SANS Digital Forensics and Incident Response Blog

Cloud Investigation

Narrated Screencast Assures Investigator's Personal Accountability

The collection of cloud evidence vexes investigators, whether they be police, auditors or consumer watchdogs. As more and more social and commercial interactions occur in the Internet cloud, new methods are needed for proving what happened.

Traditional digital forensics emphasizes an investigator gaining access to data stored on a computer, such as in a hard drive, where records show what happened through the computer (web surfing, email writing). Yet our digital lives are becoming centered less in our computers and more in the cloud, where we mingle by way of numerous, increasingly mobile, disposable, interchangeable devices. An investigator may never get access to the relevant user or service provider device(s), even though he can witness a live online event by connecting to it through his own computer.

Online content is ephemeral. A Facebook Wall can show one thing now and something different a minute later. A chat session or an online game can transpire in a flash. Granted, an investigator can take a screenshot or make a log file of activity, but such a record can be sketchy.

A better record would capture a stream of all the text, images, motion and sounds in an online activity — what's known as a screencast.

Still, a record is like a rumor. It's worthless unless a credible witness can explain and vouch for it.

So I propose a recording that unites a screencast with compelling eyewitness testimony. It's a split-screen video record simultaneously showing what an investigator sees and his real-time narration of events. Let me demonstrate with this video posted on YouTube:

The video depicts an investigator memorializing what he sees in a live interaction with another party, in this case a thief hawking stolen product plans. It shows him explaining through his webcam as he chats, clicks and observes. He reads directly into his video report his identity, his purpose, and his authorization. At the end he takes responsibility by formally signing and vouching for his record, in a way that would appeal to a skeptical audience, such as a jury, a judge, a journalist or a panel of lawmakers.

The rich detail captured in the video facilitates later review of the investigator's work by a third party.

Compare Log File

In the video, the exchange with the thief occurs through Windows Live Messenger, which can produce an activity log such as the one shown here.

Live log

But notice the log misses much of the action. It shows no images or mouse movements. It completely ignores Scooter Montgomery's dramatic visual display of the stolen document.

Problem Investigations

Is a better way to record online investigations really needed? Have online investigations ever been discredited due to poor records? Yes.

In one series of cases, the Recording Industry Association of America hired MediaSentry to find copyright infringers sharing music on peer-to-peer networks. MediaSentry said it identified some infringers and produced logs and screenshots as evidence. But an expert criticized the credibility of MediaSentry's evidence in court, and a leading critic sounded authoritative when the Wall Street Journal quoted him calling MediaSentry's evidence collection "sloppy." RIAA terminated its relationship with MediaSentry.

In another case, the district attorney for Collin County, Texas, dropped charges against alleged pedophiles on account of weak evidence of online activity. Investigators for a public-interest group named Perverted Justice claimed to have engaged the suspects in incriminating chat sessions, but police lacked confidence in the trustworthiness of the logs Perverted Justice produced to show what happened in the sessions.

The split-screen video demonstrated above compiles a more complete and credible record.

I'd be honored to hear your comments.

—Benjamin Wright

Mr. Wright teaches the Law of Data Security and Investigations at the SANS Institute.

The software used to record the split-screen video is BBFlashback. See Mr. Wright's other use of split-screen video for recording an online investigation.