Digital Forensic Overview

Transcription

Digital Forensic Overview
Spring Training, April 2019
Yazen Aswad, Digital Forensic Specialist, MSPD

Yazen Aswad – Training and certifications
- 2015: CCPA (Cellebrite Certified Physical Analyst)
- 2015: CCLO (Cellebrite Certified Logical Operator)
- 2015: CMFF (Cellebrite Mobile Forensic Fundamentals)
- 2016: Digital Forensics EnFuse training
- 2017: CCPA (Cellebrite Certified Physical Analyst) - Recertified
- 2017: CCLO (Cellebrite Certified Operator) - Recertified
- 2018: Digital Forensics EnFuse (OpenText) training
- 2019: Mobile Device Investigations
- 2019: Casting the Digital Footprint
- 2019: Digital Forensics EnFuse (OpenText) training

- Explain discovery: from tech language to English
- Consultancy: discuss digital evidence with attorneys
- Examine cellphones (NO CP DIGITAL MEDIA CAN BE EXAMINED IN-HOUSE): in-house lab; FBI/Highway Patrol; PD/Sheriff
- Examine hard drives (NO CP DIGITAL MEDIA CAN BE EXAMINED IN-HOUSE): in-house lab; FBI/Highway Patrol; PD/Sheriff
- Plot cellphone detail records (CDRs) received from the telco on the map
- Testimony

Equipment:
- Cellebrite: Universal Forensic Extraction Device (UFED), UFED Physical Analyzer
- Digital Intelligence: Forensic Recovery of Evidence Device (FRED)
- EnCase Forensic

Hard drives (FRED, Guidance EnCase Forensic): IDE, HDD, SSD, EIDE, ATA, SATA, ATAPI, SAS, Firewire, USB hard drives, Compact Flash, Micro Drives, Smart Media, Memory Stick, Memory Stick Pro, xD Cards and Multimedia Cards

FastBloc
FastBloc hardware and software is used to connect EnCase Forensic to a hard drive to which investigators have physical access. FastBloc hardware acts as a middleman between the operating system and the hard drive and physically blocks any hard drive write requests.

Cellphones/Tablets (Cellebrite UFED Touch / UFED Analyzer): CDMA/GSM smart phones, basic phones, memory cards, SIM cards, flash drives, GPS, drones

UFED Touch: 27,141 device profiles – 7,187 apps (Dec 2018)

Extractions
- Logical: call logs, media, audio
- File system: call logs, media, audio, files, hidden files, OS specific
- Physical: call logs, media, audio, files, hidden files, deleted data

Extractions: JTAG, Chip-Off

Who has access to UFED?
- UFED/FRED are not connected to the network.
- No one has access to them other than myself.
- Cellphones (evidence) are stored in a locked cabinet in my office.

Sources of location data
- Cellphone device – extraction
- Provider – see retention period
- Google Takeout – https://takeout.google.com/settings/takeout
- Google location timeline – https://myaccount.google.com/activitycontrols

Google location timeline: www.maps.google.com → Menu → Your timeline

Retention period of cellular service providers

Cellular Telephone and Social Media Subpoena Guide – updated June 2018

Cellphone detail records (CDRs) plotting: records received from T-Mobile in a spreadsheet.


Records plotted on the map

Hash value?
A hash value is a numeric value of a fixed length that uniquely identifies data.
a5038e044add1c3417436fa2643020ed
Picture source: 5038e044add1c3417436fa2643020ed
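As an added illustration (not from the slides), the Python below computes the digests an examiner records for an evidence item and re-checks them later; the sample bytes are constructed, and flipping a single bit shows why a hash mismatch means the item is no longer the one that was acquired.

```python
import hashlib
from typing import Dict


def hash_bytes(data: bytes) -> Dict[str, str]:
    """Hex digests an examiner would record for an evidence item (MD5 as on the slide, plus SHA-256)."""
    return {
        "md5": hashlib.md5(data).hexdigest(),        # 32 hex characters
        "sha256": hashlib.sha256(data).hexdigest(),  # 64 hex characters
    }


def hash_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Same digests for a file on disk, read in chunks so a multi-GB drive image fits in memory."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify(data: bytes, recorded: Dict[str, str]) -> Dict[str, bool]:
    """Re-hash `data` and compare with the values written on the chain-of-custody form.

    Comparison is case-insensitive because reports print digests in either case."""
    current = hash_bytes(data)
    return {alg: current.get(alg) == value.lower() for alg, value in recorded.items()}


def flip_one_bit(data: bytes, index: int = 0) -> bytes:
    """Copy of `data` with the lowest bit of byte `index` inverted (simulates a tiny alteration)."""
    altered = bytearray(data)
    altered[index] ^= 0x01
    return bytes(altered)


if __name__ == "__main__":
    # Constructed sample "evidence": stands in for a picture pulled from a phone extraction.
    evidence = b"\xff\xd8\xff\xe0 constructed JPEG-like sample bytes \xff\xd9"
    recorded = hash_bytes(evidence)            # what was written down at acquisition
    print("recorded:", recorded)
    print("unchanged item matches:", verify(evidence, recorded))
    print("altered item matches:  ", verify(flip_one_bit(evidence), recorded))
```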

"Deleted" does not mean:
- that the data is gone forever
- that the data cannot be recovered
- that law enforcement agencies cannot find the data and use it against your client
How about formatting the hard drive/cellphone? NO. That is the equivalent of burning the whole card catalog, but all the books are still on the shelves.
MSPD surpluses computers: DoD standard, KillDisk

Peer to Peer Networks (P2P)
- Network built and sustained by the resources of each participant (peer)
- Peers act as both client and server
- Examples: Ares, Kazaa, BearShare, LimeWire, Napster, Gnutella, BitTorrent, eDonkey, uTorrent

How do law enforcement agencies locate pictures/videos?
- Cyber Crime Taskforce
- CyberTip from other countries
- P2P networks
- Commonly used words
- Hash values
- Email provider
- Social media
Individual IP address identified:
- IP address lookup (American Registry for Internet Numbers)
- Subpoena ISP for details: name, address, account details, other activities
- Search warrant

Some questions:
- Why this type of extraction?
- CP: how many adult porn files were found?
- Where is the forensic report?
- Where is the tip report?
- ALWAYS REVIEW EVIDENCE!
- Was a write-blocker used?
- Was the device password protected?
- Who is the user of the device?
- Who has access to it?
- Other devices that did not reveal useful data to charge the defendant?
- What is the timezone in the forensic report? (2018: March 11 – Nov 4; 2019: March 10 – Nov 3)
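The CDR plotting and the timezone question above, as an added example that is not part of the presentation: the dates on the slide are the US daylight-saving transitions for 2018 and 2019, and if the carrier's spreadsheet gives UTC timestamps, a fixed-offset conversion places events an hour off around those dates. Central Time (MSPD is in Missouri), the CSV column names and the tower coordinates are assumptions; the rows are constructed.

```python
import csv
import io
from datetime import date, datetime, timedelta, timezone

# Central Time is assumed because MSPD is in Missouri (an assumption, not stated on the slides).
CST = timezone(timedelta(hours=-6), "CST")
CDT = timezone(timedelta(hours=-5), "CDT")


def nth_sunday(year: int, month: int, n: int) -> date:
    """Return the n-th Sunday of a month (weekday(): Monday=0 ... Sunday=6)."""
    first = date(year, month, 1)
    return first + timedelta(days=(6 - first.weekday()) % 7 + 7 * (n - 1))


def dst_window(year: int) -> tuple:
    """US DST window (second Sunday in March to first Sunday in November); matches the slide's 2018/2019 dates."""
    return nth_sunday(year, 3, 2), nth_sunday(year, 11, 1)


def utc_to_central(utc_dt: datetime) -> datetime:
    """Convert an aware UTC datetime to Central time, switching to CDT between
    02:00 CST (08:00 UTC) on the start date and 02:00 CDT (07:00 UTC) on the end date."""
    start, end = dst_window(utc_dt.year)
    start_utc = datetime(start.year, start.month, start.day, 8, tzinfo=timezone.utc)
    end_utc = datetime(end.year, end.month, end.day, 7, tzinfo=timezone.utc)
    return utc_dt.astimezone(CDT if start_utc <= utc_dt < end_utc else CST)


# Constructed CDR rows in a typical carrier layout: UTC start time, duration, serving-tower coordinates.
# The timestamps straddle the 2018 DST transitions, where a fixed-offset conversion would be an hour off.
SAMPLE_CDR_CSV = """start_utc,duration_s,cell_lat,cell_lon
2018-03-11 07:30:00,120,38.9517,-92.3341
2018-03-11 08:30:00,45,38.9517,-92.3341
2018-11-04 06:59:00,30,38.9400,-92.3300
"""


def plot_points(cdr_csv: str) -> list:
    """Parse CDR rows into map points whose timestamp is expressed in local Central time."""
    points = []
    for row in csv.DictReader(io.StringIO(cdr_csv)):
        utc_dt = datetime.strptime(row["start_utc"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        points.append({
            "local_time": utc_to_central(utc_dt).strftime("%Y-%m-%d %H:%M %Z"),
            "lat": float(row["cell_lat"]),
            "lon": float(row["cell_lon"]),
        })
    return points
```

Calling plot_points(SAMPLE_CDR_CSV) yields the three rows in local time, with the 07:30 UTC record still in CST and the 08:30 UTC record already in CDT.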

Child porn digital and non-digital evidence can NOT be on the MSPD system – Statutes 573038 and 2252A. If found, discuss it with Ellen Blau and keep me updated.
Media could be, but is not limited to: CD/DVD, flash drive, hard drive, cellphone, hard copy and any other type of media.

Requests – action items:
- NO child pornography
- Fill in the Chain of Custody form
- PIN/Password
- Time frame
- Charger/cables
- Power off device (cellphone)
- CONFIDENTIAL SHIELD (cellphone): Yazen Aswad, Attorney, UPS tracking number

QUESTIONS?
Tel: 1-573-777-9977 Ext 286
Email: yazen.aswad@mspd.mo.gov
Mailing address: Office of State Public Defender, 1000 W Nifong, Building 7, Suite 100, Columbia MO 65203
