<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Computer Forensics &#38; Data Recovery&#187; Computer Forensics</title>
	<atom:link href="http://datatriangle.com/category/computer-forensics/feed/" rel="self" type="application/rss+xml" />
	<link>http://datatriangle.com</link>
	<description>Where Computer Forensics and Data Recovery, Come Together in Gainesville, FL!!</description>
	<lastBuildDate>Fri, 27 Jan 2012 01:03:34 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Doctor and Law Office Security (and some advice to Doctors and Lawyers)</title>
		<link>http://datatriangle.com/2011/08/21/doctor-and-law-office-security-and-some-advice-to-doctors-and-lawyers/</link>
		<comments>http://datatriangle.com/2011/08/21/doctor-and-law-office-security-and-some-advice-to-doctors-and-lawyers/#comments</comments>
		<pubDate>Sun, 21 Aug 2011 23:42:29 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=294</guid>
		<description><![CDATA[I want to start off by saying I am not writing this as an opportunity to slam lawyers or doctors. It has just come to my attention over and over again how abysmal security is in some of these offices. I believe this is through a combination of reasons common to “high status” professions. I [...]]]></description>
			<content:encoded><![CDATA[<p>I want to start off by saying I am not writing this as an opportunity to slam lawyers or doctors.  It has just come to my attention over and over again how abysmal security is in some of these offices.  I believe this is through a combination of reasons common to “high status” professions.  I will try to go over some of what I observe going on in as tactful a manner as possible.</p>
<p>There will be a couple of follow-on posts to suggest some solutions (so I will offer some ways to fix this), but first I think we need to address the root of the problem a bit.  I want to be clear that these characteristics are an overall generalization and of course can vary greatly from individual to individual.</p>
<p><strong>Problem 1) Slow to ask for help, or at least help from a computer professional.  Then doesn’t take the time to actually interactively discuss what needs to be done.</strong></p>
<p>- These high status professionals are surrounded by various talented office workers who are very skilled at their jobs: billing specialists, paralegals, insurance specialists, and office managers.  There is a tendency to rely on these computer power users to be the network administrators.  There is no one working on the computers that really understands how to deploy an effective and secure computer network.  The network environment for the office usually ends up looking like one you would see at a very big house with a bunch of Windows XP installations sharing EVERYTHING with everyone. In some of the worst cases, the people who were designated as administrators have created insecure portals to their home computers and back-doors to log in to the system should they ever get locked out.  When there is a problem, the doctor or lawyer often does not know how to (or that they need to) take the extra measures to completely shut down the former administrator’s access.  I have seen this over and over again in small and large businesses alike.  It simply highlights the need for the senior executives to have at least a general understanding of how the system operates and what to do in the event of an “incident.”  But that is for another post&#8230;.</p>
<p>-Once the hacked-together network, which was designed for home use, not organizational security, becomes completely dysfunctional, they lose data or get hacked; then a computer professional is called.  When this computer guy comes in, he finds a huge mess.  Not only will this mess take a lot of time to fix, but it will probably require new software and hardware (server, server OS, firewall, anti-virus, intrusion detection&#8230;).  This causes the initial quote for fixing things to result in complete sticker shock to the doctor or lawyer involved.</p>
<p>-Generally, the initial evaluation and quote is further complicated because the doctor or lawyer is “too busy” to take the time to be personally involved in evaluating what they want or need.  The job of working with the computer guy to “just make it work” is delegated to the paralegal or office manager.  This prevents an interactive discussion of the best ways to set things up, costs, and options with the actual decision maker.</p>
<p>-If the doctor or lawyer does get involved in the discussion process, there is generally a very rushed air about the conversation that conveys they really don’t want to be there and they are irritated to be spending time/money to talk to someone.   Since the discussion is outside their expertise area, they don’t seem to want to expend the mental energy to understand the problem and solutions.  It is often this lack of willingness to understand the situation that has led to the problem in the first place.   My wife is the perfect example.  I am the web administrator for her practice, and I cannot tell you how often I have heard her say to me&#8211;“I don’t care how you do it, just fix it.”</p>
<p><strong>Problem 2) They are tired of the sale.</strong></p>
<p>- Doctors and lawyers are frequent targets of sales people of all kinds of products.  Sometimes, they have already bought various pieces of software, services, or hardware that were sold for WAY more than they were worth and didn’t solve the problem.  This leaves them very jaded and skeptical of your advice.  Again, it is usually far, far less expensive to have a trustworthy IT person who can evaluate and explain the pros and cons of the different options.  One company I worked with was developing a tele-mental health  program.  I developed a solution for them that would cost about $16,000 per year to handle the secure video conferencing, and secure email and chat at three clinic locations.  The IT Director got sold on an out-of-the-box “solution” for $40,000 that only handled the encrypted video.  He was told by the sales person that he needed a certain resolution to have insurance accept it.  That was totally false, but he did not do his research.  To this day they have $120,000 of equipment sitting in the IT department and have not deployed anything.</p>
<p><strong>Problem 3) Doctors may not understand their legal obligations to secure networks and data.</strong></p>
<p>-We have all experienced the medical professional that upon being asked any question states, “I can’t tell you that because of HIPAA.”  Which is very confusing when you are asking where the water fountain is??   Seriously, though, even though almost all doctors’ offices have stuck the HIPAA forms into their patient packet, they don’t really understand it in regard to computer security.  (Although, I have to admit it is a bit fuzzy to everyone.)</p>
<p>- The big point to understand is that the doctor has an affirmative responsibility to secure patient data in house and in transit, and to see that data handled by business associates is protected with similar safeguards.  This includes faxes, email, chats and standard snail mail.  But, what does it mean to “secure it?”  Good question.  HIPAA and HITECH don’t spell out exact technology standards.  It is clear that doing things like sending patient data in unencrypted emails is probably not allowed. Further, even if your email is encrypted on your computer, that does not mean that it is encrypted in transit.  Email containing patient information must be encrypted at both ends and everywhere in between.</p>
<p>- The fines for not securing patient data, especially in a large practice, could be quite large.</p>
<p><strong>Problem 4) Lawyers tend to think in terms of someone accessing their data in a manner that is legal. </strong> </p>
<p>I have been exposed to attorneys who argue to medical professionals that sending patient data in unencrypted email is alright if you add a line saying it is illegal to read the message if you aren’t the intended recipient.  Coming from a law enforcement background this is laughable to me.  I imagine the computer criminals I interviewed&#8230;  I am sure that after they hacked a server, computer, or network to get to an email&#8230;.they will not read it if you add a line telling them not to!  (I am being sarcastic if you didn’t get that.)</p>
<p>A law practice computer network houses a ton of confidential data.  A lot of that data is protected by attorney-client privilege.  If someone tried to compel a lawyer to disclose a privileged communication in court, the attorney would fight the disclosure to the end.  Many of the same attorneys routinely send their attorney-client privileged communications through unencrypted email.  The thought process is that no administrator on any system between my client and me will read the message, because “That is illegal.”    You get the idea.</p>
<p><strong>Problem 5) Computer Techs and System Administrators are at fault for not sticking to their guns for what they need to do. </strong></p>
<p>Especially as a younger computer guy, it is very easy to get intimidated into making bad decisions, especially by professionals that tell others what to do all the time.  For instance, you know the doctor’s office needs a business-class firewall, anti-virus, and intrusion detection system.  You tell the doctor this is what is needed, and it will cost $2,000 to buy the system you need for this office. The doctor responds he is not paying that price.  Why don’t you just put a free firewall and anti-virus on every computer?  It works for me at home, just “make it work” here.</p>
<p>An experienced computer guy, who probably has a thriving customer base and doesn’t need the work as badly, would probably say he isn’t going to be responsible for a hacked together system with sensitive information on it.  An inexperienced tech who really needs the work will probably try to hack together a solution for zero dollars.  He will probably continue indefinitely having to hack solutions, to which the doctor will complain that he is being billed for too many hours.  An untenable and bad situation will get worse and worse.</p>
<p>Ultimately, it is vital that professionals work together to build a secure and usable network.  </p>
<p>I will follow up this article with some tips and resources that I advise clients to use.</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2011/08/21/doctor-and-law-office-security-and-some-advice-to-doctors-and-lawyers/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Expanding to Manassas, VA</title>
		<link>http://datatriangle.com/2011/05/19/expanding-to-manassas-va/</link>
		<comments>http://datatriangle.com/2011/05/19/expanding-to-manassas-va/#comments</comments>
		<pubDate>Thu, 19 May 2011 23:45:54 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=270</guid>
		<description><![CDATA[My wife, Dr. Dawn-Elise Snipes, has accepted a position in the Washington, DC area. We are moving the family and all the associated business elements to the Manassas, VA area. We are all very excited about this impending move. It will take us and all of our business undertakings into a much bigger market. We [...]]]></description>
			<content:encoded><![CDATA[<p>My wife, Dr. Dawn-Elise Snipes, has accepted a position in the Washington, DC area.  We are moving the family and all the associated business elements to the Manassas, VA area.  We are all very excited about this impending move.  It will take us and all of our business undertakings into a much bigger market.  We feel that we are leaving Gainesville, FL with strong training and experience to provide quality services to Northern Virginia and Washington, DC area.  We will continue services to the Gainesville, FL area as well. (Frequent flyer miles anyone? <img src='http://datatriangle.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  )</p>
<p>We are choosing to base additional operations out of Manassas for a few reasons.  Quick access to DC, close to Dulles International Airport, rapidly growing, and just a really nice town.  Dulles, and the Manassas general aviation airport, will allow us quick and affordable travel to destinations throughout the United States.</p>
<p>In the course of this expansion, we are maintaining a business presence in Florida.  We also have an eye on an office in the Research Triangle of Raleigh-Durham, NC.  We feel that all three markets offer the chance of long term growth.</p>
<p>We anticipate being fully up and running in Manassas by early August 2011.  In the meantime, I look forward to beginning the process of making business contacts and friends in the area.  Additionally, we will be back and forth to the area in the meantime.  If you believe I can be of service to you, don&#8217;t hesitate to contact me before August.</p>
<p>This is not goodbye Gainesville, just turning the page to a new chapter and expanding into more markets.</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2011/05/19/expanding-to-manassas-va/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mini-DVD Data Recovery</title>
		<link>http://datatriangle.com/2010/11/03/mini-dvd-data-recovery/</link>
		<comments>http://datatriangle.com/2010/11/03/mini-dvd-data-recovery/#comments</comments>
		<pubDate>Wed, 03 Nov 2010 21:47:24 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=258</guid>
		<description><![CDATA[I just did a data recovery job that involved a mini-dvd that had been accidentally re-formatted. I got the DVD in with no active files. My usual go to for these recoveries has been ISObuster. I have had many successful recoveries with ISObuster. In this case it did recover movie files that had been on [...]]]></description>
			<content:encoded><![CDATA[<p>I just did a data recovery job that involved a mini-dvd that had been accidentally re-formatted.  I got the DVD in with no active files.  My usual go-to for these recoveries has been ISObuster.  I have had many successful recoveries with ISObuster.  In this case it did recover movie files that had been on the drive.  It incorrectly assembled lots of the MPEG fragments into a few large VOB files.  This resulted in a jumpy video with a lot of unintelligible audio.</p>
<p>Well I knew my friends from England, <a href="http://www.cnwrecovery.com/">CNW recovery,</a> had been working hard on their <a href="http://www.cnwrecovery.com/html/unerase_cd-rw.html">DVD data recovery</a> routines.  I decided to give CNW a try.  It has a very user friendly menu that guides you through each step of the process.  It recommends at each step the next step in the recovery.  I watched as it imaged the disk, carved the MPEGs, then did its best guess at reassembly.  The process was very easy to understand and smooth for a low-level data recovery tool.</p>
<p>The resulting MPEGs were much cleaner than the VOBs produced by ISObuster.  There were segments that, by manual review, I could tell needed to be reassembled.  There were none that were incorrectly put together though. (A much harder thing to deal with.)  </p>
<p>I manually re-assembled the MPEGs together that were really part of one continuous shoot.  The resulting product was very good.</p>
<p>I am very impressed with the progress of CNW recovery in this area!!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/11/03/mini-dvd-data-recovery/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Entering Private Practice!</title>
		<link>http://datatriangle.com/2010/09/18/entering-private-practice/</link>
		<comments>http://datatriangle.com/2010/09/18/entering-private-practice/#comments</comments>
		<pubDate>Sat, 18 Sep 2010 10:23:02 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=201</guid>
		<description><![CDATA[I am able to announce big changes at DataTriangle. I have been employed by the Alachua Sheriff&#8217;s Office as a Deputy Sheriff for the last 14 years. Most recently I was assigned to the FBI CyberCrime Task Force, Internet Crimes Against Children, and the computer forensic examiner. Yes, this has been as busy and stressful [...]]]></description>
			<content:encoded><![CDATA[
<p style="margin-bottom: 0in;">I am able to announce big changes at DataTriangle.  I have been employed by the Alachua Sheriff&#8217;s Office as a Deputy Sheriff for the last 14 years.  Most recently I was assigned to the FBI CyberCrime Task Force, Internet Crimes Against Children, and as the computer forensic examiner.  Yes, this has been as busy and stressful a job as it sounds!</p>
<p style="margin-bottom: 0in;">I am leaving the Sheriff&#8217;s Office to devote myself full-time to DataTriangle.  I will be doing work in the areas of computer forensics, data recovery, and website administration.  I will supervise staff members working on general computer repair services in the Gainesville, Florida area.</p>
<p style="margin-bottom: 0in;">My recent computer forensics experience translates most closely to work in criminal defense cases.  As I have always done though, my goal is to expand my experience.  I have already worked civil cases involving digital evidence.  I anticipate working a lot more with the increased availability.  I have also had Gainesville Attorneys approach me requesting e-discovery services.</p>
<p style="margin-bottom: 0in;">There is a great deal of overlap between e-discovery and computer forensic practice.  A lot of the difference lies in acquiring a few new software tools and becoming proficient in them.  I am in the process now of buying these tools and practicing.  I don&#8217;t presently see myself trying to get into large scale e-discovery work.  I am more interested in supporting  law firms with their small to medium size e-discovery matters.</p>
<p style="margin-bottom: 0in;">It is with great excitement that I enter into the private practice of computer forensics!  The excitement is somewhat tempered by sadness at leaving all the great comrades and professionals that I have worked with through the years in law enforcement.  I wish all of them the best of luck and safe patrols!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/09/18/entering-private-practice/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DiskAnalyzer Pro</title>
		<link>http://datatriangle.com/2010/03/07/diskanalyzer-pro/</link>
		<comments>http://datatriangle.com/2010/03/07/diskanalyzer-pro/#comments</comments>
		<pubDate>Sun, 07 Mar 2010 10:59:13 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=184</guid>
		<description><![CDATA[I recently received a courtesy upgrade to a software product I already owned and used, DiskAnalyzer Pro.  I am excited to review the software because it has really come a long ways.  The version I am reviewing is 3.4. From their website: &#8220;The software helps you to find largest folders and files on your hard [...]]]></description>
			<content:encoded><![CDATA[<p>I recently received a courtesy upgrade to a software product I already owned and used, <a title="DiskAnalyzer Pro" href="http://www.diskanalyzerpro.com" target="_blank">DiskAnalyzer Pro</a>.  I am excited to review the software because it has really come a long ways.  The version I am reviewing is 3.4.</p>
<p>From their website: &#8220;The software <span>helps you to find largest folders and files on your hard drive.  Get hard disk space consumption report grouped by file size, file types, ownership, file date and attributes.   Quickly drill down to folders consuming most of your hard disk space.&#8221;</span></p>
<p><span>As soon as the program launches, it asks you which drive you would like to analyze.  Once you pick the drive it quickly analyzes it.  It did the 500GB drive I chose in about 20 seconds.  The program then presents its main work interface.  The primary area is a row of tabs that lets you sort the files by different criteria. </span></p>
<p><span> </span></p>
<div id="attachment_188" class="wp-caption aligncenter" style="width: 610px"><img class="size-full wp-image-188" title="Interface_Tabs" src="http://datatriangle.com/wp-content/uploads/2010/03/Interface_Tabs3.jpg" alt="DiskAnalyzer Pro Tabs" width="600" height="48" /><p class="wp-caption-text">DiskAnalyzer Pro Tabs</p></div>
<p>You can click any of those tabs to quickly sort/group files by that criterion.    For instance, you can click file types to quickly see how much storage is being taken up by every file type on your drive (by extension).  Wondering why you have so many rich text files?  Just double click the &#8220;rtf&#8221; extension folder.  A new window opens called the &#8220;File Viewer and Explorer.&#8221;  This view lists all the rtf files on the drive with the associated metadata.  To the left is a window to quickly sort further by any of the file attributes.  Date searching even has a handy pop-up calendar to assist in choosing the dates you need.  (Very useful when you are lost in programming, and lost your orientation to time and place!!)</p>
<div id="attachment_192" class="wp-caption aligncenter" style="width: 608px"><img class="size-full wp-image-192" title="File_Explorer" src="http://datatriangle.com/wp-content/uploads/2010/03/File_Explorer.jpg" alt="File Explorer View" width="598" height="146" /><p class="wp-caption-text">File Explorer View</p></div>
<p>Double-clicking any of the files in the file viewer will launch the associated program to view the file.  For some of the simpler file types there is the option to launch an internal preview within the application.</p>
<p>A very nice feature if you need to report to someone else what is where, is the ability to export an HTML or CSV report of files located.  This is very useful for quick inventories after a data recovery or computer forensics job.  The same can be done with computer forensics software, but it is more time consuming to set up.</p>
<p>I can also see it being very useful for network IT professionals trying to find out what or who is taking up all the space on the server!</p>
<p>Overall, I find this to be a very easy to use and cost-effective utility.</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2010/03/07/diskanalyzer-pro/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Forensics Expert in Federal Court</title>
		<link>http://datatriangle.com/2009/09/10/computer-forensics-expert-in-federal-court/</link>
		<comments>http://datatriangle.com/2009/09/10/computer-forensics-expert-in-federal-court/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 19:28:38 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=171</guid>
		<description><![CDATA[I am very pleased to announce that I testified as an Expert in Computer Forensics and Cybercrime.  I was on the stand for about one and one half hours.  The material of the case involved the receipt, possession, and distribution of child pornography. I was happy to learn that the case agents, attorney, and [...]]]></description>
			<content:encoded><![CDATA[<p>I am very pleased to announce that I testified as an Expert in Computer Forensics and Cybercrime.  I was on the stand for about one and one half hours.  The material of the case involved the receipt, possession, and distribution of child pornography.</p>
<p>I was happy to learn that the case agents, attorney, and jury were very happy with my testimony.  Everyone told me that I was very clear and did an excellent job of making highly technical material understandable.  Being technically accurate and at the same time understandable, I believe, is one of the greatest challenges to anyone testifying as a computer forensics expert.  Throughout my training I have always tried to ask myself, &#8220;How would I explain this to a jury?&#8221;</p>
<p>The entire case was a great experience from working with the U.S. Attorney, investigators, criminal defense attorney, and everyone else involved in this case.</p>
<p>I am proud and happy to have accomplished my goal of being recognized as an expert in state and federal court.  I look forward to continuing to learn in this field, and hope I have a long and successful career in it!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/09/10/computer-forensics-expert-in-federal-court/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Certified in Court as Expert in Computer Forensics and Cybercrime</title>
		<link>http://datatriangle.com/2009/06/27/computer-forensics-and-cybercrime-expert-florida/</link>
		<comments>http://datatriangle.com/2009/06/27/computer-forensics-and-cybercrime-expert-florida/#comments</comments>
		<pubDate>Sat, 27 Jun 2009 17:12:42 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[Law Enforcement]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=113</guid>
		<description><![CDATA[I am not a big fan of &#8220;tooting&#8221; my own horn, but I have to publicize the accomplishment of a long time goal. Yesterday, in Rhoden v Rhoden in the 8th Judicial Circuit of Florida I testified as an expert witness in &#8220;Computer Forensics and Cybercrime!&#8221;  Since there is not a universally accepted gold [...]]]></description>
			<content:encoded><![CDATA[<p>I am not a big fan of &#8220;tooting&#8221; my own horn, but I have to publicize the accomplishment of a long time goal.</p>
<p>Yesterday, in Rhoden v Rhoden in the 8th Judicial Circuit of Florida I testified as an expert witness in &#8220;Computer Forensics and Cybercrime!&#8221; </p>
<p>Since there is not a universally accepted gold standard in computer forensics certifications, testifying as an expert in court is about the only standard that indicates you have entered the top tier of the field. </p>
<p>I am very pleased to have accomplished a goal I set for myself in 2006.  Hopefully this is just the mid-point of a great career in computer forensics. <img src='http://datatriangle.com/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/06/27/computer-forensics-and-cybercrime-expert-florida/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>X-Ways Forensics Training Course Review</title>
		<link>http://datatriangle.com/2009/04/17/x-ways-forensics-training-course-review/</link>
		<comments>http://datatriangle.com/2009/04/17/x-ways-forensics-training-course-review/#comments</comments>
		<pubDate>Fri, 17 Apr 2009 22:36:36 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Continuing Education]]></category>
		<category><![CDATA[Data Recovery]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[recovery]]></category>
		<category><![CDATA[review]]></category>
		<category><![CDATA[software]]></category>
		<category><![CDATA[Training]]></category>
		<category><![CDATA[X-Ways]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=62</guid>
		<description><![CDATA[I just completed a week of training with X-Ways in Washington, DC.   The instructor was the CEO of the company and principal software designer Stefan Fleischmann.  This class is taught all over the world, generally only a couple times a year in the United States. The class is broken up into two segments, which [...]]]></description>
			<content:encoded><![CDATA[<p>I just completed a week of training with X-Ways in Washington, DC.   The instructor was the CEO of the company and principal software designer Stefan Fleischmann.  This class is taught all over the world, generally only a couple times a year in the United States.</p>
<p>The class is broken up into two segments, which you can purchase separately.  The first three days are designed specifically to teach the student how to use X-Ways Forensics.  The last two days are a file systems course.  Since the segments are very different, I will cover them individually.</p>
<p>X-Ways Forensics Course:</p>
<p>If you have read my previous blogs you know I was already a fan of X-Ways Forensics prior to attending the course.  I knew though that there had to be functionality I was missing out on having not attended the training.  I was right!  lol   I of course had learned a lot of the features through use and reading the manual.  There were areas that I had not really explored that I will probably use in every investigation. </p>
<p>All students are provided with printed training material, digital copy of training material, a computer, and a copy of X-Ways to use during the course.</p>
<p>The class starts out with an overall tour of the user interface and how to navigate in X-Ways Forensics.  Mr. Fleischmann regularly demonstrates that there are multiple ways to do almost everything in X-Ways.  I gained an appreciation for the phrase: How many ways are there to  _______? &#8220;X-Ways&#8221;  You have to use the &#8220;X&#8221; to denote the number of ways to do a task because you can&#8217;t easily count them all! That is a bit of a joke, but whether you prefer context menus, main menus, or keyboard shortcuts there is probably the choice of doing it your preferred way in X-Ways Forensics.  Additionally, along with all those normal ways there are often sorta hidden short-cuts built in to make common tasks faster.  Once you see these, their location makes great sense.   But they are one of the kinds of things that are hard to pick up on in a manual, but easy to learn when you see someone do it.</p>
<p>While teaching, Mr. Fleischmann shows students through the tasks that he is performing.  After learning a series of features, Mr. Fleischmann has very well planned out exercises that the students execute on their own.  These are very good at reinforcing what you just learned.  After giving you time to practice, Mr. Fleischmann then leads you through the ideal solution to the exercise.</p>
<p>Mr. Fleischmann starts off each day of class with a review of what was learned the day before.  This is another great adult learning teaching method that reinforces learning. </p>
<p>There was a wide variety of computer examiners in the course.  Everything from private to the biggest name federal LE agencies.  I did not hear one examiner that was not impressed with the software, Mr. Fleischmann, or the training.</p>
<p>File Systems:</p>
<p>The last two days of the five-day course are a class on file systems.  These two days are very fast paced.  If you don&#8217;t come into the class with some knowledge of file systems it is probably too fast to comprehend a lot.  That said, if you come in with some knowledge, you will leave with a lot more.  Mr. Fleischmann has an amazing knowledge of file systems.  He moves through the MFT in NTFS very fluidly.  He explains all the ins and outs.  I don&#8217;t mean the usual, &#8220;this is a journaling file system that maintains individual entries of each file and their location..&#8221;  Mr. Fleischmann dives into the actual binary code in example after example, breaking down file entries.  Mr. Fleischmann also breaks down and explains other important system files like the $LogFile.  I have already used information in this portion of the class to find evidence in a couple cases I would have otherwise missed.</p>
<p>Mr. Fleischmann is nothing short of amazing as an instructor.  He is extremely punctual and efficient throughout the class.  There is not a moment of the course that is not well organized.  He is able to intelligently answer almost any computer question that comes up, no matter how trivial it may be. The course is definitely fast paced, though.  Get your rest, because you will need all your focus. </p>
<p>This was certainly one of the best computer courses I have had the opportunity to attend.  I would highly recommend it to any computer examiner or data recovery technician!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/04/17/x-ways-forensics-training-course-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>CNW Data Recovery Software Review</title>
		<link>http://datatriangle.com/2009/02/07/cnw-data-recovery-software-review/</link>
		<comments>http://datatriangle.com/2009/02/07/cnw-data-recovery-software-review/#comments</comments>
		<pubDate>Sat, 07 Feb 2009 17:28:33 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[crash]]></category>
		<category><![CDATA[data]]></category>
		<category><![CDATA[drive]]></category>
		<category><![CDATA[flash]]></category>
		<category><![CDATA[forensic]]></category>
		<category><![CDATA[hard]]></category>
		<category><![CDATA[recovery]]></category>
		<category><![CDATA[review]]></category>
		<category><![CDATA[software]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=57</guid>
		<description><![CDATA[I wanted to tell everyone about a newer piece of data recovery software I have been using/testing.   It is &#8220;CNW Recovery.&#8221;  I have been very impressed by the software! This software has a whole lot of functionality and power &#8220;under the hood.&#8221;  I have used it in a few cases/recoveries so far. Its results [...]]]></description>
			<content:encoded><![CDATA[<p>I wanted to tell everyone about a newer piece of data recovery software I have been using/testing.   It is &#8220;<a title="CNW Data Recovery Software" href="http://www.cnwrecovery.com/" target="_blank">CNW Recovery</a>.&#8221;  I have been very impressed by the software!</p>
<p>This software has a whole lot of functionality and power &#8220;under the hood.&#8221;  I have used it in a few cases/recoveries so far. Its results have been most impressive.  For the reader&#8217;s information, my comparison is to my other software such as EnCase, X-Ways, R-Studio, and an assortment of other data recovery products that I have tested that are targeted at consumers and techs.  EnCase and X-Ways are obviously much more mature pieces of software with a great deal of emphasis on forensic features.  Most of the &#8220;data recovery&#8221; software targeted at the consumer market is not very powerful or versatile; and they milk their customers for every dime. (NTFS version, FAT version, CD-ROM version&#8230;on and on)  With most of the consumer data recovery products the end user is not getting much for their money in results or functionality.</p>
<p>With CNW Recovery there has been a total departure from what is the &#8220;norm&#8221; in consumer data recovery software.  This software is a very powerful piece of data recovery software at a reasonable cost.  Currently a 30-day license is only $19.99!  That is a super deal in the data recovery world.</p>
<p>The software actually functions at three different levels.  These descriptions are mine for the reader, not the software author&#8217;s, mind you.</p>
<p>Wizard mode:  This is where the average consumer would work.  The software opens up a screen that scans your computer for currently existing media.  It asks you to choose what type of media you are working with.  You choose from floppy, hard drive, dd image, cd-rom, flash, DVD, Jazz, or Zip drive.  The software then walks the user through either an extraction of files or creating an image of the drive.  The wizard mode might be somewhat confusing to the computer novice, but if you just trust the software and go through the process it would result in good recovery work.</p>
<p>Manual Mode: The manual mode of the software allows the user to go directly to the various functions.  The major ones are Recover, Partition, Image, View, Properties, and Log.  The recovery mode is where most of the work will be done for data recovery.  This allows the user to use the File Table to recover files.  Partition allows the user to locate the partitions and file tables. Partition also includes the ability to do repair operations on these structures, although I haven&#8217;t had the opportunity to test that feature.  View allows the user to see the contents of the drive in a HEX editor sort of view. Properties displays fundamental information about the device.  The log actually provides a print out of all the file names recovered or mapped for recovery including the physical location, parent directory, parent directory location, short file name, and directory path.</p>
<p>This manual mode allows the skilled computer user to do a lot of very powerful data recovery.  As far as data recovery work goes, it is very user friendly.</p>
<p>Expert mode:  Although not explicitly a &#8220;mode&#8221; I wanted to note this usefulness of the program.  Because the log is so robust in displaying details about the files, an expert who understands all the data it is delivering can actually jump directly into a hex editor and use the information to start manually carving out the data.</p>
<p>Forensic Edition: CNW is rapidly expanding the features in the forensic side of the software.  While the interface to the data is much different than something like X-Ways, it is still very informative.  The logs and pop-ups while scanning the MFT allow a very granular view of the raw data the program is using. This provides for the investigator to have a more in-depth understanding of the data.  While it is not as much of a &#8220;point and click&#8221; interface, this is actually a good thing for when you are trying to manually validate findings, educate yourself, or prepare for courtroom presentation of the evidence.</p>
<p>Just a couple notes on what I have personally used the program to do with success.</p>
<p>I was able to use the software to carve out previously existing images and videos from an NTFS hard drive.  This resulted in very robust recovery of data.  I compared the recovered data to work done on the same drive with X-Ways Forensics.  The recovered data was very consistent.</p>
<p>I used the software in a data recovery job that involved a hard drive with bad sectors, inconsistent reads, and a Master File Table (MFT) that would read very inconsistently due to the errors the drive was having.  CNW Recovery was able to read the MFT and retain the MFT information.  I was then able to use CNW Recovery to gather the needed files from the sectors that they mapped to with the MFT.  The recovery was very robust and complete.</p>
<p>A neat feature of CNW Recovery is that during recovery work its directory pane maps the directory structure of the drive you are working on, but also shows you the directory structure of the recovery you are working on.  This allows a quick reference to what has been recovered and what still needs to be recovered.</p>
<p>If at any point in using the program you are confused, you can go to the program&#8217;s manual.  Regardless though, I highly recommend reading this manual if you are interested in data recovery.  The manual is a guide to the software, but CNW has done an awesome job of making their manual an education on data recovery also.  There is a lot of good information within the manual.  It is as beneficial a read as any computer forensic book I have ever purchased.</p>
<p>I can&#8217;t say enough positive things about this program, most especially at the current price point!!!  The author has shared with me that he will continue development on the software this year.  I expect the program to be truly amazing with the author&#8217;s continued enhancements!</p>
<p>If a consumer is looking for a data recovery program to try a do-it-yourself recovery of data, this software would be my first choice.  It is so affordable it is certainly worth trying before seeking out professional data recovery help.</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2009/02/07/cnw-data-recovery-software-review/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Viewing Recovered Files</title>
		<link>http://datatriangle.com/2008/08/03/viewing-recovered-files/</link>
		<comments>http://datatriangle.com/2008/08/03/viewing-recovered-files/#comments</comments>
		<pubDate>Sun, 03 Aug 2008 15:53:49 +0000</pubDate>
		<dc:creator>Chuck Snipes</dc:creator>
				<category><![CDATA[Computer Forensics]]></category>
		<category><![CDATA[Computers & Technology]]></category>
		<category><![CDATA[Data Recovery]]></category>

		<guid isPermaLink="false">http://datatriangle.com/?p=42</guid>
		<description><![CDATA[After a hard drive crash, I repair the drive. I then extract out the needed data files. Sometimes, these files have to be recovered through data carving. They will get assigned random names like 14583.doc or 184893.jpg. Well, you can imagine these names are not real useful for my clients. I was recently introduced to [...]]]></description>
			<content:encoded><![CDATA[<p>After a hard drive crash, I repair the drive.  I then extract out the needed data files.  Sometimes, these files have to be recovered through data carving.  They will get assigned random names like 14583.doc or 184893.jpg.   Well, you can imagine these names are not real useful for my clients.</p>
<p>I was recently introduced to a program called <a title="Directory Opus File Explorer" href="http://www.gpsoft.com.au/" target="_blank">Directory Opus</a>.  This is a very of Windows Explorer to view files.  The awesome thing about it for data recovery is that it shows file metadata.  If you don&#8217;t know, Microsoft Word documents and others have things like their title and author embedded in the document.  Well, with Directory Opus you can see all this data in the file tree.   It will also show the EXIF data associated with photos.  The user can drill down into zip archives to see what they contain.</p>
<p>It also has a nice dual pane interface to allow files to be moved about onto the new locations the client needs them.  It has advanced ways to automate the process for the client that wants to put in some more time learning how to operate the program.</p>
<p>The software comes with a free 30 day trial.  That should be plenty of time to get your recovered files straightened out.</p>
<p>Before someone writes in and tells me&#8230; I know you can view these same file properties in Windows Explorer&#8230;just not in the default view.  To view the metadata in Windows Explorer, just go to the top of the view pane where you see the column titles, right click, and a list of attributes the user can add to the view will show up.  Just left click on title, author, or whatever else you would like to add.  This way is completely free with no new install&#8230;  whichever you like.  Directory Opus is prettier though :)</p>
<p>Happy file browsing!</p>
]]></content:encoded>
			<wfw:commentRss>http://datatriangle.com/2008/08/03/viewing-recovered-files/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

