When I was a full-time police detective, I was fortunate enough to attend several very good, very long digital forensic training courses (see letters at end of name). Unfortunately, what this also did was widen the gap between what I knew I could do in a forensic analysis and what my supervisor(s) thought I could do in a forensic analysis. Nowhere was this more apparent than when we seized a couple of computers on a drug search warrant where the suspect was growing his own marijuana by the gross in the acreage behind his house. The computers were seized under the guise of potentially containing pertinent financial documents or other transactional information with regard to the suspect’s drug production and distribution (selling) activity. Pretty simple, right? Wrong.
At the time, I had just returned from the Federal Law Enforcement Training Center (FLETC) with new forensic hardware, software and fresh knowledge on how to do this stuff! Apparently, my supervisor should have gone too. As many of my colleagues who are still fighting the good fight in law enforcement will attest to, it’s very hard to do a highly technical job like computer forensics when your direct-report doesn’t have a clue what you do, how you do it, why you do it or how much time is involved. It’s honestly one of the most frustrating professional experiences I can point to in my time as a police investigator.
Like I said, we seized these computers and my boss wanted me to work my newfound magic on them. “Ok”, I said, “What would you like me to look for?” The first answer was “Anything”. Ummm… that doesn’t work. So I asked him about key word searches. He said “YES!” Ok, what key words would you like me to search for? “Weed. Pot. Drugs. Money.”
Are we seeing a problem here yet? If not, allow me to explain…
Key word searches are generally conducted over the entire forensic image (i.e., exact copy). This amount of data can be as “small” as 16 GB on your smart phone or as large as the 4TB (or more) hard drive I have in for analysis now. Yes, we can limit the searches to specific partitions or pieces of evidence in a global case if necessary, but generally speaking, I like to search an entire physical hard drive just to see what we can find. The way these searches are conducted with modern forensic tools is by translating the text into any number of coding formats and scanning all of the data for that specific coding, i.e., key word. This can often take a bit of time and VERY often yields false positives and/or repetitive hits. In the screen shot below, you can see that my very basic search on a current case for five simple terms (four names and the word “ashes”) yielded thousands of hits while only 4% of the drive was scanned. Not only does this not bode well for maximizing the examiner’s time, but the hits are so voluminous that it tends to all blur together after a while. Plus, because there’s no buffer, the search for the term “ashes” will yield every single word that contains those characters in that order. Sashes, hashes, flashes, mashes… you get the idea. Tons of false positives. The same is true for all of the terms my former supervisor told me to search for.
On the next search, I remembered some of my key word training… Insert a space before and after the search term(s). This ensures that ONLY your term is reported back on the hits. The number of hits went from thousands to just a few hundred. Not only that, they were much easier to sift through to see what may be relevant vs. what isn’t.
So if you’re sending a computer, smart phone or other digital device to your forensic examiner and key word searches may be relevant to your case (and they often are), here are a few tips that may help him or her out:
- The longer the search term, the better. Think about it this way, if I searched for one whole sentence in this blog as opposed to just one or two words together in the same sentence, that will drastically cut down on the false positives AND the time it will take to achieve and examine the results. More is definitely better.
- Short words are bad. Even with a space before and after the search term, short words yield a ton of false positives and the hits for those terms will just keep climbing. Your best bet is to use longer words in your search terms, which ideally also consist of multiple words. “Connecticut” is much better than “con” or “cut”.
- Unique terms are good. Full names of people involved, cities, unique internet search terms are all great things to search for and will narrow the scope of the key word search.
- Think globally. Don’t just think about the case you have before you, but think about other things the owner of the computer or smart phone may be involved in that are on the periphery of your case. Then, incorporate that mindset into the information you provide your forensic examiner using the first two tips.
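What the space-padding trick and the tips above do to a hit count, as an added Python example (not code from the post or its author). The "forensic image" bytes are constructed for illustration; the term is searched in ASCII and UTF-16LE, the way a forensic tool would encode it, and a word-boundary search is included to show the cases the padded search misses (term at a line start or before punctuation):

```python
import re

# Constructed sample "forensic image": ASCII text (with words that merely
# contain the substring "ashes") followed by padding and a UTF-16LE string,
# the encoding Windows applications often use. Not data from a real case.
ASCII_TEXT = (
    b"The ashes were scattered. Sashes, hashes and flashes. ashes.\n"
    b"ashes at line start\n"
)
UTF16_TEXT = "more ashes here; flashes too".encode("utf-16-le")
IMAGE = ASCII_TEXT + b"\x00" * 16 + UTF16_TEXT

# Forensic tools search for a term in several encodings at once.
ENCODINGS = ("ascii", "utf-16-le")


def raw_hits(image: bytes, term: str) -> int:
    """Plain substring search: 'ashes' also hits sashes, hashes, flashes."""
    return sum(image.count(term.encode(enc)) for enc in ENCODINGS)


def padded_hits(image: bytes, term: str) -> int:
    """The post's trick: a space before and after the term, then search."""
    return sum(image.count(f" {term} ".encode(enc)) for enc in ENCODINGS)


def boundary_hits(image: bytes, term: str) -> int:
    """Word-boundary regex after decoding; catches 'ashes.' and line starts."""
    pattern = re.compile(rf"\b{re.escape(term)}\b")
    total = len(pattern.findall(image.decode("ascii", errors="ignore")))
    # A UTF-16 string may start at an odd byte offset, so decode at both
    # alignments; the misaligned pass decodes to noise and matches nothing.
    for offset in (0, 1):
        text = image[offset:].decode("utf-16-le", errors="ignore")
        total += len(pattern.findall(text))
    return total


def hit_report(image: bytes, terms) -> dict:
    """Per-term counts for each strategy, to compare short vs. long terms."""
    return {
        t: {"raw": raw_hits(image, t),
            "padded": padded_hits(image, t),
            "boundary": boundary_hits(image, t)}
        for t in terms
    }


if __name__ == "__main__":
    for term, counts in hit_report(IMAGE, ["ashes", "ashes were scattered"]).items():
        print(f"{term!r}: {counts}")
```

On this sample the bare term "ashes" scores 8 raw hits but only 2 padded and 4 word-boundary hits, while the longer phrase "ashes were scattered" scores exactly 1 and drops to 0 when padded because a period follows it.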
Key word searches often provide valuable evidence, but generally, they’re also just pieces in the bigger puzzle. By providing the right key words from the start, you can help your forensic examiner be more effective and, hopefully, get you the evidence you need faster. Whether you’re an investigator, attorney, IT security professional or other interested party, just please don’t say the one dreaded “key word” answer when your forensic examiner asks you what to look for: “Anything”.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
About the Author:
Patrick Siewert is the Principal Consultant of Pro Digital Forensic Consulting, based in Richmond, Virginia. In 15 years of law enforcement, he investigated hundreds of high-tech crimes, incorporating digital forensics into the investigations, and was responsible for investigating some of the highest jury and plea bargain child exploitation cases in Virginia court history. A graduate of both SCERS and BCERT (among others), Siewert continues to hone his digital forensic expertise in the private sector while growing his consulting business marketed toward litigators, professional investigators and corporations.