Considering that private investigation is widely regarded as the second oldest profession, it is amazing that it is found in virtually every emerging facet of business. Computer forensics is just such an area. Although it has been around loosely since computers started becoming more widely used, it is only within the last 10-12 years that it has begun to take on structure, with companies dedicated solely to its practice. As a result, it can be quite a “buyer beware” environment.

The first hurdle is recognizing when computer forensics (CF) is necessary. CF is not something that should be called in at the eleventh hour. It should be a consideration from the very onset of any investigation. Consider this statistic: by various estimates, 91% of all information generated today is created in electronic form, and 86-90% of that never leaves electronic form. Clearly, if computers are not being considered in an investigation, a great deal is being left out.

One of the first places to consider applying CF is the Human Resources department. This includes the two-man shop where the owner IS the HR department. A forensic image (the second step in a CF examination) should be taken of an employee's hard drive immediately after dismissal. It should be an integral part of any walk-out policy. Fully 85% of employees currently spend some part of their day using the computer for non-employment-related tasks. Things like checking personal email accounts, using eBay, Facebook, MySpace, online gambling, cyber chatting, and even viewing pornography are commonly performed on company time. An entire article could be written on just the security implications of this!

If a forensic image has been obtained of the departing employee’s computer hard drive, it makes it much easier to follow a trail than if the employer is presented with a wrongful dismissal lawsuit 6 months after the fact. At that point, the computer has already been repurposed and put into use by a new employee, making it much more difficult to extract potential evidence. This is merely one example.

Case Intake

The most important part of any investigation, and certainly of a CF investigation, is the case intake. This will usually start with a meeting between the client and the CF examiner. It is integral to the investigation that all parties have a clear understanding of the objectives and expectations, what is possible, and what is not. To some, CF seems almost magical in its ability to reconstruct computer history and recover what was thought to be deleted long ago.

Depending on the scope of the investigation, a common task is compiling a set of search terms to be used against the computer to extract relevant information. The creation of the search terms should be a collaborative effort between the client and the examiner, simply because the client alone may not understand how data resides on a computer. A common example in corporate investigations is wanting the term “contract” searched for, to locate evidence of an employee stealing proprietary data, or planning on working for the competition, etc. A seasoned examiner knows that searching for this term by itself with no context will obtain hundreds, if not thousands, of non-relevant “hits”. One of the reasons is that the word “contract” exists numerous times within the End User Licensing Agreements of every piece of software installed on every computer.

Another common mistake is searching for a term that shows up inside larger words. For example, a recent search term provided by a client was the acronym “OTTED”. Without proper context, and without a skilled investigator to write complex coding instructions for exclusions and exceptions, this search term would result in “hits” in words such as jOTTED, rOTTED, allOTTED, spOTTED, etc. This would create an overwhelming number of search hits, causing the investigation to take much longer than necessary.

Another common mistake is requesting all the emails from the computer. This is not a difficult task if the client only wants emails that still exist in the regular places on the computer, but if the client wants every email, deleted or not, this becomes a herculean task, simply because when the client asks for “all emails”, they are thinking from the perspective of relevant emails. They don’t realize that their request for “all emails” can’t tell the difference between the one relevant email a day, and the 30 spam emails a day. The issue is far more technical than this article will allow, but this should serve as an indication of how carefully search terms, ideas, and parameters must be considered.

Forensic Acquisition

The forensic acquisition is extremely important to the outcome of the investigation. If not done properly, all evidence extracted may very well be rendered inadmissible in court proceedings. As in any other type of investigation, continuity must be maintained and proper documentation performed. This includes the standard photography of the scene and of the equipment, as well as proper documentation of the evidence being collected.

In many cases, investigations have been greatly hampered by companies believing their IT department could perform these collection and analysis functions. This could not be further from the truth. Besides the resultant conflict of interest problems, IT people, although very skilled in their area of computers, are not forensic collection or analysis specialists. The worst part is that they don’t know what it is that they don’t know. Think about that for a second. They believe they are doing the best they can, and they absolutely mean well, but they don’t know the forensics field any better than the forensics field would know the IT structure of the company.

Once properly documented, the issue now becomes how to proceed with the acquisition. This is not a straightforward procedure. There are a number of variables. Is the computer on or off? If off, then the job is much easier, and the specialist can skip straight to the acquisition. If the computer is on, the old school mentality is that it needs to be turned off immediately. While this was the standard 5-8 years ago, it certainly is no longer. Technology has advanced to the point where we now know that the content of the RAM, or Random Access Memory of the computer is a vital part of the evidence collection process. The RAM contains evidence that exists nowhere else on the computer. For example, many types of hard drive security including whole disk encryption, Windows BitLocker technology, and others hold the unlock key in the RAM. If the analyst can capture this, they have the keys to the hard drive. If the computer is off, or they do not collect this before turning it off, there is virtually zero chance of accessing the data on the hard drive without getting the key from the user. As well, chat logs and other data exist only in the memory, and are forever lost once the computer is shut down. Unlike a hard drive, when the computer is shut down, the content of the RAM is lost.

Other crucial data that can be captured only while the computer is on include things such as what programs are running at that particular time, what network connections and open shares are active at the time, and also, what compromises such as malicious software are running. Again, it is imperative to handle the computer properly, and not rush to turn it off. Only a skilled and qualified forensic specialist will have the specialized knowledge, hardware, and software to perform the capture of this memory.

After all evidence is collected from the running state, the various drives of the computer must be checked for rogue software. Floppy disks, CDs, or DVDs may be in the system that will cause the hard drive to initiate a complete overwrite of all data if the computer is not shut down in the sequence that a rogue employee or other person has set up. For that reason, these drives need to be checked for media, and if any is found, it must be removed before initiating any shutdown sequence.

Now that the point of shutdown has been reached, a decision must be made on how to shut the computer down. This is usually a trade-off between functionality and potential destruction of data. Simply turning the computer off using the normal shutdown method can destroy a great deal of evidence in the process. Pulling the plug, while preserving the most evidence, could also corrupt many files that are in use at the time, potentially damaging the network. Typically, the rule of thumb, all other things taken into consideration, is that any Windows servers, Unix flavors, or Mac systems should be shut down using the normal procedures. Any other types of Windows machines should have the plug pulled.

At this point, the acquisition can start. The hard drive is removed and either imaged in a device designed specifically for this task, or it is hooked up to a computer through a write blocking device to perform the same task. The write blocking device ensures that no changes or alterations occur during the acquisition process. This process creates a bit by bit copy of the hard drive for later analysis at the forensics lab.

Forensic Analysis

This is the bread and butter of the entire computer investigation process. Trying to save money by hiring cheaper analysts will almost assuredly lead to failure at this stage of the investigation. In this field, as with most others, you get what you pay for. Unfortunately in this type of investigation, the client will never know what was missed by an unskilled analyst. Searches on provided terms were discussed earlier, but this is a very small part of a full analysis. A great deal of data is now being missed in investigations by questionably qualified examiners because many files are not being properly mounted in preparation for the search. In today’s computer, simply running a search term to find instances of it in potential contracts or emails will fail to provide any results because things like ZIP files, Office 2007/10/13 files, PDFs, and Outlook files are compressed in a proprietary fashion that “removes” the plain text content. Therefore, the search term could very well be in a Microsoft Word 2007 document, and would never be found if the data wasn’t first prepared properly for the search.
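The two search problems described so far, terms that hit inside larger words and terms hidden inside compressed containers, can be shown in one short added example (not code from the original article). The file names, contents and the `skip` exclusion list are constructed for illustration, and only ZIP-based containers such as DOCX are opened here; PDFs and Outlook stores need their own handlers.

```python
import io
import re
import zipfile

def make_docx(body):
    """Constructed sample: a minimal DOCX-style ZIP, not a complete Word file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("word/document.xml",
                   "<w:document><w:body><w:p><w:t>%s</w:t></w:p></w:body></w:document>" % body)
    return buf.getvalue()

# Constructed evidence set for the illustration.
FILES = {
    "notes.txt": b"She jotted it down; shares were allotted on Friday.",
    "memo.docx": make_docx("Send the OTTED pricing file to my home address."),
    "app/EULA.txt": b"This contract governs use of the OTTED modules.",
}

def expand(name, data):
    """Yield (label, text) pairs, opening ZIP-based containers before searching."""
    if zipfile.is_zipfile(io.BytesIO(data)):
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for member in z.namelist():
                xml = z.read(member).decode("utf-8", "replace")
                yield name + "!" + member, re.sub(r"<[^>]+>", " ", xml)
    else:
        yield name, data.decode("utf-8", "replace")

def search(files, term, whole_word=True, mount=True, skip=("eula", "license")):
    """Return the labels of items containing the term (case-insensitive)."""
    pattern = (r"\b%s\b" if whole_word else "%s") % re.escape(term)
    rx = re.compile(pattern, re.IGNORECASE)
    hits = []
    for name, data in files.items():
        if any(s in name.lower() for s in skip):
            continue  # exclusion: licence texts only add noise
        items = expand(name, data) if mount else [(name, data.decode("latin-1"))]
        hits.extend(label for label, text in items if rx.search(text))
    return hits

naive = search(FILES, "OTTED", whole_word=False, mount=False)  # raw substring search
prepared = search(FILES, "OTTED")                              # mounted, whole word
```

The raw substring search flags only the irrelevant `notes.txt` and misses the memo entirely, while the prepared search returns only the document inside `memo.docx`.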

The question is oft asked of any analyst, “What can you find for me?” This is a very difficult question to answer. Quite often the sky is the limit, and the analyst will turn the question around to ask for specific details of what the client suspects, or may be looking for. Generally speaking, if it is still on the computer, it can be found. In terms of data resident on the hard drive, as long as it has not been overwritten by new data, it can be recovered. To better understand this concept, it helps to understand how data resides on a hard drive, and what happens when it is deleted.

When a file is deleted, it doesn’t actually disappear. It still occupies space on the hard drive, in what are called clusters. Given that hard drives have millions of clusters, the computer needs a way to find a specific one. In the case of the Windows operating system, it does this through the Master File Table, or MFT for short. The MFT is basically a table of contents that points to individual clusters. If a user creates a file, it will be saved to a space covering one or more clusters, depending on its size. For example, let us say the document was saved to cluster number 3,000,000. An entry will now be made in the MFT so the next time a user double clicks on the icon to open the document, the computer will be told by the MFT where to go find it. If it is then deleted, the document will still exist on cluster 3,000,000, but the entry in the MFT is what actually gets removed. Once the MFT has had the document reference removed, the computer no longer knows where to go and look for it. As well, the computer is told that it is perfectly OK to place a new document on cluster 3,000,000. BUT, until it actually does, the old data is still there. A skilled analyst is able to access the Unallocated Space and find the document based on various parameters. He or she can also use that expertise to actually restore the once deleted file to usable status again.
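The deletion behaviour described above can be reproduced with a toy model, added here as an illustration (it is not code from the original article and does not parse real NTFS structures). `ToyVolume`, the 512-byte cluster size and the sample files are assumptions, and the carver assumes the deleted file was stored contiguously.

```python
CLUSTER = 512  # bytes per cluster in this toy volume (assumed size)

class ToyVolume:
    """Simplified model: a file table that points at clusters."""
    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.table = {}                      # name -> list of cluster numbers
        self.free = list(range(clusters))    # unallocated clusters, lowest first

    def write(self, name, content):
        need = -(-len(content) // CLUSTER)   # ceiling division
        used = [self.free.pop(0) for _ in range(need)]
        for i, c in enumerate(used):
            chunk = content[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(chunk)] = chunk
        self.table[name] = used

    def delete(self, name):
        # Only the table entry is removed; the clusters become reusable
        # but their bytes are left exactly as they were.
        self.free = sorted(self.free + self.table.pop(name))

def carve(vol, header=b"%PDF-", footer=b"%%EOF"):
    """Scan unallocated clusters for a file header and read on to the footer."""
    found = []
    for c in vol.free:
        start = c * CLUSTER
        if vol.data[start:start + len(header)] == header:
            end = vol.data.find(footer, start)
            if end != -1:
                found.append((c, bytes(vol.data[start:end + len(footer)])))
    return found

def demo():
    vol = ToyVolume(8)
    vol.write("budget.txt", b"Q3 budget draft")          # cluster 0
    doc = b"%PDF-1.4 constructed sample: client list " + b"x" * 600 + b" %%EOF"
    vol.write("clients.pdf", doc)                         # clusters 1 and 2
    vol.delete("clients.pdf")
    survived = carve(vol)                                 # data still on disk
    vol.write("new.txt", b"n" * 700)                      # reuses clusters 1 and 2
    return doc, survived, carve(vol)
```

Right after deletion the carver recovers the full document from cluster 1; once a new file reuses those clusters, nothing is left to recover.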

Beyond finding deleted data, CF can determine a number of activities that have occurred on a hard drive. Below is a list of just a few of the almost limitless possibilities:

Determine all USB devices ever connected to the computer and when;
Determine if data was burned to CD/DVD or other media;
What programs have actually been used on a computer, and how often;
What user was logged on during a specific time;
Websites visited, and whether they were typed in or just clicked to;
Lists showing what files were accessed on removable media;
Lists showing the last several files of various types opened, such as the last Word documents opened, last videos watched, last music listened to, etc.;
Defragmentation and other data destruction functions.

As more time passes, computer data will become a routine stopping place in the search for relevant information on any given subject. The business person who is prepared for this sooner rather than later will always have the competitive advantage. An executive need not understand the technology. They only need to be willing to ask the specialist if something can be done to help.