

This is another Gina Trapani "Upgrade Your Life" tip I found that has been HUGE for me.

I am a major whiteboard fanatic – if it were up to me all surfaces of every wall in my life would be covered with whiteboard.

The folks at Qipit.com will take a photo of a page, whiteboard, etc. and convert it to PDF.  The service works straight from your mobile phone (assuming you have a camera and email; you DO have that, right?), requires no software install, and is absolutely free: a killer combination.  Bear in mind that every photo you send passes through a third party's servers, so think before capturing privileged or sensitive case material this way.

As an example:  I have registered my number with Qipit and placed the "copy@qipit.com" email address in my contacts as "Qipit".  Now when I need notes from a whiteboard I simply snap a shot with my iPhone 3G and email it to the "Qipit" contact.  Within seconds I have a PDF version of my whiteboard.

Occasionally the transmogrification will fail; simply realign the shot and repeat, it takes seconds.

The website is here: http://www.qipit.com/


Lifehacker Goodness

January 13, 2009

From Twitter: http://twitter.com/vidocrazor/statuses/1108280366

I discovered Lifehacker not too long ago; there are some incredible gems mixed in among the cruft.

Gina Trapani's book "Upgrade Your Life" is essentially a "best of" for the site and well worth the price of admission.

Some of my favorites from the book:

Quicksilver: Has sped up the use of my Macbook considerably.

Email and File Management: Includes some advanced uses for Spotlight.

Firefox Add-ons: Some of the add-ons recommended by the book have completely altered my management of investigative information gleaned from the web.

Time Management: Several tips from the book have increased my daily output.