Good afternoon. My name is John Bambenek. I'm presenting virtually "Adventures in Pro Bono Digital Forensics Cases," on some of the cases I've worked on in the last couple of years, when I've had some time to work on some extra things. We'll talk about that here in a second. As you know, it's all pre-recorded. If you have questions in Discord as we go along, I'm happy to answer them, or send direct messages, or if you happen to be in Las Vegas and want to catch up for drinks or coffee, I am available, certainly, to talk about things that we're going to get to at the very end, my call to action.

So a little bit about myself. I am president of my own company, Bambenek Labs, primarily selling threat intelligence feeds, but I do some other consulting as well. But it's my company, so I'm fully independent for the time being. I am getting my PhD in cyber security machine learning. But what's relevant for this talk is I helped develop a curriculum and taught digital forensics for about three years at the University of Illinois. I actually don't have any current certifications in forensics, but I've taught it and have used that experience as my gateway into getting judges to approve me as an expert witness, because I've developed curriculum that others have used, and some of my students have gone on to be law enforcement officers. And how I teach the course, actually, you'll see artifacts of in how I present this talk and what I focus on.

So as an aside, right, I am in the lucky position to be self-employed, and basically a lifestyle company. Some of you may be involved with startups looking for multiples and that kind of thing. But you know, when you're in a boutique lifestyle company, there's a lot of freedom that comes along with it to pursue things that you find interesting versus things that you just have to do because your boss tells you to do. So between that and the pandemic,
I used to be part of the security vacation club. I'm sure that I've seen some of you participants, you know, around the United States, around the world, when we used to do that kind of a thing. And not spending time on planes, especially for international travel, has freed up a lot more time as well. So I have more time to devote to non-income-producing activities.

Which goes to my last point: I think, at this time in our society and the way things are going, that we should give back and use our skills. We know there's a cybersecurity job shortage, and we could talk about why that is. But more importantly, there are lots of people and groups that aren't getting protected, right? And not just even in the digital forensics or law enforcement sense. You know, I've talked to PTAs at schools, of parents who are trying to protect their kids, and they have very little guidance. I mean, they can Google it. You know, there's any number of groups of people who have cyber security needs that are going unmet because they're just folk who don't have an infinite amount of money to pay people. And as much as possible, we should give back. Obviously, we have to feed our families and work. But to the extent that some of us can do that, I really feel strongly that we should do that. And a spoiler alert: at the end of this talk, I'm going to be asking for your help in some of this.

So here's a one-hour talk in one comment that really underlines the premise of everything. I don't know if any of you've seen this before. You probably heard the expression. I actually come from a family of lawyers and judges. Well, actually lawyers, judges and petty criminals. So I was built for cyber security, but I also have a lot of inherent legal knowledge and grew up on lawyer jokes. So here's an older one. You can tell, it's black and white, right? "You know, you have a pretty good case, Mr. Pitkin. How much justice can you afford?"
Right? We have a very romanticized idea of the legal system, not just the criminal justice system but in civil court too, that hey, each side can fight it out. They've got their lawyers, and you know, you get to the point to see who wins. Well, there's a lot more that goes into that, right? You know, from my own personal experiences spending lots of money on lawyers, a lot of your outcomes in the court system depend on how much resources you bring to bear and how much you can spend, and not just in money, but in time and expertise.

So here's the agenda of the talk. You know, we're going to talk about the legal system a little bit, because usually what I try to focus on and really beat home when I teach forensics is the legal aspects of what we're doing. You know, if you're using EnCase or Cellebrite, the tools do a lot of the work for you. You need to understand what they do, but the things that really can impact the case are things that aren't connected to technology, right? There's integrity of evidence and chain of custody, some of these things that, if you don't get them right, there goes your case right then and there. And one of the cases I'm going to talk about does deal specifically with integrity of evidence. We're going to deal with three cases specifically that have been dealt with, and a potpourri of other kinds of matters that touched on the legal system, and a call to action at the end, as I mentioned before.

So there's a difference between incident response and digital forensics, right? It's possible to respond to an incident without really doing the work of forensics. You know, at a superficial level, it seems the same thing, right? How did the attackers get in? How do we kick them out? How do we move forward?
The difference between IR and forensics is there's a lot of overhead in preparing evidence for use in court. Now, very few of us have ever been called to a witness stand. But the key focus of forensics, including the Latin origin of the word, is that it's doing the work to prepare for trials and to prepare evidence, which leads to lots of overhead. I can do incident response without locking hard drives in a safe. You really can't do that with digital forensics.

And like I said, a very key point that deals with some of the imbalances inherent in the legal system is, you know, for those of you who are in Discord, I'd be interested to see how many of you have ever been on a witness stand after having done a forensic report. You know, there's probably a lot of forensic examiners listening to this talk that have written tons of reports. But a lot of our work, and a lot of the criminal matters I work on, deal with overseas suspects, right? We know going in there probably isn't going to be a trial. You know, I've had clients and sat them down, I guess I'm not a great businessman in this way, where I've said, okay, you're dealing with ransomware. You want to sit there and try to do a tort case to recover your losses or whatever. It's like, listen, we can do the overhead of doing forensics, you know, I'll run the clock if you want. But bear in mind we might not ever be able to get this person to trial, or probably not, so you're going to be paying me money, but I'm not going to be able to give you a return on that. So, you know, there's lots of that that goes into it.

A lot of people doing forensics work for large IR firms or well-resourced enterprises. You know, I'm not sure, it wouldn't surprise me, that there are people with law enforcement agencies that might be listening to this talk. But we have tools, right?
You know, you've got EnCase or Cellebrite, right, kind of the gold standards of tools that you have to work with. I doubt very many... there are no forensic examiners in a small business. There probably isn't a security guy, right? You know, there isn't a forensic person at your local PTA or the nursing home, right? The elderly have a lot of unique cyber threats directed at them. You know, if you think about business email compromise, right? A lot of people talk about ransomware, but business email compromise, or more specifically romance scams, there's nobody to protect the victim against the romance scam or to do the work to bring a prosecution. And that's billions of dollars lost from that.

And like I said, the tools do a lot of the heavy lifting for us. I think it's important to understand what the tools are doing, the science behind the tools. That certainly is going to help you if you're ever cross-examined. But it also leads to a degree of laziness. At the end of the day, like I said, when I produce a forensic report, I want to stand behind all of it, you know, not just some of it, right? If whatever tool I'm using says X, I want to be able to explain in detail why it says X if I'm cross-examined, because that's my credibility on the line. You know, I can't say, well, this tool said it. You have to explain and understand the science behind it.

We're going to talk about credibility a little bit more. But this notion is that so very rarely is our work ever challenged in court. Even if the matter ends up in court, there can be a little bit of, not laziness, but kind of rustiness, right? We're not used to being scrutinized, and when you know things aren't going to be challenged, you're not as on guard.
You're not as thinking through the underlying stuff. And in some matters it might not matter, you know, you may have it if you're doing forensics for an HR investigation of somebody doing something they shouldn't with corporate assets. You know, but in another subset of matters the outcomes really do have an outsized impact on victims and defendants. And we're going to talk about a couple of those.

So in the United States, and kind of most of the British common law systems anyway, we have this notion of an adversarial legal system, right? And that's somewhat romanticized. Each side presents their case to a judge, or to convince a jury, or a judge if it's a bench trial, who, as the trier of fact, will decide you win or you win. Right? And both people get their say. They get to call their experts. They get to cross-examine each other's experts and witnesses. And they can get court orders to compel evidence production, right? Sounds all very fair, right?

If you're ever in a criminal case, you want to do all of these things. You know, I don't want to just have the cop say, yeah, he shot that guy. I want to be able to see the body cam footage or CCTV or ballistics reports. I want to be able to get my own ballistics reports. You know, we've seen a lot of how this system works out and plays out in some of the high-profile cases we've seen with Black Lives Matter and others, right? Those are probably the most public trials that we've had in the past couple of years, with Derek Chauvin and the like, where, you know, the police had their experts and their forensic examiner, their coroner, who said, you know, George Floyd died for X. Others brought in a different coroner or medical expert who then said, no, it was Y, right?

So that's a system that works, but only in a certain case, right? The underlying assumption is that both sides are at near parity. And it's not necessarily money. Money is important.
That's a component, you know, but it's expertise, right? The only person who can question a coroner is another medical examiner. Lawyers may be able to ask some questions, but lawyers need to know a lot of other stuff than just technical areas of specific classes of evidence, right? You know, there are areas that lawyers are experts in, and they should be experts in. And for that matter, there are things police need to be experts in beyond just the handling of a certain class of evidence. If you think about what the FBI or police officers or detectives need to do, there's a whole lot that they need to be trained and experts on, and know natively, versus us, right, who are experts. I can focus on digital forensics. I can give a talk on it. You all can attend a talk on it, right? There are lots of police officers with Cellebrites and other tools who do the work of forensics but don't go to talks like this or don't have the same professional training and experience that we do.

Time is a very important component, especially when people are on the line and people's lives are on the line and, you know, they're looking for certain results in a certain time frame. Or when the government acts and, you know, you're on the wrong side of the government's law enforcement arm.

There's also emotional energy, right? We're going to talk about this briefly, but most cases settle before they ever hit trial. You know, there's some subset of cases where there's a defendant, so it's like, I'm going to go all the way, I want to challenge this. And once they sit in the room and they see their jury of 12, you know, then there's a recess and they settle right there, right? Because then it becomes real to them, and that isn't a legal question.
That's just an emotional energy question.

But really think about, just to do with the money question, what your hourly bill rate is if you work for an IR firm, or what you're billed out at, or if you're just a salaried person who does IR at a company, what you get paid. Now think of anybody in your life that might have need for examining or handling digital evidence or helping with a cyber crime case. Could they pay? There's lots of small organizations, charities. There was a small media outlet that I helped with a ransomware case. So that wasn't forensics, that was just IR and ransomware negotiation. But they didn't have any ability to pay, and their insurance policy didn't have any room to pay me even if I wanted to. So there's lots of people who don't have access to the same money or expertise or time or emotional energy. So the assumption of this adversarial legal system, where people are at near parity, doesn't really often exist. Sometimes it does, but very rarely does it, right?

And the bad news is, for those of us who work for large companies or law enforcement agencies or IR firms, we're on the powerful side of that system. Now, generally the people we're investigating, with the exception of law enforcement, you know, we're doing forensics for HR cases, and it's usually pretty cut and dry. Or we're doing forensics for a cyber crime or an APT case that'll probably never go to trial, right? There's parity there. But that's not all of what exists there.

And there's lots of people who are on the, I don't want to say wrong side, but the disadvantaged side of the criminal or the legal system. I mean, you've got the poor. They can't afford their own lawyers. They've got to deal with public defenders who have caseloads that, if they were in private practice, they'd be disbarred for having. You've got other disadvantaged people.
You've got the persecuted. I'm going to talk about a journalist that a city government just went after because they were mad. Even middle-class people. I mean, we're all upper middle class here in this industry. I should say, there might be some entry-level people here. But by and large, right, you know, as a class, people who work in cyber security can have a pretty secure life, right? We're going to do okay. But if you think about it, if you get unjustly charged with a felony, you know, a criminal defense could run a hundred thousand dollars. Do you have it? I don't. Right? You know, I say that as somebody who's had to have a lot of lawyers on retainer over the years, right? You know, I couldn't afford that. And that's made at least a little easier in my case in that I have lawyers in my family that I can barter with. You know, they do stuff for me and I do stuff for them.

But the hourly bill rate for lawyers for basic stuff is, I don't know, about 250, give or take. Right? Those bills accumulate very quickly, and that could be very hard for anybody to pay. And there's lots of matters where you aren't entitled to free legal representation, right? In criminal court, you need a public defender. There is legal aid for certain classes of things. But for a lot of things, if you don't have the money for a lawyer, then you're arguing the case yourself.

So here's some examples of bad outcomes. At least, I think generally the FBI does a good job with forensics. You know, I have no beef with CART examiners, and at least generally, if I were asked to look over the work, I would expect that they probably got it.
There's lots of checks and balances in how the FBI does things. But sometimes they get it wrong. And largely, like I said, it's due to things prior.

So this article had to deal with hair evidence, right? The FBI labs, you know, did various forensic examinations of hair and were able to get convictions based in part on that. Well, eventually somebody who was resourced enough hired their own experts, challenged it, and found out, hey, you know what, this is junk science. You know, maybe a step above junk science, but it ain't forensic science. Right? It did not have the outcomes they did. But when an FBI expert shows up and says, I did this, I did this, I did this, you know, they've got a badge. People take them at their word unless there's somebody like me or like you who does the work to show that they didn't do it. You know, when the government presents their experts, or one side presents the experts and the other side doesn't have any, it is very, very hard to impeach their work. It really takes another expert. And we're going to keep going to this point in a couple of cases I'm going to talk about.

All right, so this is a very bad outcome, you know, for a lot of reasons. One, I mean, you had people who were potentially wrongfully convicted. That's bad, right? But as somebody who wants the law enforcement system to work and actually put criminals behind bars, right, there may have been some guilty people who walk free because of the evidentiary errors made here, right? I want my cops and the FBI and law enforcement to get bad guys. I want them to get them the right way and make sure that they do it correctly. Because the way we've calibrated our legal system, at least in the criminal sense, is, you know, beyond a reasonable doubt, to err on the side of letting bad guys go, you know, versus keeping the innocent in jail. It doesn't always work out that way. But like I said, there's a notion:
Oh, you got off on a technicality. Well, the flip side of that equation is, well, did law enforcement do it right? You know, they have the high bar, and they should have a high bar.

So there's also lots of other worst cases that we can point to, right? You can think of any of the cases that led to the Black Lives Matter movement, talking about a power differential there. Right? You know, there's an entire project, or there's lots of iterations of this, the Innocence Project, of looking at people just on death row, going through the cases with a fine-tooth comb and seeing if there are in fact people on death row who are innocent. Right? You know, the outcome of getting that wrong is irreversible. And there have been convictions overturned. It turned out that they found people who were in fact innocent, for a wide variety of reasons. Now the downside of this is also that, well, I mean, you've been on death row for 20 years. You're free, but you don't get your 20 years back. Right? You know, they're not going to execute you anymore, but you've taken a 20-year break from society, right? There's no restitution. In some states you can get some money or whatever, but money is a poor substitute for time.

A lot of the times, you know, the outcomes aren't just a question of malice, right? Local police have to handle low-end cyber cases, right? The FBI has their thresholds. Not every cyber case is a federal case. You know, now there are police officers who can handle it. You know, I'm in a somewhat rural part of Illinois where there's a couple of cops who can do Cellebrite stuff and a couple of other things. You know, but they have other duties as well. But they've got to handle all of that, and sometimes, you know, things that are complex enough or too complex for a cop, but not reaching the bar of the FBI's threshold, means things fall through the cracks. Right?
Well, but those cops are usually, you know, not well trained, right? You know, they're cops first or whatever. Sometimes they have a forensic examiner whose job is to do forensics on behalf of the police, not badge carriers. Right? But think, right, you know, many of you probably invested in a GCFA or GCFE. Not cheap, right? You know, would you settle for cop pay, right, knowing your earning potential is high elsewhere? Right? The FBI has a hard time retaining their cyber agents because they could spend 10 years and then punch out to work for mid six figures, right, versus the GS pay scale. Some people will still stay in for a sense of civic duty or whatever, and that's great. But it's known throughout government that, you know, the pay differential between the public and private sector is creating some real problems.

But I said, you know, we're on the powerful side of an unbalanced power relationship, and if that makes you slightly uncomfortable, that's not a bad outcome. Hopefully, if nothing else, what you get out of this talk is the need to do our jobs correctly and diligently, even though we're probably never going to be questioned in court.

So my first case that I wanted to bring up was, I started doing some work for public defenders. I said they have immense caseloads that wouldn't be tolerated in private practice. They've got defendants who can't pay.
That's why they have a public defender. And especially when you get into rural areas, there's no money for it.

So as a personal anecdote, the only criminal prosecution, and I put prosecution in air quotes because I think there's a couple of matters I was an expert witness on, but by and large it's just helping research and investigate things and feed it to the Bureau for them to do their thing. But obviously, like I said, I fed and dealt with the FBI. So it's not exactly a conflict of interest then, being a defendant against, or helping the defense against, the FBI. It can get kind of weird, right? But doing state-level work for public defenders, there's no conflict, because I've never worked with the state police or state's attorneys to help local prosecutions. Not for any reason, it's just never come up. The kinds of things I dig into are large-scale, billion-dollar criminal enterprises, so those are inherently federal.

Many of these public defenders have never had a digital forensics expert before, nor their peers, you know. So there's lots of things they didn't know how to handle. So it's just kind of talking through, okay, how to engage and, you know, work with me.

And so I got a case, right, not in the county I'm in, a different one. But it was a CSAM case, unfortunately, referred by the National Center for Missing and Exploited Children, who does a lot of work finding this stuff, identifying it on the internet, finding who's sharing it, who's uploading it, and getting these people brought to justice. And rightly so, right? I have no desire that any of this material be on the internet anywhere in the world, right?
And primarily NCMEC does a lot of hash matching, sometimes actually does image inspection to actually look at the stuff. And in this case it was tied to a specific Google account, so they were able to inherently trace it to an individual.

Because they'd never dealt with a private digital forensics expert before, right, this led to interesting questions about evidence handling, and you can kind of, you know, picture the absurdity. It's like, you know, all of us doing forensics right now are primarily remote, so somebody's sending us evidence, right? You know, so they say, would you like us to mail the evidence to you on a thumb drive? It's like, no, no, I would not, because that would be a federal crime and you can't protect me from that. And you can't email it either, right? So, you know, they couriered it. And I still kind of had a problem with that, because, well, now I have something in my possession I really don't want to have. But defense are entitled to defend their clients, and they need to see all the evidence and examine it.

The FBI, how they handle this is that, you know, if you've got a federal CSAM case and you've got a defense attorney and defense experts, they're just going to have to go to the field office or a resident agency and look at the evidence there on an offline, non-networked computer, and that's just that. Which is a pain. But you know what, considering the subject matter, I'm okay with that, right? You know, if somebody was making me jump through a bunch of hoops for, you know, some fraud case, I'd be irritated. In this case, it's like, yeah, okay, I get it, right?
And like I said, luckily the work I would do with this case doesn't really involve me looking at the images. I mean, the metadata, the files or whatever, and the network telemetry, sure. But they really had no process in place here to handle it. And I said there are federal questions, right? You know, sending it through the US mail is a federal crime. Sending it over electronically is a federal crime. You know, possession in some cases is a federal crime, right? And the state can't immunize you from federal charges, right?

So, kind of talked through that. I actually asked the FBI if they had any, you know, there's the deconflict. It's like, by the way, this is what I'm doing, this is why I have it. You know, which led to the federal prosecutor giving the prosecutor a call saying, hey, let's not do this. So we'll try to, like I said, make the work of law enforcement better in a place that's never dealt with this, saying, hey, we need to keep this stuff in an evidence locker somewhere, you know, at a police department, on an offline computer, so that if anybody ever needed to look at it to do the work, they can. But it's just not being transmitted or shared. It's being held in a very controlled way. So even though, as a defense expert, it's not my job to make the prosecution better, at least for this it's like, glad we kind of went through this, even though it's a very circuitous way of actually starting the case. It's like, hey, let's make sure we get the process right in this place, communicated out. That way, when it comes up later, you know, it's handled correctly. And it's very important to handle this stuff correctly.

So NCMEC identified hashes with upload events from specific IPs. Those were authenticated to a Google account, so they kind of knew who they were. And as far as I could tell, they just said, okay, well, you're the account, you're the guy. All right, you know, off you go, here's your cuffs.
Here's the charges. Gets a public defender, then hears about me and contacts me.

So the threshold here, right, for a criminal case is beyond a reasonable doubt, right? The defendant says, hey, other people have access to this, right? I'm not the only one with the password. You know, that's reasonable. People share passwords. They shouldn't, I mean, we tell them not to, but they do. Some of the IP addresses involved were locations not connected to the defendant, right? You've never been in that city. There was mobile and ISP, right? So it was kind of easier to identify locations that didn't make a lot of sense.

But here's an interesting question, right? The goals between prosecution and defense experts are different. Right? For a prosecution expert, you have to collect all the evidence and analyze it to create a beyond-reasonable-doubt scenario. That's actually fairly hard to do with digital evidence alone, for a lot of reasons. You know, any number of things could happen to that computer, right? You know, even if it was in this guy's house, did somebody else put it on his computer, or, you know, into a cloud account? Because I can't tell that from network telemetry alone, about who's sitting at the computer. You need other stuff. And digital evidence is a form of hearsay, but there's a couple of exceptions that apply. But it can also be circumstantial, right? So there's a lot of legal concepts that come into play.

As a defense expert, right, it's just a little bit different role than I'm used to. It's why I said I've done investigations of large-scale crimes that led to federal prosecutions, right, of getting to beyond a reasonable doubt. As a defense expert, I've just got to pick enough holes to say, hey, you don't have it. Right? It leads to an ethical question there. You know, do I want people who traffic in this stuff to go free?
Well, the flip side of that question is, if you're going to shoot the shot to charge somebody with this kind of stuff, you've got to get the case. You've got to do the work to close all the loops. Because if you're being lazy, maybe lazy is unfair in this case, but not thorough, that opens the door to innocent people being charged with this kind of crime. And it is a life-altering crime to be charged with. And many people, you know, even if they're guilty, you know, plea out because they don't have the resources. They don't have the emotional energy. They don't have the time. You know, the state overcharges and offers a deal and says, listen, I'm going to put you away for 30 years, or you can plea out here and take five. You know, what do you want to do? Do you want to die in jail? You know, depending on your age, I guess, I'm facing 30 years in jail at my age, that could be an effective death sentence, or five years, where I can get out, you know. Yeah, maybe innocent, but the process, you know, that's the kind of weighing criminal defendants have to do. And it's not as simple as saying, you know what, I'm innocent, right? You know, because everybody's heard horror stories and knows that, you know, the state wants to get you, often they can, and if you don't have the money to fight, then you've got to take the lesser of two evils.

So, and sometimes the best way to make prosecutors and police more effective is to challenge them. The adversarial legal system works because it makes everybody involved better. Right? If you're just talking and nobody's actually questioning you or otherwise examining your findings, right, you get intellectually lazy. Not in a moral sense. It's just, you know, there's atrophy involved, right?
You know, it's always better to have somebody challenging you and challenging your analysis and your biases and all the things that go into that. And the more that I've done threat intelligence and intelligence work, the more that those kinds of dynamics are at the forefront of my mind.

Over 90% of cases settle out. Very, very few actually hit court. Of those, right, very few have a defense expert on some evidence, right? Like the FBI hair evidence, they're not effectively cross-examined. You need, you know, an expert to question an expert. You know, and I said the system works where there's near parity. It's better for all involved because it makes us all better, right? Having me questioning the work of police, or the FBI for that matter, is going to make them better over the longer term, right? So I said it's important that the system, you know, works as how we idealize it, not necessarily how it works today for a lot of people.

So here is actually one of my favorite pro bono cases, for a wide variety of reasons, and we're going to talk about this. I was a pro bono expert in a state-level CFAA civil prosecution. So, like the federal CFAA can be used in criminal and civil court, California has another version of that. The case is City of Fullerton versus Friends for Fullerton's Future. You can Google that to find materials, because now that that case is resolved, it was fairly public for this kind of case. The defendant was a journalist. He was a blogger who exposed municipal misconduct with an insecure Dropbox account. The city had an insecure Dropbox. We'll talk about that.

I was connected to the case via the Electronic Frontier Foundation. They have a co-op techs listserv where lawyers and others can ask, hey, you know, we need an expert, pro bono, sometimes paid, to help with something. It's a very low-volume list, but it's people who have nowhere else to turn, so they turn to EFF:
"Hey, I need a technical expert for something." So it's a good way to pick up things every now and then.
But the case is kind of the nexus of the free press, the First Amendment version of the free press, right, public records law, and using the CFAA as a hammer against a blogger, right? I'm sorry for the typo. So I'm sure that many of you here have some feelings about the Computer Fraud and Abuse Act, as do I.
So the basics of this case: blogger did a FOIA request for documents. Noticed the Dropbox had no access control. By no access control, I mean you move to the root of the folder and walk the entire tree. So for FOIA responses, that doesn't really matter, because we're really talking about public records. They're seeing other people's public records requests, or the responses to other people's public records requests. It's all public records. Governments are very stupidly finicky about this stuff, like, "Oh, if you request it, then I'll produce this to you, but if somebody else requests it, then we've got to go do all this work all over again." That's part of this stupid game many government agencies play to prevent the public from seeing their own government's business.
So like many cities, this is where we start to get into hilarious territory, right? You know, they produce documents. "Hey, this guy requested these documents. Here's all the documents." And the lawyers go through and say, "No, you've got to redact this. You can't produce this because this is this exemption of the law." They communicated all of the unredacted documents to their lawyers using the same Dropbox account that was unprotected. Yes, the communication would be privileged, right, had they used any mechanism to protect the information. I mean, literally anything, right? But they chose not to. At one point I brought up, it's like, you know what, this is actually a pretty serious violation of the California bar association's legal rules, right?
Because you need to protect privileged communication, and while your client may communicate stuff over an insecure channel, like making things publicly available to the entire planet Earth, you're the lawyer. You should be like, "Hey, no, you can't do that. We need to come up with a secure mechanism." For whatever reason, they did. So this stuff was all sitting on the internet, freely available.
So Ferguson, the guy involved, published many otherwise redacted or unreleased records on police misconduct and other matters. And as you can imagine, hilarity did not ensue. The city was quite pissed. There was a public records lawsuit that was about to be filed, so they retaliated, filing a Computer Fraud and Abuse Act case accusing him of hacking the Dropbox account.
Now, it wasn't just a lawsuit. They talked about this in city council meetings. They're quite public. They're quite public to the press: "This guy is hacking our Dropbox and stealing documents." Very inflammatory, defamatory language, if it would have gone that way. So they searched his computers, his workplace, and he's a blogger.
He wasn't paid as a journalist, which led him to losing his job, because, I mean, you know, if the police come in and start searching things because of stuff you're doing on your off time, employers will tend to frown upon that. And surely the city knew what they were doing when they did that.
The city also hired their own digital forensics expert, and I have that in air quotes, because he was the living embodiment of what never to do in a digital forensic examination, right? Literally, his expert witness testimony is going to be case studies in my courses. I'm going to mention this again, of what not to do and what not to say in court, right?
The city didn't want Ferguson to access the docs. They called it hacking and unauthorized access because they didn't explicitly authorize him to use that part of their publicly available website. I'm sure that all your brains are exploding right now at this kind of preposterous druid logic, a phrase that I tried to include in one of my declarations in court, but the lawyer advised me that was probably too inflammatory for an expert witness report, right? There was no access control. Everything's live on the internet on a web page, right? There is no unauthorized access because there's no technical control to stop it.
Nothing was gone around.
They also argued, because Ferguson at one point used a VPN, I forget exactly which one he did, that anyone using a VPN service, no matter the company, was him. Any VPN from that provider was him. For some reason, anybody who used Tor was him, and then anybody from outside the United States was him too. I mean, logical leap to logical leap to logical leap, right?
So you can imagine, I can be level-headed, but I'm also pretty sarcastic. I try to be level-headed in court. It was very hard to write my report based on how absurd some of these claims were. I don't know if it made it in or not, but I think, no, it went to the cutting room floor, is, you know, they make connections so tenuous, or a connection so illusory, they border on hallucination, right? They argued VPNs are hacking tools, that if you use NordVPN, you're a criminal. They argued in one of their declarations, I use this, and I, as my own expert, is that I use a VPN to access my campus environment when I'm a PhD student, to access the network as if I'm on the U of I campus. I said, well, clearly that was hacking, even though the VPN was provided to me by the university for that express purpose. This is the kind of arguments that they were making in court. Their expert. Let me emphasize this point: these were arguments made by their technical expert, right? Who has IT experience. We'll talk about him in a minute.
Here is the worst legal thing they did, the absolute worst. They produced Dropbox logs that they got from Dropbox. They put it in their filing and said, "Here's the proof." They enriched those logs without disclosing how or with what they enriched them, until I basically tried to reproduce getting Dropbox logs on a new account I set up and said, "They've added fields. Where did those fields come from?" The legal term to describe this is corrupting the integrity of the evidence. You can enrich data, right?
But as a defense expert, I need to know, and have enough information from your filings, to be able to reproduce your work. I shouldn't have to guess. So when you sign an affidavit that says these are true and complete with no modifications, and they're not, that's also perjury. So it got into very legally dangerous territory for the expert and their case quickly, because I was able to reproduce, and it's just like, well, let's see what access logs in Dropbox look like when I download them. It's like, that's not what they look like. What are they doing here? They're adding more information. And then they tried to play it off to the judge. It's like, "Well, yeah, we enriched. You enrich evidence all the time." It's like, yeah, you can do that, but you can't not disclose it until you're called out on it. That's not how this works at all.
So their examiner, right, runs a small MSP. Now, I want to emphasize there's a missing S from there. That's not a typo, right? He is not a security provider. He manages IT and telco and help desk, and nothing wrong with it. Been doing it for over 20 years, must not be terrible. You know, but he runs an MSP. You look at his LinkedIn profile, there ain't nothing about forensics in there. Wrote a bunch of books for John Wiley. There's some network security in there, but mostly IT-related topics. You know, but not everybody who does security can do forensics, right? There's lots of legal concepts unconnected to the technology that are very, very important, like, let me think about this, integrity of the evidence, right? Well, I said, no forensics training that I could find. It's just some guy who knew technology. We're really unclear as to how he got connected to the case as an expert, but he did. So we red-flagged his credentials too and just said, this guy is not a digital forensics expert, right? He may know technology, but that's not enough.
So, which brings me to a note about training.
It's like, I don't much care for the gatekeeping that can happen with certifications and security generally, but it does matter in forensics, right? And then DF really shouldn't be an entry-level career track, because understanding the technology is more important than being able to click the right buttons in EnCase or Cellebrite, right? The most important part about forensics is not the technology. That's the law, right? We're not legal experts, but there are very specific things we need to be legal experts on, right? Evidence handling, namely, right? Because that's what we do. That's the service we provide. Anybody can punch buttons in EnCase, right? But it's the acquisition and analysis of digital evidence in forensically sound manners, and there are legal ways to do that and less-than-legal ways to do that. And I said the tools do the work, but you need to understand the science behind it, and that's a problem for cops, is that they get Cellebrite, they get taught which buttons to push to do things, and it works okay most of the time, but they don't understand what's going on behind the scenes. And that's, I mean, that's not a criticism. It's like, cops need to know a lot of different things than cell forensics. You know, but if you're going to engage in a high-profile criminal prosecution, you know, it's not unfair to expect that, you know, the government needs to bring their A-game.
The case was dismissed. More specifically, the city paid the bloggers to dismiss their own case. I don't know if I've ever seen that, right? The bloggers, you know, were going to sue, just hadn't gotten to it yet. You know, the city is like, "We'd like to drop this matter, and we're going to give you some money, and we're going to give your lawyers some money." Now, they couldn't give me money. This is an important note that I probably should mention, right? As a digital forensics examiner, I can do anything pro bono I want.
I want What I can't do is contingency billing where I say give me 33 percent or some percent of the judgment because then my judgment And my analysis is tied to a specific outcome And that creates that that's kind of known to be a problem I said normally they just would throw out case Lots of questions about, uh, constitutional on the first amendment the EFF and the media groups You know got involved in the shoddy df work led to a very untenable position for the city to continue And I said I'm using this guy's expert witness reports in a class in classes of how not to do it You know, we have lots of case studies of doing it correctly I've only had theoretical cases, you know, examples of how to do it poorly now. I've got something concrete. So Thanks, you're you've improved my training So don't be lazy in your forensics reports Credibility is your most important asset, right? It takes a lifetime to earn and one trash report away from going away Um, you know, the only way to question the expert's work is with another expert Uh, and I said, you know, the the end day is like the city tried to railroad a blogger Uh, and he didn't have the resources to fight back. It took a lot of people who stepped up to to do it to help them out So my third third case is Um, if you remember charlotte'sville, there's a lot of related cases with dino bedal and tanya gersh with these neo nazi groups Uh that raised money in cryptocurrency for legal defense funds Uh, there's several different cases involved all torts. You did bad things. So you owe the victims money Uh specifically andrew anglin never showed up the court Uh, which is the first actual Testimony I've ever done an open court. That's because he never showed up Um, but he commented online and fundraised over the lawsuits so the court eventually said even though he was evading service He says well, clearly, you know about the case and you're just being a dick So we're gonna continue and if you don't want to show up, that's fine. 
We're just gonna have the trial in absentia. Because it was in absentia, though, they needed to go through motions I wouldn't have gone through otherwise. Like, you know, odds are, in a trial setting, I would have said, "This is how I figured out what he raised in bitcoin." They'd examine whether it makes any sense to hire an expert, and they probably never would have, because there's no one there to examine me. Actually, the judge questioned me at several points on how I did my work to come to this.
So they needed someone to talk about how to enumerate their bitcoin earnings. They also gave me financial records, so I was an expert for that piece of it. And it was based off of a Twitter bot I created several years ago to monitor neo-Nazi fundraising in bitcoin.
So, some interesting questions. How do you value bitcoin: at the time of transfer, or what it's valued at currently? Do you do the judgment in bitcoin or US dollars? These are all new questions of law, and everybody's kind of looking to me. It's like, how should we do it? Well, I did it at time of transfer, in USD. It was just how we did it. I don't know what the right answer is. It was just what I thought was best. I explained it and everybody accepted it. It's always, it's in bitcoin. It's easy to get those transactions. And it led to a lot of adversarial changes of behavior. They're much more careful. And nobody really buys them with their legal defense funds, because they're not actually hiring lawyers.
So Obeidallah got a four million judgment. But judgments are easy, right? It's collection that is the hard part, where you've got to do the work to go find and take the money. We're experimenting with ways to do that. The simple matters with bitcoin. But it's still very disruptive to their finances. The bitcoin is also new.
There's not a lot of case law there to work off of. You know, we're trying to create some new case law based on some technical expertise I provided, and we'll see where it goes. And just a random aside, I was able, you know, to take my oldest son to drive out to a federal court in Ohio and see what this looks like, right? So, you know, it's an opportunity of seeing the federal civil trial. You know, he's interested in law and politics, so we got to see that too.
The last matter is potpourri. There's lots of other matters that I'm working on: cyberstalking, sexual harassment cases, some other public defender cases, FOIA cases. I've got a couple of, I'm getting trial experience, or at least producing affidavits for courts. But there's lots of stuff out there for people who can't pay, and it just so happens I have time. But there's still more than I can do.
Which leads me to my call to action, right? The system is unbalanced against those who are not sufficiently resourced. But there's a huge amount of need, right? Cyberstalking alone, there's probably hundreds of thousands of cases right now of people who need help, right? They could just be locking down cell phones or trying to remove keyloggers or whatever, right? I said, if they can't pay, they don't get help, and there's no money to be paid with. But we have skills and experience that can make big differences to these people in a wide variety of matters, right? And I said, for some of these you don't necessarily need to be, you know, a fully trained DF person, right? If somebody's dealing with, you know, cyberstalking or an abusive relationship, right, there are resources for them. There's the Coalition Against Stalkerware and a couple of other resources. You know, there's lots of technical help that can be provided to people to help out. You know, I said if you're going to go in a courtroom, you probably want a credential. But to help people to make cases, even like cyberstalking or sexual harassment.
It's okay here. You often need to have all the evidence collected to give to the detective. You kind of need to do a lot of their work for them, because they have huge caseloads. Like, what gets to the top of their pile versus what doesn't, you know? If you give them 99 percent of a case and say, "You need to get this, this and this, and you'll have it," you know, you'll get a result much quicker for your clients or the person you're trying to help.
So I'm setting up a 501(c)(3) called Cyber Beast Mode, because it just happened to be a domain name a friend of mine had, to collect, refer and manage these cases to help the broader society. You know, we'll get the organizational pieces put together. That's fine. In the very early stages of it, I need people willing to contribute some of their time. It doesn't have to be a lot, right? You know, somebody could field a case here or there in a city, right? There's one victim I'm dealing with who lives quite far from me, where it'd be very easy if I were physically there to say, "Okay, let's do this, this and this." But you can't really talk people remotely through securing their digital lives. You could do some pieces for them. You know, some might not need to be formally handled, aren't going to go to, you know, the criminal or civil court. It's just helping people who are victims of crime to get their lives back.
So if you're able to contribute, if you want to help, if this sounds interesting to you, you can contact me. My contact information is going to be on the next slide. I'm on Discord, of course. You can find me in Las Vegas. I'll be here until Sunday.
You can contact your local public defender, the Electronic Frontier Foundation, the co-op text list, someone, anyone, and contribute, right? If the net result of this is that some of you contribute, you know, five hours a month to help make people's lives better, and in a pro bono way, you know, we're having real impact in people's digital lives and online safety, that would be a great outcome from this talk.
So with that, I will pause for questions. I said, I'm going to ask on Discord or set up time to, you know, grab a drink here while we're in Vegas. I'm on Twitter. I've got my email. I'm a fairly accessible person, and thank you for attending this talk. I hope you got some value out of it. I hope you decide to contribute and stay in touch.