A news release from CRU regarding the availability of the Logical Imaging feature, endorsed by Blazer Catzen.
For the full release, click here.
IT Forensic Specialist
A news release from CRU regarding the availability of the Logical Imaging feature, endorsed by Blazer Catzen.
For the full release, click here.
Computer Sleuth
November 18, 2014 – כה חשון תשעה
By Melissa Gerr
Digital Forensic specialist Blazer Catzen retrieves data and does analysis work for attorneys, corporations, private individuals and government agencies.
Pikesville native Blazer Catzen is a self-proclaimed Sudoku junkie (the super, hard and genius levels) and crunches through a couple of the numerical puzzles daily. It’s just a warm-up to trickier brainteasers he’ll tackle that might be rooted in allegations of infidelity, manipulation of documents or intellectual property theft – all in a day’s work as a digital forensic specialist.
“The first step is preservation of [digital] evidence,” said Catzen, whose firm retrieves data and does analysis work for attorneys, corporations, private individuals and government agencies. “Then you look at what’s there, and more specifically, what’s not there.”
First contact for a digital forensic case is typically from an attorney, chief technology officer or chief financial officer, he said, when someone believes there is digital evidence that needs to be analyzed or preserved. The investigations range from family law or intellectual property to fraud and might include delivery of a computer, hard drive or cell phone.
Catzen’s repeated caveat to any user of any electronic communications is, “Remember, nothing is ever deleted, only overwritten.”
That credo played a large part in a recent case involving alleged deed fraud, for which Catzen was hired to digitally investigate and testify by local attorney and Baltimore native Kenneth B. Frank.
Multiple property deeds were allegedly all signed on a particular day, but Frank, who has practiced law for more than 40 years and has also developed software, said, “I knew because of my suspicious nature and all the other facts that that didn’t happen. But we had no real proof. And we always believed we’d have the proof once we got a hold of the disk drive and we could see the history of the documents.”
The first external disk drive produced to Frank and Catzen as evidence wasn’t a copy of the entire drive and didn’t even include the deed documents, so they asked for the original. Upon forensic examination, Catzen deemed the second drive produced wasn’t an original either, because it didn’t contain system files or metadata that would typically be present.
In a later deposition, a witness revealed she destroyed the original drive. Frank enlisted Catzen to help determine “what have we lost “¦ and what are all the things that could have been on that drive “¦ and what could they have told us?”
They examined the actual computer and discovered the deeds weren’t there. They could also see that the computer hadn’t begun to be used until after the documents were copied onto the external drive so that twist prompted them to look at other computers in the office, including an allegedly inoperable one.
“We were told it was broken,” said Frank. But they quickly discovered the operating system had been reinstalled around the same time all the deed files were copied to the external drive, and the computer hadn’t been used since.
“Step by step, we put together a history, and we were going backward instead of forward,” said Frank. “And there are a lot of footprints and fingerprints on that digital media, and that’s what [Catzen] discovered and resurrected.”
“Never deleted, only overwritten,” Catzen repeated. “So a lot of those files were still there.”
Catzen, though, uses much more than the naked eye to decode the truth behind very long strings of hexadecimal code teased out of a computer. Like any good sleuth, he employs all the available tools, and with expert discretion.
“I think part of my success as an analyst is I go outside the box,” said Catzen. “First, I use multiple tools on everything I do. Most analysts pick a [single] tool and stick with it.”
The typical thinking, he explained, is that when two deciphering tools are used it could raise doubt on efficacy if the results aren’t identical. But different software tools have different strengths, he said, so he uses two or three and sometimes other single-purpose tools that zero in on one specific artifact and parse it out.
He may need to decrypt information or follow a trail of date stamps to determine when something was created, deleted or overwritten or when a thumb drive was inserted or what files were opened and which websites were visited and how often, and he can even isolate a single word on an entire drive and see it in context. The tools are powerful, but understanding how to deftly use them and interpret results can only come with experience.
His current companies, Catzen Computer Consulting and Catzen Forensic, founded in 2008, are built upon decades spent solving complex problems and learning computers from the inside out, as he put it. He dipped his toes in computer waters back when it was just a kiddie pool.
“I remember one of the deans at [the] University of Virginia was talking about how computers were the new thing,” said Catzen. “Everybody was going to have a computer on their desk, [and] we’re all sitting there looking at each other, going, yeah, OK, it’s the ’70s – what’s he been smoking? But he was spot on.”
At Virginia, Catzen learned computer-programming basics and the Fortran programming language, and he chose to study engineering because, as a dyslexic, he saw the topic as “a great field leveler.”
When he plowed through the necessary tomes of engineering books, he said, “every other paragraph was an equation.” Catzen could simply look at an equation, and it would immediately click for him visually, but his classmates typically struggled longer to understand it.
“That education did two things,” said Catzen. “It gave me a framework around which to solve problems – a methodology and approach – and it gave me the confidence to be able to learn anything.
“If you can pick up a thermodynamics book and learn thermodynamics,” he added, “you can pretty much go anywhere with that.”
After college, Catzen worked as a construction geotechnology engineer and became more adept and fascinated with computers and the potential power of those early machines.
He applied for a job at the construction management and development firm Dalsemer, Catzen and Associates, the initial interview unbeknownst to owner and father Bob Catzen. He laughed at the memory and added, “Needless to say, I got the job.”
DCA was his first deep dive into computing in the mid-’80s, when the company used computers for financial modeling and AutoCAD space design. Then, in 1986, Catzen purchased his first IBM 286 personal computer.
“I had written my own memory management program by 1988, and I was into various operating systems “¦ and by 1989 I was getting very good at it,” he said.
In 1991, Catzen became vice president at CAPE Development Corporation, a company started by his father and longtime family friend Richard Pearlstone, where he designed applications that allowed companies to manage large amounts of data. Catzen was wearing a lot of different hats, “but I loved the computer stuff,” he said, seriously pushing the edges of what IBM and Lotus programs could perform. His inquiries often stumped the help desks.
“I don’t like getting beat by technology,” he said. “I really don’t. I take it personally.”
Lotus enlisted him to test software, and IBM shipped him its enormous set of internal training manuals, and Catzen was happy to receive free licenses and support. But his friend and partner Pearlstone gave him a reality check and the push he needed.
“You’re solving these guys’ problems and not getting paid,” Catzen remembered Pearlstone telling him. “You’re a shmuck.”
In 2004, CAPE received its first request for digital forensic assistance, and though the case settled out of court, Catzen was smitten with the challenge of more complex digital puzzles. His engineer-honed problem-solving approach coupled with his love for cracking a conundrum
resulted in his feet-first jump into forensics.
Since then Catzen has unearthed many digital “smoking guns” in cases that can take from five to hundreds of hours to solve. Currently, he’s seeing a lot of spousal infidelity cases that, he said, are often exhibited through instant messages, texting – one case registered 7,000 messages between parties in a month – and even photographs.
“I could identify [some of the] individuals without ever seeing them above the shoulders,” he said.
He’s consulted the military, presented at the Techno Security Conference and lectured internationally on the specialty of file system tunneling (complex date manipulation of documents). The deed fraud case with Frank was the first time he’d witnessed it “in the wild.”
“His testimony was very powerful because it demonstrated that the deeds “¦ could not have been created when the other side said they were,” said Frank. “Blazer played a big role in presenting that evidence, because technology was the only way to do it.”
Story and photo by Melissa Gerr
[email protected]
© 2024 Catzen Forensic