Archive for October, 2014

Who? What? When? Why? Where? And How?

A key factor in placing any person at the scene of a crime is obtaining evidence that ties an identified suspect to that scene. Previously discussed methods of physical surveillance and obtaining records are usually the best evidence of placing a suspect at a specific place and at a specific time, but as most investigations involve reacting to incidents, this may not always be possible.

Second best evidence is the examination of an electronic device that had been possessed by a suspect. The only reason why this is not as good as physically placing a person at a scene is because unless there is additional corroborating information, a forensic examination of electronic media by itself cannot place a person at that device.

Investigations need to establish where the electronic device has existed by date, time, and location based on the device’s activity. As there will be a multitude of dates and locations collected, our ever growing timeline of suspect activity comes into play to keep track of the evidence chronologically. In a case where several electronic devices have been used by a suspect, the amount of data expands exponentially.

Read More

Recovering Evidence from SSD Drives

In 2012, DFI News published an article called “Why SSD Drives Destroy Court Evidence, and What Can Be Done About It”. Back then SSD self-corrosion, TRIM, and garbage collection were little known and poorly understood phenomena. In 2014, the situation looks different. Having handled numerous cases involving the use of SSD drives and gathered a lot of statistical data, we now know things about SSD drives that allow forensic specialists to obtain information from them despite the obstacles.

SSD Self-Corrosion
The effect of SSD self-corrosion, as well as the root cause, is well covered by existing publications, including our own 2012 paper on SSD forensics. The evidence self-destruction process is triggered by the TRIM command issued by the operating system to the SSD controller at the time the user either deletes a file, formats a disk, or deletes a partition. The data destruction process is only triggered by the TRIM command; the data destruction itself is carried out by the separate process of background garbage collection.

In many cases the TRIM command is not issued at all. This article discusses these exclusions to gain a better understanding of the situations when deleted data can still be recovered from an SSD drive.

Deterministic Read After Trim
Experiences recovering information from SSD drives vary greatly among SSD users.

“I ran a test on my SSD drive, deleting 1,000 files and running a data recovery tool five minutes later. The tool discovered several hundred files, but an attempt to recover them returned a bunch of empty files filled with zeroes,” said one Belkasoft customer.

“We analyzed an SSD drive obtained from a suspect’s laptop and were able to recover 80% of deleted files several hours after they’ve been deleted,” said another user.

Why such inconsistency in user experiences? The answer lies in the way the different SSD drives handle trimmed data pages.

Some SSD drives implement what is called Deterministic Read After Trim (DRAT) and Deterministic Zeroes After Trim (DZAT), returning all-zeroes immediately after the TRIM command releases a certain data block, while others do not implement this protocol and will return the original data until it’s physically erased with the garbage collection algorithm.

With non-deterministic TRIM, each read command after a TRIM may return different data, while with both DRAT and DZAT, all read commands after a TRIM return the same data.

As we can see, in some cases the SSD will return non-original data (all zeroes, all ones, or some other non-original data) not because the physical blocks have been cleaned immediately following the TRIM command, but because the SSD controller says that there is no valid data held at the trimmed address on a logical level previously associated with the trimmed physical block.
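The distinction drawn above between what the controller reports and what the flash physically holds can be seen in a small model. This is an added example, not code from the article or from any SSD vendor: `ToySSD`, `TrimMode`, `observe` and the `0xA5` DRAT fill pattern are assumptions made for illustration, and the non-deterministic case is modelled the way the article describes it (original data is returned until garbage collection erases the page).

```python
from enum import Enum

PAGE = 16                        # toy page size in bytes
ZEROS = bytes(PAGE)              # what a DZAT drive reports for a trimmed LBA
DRAT_PATTERN = b"\xa5" * PAGE    # constructed fixed pattern for the DRAT case
ERASED = b"\xff" * PAGE          # erased NAND cells read back as all ones


class TrimMode(Enum):
    NON_DETERMINISTIC = 0        # drive does not implement DRAT/DZAT
    DRAT = 1
    DZAT = 2


class ToySSD:
    """Minimal flash translation layer: logical addresses map to physical pages."""

    def __init__(self, mode, pages=4):
        self.mode = mode
        self.flash = [ERASED] * pages    # physical page contents
        self.free = list(range(pages))   # erased pages ready for writes
        self.l2p = {}                    # logical address -> physical page
        self.trimmed = {}                # trimmed LBA -> page still holding old data
        self.garbage = []                # pages waiting for background erase

    def write(self, lba, data):
        if lba in self.l2p:              # overwrite: old page becomes garbage
            self.garbage.append(self.l2p[lba])
        self.trimmed.pop(lba, None)
        phys = self.free.pop(0)
        self.flash[phys] = data.ljust(PAGE, b"\x00")[:PAGE]
        self.l2p[lba] = phys

    def trim(self, lba):
        # TRIM only drops the mapping; nothing is erased at this point.
        phys = self.l2p.pop(lba, None)
        if phys is not None:
            self.trimmed[lba] = phys
            self.garbage.append(phys)

    def garbage_collect(self):
        # The separate background process that actually destroys the data.
        for phys in self.garbage:
            self.flash[phys] = ERASED
            self.free.append(phys)
        self.garbage.clear()
        self.trimmed.clear()

    def read(self, lba):
        if lba in self.l2p:
            return self.flash[self.l2p[lba]]
        if self.mode is TrimMode.DZAT:
            return ZEROS                 # answered from the mapping table alone
        if self.mode is TrimMode.DRAT:
            return DRAT_PATTERN          # same non-original data on every read
        phys = self.trimmed.get(lba)     # no guarantee: stale page may still be served
        return self.flash[phys] if phys is not None else ERASED


def observe(mode):
    """Return (logical read, physical page) before and after garbage collection."""
    ssd = ToySSD(mode)
    ssd.write(0, b"deleted-evidence")    # constructed 16-byte sample payload
    phys = ssd.l2p[0]
    ssd.trim(0)
    before = (ssd.read(0), ssd.flash[phys])
    ssd.garbage_collect()
    after = (ssd.read(0), ssd.flash[phys])
    return before, after


if __name__ == "__main__":
    for mode in TrimMode:
        print(mode.name, observe(mode))
```

In the DRAT and DZAT runs the logical read already returns non-original data while the physical page still holds the payload, which matches the two customer reports quoted earlier.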

Read More

FBI director: iPhones shield pedophiles from cops

In an interview on CBS’ “60 Minutes” on Sunday, Comey said Apple’s encryption standards for iPhones and iPads “put people beyond the law.”

Apple recently took measures to enhance user privacy. Now, only users have the key to unlock text messages, photos and emails on their device. As such, iOS 8 will shield your data from anyone — including police.

Here’s how it works: You send a text message that’s encrypted on your device. It passes through Apple servers as jumbled code nobody can crack. And it can only get decrypted by your friend’s iPhone passcode.
Google has announced it’s doing the same for its Android devices.

The FBI director isn’t pleased.

“The notion that people have devices… that with court orders, based on a showing of probable cause in a case involving kidnapping or child exploitation or terrorism, we could never open that phone? My sense is that we’ve gone too far when we’ve gone there,” Comey told CBS.

Comey compared selling iPhones to selling “cars with trunks that couldn’t ever be opened by law enforcement with a court order.”

But there are two things that are wrong with that statement:

1) The FBI can still get your phone data. Now, they can’t do it secretly by going to Apple or Google. Agents must knock on your front door with a warrant in hand — the way it’s always been.
If you don’t give the FBI access to your phone, it can ask a federal judge to force you. If you refuse, the government can throw you in jail and hold you in contempt of court.

The FBI and Apple did not respond to requests for comment.

Joel Kurtzberg is a New York lawyer who specializes in First Amendment cases (in which journalists often refuse court orders to disclose sources). He said the biggest difference now is that the FBI can’t be covert when it wants your data.

“This is going to make it harder for law enforcement. Now, they’ll have to tip off their target,” he said. “And it will result in instances where someone will destroy evidence.”

But even for the most dangerous cases, there are still workarounds. Video surveillance — the classic kind — can spy on someone as they type their passcode. And the NSA has technology to slip device-controlling malware into phones anyway.

Read More

BRIDGEPORT CT Oct 14 2014 — A proposal to keep sex offenders and other criminals out of city schools by doing instant background checks and issuing photo IDs to all visitors could well be jettisoned before it is even tried.

Parents, members of the public and even school board members expressed concern that instead of keeping students safe, the system would become a deterrent to parent involvement for individuals who are undocumented, have pasts they want to put behind them or who worry about personal information being collected and stored by the school.

“What I am hearing as a parent, this is going to be a big problem in our district,” Tammy Boyle, president of the District Parent Advisory Council, said. “I can guarantee you if this is anywhere pertaining to what it seems like … it is going to be a problem.”

The idea, according to Police Lt. Paul Grech, who oversees school district security, is to create a visitor access system that is better than simply asking visitors to sign in and wear a green visitor sticker.

“We’re committed to further ensuring our kids are safeguarded against sex offenders at school,” Grech said. “This system helps us do just that by using 21st century technology.”

He told members of the school board’s security committee this week that the Fast Pass system — as it is known — is a tool other districts are turning to.

Using a portion of a $1.4 million school security grant the district received from the state following the December 2012 Sandy Hook School shooting that killed 20 first graders and six adults, the plan would require all visitors to a city school to show identification or give their name, which would be entered into a computer.

The computer would conduct instant background checks, and a printer would print out a temporary picture ID with the date, time and location.

About $20,000 would be enough to equip three schools with the system. Of that, $4,000 would come from the city.

Grech wants to try the system out first at the Fairchild Wheeler Interdistrict Campus, work out the bugs, and then bring it to the city’s other high schools.

The system could be customized to collect as much, or as little information, as the board wants, said James Denton, a supervisor of school security. In the case of evacuation, it would also tell officials who was in the building.

“It is a way to give security guards … another tool on their belt,” Denton said.

Now in place
All 37 school buildings in the district have one or more security guards and share about a dozen school police officers, according to officials.

There are also security cameras in and around schools, but not enough. Board member Dave Hennessey said he wishes instead of a visitor access system, the state grant money could be applied to more pressing needs, like extra guards and security cameras for the 1,200 student Cesar Batalla School.

District schools have locked doors and a buzzer entry system. Since Sandy Hook, security guards began asking to see identification of visitors.

“The last thing we want is parents to feel that the police are going to come get them,” said Hernan Illingworth, a school board member.

“We need to do a better job of keeping our children safe,” Illingworth said.

At Central High School, which his daughter attends, Illingworth said even with security guards and metal detectors at the front entrance, people seem to be able to wander the hallways unchecked.

Read More

Over the telephone, in jail and online, a new digital bounty is being harvested: the human voice.

Businesses and governments around the world increasingly are turning to voice biometrics, or voiceprints, to pay pensions, collect taxes, track criminals and replace passwords.

“We sometimes call it the invisible biometric,” said Mike Goldgof, an executive at Madrid-based AGNITiO, one of about 10 leading companies in the field.

Those companies have helped enter more than 65 million voiceprints into corporate and government databases, according to Associated Press interviews with dozens of industry representatives and records requests in the United States, Europe and elsewhere.

“There’s a misconception that the technology we have today is only in the domain of the intelligence services, or the domain of ‘Star Trek,’” said Paul Burmester, of London-based ValidSoft, a voice biometric vendor. “The technology is here today, well-proven and commonly available.”

And in high demand.

Dan Miller, an analyst with Opus Research in San Francisco, estimates that the industry’s revenue will roughly double from just under $400 million last year to between $730 million and $900 million next year.

Barclays PLC recently experimented with voiceprinting as an identification for its wealthiest clients. It was so successful that Barclays is rolling it out to the rest of its 12 million retail banking customers.

“The general feeling is that voice biometrics will be the de facto standard in the next two or three years,” said Iain Hanlon, a Barclays executive.

Vendors say the timbre of a person’s voice is unique in a way similar to the loops and whorls at the tips of someone’s fingers.

Their technology measures the characteristics of a person’s speech as air is expelled from the lungs, across the vocal folds of the larynx, up the pharynx, over the tongue, and out through the lips, nose, and teeth. Typical speaker recognition software compares those characteristics with data held on a server. If two voiceprints are similar enough, the system declares them a match.

The Vanguard Group Inc., a Pennsylvania-based mutual fund manager, is among the technology’s many financial users. Tens of thousands of customers log in to their accounts by speaking the phrase: “At Vanguard, my voice is my password” into the phone.

“We’ve done a lot of testing, and looked at siblings, even twins,” said executive John Buhl, whose voice was a bit hoarse during a telephone interview. “Even people with colds, like I have today, we looked at that.”

The single largest implementation identified by the AP is in Turkey, where mobile phone company Turkcell has taken the voice biometric data of some 10 million customers using technology provided by market leader Nuance Communications Inc. But government agencies are catching up.

In the U.S., law enforcement officials use the technology to monitor inmates and track offenders who have been paroled.

In New Zealand, the Internal Revenue Department celebrated its 1 millionth voiceprint, leading the revenue minister to boast that his country had “the highest level of voice biometric enrollments per capita in the world.”

Read More

CHICAGO (WLS) — Scam artists are ripping off consumers by asking for payment through the popular, legitimate pre-paid money card Green Dot, according to the Chicago Better Business Bureau.

“I am very, very much ashamed of the situation,” Magda Urbaniak said. The River Grove resident got a call offering her a $10,000 loan. “Caught me in the right moment because my daughter’s birthday was approaching she was turning 18 and I wanted to buy her a car.”

The catch: She had to rush to a convenience store and put money on a Green Dot card, which can be used as a pre-paid card or to pay bills with the account number on the back. Urbaniak says she got one for $500 and then the so-called loan advisor gave her several reasons why she had to keep going back to stores to get more. She spent a total of $1,500.

“I called him an hour later and he said the money is processed, go check your account. I checked and thing was there,” Urbaniak said.

The loan never showed. When she called the man back, the I-Team was there.

“So, do you want me to send the money the same way as before with the Green Dot?” she asked.

The Better Business Bureau has gotten hundreds of similar calls in the last several weeks about different schemes all connected to crooks asking victims for Green Dot account numbers. The Attorney General’s Office also said it’s getting a “steady stream” of complaints.

Recently, a Lakeview business owner fell victim to a phony ComEd rep who wanted a Green Dot card.

“I think it is a very popular card for consumers. It has legitimate services and has been around for a little bit of time. The scammers picked up on it because they market themselves pretty well. Consumers know about them,” the BBB’s Steve Bernas said.

Green Dot warned customers on its website and on the back of its card that if anyone asks for an account number, it’s a scam; and Green Dot is not responsible for paying consumers back.

“They can take that number that you provide them over the phone and take the money out of the account pretty quickly and it is untraceable, like wiring your money outside the country,” Bernas said.

“He was very personable. He was saying about his life, he is single father. He has kids and if anything goes wrong, he is gonna pay the money,” Urbaniak said.

The ABC7 I-Team called the man who offered Urbaniak the loan, but never got a return call. Consumer experts say the best advice is not to give anyone prepaid card or money information.

View Source

IDENTITY THEFT: NO CHARGES DESPITE EVIDENCE

CHICAGO (WLS) – It’s no longer a matter of “if” but “when” someone will take your personal information. Chicago police say in 2013 there were more than 13,000 reported incidents of identity theft or other similar crimes, and the department has also recently beefed up its financial crimes unit.

But one suburban woman is questioning why two suspects who may have taken her identity haven’t yet been charged.

Cyndi Foglio has a giant stack of paperwork full of credit checks, collection agency notices and $2,500 of payday loans in her name. They’ve ballooned to almost $200,000 with a 499 percent interest.

She says after discovering the identity theft in February 2013, she turned to the Algonquin Police Department for help.

More than a year ago, in August 2013, investigators handed the case over to the Chicago Police Department because the potential suspects live in Chicago. According to an Algonquin police report, subpoenaed information shows that the online payday loan was withdrawn from an IP address on the South Side. The report lists suspect names, a phone number and even an email.

“They have names and addresses and the phone numbers on there,” Foglio says. “I am asking them to do something about it.”

Chicago police say they’re still investigating, and that it’s not a slam dunk case. Police wouldn’t answer specific questions about Foglio’s concerns, citing that ongoing investigation, but did talk about the challenges they face in crimes similar to this one.

“IP addresses can be static or dynamic,” says Sergeant John Lucki, commanding officer of Chicago’s Financial Crimes unit. “They are not always associated to a fixed entity or location, so that creates a floating area as to what’s being done out there.”

Lucki says IP addresses can also be unsecure, meaning hundreds of other people could have hopped on that connection.

But Algonquin police, in their investigation, traced that payday loan money to a pre-paid cash card with an account number, which was registered to one of the same suspects connected to that IP address. But for a non-violent crime, even that may not yet be enough proof for prosecutors.

“If you can’t assemble a complete case usually success for prosecution is minimal,” says Lucki.

Lucki says that in 2012, more detectives were added to the financial crimes unit to keep up with the growing number of cases.

Read More

For three decades, the key to identifying a pedestrian struck and killed near an interstate exit ramp sat at investigators’ fingertips. They just didn’t realize it.

The man was walking on Interstate 65 in central Kentucky in 1984 when he was struck by a semitruck. With no identification, the only clues he left were a couple of tattoos, a pack of cigarettes and his fingerprints.

The prints yielded no matches. John Doe’s body remained unidentified thirty years later, when the National Missing and Unidentified Persons System asked state police to review cold cases.

Forensic analyst Keith Dollinger went through John Doe’s file and noticed something odd about the ridges and patterns of the fingerprints.

“It looked to me like right hand prints were on the left hand card because of the way the ridges went through,” he said.

He was right: Investigators had transposed the prints. The right hand was on a card labeled “left” and vice versa.

“Once he figured that out, it kind of snowballed from there,” Kentucky State Police Lt. Brian Sumner said.

Now, the man has a name: Roy Andrew Langley, who sometimes went by the alias “Red Anderson.” He spent his life in and out of police custody and was 34 when he died by the side of the road in Elizabethtown.

A preliminary identification was made in May, and this week, the Hardin County Coroner’s Office tracked down Langley’s sister in Houston for confirmation. Attempts by The Associated Press to reach Debra Langley Hamidian were unsuccessful.

Transposing fingerprints isn’t an everyday mistake, but it’s not uncommon, said Todd Matthews, director of case management and communications for the National Missing and Unidentified Persons System.

“There have been other times where prints were flipped,” Matthews said, although he didn’t have statistics on the frequency.

In fact, the officer who made the catch in Langley’s case said he’s caught himself making the same mistake.

“It’s something that happens every so often,” said Dollinger, a forensic specialist analyst with state police’s Automated Fingerprint Identification System. “It’s just something you have to be careful about.”

After discovering the error, Dollinger, who has 20 years of experience, resubmitted the prints through the state and national identification systems and turned up Langley’s name.

“It was kind of a quiet satisfaction,” Dollinger said. “It was a good thing because we know who the fellow is. The family can get some closure.”

View Source

Protecting your privacy on the phone

Tapping phone lines and recording conversations is a classic spy technique, but it can be easy to protect yourself from these actions with a few simple gadgets and security practices. Make sure you are being proactive about your privacy and protecting your phone calls from unwarranted or illegal recording.

There are a few ways to protect your privacy on the phone. Whether the person on the other end is recording the call or you think your own line has been tampered with, make sure you’re taking the right steps toward eliminating these threats and having private conversations in peace.

Bug sweep – Bugging a room or phone is a key way to record or spy on conversations. Getting a Multi-Functional All Purpose All-in-One Sweep Unit can help you find and disable audio recording devices in your phone, as well as hidden cameras and other spying devices.

Tap detection – For increased protection from phone tapping, you can install a Super Tap Buster on your phone line. This tool will constantly monitor line voltage and detect changes that indicate a phone tap. This will further protect you from taps installed outside your home, and can remotely disable bugs, while alerting you to secondary listening devices on a line – such as when a second line is picked up and muted during a call to listen in.

Voice changer – If you’re trying to keep your identity a secret during a phone call, a Telephone Voice Transformer is the best way to go. This device will alter the pitch and tone of your voice to mask it and keep your identity a secret – an excellent way to prevent a phone tap from gathering too much information.

View Source

Philadelphia PA Oct 6 2014 The saying that the best defense is a good offense is not necessarily a strategy most wish would be applied to schools.

But as the issue of school safety stemming from school shootings continues, some lawmakers and schools are looking at offensive measures to help protect students.

One such measure is a bill in the state Senate Education Committee that would allow school employees to carry guns on school property. The bill was introduced as another option for protecting students, especially those in rural areas that rely on often-distant state troopers for police protection, The Associated Press reported.

That measure, however, does not sit well with everyone — even those who back offensive defense training for school staff.

After the Columbine shooting, former law enforcement officer Greg Crane co-founded the ALICE Training Institute with his wife, an elementary school principal. The two designed a training regimen for schools across the country that would allow staff to take action if confronted with an intruder.

Though a number of states allow teachers to carry guns on school property, Crane said he has not included weapons in the training program and does not believe they are a good idea.

“It’s actually not at all the same for people using weapons for self-defense as it is to use it (offensively),” Crane said. “(Arming teachers) is asking too much of teachers to be … the security force. If there’s a shooting in the cafeteria, what are the teachers supposed to do? Are they supposed to leave their students alone to respond?”

Mike Hurley, co-founder and president of Cumberland County Safe Schools Association, said there has been discussion locally on arming school staff after the Newtown, Connecticut, shooting, but the association has no position on the matter.

“There was a lot of discussion, there was a lot of different opinions, a lot of pros and cons that have to be looked at, and I think that’s something each school district has to look at with their own community,” he said.

Crane said there is a danger in adding more guns to an intruder scenario. He used the attempted assassination of Ronald Reagan as an example, saying the Secret Service members present were all armed but they did not fire their weapons — they used their numbers to tackle the shooter.

“They did not shoot back, but subdued him in three seconds,” Crane said. “They did it with overwhelming numbers. In that environment, there was a lot of friendlies standing around, and it’s unacceptable to put other people at risk.”

Intruder Training

Although using guns is not an option as a defensive measure in Pennsylvania, what is being taught is a way for teachers and staff to verbally or physically intervene when confronted with a violent and armed intruder.

Since its founding after Columbine, the ALICE Training Institute has trained teachers in 49 states and reached students in kindergarten through 12th grade. Crane said they are branching out to training staff in the private sector of education.

Crane said the training itself is not so much physical as it is retraining the policies that schools follow in intruder incidents.

“It’s not something out of a manual,” Crane said. “We don’t want you fighting a gunman, but you may have to mitigate his chances of hurting someone.”

The point of the training is to follow what Crane believes is the better instinct to flee instead of instituting the sole method of a lockdown.

“I don’t understand why in a fire everyone gets out of the building, but you stay in the building when an intruder is on the loose,” Crane said. “At Sandy Hook, the children who ran out of the classroom survived. Why didn’t we evacuate if it is possible?

“We don’t dismiss lockdowns as strategy, but we dismiss lockdowns as policy,” he added.
The training isn’t too involved because Crane said it can’t be.

“It really is very simple — it had to be very, very simple,” he explained. “In (a confrontation), people are not going to come up with fine motor skills and complicated (orders). But it is also very, very effective.”

Read More