Archive for February, 2010

How important are date/time stamps to online investigations?

Thursday, February 25th, 2010

Recently I read a listserv posting wherein the poster described his use of the system clock to document the video evidence he was collecting. He described using the computer’s system clock as the source of the verification of the date and time, and recording with the video the system clock to show what the time is when you are recording the video.

Likewise, a WebCase user I spoke with told me that in the past, members of his unit would have to create a folder in which to keep case documents. Again, this used the system’s date/time stamping.

Date/time stamping is one of WebCase’s key features, but these two users bring up an excellent question: what, exactly, is the big deal about date/time stamping? More importantly, how can the defense challenge it in court?

Actually, it’s pretty easy to fudge a computer’s system clock. Not that an ethical investigator ever would, but the defense can introduce reasonable doubt with a simple demonstration. In Windows Vista, all it takes is a right-click on the time in the bottom right-hand corner. Then, select “Adjust Date/Time” and click on “Change date and time…”. System clock changed.

How does using WebCase prove you didn’t do this?

WebCase, when it starts, makes a system call to the National Institute of Science and Technology’s (NIST) atomic clock to obtain the correct time. It then dates and stamps all evidence collected in the current UTC (this stands for Universal Coordinated Time, or what we used to refer to as Greenwich Mean Time) time—not the system clock time.

WebCase automatically verifies the UTC and documents this in the reports users generate. This helps to ensure that any reliance on the system clock is avoided.

On the listserv, the poster went on to describe his collection process using a document program to cut and paste chats into. Again, he used the system date and time as the time stamp for the file.

Not only does WebCase negate the need to use two separate programs—video collection and document—but its date and time stamping, along with its automatic hashing function, guarantees the file integrity of any video recorded.

See it in action: download a free demo!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Six Internet Tools for Researching Someone

Saturday, February 13th, 2010

Finding information about someone online can be as simple as searching them in Google. For some more detailed information about people several resources are available on the Internet for identifying people.  Each website returns a limited amount of information on whom you are researching and most are a front end for a pay for service which for a small amount you can get a complete background on the individual. However, searching several of the services, which return different information, you can quickly put together a significant amount of information on your target.

Search Bug

Zabba Search

The Ultimates

Skip Ease


Zoom Info


Internet Investigators Toolbar

All of these websites are easily accessible from our free, to the online investigations community, Internet Investigators toolbar which can be found on our website at

Cloud computing: Not just for geeks or feds

Monday, February 8th, 2010

Think online investigation is just for the high-tech crimes types, the computer forensics geeks or the feds? Not so, says Todd in his interview with Cyber Speak’s Podcast (hosted, ironically, by two former federal agents). The more people are online, the more they’re likely to use cloud services, the more important it is for local law enforcement to be there too.

Todd’s appearance on Cyber Speak came about because of his two-part article on cloud computing, which had appeared in December in DFI News. He and Ovie Carroll discuss:

Impact of cloud computing on first responders

Detectives performing searches can’t simply pull the plug on a running computer anymore (a fact which prosecutors are having to get used to). They need to be able to perform data triage and possibly even volatile data collection.

Why? Because knowing whether a suspect has an online presence is critical to whether an arrest is made—and what happens afterward. Whether users are actively storing files “in the cloud” or simply members of social networking sites, law enforcement officers who don’t find evidence and therefore, do not make an arrest risk that suspect going online and deleting all incriminating information.

Why is this a problem? Because the very nature of cloud storage means investigators may not be able to access a logical hard drive somewhere to recover the evidence. First, the sheer amounts of data stored on servers make this close to impossible. Second, there are jurisdictional issues.

Are you exceeding your authority?

Not only may information be stored outside your jurisdiction, but it may also be stored in another country altogether—one with different criminal and privacy laws. Accessing evidence of a crime in the United States may actually mean committing a crime in another country (Todd relates the story of two FBI agents for whom arrest warrants were issued in Russia).

This is a problem for local law enforcement, which Todd notes has been left largely to its own devices when it comes to online crime. Only Internet Crimes Against Children (ICAC) task forces have clear direction from the federal government on how to proceed.

Hence it’s easy for local police to kick Internet crimes up to regional, state or federal task forces. But as Todd points out, more people coming online means more crimes being committed against people in local jurisdictions both large and small. Law enforcement at every level needs to be able to respond.

Please listen to Todd and Ovie, and then come back and tell us what you think!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Monitoring Twitter? Try Searchtastic

Monday, February 8th, 2010

Twitter is not the pointless what-I’m-having-for-breakfast exercise in narcissism that many people think it is. The Washington Post recently reported that gangs are now using it and rival Facebook to discuss their activities–thereby inadvertently incriminating themselves.

So, it’s a good idea for gang investigators, probation/parole officers, and other law enforcement officers to monitor Twitter to see what’s going on. Best way to do that? Lauri Stevens over at ConnectedCOPS offers Searchtastic:

Try searching Twitter with its own advanced search “feature” and you might come up a bit disappointed. Put in a term or hashtag and it will take you go back only a week and a half or so in time.

With Searchtastic:

1. Search usernames or hashtags
2. You can pull up tweets from weeks and months back.
3. You can search on a particular user and the people he or she follows.
4. Then, click on a word in the search results and it modifies the search by the word. Once a word is in the search results, if you want to take it back out, click on it again.
5. And the clincher: When your search results look like something that might be interesting, export the results to Excel with the click of one button.

It seems like in ten or fifteen minutes, you could design a search, relevant to any investigation you might be working, that’s full of interesting terms and Twitter usernames. Export those results to Excel and cross reference them through your other database engines and maybe connect a few more dots. Useful?

I tried Searchtastic on the hashtag (a way to organize tweet topics) #webcase, which I used in November to live-tweet training from Charlotte, NC. The first run found tweets going back to October, but not my class tweets.

During my second run, without the # symbol, I found about six pages of tweets. Some came from Todd (who tweets as @Webcase); others from people who had “retweeted,” or recommended, WebCase or something we’d said.

As Lauri says, Searchtastic is in beta, so it may not catch 100% of what you are trying to find. As with so much when it comes to online investigations, best is to run the search sooner rather than later. However, Searchtastic does find much more than Twitter Search; it does organize tweets nicely by username; and it does allow for export to Excel.

Find out more on Searchtastic’s About page.

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

Todd on CyberCrime 101: Episode 7

Friday, February 5th, 2010

Last month while Todd was training in New York City, he had a chance to meet Joe Garcia, a computer crimes detective we connected with on Twitter. Joe has a podcast, CyberCrime 101, about all things computer forensics and information security. After reviewing the WebCase demo, he kindly invited Todd on the show to talk.

Their focus: Todd’s background, WebCase, and being president of the International High Tech Crimes Investigators’ Association (HTCIA). Joe voiced his approval for our tutorial screencasts, as well as our webinars and 2-day training; Todd told us that WebCase now offers 64-bit support, and will soon be released in a new version that has more features.

Thanks for having Todd on the show, Joe!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.

A DFI News double feature

Friday, February 5th, 2010

We were pleased and honored in December when Digital Forensics Investigator (DFI) News opted to give two of Todd’s articles top billing on its site.

The articles, a two-part series, addressed whether collection of electronic evidence from the Internet is feasible. Some say no; obviously, we say yes!

In Part I, Todd drew from his 2007 white paper, “Collecting Legally Defensible Online Evidence,” to discuss the need for and development of a standard methodology for Internet evidence collection. In Part II, he addressed the application of that methodology specifically to “cloud” computing.

The cloud does present different challenges to evidence collection than do conventional Internet sources. But that doesn’t mean evidence collection from the cloud is impossible.

Read Part I here and Part II here. And please be sure to come back and tell us what you think. Do you agree? Disagree? Have you encountered the need for Internet evidence collection methodology… or investigative issues specific to the cloud? Comments are open!

Christa M. Miller is Vere Software’s marketing/public relations consultant. She specializes in law enforcement and public safety and can be reached at christa at christammiller dot com.