Question 1 – Packaging a thumb drive for shipment to the lab
Preservation and insulation of a flash drive is a key requirement of its transfer to the forensic laboratory for subsequent examination. The primary goal at the ‘evidence acquisition’ stage is to ensure that the files on the drive are not modified, altered or hidden in any manner.
The first step is to label the drive. The label should include the serial number of the storage device, its model, capacity and color, the country of production, and the name and surname of the person who packed the drive. The next step is to place a special ‘blocker’ on the drive, which prevents it from being inserted into a computer and thus prevents potential modifications.
Finally, in order to identify who might have had contact with the drive, the device should be placed in a special evidence preservation bag made of plastic or paper (Coalfire Systems, 2015). The key idea behind these actions is to preserve the fingerprints of a potential offender. Practice shows that in some cases it is impossible to identify by forensic means who was responsible for the actions, and the only option for finding out who committed them is to examine dactylographic (fingerprint) evidence (Kim, 2014).
Question 2 – Making Questions to the Laboratory Staff
Having arrived at the laboratory, it will be important to obtain clarification on the following questions:
What kind of data is on the flash drive?
Clarifying this question will help to establish whether the company's intellectual property policies have indeed been violated and whether Mr. Yourprop has stolen confidential information. Practice demonstrates that in the majority of cases digital thieves are so careless that they fail to erase or hide evidence using encryption or other methods of concealing files from unintended recipients.
Has any data been removed from the drive? If so, is it possible to retrieve it?
In some cases, fearing that they may be caught by the company's security officials, a thief may try to erase data from the flash drive. However, practice shows that there is always a possibility of restoring deleted data, especially if it has not been overwritten. Even if a thief puts a ‘filler’ on the drive, contemporary forensic techniques make it possible to understand which types of files were on the drive. By comparing the size of the file thought to be stolen with the size of the one written to the drive, a forensic expert can conclude whether the file was copied.
Clarifying these issues will help to establish whether the company's policies were violated.
Question 3 – Places, Where Pertinent Digital Evidence May Be Found
Practice reveals that in many cases an employee who tries to steal sensitive corporate information may hide it in locations other than his immediate workplace (Federal Judicial Center, 2011). First of all, it is important to emphasize that such data is rarely transmitted by mail or stored in cloud services. Once a file has been stolen, both the thief and the customer are interested in minimizing contact between the file and other people, who may receive it inadvertently or ‘steal from the thief’. For example, members of the company staff who are aware of the operation may decide to obtain the file and re-sell it to third parties. It is natural to assume that the masterminds of the operation will not go to the police.
Practice shows that the most common locations where USB flash drives or other digital devices are stored are the employees' private apartments, their private vehicles, and the premises of their close friends and intimate partners. In cases when security companies suspect that such a situation may be taking place, the law enforcement authorities should be contacted immediately. The police, in turn, will obtain a search warrant or an injunction, which will be used to search the locations in question.
Question 4 – Protection of the Flash Drive, Before Creation of the Image
In order to protect the integrity of the data contained on a USB flash drive, it is important to use an external tool (known as a ‘blocker’). Once the drive is placed inside this blocker, data can be copied from it, but all possibilities of erasing or changing the data are prevented (Chwan, 2013). These blockers are openly available for civilian use and may be purchased by the company's security staff to protect the data in question.
It is important to protect this data for two basic reasons:
The perpetrator of the theft may attempt to introduce modifications to the data stored on the system. When he suspects that action has been taken by the company administration or law enforcement, the chances are high that he will try to avert being caught (Lee, 2015).
Another employee or a member of the forensic team may inadvertently erase data or metadata. For example, simply inserting the drive into a PC or a laptop will change the latest user profile, and thus it will be harder to understand who was the last to copy the files (Chwan, 2013; Singer & Friedman, 2014).
Question 5 – The Tool, Used for Forensic Examination of the Flash Drives
Nowadays, a great variety of solutions for the forensic examination of flash drives exists on the market.
The first is CheckFlash, developed and maintained by Raymond Tech Resources. The key feature of this solution is that it allows one to understand who introduced the most recent modifications to the flash drive and what software was used to make them.
The second solution, which is popular with government and private security companies, is RMPrepUSB, developed by RMPrepUSB, Inc., a security company based in the United States. This solution is more advanced, helping to identify the web IDs of the computers that were used for the modification, creation and alteration of the files contained on the drive.
Thirdly, H2testw is a solution developed by amateur security experts which helps to identify the last time the flash drive was modified. This tool is especially advantageous because it helps to check hidden files located on the thumb drive which cannot be seen by traditional methods.
In general, the combination of these three forensic examination tools significantly facilitates the progress of an investigation. By applying all of them concurrently, the forensic team will be capable of identifying who copied the files, what sort of data is stored on the drive, and when the latest modifications to the files were introduced.
Question 6 – Hashing, and its Application to the Present Scenario
The concept of hashing refers to the process of transforming a string of characters into a shorter value that has the characteristics of the original string. Nowadays, the main purpose of using hashing technology is indexing and retrieving files or items from a database, because when the database is hashed, finding the necessary information takes less time. Hashing is also used in the encryption and decryption of files (Kim, 2015).
As far as the present case is concerned, hashing should be used if the suspect encrypted the data on the flash drive, making it impossible to obtain via traditional means. Hashing allows the data to be decrypted, making it possible for the investigators to understand whether the flash drive indeed contains privileged data (Singer & Friedman, 2014).
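As an added example (not part of the essay), the following Python applies hashing to the scenario in the way evidence handling actually uses it: a SHA-256 manifest recorded at acquisition detects any later change to the drive's contents, and comparing hashes of the company's confidential documents against the drive's files finds byte-identical copies even when they have been renamed, which is the file comparison Question 2 alludes to. All file names, paths and the sample content are constructed assumptions.

```python
# Added example (not from the essay): SHA-256 for evidence integrity and known-file matching.
import hashlib
import os
import tempfile

def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a large image need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Relative path -> SHA-256 for every file under root; recorded at acquisition time."""
    manifest = {}
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest

def verify_manifest(root, manifest):
    """Paths whose current hash differs from the recorded one; an empty list means intact."""
    return [rel for rel, digest in manifest.items()
            if not os.path.exists(os.path.join(root, rel))
            or sha256_file(os.path.join(root, rel)) != digest]

def match_known_files(manifest, known):
    """Document name -> drive paths with byte-identical content, whatever they were renamed to."""
    by_digest = {}
    for rel, digest in manifest.items():
        by_digest.setdefault(digest, []).append(rel)
    return {name: by_digest.get(d, []) for name, d in known.items()}

def demo():
    # Constructed sample drive: a confidential document renamed to look like a photo.
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "photos"))
        secret = b"PROJECT BLUE - internal pricing model\n" * 50
        copy_path = os.path.join(tmp, "photos", "IMG_0042.jpg")
        with open(copy_path, "wb") as f:
            f.write(secret)
        known = {"pricing_model.xlsx": hashlib.sha256(secret).hexdigest()}  # hash from the file server
        manifest = build_manifest(tmp)
        hits = match_known_files(manifest, known)
        intact_before = verify_manifest(tmp, manifest) == []
        with open(copy_path, "ab") as f:
            f.write(b"x")  # simulate the write a blocker would have prevented
        return hits, intact_before, verify_manifest(tmp, manifest)
```

`demo()` returns the matched paths, `True` for the untouched manifest check, and the list of files whose hash no longer matches after the simulated write.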
Question 7 – Reporting Crime to the Law Enforcement
Scholars, as well as government officials, emphasize that reporting all types of crime to the competent authorities is one of the most important obligations of a law-abiding citizen. Although liability for failing to inform law enforcement varies from state to state, practice shows that the report rates for different types of computer hacking, computer fraud and other forms of internet-related crime are high. In this case, there is a clear violation of copyright and privacy law, and the complaint should be forwarded to two institutions: the local office of the Federal Bureau of Investigation and the Internet Crime Complaint Center.
Although the problem may be resolved by the company's internal security service, reporting the situation to law enforcement is necessary for the following reasons:
Only state or federal law enforcement is authorized to start an official investigation and submit the case for judicial review and sentencing (Lee, 2015). All forms of vigilante justice and employer retaliation are strictly prohibited in the United States, and if the company, after discovering that the suspect has indeed stolen privileged data, decides to punish him in any form, these actions will not be legally acceptable.
In addition, practice also shows that the federal law enforcement authorities, especially the FBI, have more technological resources and better specialists than private companies do. Hence, the chances are high that the outcomes of the final investigation will be more accurate.
Question 8 – Difference between Expert and Fact Witnessing
There are substantial differences between ordinary (“fact”) and expert witnesses in courts of law. The former is a witness who possesses information that somehow relates to the perpetrated crime. In contrast, an expert witness is a person who has sufficient education, skills, training and experience, and who has been accepted by the judge to provide a technical or scientific opinion about facts or evidence discussed in court. Expert opinions may be challenged and rebutted by other experts. Thus, the main difference between the two types of witnesses is that while fact witnesses simply inform the court about particular circumstances and their specific characteristics, expert witnesses help the judge and the jurors to understand evidence that is complicated from a scientific or technical point of view.
The importance of expert witnesses in court can hardly be overestimated, especially in the age of global digitalization. Not only do these witnesses help to understand complicated technological issues, but in many cases they are also helpful for distinguishing relevant information from mere data.
Question 9 – Prevention of the Corporate Bias
If a ‘police hack’ question is asked by the opposing counsel, the judge should sustain an objection to it, because it does not refer to factual or procedural aspects of the case. If, however, it is necessary to answer, the response should state that reporting this crime was in the best interests of the company and the community. In addition to the social reasons, reporting the crime is justified by the purely commercial interests of the company: the FBI and other law enforcement agencies have better resources to investigate the situation and find out who should really be held liable.
References
Chwan. (2013). Introduction to computer networks and cybersecurity. Boca Raton: CRC Press/Taylor & Francis Group.
Coalfire Systems, Inc. (2015). Digital Forensics Analysis Report. Retrieved from http://operationrescue.org/pdfs/283100242-Planned-Parenthood-Forensic-Analysis-Report.pdf
Federal Judicial Center. (2011). Reference manual on scientific evidence. Washington, D.C.: National Academies Press.
Kim, P. (2014). The hacker playbook: practical guide to penetration testing. North Charleston, South Carolina: Secure Planet, LLC.
Lee, N. (2015). Counterterrorism and cybersecurity: total information awareness. Cham: Springer.
Singer, P. & Friedman, A. (2014). Cybersecurity and cyberwar: what everyone needs to know. Oxford: Oxford University Press.