Entering Private Practice!

I am able to announce big changes at DataTriangle. I have been employed by the Alachua Sheriff’s Office as a Deputy Sheriff for the last 14 years. Most recently I was assigned to the FBI CyberCrime Task Force, Internet Crimes Against Children, and as the computer forensic examiner. Yes, this has been as busy and stressful a job as it sounds!

I am leaving the Sheriff’s Office to devote myself full-time to DataTriangle. I will be doing work in the areas of computer forensics, data recovery, and website administration. I will supervise staff members working on general computer repair services in the Gainesville, Florida area.

My recent computer forensics experience translates most closely to work in criminal defense cases. As I have always done, though, my goal is to expand my experience. I have already worked civil cases involving digital evidence. I anticipate working a lot more of them with my increased availability. I have also had Gainesville attorneys approach me requesting e-discovery services.

There is a great deal of overlap between e-discovery and computer forensic practice. A lot of the difference lies in acquiring a few new software tools and becoming proficient in them. I am in the process now of buying these tools and practicing. I don’t presently see myself trying to get into large scale e-discovery work. I am more interested in supporting law firms with their small to medium size e-discovery matters.

It is with great excitement that I enter into the private practice of computer forensics! The excitement is somewhat tempered by sadness at leaving all the great comrades and professionals that I have worked with through the years in law enforcement. I wish all of them the best of luck and safe patrols!

Data Breach Investigation and Response – Dealing with the Emotions

Part of why I have been away from writing my blog as of late is I have just been swamped with computer crime investigations.  I have had the experience of investigating data breaches large and small, as a criminal investigator, and as a private computer examiner.  I think this has given me a unique perspective worth sharing.

It seems that every data breach produces a ton of emotion for a variety of reasons.  I am going to outline some of these emotions.  I think this is important for an investigator to understand because it has such an impact on these investigations.

Emotion 1) Guilt

The IT staff is going to feel very guilty about what happened, rightly or wrongly. The finger is almost immediately pointed in their direction by management. This comes in two forms. One is the belief that they must be involved, because of course security couldn’t have been penetrated! The other is that they are responsible for the computers, so it follows that it is their fault.

Is it IT’s fault? Maybe it is, maybe it isn’t. I think the organization’s managers must stop and assess their own responsibility first. Was IT adequately staffed and trained? Did management stress that security was important? Was management willing to fund positions and hardware focused on security? Did management demand ease of access over security? Did management allow any middle manager in the organization to override IT and become a local/domain admin? Did management provide for physical security of computer assets?

That is a lot of questions for management to ask, but I think that is where to start the assessment of whether to blame IT for the breach.

Emotion 2) Damage Control

This is really going to hurt our business.  Maybe we can cover it up?

Not many businesses or involved decision makers are going to openly admit to this, but I think it goes on in almost all cases, even with individuals who are very morally motivated to always do the right thing. There are two major reasons for these feelings.

a) It is going to hurt the business so badly, financially and in public image, that one has to wonder whether the business can even survive.

b) It is so damaging to the business that any manager involved has to wonder if they are going to lose their job (along with the IT staff). So you have the feeling that you need to protect your job and, indirectly, those you support with that job.

Emotion 3) Helpless Confusion and Anger

A sense of helpless confusion and anger. This comes from a few sources.

a) Not understanding how it happened and where the organization went wrong.

b) Not having the training and experience in responding to a high tech crime incident.

c) Anger that you didn’t take the time, or didn’t know how, to take steps that could have prevented the breach.

d) Anger at the person who lost the laptop, left it where it could be stolen, or at the IT admins who didn’t secure the system.

Emotion 4) Hopelessness and Fear

IT admins and managers are used to being the decision makers and the people who know the answers. Now suddenly they are the ones having to ask for help and seek to understand what to do next. Not being used to this kind of situation, they find it difficult to adjust to the new role.

I point this out not to be negative in any way toward anyone. I point these emotions out because if your company is the one involved in the data breach, these emotions will be present in various shapes and intensities. This is when one of my core rules of dealing with humans comes into effect. It is one that I have seen over and over again in a 15-year law enforcement career: you can’t accurately predict how any person is going to respond to a specific high-stress situation. So, be prepared for individuals to react in unexpected ways.

I further point the emotions out because, as the investigator, you will be dealing with them! I think you will get much more honest and open responses to your investigative questions if you take the time to express an empathetic understanding of what the IT staff and managers are going through. Just like a cop arriving on the scene of a traumatic incident, the involved persons are looking to you to normalize their feelings and demonstrate that you understand and have empathy for their situation.

I know everyone is saying right now, “I thought this was a tech blog, not a psychology blog!” It is, but I have just really found that understanding the above is the first skill in being a good responder to a data breach. After all, there are PLENTY of blogs with a dry technical report on what happened, or maybe the 1-2-3 of which log files to grab.

I am going to follow this post up with some of the lessons learned and priorities of investigation. For now, if you are reading my blog, think about how you would express empathy and what you would say to the involved persons. In any kind of investigation one of the first things to remember is: “Everyone is a person first, with unique experiences, emotions, and perspectives on events.”

Good luck to you all, and do some good investigating!!

DiskAnalyzer Pro

I recently received a courtesy upgrade to a software product I already owned and used, DiskAnalyzer Pro. I am excited to review the software because it has really come a long way. The version I am reviewing is 3.4.

From their website: “The software helps you to find largest folders and files on your hard drive. Get hard disk space consumption report grouped by file size, file types, ownership, file date and attributes. Quickly drill down to folders consuming most of your hard disk space.”

As soon as the program launches, it asks you which drive you would like to analyze. Once you pick the drive it quickly analyzes it. It analyzed the 500GB drive I chose in about 20 seconds. The program then presents its main work interface. The primary area is a row of tabs that let you sort the files by different criteria.

DiskAnalyzer Pro Tabs


You can click any of those tabs to quickly sort or group files by that criterion. For instance, you can click file types to quickly see how much storage is being taken up by every file type on your drive (by extension). Wondering why you have so many rich text files? Just double-click the “rtf” extension folder. A new window opens called the “File Viewer and Explorer.” This view lists all the rtf files on the drive with their associated metadata. To the left is a pane to quickly sort further by any of the file attributes. Date searching even has a handy pop-up calendar to assist in choosing the dates you need. (Very useful when you are lost in programming and have lost your orientation to time and place!!)

File Explorer View


Double-clicking any of the files in the file viewer will launch the associated program to view the file. For some of the simpler file types there is the option to launch an internal preview within the application.

A very nice feature, if you need to report to someone else what is where, is the ability to export an HTML or CSV report of the files located. This is very useful for quick inventories after a data recovery or computer forensics job. The same can be done with computer forensics software, but it is more time-consuming to set up.

I can also see it being very useful for network IT professionals trying to find out what or who is taking up all the space on the server!
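The grouping, drill-down, and CSV export described above, as an added illustration that is not DiskAnalyzer Pro’s code and is not part of the original post: a short Python script that walks a directory, totals bytes per file extension (case-folded, so “RTF” and “rtf” land in one bucket), lists the files behind one extension with size and modification time, and writes a CSV inventory. The tree it scans is a constructed temporary directory of dummy files, and every function name is my own. Two details matter for forensic use: symlinks are skipped so a link cannot pull files from outside the tree into the totals, and only metadata is read, never file contents.

```python
"""Group files by extension and write a disk-consumption inventory.

Added example, not DiskAnalyzer Pro's code. Standard library only; the
sample tree is constructed below so the script runs offline.
"""
import csv
import os
import tempfile
from collections import defaultdict
from datetime import datetime, timezone
from pathlib import Path


def _ext_of(path):
    # Lower-cased suffix without the dot; files with no suffix -> "(none)".
    return path.suffix.lower().lstrip(".") or "(none)"


def scan_by_extension(root):
    """Walk `root` and return {ext: {"count": files, "bytes": total_size}}."""
    stats = defaultdict(lambda: {"count": 0, "bytes": 0})
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink():          # never count what a link points at
                continue
            try:
                size = full.stat().st_size
            except OSError:                # unreadable or vanished: skip, don't abort
                continue
            ext = _ext_of(full)
            stats[ext]["count"] += 1
            stats[ext]["bytes"] += size
    return dict(stats)


def largest_extensions(stats, limit=None):
    """(ext, files, bytes) tuples, biggest consumers first; ties by name."""
    rows = sorted(((ext, v["count"], v["bytes"]) for ext, v in stats.items()),
                  key=lambda r: (-r[2], r[0]))
    return rows[:limit] if limit else rows


def list_files(root, ext):
    """Drill-down for one extension: (relative path, bytes, mtime UTC ISO)."""
    wanted = ext.lower().lstrip(".")
    rows = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            full = Path(dirpath) / name
            if full.is_symlink() or _ext_of(full) != wanted:
                continue
            try:
                st = full.stat()
            except OSError:
                continue
            mtime = datetime.fromtimestamp(st.st_mtime, tz=timezone.utc).isoformat()
            rows.append((full.relative_to(root).as_posix(), st.st_size, mtime))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def write_csv_report(stats, out_path):
    """Write the per-extension table as CSV; returns the number of data rows."""
    total = sum(v["bytes"] for v in stats.values()) or 1
    rows = largest_extensions(stats)
    with open(out_path, "w", newline="") as fh:
        writer = csv.writer(fh)
        writer.writerow(["extension", "files", "bytes", "percent_of_total"])
        for ext, count, size in rows:
            writer.writerow([ext, count, size, f"{100.0 * size / total:.1f}"])
    return len(rows)


def build_sample_tree():
    """Constructed sample data (not a real drive): temp tree of zero-filled files."""
    root = Path(tempfile.mkdtemp(prefix="diskscan_"))
    sample = {
        "docs/report.rtf": 1000,
        "docs/notes.RTF": 2000,      # upper-case suffix folds into "rtf"
        "images/photo.jpg": 5000,
        "logs/app.log": 300,
        "README": 100,               # no extension -> "(none)"
    }
    for rel, size in sample.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"\0" * size)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    stats = scan_by_extension(root)
    for ext, count, size in largest_extensions(stats):
        print(f"{ext:>8}  {count:3d} files  {size:8d} bytes")
    for rel, size, mtime in list_files(root, "rtf"):
        print(f"  {rel}  {size} bytes  modified {mtime}")
    report = root / "report.csv"
    print(f"{write_csv_report(stats, report)} rows written to {report}")
```

Point `scan_by_extension` at a mounted read-only image instead of the sample tree to get the same “file types” view over real evidence; the CSV is the quick inventory the post describes, and `list_files` is the “rtf folder” drill-down.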

Overall, I find this to be a very easy to use and cost-effective utility.

GoGrid Hosting Review - Not Good

I have had web sites for 13 years. I have to warn others that using GoGrid hosting has been my worst hosting experience. Deciding to accept their “free” $100 credit offer to sign up was a bad mistake. One of my earliest budget providers, based in India, was a better experience.

I accepted their offer to evaluate their service for use as back up servers for some of the commercial websites for which I am the system administrator.

To start with, their interface is clunky and far from ready for actual commercial use. It is confusing and lacks usability, help, and documentation.

Their customer service was slow and largely unhelpful when I had issues. They left me feeling that they thought I was stupid because I didn’t know every aspect of their system.

Worst of all is their billing. They tell you that you are being billed for RAM hours used. Well, their gotcha trick is how they define your RAM hours. Their claim is that a server that is turned off is still using RAM hours.

Well, we all know that the whole idea of “cloud” computing is to lower costs because the provider can use the actual physical hardware for another client when you do not have your server on. Yet GoGrid claims that your server is still using RAM when it is off. If there is still RAM actually allotted to your powered-off server, then that is not cloud computing. It is FAR cheaper to use a traditional hosting provider than to pay GoGrid for RAM on a server that is not even running!

I had to request my account to be closed multiple times, before they finally complied.  Requests to refund my money were never fulfilled.

The traditional hosting providers, such as Liquid Web, also provide FAR better customer support at a much lower price. Liquid Web, for example, provides a much more polished interface for the user. After this very unfortunate, and personally costly, experience with GoGrid, I love Liquid Web even more than I did previously.

I hope this review saves other business owners and Tech workers from a costly mistake like mine.

Computer Forensics Expert in Federal Court

I am very pleased to announce that I testified as an Expert in Computer Forensics and Cybercrime. I was on the stand for about one and a half hours. The material of the case involved the receipt, possession, and distribution of child pornography.

I was happy to learn that the case agents, attorney, and jury were very happy with my testimony.  Everyone told me that I was very clear and did an excellent job of making highly technical material understandable.  Being technically accurate and at the same time understandable, I believe, is one of the greatest challenges to anyone testifying as a computer forensics expert.  Throughout my training I have always tried to ask myself, “How would I explain this to a jury?”

The entire case was a great experience from working with the U.S. Attorney, investigators, criminal defense attorney, and everyone else involved in this case.

I am proud and happy to have accomplished my goal of being recognized as an expert in state and federal court.  I look forward to continuing to learn in this field, and hope I have a long and successful career in it!

Phone: (615) 208-6565 1633 W. Main St, Suite 902, Lebanon, TN