MOBILE DEVICE FORENSICS 101: A GENERAL OVERVIEW OF SMARTPHONE INVESTIGATIONS

Transcription

1 MOBILE DEVICE FORENSICS 101: A GENERAL OVERVIEW OF SMARTPHONE INVESTIGATIONS Course Description, Objectives, Agenda and Presenters Mobile Device Forensics is the extraction, processing and analysis of information stored on smartphones and tablet devices. Understanding this process, its uses and limitations is essential for attorneys in counseling their clients on discovery issues. This course has been approved for Minimum Continuing Legal Education Credit by the State Bar of Texas Committee on MCLE in the amount of 1.5 credit hours.

2 MOBILE DEVICE FORENSICS 101, GENERAL OVERVIEW OF SMARTPHONE INVESTIGATIONS COURSE DESCRIPTION: Mobile devices have become key in communication on both a personal and business level. Often, there is no separation between business and personal with the two melding together onto one source of key communication the mobile device. Recent political scandals often involve a digital component which includes s, text messages, images and social media (i.e. Facebook, Instagram and Twitter, etc.) High profile criminal cases often use computer and mobile device forensics to look for everything from pictures, images and s to Google search terms. All communication in the modern world takes place on computers and mobile devices (smartphones and tablets). This communication leaves a trail of digital data that can contain discoverable information. The ability to extract the data and analyze it in a forensically sound manner is crucial in both civil and criminal cases. Mobile device forensics focuses specifically on smartphones and tablet devices. While these devices are similar to their laptop and pc counterparts, there are distinct differences in their operating systems that require expertise specific to those devices. Mobile devices have emerged as key sources of data in cases such as: Family Law Contentious Divorce, Child Custody Employment Law Non Compete Enforcement Intellectual Property Law Theft of Intellectual Property, Trademark Disputes Bankruptcy Law Fraud and Hidden Assets Criminal Law Embezzlement and Fraud COURSE OBJECTIVE: This course provides a general overview of the mobile device forensics process to help attorneys counsel their clients on relative discovery issues. At course completion, attorneys should have a basic understanding of the types of data that can be extracted and analyzed, methods for obtaining data, typical smartphone operating systems and the limitations on data recovery specific to those operating systems. AGENDA (90 MINUTE PRESENTATION) 1.5 HOURS CLE CREDIT General overview of computer and mobile device forensics The forensic imaging process What types of mobile devices can be analyzed What types of data can be extracted and analyzed Issues and problems with the extraction of data in a fluid technology landscape Question and answer session 1 P age

3 PRESENTERS: BRETT DEARMAN, COMPUTER FORENSICS EXAMINER Brett Dearman has performed or participated in over 200 internal investigations of varying complexity from 2002 to present in the role of digital forensics examiner. These include alleged corporate espionage, theft of intellectual property, illegal trading practices, possession and distribution of pornography, and Human Resources related issues. Many of the collections were performed after normal working hours or by covert action. Mr. Dearman performed or assisted with numerous e-discovery initiatives including probable cause for reasonable termination. This includes the preliminary examination of personal computers and/or network servers as part of e- discovery. In the course of these investigations, interaction with attorneys, federal agents and law enforcement officers was common. Case Highlights: Mr. Dearman participated in the role of digital forensic examiner during a Department of Justice investigation regarding illegal natural gas trading practices. Mr. Dearman worked with lead investigation coordinator on direction of the investigation based on relevant evidence as it was discovered. Due to the nature of the employee s work as a commodities trader, the collection of evidence had to be done covertly. The employee took measures to obfuscate activities; however after an exhaustive examination of the collected evidence, a number of key files were recovered from unallocated disk space (deleted files), AOL Instant Messenger conversations and s. Evidence provided lead to a number of indictments and ultimately, one conviction. (UNITED STATES OF AMERICA v. MICHELLE M. VALENCIA (False Reporting; 7 U.S.C. 13(a)(2) and Wire Fraud; 18 U.S.C. 1343). Mr. Dearman worked with investigators on the matter involving the Securities and Exchange Commission and three Dynegy executives accused of securities fraud. The investigation started with a limited scope, but soon grew to include the collection and examination of a significant number of employee computers. The preponderance of evidence came from a plethora of spreadsheets and other documents, all of which were turned over to investigators. The three executives were then charged and later convicted. (SECURITIES AND EXCHANGE COMMISSION v. GENE S. FOSTER, JAMIE OLIS, HELEN C. SHARKEY) Mr. Dearman performed initial investigation and evidence collection on alleged child pornography case. Over 5,000 graphic images were discovered during a routine digital forensic examination of a personal computer. Once files were identified as child pornography, the FBI was contacted as required by law. Because there was no evidence that the individual was selling or otherwise trafficking in child pornography, the case was turned over to the local police department. Evidence collected was then turned over to the local authority where an arrest was made and charges were filed for the possession of child pornography. 2 P age

4 Mr. Dearman performed initial investigation regarding an employee sending proprietary source code to their personal offline storage account from his workstation. Once the activity was detected, it was documented and presented to the corporate security investigator who approved a deeper examination. At that time, it was discovered the employee being investigated had in fact transferred nearly 500 megabytes of source code and in one case, a text file containing the login ID and password of a bank account file transfer site belonging to the company. Mr. Dearman assisted corporate security investigator with the interview of the employee. The results of the interview were reviewed, resulting in the employee s termination. Mr. Dearman performed initial investigation of a potential network intrusion and attempted theft of intellectual property. Mr. Dearman assisted with the digital forensics exam of the laptop suspected of being the source of the activity. It was determined the employee s laptop had inadvertently been infected with a Trojan Horse during a recent visit to a construction site in mainland China. The Trojan allowed Chinese hackers to access the laptop remotely and ultimately, the entire enterprise network. They had been in the process of uploading a number of proprietary engineering drawings when the intrusion was discovered. Evidence gathered by examination exonerated the employee or any wrongdoing while allowing investigators to pursue the hackers. Mr. Dearman created Dynegy s digital forensics lab in 2002 in response to investigations being conducted by the Department of Justice as well as a number of pending civil suits. With the assistance of former FBI and law enforcement officers, he developed the processes and procedures for digital forensic examination including proper evidence collection, processing and storage, chain of custody documentation, examination and reporting. During this process, he was trained on the forensics examination system EnCase (Guidance Software, Inc.) and ultimately obtained their Encase Certified Examiner certification. Certifications: CNE (x2) Certified Netware Engineer COE Certified OS/2 Engineer COLE Certified OS/2 LANServer Engineer MCP Microsoft Certified Professional MCP+I Microsoft Certified Professional + Internet MCSE Microsoft Certified Systems Engineer CMA Certified Metaframe Administrator (Citrix, Inc.) EnCE (x2) Encase Certified Examiner (Guidance Software, Inc.) CISSP Certified Information Systems Security Professional (International Security Certification Consortium) CPE Certified PGP engineer (PGP Encryption) ACE AccessData Certified Examiner - Forensic Toolkit (AccessData, Inc.) 3 P age

5 DANIEL WEISS, MANAGING PARTNER Mr. Weiss began his career in the security industry while in graduate school at Northeastern University, where he worked at a maximum security prison in Massachusetts, Walpole State Prison. Mr. Weiss left the public sector and entered the private security sector. During the past 15 years, Mr. Weiss has held managerial positions at Wells Fargo and Chubb. Mr. Weiss was also founder and CEO of EPS Security and Infrastruct Security. Mr. Weiss is the founding Texas partner of McCann Investigations, LLC, a Texas Corporation. Mr. Weiss has been interviewed as a subject matter expert on security by ABC, NBC, CBS, Security Director News, SDM, and Security System News. In addition Mr. Weiss has been featured in the Houston Chronicle and Houston Business Journal. Mr. Weiss brings extensive experience as a security professional in the area of private investigation, computer forensics, loss prevention, electronic security system design, and surveillance. As an industry entrepreneur, Mr. Weiss brings his wealth of knowledge in business with extensive experience in due diligence, private equity and venture capital, and financial controls. Mr. Weiss background supports the unique balance between business and former law enforcement that is a unique hallmark of McCann Investigations. For over 15 years, Mr. Weiss has held a qualified managers license in State of Texas. Mr. Weiss has been directly responsible for hundreds of security assessments for Fortune 1000 companies and government agencies. In addition, Mr. Weiss has had the pleasure of providing investigative services for scores of middle market commercial, industrial and direct to executives. In addition, Mr. Weiss has been utilized as an expert by law firms involving complex civil and criminal matters. During his career in the public and private sector Mr. Weiss has been personally instrumental in: Case Highlights : For the Plaintiff: Peak Completions Mr. Weiss was the lead investigator in a case which involved the theft of intellectual property and non-compete violations. The case involved two current employees in collusion with a former employee who were using Peak s plans and designs to build fracking equipment which was to be used to start a competing company. McCann Investigations facilitated a complex investigation that included computer forensic, mobile forensic, digital surveillance, traditional surveillance, and undercover investigations to gather evidence for Peak. o Peak Completions and Summit vs. Steve Jackson, Everest Completion Tools and Team Oil Tools, LP (pending in Midland, TX) o Peak Completions and Summit vs. Daniel Rojas, Kevin Kippola, Romer Bracho, et al. (pending in Houston, TX) For the Plaintiff: NTTA (North Texas Transit Authority) Mr. Weiss was the lead investigator in an embezzlement, fraud case, and data breach. NTTA discovered that files with customer information that included credit card billing information was being transferred to an unknown location. McCann Investigations first pass of the IT network indicated that the source was an 4 P age

6 individual in the accounting department. A more in depth investigation revealed that perpetrator was a senior member of the IT staff and was in fact the person who created a false digital trail leading to the accounting department. Mr. Weiss led McCann Investigators in a complex investigation that included computer forensic, and network vulnerability analysis for NTTA. o NTTA referred the case to Dallas County District Attorney For the Trustee: Tax Masters Mr. Weiss was lead investigator for the trustee overseeing the Estate of Tax Masters. The case involved the imaging of over 100 computers, servers, and laptops and the forensic wiping of over 800 electronic storage devices including desktops, printers, IP phones, servers, and other electronic devices. o The case in pending in the Southern District Bankruptcy Court For the Plaintiff: ESP Resources, Inc. - Mr. Weiss was the lead investigator in a case which involved the theft of intellectual property, non-compete violations, and product tampering. The case involved three employees in collusion who were using ESP s plans and designs to reverse engineer a competing chemical that was to be used to start a competing company. McCann Investigations facilitated a complex investigation that included computer forensic, mobile forensic and traditional surveillance to gather evidence for the plaintiff. o ESP Resources, Inc. vs Cottrell Over 500 site security assessments ranging from: o Financial Institutions o Jewelry and Precious Metals Vaults and Storage o High Profile Residences Including Former Government Officials o Petrochemical Facilities o Defense Sector Providers o Public/Private Critical Infrastructure: Dams, Nuclear Power Plants, and Pipelines Investigations: o Network Intrusion: Identification and forensic documentation of a network intrusion of a municipal government agency involving credit card and personal information being stolen. o Non-Compete Enforcement: Numerous cases of forensic documentation of downloaded customer data, conspiracy with current and former employees, and direct theft of company materials. o Intellectual Property Theft: Numerous cases of current and former employees and competitors stealing and damaging company intellectual and physical property. o Harassment and Cyber Stalking: Investigation and forensic documentation of inner company based harassment and attempt to cover up activity. o Digital Wiretapping: Numerous investigations of cyber wiretapping of servers, desktops, laptops and mobile devices conducted by unwanted parties. o Background Investigations: Provided executive background investigations for management teams for Private Equity and Venture Capital firms. 5 P age

7 Mr. Weiss also believes in the importance of law enforcement and the private sector working together. Examples of this commitment are found in various committees and associations that he currently serves: Crime Stoppers American Society for Industrial Security Energy Security Council Entrepreneur Organization (EO) 6 P age