A presentation on how to identify useful data and secure a chain of custody in the context of teacher misconduct investigations. Presented to the Professional Practices Institute on October 24, 2013.
Forensic Computer Techniques
1. Forensic Computer Techniques
How to Identify Useful Data and Secure a Chain of Custody
Frederick S. Lane
NASDTEC/Professional Practices Institute
Boise, ID
24 October 2013
www.FrederickLane.com
www.ComputerForensicsDigest.com
2. Background and Expertise
• Attorney and Author of 7 Books
• Computer Forensics Expert -- 15 years
• Over 100 criminal cases
• Lecturer on Computer-Related Topics – 20+ years
• Computer user (midframes, desktops, laptops) – 35+ years
• 10 yrs on Burlington VT School Board
4. Current Projects
• Cybertraps for Educators (2014)
• Safe Student and School Employee Relationships (2014)
• Cybertraps.wordpress.com
• CPCaseDigest.com
• MessageSafe.com
• Informational Web Sites:
  • www.FrederickLane.com
  • www.ComputerForensicsDigest.com
  • www.CybertrapsfortheYoung.com
5. Lecture Overview
• Pre-Incident Preparation
• Common Types of Incidents
• Electronic Evidence Is Everywhere
• Response to Civil Litigation
• Response to Criminal Activity
• Risks for Administrators and Teachers
• A Quick Intro to Computer Forensics
6. Pre-Incident Preparation
• Policies and Procedures
  • District Decisions re Access, Services, Storage
  • AUPs for Staff and Students
  • Data Handling and Response Protocols
• Professional Development for Teachers and Staff
  • Typically First Responders
  • Potential Legal Risks
  • Technology Is Continually Changing
• Student Education
  • Critical Component of K-12 Curricula
7. Common Types of Incidents
• Employment Issues
• Harassment/Hostile Work Environment
• Disciplinary Issues
• Student Misconduct
• Cyberbullying & Cyberharassment
• Sexting
• Teacher/Student Misconduct
• Student Attacks on Teachers
• Inappropriate Relationships
8. E-Evidence Is Everywhere
• Inventory Possible Devices
  • Computers (Desktops, Laptops, Servers)
  • Mobile Devices (Phones, Tablets)
  • Peripherals (USBs, CDs, external drives, etc.)
• Inventory Possible Types of Data
  • Communication (E-Mail, IMs, Texts, etc.)
  • Social Media (Facebook, Twitter, etc.)
  • Web Activity (URLs, cookies, bookmarks, etc.)
  • Network Logs and Access Data
  • Cloud Storage (Dropbox, Flickr, Boxy, etc.)
  • Deleted Data
9. Whose Data Is It Anyway?
• Where Did the Incident Occur?
  • On-Campus vs. Off-Campus
  • Zone of District Responsibility Is Growing
• Who Owns and Uses the Device?
  • Misconduct Using School-Owned Equipment
  • Misconduct Using Privately-Owned Equipment
• Who Runs the Service?
  • Evidence Hosted by District
  • Evidence Created by Teachers/Students
  • Evidence Hosted by 3rd Parties
10. Response to Civil Litigation
• Preservation of Potentially Relevant Evidence
• Adherence to Established Policies for Handling Data
• Notice of Litigation or Reasonable Anticipation of Litigation
• Discovery Requests
• Privacy Concerns
• Burdensomeness of Requests
• Production of Data Held by 3rd Parties
11. Response to Criminal Activity
• Anticipate Prosecution and/or Disciplinary Proceedings
• Adherence to Policy/Process Is Critical
• Involve Law Enforcement ASAP
• Protect and Preserve Data
• Restrict Access to Potentially Relevant Data
• Hire a Computer Forensics Expert?
• Some Evidence Is Radioactive
12. Risks for Admins. & Teachers
• Good Intentions, Bad Outcome
• “Sherlock Holmes” Syndrome
• Forwarding Content for Advice
• The Cover-Up Is Always Worse
• Trying to Protect Colleagues and Friends
• Desire to Protect District by Handling In-House
• “Delete” Is a Myth
13. A Cautionary Tale
• Ting-Yi Oei, now 64
• Assistant Principal at Freedom HS in So. Riding, VA (Loudoun County)
• Told to investigate rumors of sexting at HS
• “Inappropriate” image was forwarded to Oei’s cellphone, then computer
• Charged with “failure to report,” then contributing to delinquency of a minor
• Charges ultimately dismissed
14. Computer Forensics 101
• Field Previews
• Acquisition & Mirror Images
• Some Data Are More Fragile Than Others
• Speed Is Of the Essence
• Powerful Forensics Tools
• Data Recovery and Analysis
• IP Addresses Link to Real World
• 4th Amendment and Privacy Concerns