Monday, January 29, 2007

The Beacon Bulletin: Your Firm's Email and YouTube: Computer Forensics 101

This Week; Focus On: Recovering Your Firm's Email: Computer Forensics 101

Email originating from your firm's computers is at once your property and your liability. An employee may think it amusing to post a hilarious water-cooler moment to YouTube, or to participate in an intra-industry user-generated site to discuss work issues or situations. A routine sweep, while perhaps viewed by some as an invasion of privacy, is actually good housekeeping. One is expected to maintain a general awareness of what is brought into or taken out of one's home. Workplace Internet protocols call for an even higher level of monitoring given the potential for creating a harmful environment and revealing company information.

This week's Bulletin focuses on the nuts and bolts of recovering computer evidence using procedures that minimize the chance that the extracted evidence could be compromised.

To ensure the integrity of the computer evidence, all data files should be copied onto write-once Read Only Memory (ROM) disks. Alternatively, one can "clone" the computer's hard drive. There are, however, some problems with cloning. All hard drives are by their very definition read-and-write media. That means that once information is cloned onto a hard drive, it can be altered. It is virtually impossible to alter data on a write-once ROM disk. Also, if you clone a hard drive, you copy everything, including the OS (operating system). This occupies a large amount of storage when the evidence is usually found in the data files. Data files typically account for a much smaller portion of the hard drive's space and are therefore easier to deal with. (In the event that time or circumstance dictates cloning the hard drive, do so with the intention of subsequently copying the data files to ROM disks.)

Phase 1 - Preliminary Procedure - Obtaining Log-Ons and PINs

1. Obtain all log-on names and passwords (or PINs).

2. Obtain e-mail log-on names and passwords (or PINs).

3. Obtain the evidence computer's encryption codes, passwords and software for the applicable data files.

Phase 2 - Evidence Access and Duplication

1. Identify all data files including hidden and deleted files. Identify e-mail message files.

2. Copy the identified files onto a write-once CD-ROM disk.

3. After all copies are completed, certify that each file was copied from the evidence computer.
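One checkable way to perform step 3 is a manifest of cryptographic hashes: hash each identified file on the evidence side before copying, write the manifest to the disc alongside the copies, and re-hash the copies against it. The script below is an added example written for this Bulletin, not code from the original post; the directory names and the two sample files created in demo() are constructed for the illustration.

```python
"""Hash manifest for a forensic file copy.

Added example, not from the original Bulletin.  Phase 2 copies the identified
data files to write-once media and then certifies that each file came from the
evidence computer.  Hashing the files on the evidence side first, writing the
manifest alongside the copies, and re-hashing the copies makes that
certification something anyone can re-check later.  Directory names and the
sample files in demo() are constructed for the example.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in 1 MiB chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            manifest[p.relative_to(root).as_posix()] = sha256_file(p)
    return manifest


def write_manifest(manifest: dict, dest: Path) -> None:
    """Write 'digest  path' lines, the same layout that sha256sum -c accepts."""
    with dest.open("w", encoding="utf-8") as f:
        for rel, digest in manifest.items():
            f.write(f"{digest}  {rel}\n")


def verify_copy(manifest: dict, copy_root: Path) -> list:
    """Relative paths whose copy is missing or whose digest no longer matches."""
    problems = []
    for rel, expected in manifest.items():
        target = copy_root / rel
        if not target.is_file() or sha256_file(target) != expected:
            problems.append(rel)
    return problems


def demo() -> tuple:
    """Constructed run: hash evidence files, copy them, verify, then detect a later change."""
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "evidence"          # stands in for the evidence computer
        (evidence / "mail").mkdir(parents=True)
        (evidence / "mail" / "inbox.eml").write_text(
            "From: a@example.com\nSubject: hi\n\nhello\n")   # constructed sample
        (evidence / "notes.txt").write_text("meeting at 3pm\n")  # constructed sample
        manifest = build_manifest(evidence)          # hash BEFORE copying

        disc = Path(tmp) / "disc"                    # stands in for the write-once disc
        shutil.copytree(evidence, disc)
        write_manifest(manifest, disc / "MANIFEST.sha256")  # manifest travels with the copies
        clean = verify_copy(manifest, disc)          # expected: []

        # A copy on read/write media can be altered later; the manifest catches it.
        (disc / "notes.txt").write_text("meeting at 4pm\n")
        tampered = verify_copy(manifest, disc)       # expected: ['notes.txt']
        return clean, tampered


if __name__ == "__main__":
    print(demo())
```

Because the manifest is burned onto the same write-once disc as the copies, it cannot be silently rewritten later; recording the manifest's own digest in the certification paperwork lets a reviewer confirm the disc is the one certified. Hash the source files read-only (a hardware write blocker is the usual practice) so the evidence drive itself is not modified during Phase 2.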

Phase 3 - Software Identification

1. Identify all software used on the evidence computer.

2. Identify e-mail account client and provider.

3. Have another computer available (called Computer No. 2). Load the previously identified software onto this secondary computer.

4. Load the CD-ROM disc (previously recorded with the data files) into Computer No. 2.

5. Review and print all or selected evidence data files as required.

Phase 4 - E-Mail Evidence Discovery

1. Identify the e-mail provider.

2. Request any available e-mail files from the e-mail provider's server.

Phase 5 - Review of Evidence

This is the final phase of the evidence discovery from the evidence computer. All evidence files are now on CD-ROMs and Computer No. 2 has the requisite software loaded to view and evaluate the evidence.

The attorney may now want to search on a key phrase or name(s) contained within all the files to quickly sort out any specific evidence. Or, the attorney may want to sort the files by date and review a chronology of events.
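The two review tasks just described, a key-phrase search across the collected files and a chronology built from message dates, are shown below as an added example, not code from the original post. It assumes the e-mail messages were saved in RFC 822 (.eml) form; the three messages in SAMPLE_EML are constructed for the illustration, and the example also handles the edge case of a message with a missing or unparseable Date header by listing it first for manual review rather than dropping it.

```python
"""Key-phrase search and chronology over collected e-mail messages.

Added example, not from the original Bulletin.  Assumes messages were saved as
RFC 822 text (.eml); the sample messages below are constructed.
"""
import email
import email.policy
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed sample messages standing in for the evidence copies on Computer No. 2.
SAMPLE_EML = [
    "From: sam@example.com\r\nTo: lee@example.com\r\nSubject: Q3 numbers\r\n"
    "Date: Wed, 10 Jan 2007 09:15:00 -0500\r\n\r\nThe Acme figures are attached.\r\n",
    "From: lee@example.com\r\nTo: sam@example.com\r\nSubject: Re: Q3 numbers\r\n"
    "Date: Tue, 09 Jan 2007 17:02:00 -0500\r\n\r\nSend them before the Acme call.\r\n",
    "From: pat@example.com\r\nTo: sam@example.com\r\nSubject: lunch\r\n"
    "Date: Thu, 11 Jan 2007 12:00:00 -0500\r\n\r\nNoodles?\r\n",
]


def load_messages(raw_messages):
    """Parse raw RFC 822 text into EmailMessage objects (modern default policy)."""
    return [email.message_from_string(raw, policy=email.policy.default)
            for raw in raw_messages]


def message_date(msg):
    """Date header as a datetime, or None when the header is missing or unparseable."""
    try:
        return parsedate_to_datetime(msg["Date"])
    except (TypeError, ValueError):
        return None


def body_text(msg):
    """Decoded text of the first text/plain part, or '' if the message has none."""
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def search(messages, phrase):
    """(subject, sender) of every message whose headers or body contain phrase, case-insensitively."""
    needle = phrase.lower()
    hits = []
    for msg in messages:
        fields = [msg.get("Subject", ""), msg.get("From", ""), msg.get("To", ""), body_text(msg)]
        if needle in " ".join(str(f) for f in fields).lower():
            hits.append((str(msg["Subject"]), str(msg["From"])))
    return hits


def _sort_key(msg):
    # Undated messages sort first so the reviewer sees them rather than losing them.
    d = message_date(msg)
    return (d is not None, d or datetime.min)


def chronology(messages):
    """Subjects in Date order; messages without a usable Date come first."""
    return [str(m["Subject"]) for m in sorted(messages, key=_sort_key)]


if __name__ == "__main__":
    msgs = load_messages(SAMPLE_EML)
    print(search(msgs, "acme"))   # expected: [('Q3 numbers', 'sam@example.com'), ('Re: Q3 numbers', 'lee@example.com')]
    print(chronology(msgs))       # expected: ['Re: Q3 numbers', 'Q3 numbers', 'lunch']
```

For a real review the raw strings would come from reading each .eml file on the disc; the search and sort logic is unchanged. Note that the Date header is whatever the sending client wrote, so the chronology should be cross-checked against server Received headers where accuracy matters.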

Monday, January 22, 2007

Towed, Moved or Stolen? Finding/Recovering a Missing Vehicle in NYC



(Who would you call - A or B?) But seriously...

It's 6 a.m. You've circled the block several times, almost certainly during a torrential downpour or an unexpected snowstorm, and finally you've come to the conclusion that your vehicle is gone. This happens to hardcore City dwellers and unsuspecting visitors alike. Unlike an intriguing "how did this happen" Lost episode, this situation is rarely amusing. Our purpose this week is to cut through the labyrinthine process of vehicle location and redemption in NYC.

The first thing you need to determine is whether your vehicle was towed, removed for a parade or dignitary detail... or stolen.

Towed: Go online to NYC Serv - New York City On-Line Payment Services. Check for both outstanding parking and red-light tickets. The information is in real time and will tell you whether your vehicle has been towed and to which impound.

If your vehicle has been towed, it is important for you to know whether it was a Violation Tow or Judgment Tow:

Violation Tow (by the NYPD): If your vehicle was booted or towed because it was illegally parked and you owe no unpaid parking tickets in judgment, simply redeem your vehicle directly from the NYPD. If, however, your vehicle was illegally parked and you owe more than $101 in outstanding tickets that have gone into judgment, your tickets must be paid to the Department of Finance (Paying a Parking Ticket) before your vehicle can be redeemed. When you have resolved your outstanding parking debt, obtain a Vehicle Release Form. Take this form to an NYPD impound lot to redeem your vehicle. There is a City impound lot in every borough except Staten Island.

Judgment Tow (by Sheriff or City Marshal): The vehicle's registered owner has outstanding parking tickets of $350 or more on any vehicle registered in his/her name. To redeem a vehicle towed by the Sheriff, pay the outstanding debt online at the NYC Finance Center (NYC Serv - New York City On-Line Payment Services). If the vehicle was towed by a Marshal, go to the Marshal's office (City Marshals) and pay the tickets.

Moved or Stolen: If you do not locate your vehicle through this system, it has either been moved by the NYPD (for a parade, motorcade, safety... detail) or stolen. Contact the NYPD.

There are also situations wherein a vehicle is removed and secured by the NYPD for evidentiary purposes in criminal investigations. This requires a more specialized search. Consult with an experienced investigator; she should know the more direct routes through the bureaucratic red tape and be able not only to locate the vehicle but to establish the reason for the seizure.

Park legally. Be safe.

Wednesday, January 17, 2007

A Real Surveillance Pic

Double-click the pic. Recently, a new client asked BNI to help out with a surveillance. He sent the above as the reason for firing his last PI. I think the client also objected to being billed 4 hours for surveilling this subject. Dupont. No more clues.

Monday, January 15, 2007

7 Investigative Trends for '07

To best serve the quickly evolving informational needs of the trial-law community, today's investigator must have broad technical and up-to-date operational skills. The following 2007 trends list was compiled after analyzing the past several years of client service and data requests.

  1. Identity theft research. Aside from preventing ID theft or assisting those who have become victims of identity fraud, we are aware of rising cases of real "fake" IDs (using a real person's information in the commission of a crime, ranging from white-collar theft to altered driver's licenses).
  2. Surveillance. While this is a traditional private investigation service, the trial lawyer's needs have become more sophisticated as workplace surveillance has become not only common but, for liability reasons, essential. Oftentimes issues such as corporate integrity, workplace standards and employee accountability become integral focal points in corporate complaint matters.
  3. Computer Forensics. There is no such thing as erasing information on a hard drive unless one literally has the drive wiped clean with professional software (and even then, ghosts may remain) or replaces the entire drive. From evidence pointing to extramarital affairs to employee harassment, computer forensics is an investigative specialty that is growing faster than any other private investigation discipline.
  4. GPS Vehicle Monitoring. As the cost of GPS units continues to decline and tracking reliability improves, this monitoring resource is now a standard service in investigations requiring surveillance.
  5. Security Consulting. Not a surprise given our now super-security-conscious world, we've experienced a massive increase in requests to analyze building security and employee backgrounds. Employers are taking a much more proactive approach to securing the safety of their employees as well as that of their clients.
  6. Wireless Hotspot Security. States (including NY) have begun to pass legislation requiring owners of wireless routers to secure them from routine public access. One may think his company's digitally maintained proprietary information is secure. It would take several minutes of driving or walking around an area with a cheap WiFi hotspot finder to test the signal for access security. Add 2-3 minutes to triangulate the signal to an owner, and one can then secure their wireless LAN. From a midtown Manhattan Starbucks, we were able to quickly identify 10 unsecured WiFi ports in range! And this leads directly into…
  7. Competitive Intelligence. Competitive intelligence is the legal method of gaining information on a client's competitors in an effort to give the client the edge in the marketplace. The best way to obtain operational and customer information on competitors is to monitor their businesses. In researching a successful company, the investigative specialist should be able to obtain marketing materials, products and services offered, pricing and, if legally available, client lists. This information can be used to improve or implement one's own business practices and significantly increase revenue.

Monday, January 08, 2007

Focus On: Aftermarket Vehicle Modifications


The trend towards commercial individualism continues to evolve and intensify in America as never before in our nation's history. From the old standby of customized logos, slogans, photos... on T-shirts purchased along the Village's Bleecker Street shops or online (at the same store's website) to the newly announced design-your-own sneakers from Nike iD, the marketplace today has reacted quickly to broaden the commercial avenues for self-expression, thus moving greater quantities of unique product.

While generally encouraged, this individualism can result in serious or fatal injury to oneself and others in the aftermarket vehicle modifications market. Drivers may make aftermarket adaptations to their cars without regard for the laws or vehicle safety regulations and, all too often, lack the knowledge or anticipation of the consequences of these enhancements. Sometimes the modifications will diminish the safety of the vehicle, impede the driver's ability to properly observe the roadway, or increase the danger to others in a collision. Excessively bright headlights or fog lights, for example, can blind oncoming drivers. Where aftermarket modifications are performed by a company, that company may also face liability if the modifications contribute to an accident or injury. It cannot be stressed enough that, during the investigation and reconstruction phases of serious-injury and fatal accidents, the investigator must get to know the vehicle(s) involved.

- Determine whether the involved auto is a specialty vehicle (monster truck, low-rider, sidecar...).

- Does any of the vehicle's critical-function equipment appear modified, enhanced or otherwise changed post-market?

- What is the vehicle sale, warranty, maintenance and modification history?

And, very importantly, a good investigation should include a comprehensive media search on that particular vehicle modification, including safety reports, product defect complaints, accident involvements...

Good starting media research destinations are:

- Carfax (www.carfax.com)

- DMV (www.dmv.org)

- National Highway Traffic Safety Administration (www.nhtsa.dot.gov)

Be safe.