Vermont Bar Association
Seminar Materials
56th Mid-Year Meeting
E-Discovery, Part 3 – Digging through the Data: The Basics of Digital Forensics
March 15, 2013
Sheraton Burlington
Faculty: Cristian Balan; Craig Cantwell; James E. Knapp, Esq.; Daniel Maguire, Esq.



3/14/2013


Practical Computer Forensics for the VT Attorney

Cristian Balan, CISSP, CHFI, ACE

Craig E Cantwell, CCNA, MCP, Network +, Security +, A+

Southern Vermont Digital Forensics Laboratory

Overview

• About the presenters
• Why do we need Computer Forensics?
• The Digital Forensic Process
– Identification
– Preservation
– Examination
– Analysis
– Reporting
• Some best practices and lessons learned

Cristian Balan

• IT Director/Information Security Manager
• Digital Forensic Examiner
• Hacking and Intrusion Investigator
• Chief of the VT Army National Guard Computer Emergency Response Team
• Digital Forensics Faculty at Champlain College
• Geek at large!


Craig E Cantwell

• Over 30 years experience working with technology
• Digital Forensic Examiner
• DF Lab Manager
• Computer Security Auditor
• Gramm–Leach–Bliley Act (GLBA/FFIEC) compliance consultant
• System administrator and network manager

What is Computer Forensics?

Digital Forensics – more encompassing!
Cyber Forensics – even more encompassing!

Important in the definition

• Is it a science?
• Is it an art?
• Where is it used?
• What is it used for?
• Can you answer the 5 W’s?
– What
– When
– Why
– Where
– Who
• Can we also answer the how as well?


One of the definitions

“Forensic science is the study of any field as it pertains to legal matters. Forensic evidence refers more specifically to evidence which meets stringent standards of reliability and scientific integrity for admissibility in court. Digital forensics is the forensic science related to computer operations, software, and files, as well as the digital or electronic files contained on other technology-based appliances or storage devices, such as a digital camera. There is a broad array of applications of digital forensics to civil and criminal cases.”

http://www.ehow.com/about_5504910_definition-digital-forensics.html

Let’s not forget other uses

• Research
– How does a piece of software change the data on a disk
– What happens to the computer memory when we turn off the system
• Incident Response
– What happened?
– What files were accessed?
– How did the intruder gain access?
– What damage was done?
• Recovery
– HDD is corrupt and I need to retrieve my files

Electronically Stored Information

• Logical
– Can be viewed from Operating System (Windows Explorer)
– Can be viewed from a common application (MS Word, Excel, Image Viewer)
– Once copied logically from original media it changes hidden information and metadata
• Physical
– Zeroes and ones on the media
– Forensically copied keeps hidden properties and metadata
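
Added example (not from the original slides): a short Python script showing the logical-copy effect described above. It builds a constructed file, back-dates it, makes an ordinary content copy and compares the two; the file names, the 2013 timestamp and the helper names are assumptions made for the illustration, and which metadata fields change in practice depends on the copy tool and operating system.

```python
import hashlib
import os
import shutil
import tempfile
import time


def sha256_of(path):
    """Hash the file content in chunks; the hash covers content only."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(1 << 20), b""):
            digest.update(block)
    return digest.hexdigest()


def snapshot(path):
    """Record the content hash plus metadata the file system keeps about the file."""
    info = os.stat(path)
    return {
        "sha256": sha256_of(path),
        "size": info.st_size,
        "modified": int(info.st_mtime),
    }


def changed_fields(before, after):
    """Names of the snapshot fields that differ between two files."""
    return sorted(key for key in before if before[key] != after[key])


def logical_copy_demo():
    """Copy a constructed file logically and report what the copy did not keep."""
    with tempfile.TemporaryDirectory() as workdir:
        original = os.path.join(workdir, "original.txt")
        with open(original, "wb") as handle:
            handle.write(b"Constructed sample document, not real evidence.\n")
        # Constructed timestamp: pretend the file was last saved on 14 March 2013.
        saved = time.mktime((2013, 3, 14, 9, 0, 0, 0, 0, -1))
        os.utime(original, (saved, saved))

        before = snapshot(original)
        duplicate = os.path.join(workdir, "copy.txt")
        shutil.copyfile(original, duplicate)  # content-only logical copy
        after = snapshot(duplicate)
        # Hashing and stat() only read the original, so these fields are unchanged.
        untouched = snapshot(original) == before
        return before, after, changed_fields(before, after), untouched


if __name__ == "__main__":
    before, after, changed, untouched = logical_copy_demo()
    print("original:", before)
    print("copy:    ", after)
    print("fields changed by the copy:", changed)
```

The content hash and size match, yet the copy carries today's modification time instead of the 2013 one, so a date-based question can no longer be answered from the copy.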


How much ESI

1GB = approximately 251 Reams of Paper

How do we quantify data

• Bit – 0 or 1
• Nibble – 4 bits
• Byte – 8 bits
– Can represent ASCII English characters with a byte: 01000001 – capital A
• KB – 1000 bytes
• MB – 1,000,000 bytes
• GB – 1,000,000,000 B
• TB – 1,000,000,000,000 B
• Average MS Word Doc – 1KB
• Average JPEG – 5 megapixels camera – 2MB
• Average attorney’s office backup – 50GB

The Digital Forensic Problem

Investigating, prosecuting, defending -- crimes involving computers and the Internet is increasingly difficult due to:

• the incredible volume of information and places to look
• the lack of a centralized administration
• the short time in which to start an investigation before evidence disappears
• the rapid rate of change of the 'Net (and the evidence!)
• the global nature of the network
• user mobility


What is Digital Evidence?

Digital evidence is any information of value that is either stored or transmitted in a binary form, including digital audio, image, and video.

01000001

Computer Forensic Examination

The Computer forensic examination is:

• Locating digital evidence
• Ensuring the evidence can withstand close scrutiny or a legal challenge
– Read Craig Ball
• Presenting the digital evidence so it can be understood by layperson

Guiding Principles

• Predictable – Digital Forensic tools must do what they purport to do
– Example – Write Protection Devices
• Repeatable – Digital Forensic tools must be able to produce consistent results
– Example – Keyword search results
• Verifiable – Digital Forensic findings must be capable of being authenticated by another person
– Example – Validating one's work


Reasons for Computer Forensic Services

• Inappropriate Use of Computer Systems
• Determining a Security Breach
• Detection of Disloyal Employees
• Evidence for Disputed Dismissals
• Malicious File Identification
• Theft of Information Assets
• Forgeries of Documents
• Corroborate other evidence
• User Web behavior as related to case
• Communication between parties that might have been deleted
• Document phone calls and messages
• New – location of Cell Phone or car

CSI EffectCSI Effect

… The week of December 29, 2009

26 million viewers watched CSI
66 million viewers watched a “CSI” variant

http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2009/12/29/entertainment/e131524S42.DTL#ixzz0cEqalBge

Five Phases of a Digital Forensic Exam

Digital Forensics

• Identification
• Preservation
• Examination
• Analysis
• Reporting


Identification

IT Role
1. Determine if ESI is accessible
2. Identify where additional digital evidence may reside

Attorney’s Role
1. Determine when to use Computer Forensic Services
2. Help client identify where digital evidence may reside.
3. Identify relevance of ESI to case

Collection of Evidence

• IT ROLE

– Help Secure the computer to be examined

• Attorney’s ROLE

– Ensure that computer to be examined remains secure

– Require and Complete Necessary Forms

– Securely Collect Computer from user

– Store securely until moved to attorney’s office

– Notify Appropriate Corporate Counsel or client

– Complete Chain of Custody Form

Collection of Evidence – (Do's & Don'ts)

• Do not disturb the computer in question.
• Computer is off, Leave it off
– Cell phone – best option might be to turn off!
• Computer is on, Leave it on
– Balan’s expert opinion – unplug network cable!
• Do not run any programs on the computer.
• Do not make any changes
• Do Not Insert Anything Into The Computer
• Secure the computer


Required Documentation

• Computer Forensic Request Form
• Chain of Custody Form
• Signatures
• Disclosures and Disclaimers

Required Documentation

By far the most important document is the chain of evidence

• In criminal cases
• In civil litigation
• For tracking and knowing who has what

Required Documentation

IT Role
• Start a local case
• Assign A Team
• Date & Time When device was secured

Inside Counsel
• Document Date & Time of Request
• Name of Requestor
• Date & Time Client secured the device
• Organization Name
• Manager’s Name


Required Documentation

First Responder Role
• Document Hard Drive Serial Numbers

IT Role
• Document computers:
– Mac Address
– Static IP Address
– Serial Number
– Make & Model

Reason For Request

Desired Objectives

Approval From Corporate Officer & Legal Counsel

We also obtain approval from both corporate officer and legal counsel before commencing Computer Forensic services.

This approval will be documented on the requisition forms and filed with the case evidence as well.

Required Documentation

IT Role
• Sign and Date form
• Obtain Corporate Officer and Legal approval

Attorney’s Role
• Sign and Date form
• Obtain Client approval


Additional Chain of Custody Form

Chain of Custody forms we use are very detailed
– Tie HDD to computer, to owner, to attorney
– Tie the cellphone to battery, cables, owner, carrier, attorney

Why Are These Documents Necessary?

• Collect important information
• Legal Aspects
• Get out of jail free card

Imaging

• DF Examiner
– Determine where to perform the image: Onsite, or In the Lab

• CLIENTS ROLE
– escort our staff to physically collect the computer from the computer’s secure location.


Hardware Imaging

Imaging

Here are some of the procedures we use during imaging to ensure that evidence collected is clearly identified and preserved:

Scan Hardcopies

We scan all hardcopy forms to PDF and this electronic copy is kept with the images of the evidence.


Tag Evidence

We manually tag all evidence items with an assigned case number using the following naming convention:

Case Number and Hard Drive Serial Number (Ex., 01-2008-04-Agency Name – HDD Serial#)

Connect Suspect Drive to Write Blocker

Connect Write Blocker to the suspect's hard drive


Imaging Regular Hard Drive

To image a regular sized hard drive, implement the following procedures:

• Request the client to purchase a storage device.
– Reduces Cost
– Ensure enough space is available to process the evidence.
– Easy transfer of images to client

Storage DeviceStorage Device

Organize Evidence Information

Create the following folders on the destination drive for every case:

Case Name-Evidence Item Number (Folder)
1. Evidence (sub-folder)
   1. HDD1 (sub-folder)
   2. HDD2 (sub-folder)
2. Export (sub-folder)
3. Temp (sub-folder)
4. Index (sub-folder)
5. Drive Geometry (sub-folder)
6. Report (sub-folder)
7. Case Back-up (sub-folder)

Place all images produced in the Evidence Folder


Use FTK Imager

Create the image using FTK imager

Through experience, we have found this to be one of the easiest and most portable software to create images. Also, this image can be used in both FTK and Encase.

Image Physical Drive

Always image the Physical drive.

Special cases
• Encrypted HDD
• Too complicated RAID
• Network attack or hacker in the wire

Imaging A Raid Server

Redundant Array of Inexpensive Disks

• Have the systems administrator help you review the RAID information.
• You need to gather the following information:
– Stripe Size
– Element Order (Disk Order)
– Element Size, whether it is a RAID 1, 5, etc.
– Right hand, left hand, forward, back, or dynamic disk.
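
Added example (not from the original slides or from any forensic tool): why the parameters listed above have to be recorded. The Python sketch stripes a constructed volume across three RAID 5 member images and reassembles it; a wrong disk order, stripe size or parity rotation produces different bytes. Assumptions: asymmetric parity placement, reading the slide's "right hand, left hand" as the direction of parity rotation, and hypothetical function names.

```python
from functools import reduce


def parity_disk(row, n_disks, layout):
    """Array slot holding parity for a stripe row (asymmetric layouts, assumed)."""
    if layout == "left":
        return (n_disks - 1) - (row % n_disks)
    if layout == "right":
        return row % n_disks
    raise ValueError("layout must be 'left' or 'right'")


def xor_blocks(blocks):
    """Byte-wise XOR of equally sized blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def build_raid5(volume, n_disks, stripe_size, layout):
    """Split a volume into member-disk images (used here to make test data)."""
    row_bytes = stripe_size * (n_disks - 1)
    if len(volume) % row_bytes:
        volume += b"\x00" * (row_bytes - len(volume) % row_bytes)
    members = [bytearray() for _ in range(n_disks)]
    for row in range(len(volume) // row_bytes):
        chunk = volume[row * row_bytes:(row + 1) * row_bytes]
        data = [chunk[i:i + stripe_size] for i in range(0, row_bytes, stripe_size)]
        parity_slot = parity_disk(row, n_disks, layout)
        remaining = iter(data)
        for slot in range(n_disks):
            members[slot] += xor_blocks(data) if slot == parity_slot else next(remaining)
    return [bytes(member) for member in members]


def reassemble_raid5(images, stripe_size, order, layout):
    """Rebuild the logical volume; order[i] is the image sitting in array slot i."""
    disks = [images[index] for index in order]
    if len({len(disk) for disk in disks}) != 1 or len(disks[0]) % stripe_size:
        raise ValueError("member images must be equal in size and stripe-aligned")
    volume = bytearray()
    for row in range(len(disks[0]) // stripe_size):
        parity_slot = parity_disk(row, len(disks), layout)
        offset = row * stripe_size
        for slot, disk in enumerate(disks):
            if slot != parity_slot:  # skip the parity block, keep the data blocks
                volume += disk[offset:offset + stripe_size]
    return bytes(volume)


def parity_consistent(images):
    """True when the images XOR to zero, i.e. they belong to one intact RAID 5 set."""
    return not any(xor_blocks(images))


def demo():
    """Reassemble with the recorded parameters and with each one wrong in turn."""
    volume = bytes(range(256)) * 6  # constructed 1,536-byte volume
    images = build_raid5(volume, 3, 64, "left")
    attempts = {
        "correct": reassemble_raid5(images, 64, [0, 1, 2], "left"),
        "wrong disk order": reassemble_raid5(images, 64, [1, 0, 2], "left"),
        "wrong stripe size": reassemble_raid5(images, 32, [0, 1, 2], "left"),
        "wrong rotation": reassemble_raid5(images, 64, [0, 1, 2], "right"),
    }
    return {name: data == volume for name, data in attempts.items()}


if __name__ == "__main__":
    for name, matches in demo().items():
        print(f"{name}: {'volume recovered' if matches else 'garbled output'}")
```

The parity check passes for any disk order or stripe size, so it confirms the images belong together but cannot replace the recorded parameters.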


Imaging a Cell Phone

• Even an iPhone can take several hours
– Depends on amount of data – pictures, videos
• Cell phones take special procedures
– Disconnect from the network
– Use Faraday bags
• Must be imaged live – sometimes install small files on the phone to allow for imaging
– Android phones

Secure the original

• Remove hard drive from the Write Block device.
• Reassemble the computer
• Ensure evidence remains tagged.
• Secure the original
• Make two forensic copies
– Store one
– Analyze the other

Forensics Tools

• The best tool: examiner's skill and imagination (Gary Kessler, PhD)
• Software and Internet resources
– Operating system resources, user and object monitoring, system logging
– Disk imaging tools (e.g., Ghost, dd)
– Specialized forensics software (e.g., EnCase, FTK)
– Hex editors
– Internet sites (e.g., Sam Spade, DNSstuff)


Examination/Analysis (con’t)

FTK

Early Case Assessment

• Can’t wait for imaging?
• Don’t know if any potential evidence exists
• Make a $10k to $20K decision
• MetaLogic ECS
– Will connect a writeblocker to HDD
– Will browse most common evidence items
– Will provide a brief report and recommendations

Examination/Analysis

FTK can take a few days to process your image.

• Index all words
• Carve files from unallocated space
• Create file list
• Unpack compound files
• Populate a database with all file information
• Create timeline
• Filter specific files if limiting scope

During this time, we communicate with counsel - get and give case updates


Examination/Analysis (con’t)

• Try to answer questions related to the case
– Exculpatory
• Look for common user activity
– Web browsing
– Inserted USBs
• Look for specific user activity
– Were files accessed
– Were files deleted
• Look for unusual user activity
– Hiding or encrypting files
– Shredding files

Examination/Analysis (con’t)

• Run Keyword Searches
– Obtain from attorney
– Will discuss as part of initial consult and creation of scope
• Review Corroborating Evidence
– Emails
– Surveillance Video
– DVD & CDs


Forensic Report

• Professional report – Word/PDF
– Really nice cover page
– TOC
– Executive Summary
– Results and comments
– Conclusion and opinion
– Media examination (process and tools)
– Exhibits
– Timeline analysis
– Technical Backgrounders
– Glossary of terms
– Appendices
• Forensic tool report – on CD/DVD or External Drive in HTML format

Five Phases of a Digital Forensic Exam

• Identification
• Preservation
• Examination
• Analysis
• Reporting

Storage of data

• We will store your external HDD for the length of the litigation
– Will preserve the forensic images
– Will store the case data
– Might require later for additional analysis
– The opposing party might request
• If the client purchases the external HDD this is relatively easy for us


Most important take away

• If court action is anticipated, issue immediate request to preserve the original evidence if possible.
• If original evidence cannot be preserved, some Court Rules of evidence allow for the image to be admitted as evidence.

Can you return cell phone or laptop?

• Depends – do you expect the opposing party to request interrogation of original evidence?
• Can store in attorney’s safe!
• We can store for you in lab evidence locker!
• Cell phones are volatile – no HDD, everything is in memory – continued use will taint the evidence.
• Laptop – client can purchase another HDD and we can image from original – store the original bagged and tagged in evidence locker

Last important take away

“Too many attorneys and corporate officers initially call upon their trusted IT personnel to “poke around” in a computer and see what evidence can be viewed or recovered. Yet, as described above, each time a file is highlighted, opened, copied, moved, or otherwise “poked” without the appropriate forensic tools, the system dates on important files can change and the likelihood of tainting the evidence increases. By consulting with a computer forensic expert early in a case, the attorney can preserve the quantity and quality of valuable evidence, avoid spoliation charges, and minimize the risk of facing civil or criminal sanctions.”


Some general thoughts

• Computers are getting faster, cheaper, and smaller...
– And are present at an increasing number of crime scenes and civil cases
• Storage devices are increasing in capacity while decreasing in size and cost
• Access to the Internet is practically ubiquitous, getting faster, and getting cheaper
– Access devices include iPads, cell phones, as well as "computers"
– Log files grow so fast that ISPs maintain them for less time
• The amount of information (e.g., Web pages) on the Internet is growing exponentially and sites are more global

Questions????

SOUTHERN VERMONT DIGITAL FORENSICS LABORATORY (SVDFL)
www.SVDFL.com
36 Chickering Drive, Suite 101, Brattleboro, Vermont 05301-4419

cellebrite® UFED
Cell Phone Forensic Examinations
FTK® & Encase®
Computer Forensic Examinations

Cristian Balan, Digital Forensic Examiner
802.451.1098 ext. [email protected]

Craig Cantwell, Laboratory Director
802.451.1098 ext. [email protected]