ABA Issues Opinion on Social Media Ethics

May 7, 2014

The most common question in cases involving Open Source Intelligence (OSI) to support an electronic investigation, is: “To what extent may an attorney ethically use social media during case investigation and discovery?”

The question is not at all surprising.  The extent to which we can develop and use information from social sites, and other types of OSI, has a really high “creep factor”.  My answer has always been:  “If a person has given up information and made it publicly available to anyone with a browser and knowledge of where to look, then what’s the question?”.

Two weeks ago, the ABA agreed… mostly.  In the ABA’s “Formal Opinion 466”, issued on 4/24/2014, the ABA states, in part:

A lawyer may review a juror’s or potential juror’s Internet presence, which may include postings by the juror or potential juror in advance of and during a trial.

In summarizing, the opinion states:

In sum, a lawyer may passively review a juror’s public presence on the Internet, but may not communicate with a juror. Requesting access to a private area on a juror’s ESM is communication within this framework.
The fact that a juror or a potential juror may become aware that the lawyer is reviewing his Internet presence when an ESM network setting notifies the juror of such review does not constitute a communication from the lawyer in violation of Rule 3.5(b).

While this opinion is specific to jurors, might it also apply to witnesses, attorneys, and other parties to a case?  I would think so.

Link to the ABA Journal’s Final Opinion PDF

Deepweb and Google Cheatsheets Updated

If you are interested in researching OSI (Open Source Intelligence), and are an attorney, you will want to request a login to Vidoc Razor’s RazorSuite.  The RazorSuite includes a connector to conduct your own OSI searches in a fraction of the time, and with more information, than manual techniques.  You can request a login here.

If you prefer to do your own manual work, I have been maintaining two “Effective Internet Search” cheat sheets since 2009. The cheat sheets cover the best sites for developing information manually, as well as how to use Google’s advanced features effectively when performing online searches of people, places, and companies.

Link to the updated DeepWeb Cheat Sheet

Link to the updated Google Search Cheat Sheet

1 Comment | Forensics Beyond the Hard Drive, Inforensics News, Reading, Tools and Tips | Tagged: , , , , , , | Permalink
Posted by inforensics

Open Source Intelligence (OSI) and Your Case

April 2, 2014

Open Source Intelligence (OSI or OSINT) is intelligence collected from sources that are available publicly.  Much of the information fed to the internet by users, collected by advertisers, or otherwise left behind during a person’s interaction with electronic systems (or with retailers and advertisers that store such information electronically and the resell it) can be identified through “deep-“, or “dark-“ web research.  OSI is important enough of a research methodology that many law enforcement agencies, especially Federal, have dedicated resources to OSINT analysis and gathering. 

In civil litigation OSI is an invaluable resource for:

  • Research of retained and opposing experts
  • Information regarding opposing attorneys
  • Witness and litigant information
  • Uncovering other emails, social site accounts, properties, activities, and repositories of information not disclosed

Consider a recent case that I was involved with: The opposing party had disclosed certain online accounts that contained relevant information regarding their corporate history, communications via web mail, and travel.  An OSI search revealed two alternate web mail addresses, as well as a connection with a competing firm, travel information (previously undisclosed), and some “known associates” that had information relevant to the case.  Metadata analysis of documents and photos contained on the newly discovered sites yielded even more information.  None of this information was contained on the hard drive submitted for inspection.

OSI, on the web, is broken down into two main categories: Direct indexed information, and Dark web (or Deep web) information.

Direct indexed information is the category most familiar to practically anyone that uses the web.  It is information that has been picked up and indexed by a search engine and, with the correct search techniques, can be narrowed down to particular people, places and things.  Indexed information typically ends up on the web through three different paths:

Deliberate – Deliberate information is information that is on the web because of the direct interaction of an entity with a web resource.  This could be information that is publicly available because of social sites, website registration, or signing on to public newsgroups and forums. 

Accidental (Through fault of the information Owner) – Often times information is deliberately provided, but the provider of the information didn’t realize that the information would be publicly searchable.  Facebook is a perfect example of where, by not understanding ALL the privacy implications of use, users (or their friends) often provide way more details, photos, or location information than is intended, desirable, or realized.

Accidental (Through fault of the information Custodian) – Very large data breaches are far too common these days.  The reality is that they have been very common for years and years, but focus has only recently been turned towards the size, and frequency of breaches.  Aside from breaches, however, “information leakage” is not at all uncommon.  Information leakage is where a website or internet resource unintentionally will provide more information than the user, or the owner, realize. There are teams of people, advertisers, and intelligence gathering entities that  look for information leak and harvest the results.

Dark (or Deep) Web information sounds very “techie” and mysterious, but in reality simply describes the large portions of the web that contain information that is not indexed by search engines.  Typically these are databases of information that are accessible from a website, registration information, attendance and membership databases and information of that nature.

The challenge with OSI is to compile information both from direct indexed resources and dark web resources, and then correlate and narrow the information so that it accurate to the particular entity that is being researched.  A thorough manual search can be performed using the “cheat sheets” provided with this book.  The challenge is that aggregation, correlation and verification can take many hours.  There are tools available to an attorney that speed up the process.  LexisNexis offers access to a static database through the Accurint tool (http://www.Accurint.com), and Westlaw (http://www.Westlaw.com) also provides static database information as well.  There are any number of smaller sites that offer various degrees of information through static databases. 

Static information can quickly become inaccurate or stale, and there are tools that fill the niche for automated research.  Vidoc Razor maintains such a tool (If you are an attorney, you can request a login at: http://www.vidocrazor.com/RSInfo.php) that actively mines “live” social information, media and publications, photos, as well as location and known relations and associate information.  The information is then aggregated, correlated, and a baseline validity check performed.  The information is available for filtering and refining from a single point, and custom reports can be generated.

Whether using manual techniques, static databases, or automated approaches, the nature of OSI is important to keep firmly in mind:  it is fluid.  The information “lives” and changes as people live and change.  It is also contradictory; some OSI is incredibly volatile and can “evaporate” without warning, while other OSI is incredibly persistent, and will stay available through harvesting techniques even when the information owner is actively trying to remove it.  Any information derived from any of the harvesting techniques discussed must be verified before action is taken on it.

Leave a Comment » | Cases, Forensics Beyond the Hard Drive, Investigation, Tools and Tips | Tagged: , , , , , , | Permalink
Posted by inforensics

Google and Deep Web Search Cheat Sheets Updated

July 18, 2012

The “Deep Web Search” and “Google Search” cheat sheets have been updated to reflect new information and capabilities in conducting your own research on people, places, companies, and other matter-related information.  The links to the newly updated sheets are located below.

Using “open source information (OSI)”, sometimes referred to as “Publicly Sourced Information”, one can research a variety of information related to a case: Retained or opposing experts, litigants, other witnesses, company information, etc.

Effective use of this type of research can uncover bank accounts, holdings, affiliations, activities, locations, social network accounts and a host of other information that would otherwise remain unknown.

Some Background

In mid-2010 Vidoc Razor published free cheat sheets, as well as a blog post on how to use the sheets to research people involved in a matter: Expert witnesses, places, companies, etc. It is worth it to re-read that post to refresh your memory on how to use the sheets.

The original post can be found here: https://inforensics.vidocrazor.com/2010/11/02/qualifyanexpert/

Since then, the sheets have been very popular, and I have updated the sheets on a yearly basis.

Where Do I Start?

Start with the “Google Cheatsheet” PDF document that I have linked to this post.  For life beyond Google you can look at the “Deep Web Cheatsheet” that is attached.

Google Cheatsheet rev 201207

DeepWeb Cheatsheet rev 201207

Leave a Comment » | Tools and Tips | Tagged: , , , , , , , | Permalink
Posted by inforensics

A Simple Plan to Ruin Your Boss: Plant Child Porn On His PC

August 10, 2010

A simple plan to ruin your boss: plant child porn on his PC.

This occurred in the UK in 2006 (it is just now working its way through the courts), and seems extreme.  The reality is that planted evidence can occur in many different forms:  Planted documents, images, and even emails.

While the deception in the UK case was broken through cell phone activity (the perpetrator made an “anonymous” phone call, and had been heard bragging about his exploits at a BBQ), a good forensic examiner goes beyond simple modified, accessed and created times to review other system information that backs up the method of arrival of the information on the system itself:

  • The insertion of USB devices: USB devices can leave quite a trail on a system, including the device manufacturer, type, even sometimes serial numbers.  Further activity supporting the insertion of the device can sometimes be correlated between file history analysis and searches for activity surrounding the specific device ID.
  • Metadata contained within the purported documents: Images, videos, audio files, PDF documents and other file types often have information regarding the date of creation (not necessarily introduction to the system), authorship, serial or license numbers of the product used, sometimes even information about the system that created them.
  • System files: Sometimes the introduction or generation of a file triggers other supporting files on the system.  Examination of these files can tell an investigator whether the file information matches up with what the system knows about the file.
  • Surrounding activity: Other activity on the system related to usage can be an indicator as well.  For example: If a file was supposedly downloaded from the internet, one would expect to see certain other activity surrounding the download if it was generated by the user.

A lot of these same techniques can be used to attack or defend other claims of the so-called “trojan defense” (aka “A Virus must have done it”).

Researching deliberate obfuscation CAN be a challenge, but in situations similar to the UK case a client is not at all dead in the water if an information forensics analyst is competent and able to look at the “Evidence Beyond the Hard Drive”™.

Leave a Comment » | Cases, Investigation | Tagged: , , , , | Permalink
Posted by inforensics

Open Source and the Digital Forensics Lab

March 18, 2009

A while back I wrote an article for Evidence Technology magazine entitled “Seven Uses of Open-Source Software for the Digital Forensic Lab.” The article was primarily targeted towards law enforcement agencies that were having trouble getting funding for their labs.  In addition to building the case regarding cost savings, I discussed other advantages to running open sourced tools.

At recent conferences I have been increasingly approached by law enforcement as well as corporate investigation teams for advice on dealing with budgetary constraints, so it seems time to resurrect the topic.

Here is a summary of the “Seven”, the original article is here:

  1. Case Management: Although designed for CRM functions, SugarCRM actually makes a great inexpensive case management system.  It has the added advantage of allowing you to maintain a local copy instead of “the cloud”.
  2. Acquisition: The flexibility of “dd” for everything from imaging to memory and file carving makes it the number one contender in this category.  If you must have a MS based solution then you can also try FTK’s Imager lite (not mentioned in the original article).
  3. Analysis: Brian Carrier’s work on The Sleuth Kit with the optional graphical front-end of Autopsy is very worthy of support (tip of the hat to Dan Farmer and Wietse Venema for their original work on “The Coroner’s Toolkit”).  TSK has the added benefit of being scriptable (I use shell or PERL to get the job done).  You can check out TSK here.
  4. Miscellaneous: Stegdetect for dealing with steganography, Ophcrack for system passwords, Foremost or Scalpel for scriptable file carving.
  5. OS support: Linux.  You have access to libraries for NTFS, HFS++, etc. as well as everything you need for MS documents via OpenOffice 3.0. I have had great success with Ubuntu and variations (Mint).
  6. Virtual Platforms: At the time I wrote the article VMWare was offering their player and pre-made virtual systems for download.  If you are running off of a Mac you can use Parallels (not free, but very inexpensive) to run various pre-builds of Linux.  Even more compelling is Live View, which allows you to virtually mount and run a dd image without modifying the underlying image.  You can find Live View here.
  7. Mobile Acquisition and Analysis: Helix is no longer free, but those guys at e-fense  have given so much value to the rest of the world for so long via Helix that I say “Good on them!”.   You can also check out Backtrack 3 – just be aware that you run the risk of altering data if you boot up incorrectly with Backtrack.

What are some other “Can’t miss tools”?  Drop a comment in and tell the rest of us.

1 Comment | Tools and Tips | Tagged: , , , , , , , | Permalink
Posted by inforensics