The tickle of curiosity. The gasp of discovery. Fingers running across the keyboard.


The World of Iniquus - Action Adventure Romance

Showing posts with label Forensics and Incident Response. Show all posts

Thursday, April 10, 2014

Forensics in Your Plotline: Information for Writers



Photo: Amanda Knox reacts at the announcement of the verdict of her appeal trial in the Meredith Kercher murder (Photo credit: Beacon Radio)
Amanda Knox has probably learned more about forensics than she ever thought or hoped she would. But her case in Italy makes a very interesting point: while specific laws change from region to region and country to country, what constitutes good science does not.
Video Quick Study (1:26)
Video Quick Study (2:31) rape case thrown out over tainted forensic evidence


Forensics is a science; specifically, the application of science to the law. It is the application of scientific techniques developed through the scientific method that produces data. Are these 100% accurate and dependable results? No. They are not. They are within a scope or continuum - the data falls on a line of probability. When DNA results are offered, it usually reads as 98.99% chance of accuracy (and even those results are based on some pretty weird location generality tables). Nothing is 100%. This is an excellent way to twist your plot line.

I remember distinctly reading about a case where the body of a baby was hand-carried to the coroner for autopsy. Based on the coroner's findings, the mother was convicted of murder and sent to prison for life. Decades later when the officer was diagnosed with terminal cancer, he admitted that he had dropped the baby's body down a long marble staircase. Also, the person who had performed the autopsy had failed to document body damage that had occurred premortem versus postmortem. When these aspects came to light a second trial was held and the woman found innocent.

Forensics is processed by humans. Humans make mistakes. Mistakes affect lives - and plot lines.

When you see a forensic scientist on the witness stand they will:
* Explain what they did in terms of collection and analysis and why (process)
* Offer an interpretation of the results (expert testimony)
* Explain how they arrived at their interpretations
* Explain what conclusions can and cannot be drawn. For example, in the Casey Anthony case the forensic scientist indicates that hair is not a source of positive identification.

Video Quick Study (4:17)
Video Quick Study (10:19) How reliable is forensic science?


Photo: INTEC student (Photo credit: Wikipedia)

On occasion, forensics scientists will run experiments and try to collect data to help inform their testimony for a specific case.
Video Quick Study (2:10) 

And sometimes the scientists perform forensic experiments to inform future crime scenes. The Body Farm is an anthropological research center, for example, that sets up various scenarios for understanding how bodies decay. 
Video Quick Study (graphic in nature - 5:17) 


But it is important to note that not all forensic cases have to do with death. They can be anything from questioned document cases (Questioned Document Blog Article) to drug cases (Blog links to Illegal Drugs 101 and Toxicology Blog) and so forth.



Think about your crime scene as one great big science experiment.
1. There is an observation: "Hey, look Harvey, I found a foot!"
2. There is a hypothesis: "Someone must have been murdered!"
3. There is data gathering (blog article CSI 101)
4. There is data analysis by various forensic experts
5. Conclusions are drawn. If the conclusion supports the hypothesis then you're ready to support a case in court. If the results do NOT support the hypothesis, then you have to start again with a different hypothesis.

Photo: potd 4 17 12 - Forensic 497 final exam (Photo credit: pennstatenews)

Video Quick Study (7:33) Lack of reliable/valid research in forensic cases.

Here it is in a handy-dandy flow chart if that helps:


Photo: Flowchart of the steps in the Scientific Method (Photo credit: Wikipedia)




Photo: A forensic scientist at the U.S. Army... (Photo credit: Wikipedia)

When you are plotting your story, the analysis section is where you can twist the status quo. "The red toe-nail polish and dainty size did not hold up to DNA evidentiary review - this is not a woman after all!"

Now your inspectors have to start back to square one with the formulation of a different hypothesis.



See how this article influenced my plot lines in my novella MINE and my novel CHAOS IS COME AGAIN.


Thank you so much for stopping by. And thank you for your support. When you buy my books, you make it possible for me to continue to bring you helpful articles and keep ThrillWriting free and accessible to all.


Monday, January 13, 2014

Digital Footprints - Computer Forensics and Digital Evidence: Information for Writers

_____________________________

“This office is Grand Central.” He plugged a new flash drive into the computer.
      “Are you finding what you need?” I asked.
      “Some of it. They have security on top of security.”

     ~ Missing Lynx





If you're writing a contemporary suspense/thriller/crime novel, then digital information is an important angle to consider.

Modern technology makes certain crimes easier to carry out than ever before; indeed, there are certain crimes that exist now that were not possible before computers became widespread among the world population.

How many of you have been on the receiving end of an African lottery win phishing expedition? Conversely, if the criminal is not aware of how digital forensics can help an investigation, it can also make crime harder to get away with.



Photo: Map showing the Strategic Alliance Cyber Crime Working Group member countries and lead agencies (Photo credit: Wikipedia)


Most interrogators working with computerized information are called Digital Forensic Investigators. Apparently calling them computer-geek-cops is frowned upon.



Photo: Micro USB charging cable for mobile phones (Photo credit: Wikipedia)

They cover such crimes as:

* Cyber bullying
* Child porn and child exploitation
* Pirating - software, music, videos, and other copyrighted work like books. Link to novelist John Dolan's blog post about his experience with pirating. Just FYI
* Credit card fraud
* Altering medical data for insurance fraud
* Espionage
* Terrorism
* Corporate crimes
* Pharming - Pretending to be a legitimate organization when they are not
* Phishing - Trying to defraud people


Video Quick Study (3:43) Phishing and Pharming examples
Video Quick Link (3:28) - excellent overview of digital crimes
Video Quick Study (6:44) - This is Josh Moulin, who taught at WPA 2011. He is explaining what he does; listen carefully to his mode of speech and his vocabulary. This is not specialized speak for the interview. This is how he spoke with us. (Don't go to the website he offers; it is incorrect.)
   * Includes tips for how to protect a child online
   * Tips on general computer safety



The first hurdle to jump is just identifying that there is an issue.

* Is this a glitch in a program? A human error? Or, is this a crime? Oftentimes computer crimes are hard to discover.
* Did the person have widely scoped criminal intent, such as a terrorist? Or was this a bored teenager hacking into a system to see if he could?


Then they start looking for a suspect.

Digital Forensics Experts will:
1. Trace back - the computer experts try to find the source computer (the computer from which the attack originated) by following the trail of addresses (IP addresses).
2. Scrutinize the computer system of the entity that was compromised, called the target.


Once the investigators have narrowed in on the suspect, they need to prove:

MOTIVE
* Did the person have motive for perpetrating a crime and what was it? Motivators might include:
   * Curiosity - like hackers, to see if they can.
   * Money
   * Victimization (such as stalking or pedophilia)
   * Power/leverage/revenge

KNOWLEDGE and MEANS
* Believe me, I could have all of the motivation in the world, BUT if my scheme includes anything more than using a word processor, you've got the wrong girl.

ACCESS to perpetrate such things as:
* Data mining for materials that would benefit a criminal, such as credit card numbers.
* Logic bombs - "a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files, should they ever be terminated from the company." More information here.
* Opportunity to perform alterations of computer logs to show that the activity happened at a different time or date. (Investigators must look at the time/date stamp and make sure these were not tampered with, for example.)



Photo: DCIS special agents investigate cyber crime within DoD. (Photo credit: Wikipedia)


In order to develop the motive, access, and means, the investigators will collect evidence. Evidence is collected, analyzed, and stored.


Traditional Investigation
1. Interview eyewitnesses - did anyone see or hear anything pertaining to the crime?
2. Conduct surveillance
    * Electronic surveillance might include pretending to be a target, such as posing as a thirteen-year-old girl.
    * Discovering if the suspect would have been somehow UNABLE to perform a cyber crime by location, activity, etc. Ex. a scuba diver would probably have an alibi if they were underwater.
    * Smart phones with internet capability make this difficult at times; though again, everything leaves a digital trail, so it might just be helping investigators.

Digital investigation

In order to access digital information from the target computer system, the investigators would need owner permission. If they wish to gather the information from the source computer, they will need a warrant.
* The investigators might want to do this surreptitiously so as not to let the suspect know that they are being investigated.
* They may confiscate the equipment.


COLLECT: 4 strategies for collecting the digital footprint.


Photo: A portable Tableau forensic write-blocker attached to a hard disk drive (Photo credit: Wikipedia)

1. Seizure - bag, tag, and send devices to the forensics laboratory.
   * The ever-growing number of devices with huge amounts of memory makes for long backlogs.
   * No way to differentiate between items that might contain evidence and items that have no relevance.
2. Onsite Imaging
   * Time consuming
   * Issues of contamination
3. Digital Triage with Boot CD or Thumb Devices
   * Cannot cope with cell phones, GPSs or similar devices
   * Can contaminate the data that is being harvested.
4. Onsite collection with specialized equipment such as Spektor
   * The one in this video was developed for investigators who do not specialize in digital forensics. So your Joe-cop could collect the evidence with maximum forensic control.
   * Can handle cell phones and GPS devices.
   Video Quick Study (4:53) Promotes Spektor - but is a good quicky overview of the collection techniques


Photo: A Tableau internal forensic write-protection module (Photo credit: Wikipedia)


Once the device is in the hands of the investigator:

1. They make a backup copy (working copy)
    * The original data must stay intact, which allows it to be presented later in its original condition if needed in court.
    * Making the copy is called imaging.
    * The Working Copy Master (the first copy) is used to make more copies. The original WCM is archived along with the original data.
    * Investigators work on one of the other versions - if it is somehow corrupted then the investigators can make a fresh copy from the WCM.

Plot point: How are the investigators sure that the copy is correct? They use a hash value - a program boils the data down to a single number (a checksum or hash). The number for the original and the number for the copy are compared, and if they match, then investigators know that they have an exact replication. This is a very cool little piece to manipulate in a plot line, so I'm including this LINK to an academic paper concerning its use.
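Here is the hash check from the plot point above, written out as an added example (my own code, not anything from the article or from a forensic tool vendor). It builds a small constructed byte string to stand in for the drive image, records the hash at acquisition time the way an examiner would log it, then verifies a working copy against that record. The `acquisition_record` and `corrupt_one_bit` helpers and the `EXHIBIT-01` label are my inventions for illustration; `hashlib` is the Python standard library. The point it shows that the paragraph does not: flipping a single bit anywhere in the copy makes the hash fail, which is why a matching hash is such strong evidence that the copy is exact.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for the bytes an imaging tool reads off a seized drive.
# A real image is gigabytes, but the verification step is identical.
ORIGINAL_IMAGE = b"NTFS    " + bytes(range(256)) * 16 + b"case-notes.docx" + b"\x00" * 512


def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Hex digest of an image, fed in chunks the way a tool streams a large
    image from disk rather than loading it whole into memory."""
    h = hashlib.new(algorithm)
    view = memoryview(data)
    chunk = 64 * 1024
    for start in range(0, len(view), chunk):
        h.update(view[start:start + chunk])
    return h.hexdigest()


def acquisition_record(evidence_id: str, image: bytes) -> dict:
    """What the examiner writes down at imaging time: the reference hash that
    every later copy is checked against. evidence_id is a made-up label."""
    return {
        "evidence_id": evidence_id,
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
        "algorithm": "sha256",
        "digest": hash_image(image),
        "size_bytes": len(image),
    }


def make_working_copy(master: bytes) -> bytes:
    """Copy taken from the Working Copy Master; the original is never touched."""
    return bytes(master)


def verify_copy(record: dict, candidate: bytes) -> bool:
    """True only if the candidate is the same size and hashes to the digest
    recorded at acquisition. Any other outcome means the copy is not exact."""
    return (len(candidate) == record["size_bytes"]
            and hash_image(candidate, record["algorithm"]) == record["digest"])


def corrupt_one_bit(data: bytes, offset: int) -> bytes:
    """Simulate a damaged copy: flip a single bit at the given byte offset."""
    buf = bytearray(data)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    record = acquisition_record("EXHIBIT-01 (constructed)", ORIGINAL_IMAGE)
    good = make_working_copy(ORIGINAL_IMAGE)
    bad = corrupt_one_bit(good, 1000)
    print("reference digest:", record["digest"])
    print("good copy verifies:", verify_copy(record, good))      # True
    print("damaged copy verifies:", verify_copy(record, bad))    # False
```

In practice the examiner records the digest on the chain-of-custody paperwork at acquisition and re-runs the comparison every time a fresh working copy is cut from the WCM; a mismatch means that copy is discarded, not worked on.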


2. Examination computer - the data is removed by
   a. USB
   b. SCSI (Small Computer System Interface)
   c. FireWire (link to howstuffworks article)

   The machine is placed inside of a protective box that prevents someone at a remote location from communicating with the data and, for example, wiping the hard drive.

Analyze - specifically and carefully

Preserve - with a documented chain of custody to maintain the integrity of the evidence for presentation in court.


DATA STORAGE

Where do people (the good guys and the bad guys) look for data?

Slack space - where data goes when your heroine thinks she deleted it.
* Unencrypted passwords and bank account numbers could be found here by investigators
* Hackers can go and harvest that same kind of data
Browser history (opening individual files)
Keyword search
Metadata searches, ex:
* who created it
* when
* where was it received and by whom

Photo: Any digital data storage device can be used to... (Photo credit: Wikipedia)

Video Quick Study (5:07) Great easy-to-understand description of why data doesn't disappear when your heroine deletes her files.
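To make the slack-space and keyword-search points above concrete, here is an added example of my own (not from the article or the video it links): a toy block device whose "delete" does exactly what most real filesystems do, drop the directory entry and mark the block free, without touching the bytes. The `ToyDisk` class, its 64-byte blocks and the diary/password text are all constructed for illustration. After the heroine deletes her diary and writes a shopping note over the same block, the directory no longer lists the diary, yet a raw keyword search still finds the password, and the tail of the old file sits in the new file's slack.

```python
# Toy disk model, constructed for this example; not a real filesystem.
BLOCK_SIZE = 64
BLOCK_COUNT = 8


class ToyDisk:
    """Minimal block device with a directory table. It mirrors the behaviour
    that matters for forensics: deleting a file removes the directory entry
    and frees the block, but never scrubs the bytes on the device."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)   # the whole device
        self.directory = {}                             # name -> (block, length)
        self.free_blocks = list(range(BLOCK_COUNT))

    def write_file(self, name: str, data: bytes) -> int:
        if len(data) > BLOCK_SIZE:
            raise ValueError("toy disk: one block per file")
        block = self.free_blocks.pop(0)
        start = block * BLOCK_SIZE
        # Only the file's own bytes are written. Whatever the block held
        # before survives past len(data); that leftover is the file slack.
        self.raw[start:start + len(data)] = data
        self.directory[name] = (block, len(data))
        return block

    def read_file(self, name: str) -> bytes:
        """The normal path: what the owner sees when she opens the file."""
        block, length = self.directory[name]
        start = block * BLOCK_SIZE
        return bytes(self.raw[start:start + length])

    def delete_file(self, name: str) -> None:
        """'Delete' as the user understands it: forget the name, reuse the block."""
        block, _ = self.directory.pop(name)
        self.free_blocks.insert(0, block)   # block is reusable; bytes untouched

    def file_slack(self, name: str) -> bytes:
        """Bytes of the file's block beyond the file's own length."""
        block, length = self.directory[name]
        start = block * BLOCK_SIZE
        return bytes(self.raw[start + length:start + BLOCK_SIZE])

    def carve(self, keyword: bytes) -> list:
        """Keyword search over the raw device, ignoring the directory entirely.
        Returns every byte offset at which the keyword occurs."""
        hits, pos = [], self.raw.find(keyword)
        while pos != -1:
            hits.append(pos)
            pos = self.raw.find(keyword, pos + 1)
        return hits


def demo() -> dict:
    """Walk through the scenario from the article and return what each
    viewpoint (owner vs. investigator) gets to see."""
    disk = ToyDisk()
    secret = b"Journal entry: my bank password is hunter2"   # constructed sample
    disk.write_file("diary.txt", secret)
    disk.delete_file("diary.txt")                  # heroine "deletes" it
    disk.write_file("note.txt", b"milk, eggs")     # same block gets reused
    return {
        "note_reads_as": disk.read_file("note.txt"),          # what she sees
        "diary_listed": "diary.txt" in disk.directory,        # False
        "password_hits": disk.carve(b"hunter2"),              # still on disk
        "slack_of_note": disk.file_slack("note.txt").rstrip(b"\x00"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The investigator's tools work from the raw device (`carve`, `file_slack`) rather than the directory (`read_file`), which is why "I deleted it" is no defence and why the forensic imaging step copies every byte of the drive, free blocks included.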


Another way Digital Forensics Investigators gather evidence is from cell phones via GPS.
Cell phones will ping off of a cell tower and give a general location. This can help establish an alibi; it can also place a criminal in the vicinity of the crime. Investigators have to be careful in areas that have many cell towers because there can be bleed over. This happens when someone is near the overlapping area of two towers. PLOT TWIST: if there is bleed over, it could put your heroine near the scene of the crime instead of in bed reading a good book like Virginia Is for Mysteries. (Yup, I just unabashedly plugged my anthology!) Your heroine's lawyer might just bring in an expert to testify on this very subject. Where was she the night of the murder? Can't tell from her cell phone pings.

But this is all very cops and robbers. Your plot line runs more along the line of a savvy heroine who isn't taken advantage of. By anyone. What can she do? Your heroine doesn't have to be a forensic security geek - she can get simple tools like Recover It. LINK (quicky advertising video that shows this in action)


Pertinent Laws:

Cable Communications Policy Act 1984 link
Electronic Communications Privacy Act 1986 link
Digital Millennium Copyright Act 1998 link
USA Patriot Act 2001 (Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism) link



See how this article influenced my plot lines in my novella MINE and my novel CHAOS IS COME AGAIN.


Thank you so much for stopping by. And thank you for your support. When you buy my books, you make it possible for me to continue to bring you helpful articles and keep ThrillWriting free and accessible to all.