SANS Digital Forensics and Incident Response Blog

How to Preserve Cyber Investigation Evidence | Screencast Tool

Witness Signature

Commonly, a cyber investigation examines how a digital resource — like an app, a hyperlink or a web search box — works. For example, the investigator observes that when the mouse clicks hyperlink X, the browser goes to a web page containing content Y.

As an investigator observes how a resource works, he wants to record what he sees and hears. He wants the recording so he can establish to someone such as a court what the resource did at the time of the investigation. Without a recording, valuable evidence can disappear. A web page or a Facebook wall, for instance, may display one thing now and something different five minutes later.

How can an investigator preserve a competent recording of what he sees and hears?

The following video demonstrates a way to record how digital resources looked and performed at a particular time. It makes a screencast record of what emerges from the investigator's browser as he invokes digital resources like hyperlinks. It further demonstrates how to authenticate that record as the verifiable, legally-signed work and testimony of the investigator.

The video yokes together two simultaneous video records: (a) a screencast of what appeared through the investigator's browser as he clicked and typed, and (b) a webcam image of the investigator observing and talking in realtime as the screencast was captured. The split-screen video product makes for compelling, easy-to-understand evidence. It virtually constitutes a legal affidavit by the investigator.

To capture these two records into a single movie, I used software called BB Flashback.

Content of Investigator Report

Notice details about the demonstration movie. The movie depicts the investigator (John Smith) reading prepared remarks (i.e., his testimony as a witness) on camera, as he looks at written notes off to his right. This seems odd because he is not looking into the camera the way Hollywood teaches us to look into a camera. But this is not Hollywood. This is legal evidence. The investigator is reading and recording his testimony.

Notice that the investigator looks to his left briefly to confirm time on a clock before he speaks the time.

I have previously blogged on how to write a forensics investigation report, where I suggested contents for such a report. In the demo above, the investigator incorporated many of those contents (such as the words "confidential, attorney-client communication and attorney work-product") directly into the spoken words of the movie.

No Digital Signature

Notice that the demo movie achieves its status as a verifiable, authenticated, legally-signed digital record without relying on additional, future performance by the investigator himself.

What do I mean by "without relying on additional, future performance by the investigator himself?" I am alluding to an existing conventional practice in computer investigations. After an investigator captures a record as a file, under conventional practice she applies her "digital signature" to authenticate the file as evidence she has secured.

In the demonstration above, I did not use a digital signature because a digital signature can be problematic, as I explain here:

In classic implementations, a digital signature relies on public key infrastructure (PKI). A digital signature involves the investigator holding, using and protecting a private key.

Verification of a digital signature after it is created depends on many things, such as proof that the investigator did possess the private key, did have the relevant training for use and protection of the private key, did have the considerable resources needed to protect the private key, and did in fact protect it. In practice, all of this proof often requires a substantial and expensive infrastructure, which typically includes extensive records and a certification authority. This infrastructure raises numerous problems, such as:

1. The infrastructure can be corrupted.

2. The certification authority can make mistakes.

3. The certification authority can go out of business before its work is done (i.e., the certification authority can go bankrupt and stop supporting verification of the investigator's report before that report is used and verified in court).

Additionally, a digital signature depends on sustained work and cooperation by the investigator after the signature is applied to the investigation report. For the digital signature scheme to work, the investigator must continue to support the security of her private key. That requirement for continued support is risky.

For example, suppose the investigator works for XYZ Corp. at the time she creates the investigative record and signs it with a digital signature using her private key. Then suppose XYZ Corp. fires her for unrelated reasons. The investigator may be angry at XYZ. She may stop protecting her private key and/or corrupt the historical records related to her key and its protection. She may refuse to provide any cooperation or testimony on behalf of XYZ when needed at a future lawsuit or arbitration hearing. If she is really ticked off, she might compromise the security of her private key by publishing it on leaflets she distributes in Times Square.

(Granted, there are ways to mitigate some of these risks, but they themselves are expensive and entail their own risks.)

Webcam Legal Signature

So . . . instead of a digital signature, the demonstration movie above employs a webcam signature. I have previously blogged about webcam legal signatures. A webcam signature captures realtime testimony by a signer and links it to some evidence. In the demonstration above, the evidence to which the webcam signature is linked is all the activity in the entire demo movie (activities in web browser, vocal observations by investigator, facial expressions by investigator and so on).

A webcam signature captures visually and aurally persuasive evidence of authentication. In the demo above, it records the human investigator vocalizing his intent through the unambiguous words "I hereby sign and affirm this recording . . ." A jury will know what the investigator meant when it sees those words emerge from his lips.

Contrast a digital signature; it does not articulate words. It does not explicitly express the intent of a human (the investigator). A digital signature is just cold, machine evidence that a certain key was used in the execution of a certain algorithm. A jury could have a hard time understanding the meaning of a digital signature.

E-mail for Integrity

A good webcam signature could benefit from a bit of extra security that is not apparent in the movie above. When I created that movie, the extra security I had in mind was that the investigator would send the whole movie record as an attachment to email addressed to multiple people. Those addressees would include (but not necessarily be limited to) the investigator himself, the investigator's boss and the attorney (Bill Williams) who is advising the investigation. In that way, multiple copies of the movie would be created and spread around.

A webcam signature, supported by the records, controls, passwords and reliability typically found in email, makes for a record of authentication whose integrity is reasonably well assured.

Furthermore, a webcam signature is complete as soon as it is emailed. A good webcam signature involves the signer (the investigator) stating on camera a date and time that match up with the timestamp on the email. In typical email systems, that timestamp, supported by all logs and audit trails related to it, is well outside the control of the multiple parties to which the email is addressed. They can't change or manipulate the timestamp.

[In the movie above I did not demonstrate how to email the investigator's record, though I could have. The BB Flashback software has a command for the user to email the final movie record as an attachment through Outlook. I published the movie on YouTube so it would be easy to link in this blog.]
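As an added example, not code from the post or from BB Flashback: the two checks that the e-mail step hands a later reviewer, namely that every addressee's copy carries the same attachment and that the mail's Date header agrees, within a tolerance, with the time the investigator spoke on camera. The addresses, the attachment bytes and the times are constructed placeholders, and Python's standard email module stands in for the mail system.

```python
import hashlib
from datetime import datetime, timedelta, timezone
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default
from email.utils import format_datetime, parsedate_to_datetime

# Constructed placeholder addressees: the investigator, the boss and the advising attorney.
RECIPIENTS = ["investigator@example.com", "boss@example.com", "bill.williams@example.com"]


def build_evidence_email(movie: bytes, sent_at: datetime) -> bytes:
    """Constructed stand-in for the mail the investigator sends; returns raw RFC 5322 bytes."""
    msg = EmailMessage()
    msg["From"] = RECIPIENTS[0]
    msg["To"] = ", ".join(RECIPIENTS)
    msg["Subject"] = "Investigation recording"
    msg["Date"] = format_datetime(sent_at)  # the timestamp the post relies on
    msg.set_content("Screencast plus webcam recording attached.")
    msg.add_attachment(movie, maintype="video", subtype="mp4", filename="recording.mp4")
    return msg.as_bytes()


def attachment_digest(raw_email: bytes) -> str:
    """SHA-256 of the first attachment in a received copy (each addressee can recompute it)."""
    msg = message_from_bytes(raw_email, policy=default)
    for part in msg.iter_attachments():
        return hashlib.sha256(part.get_payload(decode=True)).hexdigest()
    raise ValueError("no attachment in message")


def verify_copies(copies, spoken_time: datetime, tolerance=timedelta(minutes=15)) -> dict:
    """(1) Every addressee's copy must carry an identical attachment.
    (2) Each copy's Date header must agree with the time spoken on camera.
    Times are compared as UTC instants, so a clock set to the wrong zone shows up as skew."""
    digests = {attachment_digest(c) for c in copies}
    sent = [parsedate_to_datetime(message_from_bytes(c, policy=default)["Date"]) for c in copies]
    spoken_utc = spoken_time.astimezone(timezone.utc)
    skew = max(abs(t.astimezone(timezone.utc) - spoken_utc) for t in sent)
    return {
        "same_attachment": len(digests) == 1,
        "digest": digests.pop() if len(digests) == 1 else None,
        "max_skew": skew,
        "time_consistent": skew <= tolerance,
    }


def demo() -> tuple:
    central = timezone(timedelta(hours=-6))
    movie = b"constructed fake recording bytes " * 64  # stands in for the .mp4
    spoken = datetime(2011, 1, 28, 11, 13, tzinfo=central)  # constructed time stated on camera
    raw = build_evidence_email(movie, spoken + timedelta(minutes=4))
    good = verify_copies([raw] * len(RECIPIENTS), spoken)
    # One addressee's copy carries a different attachment: the copies no longer agree.
    altered = build_evidence_email(movie + b"X", spoken + timedelta(minutes=4))
    tampered = verify_copies([raw, raw, altered], spoken)
    # Spoken time two hours off the mail clock (wrong zone): the header no longer backs it.
    wrong_clock = verify_copies([raw], spoken - timedelta(hours=2))
    return good, tampered, wrong_clock
```

Calling `demo()` returns the three verification results; on real copies you would pass the raw `.eml` bytes each addressee saved and the date and time transcribed from the recording.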

Hence, the webcam signature creates a trustworthy record that does not rely on future performance by a certification authority or the investigator herself. The webcam signature is direct, recorded video/audio testimony by the investigator.

Thus, the movie record becomes a reliable, freestanding asset belonging to and fully exploitable by the investigator's employer. The final record is roughly equivalent to an old-fashioned affidavit written on paper and signed in ink by the investigator. In other words, the webcam signature secures the testimony of an expert witness so that the testimony is available in the future, regardless of whether the witness is available or cooperative.

Despite what I just said above about the webcam signature, the investigator could still sign the file of her movie report with a digital signature if she wanted to.

What Do You Think?

I believe what I have demonstrated here is novel, practical and kinda pioneering. But I don't know everything. I'd be honored to hear comments and criticism. What do you think, dear blog reader?

Benjamin Wright is a practicing member of the Texas Bar Association. Mr. Wright teaches the Legal 523 course (Law of Data Security and Investigations) at the SANS Institute.

This blog post presents ideas for general public discussion. Like all public statements by Mr. Wright, this post is not legal advice for any particular situation. There is no assurance of any particular legal outcome in any particular case. If the reader needs legal advice, the reader should consult the reader's own lawyer. This blog post is not part of an attorney-client relationship between Mr. Wright and the reader.

15 Comments

Posted January 30, 2011 at 2:28 AM

Craig S Wright

The process of imaging users is fine. However, you also want to ensure you capture network traffic.
If you also incorporate a part of the solution that captures and signs the traffic to/from the host so as to see what the process embedded into the system was doing at each phase, you would have a much better offering.
Not a big change, just grab and capture the network traffic and associated this with the session.
Regards,
Craig Wright, GSE/M/C

Posted January 30, 2011 at 4:07 PM

Benjamin Wright

In reference to the post above, a colleague asked me: >>how many times does the other side challenge the way the evidence was collected?

Posted January 30, 2011 at 5:24 PM

Benjamin Wright

Craig Wright: Capturing network traffic is a good idea. —Ben

Posted January 31, 2011 at 7:44 PM

Benjamin Wright

Following are the comments by Giovanni Masucci, 132-CI, MPSC, CCITP, CCPE, CLWE, President/CEO, Sr. Digital Forensic Examiner, National Digital Forensics, Inc. He gave me permission to quote his comments here:
[begin quote] I read your blog and watched your video and could truly see the scenarios where this type of application recording the Digital Forensic Investigator and validating his/her investigation would be beneficial among affirming he/she actually did what they would have said as if in an Affidavit or Testifying in Court. Yes agree the jury would see an actual person rather than a piece of paper or an Expert Testifying on how he/she went about the investigation to find the evidence. And of course this would also show the methodology and the forensic tool utilized. I would mention the forensic tool the Forensic Investigator is utilizing, version, serial number and any Forensic Workstation identifiers. Having this process as another avenue for testifying and validating is definitely viable.
However it may not be applicable in all scenarios to video tape the Forensic Examiner/Investigator but I could definitely see applications for this especially with Acquiring on-line data for a case or when performing Cell Phone/Smart Phone Forensic Examines in the Lab and of course depending on the type of case. To wrap this all in besides the actual investigator being seen and explaining as he goes along is a good licensed forensic software tool that records all data, IP Address, hashes each webpage and more. Currently I utilize Webcase by Verasoft which records my voice, web-site information, my connection from the Forensic Workstation, records and documents, creates MD5 and SHA hashes among many other great processes, and then places all data in an easy to use Report for the Client review. I do think this is one more validation that may be vital in cases along with the validation and verification of Digital Forensic Tools being utilized and the process by a Digital Forensic Investigator/Examiner follows.
You're definitely on the right track Ben and on to something big! Keep up the great work! [end quote]

Posted February 2, 2011 at 4:39 AM

Jamal Bandukwala

Ben:
Very interesting post. I think a webcam legal signature that shows what the investigator is doing is a brilliant idea. Do you see a webcam signature as something to complement an incident handler's notes, or if the process to put a webcam signature is well documented, something that can replace the notes altogether?
Do you think the opposition may challenge a webcam legal signature as being too novel and untested/ untried technology? Additionally could the opposition challenge the investigator's system (ie accuracy of date and time), on the video?

Posted February 2, 2011 at 1:53 PM

Benjamin Wright

Jamal asked: >>Do you see a webcam signature as something to complement an incident handler's notes, or if the process to put a webcam signature is well documented, something that can replace the notes altogether? Do you think the opposition may challenge a webcam legal signature as being too novel and untested/ untried technology? Additionally could the opposition challenge the investigator's system (ie accuracy of date and time), on the video?

Posted February 2, 2011 at 4:06 PM

Benjamin Wright

Some of my replies to Jamal's questions got lost in the comment above. So here are my answers to Jamal's first questions:
I think the webcam video can either complement the incident handler's notes or replace the notes entirely. The best use of the webcam depends on the situation. One possibility is that the investigator keeps voluminous notes, but then captures the most critical stuff in an easy-to-view split-screen movie as demonstrated in the post above.
Jamal asked about opposition challenges to the webcam legal signature as "too novel and untested/ untried": My reply is that in some cases, the opposition will challenge absolutely everything that a forensic investigator does. All computer forensic tools (including well-known things like digital signatures, MD5 hashes, network analysis programs, etc.) are relatively new in the law. All forensic tools are potentially subject to challenge.
One of the advantages to webcam evidence is that it naturally appeals to human sensibilities. Judges and jurors naturally understand what is going on when they see a video of an investigator talking and recording his work in realtime.
—Ben
[This is not legal advice for the reader.]

Posted February 2, 2011 at 7:31 PM

Benjamin Wright

Comments on the post above published by attorney Sharon D. Nelson: http://ridethelightning.senseient.com/2011/02/screencast-tool-to-preserve-cyber-investigation-evidence.html

Posted March 8, 2011 at 6:47 PM

Brian

Excellent post — I was wondering if it may prove beneficial, at least if connected to the net, to have a separate web browser tab/window pointing to http://www.time.gov. One could display it (the actual time) when prudent, perhaps at the beginning of the investigation/webcast and at the end — or throughout.
Thanks for the thought provoking work,
Brian Wilson, EnCE, CCE
High Tech Crime Unit / Louisiana Dept of Justice

Posted March 10, 2011 at 2:14 PM

Benjamin Wright

Brian: I like the idea of capturing data from time.gov. Consistent with that idea, let me state a general principle: The more accurate and relevant data that the investigator puts into the video report, the better. Accurate, relevant information like data from time.gov contributes to the overall credibility of the report and helps to refute any allegation that the report was forged, corrupted or mistaken. —Ben

Posted April 12, 2011 at 3:16 AM

Calvin

The idea of a webcam signature isn't all that new. I know prenuptial agreements (especially involving people of high net worth) are often recorded to show the signees aren't under duress and that they explicitly agreed to something (as opposed to a lawyer shoving a bunch of papers and having them sign it).
So I don't think a webcam signature can hurt but wouldn't a simple affidavit of an investigator agreeing to the integrity and truthfulness of a video playback accomplish the same thing?

Posted April 12, 2011 at 6:52 PM

Benjamin Wright

Calvin: The thing that makes the webcam signature novel is that the signing/execution/affirmation occurs all in the video itself. That's different from the typical video of the execution of a pre-nuptial agreement, where the signature is an autograph written in ink on paper and the video simply records images of the signer (her body, her arm, her hand) as she grasps the pen and uses it to write her autograph onto the paper. See http://masscases.com/cases/sjc/436/436mass18.html
Calvin asked: "wouldn't a simple affidavit of an investigator agreeing to the integrity and truthfulness of a video playback accomplish the same thing?" Yes it would accomplish the same thing, but then you would have two separate records that have to be linked together. If the affidavit is on paper, then you need a record system (which may need to be in place for years) that shows the link between the paper and the video.
The split-screen video I discuss above is more neat and compact, in that it unites all of the evidence into a single, persuasive unit. —Ben

Posted April 18, 2011 at 1:33 PM

Benjamin Wright

To close off an allegation that the investigator's report was mistaken, corrupted or incompetent, multiple video reports, recording the same web activities, could be made by different investigators, operating with different equipment from different locations. —Ben

Posted January 22, 2013 at 3:32 PM

Joyce

Did he purposely record the time in central time rather than the time shown in the screencast on his computer? He recorded the time as 11:13 or so and the screencast showed 9:13.

Posted January 25, 2013 at 7:12 PM

Benjamin Wright

@Joyce: You ask a good question. Thank you for paying close attention! It has now been two years since I created the video. I do not remember why there was a difference between the time shown on the video and the time stated by my voice. (It probably had something to do with the computer I was using. If I recall correctly, I was using my son's laptop because it had a better webcam. My son is not known for being precise with things like the clock on his laptop :-) Obviously, an investigator would like to align date and time reasonably closely.
However, in many investigations, the precise hour and minute . . . or even day . . . of recording may not be very important. What is more important is month and year.
Important investigations often take years to play out. Very often, the allegation will be that the video was doctored or fabricated many months after the claimed date.
The fact that the time stated by voice is off by a mere two hours will often be immaterial.
I have recently published more on how to corroborate date/time of recordings like the one discussed above. http://hack-igations.blogspot.com/2012/12/corroborate-record.html I would love to hear comments!
—Ben Wright
SANS Instructor: Law of Data Security and Investigations