Week 1: Assignment #1
Please read these two articles:
Using forensics against a fitbit device to solve a murder: https://www.cbsnews.com/news/the-fitbit-alibi-21st-century-technology-used-to-help-solve-wisconsin-moms-murder/
How Amazon Echo could be forensically analyzed: https://www.theverge.com/2017/1/6/14189384/amazon-echo-murder-evidence-surveillance-data
Then go around your residence/dwelling (home, apartment, condo, etc.) and be creative.
Identify at least five appliances or devices that you THINK could be forensically analyzed and then identify how this might be useful in an investigation. Note – do not count your computer or mobile device. Those are obvious!
I expect at least one paragraph answer for each device.
Why did I assign this?
The goal is to have you start THINKING about how any device that is capable of holding electronic data (and transmitting it to the Internet) could be useful in a particular investigation!
Week 1: Assignment 2
On your computer, look for the following files created by Microsoft Office (I assume you have Microsoft Office on your computer).
Adobe Acrobat (.PDF)
Right click on the file and select Properties. See screenshot.
You will see something like this. See screenshot.
What information do you see in the metadata? How could this metadata be valuable to you in the context of an investigation?
Do the same thing by examining the metadata of your other files created with office software, e.g. Microsoft Word, Adobe Acrobat, Microsoft Excel. What else do you see, and how could the metadata be helpful?
Experiment. For example, make some changes to the Microsoft Word document, save the file, then close it. Then check the metadata properties. What changed?
Make a copy of the file and then check the properties of the copied file. Did anything change? If so, what changed?
Copy the file to a USB device (an external storage device, if you have one) and then examine the copy on the USB device. Did anything change? If so, what changed?
Do some research if you can. Which of the dates is most likely to be trustworthy?
Note: the Created, Modified, and Accessed dates are not infallible, but some are generally more “trusted” than others.
Write an evaluation of your observations and let me know if this has helped you understand the fragility of metadata as well as chain of custody considerations.
Ensure professional writing. Be concise and make it easy to understand. Screenshots are appreciated as this will add transparency to your work.
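A scripted version of the edit-and-copy experiment above, added here as an example (it is not part of the assignment): it creates a file, back-dates it by a year, edits it, copies it two ways, reads it, and reports which of the Created/Modified/Accessed stamps moved. Written in Python against the standard library; it assumes a local filesystem. The file name and contents are constructed for the example. On Linux without birth-time support, the "created" value falls back to ctime (inode change time), which is not a creation date, so that caveat is part of the lesson.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path


def stamps(path) -> dict:
    """Filesystem timestamps for path, in nanoseconds.

    'created' is the birth time where Python/OS expose it (Windows, macOS,
    recent Linux); otherwise it falls back to st_ctime, which on Linux is the
    inode *change* time, not creation, so treat it with care."""
    st = os.stat(path)
    birth_ns = getattr(st, "st_birthtime_ns", None)            # Python 3.12+
    if birth_ns is None:
        birth = getattr(st, "st_birthtime", None)               # macOS/BSD
        birth_ns = int(birth * 1e9) if birth is not None else st.st_ctime_ns
    return {
        "created": birth_ns,
        "modified": st.st_mtime_ns,
        "accessed": st.st_atime_ns,
        "changed": st.st_ctime_ns,   # Linux: inode change; older Windows: creation
    }


def _experiment(work: Path) -> dict:
    original = work / "contract.txt"          # constructed sample file
    original.write_text("draft 1\n")

    # Back-date the file by a year (whole seconds, so FAT/NTFS round-trip it)
    # so that any timestamp the OS refreshes stands out as "new".
    old_ns = (int(time.time()) - 365 * 24 * 3600) * 10**9
    os.utime(original, ns=(old_ns, old_ns))

    # 1) Edit and save: Modified must move forward.
    with original.open("a") as f:
        f.write("draft 2\n")
    edit_moved_modified = stamps(original)["modified"] > old_ns

    # Back-date again so both copies start from the same baseline.
    os.utime(original, ns=(old_ns, old_ns))

    # 2) Content-only copy (shutil.copy, like most drag-and-drop copies):
    #    the destination is a new file, so Created and Modified read "now".
    plain = work / "copy_plain.txt"
    shutil.copy(original, plain)

    # 3) Metadata-preserving copy (shutil.copy2, like cp -p / robocopy /COPY:DAT):
    #    Modified/Accessed are carried over, but the copy is still a new
    #    directory entry, so its Created (or ctime) is "now".
    preserved = work / "copy_preserved.txt"
    shutil.copy2(original, preserved)

    # 4) Merely opening the copy: whether Accessed moves depends on mount
    #    options (relatime/noatime) or the NTFS last-access policy, which is
    #    why Accessed is the least trusted of the three dates.
    preserved.read_text()

    return {
        "edit_moved_modified": edit_moved_modified,
        "plain_copy_modified_is_new": stamps(plain)["modified"] > old_ns,
        "plain_copy_created_is_new": stamps(plain)["created"] > old_ns,
        "copy2_kept_modified": stamps(preserved)["modified"] == old_ns,
        "copy2_created_is_new": stamps(preserved)["created"] > old_ns,
        "read_moved_accessed": stamps(preserved)["accessed"] > old_ns,  # platform dependent
    }


def run_experiment(workdir=None) -> dict:
    """Run the experiment in workdir, or in a throwaway temp directory."""
    if workdir is None:
        with tempfile.TemporaryDirectory() as d:
            return _experiment(Path(d))
    return _experiment(Path(workdir))


if __name__ == "__main__":
    for name, moved in run_experiment().items():
        print(f"{name}: {moved}")
```

Point `run_experiment("/path/on/usb")` at a removable drive to repeat the USB step of the assignment; on a FAT-formatted stick, Modified is stored with 2-second resolution and Accessed as a date only, so expect the comparisons to look different there. The takeaway is the one the note above makes: Modified survives a careful copy, Created is rewritten by any copy, and Accessed may not update at all.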
Why Did I Assign This?
There can be A LOT of clues found in metadata, for example:
If the metadata shows several files being last accessed on April 19, 2017 at 1:11:41 PM and the system's USB history shows a device connected at 1:15:12 PM on the same date, then it is possible that the actor copied the files to the USB device.
If the actor states that the contract was finalized on April 3, 2016 but the metadata shows that the file was modified on April 19, 2017 at 1:11:42 PM then it is possible the actor may have made some changes to the contract which means it cannot be considered the original contract.
A savvy investigator especially in eDiscovery knows about metadata and will insist that metadata be preserved.
Would you like a real world example too?
You are an investigator involved in a contractual case.
The substantive issue at question is when a contract was created. The other side has claimed that the contract (Microsoft Word) was created on Monday, September 21 then signed by the parties on the same day.
Your client vehemently disagrees “We did talk about a deal but I did not sign a contract that day!”
You ask the opposing client for a copy of the document and you are given that document. Naturally the thing you do is examine the metadata. Then you depose the opposing party.
Given your knowledge of metadata, you ask very careful questions during the deposition including:
“Did you create the document on your computer?”
“After you created the document, did you copy it to an external drive or to a different location on your hard drive?”
“Did you access or modify the document once you received notice of this lawsuit?”
Then you smile when you hear the answers. So you go to the judge and request that the purported “contract” be thrown out because it cannot be authenticated based on its metadata: the created, modified and accessed dates fall on a different day than the alleged signing, and the opposing party has just told you that he did not touch the document after the contract was allegedly signed. Settlement in favor of your client is now looking more likely.
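One more check a practitioner would make in the contract scenario above, added here as an example (not part of the page): Word writes its own author, "last modified by", revision count and created/modified timestamps inside the .docx, in the part docProps/core.xml, and those values survive a copy to another drive unchanged, so they can corroborate or contradict the filesystem dates. The script below builds a minimal OOXML container, parses the core properties, and flags a document whose embedded "modified" stamp postdates the date the other side claims it was finalized. Python standard library only; the names, dates and revision number are constructed for the example, while the namespace URIs are the published OOXML ones.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespaces used by docProps/core.xml in .docx/.xlsx/.pptx packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
}

# Constructed sample: what Word might have written for a hypothetical
# contract.docx. Author, revision and dates are made up for this example.
SAMPLE_CORE_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties
  xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:dcterms="http://purl.org/dc/terms/"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>A. Vendor</dc:creator>
  <cp:lastModifiedBy>A. Vendor</cp:lastModifiedBy>
  <cp:revision>7</cp:revision>
  <dcterms:created xsi:type="dcterms:W3CDTF">2015-09-21T14:03:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">2015-10-02T09:15:00Z</dcterms:modified>
</cp:coreProperties>"""


def build_sample_docx() -> bytes:
    """Bytes of a minimal zip container carrying the sample core.xml.
    A real .docx has more parts ([Content_Types].xml, word/document.xml, ...);
    only docProps/core.xml matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("docProps/core.xml", SAMPLE_CORE_XML)
    return buf.getvalue()


def _parse_w3cdtf(value):
    """Word stores UTC timestamps as W3CDTF, e.g. 2015-09-21T14:03:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def core_properties(docx_bytes: bytes) -> dict:
    """Pull the Details-tab fields out of an OOXML package's core.xml.
    Works on the raw bytes, so it is the same on the original and any copy."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))

    def text(tag):
        el = root.find(tag, NS)
        return el.text if el is not None else None

    return {
        "creator": text("dc:creator"),
        "last_modified_by": text("cp:lastModifiedBy"),
        "revision": int(text("cp:revision") or 0),
        "created": _parse_w3cdtf(text("dcterms:created")),
        "modified": _parse_w3cdtf(text("dcterms:modified")),
    }


def edited_after(props: dict, claimed_final_iso: str) -> bool:
    """True if the embedded 'modified' stamp postdates the moment the party
    claims the document was finalized/signed (given as W3CDTF/ISO 8601)."""
    claimed = _parse_w3cdtf(claimed_final_iso)
    return props["modified"] is not None and props["modified"] > claimed


if __name__ == "__main__":
    props = core_properties(build_sample_docx())
    for key, value in props.items():
        print(f"{key}: {value}")
    print("edited after claimed signing:",
          edited_after(props, "2015-09-21T23:59:59Z"))
```

Two caveats go with this: these fields are written by the application, not the OS, so a user can clear or edit them (Word's "Inspect Document" does exactly that), and a revision count of 7 with a "modified" stamp eleven days after the claimed signing is a question for the deposition, not proof by itself. Used together with the filesystem dates from the earlier experiment, though, two independent records that disagree with the other side's story are hard to explain away.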