
Old hat investigative work will always work

Digital Forensics
Brett Shavers
Wednesday, 27 June 2018

The Reality Winner case is a good example of a basic investigative method that still works regardless of how much publicity the same method has received for years prior. In the Winner case, printed documents were tied to Winner based on “microdots”. The article below does a decent job of explaining what microdots are if you haven’t heard of this before, or if you associate microdots with LSD...


https://www.grahamcluley.com/reality-winner-pleads-guilty-after-being-unmasked-by-microdots/ 

Basic (and non-secret) investigative methods succeed more often than not, and they actually succeed all the time. It doesn’t really matter that criminals know police investigative methods, because the methods still work. A personal example from when I was doing drug investigations was ‘knock-and-talks’, where my partner and I would knock on the door of a suspected drug dealer and ask for consent to search for drugs. On one knock-and-talk, we were given permission to search a home that had hundreds of marijuana plants. Not that unusual. What was unusual was finding a book written by a prominent Seattle defense attorney, opened to a page on “Police Knock and Talks”, with a highlighted sentence that stated something to the effect of ‘Say no to the police when asked for consent to search’. Even the attorney’s business card, used as a bookmark, had the same advice printed on the back. Yet he willingly let us in.

This concept applies to all aspects of investigations, including technology related investigations like the Reality Winner case.

Part of the reason the tried and true, traditional methods continue to work is that no matter how secure a criminal tries to be in everything he or she does, there are times when complacency creeps in. Add a bit of arrogance (“They’ll never catch me!”), and BAM. It’s over.

I’ve had cases where a dozen hard drives were wiped clean, but another dozen had plenty of evidence (illicit images). In these instances, the suspects were fanatical about wiping evidence until they weren’t. This applies to everything that anyone does with their electronic devices and online behavior. Complacency allows traditional methods to work, and the complacency monster always wins because eventually everyone slacks off in something they do.

Search warrants are not difficult to get

In a recent court decision, law enforcement is now required to obtain a search warrant for cell phone records. If you didn’t know how it worked before this decision came out…

http://www.governing.com/topics/public-justice-safety/tns-supreme-court-privacy.html

Depending on how you think this affects you personally, your perspective may be different. But in all practical reality, nothing really changed. Your cell phone records are not protected from reasonable search and seizure. The records are still there, and if probable cause exists, law enforcement can get them with a warrant. I do not believe any criminals are jumping for joy over this court decision, because they are still ripe to have their records pulled with search warrants.

As for how difficult it is to get a search warrant…it’s not difficult at all if you have probable cause. I have found that the longest part of applying for a warrant is the time it takes to type up the affidavit. The faster you can type, the faster you can get a warrant. The rest of the process only takes minutes (not counting any traffic while driving to the judge’s home…). But you don’t even have to type up a warrant if you don’t have time. Simply call a judge, get sworn in over the phone, and ask the judge for a telephonic warrant with a verbal affidavit. I’ve done it both ways and typically had a signed warrant in under an hour…nearly every single time. I've had warrants in less than 30 minutes on a few occasions. If a warrant is needed faster than 30 minutes, then you might be dipping into exigent circumstances, which is a different topic.

Your cell phone records probably weren’t going to be pulled anyway, and won’t be unless there is probable cause to do so. As for criminals knowing that cops need a warrant now, that won’t make a bit of difference in how they use cell phones to commit or facilitate crimes, and it won’t make a difference in that law enforcement will still get 100% access to everything.

The point

No matter how sophisticated your suspect is (or custodian in a civil case), never forgo looking for the low-hanging fruit first. Don't assume that files were wiped, that browsing was only done with Tor, or that the suspect didn't use his home Internet to hack into a victim's system. Because they do and always will. Old hat stuff works.
