Digital Forensic Process—Presentation

By John Ahearne, Forensic Analyst

This article is part of a series that delves into each step of the digital forensic process. If you missed one of the previous articles, you can read them at the links below:

In this article, we outline certain digital forensic best practices on writing reports for the purpose of presentation of digital analysis and evidence.

Presentation of Digital Analysis and Evidence

Forensic cases often present unique scenarios that require a customized process that utilizes all possible best practices. The presentation of digital analysis includes a formal written report on the identification of relevant information.

Ultimately, the report and relevant information will be viewed by human resources, executives, law enforcement, lawyers, judges and juries. As such, the report should be clear and concise, yet still contain sufficient detail to describe a repeatable and defensible process.

The information must be provided in an organized and easily accessible format. Depending on the ultimate use of the information, there may be the need to provide the same data in different formats.

The most important overriding principle for a forensic report is that it is based on objective findings. It is acceptable to give opinions or examples when necessary. Any conjecture, however, should be clearly identified as such.

As with any written document, the digital forensic report must be drafted for the intended reader/audience. Since it will be intended for multiple audiences, it is important to divide the report into sections that appeal to each. Audiences may include individuals, businesses, clients, legal counsel, opposing counsel, forensic experts, judges and/or juries.

The organization of a report presenting digital analysis and evidence should include:

  • Executive Summary
  • Findings
  • Appended Reports
  • Conclusion

Due to the variation of potential readers, the report should balance the use of layperson definitions of technical terms with the need for sufficient technical detail.

Executive Summary

The Executive Summary includes a high-level description of analysis findings in language that can be understood by individuals who may be less tech-savvy.

Executives do not have the time to read an entire report but definitely need to know what is going on, which is why a report should always begin with an Executive Summary. This section will also appeal to judges, juries and other readers who do not have the technical background to know what forensic images are, to care about the file carving method used to recover deleted files or to understand why those files may be important.

Findings

Opposing sides and expert witnesses, on the other hand, will want to know the technical details. In addition, many judges, lawyers and juries are becoming more sophisticated than ever as technology advances. Therefore, a report should provide a Findings section that contains all the technical language and details.

This section will contain visual illustrations such as diagrams, charts and pictures of important information that is easily viewable and understood by the entire audience.

The Findings section is intended to satisfy the tech-savvy and, more importantly, defend the findings outlined in the Executive Summary by clearly describing the repeatable and defensible process used in the forensic analysis of evidence referenced in the report.

Appended Reports

Appended reports further support the analysis of the relevant information without losing an audience’s focus. Appended reports are useful for highly detailed technical information and for evidence that can produce a tremendous amount of data such as email or chat message analysis.

Appended reports can be handy for changing format without changing the entire report. For example, chat messages presented in a spreadsheet are easy to sort and organize by legal counsel. However, a conversational view of chat messages can better illustrate communication of multiple parties.
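As an added illustration of the point above (this is example code, not part of the original article or DriveSavers’ tooling), the script below takes the same chat export in spreadsheet form, which counsel can sort by any column, and renders it as a conversational view grouped by participant pair and day. The chat rows are constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed chat export in spreadsheet form (not real case data); rows are
# deliberately out of time order, as exports from some platforms are.
CHAT_CSV = """\
timestamp,sender,recipient,message
2017-03-02 14:07:10,jsmith,mlee,Can you send me the customer list before Friday?
2017-03-02 14:05:31,jsmith,mlee,Hey are you around
2017-03-02 14:09:44,mlee,jsmith,Sure. Dropbox ok?
2017-03-03 09:12:00,jsmith,rpatel,Lunch?
2017-03-02 14:10:02,jsmith,mlee,Yes thanks
"""


def load_rows(csv_text):
    """Read the spreadsheet-style export and parse the timestamp column."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%d %H:%M:%S")
    return rows


def sortable_rows(rows, key="timestamp"):
    """Spreadsheet view: the same rows, sorted on whichever column counsel asks for."""
    return sorted(rows, key=lambda r: r[key])


def conversational_view(rows):
    """Conversational view: one thread per pair of participants, in time order,
    with a separator whenever the day changes."""
    threads = defaultdict(list)
    for r in rows:
        # The pair is unordered: jsmith->mlee and mlee->jsmith are one conversation.
        threads[tuple(sorted((r["sender"], r["recipient"])))].append(r)
    out = []
    for pair in sorted(threads):
        out.append(f"=== Conversation: {pair[0]} <-> {pair[1]} ===")
        current_day = None
        for r in sorted(threads[pair], key=lambda r: r["ts"]):
            day = r["ts"].date()
            if day != current_day:
                out.append(f"--- {day.isoformat()} ---")
                current_day = day
            out.append(f"[{r['ts']:%H:%M:%S}] {r['sender']}: {r['message']}")
    return out


if __name__ == "__main__":
    print("\n".join(conversational_view(load_rows(CHAT_CSV))))
```

Both views are produced from the same rows, so the appended spreadsheet and the conversational transcript in the findings cannot drift apart.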


Conclusion

The Conclusion section is where it is appropriate to provide subjective analysis and expert opinions. The Conclusion should never contain new information and should wrap up the analysis in a direct and concise manner.

Additional Tip

To better prepare a defensible report, review by a peer is not only helpful, it is highly recommended!

A peer would be someone on staff, a coworker, management or someone else who is familiar with the forensic process. Ideally, more than one person should review your report. A coworker or lead examiner should go over the entire case, the scope of work, how you came about your findings and the supporting evidence. Management or the Director of Forensics should go over the case at a high level to see that it makes sense to the intended audience.

ESI Review

The Presentation Process also includes providing the relevant information in its native format or in a requested format, e.g. PDF, TIFF or a database format for ingestion into eDiscovery software. This brings us to the electronically stored information (ESI) Review Process, which will be discussed in the next article of this series.

Stay tuned for your lesson in ESI Review.

Legal Email Collection

When collecting email evidence for use in litigation, whether it’s criminal or civil in nature, it is imperative that emails be obtained in a lawful, repeatable and defensible manner. If they are not, they may not be admissible in court.


Obtaining Emails for Criminal Investigations

There are three legal methods routinely used for obtaining emails for use as evidence in a criminal investigation.

  • Warrant
  • Subpoena for Non-party Records
  • Signed Consent/Authorization

Warrant

A warrant is a document obtained from a judge by law enforcement that authorizes law enforcement to conduct a search for possible evidence in a criminal investigation. When requesting a warrant, law enforcement must show probable cause to believe that an item, in this case email, may be evidence of a crime.

A proper warrant must be specific about what location(s) may be searched and what item(s) may be seized or obtained. Law enforcement is required to stay within these parameters when conducting a search and seizing possible evidence, including obtaining emails. In the case of electronic evidence, the warrant issued may specifically note the phone, computer or other data storage device that is subject to data collection, and also specify the type of data to be collected—in this case, email. The device is collected by law enforcement and may also be brought to a third party, such as DriveSavers, to collect the email evidence.

Example: John Smith is under investigation. There is probable cause indicating that there is evidence for the case located in his email. It is suspected that email from John Smith’s account is downloaded into Outlook on an HP laptop computer used by his entire family. Law enforcement goes through the proper channels to obtain a signed warrant from a judge that allows them to search only that single laptop and obtain only email from John Smith’s email account. If the specified email account exists in a program on the specified computer, then the email data may be collected.

Subpoena for Non-party Records

A subpoena duces tecum, in the case of evidence collection for criminal investigation, is a formal demand for the production of documents from a non-party. A non-party is an individual, company or other party that is not directly involved with the investigation but may hold ownership or access to related evidence. In the case of email, a non-party would be an email provider such as Gmail or Yahoo.  

Where a warrant allows law enforcement to directly conduct collection themselves, a subpoena duces tecum requires the non-party that hosts the email, such as Gmail or Yahoo, to produce the email data and provide it to the requesting attorney, District Attorney’s office and/or the court for review.

Signed Consent/Authorization

If the owner of the email agrees to voluntarily provide email messages or direct access to the account, the requesting party should obtain a signed consent/authorization.

Obtaining Emails for Civil Litigation

The most common methods for obtaining emails for use as evidence in civil litigation are:

  • Demand for Production
  • Stipulation
  • Subpoena for Non-party Records
  • Court Order

Demand for Production

A Demand for Production of Documents, including electronically stored information (ESI), is part of the formal discovery process prescribed by a jurisdiction’s rules of civil procedure.

Although discovery rules in different jurisdictions may be similar, subtle differences and recent amendments may affect how to best demand emails and in what format that the emails will be produced. The producing party is then obligated to collect the email in a defensible manner in order to avoid expensive discovery disputes.

In most cases, the discovery process is the most expensive part of civil litigation. Employing a credible eDiscovery company like DriveSavers can help to mitigate costs by ensuring that emails and other ESI are produced using methods and formats that will be accepted by both parties and the court.

Stipulation

In order to reduce discovery cost, attorneys from both sides of a civil dispute may stipulate, or agree, to allow collection of their client’s email.

Stipulations most often include a protocol, specifying the allowable access to email accounts. A neutral eDiscovery/forensic company, such as DriveSavers, is used to collect the email data in a defensible and repeatable manner.

In most instances, when a neutral company is used to collect email, the protocol requires that the data first be reviewed by the attorney for the email owner prior to handing it over to the opposing party attorney. Privileged data and data that is not relevant to the case will be excluded from what is produced to the opposing attorney.

Subpoena for Non-party Records

Similar to criminal matters, a subpoena duces tecum used in civil litigation is a formal demand for the production of documents (email) from a non-party. In the case of email, a subpoena requires the individual or company that owns or hosts the email to produce the email data and provide it to the parties for review. The email data may be collected and produced using a third party such as DriveSavers.

Court Order

If the parties fail to agree or there was an irregularity in an initial email production, the matter may wind up in front of a judge. After hearing argument from counsel, the court may order a collection procedure similar to a stipulated protocol. The Court may also appoint its own expert to collect or evaluate a party’s original collection.

Consequences of Obtaining Emails Incorrectly

Using a third-party digital forensic or eDiscovery company like DriveSavers can make or break a case. It is the business of such companies to know how to collect, produce and present digital evidence.

In both civil litigation and criminal investigation, there are consequences if emails are not obtained properly.

  • Inadmissible Evidence
  • Spoliation Penalties

Inadmissible Evidence

If evidence is not obtained properly, then it may be ruled inadmissible. It is, therefore, imperative that proper procedure be followed in every detail from the beginning.

Spoliation Penalties

If email evidence is collected or obtained incorrectly and any data is intentionally deleted or otherwise altered in the process, spoliation monetary penalties may be imposed. Always use a reputable company that will obtain emails and other electronic evidence in a defensible, repeatable and court-validated manner.

Checklist for Properly Obtaining Email Evidence

  1. Go through appropriate legal channels: Obtain a warrant or court order from a judge, a subpoena, stipulation from an attorney or written consent from the owner of the email.
  2. Device collection: Digital evidence collection requires careful attention, as described in this article.
  3. Do your research: Use a reputable digital forensic or eDiscovery company such as DriveSavers. If email evidence is extracted improperly, the data may accidentally be changed or deleted in the process, and metadata such as time and date stamps may inadvertently be altered.
  4. Review: Once email data is extracted by a reputable company, the data may be provided to the attorney representing the email owner for review. Privileged and non-relevant data will be excluded from what is produced.

If you need assistance with legally and correctly obtaining emails or other electronic evidence, or have any questions regarding a digital forensic or eDiscovery issue, please call DriveSavers at 800.440.1904 for a consultation.

Digital Forensic Process—Analysis

By John Ahearne, Forensic Analyst


This article is part of a series that delves into each step of the digital forensic process. If you missed one of the previous articles, you can read them at the links below:

Analysis of Digital Evidence

Forensic digital analysis is the in-depth analysis and examination of electronically stored information (ESI), with the purpose of identifying information that may support or contest matters in a civil or criminal investigation and/or court proceeding.

When forensic analysis is the ultimate goal, it is imperative that the electronically stored evidence is treated with great care. The evidence must be preserved and nothing should be done that may alter the ESI during the analysis process. This is why the best legal result will be obtained by analyzing a forensic image or copy of the device as opposed to the original device or source. A source of digital evidence may be cloud-based as well.

As explained in the previous article in this series, the first step in the digital forensic process is identification. This step goes hand-in-hand with determining your scope of analysis.

Scope of Analysis

The scope of analysis begins with identifying who the key players are and where the electronically stored evidence is. This information is gathered during the identification step of the digital forensic process and requires clear communication with the client.

Whenever possible, the initial scope should be clearly identified, but that is not always the case. In some cases, we may be looking for a “needle in a haystack,” so the scope may be expanded or contracted as the analysis progresses. This is the Who, What, When and possibly the Where and Why part of the examination.

Documentation and communication should include:

  1. Focus of the examination
  2. General nature of the matter
  3. Time frame of the chain of events
  4. Logical and/or deleted data
  5. Data leakage
  6. Keywords

Focus of the Examination

What is the focus of the examination?

Identify who the people involved on both sides of the dispute are and who is the focus of the examination.

Please see our article, Digital Forensic Process—Identification.

General Nature of the Matter

What is the general nature of the matter? Is it regarding a will or trust, or a company design? Many legal cases have also arisen regarding customer lists, which can be considered valuable intellectual property (IP).

Employee misconduct, misappropriation of company information, fraud or divorce are just a few examples. Knowing the nature of the matter will help identify what type of data or what file types a forensic examiner should be looking for and where that data might be found.

Time Frame of Chain of Events

When did the chain of events occur?

The times and dates or a date range of when an alleged event took place will help narrow the examination. In the example of employee misconduct, when was the employee’s last work date? When was the device last used by the employee or returned to the company?

In this and similar situations, resist the temptation to log into an employee’s computer because you will compromise potential evidence, especially time/date stamps.

Logical and/or Deleted Data

Logical data refers to data that is not deleted and does not require data recovery or special software to access the information. Determine which data types should be included in the examination, such as Word documents, Excel spreadsheets, Acrobat PDFs, photographs and emails. Use of social media, such as Snapchat, WhatsApp, Facebook and YouTube may require analysis, depending on the case.

An emptied Recycle Bin or Trash is referred to as a hard deletion. Deleted data and a cleared web history are signs of hiding one’s tracks. With deleted data, we cannot be limited by a targeted collection of logical data only. A sector by sector forensic image of the entire device must be performed. It’s good practice to pre-emptively extract a forensic image of employee devices when any employee leaves a company.
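To put the preservation principle above (analyze a verified image, never the original) and the sector-by-sector imaging point into working form, here is an added Python example; it is not code from the original article and not a DriveSavers tool. It builds a small constructed "device" file, copies it sector by sector into an image while recording SHA-256 hashes of the source and of the image as re-read from disk, re-verifies the image against the recorded hash, shows that a fragment left in unallocated space is captured by the full image, and shows that any later modification of the image fails verification. The 512-byte sector size, the file names and the planted fragment are assumptions made for the example.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # logical sector size assumed for the constructed sample device


def hash_file(path, chunk_size=1 << 20):
    """SHA-256 of a file read in chunks, so a large image never has to fit in RAM."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def image_device(source_path, image_path, chunk_sectors=2048):
    """Copy every sector of source_path into image_path, hashing as we go.

    The source is opened read-only. The returned record holds the hash of the
    bytes read from the source and the hash of the image re-read from disk
    (not of the bytes still in memory), so a write error would show up as a
    mismatch. That record is what later verification is checked against.
    """
    source_digest = hashlib.sha256()
    copied = 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        while True:
            chunk = src.read(SECTOR * chunk_sectors)
            if not chunk:
                break
            source_digest.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())
    return {
        "source_sha256": source_digest.hexdigest(),
        "image_sha256": hash_file(image_path),
        "bytes_copied": copied,
        "sectors_copied": copied // SECTOR,
    }


def verify_image(image_path, recorded_sha256):
    """Re-verify an image against the hash recorded at acquisition time."""
    return hash_file(image_path) == recorded_sha256


def locate_marker(image_path, marker):
    """Sector number where marker first appears in the image, or -1 if absent.

    Content sitting in unallocated space has no file system entry pointing at
    it, so a logical collection would miss it; a full image still contains it.
    """
    with open(image_path, "rb") as f:
        data = f.read()
    offset = data.find(marker)
    return -1 if offset < 0 else offset // SECTOR


def build_sample_device(path, sectors=64):
    """Construct a small fake device file (constructed sample, not real evidence)."""
    data = bytearray((i * 31 + 7) % 256 for i in range(sectors * SECTOR))
    fragment = b"DELETED: customer_list_2016.xlsx"  # planted in 'unallocated' sector 10
    data[10 * SECTOR:10 * SECTOR + len(fragment)] = fragment
    with open(path, "wb") as f:
        f.write(data)
    return path


def run_demo():
    """Acquire, verify, find the fragment, tamper, re-verify; return the outcomes."""
    workdir = tempfile.mkdtemp()
    device = build_sample_device(os.path.join(workdir, "device.bin"))
    image = os.path.join(workdir, "device.dd")
    record = image_device(device, image)
    verified_before = verify_image(image, record["image_sha256"])
    marker_sector = locate_marker(image, b"DELETED:")
    # Simulate an analyst accidentally writing to the image: flip one byte in sector 3.
    with open(image, "r+b") as f:
        f.seek(3 * SECTOR)
        original = f.read(1)
        f.seek(3 * SECTOR)
        f.write(bytes([original[0] ^ 0xFF]))
    verified_after = verify_image(image, record["image_sha256"])
    return {
        "hashes_match": record["source_sha256"] == record["image_sha256"],
        "sectors_copied": record["sectors_copied"],
        "verified_before_tamper": verified_before,
        "verified_after_tamper": verified_after,
        "marker_sector": marker_sector,
    }


if __name__ == "__main__":
    print(run_demo())
```

The acquisition record (source hash, image hash, sector count) is what belongs in the Findings section: anyone repeating the verification on the produced image should obtain the same hash, and the single-byte tamper shows how little it takes for that check to fail.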

Establishing a scope of analysis and understanding where the data is stored helps us as forensic examiners to provide the client with accurate and fast results.

Data Leakage

The unauthorized transfer of information from inside to outside an organization is known as data leakage.

Were any external hard drives or other connected devices plugged into the computer? Examples include USBs, mobile devices or backup devices. Be sure to identify any possible sharing of data to another device.
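As an added example of what identifying connected devices can look like in practice (example code, not from the original article), the script below parses kernel log lines of the kind a Linux workstation writes when USB devices attach and detach, builds one record per attachment, and reports only the mass-storage devices, with vendor and product IDs, serial number, block device name, capacity and attach/detach times. The log lines are constructed for the example; on a real system they would be taken from the host's syslog or journal, and a Windows host would need the corresponding registry and setup-log sources instead.

```python
import re

# Constructed sample kernel log lines in syslog format (not from a real system):
# a mouse attaches at 09:13, a flash drive attaches at 09:14 and is removed at 09:31.
SAMPLE_LOG = """\
Jun 12 09:13:40 ws-17 kernel: [  790.004] usb 1-1: new low-speed USB device number 3 using xhci_hcd
Jun 12 09:13:40 ws-17 kernel: [  790.150] usb 1-1: New USB device found, idVendor=046d, idProduct=c077, bcdDevice=72.00
Jun 12 09:13:40 ws-17 kernel: [  790.150] usb 1-1: Product: USB Optical Mouse
Jun 12 09:13:40 ws-17 kernel: [  790.150] usb 1-1: Manufacturer: Logitech
Jun 12 09:14:02 ws-17 kernel: [  812.331] usb 1-2: new high-speed USB device number 4 using xhci_hcd
Jun 12 09:14:02 ws-17 kernel: [  812.470] usb 1-2: New USB device found, idVendor=0781, idProduct=5583, bcdDevice= 1.00
Jun 12 09:14:02 ws-17 kernel: [  812.470] usb 1-2: Product: Ultra Fit
Jun 12 09:14:02 ws-17 kernel: [  812.470] usb 1-2: Manufacturer: SanDisk
Jun 12 09:14:02 ws-17 kernel: [  812.470] usb 1-2: SerialNumber: 4C530001230412345678
Jun 12 09:14:03 ws-17 kernel: [  813.105] usb-storage 1-2:1.0: USB Mass Storage device detected
Jun 12 09:14:04 ws-17 kernel: [  814.220] sd 6:0:0:0: [sdb] 60062500 512-byte logical blocks: (30.8 GB/28.6 GiB)
Jun 12 09:31:45 ws-17 kernel: [ 1875.002] usb 1-2: USB disconnect, device number 4
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*[\d.]+\] (?P<msg>.*)$")
FOUND_RE = re.compile(r"^usb (?P<port>[\d.-]+): New USB device found, idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
ATTR_RE = re.compile(r"^usb (?P<port>[\d.-]+): (?P<key>Product|Manufacturer|SerialNumber): (?P<val>.*)$")
STORAGE_RE = re.compile(r"^usb-storage (?P<port>[\d.-]+):\d+\.\d+: USB Mass Storage device detected")
BLOCK_RE = re.compile(r"^sd \d+:\d+:\d+:\d+: \[(?P<dev>sd[a-z]+)\] (?P<blocks>\d+) (?P<bs>\d+)-byte logical blocks")
DISCONNECT_RE = re.compile(r"^usb (?P<port>[\d.-]+): USB disconnect")


def parse_usb_events(log_text):
    """Turn kernel log lines into one record per USB device attachment."""
    devices = []          # every attachment seen, in order of appearance
    active = {}           # port -> record for devices currently attached
    awaiting_block = []   # mass-storage records not yet tied to a block device
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        if (f := FOUND_RE.match(msg)):
            rec = {"port": f["port"], "vid": f["vid"], "pid": f["pid"],
                   "connected": ts, "disconnected": None, "mass_storage": False,
                   "block_device": None, "capacity_bytes": None}
            devices.append(rec)
            active[f["port"]] = rec
        elif (a := ATTR_RE.match(msg)) and a["port"] in active:
            active[a["port"]][a["key"].lower()] = a["val"]
        elif (s := STORAGE_RE.match(msg)) and s["port"] in active:
            active[s["port"]]["mass_storage"] = True
            awaiting_block.append(active[s["port"]])
        elif (b := BLOCK_RE.match(msg)) and awaiting_block:
            # The sd line carries no USB port, so tie it to the oldest storage
            # device still waiting for its block device name.
            rec = awaiting_block.pop(0)
            rec["block_device"] = b["dev"]
            rec["capacity_bytes"] = int(b["blocks"]) * int(b["bs"])
        elif (d := DISCONNECT_RE.match(msg)) and d["port"] in active:
            active.pop(d["port"])["disconnected"] = ts
    return devices


def storage_devices(devices):
    """Keep only the devices that could have carried data off the machine."""
    return [d for d in devices if d["mass_storage"]]


def report(devices):
    """One line per mass-storage attachment, suitable for an appended report."""
    lines = []
    for d in storage_devices(devices):
        lines.append(f"{d['connected']} -> {d['disconnected'] or 'still attached'}: "
                     f"{d.get('manufacturer', '?')} {d.get('product', '?')} "
                     f"(VID {d['vid']} PID {d['pid']}, S/N {d.get('serialnumber', '?')}, "
                     f"{d['block_device']}, {d['capacity_bytes'] / 1e9:.1f} GB)")
    return lines


if __name__ == "__main__":
    print("\n".join(report(parse_usb_events(SAMPLE_LOG))))
```

The serial number is the value worth carrying into the report: it is what lets a drive found later be matched to an attachment window on the computer, and the attach/detach times are what get compared against file access times and the employee's last work date.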

Internet of Things (IoT) devices are becoming more prevalent in our lives and should also be considered. Examples include wearable technology, company/rental cars, surveillance cameras or home assistants.

Are the email servers and cloud storage systems monitored and backed up by IT? Is there a legal responsibility to preserve data?

Keywords

What are names, phrases and words that could be helpful in locating the data of interest? Examples may include contacts, personal email addresses, project names or companies in direct competition.

Scope Limitations

Limitations may be in effect due to privacy or opposing interests.

In matters involving opposing interest, a party or court may limit the scope of information to be analyzed or even collected. It is always best to get this in writing in the form of a Stipulation or a Protective Order. The digital forensic analyst should be included in the creation of this documentation to ensure that the limitations are possible, based on the way the ESI is stored and how forensic software acquires and processes the data.

Time can be an issue. Are there any immediate court dates or depositions scheduled?

Privileged communications between attorney and client, doctor and patient, and husband and wife are common limitations to consider when providing evidence in a case. Just because a wife hands over her husband’s cell phone, it does not mean that the authority to analyze it is automatic. Employees may have an expectation of a certain amount of privacy even when using a company-supplied laptop. Does company policy clearly define what privacy the employee can expect, and does the employee understand it?

Personally Identifiable Information (PII), such as patient records, Social Security numbers and tax records, is ESI that needs to be protected. It is important to investigate any third-party digital forensic team you may employ to be sure all data is protected by the necessary security certifications, such as SOC 2 Type II and HIPAA.

Forensic Tools and Software

A repeatable and defensible process is the continuing theme throughout this series of articles. Forensic and eDiscovery software are no exception. There are many forensic/eDiscovery tools on the market. Free and open source tools are also available. An experienced digital forensic examiner will know what tool or tools are the best for the type of device and the type of data.

Forensic Software Validation

Regardless of what tool or software you use, it must be validated. I am not going to get into the Daubert Standard here; a quick search will provide you with plenty of reading material. However, the digital forensic examiner has to be certain that the information produced by the forensic software is accurate.

A forensic examiner has to know where information is stored and how the chosen forensic tool parses out that information. There are no shortcuts to this requirement. You can’t rely on “push-button” forensics by simply running some software and spitting out the results.

Training, experience and good tech support are a few of the ways a forensic examiner can gain the knowledge necessary to validate their tools. Forensic forums, podcasts and articles are other methods to stay on top of new trends and technologies.

At the same time, there has to be some faith in your forensic software. If we had to validate every single step, we would never get any work done. An application’s main purpose is to improve productivity and accuracy. Industry-leading forensic software does not stay in the lead if its subscribers are finding errors in the product. It is important for forensic analysts to be trained and certified in digital forensics and eDiscovery by leading software vendors because these are the tools that generally provide the best results.

Open Source vs. Commercial Software

Open source software certainly has its place. There are times that, if a forensic examiner sees something that doesn’t seem right or doesn’t make any sense, open source software can be used to validate commercial software by comparing results. If results from different software vary in ways that were not expected, then it’s time for some research and/or software tech support.
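The comparison described above can be made systematic. The following is an added example (not from the original article, and not a feature of any particular product): it loads the file listings that two tools exported for the same evidence, normalizes the path and column conventions that differ between them, and reports files seen by only one tool, size disagreements and hash disagreements, which are exactly the places where research or a support ticket is warranted. The two listings are constructed for the example, with the hashes computed from short constructed contents so they are real SHA-256 values.

```python
import csv
import hashlib
import io


def _sha256(data):
    return hashlib.sha256(data).hexdigest()


# Constructed listings as two tools might export them. Tool A (commercial)
# reports Windows paths and capitalized headers; tool B (open source) reports
# POSIX-style paths. The contents behind the hashes are made up for the sample.
TOOL_A_CSV = "\n".join([
    "Path,Size,SHA256",
    f"C:\\Users\\jsmith\\Documents\\customer_list.xlsx,48212,{_sha256(b'customer list v3')}",
    f"C:\\Users\\jsmith\\Documents\\proposal.docx,15300,{_sha256(b'proposal draft')}",
    f"C:\\Users\\jsmith\\Downloads\\setup.exe,2048000,{_sha256(b'installer')}",
    f"C:\\Users\\jsmith\\AppData\\Local\\Temp\\~WRL0001.tmp,15300,{_sha256(b'proposal draft')}",
]) + "\n"

TOOL_B_CSV = "\n".join([
    "filename,size,sha256",
    f"/Users/jsmith/Documents/customer_list.xlsx,48212,{_sha256(b'customer list v3')}",
    f"/Users/jsmith/Documents/proposal.docx,15300,{_sha256(b'proposal draft')}",
    f"/Users/jsmith/Downloads/setup.exe,2048000,{_sha256(b'installer (different bytes)')}",
    f"/Users/jsmith/Documents/$I_old_customer_list.xlsx,48212,{_sha256(b'customer list v2')}",
]) + "\n"


def normalize_path(p):
    """Make paths from different tools comparable: one separator, no drive letter, one case."""
    p = p.replace("\\", "/")
    if len(p) >= 2 and p[1] == ":":
        p = p[2:]
    return p.lower()


def load_listing(csv_text):
    """Read a tool's CSV export into {normalized_path: {size, sha256, reported_path}}."""
    reader = csv.DictReader(io.StringIO(csv_text))
    cols = {c.lower(): c for c in reader.fieldnames}
    path_col = next(cols[c] for c in ("path", "filename", "name") if c in cols)
    hash_col = next(cols[c] for c in ("sha256", "hash") if c in cols)
    size_col = cols["size"]
    listing = {}
    for row in reader:
        listing[normalize_path(row[path_col])] = {
            "size": int(row[size_col]),
            "sha256": row[hash_col].lower(),
            "reported_path": row[path_col],
        }
    return listing


def compare_listings(a, b):
    """Classify every path seen by either tool; only 'agree' needs no follow-up."""
    result = {"only_in_a": [], "only_in_b": [], "size_mismatch": [],
              "hash_mismatch": [], "agree": 0}
    for key in sorted(set(a) | set(b)):
        if key not in b:
            result["only_in_a"].append(key)
        elif key not in a:
            result["only_in_b"].append(key)
        elif a[key]["size"] != b[key]["size"]:
            result["size_mismatch"].append(key)
        elif a[key]["sha256"] != b[key]["sha256"]:
            result["hash_mismatch"].append(key)
        else:
            result["agree"] += 1
    return result


def needs_followup(result):
    """True when any category other than 'agree' is non-empty."""
    return any(result[k] for k in ("only_in_a", "only_in_b", "size_mismatch", "hash_mismatch"))


if __name__ == "__main__":
    outcome = compare_listings(load_listing(TOOL_A_CSV), load_listing(TOOL_B_CSV))
    for category, paths in outcome.items():
        print(category, paths)
```

In the sample, two files agree, one file has the same size but a different hash in each tool (the kind of result that should never be reported until the cause is understood), one temporary file was listed by tool A only, and tool B alone reported a renamed copy of the customer list. Each of those is a question to answer before the Findings section is written, not a line to silently drop.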

One thing about open source software: there is no tech support. You are on your own with open source. If you paid for software—any kind of software—take advantage of that tech support (it’s paid for!).

Budget matters as well. Industry-leading software and forensic training are not cheap. A lot of good open source software is free, and many leading vendors offer tools for free, especially to law enforcement.

You may already have software in place, like Google Vault or Takeout, that can be of use to your forensic/eDiscovery team. BlackBag Technology offers free two-day training. SANS Institute offers a free forensic toolkit and free webinars that earn CPE credits. Keep informed of upcoming offers like these.

Every good forensic lab should have a healthy balance of quality forensic software by leading vendors and open source, and the knowledge to stand behind them.

Accurate, Repeatable and Defensible

Whether you work in law enforcement putting criminals behind bars, or in the corporate/civil world where someone may lose a job or custody of their children, we as forensic examiners and analysts always have to be sure that our results are accurate.

With DriveSavers, you can be confident that our results are accurate, repeatable and defensible, as well as secured and treated with the respect and the integrity that you require.

Stay tuned for your lesson in Presentation!

DVR Examiner User Certification

DVR Examiner

User Certification Course

3 Day Course
December 5-7, 2017

DriveSavers, Inc.
400 Bel Marin Keys Blvd.
Novato, CA 94949

What is DVR Examiner?

DVR Examiner is a software solution for acquiring video and metadata from CCTV DVRs in a forensically sound manner. DVR Examiner eliminates time consuming export processes, password complications, and issues with the DVR’s overall condition.

Class with DVR Examiner



  • 3-day course
  • 2-year certification
  • One year subscription to DVR Examiner
  • Tour of the DriveSavers facility

Class Only



  • 3-day course and 2-year certification
  • Tour of the DriveSavers facility

Hotel Information

Best Western Plus Novato Oaks Inn
415.883.4400 or 800.625.7466

Ask for the “DriveSavers” group block.

Special group rate $139 + tax guaranteed until November 20th.

Register Today!

Email: [email protected]
Call: 800.413.0363

Payment Deadline: November 5th

eWeek: Data Recovery Specialist DriveSavers Meets New SSAE 18 Security Standards

Originally published by eWeek.

By Chris Preimesberger

New standards converge the varying degrees of compliance standards that previously existed and bring all U.S. standards up to international standards of compliance.

DriveSavers, which specializes in data recovery, eDiscovery and digital forensics, said Aug. 2 that it is now in compliance with new data security requirements added to Standards Organization Controls (SOC) 1 and 2.

The American Institute of Certified Public Accountants recently enacted updated attestation standards for SOC 1 and 2. As of May 1, 2017, all service organizations that want to certify as maintaining security measures compliant with these protocols must pass Statement on Standards for Attestation Engagements (SSAE) No. 18, otherwise known as SSAE 18, rather than the previous standard, SSAE 16.

New requirements by these regulations are practices to which DriveSavers said it has been adhering for several years, including regular risk assessment and detailed reporting of the security practices of third-party services used by the company.

DriveSavers retrieves critical files from all types of data storage media, including solid state drives (SSDs), hard disk drives (HDDs), smartphones, camera cards and enterprise-level devices such as RAID, NAS and SAN. The company handles all kinds of data loss situations, including mechanical failure, physical, water and fire damage, data corruption, file deletions and more.

DriveSavers said it already meets international data security protocols, such as the Privacy Shield Framework and organizational data security protocols such as those for financial, legal, corporate and healthcare industries, including HIPAA, GLBA, FERPA, SOX and others.

Not only is security compliance essential for enterprise-level multi-drive devices such as RAID, NAS and SAN devices, but for all data storage devices. This includes smartphones, DriveSavers said.

During the last 32 years, DriveSavers has worked extensively with law enforcement agencies to provide legally defensible investigations and reports, and has experience understanding and interpreting data from all types of digital devices and operating systems.

DriveSavers claims to be the only data recovery service provider in the industry to post proof that it undergoes an annual SOC 2 Type II audit, which qualifies its security practices to handle enterprise-class recoveries and support those customers who must maintain compliance with data privacy and data security regulations including:

  • NIST (National Institute of Standards & Technology) SP 800-171
  • NIST (National Institute of Standards & Technology) SP 800-34 (Rev. 1)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • FERPA (Family Educational Rights and Privacy Act)
  • SOX (Sarbanes-Oxley Act of 2002)
  • GLBA (Gramm-Leach-Bliley Act of 1999)

All leading manufacturers authorize DriveSavers to open sealed drive mechanisms without voiding the original warranty, including Intel, Toshiba, SanDisk, Apple, Western Digital, Dell EMC, Sony, Kingston, VMWare and others.

DriveSavers customers include Bank of America, Google, Lucasfilm, NASA, Harvard University, St. Jude Children’s Research Hospital, U.S. Army and Sandia National Laboratories.

Legal Technology Moves Into “IoT” Territory

By Bob Mehr, Sr. Legal Services Advisor

Internet of Things (IoT)

Technology is changing today’s legal landscape as courts grapple with a wave of electronic evidence coming from places and things that connect to the Internet. This new evidence is from sources we never imagined would be admissible, including smart phones, doorbells, virtual assistants and even implanted medical devices.

All of the above tools can be part of the Internet of Things (IoT), a category of equipment with an active Internet connection. The output is commonly referred to as ESI, or electronically stored information. These IoT devices—which by 2020 are expected to outnumber humans by a 3-1 margin, according to Pew Research—routinely collect, analyze and store information that can be transmitted through the Internet.

Sometimes that information may actually be evidence of a crime and how the courts deal with that issue is a work in progress.

Texts Urging Suicide Lead to Manslaughter Conviction

In a recent Massachusetts case, the girlfriend of a teen-age suicide victim who used texts to encourage him to end his life was convicted of manslaughter for her role in the death.

Conrad Roy III died from carbon monoxide poisoning inside his pickup truck in July 2014.

Juvenile court Judge Lawrence Moniz last month found Michelle Carter guilty of manslaughter in Roy’s death because texts and calls from her phone encouraged him to get back into the truck as it filled with deadly carbon monoxide gas.

“Instructing Mr. Roy to get back in the truck constituted wanton and reckless conduct, creating a situation where there’s a high degree of likelihood that substantial harm would result,” the judge said.

Sentencing is due later this year.

Echo Data Key in Murder Trial

In an unrelated case, information that was recorded by an Amazon Echo device and could be evidence of an Arkansas murder may be used at trial later this year.

Amazon had initially resisted legal efforts to hand over recordings made by an Echo device owned by the alleged assailant, James Andrew Bates. Bates has subsequently given authorities the device to search for clues.

Bates is accused of murdering Victor Collins, who was found dead in Bates’ hot tub in November of 2016.

Police are hoping that the Echo, a personal assistant that responds to verbal requests for information, may have recorded something important about the activities that happened on the day of Collins’ death.

Investigators have already found some evidence from another Internet-connected device, a water meter at the Bates home, that showed 140 gallons of water usage on the night of the murder. Police theorize that Bates used the water to wash away blood from Collins’ murder before authorities arrived at the scene.

Pacemaker Info Sought in Arson Case

Police in Middletown, OH hope to prove an arson case through evidence obtained from a pacemaker inside the defendant’s body. Investigators say the pacemaker’s readings do not support the defendant’s claim about his activities prior to the fire.

Police reported that the defendant, Ross Compton, told them that after he saw the fire, he packed his belongings in a suitcase and then threw everything out a broken window before he rushed out of the burning home to safety.

Doctors have told police that it was “highly improbable” that someone with Compton’s ailments could collect and remove the items so quickly.

The Changing Landscape of Electronic Evidence

Law enforcement and civil litigators now have another source of evidence—searching for clues and ESI in the IoT universe where “always-on” smart devices may collect and store evidence of criminal behavior or civil liability.

Never underestimate the importance of an electronic device. At DriveSavers, we have analyzed voice recorders, automatic electronic defibrillators (AEDs) and all manner of IoT devices. Even automobiles are sources of ESI (how many times has your smartphone synced with your car?) and may one day be called upon as evidence in court.

Petya/ExPetr was Data Killer, Not Ransomware

By Michael Hall, Chief Information Security Officer

Data Killer Malware

The malware attack that started in Eastern Europe in late June and quickly spread around the globe looks like it was not a ransom attack at all, but an all-out effort to destroy data, according to a security company that examined the program’s code.

At first, the attack detected on June 27 looked similar to the Petya ransomware that emerged in 2016. With that software, infected users had to pay a ransom to the attackers to obtain the key that unlocked their encrypted files.

Now it appears that the new software, dubbed Petya/ExPetr, never gave its operators a way to decrypt anything: the “installation key” it displays to victims is random data, not something derived from the key used to encrypt the disk, so even the attackers cannot recover the data. This led researchers at Kaspersky Lab to conclude that the main reason for the attack was to wipe or destroy computer content, not to collect a ransom.

“After an analysis of the encryption routine of the malware used in the Petya/ExPetr attacks, we have thought that the threat actor cannot decrypt victims’ disks, even if a payment was made,” Kaspersky Lab said in a blog post.

“This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”

The security firm called this a “worst-case” situation for victims because even if they pay the ransom they will not get their data back. The Kaspersky blog added, “this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive.”

Matt Suiche, a researcher with another security firm, Comae Technologies, reached the same general conclusion. “This version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon,” Suiche wrote. “We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents, to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon.”

Like WannaCry a few weeks earlier, Petya/ExPetr used the EternalBlue exploit, developed by the United States National Security Agency (NSA) and later leaked online, to enter Windows computers that had not installed Microsoft’s March 2017 patch (MS17-010). Unlike WannaCry, which encrypted individual files, Petya/ExPetr also overwrote the disk’s master boot record and encrypted the master file table, leaving the whole drive unbootable. It also spread differently: once one unpatched machine was infected, the malware harvested credentials from it and used standard Windows administration tools (PsExec and WMIC) to execute itself on other machines on the network, including machines that were fully patched. This is why patching alone was not enough to stop it once it was inside a network.

Roughly three quarters of the victims of Petya/ExPetr were located in Ukraine, where the attack started. Targets included Ukraine’s central bank, its main international airport and the radiation monitoring systems at the Chernobyl nuclear facility. From there, it spread to dozens of countries around the globe, including some businesses in the United States such as the multinational law firm DLA Piper, the Pennsylvania health care provider Heritage Valley Health System and the pharmaceutical company Merck.

Petya Prevention

The first line of defense against an attack like Petya/ExPetr is the same as for WannaCry: apply security patches promptly. Microsoft had closed the EternalBlue entry point months before the attack, and every patched machine was one fewer way in. Because Petya/ExPetr also moved between machines with harvested administrator credentials, patching should be paired with limiting those credentials: do not reuse one local administrator password across machines, and do not log on to ordinary workstations with domain administrator accounts.

All organizations should keep a current list of all company devices and of devices that connect to company systems, such as employees’ personal devices that come in through a VPN. When security patches become available, the IT department should check each device on that list and record that it has been patched, so that every possible entry point is accounted for. A device that is not on the list cannot be confirmed as patched, and a device that has not reported in recently cannot be trusted either.
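The check-off described above is easy to get wrong by hand, because the interesting cases are the devices that are missing from one list or the other. The following is an added example, not DriveSavers’ tooling: it reconciles a device inventory against a patch-status report and flags hosts that are unpatched, have not reported in recently, never reported at all, or are reporting in but were never inventoried. The inventory and report formats, field names, hostnames and dates are all constructed for illustration; a real deployment would feed this from an asset database and an endpoint-management or scanner export. The one real identifier is MS17-010, Microsoft’s bulletin for the SMBv1 fix that EternalBlue targets.

```python
"""Reconcile a device inventory against a patch-status report.

Added example (not DriveSavers' code). INVENTORY, REPORT and the field
names are constructed sample data; only the bulletin ID MS17-010 is real.
"""
from datetime import datetime, timedelta

# The patch every host must report before it counts as protected.
REQUIRED = {"MS17-010"}

# Constructed inventory: everything that touches the network, including
# employee-owned devices that come in over VPN.
INVENTORY = [
    {"hostname": "fs01",        "owner": "IT",   "class": "server"},
    {"hostname": "hr-laptop-7", "owner": "HR",   "class": "laptop"},
    {"hostname": "ceo-macbook", "owner": "Exec", "class": "byod"},
    {"hostname": "lab-xp-box",  "owner": "R&D",  "class": "desktop"},
]

# Constructed patch report keyed by hostname: patches each host reports
# having, and when it last checked in (ISO 8601, UTC).
REPORT = {
    "fs01":        {"patches": {"MS17-010"}, "last_seen": "2017-06-28T09:00:00"},
    "hr-laptop-7": {"patches": set(),        "last_seen": "2017-06-27T18:30:00"},
    "ceo-macbook": {"patches": {"MS17-010"}, "last_seen": "2017-06-10T12:00:00"},
    "rogue-nas":   {"patches": set(),        "last_seen": "2017-06-28T08:00:00"},
}


def reconcile(inventory, report, required, now_iso, stale_days=7):
    """Return the hosts that still need attention, grouped by reason.

    unpatched: reported in, but missing at least one required patch
    stale:     reported in, but too long ago for the report to be trusted
    unknown:   on the inventory, but never reported in at all
    unmanaged: reporting in, but absent from the inventory (unknown asset)
    A host may appear under more than one reason (e.g. stale and unpatched).
    """
    now = datetime.fromisoformat(now_iso)
    stale_after = timedelta(days=stale_days)
    known = {d["hostname"] for d in inventory}
    result = {"unpatched": [], "stale": [], "unknown": [], "unmanaged": []}

    for host in sorted(known):
        entry = report.get(host)
        if entry is None:
            result["unknown"].append(host)
            continue
        last_seen = datetime.fromisoformat(entry["last_seen"])
        if now - last_seen > stale_after:
            result["stale"].append(host)
        if not required <= entry["patches"]:
            result["unpatched"].append(host)

    # Anything reporting in that IT never inventoried is an unknown asset.
    result["unmanaged"] = sorted(set(report) - known)
    return result


def all_clear(result):
    """True only when every list in the reconciliation result is empty."""
    return not any(result.values())


if __name__ == "__main__":
    findings = reconcile(INVENTORY, REPORT, REQUIRED, "2017-06-28T12:00:00")
    for reason, hosts in findings.items():
        print(f"{reason:10s} {', '.join(hosts) or '-'}")
    print("all clear:", all_clear(findings))
```

With the constructed data, `hr-laptop-7` is unpatched, `ceo-macbook` has not checked in for over a week and so cannot be trusted as patched, `lab-xp-box` is on the inventory but has never reported, and `rogue-nas` is reporting in without ever being inventoried. The last two categories are the ones a plain “did everyone install the patch?” pass tends to miss.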

In addition to keeping up with security, operating system and program updates, it is important to use and maintain antivirus and anti-malware software. Be sure to also install updates to these programs whenever they become available.

Related Articles:

Ransomware Takes a New Turn—How WannaCry was Different

WannaCry Recovery Tips

Ransomware Data Recovery

Cybercrime Forecast: Upswing in 2017

6 Ways to Protect Yourself from Hackers

Ransomware Takes a New Turn—How WannaCry was Different

By Michael Hall, Chief Information Security Officer


Last month, the ransomware known as WannaCry spread through the world at an astonishing rate, attacking hundreds of thousands of computers in a single day and holding their data for ransom.

In 2016, ransomware cost its victims approximately $1 billion. That is $1 billion for all victims of all ransomware programs over the entirety of 2016.

By some estimates, WannaCry cost victims a comparable amount in its first twenty-four hours.

So how did it spread so quickly and do so much damage in only one night?

Weakness—Computer or User?

Previously, malware had to be downloaded to a target computer and executed, or set loose, by someone actively using that computer. Once running, ransomware encrypts important files with a key that only the attackers hold. The victim is told the key can be had for a price, hence the term ransomware.

Why would anyone download ransomware to their own computer? They wouldn’t knowingly. Malware has historically been delivered through innocent-looking email attachments or links, sometimes in a message that appears to come from someone the user knows. This is known as phishing, and it continues to be a growing problem.

Learn more about traditional phishing and how to identify it.

Once the victim clicked on the bait link, the attack happened automatically and access to their data became blocked—just like somebody had slapped combination locks on their files and then demanded payment for the combination!

The WannaCry ransomware that disrupted businesses around the world last month, however, did not depend on phishing or any other action by the user. Instead, its operators used a direct route into the operating system that bypassed users altogether.

That route was a stolen exploit known as EternalBlue, developed by the United States National Security Agency (NSA) for its own intrusion operations and published online by a group calling itself the Shadow Brokers. An exploit is a program designed to take advantage of a flaw (a vulnerability) in commonly used software or operating systems. When the flaw is unknown to the software’s maker, the exploit is called a zero day, because the vendor has had zero days to fix it and users have no patch to apply. EternalBlue was a zero day for as long as the NSA kept it secret. By the time WannaCry appeared it no longer was: Microsoft had patched the underlying flaw in the Windows SMBv1 file-sharing service on March 14, 2017 (security bulletin MS17-010), a month before the public leak.

Zero days are valuable for espionage because they allow entry into systems that no defender knows to protect. As WannaCry makes abundantly clear, the same exploits are valuable for theft, ransomware and other criminal activity once they leak, and a patch helps only those who install it. Less than a month after the Shadow Brokers released EternalBlue in April 2017, the WannaCry operators used it to enter Windows computers that had not yet installed the March update and launch their ransomware. Because WannaCry also scanned for and infected other vulnerable machines on its own, it spread from one unpatched computer to the next without anyone clicking anything.

WannaCry affects only Windows computers. The MS17-010 update closes the hole, and a Windows 10 system that was current on updates was already protected; users of earlier Windows versions need to install the update. Windows XP and other versions Microsoft no longer supports did not receive the March fix. Microsoft released an emergency patch for them after the outbreak, but these systems should be upgraded to a supported version, since future fixes will not normally reach them.

Don’t Let Your Guard Down

The Microsoft patch doesn’t mean the end to this type of malware access. Criminals continue to use similar technology and security vulnerabilities to take control of users’ systems for a variety of malicious purposes. In fact, the sale of exploits is a thriving trade in the criminal world.

As always, it is critical that all computer users, not just Windows users, check for new patches for their systems and keep their software and operating systems up to date. More exploits like EternalBlue, whether newly discovered or leaked from someone’s arsenal, will certainly be used for criminal campaigns like WannaCry in the near future.

Professional Ransomware Data Recovery

If you have been infected by WannaCry or any other type of ransomware, there is hope! Call DriveSavers at 800.440.1904 to find out more.

WannaCry Data Recovery Tips

DriveSavers Ransomware Data Recovery Services

Digital Forensic Process—Preservation / Collection

By John Ahearne, Forensic Analyst

This article is part of a series that delves into each step of the digital forensic process. If you missed one of the previous articles, you can read them at the links below:

Handling Digital Evidence

Handling of evidence is the most important aspect in digital forensics. It is imperative that nothing be done that may alter digital evidence. This is known as preservation: the isolation and protection of digital evidence exactly as found without alteration so that it can later be analyzed.

Collection is the gathering of devices and the duplication of electronically stored information (ESI) so that an exact copy of the original is preserved and the original itself remains untouched while digital forensics is performed. Here at DriveSavers, we never work on the original. Historically, collecting data for forensics literally meant pulling the plug on a computer and sending it to a forensic team. Depending on the situation, this is no longer acceptable, and in certain cases it is a sure way to lose valuable evidence. On the other hand, some devices must be turned off or isolated in a way that does not alter evidence. A smartphone that stays connected, for example, can receive a remote wipe command that erases everything, so it should be cut off from the network (airplane mode, or removal of the SIM card) rather than left online. Careful consideration of the situation is necessary.

Dead box forensic collection (imaging a device after it is powered off in order to collect digital evidence) still remains an essential part of the digital forensic process. It is growing more and more important with today’s technology to conduct live box forensic collection or simply a live collection (the collection of data from an active device prior to shutting it down). For example, if the device is encrypted, without the passcode or encryption key, you may never have another chance to acquire valuable evidence if that device powers off or locks due to inactivity.

Relevant data can also be permanently lost through continued use of a device, such as when an employee leaves a company and their computer is reassigned. When a summons arrives six months later, it is too late to realize that the old computer should have been preserved. Preserving a former employee’s electronic devices, especially those of C-level executives, is not strictly a forensic requirement, but it can surely be considered a business best practice. I know it is tempting to log onto a former employee’s device and see what they did, but stop! If the data may be needed for litigation, it must be preserved for collection first. Every log-on changes time and date stamps, system log files rotate, and valuable information can be lost.

A copy of digital evidence must be properly preserved and collected in accordance with forensic best practices. Otherwise, the digital evidence may be inadmissible in court or spoliation sanctions may be imposed. This might be a good time to go back and review the Identification process.

A proper forensic image (a sector-by-sector copy) captures the operating system (OS), unallocated space and deleted data in addition to user-generated data, and its integrity is established by hashing both the source and the image and confirming that the two values match. There will be times when it is not possible to collect the OS or deleted data because of time constraints, business operations or court-ordered restrictions; a focused or targeted collection of ESI will then be required. If deleted data is suspected, a sector-by-sector copy of the entire drive is necessary, and it can be time consuming. If you have minutes rather than hours, most of the relevant evidence can usually be acquired by collecting user-generated data only; don’t forget the recycle bin.
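The check that makes a sector copy “defensible and repeatable” is simple to state but worth seeing end to end: read the source once, hash it while copying, re-hash the written image independently, and record both digests with who did it and when. The following is an added example, not DriveSavers’ tooling. The “device” is a constructed file rather than a real disk, and the record fields, function names and case identifiers are assumptions for illustration. In practice the source would be a block device opened through a hardware or software write blocker, and the record would be attached to the chain-of-custody form.

```python
"""Sector copy with hash verification and an acquisition record.

Added example, not DriveSavers' code. The sample 'device' is a constructed
file; the record layout, CASE ID and examiner name are illustrative.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512


def _hash_file(path, block_size=SECTOR * 1024):
    """SHA-256 of a file, read in fixed-size blocks (so it works on large images)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(source, image, examiner, case_id, block_size=SECTOR * 1024):
    """Copy every byte of `source` to `image`; return an acquisition record.

    The source hash is computed from the bytes as they are read, and the image
    hash is computed by re-reading what was written, so a write error or a
    short copy shows up as a mismatch rather than going unnoticed.
    """
    started = datetime.now(timezone.utc)
    src_hash = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for chunk in iter(lambda: src.read(block_size), b""):
            src_hash.update(chunk)
            dst.write(chunk)
            copied += len(chunk)
    image_hash = _hash_file(image, block_size)
    return {
        "case_id": case_id,
        "examiner": examiner,
        "source": os.path.abspath(source),
        "image": os.path.abspath(image),
        "bytes": copied,
        "sha256_source": src_hash.hexdigest(),
        "sha256_image": image_hash,
        "verified": src_hash.hexdigest() == image_hash,
        "started_utc": started.isoformat(),
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }


def verify(image, record, block_size=SECTOR * 1024):
    """Re-hash an image later (e.g. before analysis) and compare to the record."""
    return _hash_file(image, block_size) == record["sha256_image"]


def append_log(log_path, record):
    """Append one JSON line per acquisition; the log travels with the evidence."""
    with open(log_path, "a") as log:
        log.write(json.dumps(record, sort_keys=True) + "\n")


def demo(workdir=None):
    """Run the whole flow on a constructed 'device' file and return the results."""
    workdir = workdir or tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "evidence.bin")
    image = os.path.join(workdir, "evidence.dd")
    # Constructed sample: an odd length so the final read is a partial block.
    with open(source, "wb") as f:
        f.write(os.urandom(SECTOR * 3 + 17))

    record = acquire(source, image, "J. Doe (hypothetical)", "CASE-0001", block_size=SECTOR)
    append_log(os.path.join(workdir, "acquisition.log"), record)
    intact = verify(image, record, block_size=SECTOR)

    # Flip one byte of the image: a later verification must now fail.
    with open(image, "r+b") as f:
        f.seek(5)
        original = f.read(1)
        f.seek(5)
        f.write(bytes([original[0] ^ 0xFF]))
    tampered_detected = not verify(image, record, block_size=SECTOR)

    return {"record": record, "intact": intact, "tampered_detected": tampered_detected}


if __name__ == "__main__":
    result = demo()
    print(json.dumps(result["record"], indent=2, sort_keys=True))
    print("intact before tamper:", result["intact"])
    print("tamper detected:", result["tampered_detected"])
```

Two design points carry over to real tooling: hash the source from the same bytes you write rather than in a separate pass (a second read of a failing drive may return different data), and re-read the image from disk for its hash rather than trusting the bytes in memory. The record is what goes into the chain-of-custody file; the single-byte tamper at the end shows why the image hash, not just the source hash, has to be re-checked before analysis.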

Critical Business Operations

Business servers in a production environment provide critical functions to employees or services to customers. Unplugging one could cost a corporation millions in lost revenue and productivity. In this situation, the device cannot be powered down, and collection of relevant data must occur while the system is active. After-hours, weekends or scheduled maintenance windows are options for collecting from a business server. It is important to consult with experts such as DriveSavers who will work with the company’s IT department to ensure that business operations are not adversely affected by the collection of server drives or data.

More and more companies are moving critical functions to the cloud or to a hybrid, a combination of both (servers and the cloud). DriveSavers can control collection costs by acquiring evidence remotely and securely from our protected environment.

A court order may direct the parties to provide data from a particular employee or employees and no others, and privileged communications or personal information may have to be redacted. Again, it is important to consult an expert such as DriveSavers that can act as a neutral third party and understands the importance of relevant, privileged and regulated data. Please stay tuned for future articles on Analysis and Presentation for more information.

Encrypted Data

Data at rest will not be accessible on an encrypted device or inside encrypted partitions after it powers off or locks if the following is unknown:

  • User names
  • Passwords and passcodes
  • Encryption keys

This becomes an issue both for personal devices like laptops and smartphones and for small companies without a dedicated IT team managing a master encryption key (or recovery key) for company-owned devices. It is important to note that most current smartphones and many laptops are encrypted by default. Nearly all smartphones have a privacy lock, and increasingly complex passcodes and encryption schemes make them very difficult to bypass.

If the device is unlocked and you are unsure of the passcode, and you have the authority to do so, please disable the passcode or change/simplify it to something that can be remembered. If you have a company device, please check with your IT department for admin accounts and/or master keys. It is a good idea to place a device in airplane mode and/or remove the SIM card, if it is to be considered for collection. Please document every step taken to secure a device for collection: the time, date, location and changes that were made.

If the device is NOT encrypted, computer user passwords are not required to image it.

Inaccessible Devices

If a device is locked or physically damaged to the point that it is not possible to access the ESI, give DriveSavers a call. DriveSavers engineers in our Certified ISO Class 5 Cleanroom have had tremendous success in recovering wet/corroded, fire-damaged, physically damaged (crushed, cracked screen, etc.), and mechanically and electronically failed devices. Please have the passcodes/passwords readily available, because the window of opportunity to access a severely damaged device is sometimes a short, one-time opportunity.

If a device is locked and its passcode is unknown, please give DriveSavers a call. We may be able to help.

Locations of Electronic Evidence

Examples of devices that may need to be collected for digital evidence:

  • Smartphones
  • Tablets
  • Laptops
  • Desktops
  • External hard drives
  • Flash/Thumb drives
  • Camera cards
  • Backup Tapes
  • Servers & RAIDs
  • DVRs & Surveillance systems
  • MP3 players
  • GPS devices
  • Game stations (Xbox, PlayStation, etc.)

Never underestimate the importance of an electronic device. We have even analyzed voice recorders and automatic electronic defibrillators (AEDs)! Internet of Things (IoT) devices and automobiles are also sources of ESI (how many times has your smartphone synced with your car?).

Preparing Devices for Data Collection

There are many different scenarios. Every possible situation has to be thought out carefully. DriveSavers specialists are available by phone 24/7 by calling 800.440.1904.

If the device is already powered down, do not turn it on. Follow these steps for forensically sound data collection:

  1. Determine if the device is on or off:
    • Look for lights
    • Listen for sounds
    • Feel for vibrations, haptic feedback and heat
    • A smartphone, tablet or laptop may be in sleep mode and appear to be off
    • If the device is a laptop or desktop, wiggle the mouse, but do not click any buttons
    • Is the smartphone or tablet’s screen greasy or dirty? Look for swipe patterns
    • Press the Home button or swipe the screen
  2. If the device is on, ask these questions and document the answers:
    • Is the device locked?
    • Is the user interface accessible?
    • Is the device encrypted? Do you know the passcode?
    • Is the battery charged?
  3. If a smartphone, tablet or laptop is on, activate airplane mode
  4. Record device model numbers, serial numbers and passcodes
  5. Take pictures
  6. Start a chain of custody document; DriveSavers will send you one
  7. If a device must be shut down in order to preserve ESI (such as a computer), shut the device down properly using the “shut down” command; note that shutting down discards the contents of RAM and may rotate logs, so any live collection that is wanted must happen before this step
  8. If you suspect destructive software (formatting, deleting, removing or altering data) is running, turn off the device immediately; pull the plug!
  9. Check for any removable media
    • CD/DVD trays
    • SD card slots
    • Flash drives
    • Sticky notes

Once a device is turned off, it can be delivered to a lab like DriveSavers for acquisition and/or analysis. Package all components, clearly labeling all devices, preferably in anti-static bags:

  1. Label the bags or boxes containing devices
  2. Package the device (anti-static bag whenever possible) tightly and securely in a box or evidence bag with at least two inches of bubble wrap
    • A local FedEx office can help you package the device
    • DriveSavers has several drop off locations in major cities; assistance with packaging is available here
  3. Keep all media away from magnets, moisture, extreme temperature and other potentially damaging elements
  4. Do not place evidence in the trunk of a vehicle, especially overnight

Sometimes due to business requirements, company policy or geographic location, it may not be feasible to send devices to a forensic lab or it may be financially prohibitive to shut down a corporate system. In the case of malware or network intrusions, valuable information may be lost if an electronic device is shut down. In this situation, an Incident Response Team must be onsite in a timely manner.

In any situation, DriveSavers can work with company IT staff, legal departments and opposing parties to preserve data for collection in a manner that is both defensible and repeatable according to forensics best practices.


May 23, 2017: A Primer on Current Android Device Forensics (Enfuse)

Enfuse Conference 2017

Rene Novoa, DriveSavers Sr. Manager of eDiscovery and Digital Forensics, will be joining Ronen Engler, Cellebrite Sr. Manager of Technology and Innovation, to speak at the Enfuse Conference in Las Vegas.

Title: A Primer on Current Android Device Forensics
Date/Time: Tuesday, May 23, 2017 11:00AM – 12:00PM
Location: Caesars Palace, Las Vegas, NV

With Android devices comprising a majority of the smartphone market, it is critical to stay current on the state of Android device forensics. This session will cover current extraction technology, potential additional sources of data to supplement extraction limitations, encryption issues and challenges facing mobile device examiners that are specific to Android devices. It will walk through an Android workflow from pre-seizure through an overview of advanced analysis. Participants will be given a current breakdown of options for devices running the most recent version of Android, including obtaining a physical extraction, bypassing locked devices, and identifying and handling device encryption to obtain the most data possible.
