The Truth is in There: Sleuthing for Data with Digital Forensics

Page 2 of 3


BEST PRACTICES SERIES

Keeping Investigations In-House
Corporations tend to take a different view of digital forensics, according to Karney, mostly because, unlike criminal investigations, they often want the final results kept quiet, building up just enough evidence to force out the employee or to make them stop the offending behavior. "In the corporate world, companies do everything they can to keep incidents from ever becoming legal matters," Karney says. 

"Organizations use digital investigative tools to get answers such as 'I had an event. I think someone is stealing intellectual property. I need to confirm or deny the event took place.'" If the company confirms that something has happened, it needs to determine what, if anything, it will do, such as whether or not to prosecute. In the event it does want to prosecute, the company needs to be able to prove it gathered evidence using a defined (and proper) process. 

Jeffrey Gross, who runs a private digital forensics company—Computer Forensic Associates, Inc., which specializes in computer crime and fraud investigations—and also teaches graduate-level courses in digital investigation, says companies will often quietly force out an employee before prosecuting, even in cases of criminal wrongdoing. "We do a lot of financial fraud cases, embezzlement, the kinds of cases that never make the headlines and are handled internally. When you read about a CEO that makes $2 million a year who suddenly announces in the papers that he wants to spend more time bass fishing, those are the people we often end up investigating, the untoward financial activities in a corporate structure."

In the case of a hacking incident, there has to be a reasonable cost-benefit case for tracking down the perpetrator, and it may be enough, says Carrier, simply to establish that it has happened, work out a solution, and move on. If, for example, the company would have to take down the network for a significant period of time to figure out what happened, it may not be worth the trouble. In other cases, simply finding a fix is the endgame; tracking the culprit may not be possible.

"A lot of times, quite honestly, attackers go through multiple computers…and the process to get back to an actual person is very difficult," Carrier says. It could require the cooperation of many different parties including different individuals, corporations, universities, and governments all over the world. "For a lot of companies, cases where there isn't a significant loss and damage, while due diligence was done and attempts were made to track the culprit, they are not going to spend more on the investigation than was lost to find out who was responsible." 

Proving a Case in Court
Forcing an embezzling employee to resign is one thing; proving a murder is another, because the latter will always end up in court, where the prosecutors must prove the case. As such (as any CSI fan knows), investigators must follow a prescribed protocol to collect and analyze evidence. Carrier says an investigator typically starts by unplugging the computer, rather than going through the operating system's shutdown procedure, because bad guys can plant logic bombs in computers that destroy evidence as part of the shutdown process.

Next, the investigator makes a copy of the hard drive, keeping the original drive in a safe place. "If you are going to bring digital evidence into court, they require you to be able to verify that you are working from original evidence and it wasn't modified," Carrier says. This involves making a copy or two and putting the original in a safe before starting the analysis, so that the original always stays in its pristine state.
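The acquisition step Carrier describes, as an added worked example (this is not code from the article or from any vendor's tool): image the media block by block, hash it as it is read, record the digest, and re-verify the working copy against the original both before analysis and after, so that any modification of the copy is caught. The "seized drive" is a constructed byte string written to a temp file, and the file-permission change standing in for a hardware write blocker is an assumption made so the example runs offline.

```python
"""Forensic acquisition sketch: image a source, hash it during the read, and
verify the working copy against the original before and after analysis.
Added example; not from the article or any vendor tool."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone

BLOCK = 4096

# Constructed stand-in for a seized drive (a 16 KiB file, not a real block device).
SAMPLE_DRIVE = b"".join(bytes([i % 256]) * 16 for i in range(1024))


def hash_file(path, algo="sha256"):
    """Stream a file through a hash so large images do not need to fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(BLOCK), b""):
            h.update(chunk)
    return h.hexdigest()


def image_device(src, dst):
    """Copy src to dst block by block, hashing the bytes as they are read.
    The digest returned is the acquisition hash of the original media."""
    h = hashlib.sha256()
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        for chunk in iter(lambda: fin.read(BLOCK), b""):
            h.update(chunk)
            fout.write(chunk)
    return h.hexdigest()


def protect_original(path):
    """Software stand-in for a hardware write blocker: clear the write bits.
    (Assumption: in a real case the original sits behind a physical blocker.)"""
    os.chmod(path, 0o444)


def verify_image(src, image):
    """True only if the image still matches the original bit for bit."""
    return hash_file(src) == hash_file(image)


def acquisition_record(src, image, acquisition_hash):
    """Minimal chain-of-custody entry an examiner would keep with the image."""
    return {
        "source": src,
        "image": image,
        "sha256_at_acquisition": acquisition_hash,
        "sha256_of_image": hash_file(image),
        "acquired_utc": datetime.now(timezone.utc).isoformat(),
    }


def run_demo():
    """Acquire, verify, then tamper with the working copy and verify again."""
    workdir = tempfile.mkdtemp(prefix="forensics_")
    src = os.path.join(workdir, "seized_drive.raw")
    image = os.path.join(workdir, "working_copy.dd")
    try:
        with open(src, "wb") as f:
            f.write(SAMPLE_DRIVE)
        protect_original(src)

        acq_hash = image_device(src, image)
        record = acquisition_record(src, image, acq_hash)
        verified = verify_image(src, image)

        # Simulate accidental modification of the working copy (for example a
        # tool that mounted it read-write): one flipped byte breaks the hash.
        with open(image, "r+b") as f:
            f.seek(1000)
            original_byte = f.read(1)
            f.seek(1000)
            f.write(bytes([original_byte[0] ^ 0xFF]))
        verified_after_tamper = verify_image(src, image)

        return {
            "acquisition_sha256": acq_hash,
            "record_matches": record["sha256_of_image"] == acq_hash,
            "verified": verified,
            "verified_after_tamper": verified_after_tamper,
            "expected_sha256": hashlib.sha256(SAMPLE_DRIVE).hexdigest(),
        }
    finally:
        # Restore the write bit so the temp directory can be removed.
        if os.path.exists(src):
            os.chmod(src, 0o644)
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The hash taken during the read is the number that goes into the evidence log; re-hashing the copy later and comparing it to that value is what lets an examiner say in court that the analysis was done on an unmodified image. The digest is computed over the raw bytes, so it is independent of any tool or image container.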

Once the investigator has a copy, he begins using various tools to locate data that will prove a case. Gross says he very often starts an investigation with very little information. He may know, for instance, that money is missing, but have no sense of how that happened. The evidence, he says, is typically scattered across many locations, including personal computers, entire network drives, RAID arrays, and servers at different sites, which makes finding the information a difficult prospect. 

"There's a lot of potential evidentiary media we have to put together to try and cull out what the traces are, what the activities were, what the fraud was, and address the issue of knowledge. What was the person thinking? What were they planning as opposed to the possibility it was just technical errors. We use the software to build a profile of what was going on involving that person in that particular set of activities," Gross says. 

You might wonder how the prosecution (or, in a civil matter, the plaintiff) could prove that the investigator used legitimate means to extract the information, and then prove that it was indeed the defendant who used the computer. For starters, Guidance EnCase file formats have been accepted by the courts as a standard for computer investigation, according to Karney. Further, he says that each individual has a profile of how he or she uses a computer, and a trained investigator can begin to build a picture of the defendant's computer usage style. "Interestingly enough, you have interaction behaviors with your computer. You can build a type of physiological profile from the way you do things—how you store files, how you conduct searches, how you delete files, the websites you typically visit and the times of day you do certain things," Karney says. 

As digital content invades every corner of our behavior, criminal and enterprise investigators alike will increasingly be called upon to scour content repositories—from emails and instant messages to extracting deleted files from the unallocated space on hard drives. As a manager, you can keep your head in the sand, as Karney puts it, or you can come to terms with the fact that in any company, as in society at large, we must be prepared to contend with a range of human behavior. Managing content is not enough; nor is managing where content goes, in and outside the enterprise. Sometimes you need to track the trail of errant bits and bytes, and digital forensics is there to guide you.   
