Data Forensics Expert Witness: Facebook Exposes Personal Data!

Unfortunately, this is not the first time Facebook has been in the news for its poor handling of data. In July 2012, there was a similar breach where a private security consultant used a piece of code to gather information on over 100 million profiles. This was not seen as a hot-topic issue because the information gathered had not been secured by the users, and was therefore in the public domain. But it does bring up some interesting points which many users seem to forget when they surf or post to social media.

For any social media sites, you should follow these rules:

Rule #1: Do not post private information on the internet, regardless of security or visibility options. If you are not comfortable with sharing your location with 1.1 billion users, it is strongly recommended you avoid posting that information. Be wary of who might use your profile against you.

Rule #2: Try to keep separate social media profiles for work and for your personal life. LinkedIn and Facebook are perfect examples. LinkedIn, while useful for business, is not geared towards someone looking to keep in touch with friends and family. Facebook is useful for both business and personal use, but keep in mind that it is first and foremost a personal website.

Rule #3: Check your privacy settings. Facebook in recent years has really stepped up their game on how best to protect personal user data. One can now determine which posts and pictures can be seen by whom. You may decide you want your friends to see your new car, but do not necessarily want your jealous ex to know. This is done by simply changing the visibility setting on each post. It can also be done globally if you prefer.

Rule #4: The internet does not forget. Remember the ‘accidental’ drunken photo you posted online and thought you deleted? Odds are that somewhere out there remains a copy someone snagged before it was taken offline. This and other posts you might have created could be used against you in a malicious manner. Think before posting. In other words: ‘Never post anything you don’t want printed on the front page of the paper.’

An amusing case to end on. A Wisconsin man claimed he could not pay child support. Yet he posted several pictures on his Facebook page showing him with several hundred dollars in cash. Needless to say, he is likely re-examining how best to protect his data as the judge at his hearing was not amused. He probably takes the phrase “think before you post” a little more seriously now.

Home-Brewed Data Destruction

Law around the subject of electronically stored information (ESI) and computer forensics is ever-evolving. In a lawsuit, it’s treated just like paper documents. If you shred or burn the paper evidence, you’re in trouble – and if you’re caught deleting or wiping electronic evidence, you’re in the same boat.

But in some cases, it can be easier to get busted for destroying ESI, both because electrons have a way of proliferating as digital copies of files and pictures and documents, and because the process of destroying data usually leaves detectable digital traces.

Just yesterday, a fellow (I decline to call him a gentleman) called me up to ask if he could consult with me on an hourly basis about how to destroy data (evidence) on his computer for an upcoming potential divorce. I actually found myself offended and explained to him (trying to keep the disdain from my voice) that destroying evidence is the exact opposite of the service I offer.

We don’t wreck evidence – we find it.

I further suggested that he might want to look into the Federal Rules of Civil Procedure, Sections 26 & 34 and how they apply in his state. I told him that I am not an attorney (and so can’t advise him on law), but that if he went about destroying evidence, the judge in his case could sanction him in a way that could be devastating to his side of the lawsuit.

But I could be wrong. While there is generally a requirement under common law to preserve evidence, and while some judges will take unkindly to the destruction of any potentially relevant evidence, others have held to a deadline of 20 days after a complaint is filed, or not until the party is served with court papers. This guy hadn’t yet been served, although his interest in the destruction of data would lead a reasonable person to infer that there was something on that computer that would lead his wife to start the process!

In more than twenty years in the computer forensic business, we’ve found that people rarely manage to erase all traces of a file, or of their acts of destroying files. When a file is deleted, its contents remain sitting on the disk for someone with the proper tools and skill set to uncover; the data is not gone until it has been overwritten by something else. There are utilities designed to overwrite files in order to get rid of them completely, but references to the file often remain in an old directory, in the Master File Table, or in automated shadow-volume backups. The file-destroying software usually leaves tracks of its own use, and may even provide the forensic investigator with a log of its activities.

Even if the file is completely overwritten and its attendant directory entries, etc. are “sanitized,” many applications, such as MS Word, make AutoRecover backup copies while the user is typing away. These are deleted when the user closes the document, but as we have seen, what’s deleted is not gone. Such remnants can be valuable evidence.

So these kinds of activities are detectable and the intended target of data destruction may survive the efforts. Then of course, there is the question of ethics. Even if, in some jurisdictions, the destruction of data before certain other documents are filed is not prosecuted, the idea of destroying evidence and/or lying about it is reprehensible and is certainly unethical.

To misquote a famous sportswear company, just don’t do it.

Computer Forensics, Data Recovery and E-Discovery Differ

What’s the difference between data recovery, computer forensics and e-discovery?

All three fields deal with data, and specifically digital data. It’s all about electrons in the form of zeroes and ones. And it’s all about taking information that may be hard to find and presenting it in a readable fashion. But even though there is overlap, the skill sets require different tools, different specializations, different work environments, and different ways of looking at things.

Data recovery generally involves things that are broken – whether hardware or software. When a computer crashes and won’t start back up, when an external hard disk, thumb drive, or memory card becomes unreadable, then data recovery may be required. Frequently, a digital device that needs its data recovered will have electronic damage, physical damage, or a combination of the two. If such is the case, hardware repair will be a big part of the data recovery process. This may involve repairing the drive’s electronics, or even replacing the stack of read / write heads inside the sealed portion of the disk drive.

If the hardware is intact, the file or partition structure is likely to be damaged. Some data recovery tools will attempt to repair partition or file structure, while others look into the damaged file structure and attempt to pull files out. Partitions and directories may be rebuilt manually with a hex editor as well, but given the size of modern disk drives and the amount of data on them, this tends to be impractical.

By and large, data recovery is a kind of “macro” process. The end result tends to be a large population of data saved without as much attention to the individual files. Data recovery jobs are often individual disk drives or other digital media that have damaged hardware or software. There are no particular industry-wide accepted standards in data recovery.

Electronic discovery usually deals with hardware and software that is intact. Challenges in e-discovery include “de-duping.” A search may be conducted through a very large volume of existing or backed-up emails and documents.

Due to the nature of computers and of email, there are likely to be very many identical duplicates (“dupes”) of various documents and emails. E-discovery tools are designed to winnow down what might otherwise be an unmanageable torrent of data to a manageable size by indexing and removal of duplicates, also known as de-duping.

E-discovery often deals with large quantities of data from undamaged hardware, and procedures fall under the Federal Rules of Civil Procedure (“FRCP”).
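As an added illustration of the de-duping step described above (example code, not a tool from the author or any e-discovery product), the following fingerprints each document by a content hash after normalizing line endings, keeps one copy per fingerprint, and records every custodian and path that held a copy, since a defensible production must still show who had the document. The corpus, custodians and paths are constructed sample data.

```python
import hashlib

# Constructed sample corpus: (custodian, path, content). Three custodians hold the
# same email; one copy differs only in line endings (CRLF vs LF) as mail clients do.
SAMPLE_DOCS = [
    ("alice", "inbox/0001.eml", "From: bob@example.com\nSubject: Q3 forecast\n\nNumbers attached.\n"),
    ("bob",   "sent/0001.eml",  "From: bob@example.com\r\nSubject: Q3 forecast\r\n\r\nNumbers attached.\r\n"),
    ("carol", "inbox/0042.eml", "From: bob@example.com\nSubject: Q3 forecast\n\nNumbers attached.\n"),
    ("alice", "inbox/0002.eml", "From: dave@example.com\nSubject: lunch\n\nNoon?\n"),
]

def normalize(content: str) -> bytes:
    """Canonicalise line endings and trailing whitespace so that byte-level
    differences introduced in transit do not defeat duplicate detection."""
    lines = [ln.rstrip() for ln in content.replace("\r\n", "\n").split("\n")]
    return "\n".join(lines).encode("utf-8")

def fingerprint(content: str) -> str:
    """SHA-256 of the normalized content is the de-dupe key."""
    return hashlib.sha256(normalize(content)).hexdigest()

def dedupe(docs):
    """Return (unique_docs, families): one representative per fingerprint, plus a
    map fingerprint -> [(custodian, path), ...] of every copy that was seen."""
    families = {}
    unique = []
    for custodian, path, content in docs:
        key = fingerprint(content)
        if key not in families:
            families[key] = []
            unique.append((custodian, path, content))
        families[key].append((custodian, path))
    return unique, families

if __name__ == "__main__":
    unique, families = dedupe(SAMPLE_DOCS)
    print(f"{len(SAMPLE_DOCS)} documents -> {len(unique)} unique")
    for key, copies in families.items():
        print(key[:12], copies)
```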

Computer forensics has aspects of both e-discovery and data recovery.

In computer forensics, the forensic examiner (CFE) searches for and through both existing data and previously existing (deleted) data. Doing this kind of e-discovery, a forensics expert sometimes deals with damaged hardware, although this is relatively uncommon. Data recovery procedures may be brought into play to recover deleted files intact. But frequently the CFE must deal with purposeful attempts to hide or destroy data, which require skills outside those found in the data recovery industry.

When dealing with email, the CFE is often searching unallocated space for ambient data – data that no longer exists as a file readable to the user. This can include searching for specific words or phrases (“keyword searches”) or email addresses in unallocated space; dissecting Outlook data files to find deleted email; or looking into cache or log files, or even Internet history files, for remnants of data. And of course, it often includes a search through active files for the same data.

Practices are similar when looking for specific documents supportive of a case or charge. Keyword searches are performed both on active or visible documents and on ambient data. Keyword searches must be designed carefully: in one such case, Schlinger Foundation v. Blair Smith, the author uncovered more than one million keyword “hits” on two disk drives.
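To make the two points above concrete (deleted data persists until overwritten, and keyword searches must cover unallocated space as well as live files), here is an added example that is not the author's code or any forensic tool. It builds a constructed, block-based toy image in which one email has been "deleted" (its directory entry removed, its bytes left in place), then runs a keyword search over the entire image and labels each hit as allocated or unallocated. File names, contents and the block layout are all constructed.

```python
import re

BLOCK = 64  # constructed block size for the toy image

def build_image():
    """Construct a tiny raw image: a directory of live files plus leftover bytes."""
    image = bytearray(BLOCK * 8)
    directory = {}  # name -> (offset, length), only for files still listed
    files = {
        "memo.txt": b"Quarterly memo: headcount unchanged. Contact: cfo@example.com",
        "draft.eml": b"To: broker@example.com\nSubject: re: wire\n\nThe wire cleared yesterday.",
    }
    for i, (name, data) in enumerate(files.items()):
        off = (i + 1) * BLOCK
        image[off:off + len(data)] = data
        directory[name] = (off, len(data))
    # "Delete" draft.eml: the directory entry goes, but nothing has overwritten its bytes
    del directory["draft.eml"]
    return bytes(image), directory

def classify(directory, offset):
    """Name the live file covering an offset, or 'unallocated' (ambient data)."""
    for name, (off, length) in directory.items():
        if off <= offset < off + length:
            return f"allocated:{name}"
    return "unallocated"

def keyword_search(image, directory, keywords):
    """Case-insensitive search of the whole image, allocated and unallocated alike.
    Returns (keyword, byte offset, region) for every hit."""
    hits = []
    for kw in keywords:
        for m in re.finditer(re.escape(kw.encode()), image, flags=re.IGNORECASE):
            hits.append((kw, m.start(), classify(directory, m.start())))
    return hits

if __name__ == "__main__":
    img, live = build_image()
    for kw, off, region in keyword_search(img, live, ["headcount", "wire", "example.com"]):
        print(f"{kw!r} at offset {off} ({region})")
```

A search restricted to the live directory would never see the two "wire" hits; only a scan of the raw image does.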

Finally, the computer forensics expert is also often called upon to testify as an expert witness in deposition or in court. As a result, the CFE’s methods and procedures may be put under a microscope and the expert may be called upon to explain and defend his or her results and actions. A CFE who is also an expert witness may have to defend things said in court or in writings published elsewhere.

Most often, data recovery deals with one disk drive, or the data from one system. The data recovery house will have its own standards and procedures and works on reputation, not certification. Electronic discovery frequently deals with data from large numbers of systems, or from servers that may contain many user accounts. E-discovery methods are based on proven software and hardware combinations and are best planned for far in advance (although lack of pre-planning is very common). Computer forensics may deal with one or many systems or devices, may be fairly fluid in the scope of demands and requests made, often deals with missing data, and must be defensible – and defended – in court.