We make a multitude of assumptions every day, at times without giving them much thought. Assumptions are a part of our daily lives and how we interpret the world around us. They also impact our decisions, large and small.

Digital forensics is based on science, not magic. It’s not just pushing a button or running a tool and getting results. In forensics and e-discovery cases, assumptions can lead to mistakes, duplication of work and/or deliverables, and tension between you and a client. We live in a world of assumptions, but in these matters, you cannot assume.

Why do we make assumptions? It’s easy; it’s safe. It’s a habit derived from familiarity and performed out of safety. We’ve done or seen this before, so this must be what will happen. We expect or predict certain outcomes based on what has happened in the past. It serves as a form of protecting ourselves or, in some cases, placing us in control of a situation. It’s a way of convincing ourselves that how we act or what we do or say is right.

In his book The Seven Habits of Highly Effective People, Stephen Covey discusses paradigms, or how we see and interpret the world around us. Paradigms are often the basis of assumptions. Covey explains that these come from conditioning and habit, and that they influence our actions and behaviors. He observes that “we simply assume that the way we see things is the way they really are or the way they should be” (Covey 32).

Below are several types of assumptions and scenarios that arise often in forensics and e-discovery cases:

1) Access
Do you have access to the device or account you are collecting? Do you have the credentials? The presence of encryption or password protection on a device can hinder forensic preservation in some cases. For instance, if a custodian has their Apple device encrypted with FileVault, you will need to provide the passphrase in order to decrypt the drive and image it with a tool such as MacQuisition. This also pertains to encryption or passcodes on other devices.

2) Visibility
Do your forensic tools parse the data properly? What types of files are present on your device? Are they operating-system-specific files, viewable only on a Macintosh, Windows, or Linux operating system? Do you have the necessary tools to view and/or convert them if you need to provide them to a client? Will you need third-party tools to parse or analyze certain types of files? Does a newer version of your tool parse your data in a way that an older version did not? Newer versions of forensic tools can support and collect more models of phones and parse more file systems. For example, EnCase 7 accurately parses the file and folder structure of Windows 8/8.1 devices, but EnCase 6 shows the F: partition, which contains much of the operating system and user data, as unallocated clusters and does not accurately parse the folder structure.

3) Authorization
Do you have authorization – legal or otherwise – to perform a collection, examination, and/or analysis? In civil litigation matters, no collection or analysis can be done until permission is granted by the attorneys or ultimate client. In criminal cases, this is typically applied via a search warrant. In child exploitation cases, do you have legal authorization to collect or seize devices? Do you have legal authorization to view pictures?

4) Authenticity/Accuracy
How do you know your data has not changed during the forensic preservation and/or replication processes? This is where hashes and verifying file integrity are important. If providing counts of files, how do you know you’ve accounted for everything on a system or within a data set? If providing native files, are you providing them to a client in a readable format?
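As an added illustration of the integrity check this section describes (example code written for this point, not from the original article): the script below hashes a file in chunks so that images larger than memory can be verified, compares an original against its copy, and builds a manifest of every regular file under a directory (hidden files included, symlinks counted separately) so that a later comparison reports anything missing, added, or altered. The directory layout and file contents built in the main block are constructed sample data, not real evidence; only the standard library is used.

```python
"""Hash-verify a forensic copy and account for every file in a data set.

Added example, not from the original article. Uses only hashlib/os/pathlib.
The files created in the main block are constructed sample data.
"""
import hashlib
import os
from pathlib import Path

CHUNK = 1024 * 1024  # stream in 1 MiB pieces; images are far larger than RAM


def hash_stream(fh, algorithms=("md5", "sha256")):
    """Return {algorithm: hexdigest} for an open binary stream, read in chunks."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: fh.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash one file on disk without loading it into memory at once."""
    with open(path, "rb") as fh:
        return hash_stream(fh, algorithms)


def verify_copy(original, copy, algorithm="sha256"):
    """True only if original and copy hash identically (acquisition check)."""
    return (hash_file(original, (algorithm,))[algorithm]
            == hash_file(copy, (algorithm,))[algorithm])


def build_manifest(root):
    """Map every regular file under root (hidden files included) to its hashes.

    Symlinks are recorded but not followed and are counted separately, so the
    totals in summarize() account for every directory entry, not just files
    the tool happened to open.
    """
    root = Path(root)
    files, symlinks = {}, []
    for dirpath, _dirnames, filenames in os.walk(root):  # followlinks=False
        for name in filenames:
            p = Path(dirpath) / name
            rel = str(p.relative_to(root))
            if p.is_symlink():
                symlinks.append(rel)
            elif p.is_file():
                files[rel] = hash_file(p)
    return {"files": files, "symlinks": sorted(symlinks)}


def compare_manifests(before, after):
    """Report what is missing, added or altered between two manifests."""
    b, a = before["files"], after["files"]
    return {
        "missing": sorted(set(b) - set(a)),
        "added": sorted(set(a) - set(b)),
        "changed": sorted(k for k in set(a) & set(b) if a[k] != b[k]),
    }


def summarize(manifest):
    """Counts to report alongside a data set so nothing is silently omitted."""
    n_files, n_links = len(manifest["files"]), len(manifest["symlinks"])
    return {"files": n_files, "symlinks": n_links, "total_entries": n_files + n_links}


if __name__ == "__main__":
    import shutil
    import tempfile

    # Constructed sample tree: a "source" volume and a "copy" of it.
    work = Path(tempfile.mkdtemp())
    src = work / "source"
    (src / "Users" / "jdoe").mkdir(parents=True)
    (src / "Users" / "jdoe" / "report.docx").write_bytes(b"constructed sample document")
    (src / "Users" / "jdoe" / ".bash_history").write_bytes(b"ls\n")  # hidden, still counted
    os.symlink("report.docx", src / "Users" / "jdoe" / "link")  # counted, not followed
    copy = work / "copy"
    shutil.copytree(src, copy, symlinks=True)

    print("copy verified:", verify_copy(src / "Users/jdoe/report.docx",
                                        copy / "Users/jdoe/report.docx"))
    before = build_manifest(src)
    print("inventory:", summarize(before))

    # Simulate a file being altered after acquisition; the comparison catches it.
    (copy / "Users" / "jdoe" / "report.docx").write_bytes(b"altered after acquisition")
    print("differences:", compare_manifests(before, build_manifest(copy)))
    shutil.rmtree(work)
```

Record the manifest (with both digests) at acquisition time and re-run the comparison before every delivery; the counts from summarize() are what you quote to a client, and the symlink count explains any gap between "entries on disk" and "files hashed".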
– – – – – – – – – – – – – – – – – – – – – – – – – –
In confronting the dangers of assumptions, here are a few techniques that I have found useful in my personal and professional lives:

-Pull yourself back from the situation and ask yourself “why?” Why are you feeling like this? Why are you thinking this way? What is causing you to feel this way? Why are you jumping to this conclusion?

Try to do this not as a form of rationalizing or justifying your own behavior but as a means of understanding how and why you tend to make assumptions. Use this as a starting point to become more aware of your own thought process and to curb these habits.

-If unsure about something, ask before going forward (or perhaps making a statement or decision that could land you in hot water). This applies to personal and professional matters. Clarify issues with a client or project manager ahead of time.

-Acknowledge and learn from your mistakes.

Covey, Stephen R. The Seven Habits of Highly Effective People. New York: Simon & Schuster, 2004.

Kivu’s digital forensic professionals are seeing an ever-increasing number of Apple devices being used within organizations. Our forensic professionals have extensive Apple experience and have provided expert testimony on a number of legal cases involving Apple devices.

The Challenges of Collecting Data

Mac computers are known for having a secure delete function built into the system. This allows a user to overwrite the computer’s free space once, 7 times or 35 times, making it impossible for forensic examiners to recover deleted data.

Mac computers also come with a built-in encryption feature called “FileVault.” If the user enables FileVault, examiners cannot image or access the contents of the computer until the encryption is bypassed, either with the user’s password or by extensive workarounds involving memory analysis to extract possible passwords. Some vendors claim to decrypt FileVault passwords, but the cost of this method is very high and may not provide the needed results.

iOS devices, such as iPhones and iPads, also present imaging challenges. Physical images are bit-for-bit copies of a device, which include deleted data. Physical acquisition of certain iPhone models is not possible, due to Apple’s encryption. To bypass the encryption, an examiner would need to “jailbreak the device.” This is a risky approach, since jailbreaking a device could lead to destroying current evidence and making the device unusable and inaccessible.

If physical acquisition of a certain iOS model is not possible and jailbreaking is not feasible, a logical acquisition may suffice. The primary issue with logical data acquisition is that certain data cannot be extracted for analysis, including deleted data, emails, cache files, and geo-locations. This, of course, causes a major issue for forensic examiners.

Apple Forensic Tools

The digital forensic professionals at Kivu Consulting are experts in forensically imaging and preserving Apple device data. Our forensic analysts are trained and certified in the industry-leading tools used to image and analyze Apple devices, such as MacQuisition, EnCase, Cellebrite, FTK Imager and BlackLight.

For Mac computers, MacQuisition allows for live data acquisitions, targeted data collections, and forensic imaging. This tool can acquire over 185 different Macintosh computer models and provides a built-in write-blocker to maintain data preservation.

Kivu uses tools such as EnCase, FTK Imager and BlackLight to analyze Macintosh forensic images, as well as to image and analyze iOS mobile devices. Our forensic experts hold the EnCase Certified Examiner and Certified BlackLight Examiner certifications, offered by EnCase and BlackBag Technologies.

Selected Kivu Engagements and Expert Testimony

Kivu Consulting has worked on and testified in various nationwide cases involving Macintosh computers and iOS mobile devices:

  • A construction company was investigating a sexual harassment claim. The client was using an iPhone and iPad. These devices were collected, imaged, and analyzed for evidence of communication between the user making the claim and the client, as well as any inappropriate photos that may have been taken using the devices.
  • Kivu assisted multiple law firms with cases involving theft of Intellectual Property. These law firms reached out to Kivu to assist with iPhone acquisition and forensic analysis to determine device activity, such as applications used, browsing, text messages and calls within a specific timeframe.
  • Kivu investigated and analyzed multiple MacBook Pro devices for an accounting firm, to determine if unauthorized users gained access to the devices and exfiltrated data.
  • Kivu has testified in a federal class action suit involving Apple. Multiple people claimed that Apple billed them twice for the same iTunes songs. They said that the songs they originally downloaded were not accessible in iTunes, so they downloaded the songs again and were billed a second time. Kivu conducted forensic analysis on all Apple devices provided in the case to determine if multiple instances of the same songs were present on the computers and if the originally downloaded songs were, in fact, inaccessible to the users.
  • Kivu investigated multiple Mac devices for educational institutions to determine if students hacked the schools’ computer systems to acquire better grades.

About Kivu

Kivu Consulting combines technical and legal expertise to deliver investigative, discovery and forensic solutions worldwide. Author Thomas Langer, EnCE, CEH, is an Associate Director in Kivu’s Washington DC office. For more information about malware trends and what your company can do to better protect its environment and data, please contact Kivu.

Chinese hackers steal 4M federal personnel records: Here’s what the breach means for insurance

Latest OPM cyber attack highlights growing need for cyber insurance.

June 05, 2015 | By Patricia L. Harman, PropertyCasualty360.com

The latest high profile cyber attack involves over 4 million records of former and current government workers.

The U.S. Office of Personnel Management said Thursday that it recently became aware of an incident in which the records had been breached, including names, addresses, birthdates and Social Security numbers. From June 8 through June 19, OPM will be sending e-mails to the individuals whose personally identifiable information was compromised. The office says e-mails will come from opmicio@csid.com and will contain information about credit monitoring and identity theft protection services available to those affected by the breach.

According to its website, OPM is offering credit monitoring services and identity theft insurance with CSID, a firm that specializes in identity theft protection and fraud resolution. Individuals will receive, at no cost, a comprehensive, 18-month membership that includes credit report access, credit monitoring, identity theft insurance and recovery services.

“Monitoring credit histories seems woefully inadequate in the wake of the scope of this breach,” says Yanai Z. Siegel, director of operations for Your House Counsel. “The issue may become whether centralizing all such records into a single widespread network has become a greater risk, and whether better data record practices such as data encryption generally, [and] splitting records up into multiple databases so that more sensitive information is separated (and separately encrypted)” offers greater protection in the event of a system compromise.

OPM battles 2.5B attacks each month

Concern is data could be used to target workers with sensitive information who could be subjects of traditional blackmail tools.

OPM said it receives approximately 2.5 billion attacks in an average month. According to the FBI, Chinese hackers are believed to be behind this latest attack, which follows an attack by North Korea on Sony, and Russian attacks on the White House, State Department and the IRS. In February, health insurer Anthem revealed that close to 80 million of its records had been hacked.

“Governmental agencies are particularly vulnerable to cyber-attacks because: (1) they have the data bad guys want (including financial and health information); and (2) budgets and expertise for data security are far lower than at private sector companies,” explains privacy lawyer Bruce Raymond CIPP/US of Raymond Law Group LLC, a privacy boutique.

The information stolen can be used to create new identities or, at the very least, apply for credit cards and other forms of credit such as opening bank accounts. Winston Krone, managing director of Kivu, a national technology firm specializing in the forensic response to data breaches and proactive IT security compliance, says “the government should act to make Social Security numbers, a government creation, less valuable to cyber thieves by mandating multi-factor authentication in credit applications and IRS transactions.”
