<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Proactive Discovery</title>
	<atom:link href="http://www.proactivediscovery.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.proactivediscovery.com</link>
	<description></description>
	<lastBuildDate>Sun, 14 Feb 2010 03:45:45 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Parse iPhone sms.db data file</title>
		<link>http://www.proactivediscovery.com/2010/02/parse-iphone-sms-db-data-file/</link>
		<comments>http://www.proactivediscovery.com/2010/02/parse-iphone-sms-db-data-file/#comments</comments>
		<pubDate>Sun, 14 Feb 2010 02:55:46 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Code/Dev]]></category>
		<category><![CDATA[EnCase]]></category>
		<category><![CDATA[EnScript]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=100</guid>
		<description><![CDATA[A fellow examiner at the Lakewood PD had to examine an iPhone and was researching the sms.db format.  Under normal circumstances, the sms.db is a SQLite database; however, for currently unknown reasons, loading the sms.db database file into SQLite provided only the most recent SMS record.  We were quick to load [...]]]></description>
			<content:encoded><![CDATA[<p>A fellow examiner at the Lakewood PD had to examine an iPhone and was researching the sms.db format.  Under normal circumstances, the sms.db is a SQLite database; however, for currently unknown reasons, loading the sms.db database file into SQLite provided only the most recent SMS record.  We were quick to load the database file into a HEX editor and identified that additional SMS records were in fact still present within the file.  This discovery led to my involvement in writing an EnScript to parse the SMS record section within the sms.db database file.</p>
<p>Well, if you need to parse out SMS records from an iPhone sms.db file, you might find the following EnScript useful.</p>
<p>Usage:</p>
<ol>
<li>Copy the EnPack you downloaded into your &lt;EnCase-Install&gt;/EnScript directory. You may want to create a sub-folder called &#8220;Custom&#8221;, so 3rd party scripts are clearly separated.</li>
<li>Load the exported sms.db file into EnCase as a single file.</li>
<li>Blue-check the sms.db file.</li>
<li>Double-click the script &#8220;CellPhoneMessages&#8221;.</li>
<li>The console view will provide status information.</li>
</ol>
<p><span style="font-style: italic; font-weight: bold;">NOTE: No guarantee is made that this EnScript is error free. Please use at your own risk and validate your findings.</span></p>
<p>Please report any bugs or suggestions to <a title="EnScript Support" href="http://www.proactivediscovery.com/contact-us/enscript-support/" target="_self">EnScript Support</a></p>
<p>The EnScript can be downloaded here: <a href="http://www.proactivediscovery.com/wp-content/plugins/download-monitor/download.php?id=5" title="Downloaded 17 times">iPhone_SMS_DB (38 KB, 17 downloads), version: v1.0.63</a> (Requires EnCase 6.14.3)</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.63: February 13, 2010</strong></span></p>
<p>(+) improved SMS record recognition</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.59: December 07, 2009</strong></span></p>
<p>After receiving another sms.db file from a fellow examiner in Italy, I had the opportunity to update the script with the following:</p>
<p>(+) account for international country code prefixes<br />
(+) improve record identification for parsing<br />
(+) &#8220;fuzzy&#8221; record parsing if a reference, such as a name, is used instead of a phone number.  It is fuzzy, because I am trying to identify a date based on other records, since the record structure does not have a fixed offset for the date.  This makes parsing &#8220;non-phone#&#8221; records more difficult.  Although it has a high success rate, I hope to improve this feature in the near future.  Records that are &#8220;unparsable&#8221; are still stored in the log file created.</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.58: November 15, 2009</strong></span></p>
<p>Note: This script should be considered a BETA release, as it was developed based on only one sms.db file. Other sms.db files may contain more complex sms record structures. If you are able to share other sms.db files for research, please <a title="EnScript Support" href="http://www.proactivediscovery.com/contact-us/enscript-support/" target="_self">contact us</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2010/02/parse-iphone-sms-db-data-file/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Computer Forensic Certification</title>
		<link>http://www.proactivediscovery.com/2009/09/computer-forensic-certification/</link>
		<comments>http://www.proactivediscovery.com/2009/09/computer-forensic-certification/#comments</comments>
		<pubDate>Mon, 21 Sep 2009 16:45:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Cannon, Richard]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=24</guid>
		<description><![CDATA[Why do I need to be certified and what certification do I need?
As I have traveled and spoken on the subject of digital evidence and digital forensic investigation I have often been asked about Digital Forensic certifications. In this article I wanted to explore some of the better known certifications and their requirements so that [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Why do I need to be certified and what certification do I need?</strong><br />
As I have traveled and spoken on the subject of digital evidence and digital forensic investigation I have often been asked about Digital Forensic certifications. In this article I wanted to explore some of the better known certifications and their requirements so that you as an interested professional can decide if certification is for you and just which direction you might want to go.</p>
<p>I think it is important to realize that certification in any area of expertise should be designed to tell the world that you have attained something that sets you apart from others in the field. Digital forensic certification should be measured much like a college degree program. There are a number of undergrad and post graduate degree programs out there that are designed simply to make money through mail order and not to provide something of real value that tells the world that you have earned a college degree through a nationally or internationally accepted and recognized degree program. The programs I will discuss here have various requirements and levels of difficulty and it is up to you to decide the direction you want to go. Any good certification program in digital forensics should have a practical examination component and a written examination that requires the student to show their knowledge and proficiency in performing digital forensic work. The organization putting forth the certification should also require certificate holders to subscribe to best practices standards and to a code of ethics. Additionally, the certificate holder should be required to recertify at a prescribed interval and maintain continuing education in the field of digital forensics.</p>
<p>Digital forensic education programs leading to certification are generally divided into two areas: those open only to law enforcement and those open to any professional. Those open only to law enforcement typically also allow &#8220;non-sworn&#8221; personnel to attend if they are engaged in a full time position with a government agency that prepares criminal cases and assists in the prosecution of defendants. There are two programs that fall into the law enforcement only classification: the CFCE and SCERS certifications.</p>
<p>The <em><strong>Certified Forensic Computer Examiner</strong></em><strong> </strong>(CFCE) certification is offered through the International Association of Computer Investigative Specialists (IACIS). This program is offered by attending a two week intensive training course in Orlando, Florida. This course is offered every year and is now offered in multiple countries. IACIS began in the early 90’s and the training course is staffed by a host of volunteers who each year give up two weeks of their summer to teach and coach in the two week class. While the course is geared for the novice it will be very difficult to keep up in the class if you have not acquired at least a basic knowledge of technical background in the Windows operating systems. The class covers everything from basic FAT file systems to NTFS and Unix/Linux basics and also includes the various Apple Macintosh file systems. The class also covers the logical and the physical disk structures and computer forensic artifacts. Following the completion of the class the student is granted the <em><strong>Certified Electronic Evidence Collection Specialist</strong></em> (CEECS) certification which signifies training in how to seize and gather digital evidence in a forensically sound manner.</p>
<p>Shortly after graduation from the two week class the student applies for and is assigned a regional coach who will help guide the student through a series of five practical exercises designed to cause the student to explore digital forensic issues, locate forensic artifacts, and prepare a technical report based on their findings and conclusions. Each report is reviewed for thoroughness and once all issues in the exercise are resolved the student advances to the next practical. The final practical is a full size hard drive that must be imaged correctly and fully reported on. Once the final practical is completed the student is presented with a one hundred question multi-part written essay examination that usually requires several days to complete. The student must pass at 80%. If successful, the student is awarded the Certified Forensic Computer Examiner designation. The CFCE is required to maintain annual training hours and to recertify every three years. The cost of this program is approximately $1600 plus room and board. In the event that a student wishes to participate in the certification process without attending the two week training course there is also an external certification method. Each year approximately 200 students begin the process but only about 50 percent complete it. The CFCE is allowed to maintain their certification when separating from the public sector provided the separation was under honorable conditions.</p>
<p>The <strong><em>Seized Computer Evidence Recovery Specialist</em></strong> (SCERS) training program is only available to law enforcement and is part of the Federal Training Program offered at the Federal Law Enforcement Training Center (FLETC) in Glynco, Georgia. Students who are from a non governmental private entity may take part in the training provided they are sponsored by a law enforcement agency and the agency training coordinator or other responsible party within the agency makes the request for the student to attend. There is a prerequisite for this training in that the student must have completed the <strong><em>Digital Evidence Acquisition Specialist Training Program</em></strong> (DEASTP) or the <strong><em>Criminal Investigations in an Automated Environment Training Program</em></strong> (CIAETP) to qualify for admission to the SCERS Program. The SCERS program is quite expensive at $5,047 US but as a part of this price the student receives numerous pieces of hardware including a mini personal computer as well as the top selling forensic software products like Guidance Software™ EnCase Forensic and AccessData™ FTK; generally almost everything needed to conduct digital forensic examinations and analysis. The training program covers two weeks and involves extensive after classroom time. The in class curriculum is very similar to the CFCE program but also provides an introduction to the use of some forensic software tools. At the conclusion of the training program the student must pass a graded practical examination to be awarded the SCERS certification.</p>
<p><strong>Private Sector Programs</strong></p>
<p>For the digital forensic professional in the private sector there are several programs leading to certification. These programs are of course also offered to professionals in law enforcement but it is not required. These programs are generally divided into two areas; programs offering certification using non vendor specific digital forensic methodology and those which certify the student in the use of a particular piece of forensic software.</p>
<p>The High-Tech Crime Network (HTCN) offers several levels of proficiency for applicants seeking to attain certification. The HTCN state that they are the only certifying body that actually perform a background check on applicants and award a certification based on experience in the computer forensic industry. The candidate must provide satisfactory proof that he or she has received a minimum number of hours in computer crime and/or computer forensic training and must be able to document their experience in the field. The applicant can download a 17 page application from the HTCN website, submit the notarized application to HTCN with a $50 non-refundable application processing fee. The applicant must also submit a copy of the notarized application to their direct supervisor who authenticates the information contained in the application and also must sign a notarized affidavit to that effect. The supervisor then forwards the affidavit to the HTCN under separate cover. The applicant then waits 45-90 days for the HTCN decision concerning approval for certification. Prior to being awarded certification the applicant must become a member of HTCN and be an annual dues paying member in good standing and pay the remaining $450 to get their certificate.</p>
<p>The HTCN offers four different certifications:</p>
<p><strong><em>Certified Computer Crime Investigator, Basic Level</em></strong> requires candidates have 2 years of investigative experience or a bachelor’s degree and one year of experience. It also requires 18 months of experience directly related to the investigation of computer incidents/crimes. The basic certificate also requires the candidate to have completed 40 hours of training in computer crime investigation from an approved source.</p>
<p><strong><em>Certified Computer Crime Investigator, Advanced Level</em></strong> candidates must have an additional year of investigative experience and 4 years of experience directly related to the investigation of computer crime. Candidates for the advanced certificate must have completed 80 hours of training.</p>
<p><strong><em>Certified Computer Forensic Technician, Basic</em></strong> requires 3 years of investigative experience or a bachelor’s degree and 2 years of experience. Candidates must have 18 months of computer investigation experience and 40 hours of computer forensic training from an approved source and must pass a written examination on computer forensics. Additionally, the candidate must provide documentation that they have performed at least 10 computer forensic examinations.</p>
<p><strong><em>Certified Computer Forensic Technician, Advanced</em> </strong>also requires 3 years of investigative experience but must have 4 years of direct experience related to computer forensics. Additionally, the candidate must have 80 hours of computer forensic training. Candidates for the advanced certificate must have been the lead examiner in at least 20 examinations in the past 3 years and in 40 or more additional computing investigations as the lead forensic technician, supervisor, or contributor. The candidate must have been involved in a total of at least 60 computer forensic investigations at some level in the last 3 years.</p>
<p>LC Tech offers training in several computer crime disciplines marketed as the High Tech Crime Institute (HTCI) that culminate in certification one of which is the <strong><em>Computer Crime Scene Technician</em></strong> (CCST). HTCI offers tracks of study in which the student is required to attend training courses in certain topics to achieve certification in a particular area of study. Other forensic designations through HTCI include <strong><em>Certified Computer Network Investigator</em></strong> (CCNI), <strong><em>Certified Computer Forensic Technician</em></strong> (CCFT), and the <strong><em>Forensic Operating System Specialist</em></strong> (FOSS). Each of these tracks has their own exam and results in the designation of <strong><em>High Tech Crime Investigator Basic, Intermediate or Advanced</em>. </strong></p>
<p>The International Society of Forensic Computer Examiners (ISFCE) offers the <strong><em>Certified Computer Examiner</em></strong> (CCE) certification. CCE certification exams are offered at several locations around the country. CCE authorized training centers are also found at university and other locations in the US and internationally. The applicant must have documented training at one of the approved training facilities or have 18 months of responsible computer forensic examination experience. As an additional option the candidate may produce documented proof of a valid self study in computer forensic examination. The initial CCE process consists of a proctored multiple choice online exam and the forensic examination of a floppy disk, CDR, and hard drive. An 80% or better score is required to complete the process. The fee for the process is $395 US and additionally may also include a proctoring fee. The CCE must adhere to the ISFCE code of ethics and complete recertification every 2 years. A CCE may take additional online examinations particular to computer operating systems such as FAT, NTFS, Linux/UNIX, or Apple Macintosh in order to receive specific endorsements for demonstrated learning in these areas. The attainment of 3 or more such endorsements grants the CCE the advanced certification of <strong><em>Master Certified Computer Examiner</em></strong> (MCCE). There is no fee for membership to the ISFCE once the candidate has completed the CCE certification but there is a recertification fee of $75 US. The CCE also requires continuing education in computer forensics.</p>
<p>The International Information Systems Forensic Association offers the <strong><em>Certified Information Forensic Investigator</em></strong> (CIFI) certification. Training courses aimed at attaining this certification are available at various Technet Training Centers around the US. Candidates wishing to sit for the CIFI examination can do so at any Prometrics testing center for a fee of $150 US. Candidates must score a 70% or better on the exam to qualify.</p>
<p>New Technologies, Inc., acquired in 2000 by Armour Holdings, Inc., offers comprehensive training in computer forensics and a <strong>Certificate of Professional Development</strong> through the Oregon State University. Students earn the certificate of completion and college credit through the university. NTI offers their classes in Portland, Oregon and Jacksonville, Florida. The process involves both practical and written examinations.</p>
<p>In addition to these non-vendor specific training and certification opportunities several of the forensic software vendors are also offering forensic certification using their products. Guidance Software, makers of the EnCase line of forensic software, offers the <strong><em>EnCase Certified Examiner</em> </strong>(EnCE) certification. The EnCE has two paths to certification. One path requires that the candidate attend Guidance Software’s computer forensic or incident response training at the intermediate level or above. Those candidates must possess a valid EnCase software license personally owned or purchased through a training site or business. He or she must have 18 months of investigative experience with at least 6 months of verified experience in computer forensic examinations endorsed by their department head. The other path is for candidates who have other computer forensic training and have not taken the Guidance Software courses. In addition to the EnCase software license requirement the candidate must have 80 verifiable hours of authorized classroom computer forensic training with 18 months of total investigative experience including 6 months of experience in computer forensic examinations, or 32 hours of classroom training and two years of total investigative experience with 1 year of computer forensic examination experience. Both paths to certification require a two phase testing process. Phase I is a computerized examination proctored through Prometric Testing Centers. It requires an 80% or better grade on the exam. Phase II is a practical test requiring the candidate to examine computer evidence on CD-ROM. Candidates have 60 days to complete the practical and submit a report of their findings. Candidates must achieve an 85% or higher rating on the practical.</p>
<p>AccessData Corporation makers of the Forensic Tool Kit (FTK) and Password Recovery Toolkit (PRTK) have recently developed the <strong><em>AccessData Certified Examiner</em></strong> (ACE) certification. Candidates for the ACE certificate are required to possess (individually or through their employer) a licensed copy of FTK, PRTK, and Registry Viewer. The applicant must also have completed the AccessData Forensic Boot Camp and Windows Forensic training classes. There is no waiver or allowance for other types of forensic training. The applicant must also have 6 months of computer forensic experience. Successful completion of the process is also in two phases. Phase I is an 80% or better score on the computerized exam administered by Prometric Testing and Phase II involves completion of a Practical Based Assessment (PBA) administered by AccessData. The cost of the certification at the time of this writing is $395 US.</p>
<p>While it may not be necessary to have a certificate in Digital Forensic proficiency to conduct computer forensic work it shows that you have submitted your knowledge and skills in this area for review by an outside party. Much like the Certified Fraud Examiner, possessing a certificate in digital forensics sets you apart from others in the field. The CFE is highly recognized and a very valuable certification to have in today’s job market. Be certain the certification you choose in Digital Forensics will have the respect of your peers in the industry and be something that you can proudly display. It’s been said that computer forensics is a community of practice; we all learn from each other. Having a certification does not make you an expert but it does say something important about you and your level of knowledge and skill.</p>
<p>As a caveat, you should know that many states are requiring private computer forensic examiners to be licensed private investigators. If you are considering this field as an independent private examiner you should check with your state to find out if they will require licensing as a PI before you engage any clients.</p>
<p><em>Richard Cannon is both a Certified Forensic Computer Examiner and a Certified Fraud Examiner and has over 20 years experience in the fields of criminal and civil investigation and for the past 6 years he has worked in the field of digital investigation and analysis. He is the former Forensic Technology Director for the Association of Certified Fraud Examiners. He has written on the topic of digital investigation and spoken at a number of conferences both in the US and internationally on the subject of Digital Forensic Evidence and the investigation of fraud using digital forensic methodology. Mr. Cannon is currently Chief Investigator for Corporate InfoSec at a large global corporation and continues to conduct forensic examinations and investigations.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2009/09/computer-forensic-certification/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Test Results for Digital Data Acquisition Tool :: Tableau Forensic Duplicator TD1 (part 1)</title>
		<link>http://www.proactivediscovery.com/2008/10/test-results-for-digital-data-acquisition-tool-tableau-forensic-duplicator-td1-part-1/</link>
		<comments>http://www.proactivediscovery.com/2008/10/test-results-for-digital-data-acquisition-tool-tableau-forensic-duplicator-td1-part-1/#comments</comments>
		<pubDate>Sat, 11 Oct 2008 01:08:26 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Testing]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=51</guid>
		<description><![CDATA[Disclaimer: This is an independent review and its purpose is to share knowledge of things noticed and tracked when using the device. The integrity of the acquisitions made during this review was validated through MD5 hash values using EnCase (v6.11.2) and FTK Imager Lite (v2.5.4). Sorry, yet you are still responsible for your own testing [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-style: italic;font-size:85%;"><span style="font-weight: bold;">Disclaimer</span>: This is an independent review and its purpose is to share knowledge of things noticed and tracked when using the device. The integrity of the acquisitions made during this review was validated through MD5 hash values using EnCase (v6.11.2) and FTK Imager Lite (v2.5.4). Sorry, yet you are still responsible for your own testing and validation.</span></p>
<p>With two brand new Tableau Forensic Duplicators (TD1) on my desk, I thought I would share my testing results. First I would like to point out some of the key features I immediately noticed.</p>
<ul>
<li>Compact design</li>
<li>A large and clearly readable LCD display</li>
<li>Easy to navigate menu items</li>
<li>Ability to enter the investigator&#8217;s name which will show up in the log files created during acquisitions</li>
<li>Internal clock (date &amp; time)</li>
<li>SATA interface for source and destination</li>
<li>IDE interface for source and destination</li>
</ul>
<p>This round of testing focuses on the disk-to-disk and disk-to-file duplication feature. The Tableau Forensic Duplicator can be configured via its menu to default straight into disk-to-disk or disk-to-file acquisition mode, ultimately turning the unit into a single-button acquisition device, which makes training someone who only acquires drives very straightforward. What I really like about the TD1 is the fact that it has IDE and SATA interfaces for both the source and destination hard drives. It is possible to connect drives in any combination.</p>
<p><span style="font-size:130%;">Disk-To-Disk Acquisition</span></p>
<p>The fastest acquisition method seems to be the disk-to-disk mode. Using this mode, I was able to image a 40.0 GB Western Digital IDE drive in <span style="font-weight: bold;">18 minutes</span>. The image was done from IDE to IDE (<span style="font-size:78%;"><span style="font-style: italic;">see disk information at end of review</span></span>) with MD5 and SHA1 calculation enabled. The LCD menu provides all necessary information during the imaging process. You see the percentage of completed transfers, MB/s rate, total size imaged. Upon completion the TD1 shows the information an examiner would expect: method of image, date, start time of acquisition, examiner name,  source drive information, destination drive information, error counts, MD5 and SHA1 values.</p>
<p>The log information created in this mode only exists within the device itself and is somewhat limited compared to the log file created when using the disk-to-file mode. One shortcoming of this mode is that log information available via the LCD doesn&#8217;t show the end time stamp of the acquisition. I have yet to test if it is possible to download the log via the USB or 1394 interface to see if more information is actually captured than displayed on the LCD screen.</p>
<p><span style="font-size:130%;">Disk-To-File Acquisition</span></p>
<p>The TD1 allows splitting the raw image files into 4 GB, 2 GB, 1 GB and 700 MB chunks. At this point the Tableau does not allow the creation of one single raw image. I was told that it might be available in future firmware upgrades. The TD1 allows spanning the image files onto different destination drives should the currently connected drive fill up.</p>
<p>I saw the following performance when imaging a 40.0 GB IDE drive onto a 160.0 GB IDE drive (<span style="font-size:78%;"><span style="font-style: italic;">see disk information at end of review</span></span>). The images were accumulated on the 160.0 GB drive to fill it up and test the spanning feature. Both MD5 and SHA1 were calculated.</p>
<ul>
<li>4 GB chunks</li>
<li>11 chunks created</li>
<li>28 minutes</li>
</ul>
<ul>
<li>2 GB chunks</li>
<li>21 chunks created</li>
<li>29 minutes</li>
</ul>
<ul>
<li>1 GB chunks</li>
<li>41 chunks created</li>
<li>32 minutes</li>
</ul>
<ul>
<li>700 MB chunks</li>
<li>58 chunks created</li>
<li>37 minutes</li>
</ul>
<p>As desired all hash values matched up and no errors were recorded.</p>
<p><span style="font-size:130%;">Summary</span><br />
<span style="font-size:100%;">Thus far, I like the <a href="http://tinyurl.com/49hgg7">Tableau Forensic Duplicator (TD1)</a>. The unit appears to be very solid and as expected performs well. There are still more tests to do from a duplication standpoint. Plus, other features like disk wipe, blank test, error handling are still on my to-do list. The TD1 is reasonably priced (~$1,200) and should be considered as a contender if you are looking for a new disk acquisition tool.<br />
</span><span style="font-size:130%;"><br />
Device Tested</span></p>
<ul>
<li><a href="http://tinyurl.com/49hgg7">Tableau Forensic Duplicator</a></li>
<li>Model TD1</li>
<li>Firmware: 1.10 (September 19, 2008 / 16:44:44)</li>
</ul>
<p><span style="font-style: italic;">Source Drive</span></p>
<ul>
<li>Model: WDC WD400BB-23DEA0 (40.0 GB)</li>
<li>Firmware Revision: 05.03E05</li>
<li>HPA in use: No</li>
<li>DCO in use: No</li>
<li>ATA Security in use: No</li>
<li>Cable/Interface type: IDE</li>
<li>ATA PIO mode: PIO 4</li>
<li>ATA DMA mode: UDMA 5</li>
</ul>
<p><span style="font-style: italic;">Destination Drive</span></p>
<ul>
<li>Model: WDC WD1600AAJB-00PVA0 (160.0 GB)</li>
<li>Firmware Revision: 00.07H00</li>
<li>HPA in use: No</li>
<li>DCO in use: No</li>
<li>ATA Security in use: No</li>
<li>Cable/Interface type: IDE</li>
<li>ATA PIO mode: PIO 4</li>
<li>ATA DMA mode: UDMA 5</li>
</ul>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2008/10/test-results-for-digital-data-acquisition-tool-tableau-forensic-duplicator-td1-part-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Be aware when adding raw DD images to EnCase</title>
		<link>http://www.proactivediscovery.com/2008/10/be-aware-when-adding-raw-dd-images-to-encase/</link>
		<comments>http://www.proactivediscovery.com/2008/10/be-aware-when-adding-raw-dd-images-to-encase/#comments</comments>
		<pubDate>Wed, 08 Oct 2008 01:06:58 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[EnCase]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=48</guid>
		<description><![CDATA[I just received the new Tableau Forensic Duplicator (TD1) to put it through its paces. So the first test was to image a 40GB drive. I did so by using the 2GB DD image file options. The imaging with the unit went as expected.
When adding the DD images to EnCase I ran into a [...]]]></description>
			<content:encoded><![CDATA[<p>I just received the new Tableau Forensic Duplicator (TD1) to put it through its paces. So the first test was to image a 40GB drive. I did so by using the 2GB DD image file options. The imaging with the unit went as expected.</p>
<p>When adding the DD images to EnCase I ran into a little snag however. Wrote a song about it, wanna hear it? Here it goes&#8230;</p>
<p>Started EnCase, created case, opened the &#8220;Add Raw Image&#8221; dialog.</p>
<p><a href="http://4.bp.blogspot.com/_GZrV1vnbPbo/SOvwKsnsDmI/AAAAAAAAAAM/E1SKbdgHM2Q/s1600-h/diag1.PNG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img id="BLOGGER_PHOTO_ID_5254557456824798818" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://4.bp.blogspot.com/_GZrV1vnbPbo/SOvwKsnsDmI/AAAAAAAAAAM/E1SKbdgHM2Q/s320/diag1.PNG" border="0" alt="" /></a></p>
<p>Then went ahead and opened the dialog to add the &#8220;Component Files&#8221;.</p>
<p>Selected &#8220;Image.001&#8221; + SHIFT + selected &#8220;Image.021&#8221;.</p>
<p><a href="http://3.bp.blogspot.com/_GZrV1vnbPbo/SOv2EhlvR7I/AAAAAAAAAA8/VuvO84MzNtQ/s1600-h/diag2.PNG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img id="BLOGGER_PHOTO_ID_5254563947854383026" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_GZrV1vnbPbo/SOv2EhlvR7I/AAAAAAAAAA8/VuvO84MzNtQ/s320/diag2.PNG" border="0" alt="" /></a></p>
<p>Clicked &#8220;Open&#8221; in the dialog box, and clicked &#8220;OK&#8221; to add the raw image.</p>
<p><a href="http://3.bp.blogspot.com/_GZrV1vnbPbo/SOv0l9Cm-qI/AAAAAAAAAA0/H1DBu4b6QwA/s1600-h/diag5.PNG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img id="BLOGGER_PHOTO_ID_5254562323135658658" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_GZrV1vnbPbo/SOv0l9Cm-qI/AAAAAAAAAA0/H1DBu4b6QwA/s320/diag5.PNG" border="0" alt="" /></a></p>
<p>The result: Nothing, nada, nichts; well if you call Unused Disk Area nothing.</p>
<p>So I tried again. This time by only selecting the first of the raw DD images. No luck either. This time I got at least an error message.</p>
<p><a href="http://2.bp.blogspot.com/_GZrV1vnbPbo/SOvzC3MFq3I/AAAAAAAAAAs/IFZ8x80h2zk/s1600-h/diag4.PNG" onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}"><img id="BLOGGER_PHOTO_ID_5254560620757756786" style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://2.bp.blogspot.com/_GZrV1vnbPbo/SOvzC3MFq3I/AAAAAAAAAAs/IFZ8x80h2zk/s320/diag4.PNG" border="0" alt="" /></a><br />
I began to question the Tableau&#8217;s DD format. So I fired up FTK Imager and tried loading the image, which worked without any problem.</p>
<p>Not wanting to give up I reached out to EnCase support and it turns out there is a simple, yet very important way to add raw image files.</p>
<p>I did everything right up until selecting the actual raw image files.</p>
<p>The critical thing to remember is the ORDER in which the raw image files appear in the &#8220;Component Files&#8221; window when adding raw image files. So in my case above, notice that position #1 shows &#8220;image.021&#8221;. Not good.</p>
<p><span style="text-decoration: underline;"><strong>Solution:</strong></span></p>
<p>The trick is to actually select the raw DD image files in reverse order such as:</p>
<p>Select &#8220;Image.021&#8221; + SHIFT + select &#8220;Image.001&#8221;.</p>
<p>If you select files any other way, you can drag and drop the various component files within the &#8220;Add Raw Image&#8221; window if needed.</p>
<p>Hope this helps others.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2008/10/be-aware-when-adding-raw-dd-images-to-encase/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>EnScript :: Long File Path export</title>
		<link>http://www.proactivediscovery.com/2008/10/enscript-long-file-path-export/</link>
		<comments>http://www.proactivediscovery.com/2008/10/enscript-long-file-path-export/#comments</comments>
		<pubDate>Thu, 02 Oct 2008 01:05:20 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Code/Dev]]></category>
		<category><![CDATA[EnCase]]></category>
		<category><![CDATA[EnScript]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=44</guid>
		<description><![CDATA[Hello everyone &#8211;
I thought I&#8217;d share a little EnScript I wrote which deals with long file path export issues. The script I wrote basically does the following:
This EnScript plug-in is used to identify and export entries which would exceed the path depth limitation of 245 characters during a normal export. The script will loop through [...]]]></description>
			<content:encoded><![CDATA[<p>Hello everyone &#8211;</p>
<p>I thought I&#8217;d share a little EnScript I wrote which deals with long file path export issues. The script I wrote basically does the following:</p>
<p>This EnScript plug-in is used to identify and export entries which would exceed the path depth limitation of 245 characters during a normal export. The script will loop through entries that are blue-checked and export entries which exceed the above limit based on the FullPath column and the specified export path.</p>
<p>The script will export entries that exceed the 245 character limit. Once exported it will also &#8220;uncheck&#8221; them. This should leave you with items you can safely export using the native EnCase Copy Folder&#8230; function.</p>
<p>The script will create a subdirectory called &#8220;pathdepth&#8221; inside the user specified export folder and export data using the Logical Size of an entry. In addition a log file is created which contains the reference to the original entry details.</p>
<p>Since the script generates a flat export, it renames the files with a prefix to guarantee uniqueness. This prefix is actually the MFT record number on NTFS volumes (File Identifier).</p>
<p>Please report any bugs or suggestions to <a title="EnScript Support" href="http://www.proactivediscovery.com/contact-us/enscript-support/" target="_self">EnScript Support</a>.</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.31 : 22 September 2009</strong></span><br />
+ (fixed) total byte size of selected files keeps increasing if going back and forth with new destination path<br />
+ (fixed) split file type extension into own column in export log<br />
+ (fixed) exclude case name in path upon export<br />
+ (fixed) remove CaseName from path calculations<br />
+ (fixed) add original file name to export log<br />
+ (fixed) uniform export format: with MFT FileIdentifier available (file.ext_id.ext), without MFT FileIdentifier available (file.ext_hash.ext)</p>
<p>The EnScript can be downloaded here: <a href="http://www.proactivediscovery.com/wp-content/plugins/download-monitor/download.php?id=4" title="Downloaded 87 times">Long File Path Export (32.93 KB, 87 downloads), version: 1.0.31</a> (updated 09/22/09) (Requires EnCase 6.11.2)</p>
<p><span style="text-decoration: underline;"><strong>ver 1.0.9 : 10 October 2008</strong></span><br />
+ added MD5 hash value to the exported file name if no MFT file identifier is available.<br />
File Identifier is only available if the MFT is within the evidence file. In case of a LEF<br />
that doesn&#8217;t have the MFT, it shows a zero.<br />
+ added check if entry is folder. Folders are not considered for export.</p>
<p>This script was written and tested in EnCase v6.11.2. Please keep in mind that this is the first (beta) version.</p>
<p><span style="font-style: italic; font-weight: bold;">NOTE: No guarantee is made that this EnScript is error free. Please use at your own risk and validate your findings.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2008/10/enscript-long-file-path-export/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HOLISTIC SECURITY References on Terrorism, Homeland Security, Threat Assessment and Preparedness</title>
		<link>http://www.proactivediscovery.com/2007/08/%e2%80%9cholistic-security%e2%80%9d-references-on-terrorism-homeland-security-threat-assessment-and-preparedness/</link>
		<comments>http://www.proactivediscovery.com/2007/08/%e2%80%9cholistic-security%e2%80%9d-references-on-terrorism-homeland-security-threat-assessment-and-preparedness/#comments</comments>
		<pubDate>Tue, 21 Aug 2007 14:53:48 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Butler, William PhD]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=31</guid>
		<description><![CDATA[The holistic security information in a 182 page reference manual is about proactive threat mitigation, vulnerability assessment, and the protection of assets against intentional destruction. Holistic refers to the integration of a wide array of three-dimensional protective layers and systems from the technical aspects of CCTV, fences, locks, and cyber security to the psychological and [...]]]></description>
			<content:encoded><![CDATA[<p>The holistic security information in a 182 page <a title="Holistic Security Reference manual" href="http://www.lulu.com/content/1092029" target="_blank">reference manual</a> is about proactive threat mitigation, vulnerability assessment, and the protection of assets against intentional destruction. Holistic refers to the integration of a wide array of three-dimensional protective layers and systems from the technical aspects of CCTV, fences, locks, and cyber security to the psychological and physical aspects of surviving a terrorist attack. A critical key to protecting America&#8217;s infrastructure, government facilities, businesses, and population is to educate oneself and others &#8212; that is, to gather public domain intelligence about the threat. The <a title="Holistic Security Reference Manual" href="http://www.lulu.com/content/1092029" target="_blank">document&#8217;s</a> purpose is to understand the genesis of the problem and to recognize security weaknesses in order to make informed decisions related to asset protection and the safety of the public.</p>
<p>What is the magnitude of the threat? Should the United States be worried when only five percent of the cargo that enters its ports is inspected, or when security at nuclear power plants is dismally inadequate? Possessing quality information is a definite attribute that can mean the difference between success and failure &#8212; and now is the time to proactively arm oneself with relevant and accurate information, or at least the sources of such information. Simply, this is the ancient Chinese philosophy of knowing your enemy and yourself. If you know both, you will generally succeed; if you know neither, you will never succeed, and if you know only one of the two, you will only sometimes succeed.</p>
<p>Information must be gathered about proactive and reactive security methods, procedures, planning, firewalls and responses at all levels and depths. The security of the individual infrastructure, facility or business must be assessed and the technology for &#8220;holistically&#8221; protecting it must be tailored to the results of the assessment. For many large infrastructures, this has already been done (some mandated by federal law), or is at least an ongoing effort. However, for many of the smaller infrastructures, the security problem has not been seriously nor completely addressed. Furthermore, the planning and preparedness against terrorist activity for manufacturing and businesses are woefully lacking. About 85 percent of all privately-owned infrastructures and facilities have inadequate security and are easily vulnerable to attack. Most do not consider themselves targets and are not willing to spend the money to implement and install the necessary safeguards. Their rationale (i.e., safety in numbers) is that statistically, in a probabilistic sense, they are not a target.</p>
<p>Global terrorism has a long history and it is not expected to go away tomorrow. The United States ill-planned invasion and seemingly endless occupation of Iraq (based on faulty WMD and terrorist intelligence) has undoubtedly precipitated the growth of a new generation of anti-American terrorists around the world. Although security is being tightened on many fronts and new counter-measures are being implemented, upgraded, and installed, simple but ingenious attacks, such as the 1993 and 2001 World Trade Center (Twin Towers) attacks against Americans and American property are undoubtedly in the planning stages now. These future attacks will be much less frequent than the non-terrorist sabotage attacks seen at industrial sites (primarily disgruntled employee problems) but they will be much more devastating. If an amateur geek 15-year-old boy in Canada with minimal, if any, hacking expertise can paralyze the Internet and bring billion-dollar businesses to their knees from his bedroom computer, imagine what a sophisticated internet attack by skilled terrorists can accomplish. If an employer does not believe that background checks should be part of the hiring process and unknowingly hires someone with a criminal history, this may spell future trouble related to sabotage or terrorism. A newly-hired terrorist may engage in fraud, identity theft or hacking of computers and confidential information. The result could either fund terrorist activity or allow vulnerabilities to facilitate an attack. The potential is there and it can happen. Thus, this list of references is intended to reside on the desk of every facility manager, government official at any level, business executive, public utility commissioner, security professional, and threat assessor and any other person who has direct or indirect responsibility to protect assets.</p>
<p>The <a title="Holistic Security Reference Manual" href="http://www.lulu.com/content/1092029" target="_blank">reference manual</a> is available in <a title="Holistic Security Reference Manual - Print Version" href="http://www.lulu.com/content/1092029" target="_blank">print</a> or as a <a title="Holistic Security Reference Manual - Download version" href="http://www.lulu.com/content/1092029" target="_blank">download</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2007/08/%e2%80%9cholistic-security%e2%80%9d-references-on-terrorism-homeland-security-threat-assessment-and-preparedness/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Missing parent email after FTK export</title>
		<link>http://www.proactivediscovery.com/2007/06/missing-parent-email-after-ftk-export/</link>
		<comments>http://www.proactivediscovery.com/2007/06/missing-parent-email-after-ftk-export/#comments</comments>
		<pubDate>Wed, 20 Jun 2007 06:25:03 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Code/Dev]]></category>

		<guid isPermaLink="false">http://www.proactivediscovery.com/?p=26</guid>
		<description><![CDATA[Scenario: You perform a keyword search. FTK returns hits on emails with attachments for the keyword you searched for. Since you are a good forensic examiner, you validate the completeness of the results. Unfortunately you notice that several attachments reference emails which are not present. Reason: The keywords hit only on the attachment content, yet not on [...]]]></description>
			<content:encoded><![CDATA[<p><strong>Scenario</strong>: You perform a keyword search. FTK returns hits on emails with attachments for the keyword you searched for. Since you are a good forensic examiner, you validate the completeness of the results. Unfortunately you notice that several attachments reference emails which are not present.</p>
<p><strong>Reason</strong>: The keywords hit only on the attachment content, yet not on the email message.</p>
<p><strong>Problem</strong>: How do you locate the parent email which contained the attachment with the keyword hit?</p>
<p><strong>Answer 1</strong>: Manually review each item in your search result set, using &#8220;View the item in a different list &#8211; Email tab&#8221;. This is OK if you have only a few items.</p>
<p><strong>Answer 2</strong>: Wait for a new version of FTK to come out and hope the feature to export parent emails is included. According to AccessData&#8217;s support form, it might be in a new release.</p>
<p><strong>Answer 3</strong>: Use the attached Microsoft Excel spreadsheet. I recently worked a case where I was in the same situation and needed a somewhat automated tool. So I took it upon myself to write a VB macro that basically compares two columns from the FTK &#8220;Copy special&#8230;&#8221; feature.</p>
<p>Here is how you would use the tool.</p>
<p>Within FTK perform the following steps:</p>
<p>Step 1: Perform your search on emails with attachments within FTK</p>
<p>Step 2: Right-click in your search result pane and select &#8220;Copy Special &#8230;&#8221;</p>
<p>Step 3: Select &#8220;All Currently Listed Items&#8221;</p>
<p>Step 4: Only check the &#8220;File name&#8221; and &#8220;Attachment Info&#8221; column</p>
<p>Step 5: Select &#8220;Clipboard&#8221; within the Copy destination section.</p>
<p>Step 6: Click &#8220;Copy&#8221; button</p>
<p>Open the Excel spreadsheet (don&#8217;t delete any of the columns)</p>
<p>Step 1: Click on the &#8220;FTK Feed&#8221; worksheet tab</p>
<p>Step 2: Paste the results you have copied above into the &#8220;FTK Feed&#8221; worksheet.</p>
<p>Step 3: Within the &#8220;FTK Feed&#8221; worksheet, select column B2 and sort in &#8220;ascending&#8221; order</p>
<p>Step 4: Go to the &#8220;Locator&#8221; tab.</p>
<p>Step 5: Press the button&#8230;</p>
<p>The macro will crawl column A and compare it to column B. Column A is considered the &#8220;base&#8221;, which was extracted from the &#8220;Attachment Info&#8221; column. It is compared to Column B, which basically contains all files and email messages. If any value from column A is in B, you are lucky. If not, the macro will mark it in RED. This still means that you have to find the message within FTK, yet now you have a list to work with.<br />
I know the tool doesn&#8217;t really solve the problem, yet it helps automate the process of locating the missing parent email.</p>
<p>I hope this helps.</p>
<p>Download: <a href="http://www.proactivediscovery.com/wp-content/plugins/download-monitor/download.php?id=2" title="Downloaded 69 times">Find Parent Email (12.28 KB, 69 downloads), version: </a></p>
<p><em><strong>NOTE</strong>: Use this tool at your own risk. Make sure you test the results. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2007/06/missing-parent-email-after-ftk-export/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Signals and Clues in Detecting Deception</title>
		<link>http://www.proactivediscovery.com/2006/08/signals-and-clues-in-detecting-deception/</link>
		<comments>http://www.proactivediscovery.com/2006/08/signals-and-clues-in-detecting-deception/#comments</comments>
		<pubDate>Sun, 27 Aug 2006 20:09:44 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Butler, William PhD]]></category>

		<guid isPermaLink="false">http://www.interiosity.com/?p=22</guid>
		<description><![CDATA[William C. Butler, PhD
Butler Research, LLC
Evergreen, CO 80439
Everyone lies. It is not abnormal behavior until it becomes compulsive, excessive, and chronic, interfering with the individual&#8217;s ability to cope with life. These compulsive liars are becoming detached from reality and have a major character flaw. About 60 percent of &#8220;normal&#8221; people tell one lie every ten [...]]]></description>
			<content:encoded><![CDATA[<p><strong>William C. Butler, PhD<br />
Butler Research, LLC<br />
Evergreen, CO 80439</strong></p>
<p>Everyone lies. It is not abnormal behavior until it becomes compulsive, excessive, and chronic, interfering with the individual&#8217;s ability to cope with life. These compulsive liars are becoming detached from reality and have a major character flaw. About 60 percent of &#8220;normal&#8221; people tell one lie every ten minutes during a typical conversation. Everyone to some degree deceives by concealing, omitting, distorting, embellishing, exaggerating, or falsifying information or the truth. The amount of dishonesty displayed in our verbal communications is all relative &#8211; some people just tell &#8220;little lies&#8221; and some people tell &#8220;big lies&#8221; that later have major consequences. It is not easy or even possible to be truthful 100 percent of the time. All people lie with good intentions &#8211; it fulfills a basic need. Tartaglia (1999) suggests that the subtle intention of lying is to be in control. He also states that all children lie to test their parents in order to see how much they can get away with.</p>
<p>Lying is fundamental in the human condition and a crucial dimension of all human relationships (Smith, 2004). It follows that everyone is constantly bombarded by new and possibly inaccurate information from various media and through interpersonal relationships. Conversely, everyone practices detecting the deception they know exists in the world. This plethora of information is therefore automatically, even unconsciously, evaluated for truthfulness. But how do we know what information is accurate and what is not? Among adults, there are vast differences in deceptive abilities &#8211; a skill learned early in life (Lewis and Saarni, 1993). We rely on intuition &#8212; which may not always be right &#8212; and non-verbal communication to help in this process of determining truth. More specifically, a fundamental skill for investigators and interviewers operating in a world awash in deception, misinformation, and disinformation is the ability to know something about an interviewee&#8217;s mindset, such as the veracity of what they might be thinking, and if they are showing defensive, neutral or aggressive signs.</p>
<p>To know when someone is &#8220;cognitively challenged&#8221;, anxious, and under emotional stress because they are lying, particularly when they are adamant about their truthfulness, has obvious advantages. It is important to note however that just because a person is under emotional stress does not mean that the stress is due to lying. Probably two-thirds (70 percent per Inbau, et al., 2005) of all human communication takes place through subconsciously displayed (involuntary) body language. According to Wainwright (2003), &#8220;Body language is nearly always a better guide to the truth than even the most eloquent words&#8221;. Mehrabian (1971) concluded that only 7 percent of our information-gathering comes from the actual language used in conversation &#8211; the rest comes from body lingo and voice patterns, volume, cadence and pitch. Therefore, being able to spot these non-verbal warning signals, indicators, or gestures of deception plays a paramount role in the quality of decisions investigators and security professionals make daily. The problem with detecting lies is that most people are poor lie detectors (lie catchers); studies have shown that unless one is very highly trained in this area, there is only a slightly better than 50-50 chance of detecting lies by intuition. About a fourth of one percent of the population can consistently detect lies (The Associated Press, 2004). Even judges and law enforcement officers are not much better than the general population at detecting lies (Ekman, 2001).</p>
<p>The focus of this article is neither interviewing techniques nor the formulating of interview questions nor the use of polygraph techniques (Moenssens, et al., 1995; Ekman, 2001). These are topics expertly covered in Inbau et al. (1986 and 2001); rather, it is a description of the common clusters of non-verbal body signals that individuals subconsciously use when they &#8220;talk with their body&#8221;. This is a brief introduction to the analysis of body language for the purpose of recognizing clues, signals, gestures, and posturing as they relate to the true emotional state and mindset of an individual, and ultimately to the true meaning of their verbal messages. Most people normally use a variety of gestures, such as hands and facial expressions (illustrators), when they speak to assist the listener. [more...]</p>
<p><em>The complete 20 page scientific paper is available for only $14.95. The electronic copy will be sent to you in PDF format.</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.proactivediscovery.com/2006/08/signals-and-clues-in-detecting-deception/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
