Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.” The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open sourced tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven”, the original article is here:

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging to memory and file carving makes it the number one contender in this category.  If you must have a MS based solution then you can also try FTK’s Imager lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit with the optional graphical front-end of Autopsy is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or PERL to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS++, etc. as well as everything you need for MS documents via OpenOffice 3.0. I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMWare was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense  have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.   You can also check out Backtrack 3 – just be aware that you run the risk of altering data if you boot up incorrectly with Backtrack.

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.


Kwame Kilpatrick Asks Skytel for $100M

March 10, 2009

It is being reported that Mayor Kwame Kilpatrick is going after Skytel for the release of the text messages that led to the settlement of the police whistleblower lawsuit against him.

(source: The Detroit News)

It appears that the grounds for this action is the Stored Communications Act.  As a non-attorney I am guessing that this will boil down to a few factors:

  1. Was the police department involved in the production of the text messages (4th amendment),
  2. Was the contract with Skytel to provide messaging services, or storage/retrieval and reporting?

The Stored Communication Act does differentiate between a provider of services, and a provider of storage, so the Skytel contract wording will likely make a difference.

With all of the Kwame Drama aside, this could actually be interesting for providers, contract attorneys, e-discovery and forensics folks as well.

Here is a reference to another case with similar characteristics:

Quon v. Arch Wireless


The Fifth Amendment and Sebastien Boucher: Beyond Knee-Jerk Response

February 27, 2009

In December of 2006, Sebastien Boucher was crossing the US border when he was stopped and his laptop was reviewed by ICE officials.   The laptop was in his backseat and, according to documents, the drive containing the child pornography was accessible without requiring a password.

Mr. Boucher was Mirandized, but waived his rights and continued to talk to the agent.  During this conversation Mr. Boucher told the agent that he sometimes accidentally downloaded child pornography but would then delete the files when he realized what they were.  The agent requested that Mr. Boucher show him where he stored the files that he downloaded and Mr. Boucher directed him to a drive “Z”.

The agent continued to search the laptop and found several more instances of child pornography.  Mr. Boucher was subsequently arrested and the laptop seized (it was shutdown).

Nine days later a forensic bit image was made of the drive and the drive “Z” was found to be encrypted by PGP, and the content unaccessible without the encryption key which, curiously enough, Mr. Boucher has refused to turn over.

In November 2007 Judge Jerome J. Niedermeier granted Sebastien Boucher’s motion to quash the subpoena directing him to turn over his encryption key for the drive, citing his fifth amendment rights.

An appeal was filed and U.S. District Judge William Sessions in Vermont ruled this week that Mr. Boucher does not have a fifth amendment right to keep the files encrypted.

What motivates me most to write about this case is the knee-jerk response that will surely follow by those that only read news releases and not the actual filings in the case.  Both judges have raised some fascinating issues regarding the fifth amendment and this specific case, and both the granting of the motion to quash and the subsequent reversal hinged on specific facts in this case, and NOT a blanket decision as some blogs will have you believe.

Judge Niedermeier weighed issues regarding compulsion to testify (subpoena) and the various components that make up a valid fifth amendment argument. In pondering these points the judge notes:

Both parties agree that the contents of the laptop do not enjoy Fifth Amendment
protection as the contents were voluntarily prepared and are not testimonial. See id. at 409-10 (holding previously created work documents not privileged under the Fifth Amendment). Also, the government concedes that it cannot compel Boucher to disclose the password to the grand jury because the disclosure would be testimonial. The question remains whether entry of the password, giving the government access to drive Z, would be testimonial and therefore privileged.

The state evidently agreed to “not use the production of the password against Boucher.”  In so doing the state felt it would remove the testimonial aspect of entering the password.  Judge Niedermeier rejected this outright, citing United States v. Hubbell, 530 U.S. 27 (2000).

In rejecting further arguments, Judge Niedermeier pointed out that the password was something in Boucher’s mind, and further stated:

This information is unlike a document, to which the foregone conclusion doctrine usually applies, and unlike any physical evidence the government could already know of. It is pure testimonial production rather than physical evidence having testimonial aspects. Compelling Boucher to produce the password compels him to display the contents of his mind to incriminate himself.

In his reversal, Judge Sessions notes that neither side questions the fact that “the contents of the laptop were voluntarily prepared or compiled and are not testimonial, and therefore do not enjoy Fifth Amendment protection.”, but notes that the root of the issue is the production of the password that in effect causes the accused to “‘disclose the contents of his own mind’”.

He also mentions the “compelling” aspect of the subpoena and notes that there are two scenarios under which the act of production in response to a subpoena may communicate incriminating facts:

(1) ‘if the existence and location of the subpoenaed papers are unknown to the government’; or (2) where production would ‘implicitly authenticate’ the documents.” Id. (quoting United States v. Fox, 721 F.2d 32, 36 (2d Cir.1983)).

Drawing from this the judge concludes that because Boucher already let the Government see the drive and the contents (unencrypted) and because the Government does not require Boucher’s production of the unencrypted drive to link him to the files on his computer, then the production is not considered incriminating and so the fifth amendment protection is not valid.

I have to say that without reading the opinions I would assume that because Mr. Boucher was Mirandized, willingly volunteered information regarding the existence and contents of the drive (prior to shutdown and encryption) and willingly allowed a Government agent to browse his drive I would have assumed that he had rung a bell that could not be unrung.

[  Copies of the opinions will be uploaded soon]