Forensics | Bach Seat

Tag Archive for Forensics

RB | April 8, 2010

Comments Off

Update Email Policy

A court case coming out of New Jersey could impact most firms’ privacy and security practices according to an article on DarkReading. The New Jersey Supreme Court recently ruled in Stengart v. Loving Care Agency, Inc., 408 N.J.Super. 54, 973 A.2d 390 (Superior Ct., A.D. 2009) that an employer can not read email messages sent via a third-party email service provider, even if the emails are accessed during work hours from a company PC.

The court found the company’s policy on email use to be vague, noting it allows “occasional personal use.” “The policy does not address personal accounts at all,” the decision said. “The policy does not warn employees that the contents of such emails are stored on a hard drive and can be forensically retrieved.”

The ruling written by Chief Justice Stuart Rabner in part states that the employee could, “reasonably expect that emails she exchanged with her attorney on her personal, password-protected, web-based email account, accessed on a company laptop, would remain private.” Rabner continues that the employee, “Plainly took steps to protect the privacy of those emails and shield them from her employer. She used a personal, password protected email account instead of her company email address and did not save the account’s password on her computer.”

The law firm of Jackson Lewis provides a legal overview of the case on their blog, The Workplace Privacy Data Management and Security Report recommends that employers consider modifying their existing electronic communication policies to include:

Clear notice that personal, web-based emails accessed using company networks and stored on company networks or company computers can be monitored and reviewed by the company (of course, care should be taken here to avoid concerns under the Electronic Communications Privacy Act and the Stored Communications Act);
Definitions of the specific technologies and devices to which the policies apply;
Warnings that web-based, personal e-mail can be stored on the hard drive of a computer and forensically accessed;
No ambiguities about personal use.

Rb-

I am no lawyer, be sure to consult your attorney about this and all legal issues, in my opinion, this ruling is new law-making. The new laws are applicable only in New Jersey for now. However, unless the U.S. Supreme Court overturns this new law it will be the starting point for all other ligation. Firms should begin reviewing and updating their technology policies to protect themselves from this new law.

An interpretation of the ruling suggests that employees have to be specifically warned that it is possible to forensically retrieve data from the firm’s computers. In this ruling, the Court found, “the Policy does not warn that the contents of personal, web-based e-mails are stored on a hard drive and can be forensically retrieved and read.”

Sounds like another shot in the arm for the content filtering firms.

Related articles

Your Email Is Not Private (On One Side of the Hudson) (dailykos.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2010, Computer, Electronic Communications Privacy Act, email, Forensics, Legal, Policy, SCOTUS, Security

RB | March 19, 2010

Comments Off

Keyboard Crud Fingers Suspects

Researchers have developed a new technique to identify individuals by the hand bacteria they leave behind on their personal computers keyboard and computer mice. Researchers at the University of Colorado (CU) at Boulder have shown that “personal” bacterial communities living on the fingers and palms of individual computer users that were deposited on keyboards and mice closely matched the bacterial DNA signatures of users.

The development of the technique is continuing, but it could offer a way for forensics experts to independently confirm the accuracy of DNA and fingerprint analyses, says CU-Boulder Assistant Professor Noah Fierer, chief author of the study. “Each one of us leaves a unique trail of bugs behind as we travel through our daily lives,” said Fierer, an assistant professor in CU-Boulder’s ecology and evolutionary biology department, ” … we think the technique could eventually become a valuable new item in the toolbox of forensic scientists.”

The team used gene-sequencing techniques to match bacteria DNA swabbed from individual keys on computers to bacteria on the fingertips of keyboard owners. Fierer said in the article that bacterial DNA from the keys matched much more closely to bacteria of keyboard owners than to bacterial samples taken from random fingertips and from other keyboards. In a second test, the team swabbed nine keyboard mice that had not been touched in more than 12 hours and collected palm bacteria from the mouse owners. The researchers were able to successfully match the owner’s palm bacteria and the owner’s mouse from a group of 270 randomly selected samples.

The study showed the new technique is about 70 to 90 percent accurate, a percentage that likely will rise as the technology becomes more sophisticated, said Fierer. The CU-Boulder team used a “metagenomic” survey to simultaneously analyze all the bacteria on the fingers, palms, and computer equipment, said co-author Rob Knight. The effort involved isolating and amplifying tiny bits of microbial DNA, then building complementary DNA strands with a high-powered sequencing machine that allowed the team to identify different families, genera, and species of bacteria from the sample.

Another reason the new technique may prove valuable to forensic experts is that unless there is blood, tissue, semen, or saliva on an object, it’s often difficult to obtain sufficient human DNA for forensic identification, said Fierer. But given the abundance of bacterial cells on the skin surface, it may be easier to recover bacterial DNA than human DNA from touched surfaces, they said. “Our technique could provide another independent line of evidence.”

Once further research is completed, Frier says the new technique may be useful for linking objects to users in cases where clear fingerprints cannot be obtained – from smudged surfaces, fabrics and highly textured materials, he said. The new technique would even be useful for identifying objects touched by identical twins since they share identical DNA but they have different bacterial communities on their hands.

The study was published March 15, 2010, in the Proceedings of the National Academy of Sciences. Co-authors included Christian Lauber and Nick Zhou of CU-Boulder’s Cooperative Institute for Research in Environmental Sciences, Daniel McDonald of CU-Boulder’s department of chemistry and biochemistry, Stanford University Postdoctoral Researcher Elizabeth Costello, and CU-Boulder chemistry and biochemistry Assistant Professor Rob Knight.

rb-

Fierer states that this new technique brings up bioethical issues to consider, including privacy. “While there are legal restrictions on the use of DNA and fingerprints, which are ‘personally identifying’, there currently are no restrictions on the use of human-associated bacteria to identify individuals,” he said. “This is an issue we think needs to be considered.”

It would be my recommendation that firms get ahead of this issue and review their employee privacy policies to deter the “expectation of privacy” until the courts decide if bacteria growing outside of an individual is eligible to be classified as “personally identifiable information” (PII).

Category: Uncategorized | Tags: 2010, Biometrics, Computer, DNA, Expectation of privacy, Forensics, Keyboard, PII, Security

RB | November 11, 2009

Comments Off

Microsoft Cop Tool Leaked

I recently wrote about Microsoft’s COFEE computer forensics tool here. Three weeks later, Yobie Benjamin at SFGate writes that Microsoft COFEE, “One of the most important tools in computer forensics and law enforcement,” was apparently uploaded to bit torrent site What.CD on November 09, 2009, and is now available on the Internet.

What.CD management issued a statement, “Suddenly, we were forced to take a real look at the program, its source, and the potential impact on the site and security of our users and staff… And when we did, we didn’t like what came of it. So, a decision was made. The torrent was removed (and it is not to be uploaded here again).”

DarkReading says that COFEE was so sought after in the computer underground that an enormous bounty of 1.6 terabytes of capacity was offered to the first one who would upload the software. Robert Graham on DarkReading explains that the version on COFEE om BitTorrent has only Microsoft tools, so I don’t know for certain what other tools it might run. Yet similar forensics toolkits all run the same sorts of programs. They run standard tools for grabbing the browser history (from Firefox and IE). The tools can run versions of “pwdump” to grab the password hashes for offline cracking. The browser cache can be captured by these types of tools. They look for recently changed files. They might scour the hard drive and take an MD5 hash of all the files. Similar tools look for unique device IDs, such as your MAC address or built-in hard drive ID.

Who took my COFEE

One of the worries is that now that the tool is public, criminals can now defend against it. This is nonsense according to Graham. Police forensics are already well-known, and criminals already know how to defend against them. Graham, concludes that tools like COFEE don’t do anything extra that is unknown or secret. What makes them dangerous (to criminals) is that law enforcement agents can run them without much training, in an automated fashion.

Category: Uncategorized | Tags: 2009, Computer, Forensics, Hack, Microsoft, MSFT, Security

RB | October 17, 2009

Comments Off

Microsoft Serves COFEE to Cops

According to an article on the Seattle Post Intelligencer website, Microsoft has teamed up with the National White Collar Crime Center (NW3C) to distribute a computer forensics tool to U.S. police for free.

The Computer Online Forensic Evidence Extractor (COFEE) makes it easy for any officer, not just digital forensics specialists, to record the current processes of a suspect’s computer. An officer can plug in a COFEE-formatted USB thumb drive, run COFEE, and download data that would have been lost if the computer were turned off for transit to the police station according to the article.

COFEE can be used to identify parts of a computer’s hard drive that a criminal might use for identity theft, online fraud, child pornography or other crimes. It can speed up the forensics process when a computer-crime specialist takes over the investigation. COFEE requires Windows XP for configuration and works best at downloading data from machines running XP or earlier. However, it does have some Windows Vista support. Microsoft plans to release a new version of COFEE next year that fully supports Vista and Windows 7, a spokesperson said.

“It’s a rather straightforward tool and it uses a lot of off-the-shelf technology already,” said Richard Boscovich, a senior attorney for Microsoft’s World Wide Internet Security Program. “That’s the beauty of the tool – that you don’t need that forensics expert at the scene.” Michael Merritt, assistant director of the U.S. Secret Service told an audience at Microsoft’s Digital Crime Consortium, “The difference now with technology is that many companies like yours house valuable information … And that now has become the target of many criminals.”

Boscovich said Microsoft is offering the tool for free because it helps police cut down on the larger problem of high-tech crime. Microsoft software, because of its ubiquity, is usually considered the most at-risk for digital attacks.

Category: Uncategorized | Tags: 2009, Forensics, Microsoft, Security

S	M	T	W	T	F	S
			1	2	3	4
5	6	7	8	9	10	11
12	13	14	15	16	17	18
19	20	21	22	23	24	25
26	27	28	29	30

Bach Seat

Tag Archive for Forensics

Update Email Policy

Keyboard Crud Fingers Suspects

Microsoft Cop Tool Leaked

Microsoft Serves COFEE to Cops

Meta