Transcript for:
Overview of Digital Forensics Concepts

Hello, I am Lars Daniel, the practice leader of digital forensics at Envista Forensics. Here I lead a team of exceptional experts with backgrounds in law enforcement, including Homeland Security, the Secret Service, and high-tech crime task forces. My role is to ensure that the division remains at the forefront of digital forensic capabilities through innovative technological solutions and the continuous growth and development of world-class experts. I'm the co-author of two books in the field of digital forensics: Digital Forensics for Legal Professionals: Understanding Digital Evidence from the Warrant to the Courtroom, published by Syngress, and Digital Forensics Trial Graphics: Educating the Jury Through Effective Use of Visuals, published by Academic Press. I have testified in both state and federal courts across the United States and internationally in the state courts of Singapore. I've qualified and testified as an expert in various domains, including digital forensics, computer forensics, cell phone forensics, video forensics, photo forensics, and audio forensics. I've testified for both the defense and prosecution in criminal cases and the plaintiff and defense in civil cases. I've trained thousands of attorneys and claims professionals, delivering over 400 continuing legal education classes and continuing education classes across the United States and internationally. I hold a range of certifications in digital forensics, such as the EnCase Certified Examiner, which relates to computer forensics. I'm also a Cellebrite Certified Operator and a Cellebrite Certified Physical Analyst, both of which relate to cell phone forensics, and I also hold certifications in telecommunications, including the Certified Telecommunications Network Specialist, Certified Wireless Analyst, Certified Internet Protocol Telecommunications Specialist, and Certified Telecommunications Analyst designations. Collectively, my team and I have testified as expert witnesses in state and federal courts over 400 times.

In the quiet heart of Wichita, Kansas, a shadow loomed for over three decades. Dennis Rader, better known by his self-appointed moniker BTK (bind, torture, kill), embodied this darkness. You see, between 1974 and 1991 Rader executed a terrifying spree of murders, each marked by a signature modus operandi, taunting the police, leaving a community locked in fear and cold cases on the books. You see, after 1991 there was then silence, a cessation of communication that left the monster in the shadows, his identity a mystery. Well, after eluding capture for over three decades, the resolution of one of America's most chilling murder sprees hinged not on witness accounts or traditional detective work but on a single critical mistake by the killer himself. In 2005, Rader attempted to taunt law enforcement with a floppy disk, believing his technological misdirection would maintain his anonymity. Instead, this act precipitated his downfall. Forensic experts quickly unearthed metadata within the document saved on the disk, tracing it back to a computer at Christ Lutheran Church in Wichita, where Rader was a prominent member. The document was last modified by "Dennis," a clue that shattered Rader's cloak of invisibility. This digital slip-up marked a turning point in the criminal investigation, showing how technology could become the undoing of those who sought to exploit it for nefarious ends. Rader's arrest not only brought closure to a saga of terror but also heralded a new era of investigations, one where digital footprints often speak louder than words. The capture of the BTK killer through digital evidence is a testament to the evolving landscape of forensic science and a reminder that even the most cunning wrongdoers can be exposed in the digital age.

In the world of electronic evidence, data is any piece of digital information that electronic devices handle. Data is the foundation of digital evidence because it forms the core of every electronic device and platform. When a digital device is used, it generates or
manipulates data that can be stored or transmitted. Data can be thought of as the building blocks of digital evidence. Yeah, data is like building blocks: it comes in different types and formats, just like building blocks come in different shapes and sizes. Some data needs to be processed before it can be used, while other data is ready to be used right away. Data can also be organized in different ways, like structured, semi-structured, or unstructured.

Structured data refers to information that is highly organized and formatted in a way that is easily searchable by simple, straightforward search engine algorithms or other search operations. This type of data is characterized by its rigid structure, usually presented in tables with rows and columns that clearly define the data type, like names, addresses, and phone numbers. In essence, structured data is like a well-organized library where books are arranged alphabetically based on the author's last name and each book's information is stored in a catalog system. Financial data, customer information, and inventory records are some examples of structured data. An example of how structured data is used in our daily lives is when we search for a book on Amazon. The website has a structured database that stores information about millions of books. When we search for a book, the database is queried and relevant results are displayed. The data is organized in a specific format, and each book's information is stored in a well-defined data model, making it easy to find what we're looking for. In this case, the structured data helps us to quickly find and purchase the book we want. Structured data as digital evidence can include databases from seized computers, logs from servers, or any digital record where evidence is stored in a predefined format. As evidence, this data is relatively easy to query and review by an examiner compared to the other two forms of data. It also has a limited need to have the data formatted or produced in such a way where an attorney or expert can review it. This data can include things like call detail records, which are like a super phone bill that you can subpoena from a cellular provider, and these detailed logs provided by these telecommunication companies include information such as the call origin (where the call is coming from) and the destination (where it's going to), the duration or how long the call was, the date and time of the call, and even the cell tower used. The call detail records are typically stored in relational databases, meaning data inside of a database that talk to one another or connect to one another, and are helpful for investigating a user's activity over time and determining historic location, where they were at a particular time in the past. Another example would be accounting software. Many accounting software programs maintain detailed records of transactions, including withdrawals, deposits, transfers, and point-of-sale transactions. These logs are stored in structured formats, making it easier for investigators to trace financial movements, identify suspicious transactions, or follow a money trail in financial wrongdoing investigations. Further, these databases, typically in financial accounting software, have the ability to have petrified audit logs, meaning audit logs that cannot be changed, showing who accessed what documents and what activities were performed at what time.

Next up we have semi-structured data, and it can be found in email headers, system logs, and web pages that examiners might analyze for forensic evidence. The semi-structured nature allows for some level of automated processing and analysis; however, it often requires more sophisticated tools and approaches than fully structured data. When you think about semi-structured data as digital evidence, you have things like email headers. While the body of an email might contain unstructured text, the header is semi-structured and contains a wealth of information such as the sender of the message, the recipient or who
received the message, the date and time the message occurred, and the email servers that were used to transmit the message. This data, this metadata, is invaluable in many investigations, such as tracing the origin of an email or mapping communications in complex civil litigation. You also have things like system logs. Many devices and applications generate logs that record user activities, system errors, configuration changes, data transfers, network requests, and more. These logs are semi-structured, often in data serialization formats, which are formats that allow the exchange of data across different devices and operating systems. For example, data serialization formats allow for Apple, Android, and Windows devices to all understand the same information. System logs provide insights into user behavior, security incidents, data transfers, and data theft if you're looking at an employee wrongdoing type case, and investigators can parse these logs to uncover evidence of unauthorized access, malware infections, and insider threats.

Finally, we have unstructured data. Unstructured data refers to data that has no predefined format or organization, and it's not easily searchable. This data type includes a wide range of different formats, such as images, videos, social media posts, and audio files. Unstructured data represents the most significant volume of data generated in today's digital world, and it's the most challenging to analyze and process. If the unstructured data can be compared to a messy kid's room where everything is scattered around without any true order, finding what you need in this room can be difficult because you must search through piles of clothes, books, toys, and other items. As mentioned, text messages and social media posts are primarily unstructured data. Now, there are some elements that are structured, but most of it is unstructured. These text messages and social media posts are largely unstructured, consisting of plain text, possibly with embedded website addresses (URLs) or media, without any predefined format. The forensic analysis of this content can reveal connections between individuals, provide context or motives, or uncover incriminating statements. Then there's digital photos and videos. Multimedia, like photos and videos, are prime examples of unstructured data. They contain crucial digital evidence in investigations, from capturing and recording illegal activities to placing a person at a specific location at a specific time. Often an examiner must review thousands of videos or images by eye to locate relevant evidence.

Well, now that we understand the three forms, structured, semi-structured, and unstructured, we're now going to explore the various states and locations in which data resides. Data exists in different states and locations on devices. We're going to cover that now. We're going to look at the different types and ways that data exists on devices and on the internet. These include active data, archival and backup data, residual data, metadata, encrypted data, cloud data, and system-generated data.

Active data is the data you can see while using your electronic device. This includes your files, programs, and system information accessed through your device's operating system or the software you're using. So if you opened a Word document and you edited it and you saved it, that file is active data. Active data would also be the different pictures that you can open and see on your device, and so forth. Active data is stored on the local storage media, like the hard drive or solid state drive, the actual storage place where data is saved that's connected to the device itself or inside of the device. Okay, it doesn't include any data not stored on the local device, such as cloud-based data. While that cloud-based data can be saved locally to the device, it doesn't always mean that that's all the information. So if you think about, like, your Dropbox or other account that you use to save data from the cloud to your local device, that may not be all of it. I, for example, have some data saved
locally, and active data on my computer, that is not everything, because it would just be too much data. So partially that data is saved on my local device; the rest is in the cloud so I can access it when I need it. So my most relevant files, the stuff I use all the time, I have saved on my local device, even though it's coming from the cloud and is saved also in the cloud.

Archival and backup data refer to storing copies of important digital information in a secure and separate location. Archival data often refers to historical records that have been selected for long-term preservation due to their value. These can include emails, documents, databases, and digital images of intellectual property that are not actually used but need to be retained for legal compliance or historical research purposes. Archival data is typically information that's not required for daily use but still essential for keeping for long-term preservation. For example, an employee might begin their day by sorting through their inbox and identifying emails that are no longer immediately relevant but need to be kept for recordkeeping, such as project updates, completed task summaries, and client communications. These emails are archived, significantly reducing the inbox size and making focusing on their new and ongoing tasks easier. Later in the day, the same employee works on a report and needs historical data from a project completed months ago, so they access their email archive to retrieve email communications and attachments relevant to that project, efficiently gathering the necessary information without sifting through hundreds of current emails.

Then we have backup data, which, on the other hand, is an exact copy of important information that is regularly used and is kept as a safety net in case the original data is lost or compromised, whether from data deletion, corruption, or system failures. These backups are typically part of a regular backup schedule by your IT department, ensuring that the recent versions of data are available for recovery. Backup data is not only used by IT departments and large organizations, though. For example, an employee might quickly review a document for a work presentation on their personal laptop. That document, along with others, is automatically backed up overnight to an external hard drive connected to the laptop. This employee has set this up to ensure work done from home doesn't get lost to an accidental deletion or hardware issues. Note that this backup also has created a copy of work material on an external drive outside of the company's direct control. In a situation such as that, so if you have an employee leave a company or something like that and you're concerned that data has been taken that they shouldn't necessarily have taken, it may exist on a backup drive that was connected to the computer.

Residual data refers to the traces of data left on your devices even after you've attempted to delete them, like clearing your browsing history. It can also relate to data that's been automatically deleted by the operating system. So this can include your recent documents list on your computer that shows files you've opened in the past, or even cookies, which store information about you when you visit a website and track your online activity. While they're not immediately visible, this data can reveal much about a person's usage patterns and preferences. You see, residual data is like digital footprints you leave behind when you use an electronic device. Imagine writing a letter on a piece of paper and then deciding to erase it because you didn't want anyone else to read it. Even though you erased the words in the letter, bits of pencil marks might still be visible if someone looks closely enough. In the digital world, something similar happens. You see, when you delete a file from your device, it might seem like it's gone forever, but that's not always the case. The device usually just marks the space that file was using as available for new data, but it doesn't
immediately remove the file's data. So just like the erased letter, parts of the deleted file are still there, hidden until they are overwritten by new data, and this leftover data is what we call residual data. Digital forensics experts can often recover this data with forensic tools and techniques. That's why simply deleting sensitive information from a device doesn't guarantee that it's completely gone. We're going to cover that more when we talk about deleted data later on in this class.

Metadata is data about data, like metacognition is thinking about thinking. You can understand metadata as the label on a soup can that tells you what's inside, when it was made, and its nutritional content. In the digital world, metadata provides information about a file or document, such as when it was created, by whom, with what device, and possibly where it was created as well. It's the background details that offer insights into the history and characteristics of digital content without necessarily revealing the content itself. Metadata is used by the operating system, or brain, of electronic devices to organize, search, and retrieve digital files efficiently. It helps users locate and identify information quickly without opening each file. Moreover, metadata can be used to verify the authenticity and integrity of data by providing details about the source or the history of a file. We will address metadata in greater detail in this class, specifically to understand the difference between file system metadata and file metadata.

Encrypted data is information that has been encoded for security purposes and requires a specific key to access. When you use messaging apps that offer end-to-end encryption, your messages are examples of encrypted data. Encrypted data is like a secret message that only certain people can read. Imagine you wrote a note to a friend, but you didn't want anyone else to read it if they found it, so instead of writing in plain language you use a special code that only you and your friend know how to translate. That's what encrypted data is like: it's information that has been turned into a secret code, and the only way to understand what it says is if you have a key to decode it, kind of like having a secret decoder ring. This helps keep the information safe from anyone who isn't supposed to see it, like a letter that only the person it's addressed to can open and read. For example, modern cell phone encryption works similarly. Many modern cell phones and tablets offer built-in encryption that automatically scrambles the data on the device when it's not in use. When you set a password, PIN, or pattern, or use your fingerprint or face to lock your phone, you're essentially locking your data from unauthorized access, and this lock doesn't just keep people out; it scrambles all the information on your phone. Without the correct key, in this case your password or biometric data, nobody can read your data unless they have sophisticated digital forensic tools and training that can decrypt that information. See, no system is entirely foolproof. Digital forensics experts might find vulnerabilities in the encryption method or implementation that can be exploited to gain access to the encrypted data. Experts use specialized tools designed specifically to deal with encrypted data, and these tools help them to get past lock screens on cell phones or to decrypt computer hard drives without needing the secret key. For example, at our lab we have the same technology as the government does and the capabilities to crack passcodes on locked smartphones.

The cloud refers to a network of remote servers hosted on the internet and used to store, manage, and process data, in contrast to local servers or personal devices. This technology enables users and organizations to store files and use applications without installing them on their computers or maintaining their own data centers. You can think of the cloud as a giant invisible storage locker you can access from anywhere as long as you have
an internet connection. Imagine you have a backpack full of books, but it's too heavy to carry around all day. Instead of lugging it everywhere, you leave it in a locker at school and take out books whenever you need them. The cloud works similarly, but you're storing data like documents, photos, and even software programs instead of books. In essence, the cloud serves as a virtual storage space and computing resource. Users can access their stored data, including documents, photos, and videos, as well as utilize software applications from any device capable of connecting to the internet. This is facilitated by data centers operated by cloud service providers like Amazon, Google, Microsoft, and Apple, which manage the storage and accessibility of data. One of the benefits of cloud data is that it's often backed up regularly, reducing the risk of data loss due to hardware failure or other disasters. Additionally, because cloud data can be accessed from anywhere with an internet connection, it can be more convenient for people who frequently work on multiple devices or need to share files with others. From an investigative standpoint, cloud data can be particularly important because it's stored remotely; it can contain information unavailable on any physical device. Further, since the cloud allows a user to access files on multiple devices, evidence created originally on a cell phone can be recovered from a computer because the cloud synced it across devices. In digital forensics there are specialized tools and technology that can be utilized to capture cloud data, often requiring the user's credentials, their username and password. That data can be collected, or pulled down, from the cloud and saved into a forensic file container that is tamper-proof.

System-generated data is information that computer systems, applications, or devices automatically create while they operate, and this can include cell phones and other devices, not just computers. Unlike data entered directly by users, like typing a document or filling out a form, system-generated data doesn't require human intervention; it is produced automatically as part of the system's normal functioning. For instance, on your cell phone, a bunch of information is created and saved by the phone itself without you doing anything. This includes details like who you called and for how long, and your texts. It can also track which apps you use and how long you use them. If an app stops working or there's an error, your phone can record this. Plus, your phone has sensors that measure things like where you are in the world and how many steps you take. It can even keep track of unique words you have taught your phone in a hidden dictionary. System-generated data can be a valuable source of evidence for digital forensics examiners, because by analyzing the data, examiners can reconstruct the events leading up to a particular incident, uncover specific user activity, and more. For example, suppose a computer system has been compromised. In that case, forensic examiners can use system logs and network activity to track a hacker's movement and identify the methods used to gain unauthorized access. Similarly, in data sabotage cases, investigators can use system logs to determine what data was accessed, when it was accessed, by whom, and what device the data was saved to when it was exfiltrated out of your company or organization.

One of the most important concepts for you to understand is the difference between file metadata and file system metadata. Okay, you can think of file metadata as the label on a soup can in the grocery store. Remember, the label doesn't tell you how the soup tastes, but it gives you important details like what kind of soup it is, the ingredients, the expiration date, and who made it. In the same way, metadata for a digital photo doesn't show you the picture itself but tells you when it was taken, by which camera, and sometimes where it was taken if GPS was on. If file metadata is like the nutritional label on a soup can, providing detailed information about the
contents inside, then file system metadata is like the shelving system in a grocery store that organizes and categorizes every product, including the soup cans, based on type, brand, and other criteria. The shelving system enables store employees and customers to find any item quickly, understand its general category, and see how it relates to similar items. As the grocery store layout directs you to the soup aisle, where soups are further organized by type (chicken noodle, vegetable, tomato) and brand, file system metadata organizes files in directories and subdirectories. It helps manage the file structure of your computer or storage device, making it possible to locate a specific file, like finding the right kind of soup, and know when it was placed there. So to reiterate, file metadata provides details and information about a specific file. It includes detailed information about the content and characteristics of a particular photo, document, song, or video. It's useful for users and applications in managing and searching for specific files. Examples of file metadata include digital photo metadata. When you take a picture with your cell phone, the metadata is like a hidden note attached to the photo. It includes details such as the date and time you took the picture, the type of phone you used, the location, and more. So if you have a photo from your birthday party, the metadata could tell you exactly when you blew out the candles and whether it was taken at your home or at Chuck-E-Cheese. If you have a collection of songs on your computer or phone, each song's metadata acts like a mini bio, telling you the song's name, the artist who performed it, the album it's from, and the year it was released. This way, if you're looking for that one hit song from your favorite artist in 2020, the metadata helps you find it without listening to every song. For document metadata, when you create a report or a presentation on your computer, the file saves metadata along with your work. This includes the date you created the document, the last time you made changes to it, and the author's name.

Now to go into file system metadata a little deeper, to use another analogy, file system metadata acts like the organizing system for the digital world, similar to how a librarian organizes books in a library. Just as a librarian uses a catalog to track where books are and when they were checked out, file system metadata keeps track of all the details about files on your computer, cell phone, or external drive, ensuring everything can be found and accessed when needed. Here are examples of the types of information recorded in file system metadata. They include file name and type. Just as every book has a title, every file on our computer has a name. The file system metadata includes the file name and its extension, such as .txt for a text file, .jpg or .jpeg for an image file, .pdf for a PDF, and so forth, which tells the computer what kind of file it is and what program should open it. For example, a document might be named "vacation plans.pdf," indicating it's a PDF file with your vacation plans to Europe. It also includes the directory structure. This is like the layout of the library, showing you which files are shelved and where. In digital terms, it's the folders and subfolders on your device. For instance, you might have a main folder called Photos with subfolders for each year, and within those, more folders for specific events or trips. It can also tell you the file size. Like knowing the size of a book can help a librarian decide where to store it, similarly, file system metadata includes the size of each file, which helps manage storage space. A file might be 2 megabytes, indicating how much room it takes up on your hard drive or cell phone. It also has creation, modified, and access dates. Just as a library stamp can show a book was added to the collection or last checked out, file system metadata records when a file was created, last accessed, and last modified. For example, a Word document might be created on April 15th, last modified or
edited on April 17th, and last viewed (accessed) on April 19th. There are also permissions. You know, libraries have rules about who can check out books or access special collections; in the digital world, file system metadata includes permissions that control who can open, edit, or delete a file. For instance, a work document might be set so that only certain team members can make changes to it. Finally, it shows you the location on disk. This detail tells the operating system on the electronic device exactly where the file's data is stored on the physical hard drive or cell phone, much like a librarian uses a catalog to find the exact shelf and position for a book. It ensures the system can quickly retrieve and open files when you click on them.

To understand metadata as digital evidence, we're going to use a scenario here, okay, and we're going to see the difference between file system metadata and file metadata and the different roles they play. So here we go. A company suspects one of its employees of stealing sensitive intellectual property. The suspected employee, John, allegedly accessed confidential documents stored on the company's server and transferred them to an external USB drive. To uncover the truth, digital forensic experts analyze the file system and file metadata on John's work computer. By examining the file system metadata, examiners identify recently accessed files and directories. They discover that John accessed a folder containing sensitive documents just before his departure from the company. Further analysis reveals a series of files copied onto an external device around the same time. Here, the file metadata of those sensitive documents includes digital artifacts related to John's copying of those files onto an external USB drive, corroborating the suspicion of data theft.

So let's do a technical breakdown. The file system metadata analysis: the file system metadata includes information about the file creation, last access, and modified dates, as well as the details about the file sizes and location. By examining this metadata, forensic experts can identify which files were recently accessed or modified. Discovering that John accessed a folder containing sensitive documents just before his departure provides a significant lead. This part of the investigation is crucial for establishing a timeline of events and identifying potential unauthorized access. Then we have evidence of files being copied to an external device. When files are copied from a computer to an external USB drive, certain digital artifacts and file metadata can indicate this action. For example, the file system might log events related to the USB devices being connected and disconnected, including the timestamps of these events. Additionally, file metadata might reveal changes in the last access times that align with the timing of the USB device's connection, suggesting that the files were accessed for the purpose of copying to the external drive. So to corroborate the data theft, the combination of the file system metadata showing recent access to sensitive files, along with evidence of files being copied to an external device around the same time, provides a strong basis for corroborating suspicion of data theft. In the digital forensic context, establishing this connection is essential for moving forward with legal or disciplinary actions against the suspected individual.

In our digital world, where everything from photos to important documents exists in electronic form, the notion of deleting data seems straightforward: hit delete and it's gone forever. Yet the truth behind data deletion is often far more nuanced and complex than the simple action implies. You see, when you delete a file, be it a photo, a document, or an email, you're essentially telling your device, "I don't need this anymore; you can use this space for something else." On the surface, it may seem like the file vanishes and the space it took up becomes available for new data. The file disappears from your view. However, beneath this digital
veneer the file's data often remains intact on the storage medium be it a hard drive a solid state drive an external hard drive or a cell phone it is unseen and forgotten but still there until new data overwrites it it's important to understand that data is stored in different ways on hard drives like the ones with spinning platters the older ones you may have seen versus solid state drives those smaller ones that are more damage proof because they don't have moving Parts uh or on chips that are directly embedded on cell phones for storage they do store data differently however there are similarities in how that data is recovered the different devices and how they store the data is outside the scope of this class and gets extremely technical but for an overview let's look at where data can reside in different places and how it can be potentially recovered as mentioned when files are deleted from storage devices be it a computer cell phone or external drive the data often remains intact and recoverable until it is overwritten by new data you see digital forensic experts leverage various techniques and specialized forensic tools to recover this deleted data and we're going to look at some of those fruitful places the most common places where deleted data lingers and is recoverable so first we have unallocated space when a file is deleted the operating system simply marks the space it occupies as available for new data while leaving the original data untouched this area is known as unallocated space and is a gold mine forensic analysts specialized tools can scan unallocated space to piece together and recover deleted files unveiling potentially crucial information about a user's activity imagine a library where books are never truly thrown away when a book is deleted from the catalog it's simply taken off the shelf and put in a back room the space on the Shelf is now considered unallocated and ready for new books but the old book still exists in the back room until 
it's replaced forensic analysts are like specialized Librarians who can go into the back room and recover these deleted books for example in an employee wrongdoing case a company suspected that a former employee had stolen Trade Secrets before leaving for a competitor forensic experts analyzed the unallocated space of the employees company issued laptop and revealed fragments of deleted confidential documents proving that the employee had accessed and likely copied these sensitive files before their departure then we have slack space okay and that refers to the unused storage areas on digital media you see when a file is saved on a storage device like a computer hard drive or a cell phone the operating system allocates space in fixed size blocks or clusters if the file doesn't completely fill the last allocated block the remaining space becomes slack space this slack space can contain leftover data and can be a treasure Trove for digital forensics experts data can end up in slack space through various means you see when a file is deleted its contents often remain in slack space until it's overwritten by new data similarly when a file is modified and become smaller the excess data May linger in slack space in digital forensics experts employ specialized tools to recover data from slack space that process involves identifying and isolating slack space area scanning those areas for remnant of files or data fragments and then reconstructing and analyzing them to better understand slack space consider the following analogy you have a library with a book Return system using fixed siiz bins each bin represents a cluster on a hard drive while books represent Files The Librarian acting as the operating system places each returned book in a bin a large novel might fill an entire bin while a small poetry book placed in the next bin doesn't fill it completely the remaining space in the bin is analogous to slack space if someone accidentally leaves notes in the bin with the 
poetry book those notes are like data in slack space even after the poetry book is removed simulating a deleted file the notes might still be there waiting to be discovered by a curious investigator we've already discussed file system metadata but when it comes to deleted data it's important to note that even when a fil is deleted traces of its existence can remain in the file system's metadata this can give information related to the timestamps and establish when files are deleted or modified so for for an analogy imagine a detective investigating a missing person's case even if the person has disappeared the detective can still find clues about their existence by examining their home the person's name might be on the utility bills or mail their fingerprints could be on the furniture and their daily routines could be inferred from items like a worn pair of shoes or a frequently used coffee mug in a similar fashion file system metadata leaves behind traces that can tell a story of a deleted file's existence and attributes even if that file cannot be recovered or is truly gone many applications create temporary files and caches or caches as it's commonly called in the forensics world to improve the performance of your device these files often contain Snippets of user data and they can contain that data until they're overwritten they can be recovered and provide insights into application usage and user actions things like web browser caches for example may contain deleted images multimedia and even sensitive to data from visited websites I want you to imagine a painter working on a canvas as they work they mix colors on a palette and make sketches on scratch paper these temporary materials help the painter work more efficiently but they are discarded once the painting is complete however if someone were to dig through the painter's trash they might find clues about the finished work like color swatches or preliminary sketches in a similar fashion temporary files and 
caches can provide glimpses into a user digital activities even after the main files have been deleted so for example in a murder case the an analysis of a suspect's browser cache could reveal evidence of deleted search queries the actual terms typed into say the Google search engine and the websites that were visited after those searches were performed this information could help establish a pattern of obessive behavior and provide ke evidence for the prosecution or could provide an alibi for the defense Shadow copies and backups you see operating systems and applications May create automatic backups or Shadow copies of files at various points and times these backups can retain copies of files that were deleted from the main file system so you have your computer you delete a file however that same file could exist in one of these backups forensic experts can mine these resources to recover deleted data and even reconstruct past versions of modified files Shadow copies and backups are like having a time machine for your Digital Life imagine you write a daily entry every day in a diary but you decide to tear out a page because you're embarrassed by what you wrote how however unbeknownst to you a magical copy of your diary is made each night preserving all the pages even the ones you removed forensic tools can access these magical copies to recover deleted data and reconstruct past versions of events so what is a page file well operating systems use page files in Windows or what are called swap files in Apple Computers to temporarily store data from your Random Access Memory that is the memory on your computer that stores things short term okay that data and the short-term memory usually goes away when you restart the device but a page file or a swap file attempts to save data to the computer while it's still on from the memory to create more room in your memory okay these files contain fragments of data from running processes including data from files that were open 
at the time but have since been deleted so imagine your computer's memory is a desk and the page file is a filing cabinet when your desk gets two clutter with papers data you move some of the less immediately needed papers into the filing cabinet to make room on your desk even if you later Shred the original papers fragments of them might still exist in the filing cabinet forensic tools can examine these filing cabinets these page files to recover data fragments that might have been deleted from the main desk your memory in a criminal case where we were retained by the defense it was a felony hacking case fragments of deleted chat logs were recovered from the page file of the defendant computer they reveal discussions about how and when a Cyber attack against a government website would take place you see these recovered fragments played a crucial role in demonstrating that the defendant was guilty but not as guilty as first believed the chat logs demonstrated that he and others in the message group were the Pawns of an unknown hacker the true Mastermind behind the attack who was issuing the instructions on what they were to do and how they were to do it so we also have printer spooler files you see when a user prints a document the print job is temporarily stored in a spooler file file before being sent to the printer if the user deletes the original document fragments of the data may still reside in the spooler files you see forensic analyst can sometimes recover these remnants to gain insights into printed documents you can imagine a printer as a chef and the spooler file as their notepad before preparing a dish printing a document the chef jots down the recipe the document data in their notepad even if the original recipe card is thrown away the chef's notes might still contain key information about the dish forensic tools can examine these notepads the spooler files to uncover data about deleted documents that were printed in an embezzlement case that we worked 
on, fragments of deleted financial reports were recovered from the printer spooler files on the suspect's work computer. These fragments revealed discrepancies in the company's financial records and provided evidence of the suspect's attempts to cover up their fraudulent activities.

Electronic devices and applications generate thumbnail images or preview files for quick viewing of documents or media files. So if you open your computer and you're in a picture album and you tell it to show you the little thumbnails instead of showing you big pictures for each one, you're looking at thumbnail or preview files. These thumbnails and previews can remain on the system even after the original file's been deleted. So let's say you have 10,000 pictures and you delete all 10,000. It's possible all 10,000 of those will still exist in the small version as a preview or thumbnail. They provide a visual reference that can guide further investigations or recovery efforts. You can imagine it as a photo album where each page has a small version, or thumbnail, of the larger photograph. If someone removes a photo from the album, the small version might still remain on the page, providing a clue about what the missing photo contained or showing it outright. Forensic tools can examine these photo album pages, those small versions, to see what photos were on the computer or on the phone, even after those original pictures they relate to have been deleted. Now, it's important to note that often with those thumbnail photos and so forth, they're difficult to date. So while you may have the actual content of the picture itself, it's possible you may not have the dates and times associated with it, because that belonged to the file it was referencing in the thumbnail and not in the thumbnail itself.

Finally, what about cloud storage and sync devices? Deleted files may linger on sync devices or cloud storage services even after being removed from the primary device. So if a sync device was offline during deletion, it may retain a copy of the deleted data until it reconnects. So you have your phone, okay, and on your phone you have data that's connected to the cloud. You download data from the cloud, and then you power your phone off or you put it into airplane mode, okay. Later on, you go and delete data from the cloud. Well, those deleted files may linger on that sync device, that phone, or in cloud storage services even after being removed from the primary device. You see, if a sync device was offline during deletion, like a powered-off phone or a phone in airplane mode, it can retain a copy of the deleted data until it reconnects to that cloud server and then syncs up, okay. Similarly, cloud storage providers may keep backup copies or maintain deletion logs that can aid in recovery efforts or show the files that have been deleted, even if you can't recover those; so you get the names and times that those files were deleted. So you can imagine a group of friends who share a digital photo album. When someone deletes a photo from the album, it disappears from everyone's devices. However, if one friend's device was offline during the deletion, they may still have a copy of the photo that can be recovered and shared with the group. In a similar fashion, sync devices and cloud storage can sometimes retain copies of deleted files that can be used for forensic analysis. In a trade secret misappropriation case we worked on, a former employee claimed to have deleted all company files from their personal devices before leaving and going to a competitor. However, forensic analysis of the employee's cloud storage account, compared to their devices themselves, proved that the deleted files were still present in the cloud even though they weren't on the local device, because they had synced to the cloud and turned off the sync function after doing so. So they still lived in the cloud; they had not been deleted because they had not synced to delete, they hadn't received that command, so to speak. And those recovered files provided evidence of the employee's misconduct and allowed the company to take legal action.

Finally, to wrap this section up, we need to talk about digital forensics data recovery versus information technology data recovery, okay. Digital forensic tools and information technology data recovery tools are both used to retrieve lost data from digital devices, but they serve different purposes and have distinct capabilities. Digital forensic tools are primarily used to find and analyze digital evidence, understanding that they could go to court, so it's for legal cases. These tools are designed to ensure that the data remains unchanged during the recovery process, which is crucial for maintaining the integrity of evidence in court. IT data recovery tools, on the other hand, are used by individuals and businesses to recover data that has been accidentally deleted or lost due to hardware failures or software issues. These tools are designed to be user-friendly and focus on quickly restoring files from various storage devices. While they are effective for everyday data recovery needs, they don't have the same level of deep analysis, data recovery, or data integrity checks as forensic tools. Further, IT tools typically lack the advanced capabilities needed to recover data from complex scenarios like encrypted files or corrupted storage media. In short, digital forensic tools can recover more data than IT tools. Second, forensic tools ensure that the data remains unaltered during the recovery process by using write-blocking technology and creating forensic images, encapsulated data inside of a file format that has digital DNA checks against it, so you have a perfect snapshot in time of the data as it was created. This preserves the integrity of the data, making it admissible in court. IT tools do not typically include these safeguards, which can result in data being altered during recovery and represents a real challenge sometimes in trying to take that data to court, okay. Finally, digital forensic software is highly specialized to recover data from different types of devices and to parse and analyze that data, okay. So that could be a cell phone forensics investigation, network forensics, database forensics, examining computers at a really deep level, and so forth, because these tools are designed to handle specific challenges and recover data from a wide range of devices and scenarios, and to get the data about the who, what, when, where, and why of what a person was doing. So I like to say that as digital forensics experts, we know a tremendous amount about technology and computers, but the stuff we know isn't going to help you fix anything. We know a lot of stuff about what people were doing at a particular time and how to establish the credibility of evidence. We know stuff that IT people don't know, and they know stuff that we don't know, okay. And while there's a lot of crossover between the disciplines in some ways, we have to specialize, as digital forensics experts, on forensic artifacts that tell stories that have no relation to fixing anything, and IT experts are experts at fixing stuff. They get your printer back up and running, they make sure your network runs smooth, they can remove viruses from your systems. They're different fields.

Imagine tuning into your favorite crime show, like CSI, where the scene is set with detectives arriving at a crime scene. They collect fingerprints from a glass, a strand of hair for DNA analysis, and a bullet casing, all tangible clues that remain unchanged over time. This type of evidence, familiar to us from countless TV episodes and movies, has been the cornerstone of forensic science for decades. These physical pieces of evidence offer a static glimpse into the events of a crime scene, an unchanged snapshot in time; their properties are fixed from the moment they are collected. Digital forensics is like entering a whole new dimension. Unlike the stable nature of a fingerprint or DNA, digital evidence is constantly on the move, changing, evolving as technology advances. Think back on old crime shows where detectives would listen to answering machine tapes to get leads. Nowadays, they need to know how to forensically extract data from cell phones and have the tools and expertise to gain access to encrypted messaging apps. In traditional forensic science, the objects that are analyzed, such as DNA, fingerprints, or ballistic evidence, have properties that remain constant over time. For example, a fingerprint found at a crime scene retains its identity indefinitely; a fingerprint is a fingerprint. While advancements in science may improve the accuracy, speed, or non-invasiveness of the analysis, the essential characteristics of the evidence under examination do not change. The nature of digital evidence is quite different from traditional forensic evidence, as it is susceptible to change and remains in a state of constant flux. The digital world is always evolving, with new updates and innovations being introduced regularly, which can alter the landscape of digital evidence overnight. This dynamic environment presents significant challenges for forensic examiners, who must stay up to date with all these changes to efficiently gather and analyze evidence. Consider a mobile application that is frequently used for communication. One day it might offer basic text messaging capabilities, and the next it gets introduced end-to-end encryption, fundamentally altering how messages are stored and transmitted. For forensic examiners, this means that the techniques and tools used to extract data from this app today may be obsolete tomorrow. Additionally, apps might change how they log activities or store user data with each update, requiring examiners to continuously update their methodologies and technology for extracting and interpreting this information. In a similar way, updates to phones or computer operating systems can have a profound impact on digital forensics. Operating system updates often include new security features, such as enhanced encryption or new forms of device locking. An update might also alter how data is stored on the device or introduce new types of data altogether. For example, a new smartphone operating system version might include improved location tracking capabilities, offering forensic examiners new types of evidence to collect.

I really want to make sure we understand this point. In traditional forensics, evidence collection involves direct physical sampling of the crime scene or subjects involved. This could be gathering blood samples for DNA analysis, lifting fingerprints from a surface, or collecting bullet casings. The process from collection to analysis is relatively straightforward, because the evidence itself doesn't require intermediary steps to make it accessible or interpretable. Further, the methods used to analyze traditional forensic evidence are well established and consistent. For example, DNA analysis follows a specific set of procedures that have been refined but fundamentally unchanged over time. Similarly, fingerprint analysis involves comparison techniques that, while benefiting from technological advancements like digital databases, remain consistent in their basic approach. In short, traditional forensic evidence types are less affected by technological advances. While advancements in technology can enhance the resolution, speed, and efficiency of analysis, the basic nature of the evidence doesn't change: a fingerprint remains a fingerprint, and DNA remains its genetic information, regardless of technological progress. This stability, represented in traditional forensic sciences, stands in stark contrast with digital forensics. When software updates, new encryption methods, or entirely new types of digital devices enter the market, they can alter the very fabric of digital evidence. Each update or new technology can change how data is stored, accessed, or encrypted, directly impacting the methods forensic analysts must use to collect and interpret this evidence.

Couple that with the fact that digital evidence is ever increasing. Less than two decades ago, digital forensics focused primarily on extracting data from desktops and laptops. Fast forward to today, and we find ourselves navigating a complex digital landscape filled with smartphones, tablets, wearable technology, and even smart home devices. Each of these devices can store vast amounts of digital information, presenting new opportunities and challenges for forensic examiners. For instance, consider a smart home device that controls the lighting, heating, and security cameras. Such a device could provide a detailed account of a person's movements within the house, offering critical insights into an investigation. The future is digital. As technology advances, the scope of digital evidence is set to expand dramatically, becoming even more complex and integrated into our daily lives. Future technological innovations, particularly in the realms of medical ingestibles and wearables, promise to introduce new forms of digital evidence that forensic experts will need to navigate. Wearable technology, already popular for fitness and health tracking, is becoming increasingly sophisticated. Future wearables are expected to go beyond counting steps or monitoring heart rates; they might analyze sweat for stress markers, use embedded microchips for identity verification, or even monitor neurological activities or signs of cognitive impairment. In a legal context, wearables could offer insights into a person's mood, movements, physiological responses, or even emotional states at specific times, opening up whole new avenues for establishing timelines, corroborating testimonies, or anything else you could imagine. We're also in the early stages of things like medical ingestibles, digital pills, a new frontier in healthcare technology. These are small ingestible devices equipped with sensors that will monitor various aspects of a patient's health from within the body. Once swallowed, they could transmit data on medication adherence, monitor the gastrointestinal tract, and even measure biomarkers for diseases. In the context of digital forensics, this could mean access to an unprecedented level of personal health data. For instance, in cases involving poisoning or drug overdoses, data from medical ingestibles could provide crucial evidence regarding the substances ingested by the victims and their effects over time. Even today, we are seeing attorneys utilizing data coming from CPAP machines to determine if a driver was fatigued at the time of the incident because they were not in compliance with the device, because those devices, the CPAP machines, are recording information, and that information is being sent to an application and to medical providers. You can get that data related to compliance from a phone.

And to round all this out, there's the expert challenge when it comes to digital evidence and its difference, okay. I'm the leader of a nationwide digital forensics practice with a team of highly qualified experts who possess extensive experience in investigations and in providing expert testimony. Even with an incredibly capable team, I knew years ago that it would be necessary to specialize experts to handle a selection of the subdisciplines in digital forensics. There are too many types of digital evidence out there for a single expert to know it all, and this will only become more true over time. As the myriad of existing and new technologies become more embedded in our lives, the types of digital evidence available to forensic experts will continue growing in volume and complexity. Each new device or technology could potentially introduce unique data types, proprietary formats, and new encryption methods. This expansion of digital evidence underscores the need for forensic experts to specialize in digital forensics to stay abreast of technological developments. Further, as digital evidence becomes more intricate and personal, illustrated well by medical ingestibles, wearables, and other future technologies, the field of digital forensics will need to evolve accordingly, developing new tools, techniques, and ethical guidelines to meet these challenges. That's why digital forensic specialists must constantly adapt by learning new skills and devising innovative methods to keep up with technological advancements. The dynamic nature of digital evidence highlights the complexity of the digital era, emphasizing the crucial significance of continuous education and vigilance for digital forensics examiners.

In the world of digital forensics, evidence is often a double-edged sword. On one hand, it offers unparalleled insights into the activities, intentions, and interactions of people and between people. On the other hand, it's inherently fragile and prone to alteration or destruction. Understanding the volatile nature of digital evidence is crucial for anyone involved in its collection, preservation, and analysis. Digital forensics, which is the process of uncovering and interpreting electronic data, is an essential component of modern legal investigations, but despite its critical role, the field is characterized by two inherent and interrelated challenges: volatility and fragility. In today's world, attorneys need to understand the complexities of digital evidence, because how it's collected, protected, and utilized can make or break a case. You see, digital evidence, unlike physical evidence, is incredibly easy to alter. Consider a murder weapon like a gun or a knife. Once secured at a crime scene, its physical properties remain unchanged unless it's subjected to extreme conditions or intentional manipulation. Digital evidence, however, exists in a realm where even the act of viewing it can change its state. When we talk about digital evidence being both fragile and volatile, here's what we mean. Volatility means that digital data can be altered or erased quickly through normal system operations, user actions, or even automated processes. It's like writing in sand that is easily washed away by the waves. And when we mention fragility, that refers to the ease with which digital data can be corrupted, lost, or destroyed through physical damage to the storage devices themselves that contain the data, logical errors in the data, human error and activity, or even malicious activity. You can think of it like handling a delicate antique vase that can shatter with a single mishandling. This dual nature necessitates immediate and precise measures to effectively preserve and analyze digital evidence.

While we can't cover all the ways that digital evidence is both fragile and volatile, we are going to talk about a couple here so we can bring the point home. One such way that digital evidence can be easily changed or altered can be through standard system operations. Modern operating systems, such as Windows or the Mac operating systems, and the applications that we use, like word processors or web browsers, are dynamic environments that constantly write and rewrite data. They even have things like system logs, which record events happening on the computer; temporary files, used to store intermediate data; and cache data, both of which are used to speed up your computer to make it run better. But that data doesn't exist forever, and the ongoing use and activity of a device, even if you're not accessing particular types of files related to a case, can delete that other information that's created as a part of the normal use of a computer or cell phone. And that data that is potentially lost relates to the who, what, when, where, and why. You could think about what files were accessed, what was searched for on the internet, what other extraneous information was looked up regarding a particular topic. That's the type of data that can be lost: the actual timelines and other information that can put somebody behind the keyboard, or say who was doing it, and also create a more holistic view of what actually occurred during a particular time. So instead of being able to tell whether or not a person accessed a file, copied it to an outside drive, and then researched something related to it on the internet, you may only have the file itself. That
ongoing activity the ongoing use can overwrite or erase potential evidence and this volatility extends to cell phones as well many modern smartphones such as those running iOS the Apple operating system on a phone or Android continually managed data phone system logs record various events temporary files store intermediate data and cache data helps speed up the retrieval of frequently used information on your cell phones just like on computers these elements are frequently updated or deleted which can quickly overwrite or erase potential evidence that's why it's critical to preserve evidence as soon as possible understand that this can have a profound impact on the evidence in a case if you're a trucking attorney for example some of the information you care about is what fingers were doing at a particular time what were you touching on the phone what were you using it for were you using it just for GPS or was somebody browsing the internet and then on Netflix watching a show or were they routing their audio from their speaker phone to their Bluetooth headset what applications were open at a particular time all that type of information can be lost as a some of the most temporal data on a phone if it's not collected and protected as it should be according to digital forensics best practices another way that data can be changed or lost is through simple user actions and that does doesn't have to be intentional users can inadvertently or deliberately alter or delete Digital Data simple activities like saving new documents clearing browsing histories or installing software can overwrite critical evidence I worked on a civil litigation case where we were retained by the defense to assist in the collection of electronic data we were brought in late not due to the attorney's fault but because the client initially underestimated the need for experts assuming their it Department could handle all the collections the client also viewed the requests as over Broad and 
unnecessary failing to grasp the gravity of the situation you see the casee was in federal court in the United States but the company was based in Canada where privacy and Discovery expectations differ significantly the IT department was not complying with their attorney's request to preserve data partly due to privacy concerns and partly due to the executives outright hostility at the company I witnessed this firsthand during conference calls where the attorneys brought me in to explain the importance of complying with the Court's orders initially the scope of data collection was limited to specific cloud and server data however the court escalated the situation due to the client's non-compliance the judge ultimately ordered the most comprehensive data collection possible including personal devices servers networks and cloud data this meant full forensic Acquisitions of all personal and work devices for the custodians including the recovery and review of deleted data what could have been a straightforward case with a simple data collection taking a few days turned into a multi-month ordeal and the Catalyst for all this occurring was rollover backups the IT department had not set to save the oldest back backups and they waited so long the oldest backup the backup that related to the date and time of the incident was overwritten and lost as the new backups were created by that it Department preserving digital evidence is vital for ensuring its integrity and admissibility in court as attorneys you understand the importance of evidence preservation in building a solid case and digital evidence is no different though it comes with its own unique set of challenges as I've Illustrated digital evidence is both volatile and fragile which makes timely and careful preservation essential to preserve digital evidence forensic experts use forensic Imaging this process involves creating an exact copy of the digital storage device and capturing all the data in its current state 
without altering the original at all. Think of it like taking a high-resolution photograph of a crime scene before any evidence is collected or disturbed. Along with this, a digital DNA is created: a hash value that allows you to say that this is a perfect snapshot in time of the evidence that is tamper-proof. Forensic imaging is covered later in this class in the foundations section, but for now I want us to consider the role experts play from a consulting perspective in digital evidence preservation.

Digital forensics experts are your allies in navigating the complexity of digital evidence. We can help draft precise preservation orders, specifying what types of data need to be preserved and how to do so, and our role extends beyond technical tasks. We can help bridge the gap between the technical world and the legal realm, ensuring you understand the significance of the preserved data, as well as other stakeholders in the case. You see, when you involve a digital forensics expert early in the process, we can effectively guide the preservation efforts. This includes taking those initial forensic images or forensic copies, securing evidence devices, and monitoring compliance with preservation orders. The involvement ensures that all potential evidence is maintained correctly and remains intact for analysis.

Here's how experts can help in each stage of the process. Experts can act as translators. One of the most critical roles that forensic experts play is in translating between IT professionals, attorneys, and executives within a company. Each group has its own language, priorities, and expertise, and forensic experts help bridge these gaps to ensure seamless communication and effective data preservation. This extends to criminal cases as well. Sometimes you're having to deal with law enforcement examiners who have evidence that you need access to. Having an expert who can understand what they possess, how we need to access it, and what types of evidence could be recovered, and speak
the same language as those law enforcement examiners, can assist in getting access to that evidence and helping law enforcement understand and be assured that it will be handled in a way that will not damage the original evidence items as well.

So what exactly are the benefits of having an expert act as a translator between these various parties, whether that be law enforcement or a company? Well, thinking of it from a company perspective, one aspect is understanding technical jargon. IT departments often use technical jargon that can be confusing for attorneys and executives. You see, forensic experts can translate this jargon into plain language, explaining the technical aspects of data preservation in a way that non-technical stakeholders can understand. This helps ensure that everyone is on the same page and that legal requirements are clearly communicated to the IT staff.

Experts can also help clarify legal requirements. Forensic experts help IT professionals understand the legal implications of their actions, specifically when it comes to handling data. They can explain why certain data must be preserved, the potential legal consequences of failing to do so from a forensic perspective, and the specific requirements outlined in preservation orders as they relate to the data. By clarifying these legal requirements, forensic experts ensure that IT departments take the necessary steps to comply with preservation orders.

Experts can also help executives at a company understand how this preservation, and doing it correctly, aligns with business objectives. You see, executives are often focused on broader business goals and may not fully grasp the importance of detailed data preservation. Forensic experts can explain how preserving digital evidence aligns with the company's legal strategy and overall business objectives, like reputation protection. They can also highlight the potential risks and costs associated with failing to preserve evidence, making a compelling case for
executive support and investment in proper data preservation measures.

Finally, experts can assist in facilitating collaboration. See, effective data preservation requires collaboration between IT, legal, and executive teams. Forensic experts can facilitate this collaboration by assisting attorneys in meetings, coordinating efforts, and ensuring that everyone understands their roles and responsibilities. They can also assist attorneys in mediating any conflicts that arise, helping to find solutions that meet both technical and legal requirements.

So far we've been talking primarily about what digital evidence is. Now we're going to talk specifically about what digital forensics is, including the foundations behind it, the subdisciplines within it with case examples, how it can actually be used (how you put boots on this data and make it work in your cases), and finally the different specializations within digital forensics, so you can choose the right expert for the right type of case.

So what is digital forensics? Well, it involves the identification, preservation, analysis, and presentation of digital evidence in a legally admissible manner. Initially known as computer forensics, the field now includes smartphones, tablets, cloud services, IoT devices, and much more. Digital forensics is crucial in both criminal and civil cases, helping prove or disprove alibis, identify suspects, and resolve disputes. The process involves key steps; we're going to cover those key steps in the foundations. But to understand digital evidence in our digital age, we have to understand that our devices create fingerprints. These fingerprints left by human activity have evolved from physical traces like fingerprints and footprints to digital traces such as emails, text messages, and browser histories.

Digital forensics, often referred to in its early days as computer forensics, is a branch of forensic science focused on the recovery and investigation of material found in digital devices. Initially the field was
primarily concerned with computers, hence the term computer forensics. However, as technology has advanced and diversified, the sources of digital evidence expanded far beyond traditional computers. See, the scope of forensic investigations has grown with the advent of mobile phones, tablets, and other digital devices. Modern digital forensics now encompasses a wide range of devices and data types, including smartphones, tablets, cloud services, Internet of Things devices, wearable technology, and even our vehicles with their in-vehicle infotainment systems. This evolution necessitated a broader term that could cover all these sources of evidence, leading to the adoption of "digital forensics." This terminology better reflects the comprehensive nature of the field today, including computers and any device capable of storing digital data.

Digital evidence can play a crucial role in a wide variety of cases. In criminal law, digital forensics can help prove or disprove alibis, identify suspects, and understand criminal activities and motives. In civil law, digital forensics can assist in cases of intellectual property theft, employment disputes, personal injury, and fraud. As our reliance on technology grows, so does the importance of understanding and correctly handling digital evidence.

I started in digital forensics back in 2009. To this day I remember my first expert testimony clearly. It was my first exposure to how significant digital evidence can be in a case, and how much the legal community had to learn about digital evidence at that time. This experience solidified my interest in digital forensics as a career and planted the seed for what would become my professional passion of educating legal professionals in digital evidence. You see, my first expert testimony was in a sexual assault case. I was appointed by the public defender to act as a cell phone forensics expert. The public defender only needed me to testify to authenticate the data from the cell phone, and their theory of the case was that
this was not sexual assault; instead, this was a case of a mutually consensual relationship gone bad, and the photos on the phone would demonstrate that the defendant and the alleged victim were in a sexual relationship for months prior to the allegation that led to the charges. On testimony day I went through the voir dire process, qualified as an expert, and the defense attorney proceeded with a short direct examination to authenticate the evidence, which was successful. On cross-examination, the prosecutor had a series of questions about the pictures. It was clear they were attempting to challenge the timeline, asserting that the photos could not be dated and therefore I could not tell if the photos were taken over a series of months or if they had been taken over a few days. You see, the prosecutor was asking questions they didn't know the answer to. When they asked if I could tell the dates of the photos, I said yes, much to their surprise. At first glance the photos appeared to be randomly named with a series of numbers; however, what looked like a random series of numbers was anything but. The numbers were a naming convention used by the application, and these numbers could be converted into exact dates and times. That testimony, along with supporting evidence, proved that the photos were taken over a series of months, consistent with the defense's theory of the case.

So, as we covered, digital forensics is the application of forensic science to electronic evidence in legal matters. However, digital forensics is used in different ways by experts who work in cybersecurity, litigation, and e-discovery, and this can create confusion for those unfamiliar with these different specializations. When researching digital forensics, you may come across the term DFIR, which stands for digital forensics and incident response. This can be confusing because the objectives of a DFIR investigation are not exactly the same as those in litigation or e-discovery cases. The digital forensics community has adopted
DFIR, digital forensics and incident response, as a way to self-identify who we are and what we do. The need for digital forensics emerged as computers and digital evidence became ubiquitous in the 1980s and '90s, and law enforcement and corporate security teams began developing methods to recover and analyze data from digital devices for use in investigations and legal proceedings. The term "digital forensics" itself gained prominence in the late 1990s and early 2000s as the field formalized. Incident response grew out of the necessity to respond to cybersecurity incidents such as breaches, malware infections, and other forms of cyber attacks. As organizations increasingly relied on digital infrastructure, the importance of structured responses to these incidents became clear. The term "incident response" began to solidify in the cybersecurity lexicon around the same time as digital forensics, particularly with the growth of internet connectivity and the rise of sophisticated cyber threats.

So yes, there is an overlap between incident response and digital forensics. Still, the day-to-day cases and deep expertise differ among professionals working in cybersecurity or incident response, digital forensics in litigation, and digital forensics in e-discovery. So yes, DFIR is a recognized term adopted within the digital forensics community. It's helpful shorthand to explain what experts do to other tangential experts in other fields, like information technology and security professionals, but I find it unhelpful and confusing when communicating to attorneys and executives and those who actually utilize digital forensic services. As mentioned, while researching you will find DFIR content but not much on DFL or DFID. These are acronyms I have created to explain digital forensic specializations to my clients. Feel free to use DFL and DFID; I'll take all the help I can get to popularize them for the benefit of the market and the legal community in particular.

So first, what is digital forensics and incident
response? Digital forensics and incident response is a critical component in cybersecurity, where the primary focus is on identifying, investigating, and responding to security incidents. These incidents can range from malware infections and data breaches to sophisticated cyber attacks orchestrated by nation states or criminal organizations. DFIR specialists are like digital firefighters, called in to extinguish a security incident's flames and uncover the breach's origin and extent.

So when is the DFIR specialization the correct one in a particular type of case? Well, you could have a ransomware attack on a financial institution. A large financial institution discovers that several of its critical systems have been locked by ransomware. The attackers demand a substantial cryptocurrency payment to release the decryption key. The institution's operations are severely disrupted, with customer transactions halted and sensitive data at risk of being exposed. So why would you use DFIR? Well, in this scenario the financial institution needs DFIR specialists to respond to the incident quickly. The DFIR team would first identify the scope of the attack, determining which systems are affected and how the ransomware infiltrated the network in the first place. Then containment measures would be implemented to isolate the infected systems and prevent the ransomware from spreading further. Eradication would involve removing the ransomware and any associated malware from the systems, and in some instances negotiating with the threat actor to make the cryptocurrency payment in order to recover the affected data. Recovery would focus on restoring operations, possibly using backups to recover the encrypted data. And finally, a post-incident analysis would provide insights into the attack vector, or method of attack used, and recommend improvements to the institution's security posture to prevent future incidents. The primary objective is to get the business operational as quickly as possible and then to
implement policies, plans, and infrastructure to reduce the chances of a repeat incident.

Next we have one of my created terms, digital forensics in litigation. Digital forensics in litigation, or DFL, is the application of forensic techniques to gather and analyze digital evidence for use in legal proceedings. This specialization requires a deep understanding of both technical and legal aspects, as the integrity and admissibility of digital evidence are paramount in litigation. DFL professionals play a crucial role in bridging the gap between complex technical data and the legal requirements of evidence. In DFL, the process begins with identifying and preserving potential evidence. This involves securing digital devices, ensuring that no data is altered or destroyed, and creating exact copies, or forensic images, of the data for analysis. This preservation phase is governed by strict protocols to maintain the chain of custody and ensure that the evidence is handled in a manner that upholds its integrity and authenticity.

Understand that with digital forensics in litigation, the goal and the understanding is that everything that you're going to do could potentially go to court. The objective of a DFL expert is to assist attorneys and their clients when it comes to collecting, preserving, and presenting digital evidence in court, and a lot of times this is on systems or devices after the fact. So an event has happened, this could be a crime or intellectual property theft or something like that in a civil litigation case, and you need a digital forensics in litigation expert to come in, analyze all of that data, and make determinations on what actually happened: the who, what, when, where, and why. Also, a DFL expert understands that they could be going to give expert testimony at any time. So in DFL, these are experts who understand that they are going to be giving expert testimony quite often related to what the digital evidence means in cases. In DFL it's critical that our explanations and our work be clear,
precise, and easily understandable by non-technical stakeholders such as attorneys, judges, and juries, the triers of fact. Forensic examiners often serve as expert witnesses, explaining their methods and findings to a court. This requires technical expertise and the ability to communicate effectively. That's because the examiner's testimony can significantly influence the outcome of a case, making their role critical in the litigation process.

So in what kind of case scenario would you want a digital forensics in litigation expert? Well, we can think about an intellectual property theft case. A technology company suspects that a former employee has stolen proprietary code and confidential business information to start a competing business. The company files a lawsuit against the former employee alleging intellectual property theft and breach of non-disclosure agreements. In this scenario, DFL specialists are essential for collecting and analyzing the digital evidence that can support the company's claims. They would begin by preserving relevant digital devices and creating forensic images to ensure the integrity of the evidence. The analysis phase would involve examining emails and file access logs, recovering deleted data, and analyzing metadata to uncover any unauthorized transfers of proprietary information. The findings would be documented in detailed reports, and the DFL specialists would be prepared to testify as expert witnesses, explaining their methods and conclusions in court. Their expertise would ensure that the evidence is admissible and persuasive, bolstering the company's case.

And finally, we have digital forensics in e-discovery. When it comes to digital forensics in e-discovery, DFID specialists and legal teams collaborate closely during the review and analysis phases. Using advanced e-discovery platforms, they search, filter, and analyze the data to identify relevant documents and communications. This phase often involves keyword searches, metadata analysis, and the application of analytical techniques to uncover
patterns and relationships within the data. One of the unique aspects of digital forensics in e-discovery is that it's not just a technical expertise; it also involves significant project management skills. E-discovery projects can be vast, involving terabytes or more of data and numerous stakeholders. DFID professionals must manage timelines, coordinate with legal teams, and ensure the process adheres to technical and legal standards. They also have to stay up to date with the latest e-discovery tools and methodologies, as the field continually evolves with technological advancements and changes in legal requirements. Another of the critical challenges in DFID is balancing thoroughness with efficiency. See, the vast amounts of data involved in modern litigation can lead to significant time and cost burdens. DFID professionals must employ strategies to streamline the process, such as predictive coding and machine learning algorithms, to prioritize and categorize documents. Further, DFID professionals need to understand the legal implications of their work.

So in what situations would you want a DFID expert? Well, that would be in a large-scale corporate litigation. You could say a multinational corporation is involved in a complex litigation case involving allegations of antitrust violations. The case requires a review of millions of emails, documents, and other electronic records to identify relevant information that can support the corporation's defense. So why DFID? Well, in this scenario DFID specialists are crucial for managing the vast amounts of data involved in the discovery process. They would begin by identifying all potential sources of relevant ESI, including email servers, document repositories, and cloud storage. The collection process would ensure that the data is extracted in a forensically sound manner, preserving its integrity and metadata. And often those DFID experts are focused on collecting digital evidence in a way that limits the impact on the business while ensuring they
gather the relevant ESI and data. While digital forensics experts who work in litigation are often attempting to recover everything they possibly can and examine forensic artifacts that point to specific user actions (who, what, when, where, and why), digital forensics in e-discovery, or DFID, experts are focused on collecting and culling massive data sets for relevancy. In other words, DFID is good at casting a large net and collecting the data in a way that's forensically sound, and it's especially useful when you're not worried about getting deleted data or other forensic artifacts that point to the who, what, when, where, and why of a person. What you're looking for are responsive documents and responsive information related to a legal matter.

So in conclusion for this section, digital forensics is a dynamic and multifaceted field, with each specialization serving a distinct purpose within the broader context of digital investigations. For attorneys, understanding the difference between DFIR, DFL, and DFID is essential for leveraging digital forensics expertise effectively in legal matters.

When we talk about the foundations of digital forensics, we need to look at both the foundational principles that underpin everything that we do in the field, as well as the methodologies, or the actual actions that we take, that both adhere to those foundational principles and get us from the point where we are identifying evidence to reporting in the courtroom. And that's what we're going to cover in this section.

So, the foundational principles that underpin digital evidence examinations. The first of those is integrity. The integrity of digital evidence must be maintained from the moment of collection through its presentation in court, the entire process. In the beginning, this involves using write-blocking technology to protect evidence when it's being forensically copied or acquired, to prevent any modifications. For example, if this is not done, a hard drive, let's say it's connected directly to a computer without a write
blocker, like a USB drive or an external hard drive, the computer's operating system might alter the timestamps or other information related to those files, compromising the evidence. Whereas if it was protected, and the integrity was protected using write-blocking technology, that would be impossible.

Then we have repeatability. The forensic process must be repeatable. Other experts should be able to replicate the analysis and arrive at the same conclusions using the same methods and tools. While opinions may differ, the actual underlying data that we're looking at and presenting in court should not. So if I perform an examination, it should be documented in such a way that another examiner can do the exact same examination. If this is not done, you can't prove the background information related to what the analysis encompassed and that you protected it, which could ultimately lead to that evidence being contested in court or its outright dismissal.

We also have adherence to legal standards. Digital forensics must comply with relevant laws and regulations. For law enforcement, this could include obtaining proper authorizations and search warrants to collect digital evidence. In civil litigation, this could be the need to have consent forms signed before accessing a phone or cracking its passcode, for example, or if a locked file or a password-protected file is found during a discovery phase, it would require additional justification on the need to get through that locked door, so to speak, even if forensic tools would allow it.

Finally, we have thorough documentation. As you've seen, it really matters that we understand what happened in the examination process, the acquisition process, all of that. So every step of the forensic process must be meticulously documented. This includes maintaining a chain of custody log that records who handled the evidence and when, because without proper documentation the other side can argue that the evidence may have been tampered with or mishandled.
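The integrity and documentation principles above in working form, as an added example that is not part of the lecture: a Python script that gives a forensic image its "digital DNA" (the hash value mentioned earlier) with MD5 and SHA-256, writes each acquisition and verification into a chain-of-custody log with the examiner, method and UTC time, and shows that changing a single byte of the image makes re-verification fail. The image file, examiner names and log layout are constructed for the demonstration.

```python
"""Added example, not the lecture's own material: hash a forensic image,
log the acquisition, and detect any later change. The image, examiner
names and log format are constructed for this demonstration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # hash in 1 MiB pieces so a multi-terabyte image never sits in RAM
METHOD = "single-pass streamed MD5 + SHA-256 over the whole image (hashlib)"


def hash_file(path):
    """Return the MD5 and SHA-256 digests of a file, computed in one pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            md5.update(block)
            sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_acquisition(image_path, examiner, log):
    """Append a chain-of-custody entry: who hashed what, how, and when (UTC)."""
    entry = {
        "event": "acquisition_verified",
        "image": os.path.basename(image_path),
        "size_bytes": os.path.getsize(image_path),
        "examiner": examiner,
        "method": METHOD,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        **hash_file(image_path),
    }
    log.append(entry)
    return entry


def verify_image(image_path, acquisition_entry, examiner, log):
    """Re-hash the image and compare with the acquisition record.
    Any changed byte yields different digests, so a mismatch means the
    image is no longer in its acquired state."""
    current = hash_file(image_path)
    ok = (current["sha256"] == acquisition_entry["sha256"]
          and current["md5"] == acquisition_entry["md5"])
    log.append({
        "event": "verification",
        "image": os.path.basename(image_path),
        "examiner": examiner,
        "method": METHOD,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "result": "MATCH" if ok else "MISMATCH",
        **current,
    })
    return ok


def demo():
    """Acquire, verify, alter one byte, verify again; return both outcomes and the log."""
    log = []
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "evidence_laptop.dd")  # constructed stand-in for a disk image
        with open(image, "wb") as fh:
            fh.write(b"NTFS    " + bytes(range(256)) * 64)  # 16,392 bytes of constructed data
        acquired = record_acquisition(image, "Examiner A", log)
        first = verify_image(image, acquired, "Examiner B", log)
        # Simulate an accidental write to the evidence: flip one bit of one byte.
        with open(image, "r+b") as fh:
            fh.seek(5000)
            original = fh.read(1)
            fh.seek(5000)
            fh.write(bytes([original[0] ^ 0x01]))
        second = verify_image(image, acquired, "Examiner B", log)
    return {"first_verification": first, "after_tamper": second, "log": log}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["log"], indent=2))
    print("original verified:", result["first_verification"],
          "| after one-byte change:", result["after_tamper"])
```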
And that's whether it's intentional, or unintentional through ineptitude.

Now, there is much that can be said under each one of these subheadings within the methodologies in digital forensics. However, we're going to do a quick overview of them; otherwise we'd be here for a very long time. I will stop on a few of these to give a few points that relate specifically to what you do as attorneys, and as a consultant, things that I think are the most helpful. However, we're going to run through these and attempt to understand them first, and I'll come back to a couple to provide some more insights before we move on to the final section, where we're going to talk about the digital forensics subdisciplines.

So first, the digital forensics process follows a systematic methodology designed to ensure thoroughness and accuracy. These methodologies are essential in ensuring that experts are adhering to foundational principles. The foundational principles are the why; these methodologies are the how.

First we have data recovery. Digital forensics data recovery differs significantly from traditional IT data recovery. While IT data recovery focuses on restoring lost data for continued use, forensic data recovery aims to retrieve data while maintaining its integrity for legal proceedings. Digital forensics has data recovery capabilities far exceeding those of traditional IT tools and expertise.

Then we have identification. The first step in any case is to identify the relevant sources of digital evidence. This includes identifying the relevant people who may have digital evidence on their devices, and the devices themselves. So that could include computers and mobile devices, storage devices, network logs, and cloud services. The specifics of the case determine the scope of the search. Missing a key storage device or network log can result in incomplete evidence collection, potentially leaving out crucial information.

Preserving digital evidence involves creating a forensic image of the data, or forensic extraction, which
is an exact copy, or the most data that can be captured from that evidence device. This process ensures that the original data remains unchanged and can be verified against the forensic copy. Now, I want you to understand that under each one of these headings are multiple sub-points that need to be captured to understand them completely, but for our purposes we're talking about preservation and acquisition. The acquisition part is capturing the data, and the preservation part is encapsulating it in forensic file formats and giving it that digital DNA: running a mathematical hash algorithm against all the captured data that produces a unique fingerprint, or unique DNA signature. If that forensic image file is tampered with or modified in any way, it will produce a totally different number, allowing you to know that it is no longer in its original state and potentially cannot be trusted as evidence. So that digital DNA acts as our verification as well that the evidence is good: that it has been acquired, preserved, and verified in such a way that it meets forensic best practices and industry standards. This will allow you to take that piece of evidence to court with confidence in its reliability and that it will hold up to scrutiny.

So in digital forensics, the examination and analysis phase begins with experts using various tools to analyze data. During the examination, this can include keyword searches, pattern recognition, carving out deleted data, and metadata analysis to uncover relevant information in a case. Thorough examination techniques are essential to uncover all the relevant data and to ensure that no critical evidence is overlooked. The examination phase is where forensic experts sift through large volumes of data to identify and extract information that is pertinent to the case. It also involves further analysis, okay, and that's the interpretation of the data collected to reconstruct events, identify patterns, and establish timelines. This step often involves correlating different
data sources to provide a comprehensive understanding of the case, such as data from phones, computers, call detail records for historic location, and more. Accurate analysis is vital for drawing correct conclusions from the evidence, and it requires a deep understanding of both the data and the context in which it exists. Forensic experts must be meticulous in their approach to ensure that their findings are based on solid evidence and logical reasoning, especially when combining data from multiple evidence sources.

The final step is presentation, and that is taking those findings and making sure that they are clear and understandable to the triers of fact. This involves creating detailed reports and, if necessary, providing expert testimony in court. The presentation must be ready to withstand scrutiny and cross-examination. Effective presentation of findings ensures that the evidence is clearly communicated and understood by all the parties involved, including the judge and jury. The ability to translate technical findings into comprehensible information for lay people is crucial for the impact of the evidence. Forensic experts must be able to convey their findings in a manner that is both accurate and accessible to non-technical audiences. If they are unable to do so, they are a potential liability in your case instead of being a benefit, if you don't know and can't trust what they're going to say or how they're going to say it on the stand.

Now, many of these methods we have covered will be handled by a forensic expert, so if you find a competent expert who can handle these processes, you're good to go. However, I want to take a deep dive into a couple of these. First we're going to talk about identification, the reason being that this is one area where you need to work closely with an expert, and it involves a lot of issues that are outside of the forensic realm because it deals with people. Remember, identification is both identifying people and their devices,
and that can bring some unique challenges. So, we understand the people involved; we call these custodians. So first let's cover custodians and their devices. A custodian refers to anyone with possession, control, or responsibility over devices containing relevant digital evidence. These individuals can be suspects, witnesses, victims, or even third parties. Identifying custodians is often the first step in a forensic process, as their devices are the primary repositories of the digital data we care about.

Consider a scenario where a company suspects one of the employees of embezzling funds. The digital forensic investigation begins by identifying all potential custodians within the organization. These custodians might be the suspect themselves, immediate supervisors, a CEO, colleagues with access to financial systems, and more. Each identified custodian's devices, such as computers, smartphones, and external storage devices, become critical targets for evidence collection. The forensic team must clearly understand the custodians' roles and their access to various systems: what they can access, what they can open, what they can see. This involves interviewing employees, reviewing access logs, and examining network permissions. Once the custodians are identified, their devices are forensically imaged or copied, ensuring that the original evidence remains unaltered.

And this is one area where a digital forensics expert can really help, and that's with the interviews. Involving digital forensics experts in interviews with custodians and IT professionals can be highly beneficial. The expertise we have can help identify sources of digital evidence that might otherwise be overlooked and ensures the correct questions are asked to gather critical information. Some ways an expert can assist are: providing technical expertise. Forensic experts can provide technical insights that attorneys might lack, ensuring that all potential sources of evidence are considered. You may become aware of evidence sources you didn't even know existed
that are possible sources for recovery of relevant digital information in a case. They can also assist with detailed questioning. Experts can ask detailed, technically specific questions to uncover hidden data sources and understand the nuances of an organization's IT infrastructure, for example. And finally, there's efficient data collection. The presence of an expert can streamline the data collection process by immediately identifying relevant devices and accounts, reducing the risk of missing critical evidence and preventing delays in the collection of that evidence that could compromise its integrity or result in data loss.

But one of the real challenges, a human challenge: custodians are people. Dealing with custodians in the process of identifying relevant evidence sources presents unique challenges, largely because custodians are people, each with their own perspectives, emotions, and potential biases. These human factors can significantly impact the effectiveness of evidence identification and collection. That's why the interviews and information gathering from custodians are such critical steps, but they must be approached with sensitivity and skill, for several reasons.

First is stress and reluctance. Custodians may find the legal process stressful, especially if they feel their actions are under scrutiny. This stress can make them reluctant to share information, either because they fear potential repercussions or because they are unsure about the significance of the information they hold. Further, they may have co-mingled personal and company data on their electronic devices and are concerned about their privacy. A skilled expert can help their attorney in explaining to the custodian, in plain language, how digital forensic tools and methods can keep their private data private during an investigation.

Then we have memory inaccuracies. Human memory is fallible. A custodian's recollection of events may be inaccurate or incomplete, especially if the events in question occurred some time ago. Good
interview techniques including asking open-ended questions and using documents or other evidence to jog memory are crucial for minimizing the effects of memory inaccuracies this is why counsel and the digital forensic expert should work closely in the identification phase other potential leads can be discovered by examining documents timestamps messages and other information that has been determined relevant these leads can be used for follow-up interviews with custodians to assist them in accurately recalling activities or to jog their memory on where or how they might have accessed or stored relevant data and then there's the challenge of bias and misinterpretation custodians may have unconscious biases that affect how they interpret and relay information they may also have personal or professional relationships influencing their willingness to disclose information fully and accurately interviewers must be aware of these potential biases and craft questions to minimize their impact an example is fear of technology some custodians may have limited understanding of the technology involved in a case or fear that their lack of technical knowledge could reflect poorly on them this fear can hinder open communication alternatively their lack of technological sophistication may lead them to believe that the efforts by counsel and experts to identify and collect relevant evidence are less like how it is in real life and more like a high-tech crime show they watch on weekdays or the latest Apple or Google conspiracy theory they read on social media interviewers must reassure custodians that their role is not to assess technical expertise or to do anything outside of a particular case's limits instead the only objective is to gather facts and that all information regardless of how technically involved it is has limited scope and use to the case at hand and there are also legal religious and ethical concerns custodians might have objections on religious ethical or legal grounds they
may be concerned about the implications of disclosing certain information or have certain perspectives they hold as foundational beliefs for example an employee who identifies as a sovereign citizen might argue that they are not subject to the same rules and regulations that govern the company and its employees they might present documents filled with legal jargon and citations of obscure laws to exempt themselves from participating in the audit another example could be an employee with strong religious beliefs who is torn between complying with legal requests for documents and adhering to the privacy principles of their community these complex situations are best handled on a case-by-case basis and under the guidance of pre-identified and vetted digital forensic experts who have excellent interviewing and interpersonal skills who can work in conjunction with the attorney to give ease to that custodian as much as possible so you can get the relevant information and compliance as needed the last human element we need to talk about is interviewing IT professionals the IT department is the gatekeeper to much of an organization's relevant digital evidence and their expertise can reveal the digital pathways custodians have traversed including email communications network access logs and electronic document storage by consulting with IT examiners can uncover a custodian's digital footprint including the device usage history changes in equipment and access to servers and cloud-based resources this technical insight is critical in navigating the digital evidence landscape interviewing IT professionals within the organization is crucial in determining where custodian data is stored and how it can be accessed IT staff have detailed knowledge of the organization's network architecture data storage practices and security protocols a digital forensics expert is going to have an understanding of IT and what they do and knows the right questions to ask it is difficult to stress the
importance of this when you're talking about any type of collection at a facility that has a dedicated IT department or even uses a third party IT department because so much can be lost in translation as they are talking technical and you are talking legal that is why a digital forensics expert acting as an intermediary and a translator in both directions can be so incredibly beneficial in these types of cases but what about situations where the IT professionals themselves are the ones in question or are a custodian of interest for example if there's a concern that the IT professional might be involved in some form of employee wrongdoing their access and knowledge of the systems may make them a unique liability in these cases it's best to rapidly limit their access to the organization's systems both physical and via remote access until the relevant data is forensically copied and preserved since an IT professional has advanced technical knowledge including the ability to obfuscate or truly delete data a digital forensic expert should be a part of this process from the outset to aid counsel in ensuring relevant data is located protected and preserved in these situations now there's much more that could be said about identification how to ask the right questions if you'd like you can send me an email and I'd be happy to provide you with some sample questionnaires for IT professionals and for custodians so at this point we've covered many of the foundational elements of digital forensics from what is data what is digital evidence down to what are the specializations inside the field itself now we're going to talk about the subdisciplines what are the different things the different types of evidence we examine as digital forensics experts now I think you have an understanding at this point that there's a tremendous amount of digital data out there and that digital evidence truly is everywhere and each subdiscipline has many facets that make it unique however I find the best way to
explain these is through case examples so we're going to go through these sections and we're going to look at some different cases to see how we put boots on this data and make it work for us I like to start with this case example in particular because what we're going to see are snippets from the plaintiff expert's report and in this one we were retained by the attorney representing the trucking company to assist in this case and the expert the plaintiff had brought to bear tried to say an accident was caused by driver distraction on the part of the truck driver okay so the evidence they used to say that the driver was distracted and the reason I start with this one was they used evidence from multiple sources a holistic approach is what they attempted to do one they used call detail records which are like a super phone bill okay then they also used the driver's logs combined those together which we'll see in a minute to do what's called a lifestyle analysis and then data extracted directly from the cell phone itself now we're going to start with the data from the cell phone itself okay the first claim they made was that the driver was on the phone and actively using it at the time of the accident the reason they said this was because the album cover changed from one artist to another in iHeartRadio leading up to the accident moments before now let me ask you a question if you've used Spotify or WhatsApp or iHeartRadio or Apple Music or any music application what happens when it switches from one artist to another did you have to make the album cover change or does it do it automatically when it switches from one artist to the next it happens automatically right so we showed that we tested it we proved it that goes out the window they can't use that that's shown to be an automated function of the app and has nothing to do with a user next though they took the driver's logs like you see here combined those with the phone records in an attempt to create the
following a driver's log versus phone records analysis to create this which is a sleep gap analysis for the driver so for example on Sunday here June 8th we would see that the largest windows of time the driver could sleep according to the plaintiff would be 2 hours and 23 minutes an hour and 30 minutes and an hour and 16 minutes so this odd polyphasic sleeping system which would be highly problematic right you don't need a truck driver on the road with that little bit of sleep and a polyphasic sleeping system like that however with digital evidence and in digital forensics a lot of times the devil truly is in the details and that is the case in this particular example because this plaintiff expert included incoming activity as activity you have to be awake for now let me ask you a question how often have you gone to bed to wake up to a bunch of emails and text messages perhaps even emergency messages or whatever else you are not awake for that you cannot include incoming activity as a part of this analysis only activity that is user generated or something a user is doing from the phone so when you pull all that out all that incoming activity this driver had a completely normal sleep schedule completely in compliance with how he needed to be doing so this was a good outcome for the defense in this case understand the phone is more than just the data generated by your phone it's a data repository for everything you have connected to it if you have your CPAP machine that you need to have connected to it and you need to be able to show compliance that you're using it at night for your sleep apnea if you're a truck driver the data from that machine if it's a Philips DreamMapper or a ResMed AirSense or these other ones are creating data on your phone in an application that shows your compliance did you use it it'll send you text messages if you're not in compliance it'll send you emails if you're not in compliance hey remember to use your machine that is evidence a plaintiff can use or a
defense could use if it's the other way around it's a plaintiff in cases like that it's also getting wearable biometric data and other information this is a case that I consulted on where you had a cyclist going down a hill they hit a truck okay they hit a truck head first brain shearing a lot of damage to the cyclist now the plaintiff said the truck pulled out in front of the cyclist there's no way you could avoid it and that's why they hit it the defense was not sure of this particular scenario because it's a wide-open intersection kind of like a California stop right like you could see it as far as I can see you can see all directions so people just kind of slow down and go through it right I'm not recommending that that's just what I've heard anyway about the old California stop but in this situation the question is like how did he hit it how did he not see it well he had really high-end cycling equipment a heart rate monitor the Fenix watch that you see here and a Vector 3S we're going to focus on the Vector 3S that actually goes on the crankshaft of the bike like where you pedal to measure wattage output really cool data so all this fitness technology wearable stuff has really really good precise data because it's made for fitness nerds and a lot of it's really expensive really expensive stuff especially in the cycling world some of the stuff can get super complicated and pretty profound data but what we're going to see here in this situation is three different devices overlaid on top of each other doing the same type of test so we have that Garmin we just looked at and then a PowerTap and a Power2Max two other devices so all I'm showing you here is that see how close these lines are all on one bike in the testing very accurate data independently verified by two other devices so to speak okay now I can't show you the actual maps or the actual data maps for the wattage output from this case but what I want you to see is that you can zoom in
to like a 30 second sprint here we can zoom in to 10 seconds we can zoom in really close the important part in this particular case is that that cyclist was hauling tail all the way down and never hit the brakes never slowed down until the point they hit that truck now what could be the scenario here I hold certifications like personal training and some other stuff like that I'm interested in that kind of world and my layperson with some expertise in these things opinion is that most likely what probably occurred is that he sees an empty intersection he's training for triathlons he gets aerodynamic over the front of that bike because he's timing himself and never looks up hits that truck head on a lot of damage to him but it was an issue most likely of simply not seeing the truck because he had his head down now this was a good outcome for the defense with that data that additional information about those wearables and in this one we were contacted by an SIU team in order to analyze the data in this one okay so the scenario and this is a real case none of this is made up I know this is going to sound like it's not but it is a real case we get some weird ones out there so we have an executive he's on a business trip in Europe and the last night of his stay decides to go explore the town so he wants to walk around see what's going on out there okay well when he returns to work his company notices these very large transactions on his card and when he's questioned about it he says that he was kidnapped of all things well furthering this scenario he says that his card was compromised but not lost meaning that the people who kidnapped him took the card spent a bunch of money on it and then returned it to him before he left okay said he was held hostage tied up to a chair for 8 hours there's very vivid details about the kidnapping and the event like think Bourne Ultimatum John Wick it's a very action-packed very cool story that he had but interestingly
enough he never made a report to law enforcement in the local country or when he got back and he made no reports to his company about what occurred either and over $100,000 in charges were made on that company card now first of all that's a heck of a company card but second that's an interesting plot here that we have well we were contacted like I said by the SIU team and we examined both his Apple Watch and his iPhone XR in this case well the first things that we recovered were related to the fitness wearable that watch he had okay that smartwatch and this is from forensic software what you're seeing here this would be one piece of data out of many thousands of location data that were recorded of steps and distance okay so he's moving miles of distance in the time that he's allegedly tied up okay so while he's supposed to be tied up held hostage there's miles worth of movement that occur so that's the first hole in the story here well second we find this interesting artifact so this is a Google Translate artifact that he's attempting to do on his phone where he's translating from English into the local language in the country in Europe that he was in and he says last night you said you can't find a man I promise one day you'll find someone you like and it will be perfect look for someone that likes what you like I want you to know that you deserve better you are beautiful American perfect I really am going to miss you okay so what actually happened here what happened here is that he had an epic date thought he was on a show like The Bachelor or something like that and spending that company money so this was an insurance fraud case and we were able to prove that conclusively with this digital evidence on your phones today and this is all from cell phone forensic software what we're seeing is data that's recovered by actually recovering the data from the phone itself so we have to have physical access to the phone to do these okay we can see what your
fingers are doing at a particular point in time so what we see here and I'll explain this as we go down the line I've got my mouse cursor here I'm going to wiggle it around so you can see it your phone is in your hand your phone is locked the display turns off then the display turns on you've unlocked your phone you're in your mobile SMS that's your messaging you're in your messaging application here then you're switching over to YouTube then you go to your preferences on your iPhone you're selecting which speaker output you want it to be and you're connecting your Jambox earpiece okay so we can see literally what you're doing down to the second here's an actual case example demonstrating how this can be used all right well what we have here is the plaintiff's phone that we examined we were retained by the defense we examined the plaintiff's phone to see if the plaintiff was distracted in this vehicle accident trucking accident case and as we go through here we can see exactly what they're doing on the phone so we have the Waze app is exited that's a navigation app they open their messaging they send a message they open Waze again they exit Waze they open Iron Tribe Fitness they exit that then they open Waze again they get a notification from Iron Tribe Fitness that you've been removed from the class on a particular date Waze is exited Iron Tribe Fitness app is opened again and then 9 seconds after they open that the collision occurs perhaps they were trying to sign up for that class again perhaps they were reading that notification okay but 9 seconds prior to the accident we have human activity physically touching the phone fingers on the device after that they disconnect the cable turn the display off and on exit the app and lock the phone in this case retained by the trucking company on the defense this is the plaintiff's phone we're examining and if we look here I'm circling with my mouse cursor okay these three pictures toward the
bottom we have that first picture taken and what's happening here is that you have the plaintiff riding behind an 18-wheeler with their phone in their hand trying to take a picture of their pill bottle so they can upload the picture to refill their prescription okay so that first picture's blurry no good the second picture a little blurry no good third picture is perfect and then they go to click upload to upload that to their application and at the same time they go into the back of the 18-wheeler are decapitated and die instantly so sad case but was the truck driver distracted no it was the plaintiff this was a fire origination case that we did okay and in this one we were able to show that it was an arson because we were able to recover the video from this burned up surveillance system so how does that work well this is interesting in that it's a little different than some forms of digital forensics if you're familiar with this when you're recovering surveillance video especially when that's on a hard drive like this what has to happen is you can't just simply take that hard drive and make a forensic copy and load it into forensic software and look at it in many cases what has to happen is you have to take that damaged unit let's say it's been burned up you have to take it pull the hard drive out a lot of times the data on that hard drive is just fine okay maybe the controller board on the back may be damaged so you have to go find a hard drive of the exact same type exact same make and model and year usually replace the controller board from the working hard drive to the damaged hard drive then you make a forensic copy then you extract the data forensic copy onto a hard drive like it's normal data again then you have to install that hard drive into an exemplar or the exact same CCTV or DVR digital video recording unit that the original was so you have to go find one that's exactly the same a lot of times you have to find them on eBay or the rest especially if you've got
like a surveillance system in a gas station or a mom and pop store where they're buying something at Costco or off the internet so you go find that exemplar unit put the drive into there and then you have to export the video from the software interface that's designed for that product okay because a lot of times these are based upon proprietary file systems and more okay here's another example of a case right here this is two gentlemen walking back from burglarizing a place right but what are they caught by they're caught by the neighbor's doorbell camera you can see it right here and even if someone tries to destroy that video in modern video systems today which is really great because we're able to pull this down with the credentials and get the video and secure it in a forensic file format that's tamperproof from the rest this is a gentleman who's broken into a home and he sees that he's being recorded by this camera system so what does he do he goes in and he tries to smash the camera well that may work in Hollywood but it doesn't work here because that video is being recorded and uploaded to the cloud immediately so even if for example this house was burned down that video footage would still be recoverable if they have an account where that data is being synced to the cloud within a certain time frame this is critical for both the hard drive based system and for cloud-based systems most of these are on a rolling basis of time so you have perhaps 30 days or two weeks sometimes to get that video footage before it's gone I know we're talking forensics and deleted data recovery and the rest and yes we can do that on some of those systems but many of them work this way okay you have that video that's written and as new video is recorded it records over the top of that okay and overwriting data with new data is true deletion so it can truly delete that video footage so it's not recoverable it's actually completely gone so it's imperative
that if you think there is a camera in the vicinity or in the property or around the property or someone had a doorbell camera that's nearby whatever like that that you try to get that video preserved as soon as possible because it will go away your car can act as a data repository so data from your phones when you hook it up backups from that online accounts vehicle information can all kind of get sucked into your car so you have your smartwatch recording data that then goes to your phone that can end up on your car you have camera data that can be in your phone that ends up in your car computer phone to car in the same way it kind of acts as a big repository in a lot of ways and it's very hard to delete this data to get this data off of a phone right now you pretty much have to take it to a dealer and get a factory reset there's really no other way to do it and this is from a rental car right here and we can see in this rental car in the forensic software we have for vehicle IVI or infotainment vehicle forensics we have Aaron's phone an iPhone Jennifer's phone Lexi's phone Sarah Lee's phone Will J's Herend Del's phone all these phones that have been connected if we expand out those little check boxes you see we're going to see data like this from each phone 70,000 track points of location activity 70,000 points of where you're at at a specific time how fast you're going and more so that's location data coming out your ears with these cars right now it also is recording where you're traveling and the location even if you have no location set it's just recording as you go on many models of vehicle and we can animate those track logs and see the speed and where you're going and the rest in forensic software just like this we had to examine the plaintiff's computer retained by the defense in this one because the gentleman got really sick from some insulation that was installed in his home but there were some concerns by the EV so we
examined that computer and here's the timeline of events that we saw from its internet history okay first he researches this illness to see what it is then he's looking at like the court cases related to it then he's looking up like what are the symptoms you get from it then he's looking up the best plaintiff attorneys who support it then he has the insulation installed after all that then he gets sick then he files the claims and all the stuff like that right total insurance fraud he planned the whole thing lining the stuff up to try to get a payday out of that particular issue but we saw it all from the deleted and recovered stuff on that computer this is an arson case that we worked on in this particular case the SIU team contacted us because they were concerned about where the husband was when this fire happened they wanted to know was he in the area of the house and this is using cell site location information so call detail records right those super phone bills which have the date and time calls and messages occurred also contain the cell tower you're connected to now this doesn't put somebody in a driveway you can think of it like this I'm going to draw a picture with my hands here on my little screen you can think of it like a peace sign right so you have like the circle you get the peace sign marks in it you can put somebody typically within one sector of a cell tower so with that peace sign it's one of those wedges so we got a wedge right here and that's the sector pointing toward the house of this particular gentleman okay and why was the SIU concerned well here's why the SIU was concerned he sends his wife and her best friend on a cruise okay while they're on the cruise the house burns down the wife was a cat collector and had about 200-some-odd cats in the house I really had to watch my jokes here I love cats I have three cats I'm very fond of my cats so they were concerned that he burned the house down because of the cat infestation or
whatever you want to call it and what were we able to show we were able to say yes his phone was connected to the cell tower that would cover his house the rest has to be done by you right we can put them in a general location with this if we had a phone it would have been more with the cell site stuff we can say a general location where someone was at at a particular time like this now if you had multiple locations this gets even better like multiple spots where there might have been a fire and you can put the phone at all those that really correlates evidence but if he said no I was across the state I was in a different city I was down the street like down the highway or something like no you weren't your phone at least wasn't your phone was connected to the cell tower covering your house here's an example of Google location data okay so you see these pins in here this is someone in a place he's not supposed to be for criminal reasons but all these pins are super precise putting somebody at a particular location if we clicked on them we see dates and times and all the rest of the information that goes with it one more example here too this is an accident case an alleged accident case because someone's claiming they were hit by an 18-wheeler damage to their vehicle and they were hurt yet when that occurs the truck is 24 miles away in New York City okay I don't know if you've been to New York much but I don't know if you're going 24 miles in 5 minutes distance traveled in New York City in anything but a rocket one final one this is a Lyft driver assault case we worked on in this particular case they're saying that it was an actual Lyft vehicle Lyft driver that committed a sexual assault on a lady who got in the vehicle but we see where the vehicle is at in this one the first and second cell see the incident location kind of in the middle where the assault is right here well the vehicle is using the first cell and the second cell over here the towers and over
on the side and you can kind of see where the vehicle's at if you look at the screenshot so we see that over here I'm kind of circling with my pointer the big purple arrow is where the vehicle's at when the incident happens the car is way in a different spot okay so what actually happened is somebody pretending to be a Lyft driver who got an unsuspecting young lady in the vehicle and then assaulted her we've done multiple Uber and Lyft cases where it's alleged it was the driver doing the sexual assault I've never had one of those where it actually was it's usually somebody pretending to be an Uber or Lyft driver so check the license plate I use them all the time Lyft and Uber great services just check license plates okay and make sure the driver is the same person who is supposed to be well in this case I was retained by the criminal defense attorney whose client was charged with four charges of assault the primary source of evidence used by the prosecution to substantiate these claims was an audio recording between the defendant and his girlfriend well the defendant claimed that the audio recording had been edited and his attorney contacted me to analyze it when I listened to the recording with my ears alone some of the transitions sounded off meaning the context changes in the conversation seemed incongruous they didn't fit together but sometimes conversations are like that right they don't always all flow perfectly sometimes they're choppy and the rest but there were no other anomalies that I could pick up by listening alone that would give me sufficient reason to doubt the authenticity of the recording and if I cannot hear them using studio grade equipment there's no way the judge and attorneys heard anything on the courtroom quality speakers on the defendant's first court date which occurred before I was brought onto the case well in my analysis the first thing I noticed was that the audio file was an MP3 file format on an iPhone audio files were
recorded in M4A format so this means that the audio was changed in some way even if it was just a simple conversion of the audio file from M4A to MP3 well that doesn't mean that the audio was manipulated to change the context or contents of the actual words said back and forth but it was the first red flag so to speak well first let's jump ahead in time to the trial and then I'll come back to explain my analysis in detail the alleged victim testified on the stand that the audio recording was created using her iPhone which she had set to record and hidden in her pocket she stated that she transferred the recordings to a computer and then burned it to a CD which she then provided to law enforcement well when asked in cross-examination she stated emphatically that she in no way edited or changed the original audio file now let's back up in time to my analysis see even if you cannot hear manipulation with your ears you can see audio manipulation with your eyes you can see evidence of tampering through a spectrogram analysis I loaded the audio recording into an audio analysis software and examined the spectrogram and I was able to pinpoint 80 different points where the audio had been manipulated let's dive into the details and see how spectrogram analysis played a crucial role in uncovering these edits so first what is a spectrogram a spectrogram is a visual representation of the spectrum of frequencies in a signal as they vary over time so in other words a spectrogram is a visual representation of auditory data you are seeing what you would hear it displays frequency on the vertical axis time on the horizontal axis and the intensity of the frequency is shown using color or brightness you see this tool is incredibly useful in audio forensics for identifying anomalies that are not easily detectable by ear alone a good way to understand a spectrogram is to compare it to a musical score I want you to imagine that you're looking at a sheet of music each note on the sheet represents a
specific pitch played at a specific time now let's break this down and how it relates to a spectrogram the time axis that's the horizontal lines on a musical score represent the progression of time the horizontal axis on a spectrogram shows how the sound evolves over time and each moment in time is captured just like each beat in a piece of music the frequency axis or the y axis on a musical score that vertical position of a note indicates its pitch with higher notes placed higher on the staff similarly the vertical axis on a spectrogram represents different frequencies with lower frequencies at the bottom and higher frequencies at the top well we have a third dimension when we're talking about a spectrogram analysis and that is the same as in music where you have dynamics or loudness of a note where it's indicated by symbols like a P for piano or soft or F for forte or loud and in a spectrogram that intensity or loudness of a frequency at a given time is shown by the color or brightness see the brighter colors or more intense shades indicate louder sounds all right so just one quick analogy and then we're going to get to the actual examination so let's imagine that we're analyzing a bird song right a song of a bird the time axis that left to right progression shows the sequence of the bird song just like reading music from left to right so the bird is chirping and over time you see those chirps go across the frequency axis the bottom to top range shows the different pitches of the bird calls right the higher the pitch the higher it will be the lower the pitch the lower it will be just like notes on a musical staff then the color intensity how bright or how strong those colors are indicate how loud each chirp is just like those musical dynamics we talked about earlier so now on to the examination so I'm going to show you the actual file in a minute so you can see this for yourself but once the audio file was loaded I began a visual inspection of the spectrogram okay the key
indicators of edits in the spectr were hard cuts and empty sound floors see these are areas where the audio waveform abruptly changes indicating that a section has been removed and the remaining parts have been spliced back together in the spectrogram the edits were clearly visible is sharp vertical lines where the frequency content suddenly stopped and then started again you can think of these as like digital tool marks and these hard cuts are a Telltale sign of splicing see additionally in this particular case the sound floor was absolutely empty at these points meaning there was no background noise or ambient noise uh which is extremely unusual in a continuous recording you see I meticulously went through the entire audio file marking each point where these hard cuts and empty sound floors appeared and total identifying 80 different spots where it occurred okay and the level of detail is crucial in forensic analysis that we're looking at here with like a spectrogram analysis as it provides concrete evidence of tampering without this analysis the recording was have passed as the real thing all right so let's take a look at the actual spectrogram analysis that I performed so as you watch this video this was a demonstration I had ready for trial the video I made where you're going to see the spectrogram going across in time and then every spot where there was an edit I have a red arrow pointing up to that section okay so let's take a look at that I'm going to play it in fast speed so keep your eyes glued to the screen so you can spot all the edits and then I'm going to tell you what happened at trial so I gave expert testimony in this case explaining what we've already covered right the splicing and the studying the spectrogram analysis and the rest and as a part of my report I created the video that you're watching right now showing all 80 points where the audio had been cut and spliced together and edited yeah the video was necessary to translate a complex 
technical concept the visual representation of auditory data to the court see often words alone are not enough to explain technical Concepts without this video the impact of my expert testimony would have been severely diminished in my estimation and on cross-examination the prosecution asked me how this could have occurred in the normal course of creating an audio file and even posed a few scenarios and most of the scenarios were impossible and only one was possible but extremely improbable after my testimony the court excused me and the next day the defense attorney let me know that the defendant was found not guilty on all four counts of assault see that spectrogram analysis proved to be an invaluable tool in this case allowing me to identify and document the edits with precision and this method not only helped in detecting tampering but also provided a visual representation uh to present this evidence in a legal proceeding
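The two edit signatures the talk describes, hard cuts and an empty sound floor, as an added example that is not part of the original talk and not the examiner's tooling. It builds a constructed stand-in for a continuous phone recording (two harmonics with a slowly varying envelope over a steady room-noise floor), simulates crude edits that drop a section and rejoin the halves through a block of exact zeros, computes a short-time spectrogram with a small pure-Python FFT, and flags spectrogram columns whose level falls below an assumed floor or jumps abruptly between neighbours. The sample rate, frame size, both thresholds, the signal itself and every helper name (`find_edits`, `cut_and_splice`, `make_recording`) are assumptions made for this example.

```python
# Added example (not the examiner's tool): spectrogram-based search for the
# two edit signatures described in the talk, hard cuts and empty sound floors.
# All parameters, thresholds and helper names below are assumptions.
import cmath
import math
import random

SAMPLE_RATE = 8000   # Hz; a low rate keeps the pure-Python FFT quick
FRAME = 128          # samples per spectrogram column (16 ms)
HOP = 64             # step between columns (8 ms)


def fft(x):
    """Radix-2 Cooley-Tukey FFT; len(x) must be a power of two."""
    n = len(x)
    if n == 1:
        return [complex(x[0])]
    even, odd = fft(x[0::2]), fft(x[1::2])
    out = [0j] * n
    for k in range(n // 2):
        t = cmath.exp(-2j * math.pi * k / n) * odd[k]
        out[k] = even[k] + t
        out[k + n // 2] = even[k] - t
    return out


def spectrogram(samples):
    """One column per Hann-windowed frame: a list of FRAME // 2 bin magnitudes
    (frequency up the column, time across columns, magnitude = brightness)."""
    window = [0.5 - 0.5 * math.cos(2 * math.pi * i / FRAME) for i in range(FRAME)]
    columns = []
    for start in range(0, len(samples) - FRAME + 1, HOP):
        seg = [samples[start + i] * window[i] for i in range(FRAME)]
        columns.append([abs(c) for c in fft(seg)[: FRAME // 2]])
    return columns


def column_db(column):
    """Total energy of one column in dB (relative units, not dBFS)."""
    return 10 * math.log10(sum(m * m for m in column) + 1e-12)


def find_edits(samples, floor_db=-60.0, jump_db=30.0):
    """Return [(start_s, end_s, reasons)] for regions whose columns show an
    empty sound floor (level below floor_db: no ambient noise at all) or a
    hard cut (level change above jump_db between adjacent columns).
    Adjacent flagged columns are merged into one event."""
    levels = [column_db(c) for c in spectrogram(samples)]
    flagged = {}
    for i, level in enumerate(levels):
        if level < floor_db:
            flagged.setdefault(i, set()).add("empty floor")
        if i > 0 and abs(level - levels[i - 1]) > jump_db:
            flagged.setdefault(i, set()).add("hard cut")
    events = []  # [first_column, last_column, reasons]
    for i in sorted(flagged):
        if events and i - events[-1][1] <= 1:
            events[-1][1] = i
            events[-1][2] |= flagged[i]
        else:
            events.append([i, i, set(flagged[i])])
    return [(first * HOP / SAMPLE_RATE, (last * HOP + FRAME) / SAMPLE_RATE, sorted(reasons))
            for first, last, reasons in events]


def make_recording(seconds=1.5, seed=7):
    """Constructed stand-in for a continuous phone recording: two harmonics with a
    slowly varying envelope on top of a steady room-noise floor (never digitally silent)."""
    rng = random.Random(seed)
    out = []
    for n in range(int(seconds * SAMPLE_RATE)):
        t = n / SAMPLE_RATE
        env = 0.18 + 0.12 * math.sin(2 * math.pi * 3 * t)  # natural loud/quiet swings
        voice = env * (math.sin(2 * math.pi * 220 * t) + 0.5 * math.sin(2 * math.pi * 660 * t))
        out.append(voice + rng.gauss(0.0, 0.01))
    return out


def cut_and_splice(samples, at_s, removed_s=0.2, gap_s=0.03):
    """Simulate a crude edit: drop removed_s of audio at at_s and rejoin the two
    halves through gap_s of exact zeros, the 'absolutely empty' floor a
    continuous recording never shows."""
    start = int(at_s * SAMPLE_RATE)
    resume = start + int(removed_s * SAMPLE_RATE)
    return samples[:start] + [0.0] * int(gap_s * SAMPLE_RATE) + samples[resume:]


if __name__ == "__main__":
    original = make_recording()
    tampered = cut_and_splice(cut_and_splice(original, 0.4), 0.9)
    print("untouched recording:", find_edits(original))
    for start, end, reasons in find_edits(tampered):
        print(f"edit from {start:.3f}s to {end:.3f}s: {', '.join(reasons)}")
```

The untouched signal produces no events because its natural quiet passages still carry the noise floor; the two spliced positions each produce one event carrying both reasons. Two caveats for real work: the thresholds are in relative dB and must be set against the ambient floor measured on the actual recording, and a splice that joins two non-silent segments without a gap leaves no empty floor, so it would have to be found from other cues (a broadband click, a phase or ambient-noise mismatch across the join) that this check does not look for.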
