SANS Digital Forensics and Incident Response Blog: Author - benjaminwright

Investigators: How to Write a Report and Store Digital Evidence

A wise investigator assumes an attitude of professional skepticism. She recognizes that any piece of evidence may not be what it seems to be, and might in the future be interpreted in a different way or be refuted by other evidence.

Consider for example one of the most famous and thorough investigations in American history. The official investigation of the 1970 shooting of Kent State students by national guardsmen concluded that a certain Terry Norman (paid FBI informant) played no role in the shooting. However, forty years later a previously-unknown tape recording of the events has surfaced, and a forensic analysis of the recording shows that someone fired a .38-caliber pistol four times, shortly before the guardsmen opened fire. Norman was known to have brandished such a pistol at that place and time. It appears that


Affidavit as Support for an Investigation

An affidavit can be a vital tool in any type of investigation, whether the investigation be forensic, internal, criminal, regulatory, incident response or otherwise. As an investigator gathers facts, he will often interview witnesses, and obviously the investigator is wise to make records of the interviews (written notes or even audio/video records). But sometimes it is prudent to take an additional step in securing what a witness has to say.

I recently advised an investigation where numerous witnesses had much to say. But as I assessed all that was being said, a particular statement of one certain witness stood out as crucial to the outcome of the case. I recommended that witness record her statement in an affidavit.

An affidavit is a formal, written document that memorializes a declaration of facts by a witness. The preparation and execution of an affidavit can help to lock down a complete and careful statement of what the witness has to say. An affidavit

... Continue reading Affidavit as Support for an Investigation

Digital Forensics and Social Media

Privacy | Transparency

Social networks like Facebook, Twitter, Foursquare and Google Buzz can be a treasure trove for forensics investigations. The expanding ocean of data in those networks is irresistible to investigators.

Marketers are already exploiting social data to analyze associations among consumers. A startup named 33Across looks at relationships among social media users to ascertain who, for example, would be a good prospect for viewing an ad on costume jewelry. If Jane is a good prospect, then some of her friends - or maybe just people who circulate in the same social group - might be too. 33Across uses tools like tracking cookies to follow relationships.

Just as this style of data gathering and analysis can help marketing, it can help law enforcement or dispute resolution.

Public Communications Are Critical to Computer Security Incident Response

Law, Forensics and Public Relations

Historically, IT security and incident response programs did not include much of a public communications component. Enterprises spoke little about attacks or breaches of security; they quietly focused on defense, investigation and remediation.

Law and politics have changed the game. Since 2003 many laws such as California's Senate Bill 1386 have required data holders to notify constituents and sometimes government authorities when private data have been compromised. For many private and government organizations, their data security posture has become a subject of keen public import. Lawsuits and government investigations are becoming more common.

Today, when a security incident happens, public communications can be critical to an effective response.

A high profile example is Google's announcement that it was the target of an attack allegedly from China. Google views the incident as much more than just a

... Continue reading Public Communications Are Critical to Computer Security Incident Response

Digital Forensics Professionals: Texas PI Legislation Interpreted

Automated Traffic Enforcement Opinion: Relevant to Electronic Discovery Work?

A Texas state government agency has published a formal opinion interpreting controversial new legislation on the licensing of computer forensics experts as private investigators. The Texas Private Security Bureau says it "generally" feels the private administrators of traffic enforcement cameras need not be licensed as PIs. The ruling may help us construe this new law in other contexts, such as e-discovery performed by computer forensics professionals.

The agency's reasoning is that the companies running traffic cameras are engaged in only "ministerial" activities at the direction of public servants (i.e. city employees). But the Bureau says its opinion applies only "generally" to traffic camera operators because some operators might be