Benjamin Wright, a technology lawyer in the US, set out to devise a new and better way to record the work of a cyber-investigator, such as a police detective tracking activity on the Web.
Ben needed a tool that would capture a split-screen video record, showing both activity in a Web browser and simultaneous activity captured by a webcam. Furthermore, he needed the tool to create a final movie file that could easily be saved to a hard drive and transmitted as an email attachment.
BB FlashBack screen recorder presents a perfect way to make a permanent screencast record of a cyber investigation - showing what appears in a Web browser as the investigator clicks and types.
However, the software required for a cyber-investigation has to do more than just reliably capture a screencast. The software needs to capture a simultaneous webcam video of the user, which BB FlashBack does perfectly.
To authenticate the screen recording as the verifiable, legally-signed work and testimony of the investigator, Ben uses a split-screen to show a webcam image of himself (acting as investigator) observing and talking in real-time as the screencast is captured. The split-screen makes for compelling, easy-to-understand evidence and virtually constitutes a legal affidavit by the investigator.
The movie shows the investigator reading prepared remarks (i.e. his testimony as a witness) on camera, as he looks at written notes off-camera and confirms the time of the recording.
In making a forensics investigation report, he incorporates words such as ‘confidential’, ‘attorney-client communication’ and ‘attorney work-product’ directly into the spoken words of the movie. This makes the movie a verifiable, authenticated, legally-signed digital record without having to rely on “digital signature” technology.
Under conventional practice, when an investigator captures a record as a file, the investigator applies his or her "digital signature" to authenticate the file as secured evidence. But this can prove problematic because a digital signature relies on a complex infrastructure (commonly a ‘public key infrastructure’ or PKI), and involves the investigator holding, using and protecting a private key.
Verification of a digital signature after it is created depends on proof that the investigator possessed the private key, had relevant training for its use, and possessed the considerable resources needed to protect the private key. Often in practice, such proof can be difficult to acquire.
Using screen recorder software means the demonstration movie can employ a ‘webcam signature’ as an acceptable alternative to a digital signature.
A webcam signature captures real-time testimony by a signatory and links it to the evidence (i.e. activities in the Web browser, vocal observations by the investigator, facial expressions by the investigator and so on).
Ben’s movie of a cyber investigator using BB FlashBack can be seen on YouTube: http://www.youtube.com/watch?v=UgH6hzwAg5Y
Real-Time Evidence for Cloud Investigations
Benjamin Wright is a practicing member of the Texas Bar Association. He teaches the Legal 523 course (Law of Data Security and Investigations) at the SANS Institute.