
Writing Tips: Digital Forensics for Screen Writers and Novelists

    Categories: Writing

It can be a challenge to keep up with technology in our real lives, let alone inside the books we write.

In this article, cybersecurity expert Cynthia James offers tips to writers who want to make sure their handling of technology in legal circumstances is factual and authentic.

Want to be just a little more accurate with your plots that involve digital evidence?

Or do a better job writing about an investigator who is trained in technology?

Let’s look at the fun stuff first: two solid technology-oriented ploys which could work in real life. One can be used to change evidence AFTER it has been collected, and the other is a way for law enforcement to obtain data quasi-legally, without a warrant and without the company whose data it is ever knowing.

Oops, the evidence changed…

We all know every police station has at least one evidence room. Most Law and Order fans also realize that it’s legally necessary to document every twist and turn the evidence takes, and with whom, between collection and court – this is called the Chain of Custody.

The idea here is to ensure there is no opportunity for the evidence to be altered from the time it is seized to the time it is presented in court.

However, digital evidence can be altered more easily than physical evidence, because it can be changed while it’s still locked away. For example: if a seized system is simply sitting on a shelf somewhere, still has some battery power left, and there is a wireless network in the vicinity (where isn’t there?), an attacker who already controls the device has a way back in.

Why not frame someone by adding some salacious email or browser history to their PC about human trafficking or dealing drugs on the Dark Net?

It would also be a cinch to pre-program a device in advance to connect to the police station’s wifi without any human intervention, or to connect to a nearby wireless when it reaches the evidence room.

Once it’s connected to the internet, the device easily reaches back to whoever infected it in the first place and then follows the instructions received. This could include possible self-immolation, in case the hackers want to destroy other evidence in the same facility…or maybe the whole gambit is set up just to hack the police station network.

In any case, these are just some of the reasons a detective is supposed to remove the battery from any computer or phone which is seized. The pattern is familiar from ordinary hacked citizens: the infected laptop or PC wakes itself up at night, connects to the wifi, behaves badly, erases its tracks and goes back to sleep.

So the attorney’s question should be, “Was the battery removed from the laptop before it was put into police evidence?” If we are to believe most movies we see, the answer would be, “Nah, that never occurred to us”.

And in fact, too few police investigators are trained in handling digital evidence, so this step is usually overlooked.
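As an added illustration, not from the article, here is how a forensics lab catches the “evidence changed” scenario above: a cryptographic hash of the device image is recorded at seizure and re-checked at every hand-off in the chain of custody, so a later alteration shows up as a mismatch. The names, timestamps and image contents are constructed.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: a tiny stand-in for a seized device's disk image.
SEIZED_IMAGE = b"constructed-disk-image: browser history, mail spool, nothing unusual"


def sha256_hex(data: bytes) -> str:
    """SHA-256 fingerprint of the evidence image, as a hex string."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    custodian: str    # who handled the evidence at this step
    action: str       # e.g. "seized", "logged in", "checked out for analysis"
    timestamp: str    # constructed ISO-8601 timestamps
    image_hash: str   # hash of the image as it exists at this hand-off


def record_handoff(log, custodian, action, timestamp, image: bytes):
    """Append a hand-off entry, hashing the image as it exists right now."""
    log.append(CustodyEntry(custodian, action, timestamp, sha256_hex(image)))
    return log


def verify_chain(log):
    """Return (ok, first_bad_index). ok is False at the first entry whose hash
    differs from the acquisition hash: the image changed while in custody."""
    if not log:
        return False, -1
    baseline = log[0].image_hash
    for i, entry in enumerate(log[1:], start=1):
        if entry.image_hash != baseline:
            return False, i
    return True, -1


def demo():
    """Two hand-offs with the image intact, then one after a planted file."""
    log = []
    record_handoff(log, "Det. A", "seized", "2024-01-05T10:00", SEIZED_IMAGE)
    record_handoff(log, "Evidence clerk", "logged in", "2024-01-05T12:30", SEIZED_IMAGE)
    intact = verify_chain(log)
    # Constructed: the device woke up on the evidence-room wifi and planted a file.
    tampered = SEIZED_IMAGE + b"\nplanted: darknet-market-orders.txt"
    record_handoff(log, "Lab tech", "checked out for analysis", "2024-02-01T09:15", tampered)
    return intact, verify_chain(log)
```

In a real lab the acquisition hash is written into the custody paperwork and the image is kept read-only; the re-check at each hand-off is what turns “the device was on a shelf with wifi nearby” into a detectable event rather than a silent one.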

Dang it, did you lose your data?

The biggest privacy problem with storing anything in the cloud (besides the fact that companies constantly mess up their security settings so it gets hacked) is that your data resides on a server alongside that of other tenants.

If one of those tenants commits a crime (think white collar, like SEC infringement), the entire server can be seized without notice, and your data goes along with it. This could be a cool way for investigators to discover evidence about a company that appears squeaky clean – it falls into their hands because the co-tenant broke the law.

Now the FBI or SEC isn’t supposed to share such evidence with local law enforcement, but that still happens via the loop-holes provided by the totally unconstitutional Patriot Act.

One challenge is that whoever is keeping your data in the cloud for you can be put under a gag order by the FBI where they are prohibited from admitting your data was seized.

A partial solution to this problem, which we have used in high tech for many years, is to add a contractual clause like a Warrant Canary. It works like this: you ask once a month whether your data has been seized. A gag order can forbid the provider from saying “yes”, but it cannot force them to keep saying “no”, so if one month they don’t deny it, that’s effectively a “yes”.

Now onto the four basic rules

These should be applied by police detectives to all seized digital devices (soon we will need to include all other smart IoT home devices on the list too):

  1. If it is off, don’t turn it on (check for lights, heat, vibration). If it’s confirmed to be off, take out the battery and bag it separately.
  2. When removing evidence from a crime scene, be sure not to disturb fingerprints and other biological evidence (hair follicles, skin) before hacking in.
  3. If it is on, don’t touch it unless you are fully trained in digital forensics.
  4. Collect all other media you can find at the scene which can be used to store data (including USB drives, SIM cards, game consoles such as PlayStations, and DVDs).

Complications of gaining access: Location

As we would expect, the forensics process also includes trying to obtain or guess passwords to all devices. The devices are then brought to a digital forensics lab to be accessed. However, multi-factor authentication now often includes location as a factor, so it may actually be easier to get into a device from the perpetrator’s home than from the lab. Interesting, eh?

Going back to the crime scene just to authenticate the user? There’s also a timing problem: if the perp has already logged in from a new location, the old location may be rejected.

Anyway, good luck fiction writers – accurate tech depictions are going to get harder over time before they get easier! If you have any questions about what is technically possible or plausible, please ask in the comments and I’ll do my best to answer.

Do you write contemporary fiction or mysteries that involve technology? How do you keep up with the tech changes your characters would encounter? Please leave your thoughts below and join the conversation.

Cynthia James has spent over 25 years in the field of high tech with the last decade spent in cybersecurity. While working for the Russian cyber intelligence firm Kaspersky Lab, she obtained the top credential in her field, the CISSP (Certified Information Systems Security Professional) and in 2016 completed a Master of Cybersecurity Strategy and Information Management from George Washington University.

She is currently founder and principal consultant of Cyberus Security, a firm that focuses on protecting small and medium-sized businesses from cyber threats through on-site training and auditing. She lives in Silicon Valley and has written two non-fiction books, including Stop Cybercrime from Ruining Your Life! Sixty Secrets to Keep You Safe.

Joanna Penn:


  • Great post! Based on this, I picked up your book "Stop Cyber Crime from Ruining Your Life!" ... This information will help with writing more believable and exciting plots ... while also protecting my own devices.

  • Very helpful - we creatives aren't always tuned into the tech details. This could also confuse the timeline of a hacking crime in a corporation if the laptop responsible was auto-hacking while the hacker was establishing an alibi...

  • Interesting information. Thanks.

    The one flaw in this, however, is that it's not actually possible to easily remove the battery from most contemporary phones and tablets, as the battery is glued in and sometimes a special screwdriver is required even to open the case. The same applies to far too many laptops, including all recent vintage Apple laptops.

    All of the above is a bone of contention among users, but the manufacturers don't really care. It saves them money and just enhances the planned obsolescence factor.
