BYOD continues to be a popular topic of conversation. Here at Digital we are torn on the business use case. This seems like a technology with a high hurdle in costs to attain any payback. On the other hand, we love it for the ease with which it allows us to penetrate security layers in companies. This is definitely a two-edged sword, and business entities are strongly advised to have their security ducks in a row before putting any important assets at risk. Get an outside opinion on your setup. This is one area where an extra set of eyes is important. When you permit BYOD you drastically increase the attack surface of the company. We can help ensure your security preparations meet your requirements.

Law firms are particularly interesting targets for computer crime. They frequently have large amounts of sensitive data, some of it of distinct value, some of it useful to criminals for a variety of reasons.

It can be used to make fake IDs or provide the opposition with intelligence they shouldn’t have, and that’s just the tip of the iceberg. Imagine if all the firm’s data, notes, and communications were in the hands of the opposition or a criminal. Imagine if it all simply vanished. One recent virus did this by encrypting data files and demanding money. What would happen to the typical law firm if all their online case data became inaccessible? Perhaps permanently.

Firms frequently have banking data that can be used to pilfer funds from client accounts.

Client data they possess may have value outside the legal forum. For example, a blueprint might be of interest to a bank robber. Copyrighted materials might be of interest to client competitors. Contracts might be of value to the opposition or a third party. Criminal and social behavior notes are valued by unscrupulous news people, as we saw in the Rupert Murdoch scandal.

Then there’s access to client networks.  If the firm doesn’t have direct access to the client network via VPN, they’ve got email, and once internal email is compromised, sending emails with malware into a client network is relatively easy.

But the bad guys don’t need to get control of a firm’s email. With a simple forged email that looks like it came from the firm, they can get a client to click on a link that infects their computer. It’s telling that simply the name of the firm can be of value to an attacker. With just a name, they can reach out and cause trouble.

Worse, firms can be targeted.  Because of public filing or news, it is quite easy, in most cases, to find out who someone is being represented by, and then use that information for nefarious purposes.

Which is why law firms need to be certain they are effectively managing risks. Understandably, most don’t have the level of security in house to do the job, but help is available. By contracting a professional service to assist with risk management activities, the firm can continue doing its business with the assurance that it is more secure and aware of the potential problems.

Management can make rational judgments about how much to spend, on what, and to what ends.  Without professional assistance, crucial details can be missed, and gaps can remain where none appear.

Digital Trust provides security and risk management services, and we’re intimately familiar with the environment.  Give us a call, or email us, but make sure you’ve looked at your risk situation, no matter who you use for security services.

When it comes to electronic preservation of evidence in civil litigation (as opposed to criminal evidence collection), there is some discussion about what is the best evidence to preserve.

On the one hand, you want to ensure you collect everything that is relevant.  On the other, you can’t collect primary sources for everything in most modern companies, because it is too disruptive.  For example, we don’t collect the disks from the email server, but this is highly likely in a criminal proceeding.

The question then becomes, what’s best?  How do you preserve defensibly whilst doing so economically?  Particularly when preservation requirements begin when litigation is a potential and not an actual event.

Our mandate is to preserve broadly, but how without breaking the bank?

By using a reasoned approach, seasoned with the perspective of a potential litigator and a judge.

When collecting materials, consider what might play out and designate accordingly.  Then determine what’s the most effective means of preserving it, and what arguments you can make if you’re excluding anything.

For example, if we preserve email based on a filter, is that filter sensible in terms of what the litigation might reference?  If the filter is too restrictive, opposing counsel will object and the judge might rule in their favor.  If we collect too broadly, we risk exposing client business secrets and increasing expenses for evidence handling.

Whatever the limitations you impose on a potential pool of evidence materials, make sure your rationale is sound.  Put yourself in opposing counsel’s shoes and ask the questions they will ask.  Follow the leads they will see, and document why a direction doesn’t make sense or is overly burdensome.

In the end, it is better to over-preserve than to under-preserve, but there’s no reason to overwhelm a client with a massive collection effort if something smaller makes sense. Just make sure you can back it up with fair reasoning.

The two premier options for forensic collection are the Voomtech Hardcopy 3P, and the Tableau offerings.  We use both here, in limited ways, along with dcfldd booted from a CD.

One of the things that new people in the field sometimes miss is effective use of technology for client efficiency. The emphasis here is on parallel collections, but this actually works for any volume, from one on up.

As a new forensicator, the impulse can be to obtain the best “device” for collection, based on LE input or marketing or whatever.  Many of us rush to buy the best device for collection, when in fact, no device is necessary, and in many cases, detrimental.

Our first loyalty is to the preservation, and our second is to the client, which means, our imaging must be flawless and our billing must be minimal.  We are not here to maximize our billable hours; that is morally repugnant.  We should always strive for greater efficiency, and the way to do that is through the use of boot images for collection.

Assuming modern computer hardware (SATA2+, USB2+), the difference between using a dedicated device and using a boot image can be startling. While a single PC can quickly show an advantage for a dedicated device, on truly modern hardware (3 series SATA/USB) the boot image equals or exceeds the device in both cost and speed.

Dedicated devices cost money, around $2000 apiece. A boot image is free, other than the time to create it. Both collection processes require opening a PC and messing with wires. Both take about the same time on similar hardware, with the dedicated devices being faster on older hardware.

But if you need to do two or more, the cost effectiveness of a boot disk clearly shines. Duplicate the boot disk however many times necessary for a parallel effort (one tech can manage 10 running instances, typically) and do multiple PCs at the same time.

The cost for using a dedicated device is $2000 x # of collections.

The cost for using a boot disk is $0 x # of collections.

The time (assuming you can afford that many devices) for dedicated devices is X collection devices x connect time, that is, the sum of the connect time for device 1, device 2, and so on through device N, since the imaging itself runs in parallel. By the time you get to the end of your loop in setup, the first device is finished, and by the time you finish putting them all back together, the last one is finished and you close up.

The time is the same for the boot disk, only there’s no upfront cost for equipment. And they don’t break.  And they stay current with technology and don’t cycle out as technology advances.

(Slower machines are better on devices, but this is offset if the number of collected machines grows enough to overcome the efficiency gap. Meaning, USB2 is slow, but 20 USB2 collections run in parallel are faster than 20 dedicated hardware collections split across two devices. There’s lots of wiggle room in low volume, do the math yourselves.)

And you can do a BUNCH of collections in a single sweep.  As mentioned previously (thanks Vestige!) the boot disk is the ONLY WAY to do an entire building in one night.

So if you’re considering buying yet another device, please reconsider.  Devices are nice for collection personnel that don’t know what they’re doing inside a boot image and require strict training (like criminal evidence collection by LE), but for forensic ePreservation, you can’t beat a boot disk.

We like Ubuntu + dcfldd.  It keeps overhead down and increases billing efficiency.  DO IT.
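As an added illustration (not Digital Trust’s own boot-disk tooling), this is the acquire-then-verify step a dcfldd boot image runs against each drive: image the source, record its hash, and later rehash the image to prove the copy is intact. Device and output paths are assumptions; when dcfldd is not installed it falls back to dd plus sha256sum so the verification half can still be exercised.

```shell
#!/bin/sh
# Forensic acquire-and-verify helpers (added example, not the original post's code).
# Usage on the boot image, e.g.:
#   acquire_image /dev/sdb /mnt/evidence/sdb.dd   # paths are assumptions
#   verify_image  /mnt/evidence/sdb.dd            # rerun in the lab, any time
# Beside each image the helpers keep <img>.sha256 (source hash) and <img>.log.

# acquire_image SRC IMG: bit-for-bit copy of SRC into IMG, source hash to IMG.sha256
acquire_image() {
    src="$1"
    img="$2"
    if command -v dcfldd >/dev/null 2>&1; then
        # dcfldd hashes the input stream while copying, so the evidence drive
        # is read exactly once; the hash lands in the hashlog file.
        dcfldd if="$src" of="$img" bs=1M hash=sha256 hashlog="$img.hashlog" \
            2>>"$img.log" || return 1
        grep -o '[0-9a-f]\{64\}' "$img.hashlog" | head -n 1 > "$img.sha256"
    else
        # Fallback for hosts without dcfldd: plain copy, then a separate pass
        # over the source to get its hash (a second read of the evidence).
        dd if="$src" of="$img" bs=1M 2>>"$img.log" || return 1
        sha256sum "$src" | cut -d ' ' -f 1 > "$img.sha256"
    fi
    # Fail loudly if no hash was captured; an unhashed image is not defensible.
    [ -s "$img.sha256" ]
}

# verify_image IMG: rehash IMG and compare with the recorded source hash.
# Appends a timestamped line to IMG.log so every verification is on record.
verify_image() {
    img="$1"
    expected=$(cat "$img.sha256" 2>/dev/null)
    actual=$(sha256sum "$img" | cut -d ' ' -f 1)
    printf '%s verify: expected %s actual %s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$expected" "$actual" >> "$img.log"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}
```

Any later change to the image, even a single byte, makes verify_image return non-zero, which is the check opposing counsel will expect you to be able to show.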

Most companies are implementing (or already have) encryption of local data to prevent loss from a compromise of security.  There are two obvious concerns when thinking about using data encryption.

First, is it reducing your real risk? Most encryption starts out as a defense against physical compromise, for example a hard drive walking out the door. Well and good, but what is your risk of physical compromise? Do you even know your ALE? Because it’s become policy, most companies don’t even bother with the cost/benefit, but it’s always good to know the real value of an effort, if for no other reason than to understand how reasonable the regulatory burden is.

The real problems start once encryption is in place and executives know the language, but don’t comprehend the true functionality.  In several situations, senior management has looked at a network security incident and expressed little concern thinking that encryption protected them from harm when encryption did no such thing, and the intruders would have been free to pilfer online data had they desired to do so.  Encryption methods vary, but be sure management is clear on what risks are or aren’t mitigated, to prevent a false sense of security.

The other added risk that typically goes unremarked is the risk of data loss. Encryption is a harsh mathematical reality, and when it goes wrong, there’s typically nothing we can do except go to backups and restore the data. In some instances, encryption can add mandatory operational steps that seriously complicate data integrity efforts, requiring extensive procedural compensation to reduce risk to acceptable levels. This can add significant costs to an encryption program. Worst of all, failure to identify these preventable loss risks up front may mean a serious data loss incident down the road. Meticulous processing, planning, and testing are not usually within a business budget, yet are required when dealing with encryption. Vendors will never bring up the difficulties of using their software, so using it safely requires thoroughly understanding how it works and how it fits into the business.

Encryption is a good tool, but it’s just one of many, and like any tool, can be a good thing or a bad thing.  It’s good when it saves the company from data loss, and it’s bad when you lose the password and can’t recover 3TB of image data.

Digital Trust’s founder is going to be presenting a short how-to on building a consulting business over at concise-courses.com on January 10th at 1200 EST. Please join us for an informative talk and for questions after. If you can’t make the time, the talk will be taped and available via the concise-courses website.

If you’re at shmoo in Feb, catch up with us then for more in depth discussions about running the business.

So, admitting for the nonce that our graphics abilities are limited to MS Paint, we’ll opt not to post any of the action shots until we figure out how to layer transparent GIFs onto JPGs. Hey, we’re an ePreservation and analysis shop, primarily, give us a break.

The show was a kick and we had at least 30 people pop their first lock at the key impressioning rig.  We were lucky enough to get some input from Deviant and now we’ve got a better pathway for key impressioning training which means the contest next year at Hack3rcon & BsidesDE (primary) should be capital.

We did teach impressioning to at least a dozen people, and by teach, we mean convey the rudimentary understanding necessary to achieve complete frustration in 15 minutes on a normal 5 pin lock.  But it’s a start.  Impressioning is *hard*.

There’s no next show for the rig to attend until next year’s Hack3rcon, but if by some miracle we make it into shmoocon as a vendor (our fallback plan for not getting a talk accepted or sponging a ticket) we’ll bring the rig for the table as well as our awesome espresso machine (srsly, shmoogroup, an espresso machine on the vendor floor, what more could you want?).

But back to BsidesDE.  Since we were manning the booth, there wasn’t a lot we could see, but there were some cool things going on in the hallway, with discussions on class 3 trusts (something we’ve demonstrated interest in previously) and inheritance, courtroom testimony, fraudsters, and how the hell we were going to get shmoo tickets.

The most exciting part of the show for us was the live auction to benefit Hackers For Charity.  We nicked a pair of coins that escaped our grasp at hcon in October, to the dismay of several.

Backtrack Challenge Coin

NSA Front

Sorry guys, no hard feelings.

What really got the auction wound up was the offer of a shmoocon ticket. Being rather interested, we jacked up the bidding into the insipid zone, and there was nobody else interested at that level. But this was for HFC, after all, so we sweetened the deal by tossing in a bottle of absinthe owned by @JadedSecurity (we drank the last one, so we owed him one), special absinthe you can’t get in the US, and the price jumped another $100, which made us happy enough to let it go at that price.

Jaded’s bottle will be going to shmoo with or without him, and into the hands of a stranger. Lucky for us we’ve got *another* bottle of even better absinthe to bring for Jaded, provided we get a ticket somehow.


So next BsidesDE will have the new and improved locks rig, with 24 distinct locks of varying difficulty, and we will be a 5 year running sponsor!!! Speaking of which, AWESOME, gang! (pic coming) Thanks for the honor of letting us help sponsor the show. We’ll try to line up something special contest wise to make it exciting. Hmm. How about a forensics challenge AND a locks challenge! MINIONS!!! Make it so!

Excellent job, DD and KF, see you next year after the “merger”.  😉

Badges came from @MakeItUrz, and you can see the rest of the con badges here, eventually.

Hack3rcon 3 was a success, at least as far as we’re concerned.  The lock wall and impressioning contests were a lot of fun and drew quite a bit of traffic.  We’ll definitely be doing that again.  Congratulations to PunkAB for winning the contest, and thanks again to Front Sight for providing prizes.  We can’t wait to get back to both hack3rcon and Front Sight for more valuable training.

The 3 day event was full of great lectures, discussions, and food.  Charleston did not disappoint with a bunch of new or remodeled restaurants.  You’re a cool city, Charleston, stay classy.  Thanks to the 304geeks for awesome support, and IronGeek for his usual outstanding video support.  Full blown corporate sponsorship was a treat, so thanks to all of you, especially

Highlights from the show would have to include rel1c breaking a key in a lock, PunkAB mangling one of the locks, and 40 or so geeks descending on a sports bar.  One of them with a TV remote controller.  We had at least a dozen people pop their first locks, and taught impressioning to a dozen more, and even some bump key theory.  Thanks to DEFCON and Jos Weyers for the inspiration for the contest.  Notably, we finished the weekend with all tools accounted for, proving once again that although hackers engage in the same activities as criminals, they are generally some of the most trustworthy people on the planet.

The party, in case nobody mentions it elsewhere, was fantastic.  When all you need is good friends, the addition of strange new forms of music, pool tables, and good food and drink make it that much more fun.

In addition, Digital Trust would like to thank our supporting partners, BodyTeeze and PostUpStand.

Finally, we promise *promise* to do something technical next year, assuming the world doesn’t end on 12/21.

We’ve belabored the morality of sales previously, but something has arisen prompting an additional emphasis on slimy sales tactics and the scum that practice such disgusting habits.

It was brought to our attention that one of the top vendors in the forensic market, and we mean top, had contacted non-clients under the guise that they were existing customers in an attempt to upsell them products based on product they didn’t own. This is a tactic used by copier fraudsters and not something that we should see from a respected forensic vendor. It’s disturbing. If you work at one of the top vendors of forensic software, I urge you to contact your sales managers and emphasize to them the moral hazard in such tactics before they attract charges of fraud. If it’s not stopped, and we continue to see it used, we will publish the emails of the scumbags and disclose the company involved. Get your business together, gentlemen, or we will clean it up for you.

Are certifications necessary for eDiscovery and eForensics experts and technicians? While the strict answer is “no”, because we’re managing okay at the moment, as a profession, the long term answer is “yes”, because of the number of mistakes made by ignorant parties, whether it be the collector, the processor, the lawyer, the client, or the opposition. The only person paying the price for screw-ups is the legal client. Worse, the technical people screwing up (who aren’t really all that technical) usually don’t carry insurance, because they have no idea what they are doing to begin with. While any bar to entering a field is a last resort, here, as in law enforcement, medicine, and law, it appears necessary.

People who have never gone through a grueling evidence deposition cannot comprehend what they are up against.  In some cases, they may be backing up data using “copy.com”, while in others, they may be skipping deleted files.  The opportunity for mistakes that end up costing the client the case is nearly endless, and now that lawyers are beginning to get acclimated to the new materials, negative outcomes are going to increase if the integrity of the profession isn’t maintained.

Those of us in the field for a time have seen how it’s evolved.  We know that we do things differently now.  We’ve been educating legal teams since the beginning, and now they’re starting to ask really good questions.

We can’t allow some tech-school dropout with a boot disk to take on clients.  While there is room for error and room for a wide variety of techniques, we all know that there’s some people who are doing it wrong, and the client pays the price.

So certification becomes a necessity. Or perhaps voluntary. Although any attorney who voluntarily worked with an untested, uncertified technician might be skirting professional misconduct. We all have a duty here.

The certifications can be from multiple sources, and should be, to keep the market competitive.  In every market where a single standard has come to dominate, pricing becomes fixed and quality suffers.  There are quite a few, sometimes called paper tigers, sometimes called barriers, but they all lower the quality of work in those areas.

The certifications shouldn’t be long or overly burdensome. It’s okay to assume a baseline knowledge and to test based on that. Computer science isn’t a bad place to start, although there are specialty degrees now. Assuming at least a college level education is warranted, since these experts need to document and testify. It could be law, law enforcement, or other related disciplines with additional experience and/or training.

One thing it shouldn’t require is PI licensing. This should be optional, but required for experts working alongside law enforcement. Or an LE background. For non-criminal legal cases, it’s completely unnecessary. Digital Trust’s entire practice is civil litigation and compliance issues; what good will a PI license do us, other than create a barrier to work? So don’t mandate PI licensing.

But some certification is warranted, and it needs to be beyond vendor specific certification.  While nVendor might include some non-technical topics in their training, it would be better if tool vendors stuck with tool training and left legal training to outside agencies.  Unless they enjoy the liability that follows along.

While certification may be a pain for professionals, it does provide the client with a reasonable assurance that they are being assisted by adequate technical experts and not some person who’s going to cost them the case.  And without the client, what’s the point?  So let’s get this certification thing figured out right, and not just throw PI at it.