Teleconference Notes 2/25/04 3:30pm - 5:00pm w/ Det. Brian Palmer of King Co. Sheriff's Office in MRCI Conference Room regarding Forensic Procedures

This is not a transcript, but a detailed recollection from notes taken during the teleconference.

Q: How does an investigation get started?
A: Investigations begin in a number of ways. One can be a direct complaint from citizens, or a request from a detective from another unit, or a request for assistance from another source entirely, such as the National Center for Missing and Exploited Children.

Q: How many investigations does your dept. do a week?
A: About 1 a week. There are 3 examiners in our department, which is a lot compared to other departments which have no forensic examiners, but there are some departments which have many, depending on the work they do.

Q: Do you usually go to the scene to collect evidence, or is the evidence brought to you for examination and analysis?
A: Our preference is to go to the scene because we can better establish the chain of custody. Also, we want to be able to collect everything at the scene: computers, monitors, keyboards, and all software, commercial or private. We have to be able to show that the media contains evidence, and the suspect had access to it. We must also show that the machine was capable of the alleged incident, including looking at modems and software.

Q: Do you use checklists/formal procedures when you collect the evidence?
A: Yes, but the problem with checklists is that they preclude you from thinking on your feet. But there are procedures that need to happen, goals we're trying to accomplish.

Q: What are the things that need to happen before you go to the scene?
A: Firstly, make sure the search warrant covers digital evidence. Next, find out as much about the case/crime as possible so that evidence doesn't get ruined. An example of this would be a child rape case where you would want to make sure that any evidence on a keyboard/mouse, such as body fluids, is not contaminated. Then determine what type of evidence to collect.

Q: What are the first steps when you arrive at a scene?
A: First and foremost is officer safety: make sure that any suspects have been located and secured. Second, make sure evidence is safe, that no suspects are going to threaten it with fire/gunshot, etc. Then work your way to the computer area; we are usually the last ones in to a scene. Then, make sure that no wipe program is running. We can see this by looking at the screen, looking at HD lights and listening for HD sounds to detect any serious HD activity. Then disconnect any network that may be connected. It's important to do as little examination on scene as possible, but the most important evidence is sometimes what is on the screen.

Q: What are the steps to take control of the machine?
A: If it's a Windows machine, just remove the power cord; that is standard procedure taught by most courses. First, document what is on the screen, what's around the computer, what applications are open, what's on the task bar: take pictures, and make sketches. If it's a server, it is probably backed up. If the suspect is the system administrator, it is a different investigation. Normally, we need to solicit the system admin for help, find out if the information is on the server or is stored on client machines, reset the suspect's password, then get the logs from the administrator. If the machine is Linux: if the machine is not doing anything relevant to the investigation, just pull the plug; if the machine is doing something that is related, do a regular shutdown. Make sure you document any 'footprints' that you may leave, such as the time of the shutdown, so that when the logs show another event, you can testify that it was your team which caused it and that it was documented.

Q: What if the user is computer savvy and might have put something in the machine, such as encryption or a format program?
A: We can get some witness to say that they saw them do the illegal activity, or we can get a witness to cooperate and tell us what they know is on the machine and how to get to it. Otherwise, we can get the data from the machine via USB or Firewire.

Q: Do you need a warrant to install or use spy software?
A: It's determined by the person's privacy expectation. If they are using a public terminal, then no, but if it is their private machine then they can expect that no officer will inspect their machine. If the person is on the internet, then Title 3 applies because you are intercepting telephone communications.

Q: Does the 5th Amendment apply to giving a password to unencrypt files?
A: There is no obligation on the part of the suspect to give the password on their personal machine, but we can use corroborating witnesses and their passwords if they have access.

Q: What are your steps after you take custody of the machine?
A: First, we package everything and mark it as evidence. Second, we transport it securely to a place where it can be stored until analysis. We store the evidence to keep it away from the elements, radio waves, magnetics, etc.

Q: How do you proceed with your forensic analysis?
A: First, everything that is not digital evidence, such as the computer case, keyboard/mouse, goes to the crime lab. Second, image all recordable media onto forensically sterile media. Then, use a tool to analyze, but never use just one tool. We use EnCase primarily. But we also use the Forensic Toolkit from www.accessdata.com. The problem with Windows is that when you mount it, it wants to examine everything, and goes to touch all the media connected.

Q: How do you split up work between the 3 examiners in your office? Do you mount everything on a network and everybody works on it?
A: We use our own workstations, and we don't usually split up a case unless it's unusually large; it's usually one investigation per examiner.

Q: What do you think of EnCase? What do you think are its largest weaknesses?
A: It works on almost all filesystems, but its limitation is that a lot of people use it as a push-button forensics tool while not understanding the actual operation of the computer. The problem with that is that you have to know, so that you can testify that the data EnCase finds is actually there. If you understand the DOS filesystem, it gets you far.

Q: When you search for files, do those searches need to conform to the warrant?
A: You can search anywhere that might contain the data, but you can only look where the common person would hide the evidence, and it must be specific and must deal with the crime.

Q: What are the usual types of people you are investigating?
A: Normally, they are novices or people who think that they know a lot more than they do, such as forgetting to overwrite the swap file. We find a lot of information in the swap files.

Q: What types of cases are the most difficult to investigate?
A: All cases are about equally difficult when it comes down to forensic analysis; however, the most difficult cases involve online auctions because of the sheer number of IP addresses involved, and because a search warrant is required for each. Another difficult one is white collar crime, and searching for relevant data. The absolute hardest is when we have no idea what we're looking for, or there is a very large amount of data to analyze. Some of the most difficult involve online auctions when suspects use public terminals. But, all the time, you must prove that the crime occurred when the suspect was sitting at the computer.

Q: What are the common mistakes when collecting evidence?
A: The most common mistake is people overlooking what is evidence. People forget to collect diskettes in drawers, cellphones, PDAs, and compact flash cards. Another thing is when people ignore procedures and start looking at evidence, like looking through files at the scene.

Q: How difficult is it to get digital evidence thrown out?
A: It's actually difficult to get evidence thrown out if documentation was kept. But, some reasons for it would be if the warrant was not specific enough to include computers. Generally, defense attorneys usually attack our procedures, methodology, and training.