Report Writing for Digital Forensics: Part II

This blog post is a second edition and follow-up to Intro to Report Writing for Digital Forensics, which you have hopefully taken the time to review, digest, and dissect. How the digital forensic practitioner presents digital evidence to the intended audience, regardless of why the report is being prepared, establishes the proficiency of the examination. Take it a step further: how will you present your findings? Effectively reporting what you found during the examination will help you present the report and the digital evidence to whomever your audience is, which may ultimately be a jury in a criminal or civil proceeding. In this post we tackle some more report writing issues. Remember, YMMV depending on what hat you wear in digital forensics and who will receive the findings of your examination. So how can you be effective at completing your forensic report and presenting your findings? Depending on where you fall as a digital forensic examiner/analyst, you have to win in the field to win in the courtroom. This is your time as the examiner/analyst (maybe expert witness?) to tell the story (are you creating a timeline or super-timeline during your analysis?) of the digital evidence, or the lack thereof, and how it relates to the details of the case. This is your time to shine and communicate your work product to your audience. Stick to the facts and be straightforward with the evidence.

If you fail to effectively report your findings, your analysis will quickly be forgotten as your reader is left to draw their own conclusion or, worse, turn elsewhere for the answer. Your forensic report should balance technical detail, presented in a straightforward fashion, and be tailored for your audience. Avoid link dumping or “I used ABC automated forensics tool, exported the SAM registry hive, exported all e-mail & pictures, and burned the report to a CD”. How much of that data is relevant to the case? Recently, Benjamin Wright, Esq. wrote a great article titled “Investigators: How To Write A Report and Store Digital Evidence”. Benjamin states, “As an educational exercise, I have developed a prototype, online investigation report and evidence container. Part check-list, part demonstration, this prototype could be useful for many kinds of non-criminal investigations. Using the Zoho online notebook application, I created the prototype as a teaching tool for my SANS course on the law of investigations.” Take some time to read his blog article and take a look at the Zoho online notebook if you haven’t. As Benjamin points out, this could be a useful tool in non-criminal investigations.

When you are preparing your report, your first section, as I discussed in Part I, will be an “Overview/Case Summary”. In this section, remember you are defining your role in handling the digital evidence and why a forensic examination is being conducted. This is a straightforward abstract/synopsis of your forensic examination; the technical details go in “Findings and Report (Forensic Analysis)”. In some cases a case summary may be sufficient for what your client/prosecutor/attorney is requesting. It is also good to keep a detailed forensic report for your records (per your department/company policy) in anticipation of legal proceedings. Your case summary should be written at a level where the non-technical reader will grasp and understand your findings. Lars Daniel with Guardian Digital Forensics blogged about presenting technical data to a non-technical audience here and here. Corey Harrell has a good blog post here on the Digital Forensic Investigation process. I mention this because you have to know where you are to get where you are going with your investigation, and reporting is an integral part of this process.

Secondly, we discussed “Forensic Acquisition & Exam Preparation”.

Can you explain the forensic acquisition process in layman’s terms to your audience?

Figure 1. Source: Guardian Digital Forensics (reprinted with permission)

Next, we discussed “Findings and Report (Forensic Analysis)”.

What about webpage and browser artifacts that you just recovered for an internal investigation on your corporate network?

Figure 2. Source: Guardian Digital Forensics (reprinted with permission)

How about the deleted document containing sensitive data, that you were able to carve out of unallocated space?

Figure 3. Source: Guardian Digital Forensics (reprinted with permission)

Lastly, we discussed formulating the “Conclusion”.

These are basic processes during the forensic examination. Explaining certain forensic terminology in a non-technical manner can be difficult even for the most seasoned examiner. Remember to find out who will be reading your forensic report. A case summary or abstract may be sufficient if that is what your client/audience expects. Whatever type of case you are involved in, I would strongly recommend completing a formal & complete forensic report, at least for internal documentation and reference. An engagement/incident response/criminal matter could go to court at any time for any number of reasons. Seek advice from your legal department/attorney/district attorney on retention policies & requirements for your company/agency.

Resources: Forensic Focus: Sample Reports and Links

NASA’s Glenn Research Center: Guide to Research and Report Writing


SANS Digital Forensics Blog Reader’s Survey Results

Thank you to all of our readers that took the time to complete our blog reader’s survey. Your participation was very much appreciated and we will use this information to better serve our readers and the forensic community. Our blog has been successful because of you and it is important that we share the results with you. Not every question was answered by everyone that took the survey, so we had a tangible 111 responses (thank you).

Here are the results:



Under “Other (please specify)”, there were a lot of responses for the SANS Institute website, so thank you for including that with your response.

5. Digital Forensic Case Leads is published weekly to share tools both new and old, interesting reads, news items, and more. If you have suggestions or newsworthy items for the Digital Forensic Case Leads posts, please e-mail them to caseleads-at-sans.org. Would you like to see any changes to Case Leads? Please list any comments and recommendations that you have for the Digital Forensic Case Leads here.

From the feedback to this question, our readers enjoy the content that DF Case Leads delivers weekly and felt the current format and frequency was sufficient. Remember, send those stories and digital forensic nuggets to caseleads-at-sans.org.


Under “Other (please specify)”, the common theme was RSS feeds (e.g. Google Reader) and LinkedIn.


“Digital Forensic Tools & How-To’s” was off the charts! Under “Other (please specify)”, malware forensics, live incident response, encryption, remote forensic tools, and case examples were the most mentioned.


Under “Other (please specify)”, email, Yahoo! Groups, and phone were specified.



12. What can the SANS Computer Forensics blog do to improve how we serve the digital forensic community and you as the reader? We enjoy reading your comments and your feedback is always welcome. Please take a minute and let us know what we are doing wrong, what we can do better, and where we can further serve the community.

The survey results will be shared directly with our blog team. Many of you took the time to write lengthy comments and feedback, which was fantastic (thank you)! A common denominator among the comments was a request for more “how-to’s” and for topics for everyone from beginner to advanced. Several readers mentioned that the tool-agnostic and unbiased approach to digital forensics is what makes the blog successful (thank you). You’ve told us how much we ROCK, but if there is an area or topic that needs to be addressed, let us know! Tell a colleague about the SANS Computer Forensics blog! If you have any further comments or suggestions and you would like to contact me directly, you can e-mail me at info-at-computerforensicsource-dot-com.


Mr. Brad Garnett, CCE, GCFA is a computer forensic examiner and law enforcement officer. You can follow Brad on Twitter @bgarnett17 and his blog at www.computerforensicsource.com

SANS Digital Forensics Blog Reader’s Survey

The contributors to the SANS Digital Forensics Blog want to say “thank you,” and to get some feedback from you on the future direction of the blog. Please take a few minutes to complete our reader survey.

The blog has seen a 606% increase in traffic over the last year (Thank You!!), logging over 255,000 unique visits, and 67% of those being new visitors! Those are some great numbers that we are very proud of and we continue to strive to be a leading contributor to the digital forensics community. Our blog authors and contributors come from all walks of life in the digital forensics profession and are leading practitioners in their organizations.

Some of our most viewed articles include:

Recovering Deleted Text Messages from Windows Mobile Devices by Eoghan Casey

Windows 7 Computer Forensics by Rob Lee

Decrypting a PointSec Encrypted Drive Using Live View, VMWare, and Helix by  J. Michael Butler

Digital Forensic SIFTing: SUPER Timeline Analysis and Creation by Rob Lee

Google Chrome Forensics by Kristinn Guðjónsson

The SANS Computer Forensics blog was nominated for and won the award for “Best Digital Forensics Blog” at the 2010 Forensic 4cast Awards, which was streamed via the internet from the SANS Forensic Summit 2010 in Washington D.C., July 8, 2010. It is a great honor to win an award that was voted on by those that make up the digital forensic community.

It has been a great year for the SANS Computer Forensics blog and we want to continue to educate and share information with the digital forensics community. The SANS Computer Forensics blog has been successful because you as the reader hold the blog to a high standard to ensure that we deliver on content. We value your input and feedback. Calling all digital forensic practitioners!!

Please take a few minutes to complete our reader’s survey and tell a colleague (a.k.a. fellow forensicator)! http://www.surveymonkey.com/s/sansforensicsreadersurvey.


Intro to Report Writing for Digital Forensics

So you’ve just completed your forensic examination and found that forensic gem or smoking gun in your case, so how do you proceed? Depending on where you fall as a forensicator (e.g., law enforcement, intelligence, criminal defense work, incident response, e-discovery) you will have to report your findings. Foremost, find out what type of work product you are going to be required to produce to the client, attorney, etc. This will be your guide for completing your report. While the report writing part of the digital forensic examination process is not as fun as the forensic analysis, it is a very important link in the chain as Dave Hull summed it up here in a tweet.

As digital forensic examiners/analysts, we must report and present our findings on a very technical discipline in a simplistic manner. That may be to a supervisor, client, attorney, etc. or even to a judge and jury who will read and interpret your report after it has been cross-examined. Are you prepared to explain your findings? When the case goes to trial and you are called upon to testify a year or more in the future will you be able to remember the case based simply from the details you included in your report?

You’ve probably found yourself at some point diving right into an exam, completing your forensic analysis and effectively going back to the beginning of the exam when it comes time to write the report because of a lack of note-taking during the examination. A solid forensic examination requires detailed notes along the way. What exactly are good notes? Taking screenshots, bookmarking evidence in your forensic application of choice (EnCase, FTK, X-Ways Forensics, etc.), using the built-in logging/reporting options within your forensic tool, highlighting and exporting data items into .csv or .txt files, or even using a digital audio recorder instead of handwritten notes when necessary. Jim O’Gorman provides some good tips for taking good notes during a digital forensic examination. As Jim discusses, there is no wrong way to take notes, nor a standard. Every examiner approaches the note-taking process differently; the important piece is to document, document, document. The more notes you take, the easier your report will be to prepare and finalize. Speaking of notes, Joe Garcia has provided an excellent review and walk-through of using CaseNotes during digital forensics.

Now we take our detailed notes and complete the forensic report to tell the story of what the presence or absence of a digital artifact indicates, regardless of whether it is inculpatory or exculpatory in nature. Your report may include something similar to, or a slightly different flavor of: an overview/case summary, forensic acquisition & exam preparation, findings and report (i.e., forensic analysis), and a conclusion.

Overview/Case Summary

Example:

  1. On today’s date, John Doe contacted my office regarding imaging a stolen laptop computer running Windows® XP Professional that had been recovered. Doe is requesting a forensic examination to determine what company documents may have been stolen by the suspect(s), and is requesting a full forensic examination and report for possible criminal charges & civil litigation.

This section will vary in length. You will include any relevant information regarding what led to you, as the forensic examiner/analyst, becoming involved with the digital evidence. You may only be receiving the forensic image, with someone else having conducted the forensic acquisition; this is a good place to document that, as it will correlate with the chain of custody record that you started the moment you came into contact with the digital evidence. Remember, this is an overview and a summary of how the case was initiated and where you as the examiner/analyst became involved.

Forensic Acquisition & Exam Preparation

Example:

  1. On today’s date I began the forensic acquisition/imaging process of the stolen laptop. Prior to imaging the stolen laptop, I photographed the laptop, documenting any identifiers (e.g., make, model, serial #), unique markings, visible damage, etc. while maintaining chain of custody.
  2. I used sterile storage media (the examination medium) that had previously been forensically wiped and verified by this examiner using ABC tool version 1.0 (MD5 hash value: ed6be165b631918f3cca01eccad378dd). The MD5 hash value of the examination medium matched the value recorded after previous forensic wipes of this media.
  3. At this point, I removed the hard drive from the stolen laptop and connected it to my hardware write-blocker, which is running the most recent firmware and has been verified by this examiner. After connecting the hardware write blocker to the suspect hard drive, I connected the hardware write blocker via USB 2.0 to my forensic examination machine to begin the forensic imaging process…
  4. Etc, etc.

This section is very important, as you must detail your interaction with the digital evidence and the steps taken to preserve and forensically acquire it. Any additional steps that you take (e.g., forensically wiping storage/examination media) should be noted in this section of your report. Remember, this section of your report is usually where you as the examiner/analyst first came into contact with the digital evidence, and thoroughly documenting what you have done is very important to the integrity of the digital evidence and your chain of custody.

Examiner’s Tip: You should have a digital camera in your forensic toolkit. Take a picture of the evidence and document each step of the forensic acquisition and preparation process. Regardless of whether you include the picture in your report or as an exhibit, the picture is a perfect field note for you as the examiner to reference when completing your report.

  • You will also need to state that you verified your forensic image and note the hash values (e.g., MD5, SHA-1). Record the hash of the source device as read through the write blocker alongside the hash of the resulting image; the match is what demonstrates the image is a faithful copy, and re-hashing the image before analysis demonstrates it has not changed since acquisition.
  • You will also need to briefly describe the process you used when making a working copy from the forensic image of the original evidence.
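The verification steps above (checking that the examination medium is still wiped, hashing the source and the image, and writing the values into your notes) as an added Python example for this post. It is not code from the original article or from any forensic tool; the file names, the “ABC tool” style log line and the sample data are constructed inside the script and are not real evidence.

```python
"""Hash verification for the acquisition section: one-pass MD5/SHA-1/SHA-256 of an
image, a sterility check for wiped examination media, and a notes line for the report.

Added example for this post, not code from the original article or from any forensic
tool. File names and the log line format are illustrative; all sample data is
constructed in main() and is not real evidence.
"""
import hashlib
import io
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20                      # 1 MiB reads keep memory flat on large images
DEFAULT_ALGS = ("md5", "sha1", "sha256")


def digest_stream(stream, algorithms=DEFAULT_ALGS):
    """Read the stream once and return {algorithm: hex digest} for every algorithm."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        for h in hashers.values():
            h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data, algorithms=DEFAULT_ALGS):
    return digest_stream(io.BytesIO(data), algorithms)


def digest_file(path, algorithms=DEFAULT_ALGS):
    with open(path, "rb") as f:
        return digest_stream(f, algorithms)


def is_sterile_stream(stream):
    """True when every byte is 0x00, i.e. the examination medium is still wiped."""
    while True:
        block = stream.read(CHUNK)
        if not block:
            return True
        if block.strip(b"\x00"):     # any non-zero byte is residue from a previous case
            return False


def is_sterile_bytes(data):
    return is_sterile_stream(io.BytesIO(data))


def is_sterile_file(path):
    with open(path, "rb") as f:
        return is_sterile_stream(f)


def compare_hashes(actual, expected):
    """Algorithms whose recorded value differs from the fresh one (empty list = verified).
    Case-insensitive because tools print digests in either case."""
    return sorted(alg for alg, value in expected.items()
                  if actual.get(alg, "").lower() != value.lower())


def verification_entry(label, actual, expected):
    """A timestamped notes/report line: what was hashed, whether it verified, the values."""
    mismatches = compare_hashes(actual, expected)
    status = "VERIFIED" if not mismatches else "MISMATCH on " + ", ".join(mismatches)
    stamp = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    values = "; ".join(f"{alg.upper()} {digest}" for alg, digest in sorted(actual.items()))
    return f"{stamp} {label}: {status}; {values}"


def main():
    # Constructed walk-through: a fake "source drive", a byte-for-byte image of it,
    # a wiped examination medium, and the same image after one byte was altered.
    with tempfile.TemporaryDirectory() as work:
        source = os.path.join(work, "source_drive.bin")
        image = os.path.join(work, "image.dd")
        medium = os.path.join(work, "exam_medium.bin")
        with open(source, "wb") as f:
            f.write(bytes(range(256)) * 4096)        # 1 MiB of constructed data
        with open(source, "rb") as src, open(image, "wb") as dst:
            while block := src.read(CHUNK):         # stand-in for the imaging step
                dst.write(block)
        with open(medium, "wb") as f:
            f.write(b"\x00" * CHUNK)

        source_hashes = digest_file(source)         # hashed through the write blocker
        print("examination medium sterile:", is_sterile_file(medium))
        print(verification_entry("image.dd vs source", digest_file(image), source_hashes))

        with open(image, "r+b") as f:               # simulate a change after acquisition
            f.seek(512)
            f.write(b"\xff")
        print(verification_entry("image.dd re-verify", digest_file(image), source_hashes))


if __name__ == "__main__":
    main()
```

Hashing all three algorithms in a single read matters on multi-hundred-gigabyte images, where each extra pass costs hours; MD5 alone is collision-prone, so recording SHA-1 or SHA-256 next to it costs nothing extra here. A match only proves the image equals what the write blocker presented at acquisition time, which is why the notes line is timestamped and why the re-verify step is repeated before analysis.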

Findings and Report (Forensic Analysis)

Example:

  1. After completing the forensic acquisition of the stolen laptop I began analyzing the forensic image of the stolen laptop with Forensic Tool
  2. I used the following tools for forensic analysis, which are licensed to this examiner:
    • Guidance® Software’s EnCase® 6.17
    • SANS Investigative Forensic Toolkit (SIFT) Version 2.0
    • Internet Evidence Finder v3.3
    • RegRipper by Harlan Carvey
    • Microsoft®  Excel 2007
  3. During a review of the Internet history using Internet Evidence Finder, the following data was recovered from sector 117004, which shows a Facebook e-mail between John Doe and Jane Doe. Further analysis shows that John Doe logged into his Google Mail account. See screenshots below:

E-mail between John Doe and Jane Doe.

John Doe logging into Google Mail account.


This is the most detailed section of your report. You will include all artifacts that you find during your analysis relating to the case.

Examiner’s Tip: A very good practice when you are including your evidence into your report is to include hyperlinks within your report to link to pictures, documents, etc. Make sure you test and validate that the hyperlinks work properly so when your report is being reviewed, the reader can navigate easily to the evidence that you are including in your report.

Conclusion

In this section you base your conclusion on the forensic evidence. Remember, the goal of the forensic examination is to report the facts, regardless of whether the evidence is inculpatory or exculpatory in nature. A successful forensic examination is one that is very thorough and in which you “leave no stone unturned”. In the scenario that I provided using a recovered stolen laptop, what else might you include besides e-mail and browser forensics in your analysis to put the suspect in possession of the stolen laptop and at the keyboard? What about registry analysis of the SYSTEM hive to see what IP addresses, DHCP servers and default gateways were assigned to the machine’s network adapters (on Windows XP, under \CurrentControlSet\Services\{Adapter GUID}\Parameters\Tcpip; the same per-interface values are also stored under \CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{Adapter GUID}), which can place the laptop on a particular network? Where else would you look and what would you look for?

This post is for informational purposes and a guide for the new forensic examiner. Your report will vary in length and format. A forensic examination report could be just a few pages in length or maybe 20+ pages, depending on the type of case, department/ company expectations, and policy & procedure.


Internet Evidence Finder Part II: Intro to IEF v3.3

I had an opportunity earlier this year to interview Jad Saliba of JadSoftware.com about his Internet Evidence Finder tool. You can view that interview here. Hopefully, SANS Computer Forensic Blog readers enjoyed the 15% discount that Jad offered exclusively to SANS CF blog readers and have taken the time to add this tool to your forensic toolkit. This post is part of a series and will introduce the functionality of IEF v3.3. You can download the most recent version (v3.5.1 at the time of this article) from JadSoftware.com. A brief recap of what IEF will search for on a mounted drive/folder: Facebook chat, Yahoo! chat (IEF must have the chat username to decode), Windows Live Messenger chat, Google Talk chat, AIM logs, Hotmail webmail fragments, Yahoo! webmail fragments, etc. For a full listing of supported artifacts and limitations visit http://www.jadsoftware.com/go/?page_id=141.

Internet Evidence Finder

IEF has a nice step-by-step wizard that guides you through selecting your source drive/file, your output folder, other options, etc. The great thing about IEF is that if you only have a live memory dump, the hiberfil.sys or the pagefile.sys, you can use it as your source file to search for that forensic nugget. If your forensic image is an .E01 you will need an image mounting utility (e.g., Mount Image Pro) to mount the forensic image read-only and then point IEF at that drive letter.

IEF Source Selection

We can view the results in the directory C:\Documents and Settings\CF\Desktop\IEF Output\IEF Output\IEF – March 19 2010 192620\

03/19/2010  07:26 PM    <DIR>          .
03/19/2010  07:26 PM    <DIR>          ..
03/19/2010  07:26 PM    <DIR>          AIM chat
03/19/2010  07:26 PM    <DIR>          Bebo Chat
03/19/2010  07:26 PM    <DIR>          Facebook Email Snippets
03/19/2010  08:52 PM    <DIR>          Facebook Live Chat
03/19/2010  07:26 PM    <DIR>          Facebook Pages
03/19/2010  07:26 PM    <DIR>          Gmail
03/19/2010  08:52 PM    <DIR>          Hotmail Webmail
03/19/2010  07:26 PM    <DIR>          IE8 InPrivate and Recovery URLs
03/19/2010  11:54 PM             1,335 IEF – Log.txt
03/19/2010  08:52 PM    <DIR>          Messenger Plus! chat
03/19/2010  07:26 PM    <DIR>          MySpace Chat
03/19/2010  07:26 PM    <DIR>          Windows Live Messenger Chat
               1 File(s)          1,335 bytes
              13 Dir(s)  93,659,459,584 bytes free

IEF Output

IEF also creates a text log file that shows what items were searched and a brief summary of the results once IEF is complete. You will notice in the log start and abort times. (Author’s Note: Process aborted for demonstration purposes)

Start time: Mar 19, 2010 19:26:20

Aborted at: Mar 19, 2010 23:54:53

— Start of log —
Internet Evidence Finder v3.3.0 Copyright © 2009 JADsoftware
Search items selected:
  • Hotmail® Webmail fragments
  • Messenger Plus!® chat logs
  • AIM® chat logs
  • Bebo® chat
  • MySpace® chat
  • Gmail® email fragments
  • Windows Live Messenger® chat
  • Facebook® chat
  • Facebook® Email “Snippets”
  • Facebook® web page fragments
  • IE8® InPrivate/Recovery URLs
Search options selected:
————————
Save Windows Live Messenger/MSN® chat logs to a CSV/TSV report file
Selected Source:
—————-
C:\  -  [XP Pro]
Output folder:
————–
C:\Documents and Settings\CF\Desktop\IEF Output\IEF – Mar 19 2010 192620\
———————————
Start time: Mar 19, 2010 19:26:20
———————————
Final results of search:
  • Facebook chat messages found: 2
  • Facebook Webpage fragments found: 0
  • Windows Live Messenger/MSN chat messages found: 0
  • Gmail email fragments found: 0
  • IE8 InPrivate/Recover URLs found: 38
  • AIM chat logs found: 0
  • Messenger Plus! chat logs found: 1
  • MySpace chat messages found: 0
  • Bebo chat messages found: 0
  • Hotmail Webmail fragments found: 1
  • Facebook Email “Snippets” found: 0
———————————
Aborted at: Mar 19, 2010 23:54:53
———————————
— End of log —

Let’s take a look at the output: C:\Documents and Settings\CF\Desktop\IEF Output\IEF – Mar 19 2010 192620\IE8 InPrivate and Recovery URLs\IE8 InPrivate and Recovery URLs Report.csv

IEF IE InPrivate Browser Artifacts

Let’s take a closer look at row# 30: C:   119827947   http://www.tech-recipes.com/rx/780/execute-system-restore-from-the-command-line-safe-boot/   *** None found **

Using your favorite hex editor, let’s look at sector 119827947, where we see the IE8 InPrivate Browsing URL. A quick sanity check before you trust the tool’s sector number: with 512-byte sectors, 119827947 × 512 = 61,351,908,864 = byte offset 0xE48DBD600, which is exactly where the hex editor shows the record begin, so the sector IEF reported and the raw bytes agree.

E48DBD600   D6 00 14 00 1F 00 80 53  1C 87 A0 42 69 10 A2 EA   Ö     €S ‡ Bi ¢ê
E48DBD610   08 00 2B 30 30 9D C0 00  61 80 00 00 00 00 68 00     +00À a€    h
E48DBD620   74 00 74 00 70 00 3A 00  2F 00 2F 00 77 00 77 00   t t p : / / w w
E48DBD630   77 00 2E 00 74 00 65 00  63 00 68 00 2D 00 72 00   w . t e c h - r
E48DBD640   65 00 63 00 69 00 70 00  65 00 73 00 2E 00 63 00   e c i p e s . c
E48DBD650   6F 00 6D 00 2F 00 72 00  78 00 2F 00 37 00 38 00   o m / r x / 7 8
E48DBD660   30 00 2F 00 65 00 78 00  65 00 63 00 75 00 74 00   0 / e x e c u t
E48DBD670   65 00 2D 00 73 00 79 00  73 00 74 00 65 00 6D 00   e - s y s t e m
E48DBD680   2D 00 72 00 65 00 73 00  74 00 6F 00 72 00 65 00   - r e s t o r e
E48DBD690   2D 00 66 00 72 00 6F 00  6D 00 2D 00 74 00 68 00   - f r o m - t h
E48DBD6A0   65 00 2D 00 63 00 6F 00  6D 00 6D 00 61 00 6E 00   e - c o m m a n
E48DBD6B0   64 00 2D 00 6C 00 69 00  6E 00 65 00 2D 00 73 00   d - l i n e - s
E48DBD6C0   61 00 66 00 65 00 2D 00  62 00 6F 00 6F 00 74 00   a f e - b o o t
E48DBD6D0   2F 00 00 00 00 00 00 00  A2 00 00 00 45 00 78 00   /       ¢   E x
E48DBD6E0   65 00 63 00 75 00 74 00  65 00 20 00 53 00 79 00   e c u t e   S y
E48DBD6F0   73 00 74 00 65 00 6D 00  20 00 52 00 65 00 73 00   s t e m   R e s
E48DBD700   74 00 6F 00 72 00 65 00  20 00 66 00 72 00 6F 00   t o r e   f r o
E48DBD710   6D 00 20 00 74 00 68 00  65 00 20 00 43 00 6F 00   m   t h e   C o
E48DBD720   6D 00 6D 00 61 00 6E 00  64 00 20 00 4C 00 69 00   m m a n d   L i
E48DBD730   6E 00 65 00 20 00 2F 00  20 00 53 00 61 00 66 00   n e   /   S a f
E48DBD740   65 00 20 00 42 00 6F 00  6F 00 74 00 20 00 7C 00   e   B o o t   |
E48DBD750   20 00 57 00 69 00 6E 00  64 00 6F 00 77 00 73 00     W i n d o w s
E48DBD760   20 00 7C 00 20 00 54 00  65 00 63 00 68 00 2D 00     |   T e c h -
E48DBD770   52 00 65 00 63 00 69 00  70 00 65 00 73 00 01 00   R e c i p e s
E48DBD780   00 00 00 00 00 00 FF FF  FF FF 00 00 00 00 00 00         ÿÿÿÿ
E48DBD790   00 00 00 00 00 00 00 00  00 00 C0 46 00 00 24 00             ÀF  $
E48DBD7A0   00 00 02 00 00 00 00 00  00 00 FF FF FF FF 20 69             ÿÿÿÿ i
E48DBD7B0   33 25 F9 03 CF 11 8F D0  00 AA 00 68 6F 13 D6 00   3%ù Ï Ð ª ho Ö
E48DBD7C0   00 00 14 00 1F 00 80 53  1C 87 A0 42 69 10 A2 EA         €S ‡ Bi ¢ê
E48DBD7D0   08 00 2B 30 30 9D C0 00  61 80 00 00 00 00 68 00     +00À a€    h
E48DBD7E0   74 00 74 00 70 00 3A 00  2F 00 2F 00 77 00 77 00   t t p : / / w w
E48DBD7F0   77 00 2E 00 74 00 65 00  63 00 68 00 2D 00 72 00   w . t e c h - r
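To validate what IEF reported rather than take the CSV row on faith, you can parse the record yourself. The following is an added Python example for this post, not code from IEF or from the original article. The layout it implements is inferred from the dump above: the 16 bytes after `1F 00` are the little-endian form of {871C5380-42A0-1069-A2EA-08002B30309D}, the Internet Explorer shell namespace CLSID; the next item (size `C0 00`, type `61 80`) carries the null-terminated UTF-16LE URL; a `00 00` terminator closes the item list; and a 32-bit byte count (`A2 00 00 00` = 162) precedes the UTF-16LE page title. The buffer the script parses is constructed in the script from the URL and title in the dump plus a second, made-up record (www.example.com); it is not an evidence file.

```python
"""Parse IE8 InPrivate/Recovery URL records like the one in the hex dump above and map
them back to a sector, so the examiner can cross-check IEF's CSV row against raw bytes.

Added example for this post, not code from IEF or the original article. The layout is
inferred from the dump: a shell item list whose first item is 1F 00 plus the Internet
Explorer CLSID {871C5380-42A0-1069-A2EA-08002B30309D}, a second item holding the
null-terminated UTF-16LE URL, a 00 00 list terminator, then a 32-bit byte count and the
UTF-16LE page title. SAMPLE below is constructed here; it is not an evidence file.
"""
import re
import struct

SECTOR_SIZE = 512
IE_CLSID_ITEM = bytes.fromhex("1F00" "80531C87A0426910A2EA08002B30309D")   # as in the dump
# Fallback for unallocated space: any UTF-16LE http(s):// string made of printable ASCII.
UTF16_URL_RE = re.compile(rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[\x21-\x7e]\x00)+")


def offset_to_sector(byte_offset, sector_size=SECTOR_SIZE):
    """Hex-editor byte offset -> (sector number, offset within that sector)."""
    return divmod(byte_offset, sector_size)


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _utf16z(buf, start, limit):
    """Decode a null-terminated UTF-16LE string at start without running past limit."""
    end = start
    while end + 1 < limit and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[start:end].decode("utf-16-le", errors="replace")


def parse_recovery_records(buf, base_sector=0, sector_size=SECTOR_SIZE):
    """Every record anchored on the IE CLSID item: url, title and where the URL bytes sit."""
    records, pos = [], 0
    while (sig := buf.find(IE_CLSID_ITEM, pos)) >= 0:
        pos = sig + 1
        item1 = sig - 2                          # each item starts with its 16-bit size (cb)
        try:
            if item1 < 0 or _u16(buf, item1) != 2 + len(IE_CLSID_ITEM):
                continue
            items, cur = [], item1               # walk the list until the 00 00 terminator
            while (cb := _u16(buf, cur)) != 0:
                if cb < 2 or len(items) > 8:
                    raise ValueError("malformed item list")
                items.append((cur, cb))
                cur += cb
            if len(items) < 2:
                continue
            url_item, url_cb = items[1]
            url_off = url_item + 2 + 2 + 4       # cb, item type (61 80 in the dump), 4 unknown bytes
            url = _utf16z(buf, url_off, url_item + url_cb)
            tlen_off = cur + 2                   # 32-bit title byte count follows the terminator
            tlen = struct.unpack_from("<I", buf, tlen_off)[0]
            title = buf[tlen_off + 4:tlen_off + 4 + tlen].decode("utf-16-le", errors="replace")
        except (struct.error, ValueError):
            continue
        sector, in_sector = divmod(url_off, sector_size)
        records.append({"sector": base_sector + sector, "offset_in_sector": in_sector,
                        "url": url, "title": title})
    return records


def carve_utf16_urls(buf):
    """Signature-free fallback: (offset, url) for every UTF-16LE URL in the buffer."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_URL_RE.finditer(buf)]


def build_record(url, title):
    """Construct a record in the layout above (test data for this example, not real evidence)."""
    item1 = struct.pack("<H", 2 + len(IE_CLSID_ITEM)) + IE_CLSID_ITEM
    body = b"\x61\x80" + b"\x00" * 4 + url.encode("utf-16-le") + b"\x00\x00"
    body += b"\x00" * (-(2 + len(body)) % 4)    # pad the item to a 4-byte boundary, as in the dump
    item2 = struct.pack("<H", 2 + len(body)) + body
    idlist = item1 + item2 + b"\x00\x00"
    title_bytes = title.encode("utf-16-le")
    return struct.pack("<H", len(idlist)) + idlist + struct.pack("<I", len(title_bytes)) + title_bytes


DUMP_SECTOR = 119827947
DUMP_URL = "http://www.tech-recipes.com/rx/780/execute-system-restore-from-the-command-line-safe-boot/"
DUMP_TITLE = "Execute System Restore from the Command Line / Safe Boot | Windows | Tech-Recipes"
TEST_URL, TEST_TITLE = "http://www.example.com/recovery-test", "Example Domain"

# Constructed four-sector buffer: the dump's record at the start of the first sector and a
# made-up second record 100 bytes into the third. Bytes 0-31 equal the dump's first two rows.
SAMPLE = bytearray(4 * SECTOR_SIZE)
_first, _second = build_record(DUMP_URL, DUMP_TITLE), build_record(TEST_URL, TEST_TITLE)
SAMPLE[0:len(_first)] = _first
SAMPLE[2 * SECTOR_SIZE + 100:2 * SECTOR_SIZE + 100 + len(_second)] = _second
SAMPLE = bytes(SAMPLE)

if __name__ == "__main__":
    for rec in parse_recovery_records(SAMPLE, base_sector=DUMP_SECTOR):
        print(rec)
```

Run against the constructed buffer, the first record’s URL lands at offset 0x1E of sector 119827947, the same place the hex editor shows the `68 00 74 00 ...` bytes, and the parser also yields the page title that sits after the URL. Anchoring on the CLSID item rather than on the outer size field makes the parser tolerant of the record being split across sectors, and `carve_utf16_urls` is the fallback for unallocated space where only the UTF-16 string itself survives; either way, the sector and offset you write in the report come from the bytes, not from the tool.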

Internet Evidence Finder is a good, inexpensive forensic tool to assist the examiner/analyst with parsing internet artifacts that are an important piece of the computer forensic examination. If your examinations include searching for internet artifacts, IEF will help you streamline the process and give you a nice output for reporting and presentation purposes. In Part III of the IEF series, we’ll take a closer look at artifacts of what IEF is reporting and how we validate our findings. Stay tuned…

Mr. Brad Garnett, CCE, GCFA is a law enforcement officer specializing in computer forensics. You can follow Brad on Twitter @bgarnett17 and his blog at www.computerforensicsource.com

Computer Forensic Examiners: PI Licensing Requirement Revisited

Do computer forensic examiners have to be licensed as private investigators? Well, that varies by state. Benjamin Wright has discussed the PI requirement here and Texas PI legislation here. Scott Moulton provided some insight into Michigan and the CISSP requirement here. I do not plan to regurgitate their research or viewpoints, but rather continue the discussion and provide some additional information about another state and the PI licensing requirement. I want to thank Larry Daniel of Guardian Digital Forensics for providing his North Carolina legislation model, which I used as a framework for the position paper that I completed and sent to the Indiana Private Investigator Licensing & Security Guard Board earlier this year.

According to Indiana law, IC 25-30-1-2:

(1) “Person” means an individual, a firm, a company, an association, an organization, a partnership, or a corporation.

(2) “Licensee” means a person licensed under this chapter.

(3) “Private investigator firm” means the business of:

(A) making, for hire or reward, investigation or investigations for the purpose of obtaining information with reference to:

(i) a crime against the state or wrongs done or threatened;

(ii) the habits, conduct, movements, whereabouts, association, transactions, reputation, or character of a person;

(iii) credibility of witnesses or other persons;

(iv) the location or recovery of lost, abandoned, unclaimed, or stolen property;

(v) the causes, origin, or responsibility for fires or accidents or injuries to real or personal property; or

(vi) the truth or falsity of a statement or representation;

(B) securing, for hire or reward, evidence to be used for authorized investigation committees or boards of award or arbitration or in the trial of civil or criminal cases; or

(C) providing, for hire or reward, undercover investigators to detect and prevent fraud and theft in the workplace or elsewhere.

(4) “Board” refers to the private investigator and security guard licensing board established under section 5.2 of this chapter.

(5) “Licensing agency” refers to the Indiana professional licensing agency established under IC 25-1-5-3.

(6) “Business entity” means a firm, a company, an association, an organization, a partnership, or a corporation.

In my position paper, I clearly outlined the distinct differences between roles of a private investigator and a computer forensic examiner. While there are some roles that both professionals share such as gathering evidence and preparing reports anticipating courtroom presentation, a computer forensic examiner applies a technical expertise using scientific methodology. Therefore, if Indiana were to get involved in regulating computer forensic examiners, a separate governing board handling licensing and requirements should be created instead of classifying computer forensic examiners as private investigators.

Those in law enforcement who practice computer forensics in small to medium-size jurisdictions wear multiple hats, juggling the duties of both the investigator and the forensic examiner. Having the ability to separate the duties of the investigator and the forensic examiner aids in maintaining a neutral viewpoint when it comes to examining digital evidence. While recently discussing a case, a colleague and I shared our views on neutrality when it comes to a computer forensic examination. It doesn’t matter if we are in the business of bad guy suppression (thank you Rob), defending the bad guy, e-discovery, or incident response; it is important to remember that we are examiners/analysts/fact finders. At this point in time, Indiana has decided NOT to get involved in regulating computer forensic examiners practicing computer forensics.

The Private Investigator Licensing & Security Guard Board concluded that as long as the computer forensic work being completed does not qualify as Private Investigator or Security Guard work then no PI license would be required. The board also stated, “Neither the Board nor the Indiana Professional Licensing Agency (for a variety of reasons) has an interest in establishing license requirements for Computer Forensic Examiners, or pioneering a new professional board for Computer Forensic Examiners. I appreciate the research you’ve done for the presentation provided to this board. We will continue with the present requirements for firms to obtain a private investigation license whose principal qualifier must meet certain experience requirements which may include, but not limited to specific computer forensics.” So let’s tie it all together. Do computer forensic examiners have to be licensed to practice PI & SG work in Indiana? Yes! Do computer forensic examiners have to be licensed to practice “computer forensics” in Indiana? No! As always consult with an attorney for legal advice and guidance. I commend Indiana’s Professional Licensing Agency and the Indiana Private Investigator Licensing & Security Guard Board for deciding not to regulate computer forensic examiners at this point, but feel this is still vague in several facets and will only need to be revisited in the future. I believe it is imperative for computer forensic examiners/practitioners to know the law in their state(s) of operation and get involved. Contact your legislature or your state’s licensing board (if applicable). I chose to get involved because of the influx and demand for our expertise and the increasing number of times I’m contacted outside the law enforcement community for private sector engagements.

**Disclaimer: This information is being provided “AS-IS” on an informative basis and SHOULD NOT be considered legal advice. Always consult with an attorney for legal advice.**

Mr. Brad Garnett, CCE, GCFA is a law enforcement officer specializing in computer forensics. You can follow Brad on Twitter @bgarnett17

Internet Evidence Finder (IEF): interview with Jad Saliba of JADSoftware.com

Editor’s note: Brad Garnett recently had an opportunity to interview Jad Saliba of JADSoftware about how he got started in computer forensics and about some of his company’s products. Please note that JADSoftware has offered a discount to readers; see the details below.

Q: Jad, take a minute to introduce yourself and give us some insight into your background. How did you get involved in computer forensics and software development?

I’ve been involved in software programming on and off for a long time, going back to my teenage years. I’ve always had an interest in system tools and figuring out what’s going on behind the scenes in a computer. I went to college and studied computer networking and programming, and worked in the industry for a short while before getting into law enforcement, which is another passion of mine. I didn’t want anyone to know about my computer skills when I first got hired! But a few years later I was diagnosed with cancer and after being off for a year fighting with that, I started to think that something a little less stressful and with a better schedule would be a good thing for my family and my health. I approached the head of the Technological Crimes Unit, Eugene Silva, who needed an extra hand and graciously brought me into the unit and has kept me there so far!

Q: You have developed several software tools that can assist computer forensic professionals during the analysis phase of a forensic exam. Tools like Internet Evidence Finder (IEF), FChat (FCT), Encrypted Disk Detector (EDD), and Facebook® JPG Finder (FJF) are all great for the forensic examiner’s toolkit. We are going to focus on IEF. Explain how IEF is used during media analysis and its capabilities/limitations.

JADSoftware's Internet Evidence Finder

IEF is simply a tool that searches for Internet related artifacts on a disk or in a file and parses them out into a readable format. It currently supports 19 different types of artifacts, including things like Facebook chat, Yahoo! Messenger chat, MySpace chat, Hotmail and Yahoo webmail, LimeWire searches, and many more. IEF can be run in a number of different ways. You can run it directly against a drive that is connected via a write-blocker, or on a mounted image (mounted by EnCase’s PDE or a program like Mount Image Pro). If there are specific files or areas you want to search (pagefile.sys/hiberfil.sys files, or unallocated clusters), you could copy these out and point IEF to the specific files or to a folder containing files. As IEF searches the specified item(s), the results are saved to CSV/TSV report files or individual files, depending on the format of the artifact. Statistics are displayed during the search to keep you updated on the progress.

Q: There have been several updates recently to IEF. What are some future enhancements and capabilities in development for IEF?

I hope to add things that include greatly improved reporting features, an option to search unallocated space only, Unicode support, more searches, and a portable version of IEF that could be run on a live system. There’s a long list that I hope to start tackling in the near future.

Q: What programming language did you use when you wrote IEF and why?

I use a mix of Visual Basic and other code, depending on the process. I try to use as many low level system calls as possible to make things run as quickly as the hardware and/or medium will allow. I’m comfortable with Visual Basic and it enables me to easily put my ideas into code while keeping the processes manageable, optimized and running fast.

Q: Do you have any future plans for IEF to be a cross-platform application (i.e. Linux, Mac)?

I don’t have any plans for a cross platform application at this time. However, IEF can search drives formatted in Linux and Mac systems if they are mounted on or directly connected to a Windows system. The drive will appear as a PhysicalDrive(#) without a drive letter and IEF can search that raw drive (point it to the PhysicalDrive# that appears).

Q: You stated that there are plans for developing a portable edition of IEF to be used forensically on a live system. As live forensic acquisitions continue to grow, this would be a great tool for the incident responder/forensic analyst. Explain.

I think IEF is very well geared towards memory dump files created by tools such as ManTech’s MDD and HBGary’s Fastdump PRO. A lot of the testing I do when adding support for new artifacts is with memory dumps. I also have plans for an “IEF Portable” that will run from a thumb drive and could be used with a Windows FE (Forensic Edition) boot disk or other forensic boot disk that would allow IEF to run forensically on the live system. I’m also planning to add a “Quick Search” option for the searches that would only search common areas and things like the pagefile.sys file to give the investigator a quick look or preview of the drive.

Q: Do you have any additional tools in development that you would like to share with the SANS Computer Forensics blog audience?

I’m currently working on an application that will take a list of URLs (or import URLs from a CSV file, such as an Internet history report file) and then visit each URL, taking “scrolling screenshots” of each page and saving them all to an indexed, easy to browse HTML report. I think it will be useful for preserving or visually displaying a portion of a user’s web browsing history, and to show what they may have seen when they visited those URLs. It would be especially useful in situations where no Internet connection is available, such as courtrooms.

Q: What can the forensic community do to make IEF better? Do you have a mailing list or a way users can submit issues or provide feedback on IEF?

I’m always open to suggestions for new features (although I won’t always be able to make them happen!) and bug reports. I just want IEF to be as easy to use, feature rich, and bug-free as possible. I do have a mailing list that folks can sign up on to receive updates when new programs or releases come out. Comments and suggestions can be sent either through the contact page on my website or directly to my email address, jad-at-jadsoftware-dot-com.
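The workflow Jad describes, pointing a carving tool at a mounted image, a raw PhysicalDrive, or exported pagefile.sys/hiberfil.sys/unallocated-cluster files and getting back a CSV report of what it found, can be illustrated with a short script. The following is an added example written for this post; it is not IEF’s code or any JADSoftware product, and the names carve_urls, scan_stream, csv_report and build_sample_blob are this example’s own. It carves only http(s) URLs, from plain ASCII and also from UTF-16LE text (the Unicode support Jad lists as a future enhancement), reads its input in chunks with an overlap so an artifact split across a read boundary is still recovered whole, and runs offline against a constructed byte blob standing in for a pagefile fragment.

```python
import csv
import io
import re

# Characters that may legally appear inside a URL (RFC 3986 unreserved + reserved set).
_URL_CHARS = rb"A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-"
# Plain ASCII http(s) URL, as found in browser caches, pagefiles and unallocated space.
_ASCII_URL = re.compile(rb"https?://[" + _URL_CHARS + rb"]+")
# The same URL stored as UTF-16LE (each ASCII byte followed by 0x00), the encoding
# Windows uses for many in-memory strings and therefore for much of the pagefile.
_UTF16_URL = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:[" + _URL_CHARS + rb"]\x00)+"
)
# Punctuation that almost always belongs to the surrounding text, not the URL.
# (Simplification: a URL that really ends in ')' loses that character.)
_TRAILING = ".,;:'\")]"


def carve_urls(data: bytes, base_offset: int = 0) -> list[dict]:
    """Return every URL-looking string in `data` with its absolute byte offset."""
    hits = []
    for pattern, encoding in ((_ASCII_URL, "ascii"), (_UTF16_URL, "utf-16le")):
        for m in pattern.finditer(data):
            url = m.group().decode(encoding).rstrip(_TRAILING)
            hits.append({"offset": base_offset + m.start(), "encoding": encoding, "url": url})
    hits.sort(key=lambda h: h["offset"])
    return hits


def scan_stream(stream, chunk_size: int = 1 << 20, overlap: int = 4096) -> list[dict]:
    """Carve a large file or image read sequentially in fixed-size chunks.

    The last `overlap` bytes of each chunk are re-scanned together with the next
    chunk, so an artifact straddling a read boundary is still found whole. A
    truncated match from the earlier pass is replaced by the longer match found
    at the same offset. Artifacts longer than `overlap` can still be split.
    """
    best = {}
    carry = b""
    pos = 0                      # absolute offset of carry[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = carry + chunk
        for h in carve_urls(buf, base_offset=pos):
            prev = best.get(h["offset"])
            if prev is None or len(h["url"]) > len(prev["url"]):
                best[h["offset"]] = h
        carry = buf[-overlap:]
        pos += len(buf) - len(carry)
    return [best[k] for k in sorted(best)]


def csv_report(hits: list[dict]) -> str:
    """Render hits as CSV text, the shape a carving tool writes to its report file."""
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["offset", "encoding", "url"])
    for h in hits:
        writer.writerow([h["offset"], h["encoding"], h["url"]])
    return out.getvalue()


def build_sample_blob() -> bytes:
    """Constructed stand-in for a pagefile fragment: binary filler with two artifacts,
    one ASCII URL inside an HTTP request line and one UTF-16LE URL."""
    filler = bytes(range(256)) * 8                      # 2048 bytes of non-URL noise
    ascii_hit = b"GET https://example.com/login?user=alice HTTP/1.1\r\n"
    utf16_hit = "http://intranet.example.net/share/report.docx".encode("utf-16-le")
    return filler + ascii_hit + filler + utf16_hit + b"\x00\x00" + filler


def demo(chunk_size: int = 2070, overlap: int = 256) -> list[dict]:
    """Run the chunked scanner over the sample blob; the chunk size is chosen so the
    first read boundary falls in the middle of the ASCII URL."""
    return scan_stream(io.BytesIO(build_sample_blob()), chunk_size, overlap)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        # e.g. an exported pagefile.sys or a dd image of the evidence drive
        with open(sys.argv[1], "rb") as f:
            print(csv_report(scan_stream(f)), end="")
    else:
        print(csv_report(demo()), end="")
```

Run with no arguments to see the two constructed artifacts and their offsets; pass a file path to carve a real exported pagefile or a raw image. Pointing it at a device path such as \\.\PhysicalDrive1 on Windows requires unbuffered, sector-aligned reads (open with buffering=0 and a chunk_size that is a multiple of the sector size), and the drive must sit behind a write-blocker, exactly as Jad notes for IEF.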

IEF Discount

Jadsoftware.com is offering an exclusive 15% discount to SANS Computer Forensic Blog readers when you purchase Internet Evidence Finder (IEF). The coupon will be good for the month of February 2010 only. The code is “SANS15”. To claim your discount, go to the IEF purchase page (http://www.jadsoftware.com/go/?page_id=214) and enter the code in the “Enter discount code” box just above the Buy Now button and click “GO”.

Mr. Brad Garnett, CCE, GCFA is a law enforcement officer specializing in computer forensics. You can follow Brad on Twitter @bgarnett17