Towards the end of 2017 I was asked to conduct some forensics on our internal systems, and warned that if I accepted the job it may result in a court appearance.  The person making the request to my employer was a representative of the UK's Information Commissioner's Office, so this was a serious investigation for an external entity.  I can't go in to too much detail of the legal case but I'll be discussing the broader issues and processes in this post.  I gave a talk on this to BCS Kent Branch so will include a link to my slides at the end - I recommend you have a look at it if you're interested in this topic as it's more detailed than this post.

Digital Forensics (forensics hereafter) is the process of recovering files or determining what actions took place on a system.  If you've ever used a tool to recover deleted (or lost) files then you've performed some basic forensics yourself.  I won't be going in to too much detail on how or why forensics works, although I cover that a little in my presentation.

My brief was to determine if emails existed in a mailbox at varying points in time, and if possible determine what had happened to the emails.  Forensics will struggle to conclusively prove who performed an action as we're firmly rooted in the digital realm - I can tell you which account performed an action, but I cannot tell you which human was in control of an account at a given moment.  This is a similar problem when people share a user account as you can't know who really did something, as some of the UK's MPs commented earlier in the year.

As you can imagine, that Tweet earned a backlash on Twitter, but it highlights the point beautifully.  I make sure this caveat is in all of my reports as part of my job as a forensic analyst is to present facts, not supposition.  I have to be fair to all parties.

The forensic process

It's important not to jump straight in to analysing the evidence, we have to follow the correct process.  By following process we protect ourselves as digital forensic analysts, preserve the integrity of the evidence (which could be crucial in a case, legal or otherwise), and importantly ensure a fair assessment can be made.  Every movement of the evidence is noted in the chain of custody log: when we received the evidence (and from whom), when it's copied, where it's transferred to.

We start by noting down details about the evidence.  If we've been handed a physical asset, like a hard disk or mobile phone, we should note its make, model, serial number (or other identifying numbers) and also its condition.  If the evidence arrives with a cracked screen that should be noted (even photos taken).  Details go in the chain of custody documentation.  For me, the evidence was a PST file export from a Microsoft Exchange mail server.

Next we calculate the hash of the asset (MD5, SHA1, SHA2 etc.) to determine the asset's digital signature before taking an image of it using a tool like dd or ftkimager.  After checking the image created correctly (another hash calculation) we're ready to take a copy of the image (we always want to work on the copy) and start our analysis.

Some organisations have access to tools like Accessdata's FTK but this wasn't true for me (and the business wouldn't have supported a request for $3,000 for me to get a license).  I had to perform my analysis using Microsoft Outlook (arguably not a bad tool for this job) given I was looking at restored copies of the mailbox from different points in time.

It's easy to get distracted while looking in someone's mailbox - they've arguably got more interesting emails than you have! Keep your brief in mind and stick to it, avoiding anything outside of scope.  Don't delete files / emails that are out of scope - you want to avoid making changes wherever possible.

See the presentation for more information on the forensics side of things.

Attending court

I wasn't really sure what to expect during my court visit, although our legal team had given me some pointers.  My big concern was that I'd be discredited during cross examination (happens in the movies) and I explain more about that in the presentation.

When I arrived I had to pass security: a bag search and I had to sip from my flask of tea.  My tea flask keeps tea scalding hot for hours so that did hurt a bit, your mileage may vary!  It's certainly work taking lunch with you as not all courts have any form of canteen (this one did, but only on other days of the week).  Water was on hand though.

After passing security you need to report to the clerk, who records the fact you've arrived and will check any special arrangements with you.  I was asked if I was OK being sat in the usual waiting area, along with other witnesses and defendants, which was fine.  Be wary: anything you say can be overheard so be selective in your conversations.  Also note that you cannot speak to the other witnesses about the case, so for the sake of perception it's best not to talk to them beyond greetings.  This was unfortunate as I'd been working with someone at the Information Commissioner's Office for months and we'd wanted to swap anecdotes (suitably anonymised of course) but that wasn't possible.

At no point was I asked to show my ID, which I thought was very strange.  Once in the courtroom you have to swear an oath to tell the truth and then are asked to state your name.  To lie at this point is committing perjury so that essentially covers the identity part.

Questioning then began from the prosecution (ICO) side and initially I had to answer questions on my statement from memory.  After a few questions the barrister asked if my "memory 7 months ago was better than my memory now" (i.e. is my statement going to be better than my memory), which was obviously the case, so I was provided a copy of my two statements.  These were completely un-annotated (annotations would imply I was a coached witness, the same reason that I couldn't know the questions I was to be asked in advance).  When answering, you provide your answers to the magistrates, so look at them and watch their pens.  If they're writing notes and potentially struggling to keep up, they won't be listening to you correctly.  Slow down and make sure your answers are right for the audience - magistrates are lay people.  They have a legal adviser to help with the law but you're there to explain your statement and technical elements.  Don't make your answers so complicated that they can't be understood.

Cross examination then began and the defence barrister seemed to like asking vague questions.  I made sure my answers were precise, as that was only fair.  The best advice my employer's legal department gave me was to just treat cross examination questions like any other question.  It doesn't matter who's asked it, you just answer based on what you know and what's in your statement.  You're not there to create new evidence so there's no need to think on your feet per se.

Finally the magistrates asked some questions before dismissing me and advising I couldn't talk about the case to anyone outside the room.  That's why this post, and presentation, are all generic in terms of details.

On leaving the court I was intercepted by the press (my assumption, but as they'd been outside all morning it seems to be a fair one).  The reporter only asked one question ("did you say email was stored for a century?") and I declined to tell him what I said (given the magistrate's instruction).  This annoyed him but was unavoidable.  Just remain polite and bid them a good day, but also keep in mind your organisation may have a policy on talking to the press that you need to read up on.

Would I do it again?

Not that I'm expecting to be called as a witness to anything any time soon, but this is a good question nonetheless.  I'm always happy to provide technical guidance and perform forensics, although most often that's at work when a manager wants intrinsic details on what their employees have been doing online.  The only exception to that is when I'd be too close to the investigation (investigating a family member, for example).

If called to, yes I'd give evidence in court.  Mainly because doing so helps justice and sometimes having someone technical clearly explain things can be the difference between a conviction / firing and continued freedom / employment.

Presentation download

Show and Tell - Forensics and Giving Evidence (PDF)

Thanks to Fayi's blog for the nice walk through of how to serve static files (my slides) while using Ghost.  Saved my thinking about the solution.

Banner image, "magnifying glass", from, by TheStructorr.