Digital Supersleuths
Kate Livingston’s hands are clammy. Her heart beats quickly. Time seems to stand still. She is serving as a digital forensics expert in a high-profile corporate espionage case. A cybercriminal has stolen sensitive information from a government organization.
Sitting on the stand in Department 083 at the Los Angeles Airport Courtroom, Livingston is explaining her process for collecting and analyzing the evidence, including the hash values she calculated for a crucial disk image file of the suspect’s computer. For the past three months she has thought of very little else. Now, she’s in the hot seat.
“Can you please repeat the question again?” she asks.
The prosecutor sighs. “How can we trust the entirety of your report when you were only able to provide one piece of evidence of the accuracy of your image acquisition?”
The “evidence” is a hash value: a fixed-length string of letters and numbers computed from the data, which lets analysts confirm that a disk image has not changed during or after acquisition and analysis. In rare cases two different inputs can produce the same hash, a collision, rather like two different people sharing one locker combination. For that reason examiners record hashes from two different algorithms; if one algorithm is ever called into question, the second still verifies the image.
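The check described above, as an added example written for this article rather than code from the program or from any case file: two digests are computed in a single pass over an acquired image, then recomputed and compared at verification time. The image bytes, the "recorded" values and the acceptance policy (no mismatch, at least one intact digest) are constructed assumptions; the truncated-hash case mirrors the report defect in the story.

```python
"""Added example: recording and verifying acquisition hashes with two algorithms.

Illustrative code, not course material or any examiner's real tooling.
IMAGE is a constructed stand-in for a raw disk image.
"""
import hashlib

# Constructed sample "disk image": a zeroed sector, a marker, and byte patterns.
IMAGE = b"\x00" * 512 + b"sample-sector-marker" + bytes(range(256)) * 4

# Hex-digest lengths for the two algorithms used here.
DIGEST_LEN = {"md5": 32, "sha256": 64}


def acquisition_hashes(data: bytes, chunk: int = 4096) -> dict:
    """Compute MD5 and SHA-256 in one pass, as recorded at acquisition time.

    Two independent algorithms are kept so that doubt about one (MD5 has
    known collision attacks) does not leave the acquisition unverifiable.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for i in range(0, len(data), chunk):
        block = data[i:i + chunk]
        md5.update(block)
        sha256.update(block)
    return {"md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def verify_image(data: bytes, recorded: dict) -> dict:
    """Recompute each recorded digest and report a per-algorithm status.

    'ok'        recorded value matches the recomputed digest
    'mismatch'  full-length value that does not match (image altered)
    'truncated' recorded value is not a full digest (e.g. cut off in a report)
    """
    status = {}
    for alg, rec in recorded.items():
        actual = hashlib.new(alg, data).hexdigest()
        if len(rec) != DIGEST_LEN[alg]:
            status[alg] = "truncated"
        elif rec.lower() == actual:
            status[alg] = "ok"
        else:
            status[alg] = "mismatch"
    return status


def acquisition_verified(status: dict) -> bool:
    """Assumed acceptance policy: any mismatch fails; otherwise at least one
    complete digest must verify. A truncated value is a documentation defect,
    not evidence of tampering, so it alone does not reject the image."""
    values = status.values()
    return "mismatch" not in values and "ok" in values


if __name__ == "__main__":
    recorded = acquisition_hashes(IMAGE)
    print(verify_image(IMAGE, recorded), acquisition_verified(verify_image(IMAGE, recorded)))
```

The streaming loop matters in practice: real images are tens or hundreds of gigabytes, so both digests are updated from each block rather than reading the file twice.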
Panic sets in. When Livingston wrote her report, the window on the computer screen cut off the end of one of the hashes. The attorney has seized on this oversight to undermine the credibility of her evidence.
Finally, she’s got it.
“Hash collisions are extremely rare. In this case, the probability of a hash collision occurring is 1 in 340 undecillion,” she says. “Your Honor, I don’t believe the missing hash value would have made a significant difference in the case.”
The evidence is still admissible. The prosecution rests. She breathes a sigh of relief and exits the stand. She did it — she made it through her first expert testimony. She learned a valuable lesson that day: Always double check your evidence. But learning, after all, is what this experience has all been about.
That was in 2017, and Livingston was an undergraduate computer science student pursuing a digital forensics minor in USC Viterbi’s Information Technology Program. It was a moot court exercise, but the courtroom, the judge and the attorneys were real.
“I’ll never forget that moment,” said Livingston, ’19, now a digital forensic analyst at Microsoft.
The moot court exercise is the culmination of a year’s work in the program, which teaches students how to perform computer forensics investigations, practice writing forensics reports that can be up to 100 pages long, and prepare for trial.
During the trial, students wait in the hallway as the defense summons them one by one to the witness stand. Once in the courtroom, each student spends around 10 minutes answering questions about the simulated case.
Student cyber sleuths have previously tackled a re-creation of the infamous Richard Reid “Shoe Bomber” case, as well as cash fraud, money laundering and ransomware attacks. Their mission: Solve the crime by investigating the suspect’s computer and gathering all the evidence necessary to testify as expert witnesses.
“We tell students this is as real as it gets without anyone losing money or going to jail,” said Joseph Greenfield, an associate professor of information technology practice.
A practicing digital forensic examiner with more than 15 years of experience in the field, Greenfield created the minor in 2012. Since then, more than 200 students have participated in the moot court exercise, said Greenfield. Graduates have gone on to roles with the FBI and U.S. Secret Service, as well as Apple and major consulting and investigative firms.
“Students have told me universally that it’s one of the hardest classes, and one of the most rewarding,” said Greenfield. “It’s certainly one of the most nerve-wracking events they’ve ever experienced in their academic lives. And that’s the point: If we weren’t making it as real as we can, why are we doing it? The attorneys aren’t pulling any punches.”
Wendy Wu, a former assistant United States attorney and cybercrime prosecutor who now leads cybersecurity and digital investigations for Wallbrook, a risk advisory firm, took part in the moot court exercise in 2020 and 2021.
“All of the students I’ve had the pleasure of questioning have performed so well under pressure,” said Wu. “It’s one thing to be intelligent and to have the technical skills to be a good forensic examiner, but testifying as an expert is a whole different exercise. For the students to get that experience while they’re still in a safe and supportive environment, it’s invaluable.”
“The bad actors are always ahead”
Hackers have disrupted health care services, attacked fuel pipelines, halted the operations of multibillion-dollar companies and shut down school systems. In the first half of 2022 alone, an estimated 53 million Americans were hit by cybercrimes, with the number of breaches jumping by 38% last year. And the trend shows no sign of slowing. By 2025, cybercrime will cost the world $10.5 trillion, according to Cybersecurity Ventures.
While major government and business hacks steal the headlines, cybercriminals often set their sights on more vulnerable members of society. In 2021, a tech support fraud targeted almost 14,000 people, including many elderly victims, conning them out of nearly $240 million. Cybercrime targeting children also increased during the pandemic: The number of reports made by TikTok to the National Center for Missing and Exploited Children has increased by 258% since 2019.
The nature of cybercrime is constantly changing, and attacks are becoming more sophisticated and targeted, making it difficult for organizations and individuals to protect themselves. What’s more, the rise of “smart” devices — as billions of people hook up home security systems, watches, cars and appliances to the internet — is providing cybercriminals new entry points.
It’s no surprise then that cybersecurity ranks among the fastest-growing career areas, according to the U.S. Bureau of Labor Statistics. The cybersecurity workforce has reached an all-time high, with an estimated 4.7 million professionals, but there is still a global shortage of 3.4 million workers in the field, according to the 2022 (ISC)2 Cybersecurity Workforce Study.
“The bad actors are always ahead,” said Wu. “They’re always ahead of the FBI, they’re always ahead of the attorney’s office. But there’s a lot that still can be done to educate companies and individuals and to help them protect themselves.”
Sleuthing out clues
Enter the digital forensic investigators, who play a crucial role extracting digital evidence of cybercrime from computer systems, smartphones and tablets to bring hackers and thieves to justice. You could think of them as detectives who help solve digital crimes. But instead of relying on witness statements or physical evidence like fingerprints or blood samples, they work with electronic data to solve the case.
A variety of tools are used from database forensics and email analysis to file and internet analysis. The students in Greenfield’s class have to figure out the best and fastest tools for the case in question. But finding the right tool is only the beginning.
“I tell them the tool doesn’t matter,” said Greenfield. “It’s the investigative techniques and the report, because anyone can use any tool. The question is, how is the house built? It doesn’t matter if you’re using a screwdriver or a hammer as long as that beam is standing properly.”
Cybercriminals are virtuosos at covering their tracks, but they still can leave a fingerprint or two at the crime scene. Sometimes analysts have to think outside the box to discover where the print might have been left.
Five weeks before the moot court exercise, the students in Greenfield’s class are given access to the relevant systems and devices. Then they get to work. Clues are often found in the most unlikely places, as Livingston discovered when she sat down at the computer to scour its contents for evidence in the case.
She was looking through the suspect’s photos when she stumbled upon a seemingly ordinary photo of a cat. A cute calico cat, sitting on a ledge looking out the window. She had a feeling there might be more to the photo than met the eye, so she ran it through some steganalysis tools.
Steganography is the practice of concealing a secret message or file inside digital media such as image, audio and video files, so that the communication itself goes unnoticed. To detect it, digital forensic analysts use steganalysis tools that look for statistical anomalies or patterns a carrier file would not normally show.
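To make the concealment and the detection concrete, here is an added example (not the page's or the course's code) of the simplest image technique, least-significant-bit embedding, together with a crude steganalysis check. The cover is a constructed array of grayscale pixel values, the hidden payload is a constructed message, and the detector is only an LSB-ratio heuristic that flags a region whose bit distribution no longer matches the rest of the cover; real steganalysis tools use stronger statistics, but the idea is the same.

```python
"""Added example: LSB steganography and a simple LSB-ratio steganalysis check.

Illustrative code written for this article. COVER stands in for a grayscale
image (one byte per pixel); MESSAGE is a constructed payload.
"""

# Constructed cover: a deliberately biased cover in which 80% of pixel
# values are even, so its least-significant bits are far from uniform.
COVER = bytes(
    ((i * 3) % 200) | 1 if i % 5 == 0 else ((i * 3) % 200) & 0xFE
    for i in range(4096)
)
MESSAGE = b"hidden plans"  # constructed payload


def embed(cover: bytes, message: bytes) -> bytes:
    """Write a 4-byte big-endian length, then the message, one bit per pixel LSB."""
    payload = len(message).to_bytes(4, "big") + message
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for payload")
    out = bytearray(cover)
    for idx, bit in enumerate(bits):
        out[idx] = (out[idx] & 0xFE) | bit  # replace only the lowest bit
    return bytes(out)


def _read_bytes(stego: bytes, start_bit: int, nbytes: int) -> bytes:
    """Reassemble nbytes from the LSBs of stego starting at pixel start_bit."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (stego[start_bit + b * 8 + i] & 1)
        out.append(value)
    return bytes(out)


def extract(stego: bytes):
    """Decode the length prefix and message; return None if the length is
    implausible for this carrier (what a clean cover typically yields)."""
    length = int.from_bytes(_read_bytes(stego, 0, 4), "big")
    if 32 + length * 8 > len(stego):
        return None
    return _read_bytes(stego, 32, length)


def lsb_ratio(data: bytes, start: int = 0, end: int = None) -> float:
    """Fraction of pixels in data[start:end] whose least-significant bit is 1.

    Embedded data pushes this toward the payload's own bit balance, so a
    region whose ratio departs from the rest of the image is suspicious.
    """
    segment = data[start:end]
    return sum(b & 1 for b in segment) / len(segment)


def suspicious_region(data: bytes, window: int, threshold: float = 0.1) -> bool:
    """Heuristic check: does the first window of pixels differ in LSB ratio
    from the remainder by more than threshold?"""
    return abs(lsb_ratio(data, 0, window) - lsb_ratio(data, window)) > threshold


if __name__ == "__main__":
    stego = embed(COVER, MESSAGE)
    print(extract(stego), lsb_ratio(COVER, 0, 128), lsb_ratio(stego, 0, 128))
```

The detector only works because the payload region's bit statistics differ from the cover's; the hidden file itself is invisible to the eye, which is why the narrative's first tool found nothing and why timeline evidence, not the picture, prompted a second look.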
The first tool she ran didn’t detect anything unusual. But the niggle was still there.
“Timeline correlation is one of my favorite phases in forensics,” said Livingston. “Right before those photos had been created, a particular software was downloaded to conceal the photos. This happened immediately after a remote connection was established between the user’s personal system and the system where the intellectual property had been stolen from.”
There had to be some connection between the feline and the felony, she thought. There was too much evidence to think otherwise.
She then tried a steganographic decoder tool. Bingo. It generated an image that had been hidden in the photo: a set of engineering plans leaked by the suspect. It was a huge break in the case. She documented the evidence and included it in her report.
As in any detective story, there were also decoys — “red herrings” — planted by the course developer to throw the students off the scent.
“There was an out-of-scope item — a Snapchat video that seemed relevant and had been synched to the device that we were analyzing,” said Livingston. “But it was outside the scope of the investigation by about a week, so we had to be careful about not including that in the details of the report.”
Livingston “lived and breathed” the case, she said.
“I would find myself thinking, Wait, I haven’t gone down that rabbit hole yet. I spent hours in libraries with my teammates trying to make sure we weren’t missing something,” she added. “We learned that while you may have a theory of what happened in that time frame, you can’t go seeking evidence to prove your theory. Facts are facts. You always have to ask yourself is this a narrative changing event. If not, move on.”
There are no lanes
The digital forensics minor is open to all majors and attracts students from a wide range of fields. Joel Garrison ’13 was a political science major with a focus on criminal justice and civil rights. He had planned to go into law enforcement but, in his senior year, heard about the digital forensics minor and contacted Greenfield to ask if it was feasible to complete the program before he graduated.
“He was like, You want to become an engineer in your last year of school?” said Garrison. But Greenfield was supportive. “And it was one of the best decisions I ever made,” said Garrison.
It’s been almost a decade, but the memories of the moot court exercise come flooding back, he said.
“Man, I was the most nervous I’ve ever been,” said Garrison. “It was in the Beverly Hills courthouse. I had to wear a suit. Joe gave us a lot of coaching and classes. He’d say, ‘They’re going to grill you, it’s going to be hard, but ultimately, you are ready for this.’”
And he was. Garrison is now a manager in Ernst & Young’s cybersecurity consulting practice, focusing on incident readiness and threat intelligence. His future employer was sitting in the audience when he presented at the mock trial, and he received a job offer soon afterwards.
He has since attended several mock trials to provide feedback and recruit talented students for his own team.
“Coming from political science, going to computer science was a big change for me,” said Garrison. “I think going through it, and not only surviving but thriving, it just kind of taught me that there are no lanes. And I’ve taken that perspective with me all through my career.”