Summary of the Case Against Mr. Didit
This report is for the evidentiary file of Mr. Isure Didit. The five contraband images previously discovered on Mr. Didit’s laptop were matched by hash value, through the National Center for Missing and Exploited Children (NCMEC), to known child pornographic images (previously tied to known underage victims). Because of this discovery, Mr. Didit’s company exercised its right to monitor employee activity at all times and to take company property back into its possession. Thus, we instigated an investigation into the contents of Mr. Didit’s office. In the office, the digital evidence was: three computer towers (Dell Dimension 3100 Tower Computer P4 HT 8 GHZ 80 GB; D79A Dell Optiplex 960 Core 2 Duo C2D 3.0 GHZ 500 GB; Dell Optiplex 330 Tower PC Computer Intel Core 2 Duo 26B); three loose hard drives (ST9250315 AS Seagate Momentus 250 GB; H 264 Standalone 4-channel DI Network CCTV DVR Hard Drive Recorder; Standalone 16CH Home Surveillance Video Recorder CCTV DVR System 1 DVR System); two flash drives (one on the desk: Sandisk Xbox 360; one found in the pencil holder: 32 GB Samsung Chip Blue); three Maxell CD-ROM R/W discs; and the digital telephone (Northern Telecom Meridian Telephone M7324BAX). The digital evidence was separated from the non-digital evidence, stored in special forensic anti-static bags and placed in a safe place.
On the desk were many scattered papers, some with notes on them, one of which read “3:00 Thursday 21.” The writing tablet on the desk had an entire page of impressions from the last page written on it with a ball-point pen, and was sent to the police labs for analysis. One piece of printed literature lay on each desk: on one, a travel folder for Amsterdam; on the other, a laminated local road map of the kind printed on restaurant menus. All computer peripherals, papers, the coffee cup, the pencil holder, the box of small tools, and everything else on the surface of the desk and in its drawer were confiscated as potential non-digital evidence. All evidence was handled with great care and precision, and the chain of custody was maintained all the way through the process.
There were fingerprints in eight locations on the faces of the monitors at the scene, four usable fingerprints on the mouse, and ten usable fingerprints on the keyboard. The monitors were two Sony SDM-H373 19” TFT LCD Flat Panel Monitors. A Maxell DVD-ROM R/W disc, of the same brand as the two discs found on top of the desks, was found taped under the left side of the desk. It was carefully photographed and then removed. A second flash drive was found in the pencil holder on the left “L” of the desk: this was a 32 GB Samsung Chip Blue USB 2.0 Memory Stick Flash Mini in excellent condition.
Police lab investigation of all the evidence retrieved revealed one file on the Maxell CD-ROM R/W disc that had been taped underneath the desk. This file contained twenty images of a pornographic nature, utilizing young girls as the subjects. This was the only file extant on the disc, but the disc was an older one with some light scratches on it. This was the only evidence retrieved from any of the confiscated digital sources. No other relevant evidence was revealed by the non-digital evidence that was collected. All fingerprints were Mr. Didit’s own, the papers revealed nothing unusual, and the back of the tablet with the writing impressions turned out to hold impressions from a draft of a work-related email.
Digital Evidence Collected, and Nature of Evidence That Might be Found:
Three computer towers potentially revealing: websites, individual photos, communications via email and other means, chatroom records, social networking records, files, cookies showing films and other material watched in the past, and telephone numbers.
Three loose hard drives (same as above)
Two flash drives (same as above)
Three CD-ROM type discs (same as above)
Digital Phone (digital phone calls, missed call messages, incoming and outgoing call records, phone directory)
Non-Digital Evidence Collected and Nature of Evidence That Might Be Found:
Two monitors (fingerprints, fabric fragments, hair)
One keyboard (fingerprints, skin from fingers, fabrics)
One corded mouse (fingerprints, skin from fingers, fabrics)
One set of AV cables coming from right monitor (perhaps to hook up a video player?)
One plastic box of small parts—mostly small tools like mini-screwdrivers, and push pins.
One pad with apparent writing impressions on the paper
Scattered papers and post-it notes, some with writing, one with “3:00 Thursday 21” written on it
One piece of printed matter on each desk: one a travel folder for travel to Amsterdam, the other a laminated local road map with local advertising.
One pen/pencil holder—second flash drive found in holder
One hub with multiple USB ports—could have fingerprints, skin fragments, hair
One coffee pot or large coffee mug—fingerprints, DNA evidence around the rim and handle
One device marked “DK” with a slot
Plastic sleeves for discs in drawer to the right—fingerprints, hairs, etc.
Locations outside the desk where digital evidence might be found: one or more shared office printers, digital telephones in proximity to the suspect’s desk, and flash drives placed anywhere, such as a colleague’s desk drawer or a USB port on someone else’s computer. Evidence obtainable might be: hard-copy photographs from printer(s), digital photos from flash drives, email, digital files, phone messages, call records, etc.
Digital Evidence: How is it processed?
Create identical new images as necessary, and place the original devices in anti-static digital forensics bags. All digital media must be kept away from radio transmitters, magnets, and other potentially damaging devices. Collect instruction manuals, documentation and notes to go along with the digital equipment seized. Document all steps used in the seizure to establish the chain of custody. Note that all of these procedures were followed carefully in the confiscation of the Didit-related evidence.
Tools Used in Digital Evidence Analysis
Mem Marshal, an NIJ-supported tool, makes live memory analysis forensic functions available to law enforcement. “This portable memory forensics software tool kit automates the recovery of information that exists while live in memory, visualizes this information graphically and provides the investigator with reporting features at the crime scene. The tool is expected to extend existing forensic techniques to volatile (live) memory, provide context for string-search results and enable in-memory file carving.” (NIJ. Digital Evidence Investigative Tools: Analyzing Live Memory).
Memory analysis is of special utility in malware (malicious software used to break into a system) analysis and incident response, because it can analyze computers whose operating systems have been subverted.
NIJ is funding the development of a tool at WetStone Technologies, Inc., that can be used at crime scenes, prior to shutdown of computer devices, to:
- Gather information about the device's (or multiple devices’) hardware and peripherals, such as portable hard drives and printers.
- Acquire important information about networking, storage, and contents of the memory of the device.
- Determine whether there is need for a "live image," which is an exact replica of the device's contents that will be stored on a secondary storage device.
This new software tool is called the “USB Live Acquisition and Triage Tool (US-LATT),” and it resides on a customized USB device that can start applications. US-LATT automatically captures and stores evidence from the computer of the suspect(s).
The tool is also:
- Used in conjunction with currently available and evolving technologies.
- Run with minimal specialized training, so first responders can use it.
- Almost entirely automated, without much need for investigator interaction.
- Adjustable to include other digital forensics tools such as "Trait Analytic Program Search" (TAPS).
The Cyberinvestigation Law Enforcement Wizard (CLEW) increases the capabilities of law enforcement to gather and analyze digital evidence. This application can be downloaded to a portable USB flash drive and uploaded to computers right at the crime scene. Its interface provides easy-to-follow steps for gathering digital evidence, because the tool's primary users are not computer experts. The tool also has triage capabilities to help law enforcement personnel determine the next step to take in the investigation, providing different options for collecting and analyzing digital evidence.
CLEW performs the following functions, among others:
- Executing live forensics at crime scenes prior to shutting down computers, and supporting onsite evidence collection.
- Assisting investigators in handling the most common e-mail, instant messaging and social networking issues.
- Capturing volatile data that normally might be lost after powering off the device.
- Easily uploading evidence so that data can be secured for subsequent, more detailed analysis.
- Creating a concise summary of the evidence, suggesting possible correlations.
- Analyzing online social networking information such as Facebook as well as virtual world online applications such as Second Life.
Answers Given During Courtroom Interrogation
Question: Under what instrument or authority were you able to search Mr. Didit's workspace?
We entered under the rule that “we have full rights to monitor our employees as we feel” and “seizure is legal under company policy which states that we may ask for equipment back from employees at any time.” The motivating factor in this case was that five contraband images had previously been found on the suspect’s laptop.
Question: Please explain to the court what is meant by a hash value and how it is used in digital forensics?
“Hash Value is the result of a calculation (hash algorithm) that can be performed on a string of text, electronic file, or entire hard-drive contents. The result is also referred to as a checksum, hash codes, or hashes. Hash values are used to identify and filter duplicate files (email, attachments, and loose files).
“Each hashing algorithm uses a specific number of bytes to store a “thumbprint” of the contents. Regardless of the amount of data fed into a specific hash algorithm or checksum, it will return the same number of characters. For example, an MD5 hash uses 32 characters for the thumbprint whether it’s a single character in a text file or an entire hard drive.” (http://pinpointlabs.com)
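As an added illustration (not part of this report or of any cited tool), the following Python applies the hash-value principle described in the answer above and the image-integrity step from the evidence-processing section: an MD5 digest is always 32 hex characters whatever the file size, files are matched against a reference hash set, byte-identical duplicates are filtered, and a forensic copy is accepted only if its digest equals the original's. All file contents and the "known" hash set are constructed placeholders, not NCMEC data.

```python
import hashlib
import tempfile
from pathlib import Path
CHUNK = 1 << 20  # read 1 MiB at a time so a full drive image never has to fit in memory

def file_hash(path, algorithm="md5"):
    """Hash a file's entire contents; digest length depends only on the algorithm, not the file size."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()

def match_known_hashes(paths, known_hashes, algorithm="md5"):
    """Return {path: digest} for files whose digest appears in a reference hash set (byte-exact matches only)."""
    return {p: digest for p in paths if (digest := file_hash(p, algorithm)) in known_hashes}

def group_duplicates(paths, algorithm="sha256"):
    """Group files by digest; a group with more than one path is a set of byte-identical duplicates."""
    groups = {}
    for p in paths:
        groups.setdefault(file_hash(p, algorithm), []).append(p)
    return {digest: ps for digest, ps in groups.items() if len(ps) > 1}

def image_matches_original(original, image, algorithm="sha256"):
    """Integrity check for a forensic copy: accept it only if its digest equals the original's."""
    return file_hash(original, algorithm) == file_hash(image, algorithm)

def demo():
    """Run the three checks on constructed sample files (placeholders, not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "img1.jpg").write_bytes(b"constructed sample image 1")
        (d / "img1_copy.jpg").write_bytes(b"constructed sample image 1")  # byte-identical duplicate
        (d / "img2.jpg").write_bytes(b"constructed sample image 2")
        (d / "img3.jpg").write_bytes(b"constructed sample image 1 ")  # one extra byte: different hash, no match
        (d / "drive.dd").write_bytes(bytes(range(256)) * 4096)  # 1 MiB stand-in for a drive image
        (d / "drive_copy.dd").write_bytes(bytes(range(256)) * 4096)
        known = {file_hash(d / "img2.jpg")}  # constructed stand-in for a reference set such as NCMEC's
        paths = sorted(d.glob("img*.jpg"))
        return {
            "md5_len_small": len(file_hash(d / "img1.jpg")),
            "md5_len_large": len(file_hash(d / "drive.dd")),
            "matches": sorted(p.name for p in match_known_hashes(paths, known)),
            "dupes": [sorted(p.name for p in g) for g in group_duplicates(paths).values()],
            "image_ok": image_matches_original(d / "drive.dd", d / "drive_copy.dd"),
        }

if __name__ == "__main__":
    print(demo())
```

Note that img3.jpg, which differs from img1.jpg by a single trailing byte, matches nothing: hash-set matching identifies only byte-identical files, so a resized or re-encoded copy needs a different technique.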
Question: “How do we know you were not just a "police hack" in this case, choosing to report only what would help law enforcement and your company's bottom-line in this case?”
I have great professional integrity, while I may have personal opinions of my own as well. I am dedicated to doing my job correctly and fairly and without bias, and I would never sway evidence in one direction or the other. I look at the evidence and the evidence alone. I have 35 years in this business and no one has ever reported that I have returned biased reports. To do so would be illegal, and outside of the parameters of my own personal values.
References
Cameron, S. (2011, August). Digital Evidence. FBI Law Enforcement Bulletin.
National Institute of Justice. (2010, November 5). Digital Evidence Analysis; Data Carving and Search String Tools. Retrieved on 12/12/2014 from: http://www.nij.gov/topics/forensics/evidence/digital/investigative-tools/pages/data-loss.aspx
National Institute of Justice. (2010, November 5). Digital Evidence Investigative Tools: Analyzing Live Memory. Retrieved on 12/12/2014 from: http://www.nij.gov/topics/forensics/evidence/digital/investigative-tools/pages/memory.aspx
National Institute of Justice. (2010, November 5). Digital Forensic Investigative Tools: Enhancing “At-the-Scene” Digital Analysis Capabilities of First Responders. Retrieved on 12/12/2014 from: http://www.nij.gov/topics/forensics/evidence/digital/investigative-tools/pages/crime-scene.aspx
Pinpoint Labs. (Created 2010, December). What Is a Hash Value? Retrieved on 12/12/2014 from: http://pinpointlabs.com/2010/12/what-is-a-hash-value/