HTCIA: A retrospective journey

October 4, 2011

Today’s post is a guest article written by one of our longest term members, Fred Cotton of our Northern California chapter. This year has marked 25 years since our organization was founded, and we appreciate the opportunity to learn about how we got to where we are — especially given our strategic plan for coming years. Thank you, Fred, for taking the time to write out your perspective!

The High Technology Crime Investigation Association has grown into the largest association of its kind in the world and it has been my honor and privilege to be a member of this organization since it was a single chapter located in Los Angeles, CA.

At that time (around 1988) it was an organization comprising law enforcement, prosecutors and corporate security personnel from high-technology firms fighting the rising tide of component theft across California. I was the Director of Training for SEARCH, the National Consortium for Justice Information and Statistics in Sacramento, CA and was developing a training course for law enforcement on computer crimes investigation. The members of the HTCIA were the ones on the front line of the battle against technology crimes in California. They graciously shared their experiences, techniques, successes and failures with me and helped shape the curriculum which grew to encompass the entire nation and many countries around the globe.

Early HTCIA members like John C. Smith, Jim Black, Abigail Abraham, Ken Citarella, Walker Lane, Joe Chiramonte, and Don Ingraham, to name just a few, gave of their time and experience to help develop training and technical assistance for investigators from across the nation. This in turn helped them fight the ever-increasing plethora of technology crimes.

It soon became apparent that this type of organization was a success and more investigators, prosecutors and corporate security personnel joined the team. The Los Angeles chapter grew and in 1989 the Silicon Valley Chapter was formed. The Northern California chapter followed the next year and soon chapters were being formed across the nation as word spread about the benefits of this cooperative model.

During the ensuing years, most of the investigators and investigation teams who successfully broke the most famous and complex cases of the day were proud members of the HTCIA. They developed innovative investigative and prosecutorial techniques as well as influenced the manufacturers of utility software to pursue the development of specialized tools for computer forensics. Their suggestions and requests helped shape the forensic software we all take for granted today.

As the technology advanced, the job of the individual HTCIA members became more complex and required more sophisticated training and more advanced software. It also became apparent that no single agency, no matter how large, was able to take the problem on alone. The cooperation and teamwork displayed between HTCIA members helped solve hundreds if not thousands of cases around the world.

Our corporate partners stepped up and helped our members learn about the new technologies being used in criminal enterprises and how attacks were being perpetrated against corporate enterprise systems. Our law enforcement partners worked tirelessly to investigate the facts of these cases and combine forensic science and computer science to recover critical evidence from deep within computers and networks. Our prosecutors fought to change antiquated laws, to counter defense arguments against computer evidence, and to see that justice was served. Our training organizations developed curriculum based on these success stories and brought up a whole new generation of members who proudly carry on the traditions of the HTCIA organization. Our software partners continue to develop software tools which are critical to the collection and preservation of computer evidence.

Today, the organization is global and boasts a membership in the thousands. Our members constitute the core of professionals who struggle daily with the ever-increasing tide of computer fraud and abuse. Cell phones and PDAs have been added to the already complex mix of communications technologies, spawning new and innovative investigative protocols and techniques. This knowledge is shared among our members through chapter meetings and training conferences. As a result, HTCIA members continue to impact the safety and security of our nations.

Our creed has spread around the industrialized world and we have set the standard for cooperation and success. I am confident that the organization will continue to grow and stand at the forefront of technology crimes investigation for many years to come. Personally, it has been a wonderful experience to be a small part of it. The highest professional honor I have ever received has been the receipt of the first “Lifetime Achievement Award” from my peers at the HTCIA. I look forward to my continued participation in the HTCIA and the benefit I receive through association with the talented professionals who make up its membership.

Image: Jon Kristian via Flickr


Learning about solid state drives: 2 perspectives

July 6, 2011

In Indian Wells come September, our Cyber Investigations/Forensics lecture track will feature two presentations on the next major trend in data storage: solid state drives, which are much more like memory than they are like conventional hard drives, and therefore much more volatile for forensic examiners.

On Monday, Sept. 12, James Wiebe of CRU-DataPort/WiebeTech (Bronze sponsor of the conference along with the 1st annual HTCIA Golf Classic) will present “Solid State Storage for Forensic Investigators.” The following day, Scott Moulton of My Hard Drive Died, LLC will present “Solid State Drives & How They Work for Data Recovery & Forensics.” We talked a little with James and Scott about their presentations and what examiners can expect:

HTCIA: How is a SSD physically different from a hard drive, and what does this mean for forensics?

JW: SSD uses silicon chips (integrated circuits) and is neither organized nor erased like conventional rotating media. As a result, investigators have new challenges in obtaining information (evidence) from SSDs.

SM: The main difference between a USB thumbdrive and a Solid State Disk (actually they are both Solid State Disks, but the term has lost some of its meaning, like “Gateway” and “Router” have) is that a thumbdrive is a host-based device, meaning that it uses your CPU, where a SSD has its own processor.

There are many smaller differences, such as where the responsibility lies for doing management functions. The SSD drive is responsible for processing this data with only power applied, and since it has a processor it can; a USB thumbdrive, however, can’t, because it requires your host processor to accomplish the task. For forensics, this has a great impact on how data is handled, because the SSD can start running software routines on the data when only power is applied.

HTCIA to JW: What is the advantage of a SSD over conventional platters? What are the disadvantages?

JW: SSD advantages include fast start, because the drive doesn’t have to spin up, and fast random access, because there is no physical search across the drive. Parallel reads and writes are possible. There are no moving parts, so it’s silent and doesn’t consume as much power. SSDs have immunity from both shock and magnetics, and they are much smaller than conventional hard drives.

Disadvantages are more complicated. The cells have a limited lifetime, so special file systems or firmware designs can mitigate this problem by spreading writes over the entire device, called wear leveling. However, this process introduces its own issues. Wear leveling on flash SSD has encryption implications, and causes fragmentation; defragmentation is harmful because it causes additional use of the drive, wearing it out with no benefit. And for forensic exams, wear leveled sectors are outside of accessible space.

Aside from issues with wear leveling, secure wipe is difficult or impossible on flash SSD. SSDs present significant asymmetric read and write performance. SATA SSDs have write slowness amplification, because of large block sizes. Extra commands (e.g. TRIM) require additional OS overhead for best support. And SSDs are expensive.

HTCIA: Mobile forensic examiners are using “chip off” techniques to recover data from NAND solid state memory. Will this technique become common as more SSDs are adopted for PCs as well?

JW: Probably!

SM: Removing NAND chips to recover the data, I believe, will become much more complex as we continue forward. I am already seeing a large number of chips starting to use encryption to store the data on the NAND.

It is more likely in the future that we will “convince” certain companies to add diagnostic functions to allow us to read raw data. Currently, since SSDs are in their infancy, we are running into a lot of “intellectual property” issues, which might diminish over time as several companies become the winners in the industry. [At that point] they will improve their techniques, allowing better results for higher end devices, giving access to the raw data.

[At this time] none of this is really possible, but I am doubtful we will be able to continue using the RAW read techniques in the future we are using now [owing to the wear leveling process described above].

I also think it is more likely that cell phones will start using more of the SSD technology.

HTCIA: What do you project as being the timeframe for widespread adoption?

JW: I expect to see SSDs in widespread use in almost all portable computing products within the next 18 months.

SM: I think that SSDs will take over all mobile platforms over the next two years. I think that desktops and servers will remain mostly the way they are, with little change in the direction of SSD. It makes sense that SSDs will move more towards complete laptop domination, just due to their resilience to the movement that often damages laptop drives.

HTCIA: What is the best way for forensic examiners to prepare for these eventualities?

JW: Why, by attending my lecture, of course! 🙂 One big theme is that forensic examiners need to have the understanding that SSDs are far more easily erased than rotating media: Plan on acquisition quickly.

SM: My data recovery class is a great way for forensic examiners to prepare, but in addition to that I think that forensic teams will need to focus more on electronics and soldering techniques for future repairs and data collection. It is becoming very common to have to solder or desolder devices in order to repair or collect data from these devices.

HTCIA to SM: Your perspective is as a data recovery expert. Will computer forensic examiners need to take more of a “recovery” approach to data than “forensic,” as they do with mobile devices? Will this mean challenges to describe their methodology in court?

SM: I think that a forensic examiner can be greatly enhanced by understanding the media, not only for acquiring the data, but for explaining it in court. I hear a number of times how much they think they know about the media, and often they are surprised when I start talking about items such as firmware and bad block tables and how they work. These devices are completely misunderstood.

A second important fact is that most forensics begins with good data; however, without getting any data you have no case at all. Being able to acquire that data is extremely important or you are limiting your job in the future.

One example I can state is about all those forensic imaging software packages. FTK Imager or EnCase will pad bad blocks with 0s, but in data recovery we can often acquire some — if not all — of the content from a bad sector. Instead of having 0s, we will get a more accurate image than forensic packages do.

It is very important to understand what a long read is, or what [error correction codes] do to the sector in order to get and use that data, but our result is much better than the current forensic tools that acquire images. Not understanding data recovery and relying on forensic only means puts forensic investigators at a distinct disadvantage.

As for the challenges in actual court cases, the truth of the matter is that anything we are describing is very difficult and I find that most of the time much of what we are doing will not be included in a case due to the complexity. Lawyers have often looked at the data, and the investigation components that point to how something occurred, but they will eliminate the items they think are too complex, only using the finest picture they can develop to be less confusing to make their case.

Thanks to both James Wiebe and Scott Moulton for your insights — we look forward to seeing your presentations in Indian Wells this coming September! Readers, to attend these lectures, please register for the conference here: https://www.htciaconference.org/registration.html
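The wear-leveling point James makes (wear-leveled pages sit outside the space a sector-addressed image can reach) and Scott’s point that an SSD runs its own routines with nothing but power applied are easier to see in a toy model. The Python below is an added example written for this page; it is not code from either presenter, from CRU-DataPort/WiebeTech or from My Hard Drive Died. The `ToySSD` class, its four-byte pages, the eight-page flash and the assumption that an unmapped sector reads back as zeros are all constructed for illustration, not a description of any real drive’s firmware.

```python
"""Toy flash translation layer (FTL) showing why a logical image of an
SSD can miss evidence that a raw read of the NAND still holds, and why
the drive's own housekeeping can erase it with nothing but power applied.
Constructed illustration for this page; not any vendor's firmware."""

from dataclasses import dataclass, field

PAGE_SIZE = 4                    # bytes per flash page (tiny, for illustration)
ERASED = b"\xff" * PAGE_SIZE     # NAND reads back as all ones after an erase


@dataclass
class ToySSD:
    physical_pages: int = 8
    flash: list = field(init=False)          # physical page -> bytes
    l2p: dict = field(default_factory=dict)  # logical sector -> physical page
    erase_count: list = field(init=False)    # per-page wear counter

    def __post_init__(self):
        self.flash = [ERASED] * self.physical_pages
        self.erase_count = [0] * self.physical_pages

    def _pick_erased_page(self):
        """Wear leveling: choose the least-worn erased page that is not mapped."""
        mapped = set(self.l2p.values())
        candidates = [p for p in range(self.physical_pages)
                      if p not in mapped and self.flash[p] == ERASED]
        if not candidates:
            raise RuntimeError("no erased pages left; garbage_collect() first")
        return min(candidates, key=lambda p: self.erase_count[p])

    def write(self, sector, data):
        """Out-of-place write: the previous copy stays in its old page as stale data."""
        page = self._pick_erased_page()
        self.flash[page] = data.ljust(PAGE_SIZE, b"\x00")[:PAGE_SIZE]
        self.l2p[sector] = page

    def read(self, sector):
        """Assumption: an unmapped sector reads back as zeros, as many drives do."""
        page = self.l2p.get(sector)
        return self.flash[page] if page is not None else bytes(PAGE_SIZE)

    def trim(self, sector):
        """OS TRIM: the sector is unmapped; its page becomes garbage."""
        self.l2p.pop(sector, None)

    def garbage_collect(self):
        """Erase every stale page. Real firmware does this on its own schedule,
        which is why acquisition has to happen quickly. Returns pages erased."""
        live = set(self.l2p.values())
        erased = 0
        for page in range(self.physical_pages):
            if page not in live and self.flash[page] != ERASED:
                self.flash[page] = ERASED
                self.erase_count[page] += 1
                erased += 1
        return erased

    def logical_image(self, sectors):
        """What a sector-addressed imager sees through the drive's controller."""
        return b"".join(self.read(s) for s in range(sectors))

    def physical_dump(self):
        """What a raw NAND read (chip-off style) sees, including stale pages."""
        return b"".join(self.flash)


def demo():
    """Walk through overwrite, delete + TRIM, and power-on garbage collection."""
    ssd = ToySSD()
    ssd.write(0, b"EVID")     # original content of sector 0
    ssd.write(0, b"NEW!")     # overwritten: "EVID" lingers in a stale page
    ssd.write(1, b"note")     # a second file...
    ssd.trim(1)               # ...deleted, and the OS sends TRIM
    logical = ssd.logical_image(2)
    physical_before = ssd.physical_dump()
    pages_erased = ssd.garbage_collect()   # the drive tidies up on its own
    physical_after = ssd.physical_dump()
    return {
        "evid_in_logical_image": b"EVID" in logical,
        "evid_in_raw_before_gc": b"EVID" in physical_before,
        "note_in_raw_before_gc": b"note" in physical_before,
        "pages_erased_by_gc": pages_erased,
        "evid_in_raw_after_gc": b"EVID" in physical_after,
        "note_in_raw_after_gc": b"note" in physical_after,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the two halves of the interview’s argument in one pass: the overwritten and the TRIMmed content are absent from the logical image but present in the raw dump, and a single garbage-collection pass, which a real controller triggers by itself, removes both from the raw dump as well. The model deliberately leaves out error correction, block-versus-page erase granularity and the encryption Scott mentions, each of which only makes the raw data harder to reach.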

Image: Andres Rueda via Flickr


Call for Speakers: 2011 International Training Conference & Expo

January 7, 2011

In just about eight months, we’ll be gathering at the Renaissance Esmeralda Resort, Indian Wells, CA for our annual International Training Conference & Exposition. As always, the object of our organizing committees is to provide the best possible training on the latest topics in high technology crime, by the best speakers available. To this end we are looking for speakers for the conference in the following areas (not an exhaustive list):

  • Cloud computing
  • Mac Forensics
  • Memory acquisition and analysis
  • Live Forensics
  • Cell phone Forensics
  • Windows 7 Forensics
  • Imaging
  • File structures
  • Your latest successes
  • Social Networking
  • E-Mail analysis
  • E-Discovery
  • Legal issues
  • Lock picking
  • GPS analysis
  • Artifacts of any kind
  • Linux Forensic tools
  • Linux System Analysis
  • Tape Forensics
  • Photo Forensics
  • Printer Forensics
  • Accounting packages
  • SQL Analysis
  • Network and TCP/IP
  • Social Networks for Law Enforcement (Twitter, MySpace, Facebook)
  • Managing Incident Response/Investigations
  • Vehicle Black Box forensics
  • Emerging Laws re: eDiscovery-ESI
  • eDiscovery – new legal issues/ Working with Attorneys
  • Advanced Issues of Email & Web Mail
  • Collecting internet evidence
  • Investigation of social web sites (MySpace, Facebook, Twitter, etc.)
  • Managing Investigations – criminal and civil
  • Network Device Forensics (log files from network devices such as routers)
  • Court Room Testimony techniques
  • Financial Crimes – Tax Evasion & Money laundering
  • International Trends – Situations – experience
  • White Collar & Corporate Investigations
  • Legal Issues – Civil & Criminal
  • Legal Mock Trial
  • Memory – court decisions
  • Human Resources Department Internal Investigations
  • Case Studies – criminal investigations (breaches, identity theft)
  • Case Studies – civil
  • Report Writing for Forensic Examiners
  • Report Writing for Investigations

If you would like to lecture on any of the above topics, or have one of your own, please contact Program Chair Jimmy Garcia at jrgarcia@da.lacounty.gov.


Bronze Sponsor Passware: Tools Every Digital Forensic Examiner Needs

August 5, 2010

At some point, every forensic examiner will encounter a password-protected file or computer system, or even an encrypted drive. That’s where Passware comes in. With tools that reduce time associated with password recovery, decrypt hard disks and files, and now even acquire memory images, Passware has developed must-have software for those involved with high-tech crime investigation.

Nataly Koukoushkina, Passware’s marketing manager, talked a little with us about her company’s sponsorship of our conference, the latest version of Passware Kit Forensic, and what you can expect when you visit her booth in September:

HTCIA: How long has Passware sponsored the HTCIA Conference? Why opt to sponsor rather than simply exhibit?

NK: We’ve been sponsoring since 2008. Certainly, by sponsoring we get better “brand visibility”, but the main point is that we share the HTCIA values, and we are happy to provide support for HTCIA members (discounts, free consultations, etc.).

HTCIA: Tell us about the new product features and benefits. Will conference attendees get to see a demo at your booth?

NK: Passware Kit Forensic is an all-in-one password recovery and encrypted evidence discovery software. The latest version recovers passwords for RAR and TrueCrypt in record time, thanks to GPU and TACC acceleration, and it also decrypts BitLocker To Go. More information can be found on our website.

At our booth we’ll be demonstrating all the new product features and will be happy to show the software in action. All attendees will get product brochures and CDs with an evaluation version. As usual, this free CD will also include a fully-functional version of one of our products.

HTCIA: Any other specials you will be running at your booth?

NK: We will be offering a special discount for all HTCIA attendees. And a prize drawing, by tradition 😉

HTCIA: In general, the customer stories on your website don’t include investigators. Without naming names, what do you hear from law enforcement and corporate investigators who use the software?

NK: There are some stories, but it is usually difficult to get those published. Here’s one of the stories that was published, though [CNet: Child porn defendant locked up after ZIP file encryption broken]. The child pornography case was resolved using our password recovery software, Zip Key.

HTCIA: As the person who works the booth, what are your favorite aspects of a conference? What do you like to see from the people who stop by to visit?

NK: My favorite aspect of the conference is to communicate with our customers and with the “target audience” in general face to face. It’s always interesting to know what computer forensics need, and how our company meets their expectations. I’m happy to see their excitement when we demonstrate our software at the booth.

There are so many interesting people at the show! For example, at the last HTCIA show I met one computer forensic guy and it turned out that we had been exchanging emails about technical support several years ago. He remembered my name 🙂 And I was pleased to meet him personally!

Questions for Nataly? Please let us know in comments!


What’s happening on the HTCIA listserv?

April 15, 2010

From time to time, we plan to publish information here regarding topics on our listserv. Although we can’t give you the details about who said what and when (we figure we should abide by the same rules we make the members go by), we do want to be a bit less mysterious about what you’ll find there.

Here are five topics we’ve been seeing in the last week or so:

  • Best practices for getting at evidence through low level access to USB devices.
  • Imaging an Apple iPhone so the evidence can be used in court.
  • Viewing disk clusters.
  • Successful forensic methods for detecting Motorola i465 SMS (text) messages.
  • The hottest and best computer forensic tools and equipment.

To join the listserv, log in on the HTCIA Members’ page!