Making Sense of Complex Digital Evidence
We learned from this past week’s Cyber Risk Report that inane Facebook status updates may in fact have value after all. Rodney Bradford mildly teased his pregnant girlfriend in front of his friends on the social networking site: “On the phone with this fat chick… where my IHOP.” If there was any chance that his “fat chick” was going to be upset about being left out of Rodney’s trip to get some pancakes, or even for being called “fat chick”, I’m betting she’ll give him a pass on this one.
Using this Facebook posting to corroborate an alibi, Rodney’s attorneys were able to convince the district attorney’s office to dismiss an armed robbery case against Bradford. Based on timestamp evidence provided by Facebook, and further alibis provided by Bradford’s family, the DA’s office was certain that Rodney could not have gotten from Harlem to Brooklyn in time to commit the robbery that took place one minutes after he made his now-famous posting.
In the Cyber Risk Report, we touched on the importance of digital forensics to the investigative process. Once incriminating or exonerating evidence is found, anything from child pornography to a “Facebook alibi”, it is necessary to be able to support the claims using the proper tools and techniques. If an organization does not have such capabilities available internally, they should have an external resource identified within their incident response plans if they feel outsourcing the task fits their risk tolerance.
Social networking provides a new facet to digital investigation because so much of what is communicated now includes metadata of human action. Where is an employee? What has just happened? Who is in the vicinity? Who is in a picture, video, or sound file that was posted (including the owner of the device)? Was an update posted from a computer, or from a phone? And if a phone is involved, does the organization own the phone / service plan, or does the employee?
Cybercriminals have also been rapidly advancing their capabilities, techniques, operations, and anti-forensic capabilities. How will your organization respond if it has an employee collecting illegal material on company computers? Does your company now own that illegal content? Can you validate a claim that it was downloaded by a virus? Can you determine if that virus was placed by an outsider who is remotely hosting or sharing this content? Can you determine if the virus was placed by the computer’s primary user in addition to the user downloading the same content, in order to disguise their own illegal activity?
This may also mean that the value that forensic services pose to an organization may have changed. Because digital footprints made by all kinds of actions are larger, it may be more cost effective than before for organizations to build and maintain their own internal teams, or to hire external teams. People microblog about activities, carry phones everywhere (which may record nearby wifi hotspots, etc.), use electronic payments more than cash, and do much more on their computers than ever before. What was not worth investing in previously may be more enticing to pay for today. How does digital forensics play a role for your company?