Airline boarding passes are full of personal data that you might not want total strangers to know. Many travelers simply toss their used boarding passes in the trash, or leave them in the pocket of the seat in front of them when they fly, unaware that the information stored in their boarding pass barcode could leave them open to identity theft. While some airlines, like Southwest, scramble the information on the barcode, others, like United, currently do not.

Recently, Kivu was asked by KPIX-TV in San Francisco to help research the type of information that a data thief could glean from a typical commercial airline boarding pass. Kivu was provided with three sample boarding passes. The specific information available from each boarding pass barcode depended on the airline. Kivu looked at barcodes for three major airlines – United Airlines, Southwest Airlines, and Virgin America. Here’s what we uncovered.

What’s on the Barcode?

Barcodes are technically easy to decipher. With a good scanner app, information that is not available in plain text on a boarding pass can be uncovered. There are several different types of barcodes that one can find on a variety of items. Boarding pass barcodes are encoded as PDF417 barcodes. This barcode type contains multiple modes to represent text, numeric, and binary data.

If a customer purchases a flight using a Frequent Flier account or with Frequent Flier miles (depending on the airline), their personal frequent flyer information is displayed when the barcode is scanned. If the customer did not purchase or reserve the flight using Frequent Flier miles, that information is not available by scanning the barcode.

For example, with her permission we decoded the QR Code and identified the Frequent Flyer number used by a recent traveler on United Airlines. With this information, we were able to log on to the passenger’s United Airlines account. We then knew her address, personal email, and telephone number. Going further, we knew when her next flights were scheduled and had the option to cancel them or change her seat. We also knew her date of birth, middle name, and the username for her account. Lastly, we could access her Miles Rewards and have them transferred to our own personal account in the form of cash.

All of this easily available information leaves travelers open for further data hacks. If we wanted to try to get into her personal bank account, this information would have provided a great start.

Less data is available if a passenger is not using a Frequent Flyer number. Still, a data thief could learn from a boarding pass barcode the passenger’s name, where they flew, the date and the airline.
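To make the two cases above concrete, here is an added example (editor-written, not Kivu's tooling) that parses the text a PDF417 boarding pass barcode carries (the IATA BCBP format) and reports which personal data the pass hands to anyone who scans it. The field widths follow the IATA BCBP implementation guide as recalled here and are an assumption; only the first flight leg is parsed, and the carrier "XX", passenger and frequent flyer number in the second sample are constructed.

```python
"""Parse an IATA BCBP payload (the text inside a boarding-pass PDF417 barcode)
and report which personal data it exposes.  Field widths are assumed from the
IATA BCBP implementation guide; only the first leg is decoded."""
from datetime import date, timedelta

# Mandatory block, after the 2-char prefix (format code 'M' + number of legs).
MANDATORY = [
    ("passenger_name", 20), ("eticket_indicator", 1), ("pnr", 7),
    ("from_city", 3), ("to_city", 3), ("carrier", 3), ("flight_number", 5),
    ("julian_date", 3), ("compartment", 1), ("seat", 4), ("checkin_seq", 5),
    ("passenger_status", 1), ("conditional_size_hex", 2),
]
# Per-leg "repeated" conditional block: this is where the frequent flyer
# fields live when an airline chooses to populate them (assumed layout).
REPEATED = [
    ("airline_numeric_code", 3), ("document_serial", 10), ("selectee", 1),
    ("intl_doc_verification", 1), ("marketing_carrier", 3), ("ff_airline", 3),
    ("ff_number", 16), ("id_ad_indicator", 1), ("free_baggage", 3), ("fast_track", 1),
]


def _fixed(buf, layout):
    """Slice fixed-width fields; a short buffer yields only the fields that fit."""
    out, pos = {}, 0
    for name, width in layout:
        if pos + width > len(buf):
            break
        out[name] = buf[pos:pos + width].strip()
        pos += width
    return out, pos


def _hex(s):
    try:
        return int(s, 16)
    except ValueError:
        return 0


def parse_bcbp(payload):
    """Return the first leg's fields; ff_airline/ff_number are '' when not populated."""
    if len(payload) < 2 or payload[0] != "M" or not payload[1].isdigit():
        raise ValueError("not a BCBP payload: expected format code 'M' and a leg count")
    fields, used = _fixed(payload[2:], MANDATORY)
    fields["legs"] = int(payload[1])
    fields.setdefault("ff_airline", "")
    fields.setdefault("ff_number", "")
    cond_len = _hex(fields.pop("conditional_size_hex", ""))
    cond = payload[2 + used: 2 + used + cond_len]
    if cond.startswith(">") and len(cond) >= 4:
        pos = 2                                  # skip '>' and the version digit
        pos += 2 + _hex(cond[pos:pos + 2])       # skip the "unique" block by its declared size
        rep_len = _hex(cond[pos:pos + 2])
        rep, _ = _fixed(cond[pos + 2: pos + 2 + rep_len], REPEATED)
        fields.update({k: rep.get(k, "") for k in ("ff_airline", "ff_number")})
        fields["airline_use"] = cond[pos + 2 + rep_len:]
    return fields


def flight_date(fields, year):
    """BCBP stores only the day of the year; the year comes from context."""
    return date(year, 1, 1) + timedelta(days=int(fields["julian_date"]) - 1)


def exposed_fields(fields):
    """What a stranger learns from a discarded pass, in the article's terms."""
    exposed = ["passenger name", "route, carrier and day of flight", "booking reference (PNR)"]
    if fields.get("ff_number"):
        exposed.append("frequent flyer number (links the pass to the loyalty account)")
    return exposed


# The IATA guide's published one-leg example: no conditional data at all.
SAMPLE_PLAIN = ("M1" + "DESMARAIS/LUC".ljust(20) + "E" + "AB12C3".ljust(7)
                + "YUL" + "FRA" + "AC".ljust(3) + "0834".ljust(5) + "326"
                + "J" + "001A" + "0025".ljust(5) + "1" + "00")


def _sample_with_ff(ff_number):
    """Constructed pass for the fictitious carrier 'XX' whose conditional block
    carries a frequent flyer number, the case the article describes."""
    mandatory = ("M1" + "DOE/JANE".ljust(20) + "E" + "ABC123".ljust(7) + "SFO" + "DEN"
                 + "XX".ljust(3) + "0123".ljust(5) + "100" + "Y" + "012C"
                 + "0042".ljust(5) + "3")
    unique = "0" + "W" + "W" + "6225" + "B" + "XX".ljust(3)      # skipped by the parser
    repeated = ("014" + "1234567890" + "0" + " " + "XX".ljust(3) + "XX".ljust(3)
                + ff_number.ljust(16) + " " + "1PC" + "N")
    conditional = f">5{len(unique):02X}{unique}{len(repeated):02X}{repeated}"
    return mandatory + f"{len(conditional):02X}" + conditional


SAMPLE_FF = _sample_with_ff("XX0000123456")

if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN, SAMPLE_FF):
        f = parse_bcbp(sample)
        print(f["passenger_name"], f["from_city"], f["to_city"], exposed_fields(f))
```

An airline can run the same check against its own boarding pass output to confirm the frequent flyer field is left blank, which is the "scrambled" behaviour the article credits to Southwest.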

For airline passengers, this should be a wakeup call. One solution to this problem is to keep your boarding pass on your phone rather than print a copy.

Kivu’s forensic investigators are experienced in protecting organizations against compromise of data, theft of trade secrets and unauthorized access to data. Author, Katherine Delude, is a Digital Forensic Analyst at Kivu Consulting in San Francisco, California. For more information, please contact Kivu.

Data quality is not a glamorous subject. It is not the type of topic that headlines a conference or becomes front-page news. It is more typically suited to help guides and reference manuals that few individuals relish reading. However, organizations that acknowledge the importance of data quality and have strong data quality programs significantly reduce privacy and security risks. They also lower the potential costs associated with data breaches, the legal risks, and the potential size of business interruptions.

Data quality issues start when information is created. This includes incorrect information, data entry errors, and inaccurate document conversion such as conversion of text contained within image files (e.g., a screen shot from a patient management system). Data quality issues also arise as data is being processed, transferred or stored.

1. Build a foundation of knowledge and fluency about data.

“Understanding data” means moving deeper than simply understanding that a database stores records or that a file contains information. Knowledge of data means taking the time to understand that data exists in different layers and structures and can be readily transformed. Additionally, data can be defined as discrete elements (e.g., a data element that stores date/time information) that have assigned roles and restrictions. Investment in the language of data can improve control over data and enable better decisions on information security and privacy.

2. Don’t leave data design and quality decisions to the development team or an IT group.

This could place data at significant risk, including possible loss, misuse and insecurity. Development teams are often provided with a high-level requirement such as “design a secure form to collect user data”. While this directive may appear clear, privacy and security risks reside in its implementation. To achieve better security and privacy, more attention must be directed to clarifying how the form collects, transmits and stores data. Further validations should be provided so that data is corrected before it is stored.

3. Articulate security and privacy concepts in terms that help developers integrate better security.

Regulations and policies concerning privacy and information security often address data from a systems perspective. Terms such as “protect the perimeter” articulate protection of a network and the systems and data within the network. “Protect the perimeter” does not clearly translate design into a more secure system.

Developers and analysts work with data in the context of business and user requirements. Developers also work under tight budget constraints and significant systems complexity where one requirement may consist of several steps. As security and privacy requirements continue to mature, understanding the needs and workflow of developers will facilitate better “baked in” security and privacy.

4. Extend security and privacy requirements to how data is created, changed, stored, transmitted and deleted.

Security requirements typically speak at a high level and leave a substantial gap in clarity with respect to data. As an example, a business may have a requirement where social security numbers (SSNs) are encrypted at rest. At the same time, the company may display SSNs in a web application where the SSNs are partially hidden by form design but otherwise are present and unprotected.

5. Embed security analysis into the QA process.

Security testing is often the purview of InfoSec groups and external consultants who evaluate software that exists in an operations environment (also referred to as DevOps or Production). This includes the use of tools and the knowledge to locate and remediate vulnerabilities. The pitfall with this approach to security testing is that vulnerabilities are not identified before software is released. Using tools such as Seeker (which analyzes software for vulnerabilities during the QA process) can improve overall application security by reducing the number of possible vulnerabilities in software design.

CASE: Data at Risk (by Design)

Organizations are at increased risk of security incidents due to undefined or poorly specified software requirements. One such example is inadequate articulation of secure password storage. Poor design begins when developers or an IT group receive a directive to secure user passwords. However, securing passwords can mean many things, including:

  • Storing clear text passwords in a secure database.
  • Using well-known mathematical formulae to convert passwords into what are called hash values.
  • Storing software code or algorithms to secure passwords in the same data file or directory as the password data.
  • Storing password hints with passwords.
  • Forgetting to secure the folders where data is stored (which leaves the door open to the risk of exfiltration).
  • Not requiring strong password rules for the creation of passwords.
  • Not validating passwords prior to storing passwords.
  • Leaving administrative passwords in the same location as customer data.
  • Creating a backdoor for developers as an easy means to administrate or perform corrections.
  • Not requiring or allowing time for developers who wrote the code for securing passwords to create documentation that explains the code.
  • Leaving design implementation to a developer who may not be available or reachable after code implementation.
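As an added example (editor-written, not part of the case study), here is the weak design the list warns about beside a hardened one: clear text plus a hint on one side; policy validation before storage, a salted slow hash in a self-describing record, no hint and a constant-time comparison on the other. The policy constants, the common-password list and the in-memory stores are assumptions standing in for a real database with restricted permissions.

```python
"""Password storage: the weak design from the case study beside a hardened one.
Stores are in-memory dicts so the block runs offline."""
import hashlib
import hmac
import secrets

# Assumed policy constants; tune PBKDF2_ROUNDS so one hash costs ~100 ms on your hardware.
PBKDF2_ROUNDS = 200_000
MIN_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1234", "letmein12345", "qwerty123456"}  # constructed


class ClearTextStore:
    """Items 1 and 4 of the list: anyone who can read the store reads every password."""

    def __init__(self):
        self.rows = {}

    def register(self, user, password, hint):
        self.rows[user] = {"password": password, "hint": hint}

    def verify(self, user, password):
        return self.rows.get(user, {}).get("password") == password


def validate_policy(user, password):
    """Items 6 and 7: enforce rules and validate before anything is stored."""
    if len(password) < MIN_LENGTH:
        raise ValueError(f"password must be at least {MIN_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        raise ValueError("password is on the blocked common-password list")
    if user.lower() in password.lower():
        raise ValueError("password must not contain the username")


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Item 2: salted, deliberately slow hash.  The record carries algorithm, rounds
    and salt, so verification needs no secret code or config kept beside the data."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    algo, rounds, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


class HashedStore:
    """No clear text and no hint: only the self-describing hash record is kept."""

    def __init__(self):
        self.rows = {}
        # Dummy record so a lookup of an unknown user costs the same as a real check
        # and response time does not reveal which usernames exist.
        self._dummy = hash_password("dummy-record-for-timing")

    def register(self, user, password):
        validate_policy(user, password)
        self.rows[user] = {"password_hash": hash_password(password)}

    def verify(self, user, password):
        row = self.rows.get(user)
        record = row["password_hash"] if row else self._dummy
        return verify_password(password, record) and row is not None


if __name__ == "__main__":
    store = HashedStore()
    store.register("alice", "correct horse battery staple")
    print(store.rows["alice"]["password_hash"])
    print(store.verify("alice", "correct horse battery staple"))
```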

Accountability for data design, use and quality should exist across an organization. With less of a technical divide, organizations can improve the conversation on how to better protect data with the appropriate use of security to balance risk and cost. Attention to detail at the bottom (the data level) may also deliver secondary benefits such as cleaner customer data, reduction in time to resolve customer issues, or better disaster recovery.

Hidden Identity Dangers On Your Discarded Boarding Passes

SAN FRANCISCO (KPIX) — Next time you fly here’s some advice: be careful about what you do with your boarding pass.

Obtaining a boarding pass is usually the first order of business when you get to the airport to catch a flight. But once you go through the gate, your boarding pass is often the last thing on your mind.

“If it’s a paper pass, I normally leave it in the bin in the back of the seat in front of me. Or it ends up in my pockets, in the wash — nowhere secure, that’s for sure!” said Tyler Potretzke of San Francisco.

“If I was traveling, I might have tossed it in the trash in my hotel room,” said Debbie Caporuscio from Denver.

People leave them on the plane or toss them at baggage claim.

But, aside from the printed information, there’s something potentially much more revealing on those slips of paper: the barcode.

Barcodes are technically easy to decipher. All you need is a good scanner app. We used one from Manateeworks.

KPIX reporter Betty Yu downloaded one to her cellphone; holding the phone over the ticket reveals the barcode data. Many baggage claim tickets have similar barcodes.

KPIX scanned three boarding passes and two baggage claim tickets and handed what we found over to cyber forensic security consultant Winston Krone.

“Each of the airlines we looked at was different,” Krone said.

While some, like Southwest, scramble the information on the barcode, others, like United, do not.

“On the ticket itself, it listed her air miles number but they had redacted out certain digits. If you look at the barcode the entire number is listed.”

With permission from the owner, a KPIX 5 employee, Winston and his team went to work and found it all too easy. Unlike other airlines that send a link to your e-mail for password recovery, United just asks for an answer to your security question.

“We simply had to guess her favorite sports team,” said Winston.

Once logged in “we could see her prior flights, her future flights, we could also see her home address, her personal telephone number, her e-mail address — all great stuff for further attacks. If we wanted to try to get into her personal bank account, this would have been a great start,” Winston told us.

In a statement to KPIX 5, the International Air Transport Association says “each airline makes its own decisions with regard to security protocols for accessing member frequent flyer accounts.”

And IATA confirms “there is no industry requirement that frequent flyer numbers be included in the BCBP (bar code), although there is a data field to include it at the airline’s option.”

For passengers, it’s a wakeup call.

“It’s scary, because it seems like people make a living out of hacking, so yeah, I think that is a real scary thought, that someone could find my information that quickly, all of it! Pretty personal,” said Denver traveler Debbie Caporuscio.

Her solution is to keep the boarding pass on her phone.

“Mobile is much easier. It’s always on my phone, the worst thing would be if I lost my phone,” Caporuscio said.

A United Airlines spokesperson says the airline takes customers’ privacy seriously and sends customers an alert when their password gets changed. Our employee did get one. But the spokesperson wouldn’t comment on why United chooses to put the full account number on the barcode.


Krone: “There’s an awareness that trusting the IT department won’t hold up with regulators.”

Cyber Rules: What to Guard Against

October 28, 2015 | By Rayna Katz

NEW YORK CITY—As the world-at-large grows more aware of cyber security—which will be the topic of conversation at a conference here in December—new mandatory requirements from financial industry oversight organizations, as well as strongly worded advice, concerning preparedness and the means to address a breach are becoming more prevalent.

The rise in guidance, of course, would impact investment banks with commercial real estate divisions, and will likely trickle down to other types of companies. And while some companies leave the matter of cyber security in the hands of information technology departments, this increased crack down has led some executives to question that strategy.

“More and more, with company directors facing liability, there’s an awareness that trusting what the IT department is saying isn’t sufficient and it’s not going to hold up with regulators,” says cyber security expert Winston Krone, managing director of Kivu Consulting. “We’re getting more calls from general counsels who want a better investigation.”

Those corporate lawyers have reason to be paranoid, he notes. Earlier this year, the NYS Dept. of Financial Services issued a letter to CEOs, CIOs and general counsel officers stating that the organization “has expanded its information technology examination procedures to focus more attention on cyber security.”

The letter goes on to demand of each organization a 16-part detailed report that, in part, outlines specific systems in place to safeguard information, describes an entity’s ‘incident report program’ and even includes the job description or resume of the CIO or person overseeing cyber security.

Rules such as these likely will spread to more states, asserts Krone. “Other states will simply copy what New York is doing. Regulation only will increase, it’s not going to go down.”

Other oversight organizations, including the Financial Industry Regulatory Authority and the Securities and Exchange Commission, have been conducting surveys and—in reports issued throughout the year—are urging members to take numerous proactive steps to guard cyber security.

Meanwhile, in its annual survey of mid-market companies, Deloitte notes a hefty rise in both the cost of a cyber security breach and some concerning new cyber attack trends.

“The average cost of a data breach increased by 23% between 2013 and 2015, with an average price tag of nearly $3.8 million per breach,” the report says, citing data from Ponemon Institute. Further, Deloitte & Touche partner Adnan Amjad, who leads Deloitte’s cyber threat management practice, says in the report, “An issue of particular concern for mid-sized companies is enacting training to spot the types of attempts to get information.”

Hackers are becoming increasingly sophisticated with a number of techniques, he adds, “including personal details about employees that convince even the most skeptical employees within organizations to divulge proprietary information or even write a check.”

Also of note, according to the research, is an increased risk faced by firms that allow employees to access and send information remotely. “It’s relatively easy to exploit and harder to cope with from an IT perspective,” Amjad reveals. “Organizations are well-served if they have the ability to remotely delete files on devices that are lost or otherwise exit the company.”


The misnomer of HIPAA compliant software is prevalent in the health care industry. Too often, HIPAA-regulated entities rely on vendor controls and claims of compliance as a substitute for their own HIPAA security programs. While the vendor software itself may meet the requirements of HIPAA compliance for the discrete functions it performs, the truth of the matter is that no software or system that handles Protected Health Information (PHI) is HIPAA compliant until it has undergone a risk assessment by the regulated entity to determine the efficacy of its security controls in the user’s environment.

Adherence to HIPAA required risk management processes and industry-best practices should protect organizations from attacks. HIPAA requires that both covered entities and business associates maintain a security management process to implement policies and procedures to prevent, detect, contain, and correct security violations. The foundational step in the security management process is the risk assessment, which requires regulated entities to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity.

HIPAA compliant risk assessment

NIST Special Publication 800-66 identifies a protocol organizations may use for conducting a HIPAA compliant risk assessment. 800-66 generally identifies nine steps an organization should take in this regard. Significantly, the first two steps of the risk assessment process should be read together to identify all information systems containing PHI and ensure that all PHI created, maintained, or transmitted by the system is being maintained appropriately and that security controls are applied.

In the context of third party software and systems, the risk assessment process should be used to identify hidden repositories of PHI where unintended business functions or improper implementation cause PHI to be located outside of an organization’s secure environment. If third party software and systems are not identified within the scope of a risk assessment, and a disclosure or audit occurs, the government may impose penalties for not conducting a thorough risk assessment. Additionally, there is potential for third party lawsuits if a disclosure results. In a data breach dispute, the argument usually boils down to whether the controls the organization had in place were reasonable to protect PHI. In many cases, the plaintiffs use HIPAA as a standard of care, so that if an organization was not in compliance, the plaintiffs will argue the organization did not take reasonable steps to protect PHI.

While not conducting an accurate and thorough risk assessment may result in regulatory enforcement or litigation risk, failing to identify hidden repositories of PHI may also result in other HIPAA violations. If data is stored outside of its intended repository, it is unlikely that an appropriate data classification and associated security controls have been applied to the hidden repository. The result is that it is unlikely the HIPAA regulated entity is meeting the required technical implementation specifications of the HIPAA Security Rule with regard to the information contained in the hidden repository. In such situations it is unlikely that an organization has appropriate access and audit controls in place on systems that are not intended to store PHI.

Common vulnerabilities in electronic medical record (EMR) software

Software is developed for a specific purpose, such as managing patient information or insurance billing. Software’s core functionality is created during the development cycle, and security may be incorporated into the development process, or it may be an afterthought. Security is optimal when it exists within a software application and the environment where the application is hosted.

  1. At the device level where the software is installed, software integrates with its host operating system, file system and network environment. The intersection between an application and its host environment could create significant PHI exposure risk.
  2. Software, particularly database software, is often vulnerable due to poor security upgrade practices and loose configurations.
  3. Even when security features are established, those features may be changed to appease users or to simplify IT tasks.
  4. Delayed software upgrades or improper upgrade installation may increase the potential for compromise.
  5. External communication channels are often incorporated into software applications to enable functionality, such as transmitting faxes/emails, or to allow access by outside administrative support. These communication channels are often left unsecured with default configuration settings and administrative credentials.
  6. Audit logs are typically developed to support a specific software application, but use of audit logs may be disabled or ignored.

A recent data breach investigation

In a recent data breach investigation, Kivu encountered an integrated EMR software solution that stored patient records, including social security numbers (“SSNs”), on a Windows server. While the EMR application had protected access with unique credentials assigned to users, the server itself was accessible to all employees with domain credentials. The EMR software offered complete practice management capability in a single offering (such as patient management, prescriptions ordering and tracking, patient communications and billing).

The EMR software and the server housing the EMR software lacked appropriate controls to secure PHI. The presence of EMR login credentials in text-searchable files potentially negated the use of encryption for the EMR database. Unsecured directories provided the opportunity for any user to browse the server and potentially locate files containing patient data.

The audit capabilities of the EMR software were limited to the EMR database. As a result, externally stored files with patient data were outside the reach of the EMR software. PHI could have been exfiltrated without leaving evidence of file activity. For example, on a Windows computer, a hacker could use a Robocopy command to copy files, and the use of this command would leave no evidence of file access.

Using sophisticated search tools employing data pattern recognition, Kivu was able to identify numerous instances of PHI on the compromised server. The client was surprised by the result because they believed the EMR system was secure and HIPAA compliant. This was a painful lesson in the numerous (and dangerous) ways that sensitive data can leak from an otherwise secure system.
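As an added example of the kind of pattern search described above (editor-written, not Kivu's tool), the scanner below walks text-searchable files for SSN-shaped values and stored credentials, applies the SSA issuance rules to cut false positives, and redacts what it reports so the findings file does not become a new PHI repository. The file names, contents and server name in the samples are constructed.

```python
"""Find PHI (SSNs) and credentials sitting in text-searchable files outside the
EMR database.  Sample files are constructed inline so the block runs offline."""
import os
import re

# SSN as AAA-GG-SSSS, or nine bare digits (noisy, hence the structural check below).
SSN_RE = re.compile(r"(?<![\d-])(\d{3})-?(\d{2})-?(\d{4})(?![\d-])")
# key=value or key: value lines that look like stored credentials.
CRED_RE = re.compile(r"(?i)\b(password|passwd|pwd|secret|api[_-]?key)\b\s*[:=]\s*(\S+)")


def ssn_structurally_valid(area, group, serial):
    """SSA rules: area is never 000, 666 or 900-999; group and serial are never all zeros."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


def scan_text(text, source="<inline>"):
    """Return findings with the matched value redacted (last four digits only)."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in SSN_RE.finditer(line):
            if ssn_structurally_valid(*m.groups()):
                findings.append({"source": source, "line": lineno, "kind": "ssn",
                                 "value": "***-**-" + m.group(3)})
        for m in CRED_RE.finditer(line):
            findings.append({"source": source, "line": lineno, "kind": "credential",
                             "value": f"{m.group(1)}=<redacted>"})
    return findings


def scan_tree(root, extensions=(".txt", ".csv", ".ini", ".cfg", ".config", ".log", ".xml")):
    """Walk a directory (e.g. a mounted forensic image) and scan text-like files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                try:
                    with open(path, encoding="utf-8", errors="replace") as fh:
                        findings.extend(scan_text(fh.read(), path))
                except OSError:
                    continue  # unreadable file: a real tool would log and move on
    return findings


SAMPLE_FILES = {  # constructed contents of files found outside the EMR database
    "exports/billing_2015.csv": (
        "patient_id,name,ssn,amount\n"
        "1001,DOE JANE,123-45-6789,250.00\n"      # valid structure: reported
        "1002,ROE RICHARD,000-12-3456,80.00\n"    # area 000: skipped
        "1003,SMITH JOHN,987-65-4321,120.00\n"    # area >= 900: skipped
    ),
    "emr/app.config": "[database]\nserver=EMRSQL01\nuser=emr_admin\npassword=Winter2015!\n",
    "notes/readme.txt": "Ticket 987654321 closed. Call 415-555-0100 with questions.\n",
}


def scan_samples():
    return [f for name, text in SAMPLE_FILES.items() for f in scan_text(text, name)]


if __name__ == "__main__":
    for finding in scan_samples():
        print(finding)
```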

Kivu is a nationwide technology firm specializing in the forensic response to data breaches and proactive IT security compliance. Headquartered in San Francisco with offices in Los Angeles, New York and Washington DC, Kivu handles assignments throughout the US and is a pre-approved cyber forensics vendor for leading North American insurance carriers.

For more information about HIPAA data leakage and HIPAA compliant risk assessments, please read the full paper: Forensic Analysis Reveals Data Leaks in HIPAA Compliant Software or contact Kivu.


How Do You Limit the Exposure of a Data Breach

September 2015 | By Hiscox Global Insight

Some of the worst and most costly data breaches occur because an organisation doesn’t know what and how much data they have stored, says Winston Krone Managing Director, Kivu Consulting. In many cases, businesses have simply been unaware that they hold sensitive data such as healthcare or financial information, and “…haven’t purged data, they haven’t taken it off line; they’ve treated old data…as being necessary to be instantly accessible,” Krone, a computer forensics expert, argues in an interview for Hiscox Global Insight.

What’s in an email?

A particular area of exposure, Krone says – and this is particularly the case for professional services companies – is with the storage of unstructured data such as email. “It’s been the driver in many of the most expensive data breaches. The most common is email or a file server where you have attachments, spreadsheets, word documents. In a lot of these cases you don’t know what you’ve got. You may not even know that someone has sent you an attachment with a thousand names, dates of birth, social security.”

Krone adds: “Trying to determine how many mail boxes have been raided [following a breach] can be the work of weeks and then determining what data is inside those mail boxes can take 30-40 days. This pushes up the response time [and] the response costs.”

For many businesses, even if an attempted data breach is unsuccessful, the impact can be just as bad as a successful breach, explains Krone. “In most cases the attackers are stopped or seen. But the real problem for us, and it’s probably a problem in half our cases, is that the organisation was not logging or monitoring its own system sufficiently to allow us to disprove the hack. Unless we can prove what they did and what they’ve taken…that will be a defacto data breach with enormous costs and implications to the organisation.”

Given that it’s virtually impossible to protect against a data breach happening, however, Krone says that the best risk management happens well before a breach. “If you haven’t set up in advance your system so it’s recording evidence, so it’s logging evidence, data of who is coming in, where they’re coming in, what they’re doing, what they’re taking out of your system – you can’t go back in time and work that one out. That’s a crucial preparation to put in advance.” A good incident response plan is also important, Krone adds, as well as having a good understanding of what data an organisation holds.

Insurance sector can drive better risk management

The growth in cyber insurance is also playing a role in improving awareness of the cyber threat. “Just having the discussion about cyber insurance has required organisations to rethink their risk and how they’re mitigating these problems,” says Krone. “We see a huge difference between companies who have a cyber risk policy – or at least have gone down the road in deciding whether they should have one – and those who haven’t thought about it. It’s a huge educator and the more enlightened insurers are asking companies to really answer some deep questions. It’s a great way for disparate groups [in an organisation] – legal, risk management, HR, IT – to come together when they think about cyber insurance.”

Data choice

In such a fast changing environment however, where data breaches hitting the news become ever more significant in scale, Krone says that the real differentiator between good and bad businesses from an information security perspective, will be the way in which they deal with their data. “If you look at the example of financial institutions and healthcare – two [sectors] that are very regulated in the US and have got their act together – [a business] is either going to take [its] data and start heavily encrypting it and segregating it and making sure that nobody can get into it, or they’re going to take their data and say we’re not in the data storage business; we’re going to put it off to security accredited vendors. It’s really a question of whether smaller organisations are going to have the means and the budget to go down those two different roads.”


#1. Anti-virus programs are generally ineffective

#2. Your firewall faces the wrong way

#3. You are the weakest link in the Cloud

#4. Advising your employees not to open emails from “strangers” is counter-productive

#5. Encrypting your company’s portable devices isn’t enough

Many small-to-medium-sized businesses (SMBs) believe that they aren’t important or large enough to be targeted by hackers. Unfortunately, that’s not the case. Smaller companies in general have fewer resources to spend on defending their networks, yet they have substantial assets that hackers can take. As larger organizations adopt better cyber defenses, many hackers specifically target SMBs as easier targets.

If a hacker targets an SMB, the risks are great. When a hacker intrudes into a business network, they may be able to steal and illegally use customer data, lift employee information (including social security numbers and payroll information) and empty the company’s bank account. In addition to these direct losses, a hacker can use the SMB’s network to attack other targets such as the SMB’s business partners and customers. These consequential third party losses can obliterate goodwill and expose the SMB to costly litigation.

Hacking is becoming an increasingly serious threat to every type of business. Computer virus source code is readily available on the Internet, sometimes for free, making new malware easier to create by professional cyber criminals and “wannabe” hackers alike. New malware is appearing at an estimated rate of 80,000 instances per day.

To learn more, read the full white paper. We’ll talk about the five things hackers don’t want SMBs to know. We’ll pinpoint what hackers look for when choosing a company to attack. We’ll reveal the damage that they can do. Then, we’ll offer some practical steps that SMBs can take immediately to protect their organizations from outside intrusion.

We make a multitude of assumptions every day, at times without giving them much thought. Assumptions are a part of our daily lives and how we interpret the world around us. They also impact our decisions, large and small.

Digital forensics is based on science, not magic. It’s not just pushing a button or running a tool and getting results. In forensics and e-discovery cases, assumptions can lead to mistakes, duplication of work and/or deliverables, and tension between you and a client. We live in a world of assumptions, but in these matters, you cannot assume.

Why do we make assumptions? It’s easy; it’s safe. It’s a habit derived from familiarity and performed out of safety. We’ve done or seen this before, so this must be what will happen. We expect or predict certain outcomes based on what has happened in the past. It serves as a form of protecting ourselves or, in some cases, placing us in control of a situation. It’s a way of convincing ourselves that how we act or what we do or say is right.

In his book The Seven Habits of Highly Effective People, Stephen Covey discusses paradigms, or how we see and interpret the world around us. Paradigms are often the basis of assumptions. Covey explains that these come from conditioning and habit, and that they influence our actions and behaviors. He observes that “we simply assume that the way we see things is the way they really are or the way they should be” (Covey 32).

Below are several types of assumptions and scenarios that arise often in forensics and e-discovery cases:

1) Access
Do you have access to the device or account you are collecting? Do you have the credentials? The presence of encryption or password protection on a device can hinder forensic preservation in some cases. For instance, if a custodian has their Apple device encrypted with FileVault, you will need to provide the pass phrase in order to decrypt the drive and image it with a tool such as MacQuisition. This also pertains to encryption or passcodes on other devices.

2) Visibility
Do your forensic tools parse the data properly? What types of files are present on your device? Are they operating system-specific files – only viewable on a Macintosh, Windows, or Linux operating system? Do you have the necessary tools to view and/or convert them if you need to provide them to a client? Will you need third party tools to parse or analyze certain types of files? Does a newer version of your tool parse your data in a way that an older version did not? Newer versions of forensic tools can support and collect more models of phones and parse more file systems. For example, EnCase 7 accurately parses the file and folder structure of Windows 8/8.1 devices, but EnCase 6 shows the F: partition, which contains much of the operating system and user data, as unallocated clusters and does not accurately parse the folder structure.

3) Authorization
Do you have authorization – legal or otherwise – to perform a collection, examination, and/or analysis? In civil litigation matters, no collection or analysis can be done until permission is granted by the attorneys or ultimate client. In criminal cases, this is typically applied via a search warrant. In child exploitation cases, do you have legal authorization to collect or seize devices? Do you have legal authorization to view pictures?

4) Authenticity/Accuracy
How do you know your data has not changed during the forensic preservation and/or replication processes? This is where hashes and verifying file integrity are important. If providing counts of files, how do you know you’ve accounted for everything on a system or within a data set? If providing native files, are you providing them to a client in a readable format?
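The hash-and-count check described in item 4, as an added example that is not part of the original post: it hashes every file in a preserved tree (hidden and empty files included, so the count is complete), compares the result against a copy, and reports exactly which paths are missing, extra or altered. The helper names and the tiny sample tree are constructed for this illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helpers written for this example, not an existing forensic tool's API.
def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hash a file in chunks so a large image never has to fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map every regular file under root (hidden and zero-byte files too) to its hash."""
    root = Path(root)
    manifest = {}
    for path in root.rglob("*"):
        if path.is_file() and not path.is_symlink():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest

def verify_copy(source_root, copy_root):
    """Compare source and copy; return (ok, missing, extra, changed, source_file_count)."""
    src = build_manifest(source_root)
    dst = build_manifest(copy_root)
    missing = sorted(set(src) - set(dst))          # present in source, absent in copy
    extra = sorted(set(dst) - set(src))            # present in copy, absent in source
    changed = sorted(p for p in src.keys() & dst.keys() if src[p] != dst[p])
    ok = not (missing or extra or changed)
    return ok, missing, extra, changed, len(src)

def demo():
    """Constructed sample: one faithful copy of a small tree and one with a single altered byte."""
    base = Path(tempfile.mkdtemp())
    src, good, bad = base / "source", base / "copy_good", base / "copy_bad"
    for root in (src, good, bad):
        (root / "Documents").mkdir(parents=True)
        (root / "Documents" / "memo.txt").write_bytes(b"quarterly figures")
        (root / ".hidden_notes").write_bytes(b"easy to miss in a naive count")
        (root / "empty.log").write_bytes(b"")     # zero-byte files still count
    (bad / "Documents" / "memo.txt").write_bytes(b"quarterly figurez")  # one byte altered
    return verify_copy(src, good), verify_copy(src, bad)

if __name__ == "__main__":
    good_result, bad_result = demo()
    print("faithful copy:", good_result)
    print("altered copy: ", bad_result)
```

The same manifest, written out alongside the image, is what lets a later examiner re-run the check and show that nothing changed between preservation and delivery.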
– – – – – – – – – – – – – – – – – – – – – – – – – –
In confronting the dangers of assumptions, here are a few techniques that I have found useful in my personal and professional lives:

-Pull yourself back from the situation and ask yourself “why?” Why are you feeling like this? Why are you thinking this way? What is causing you to feel this way? Why are you jumping to this conclusion?

Try to do this not as a form of rationalizing or justifying your own behavior but as a means of understanding how and why you tend to make assumptions. Use this as a starting point to become more aware of your own thought process and to curb these habits.

-If unsure about something, ask before going forward (or perhaps making a statement or decision that could land you in hot water). This applies to personal and professional matters. Clarify issues with a client or project manager ahead of time.

-Acknowledge and learn from your mistakes.

Sources:
Covey, Stephen R. The Seven Habits of Highly Effective People. New York: Simon & Schuster, 2004.