Forensics 101

While the industry has taken off only in the last few years, the science began back when computers were used mostly for word processing and spreadsheets. In those days, if corporate officials suspected employees of foul play, they’d dispatch secretaries to snoop around hard disks after hours. When these secretarial spies uncovered something fishy, officials instructed them to use the digital document as a guide while they rifled through file cabinets, desk drawers and the trash. The thinking here was practical?because few businesspeople eschewed the printed page until the rise of the Internet, it was a safe bet that any document stored electronically had a matching hard copy somewhere nearby.

Gradually, as computers entered the mainstream and computer crimes became more complex, forensic methods changed. Today, with recent statistics from the Meta Group indicating that the vast majority of all documents are stored digitally, the science hinges almost entirely on computers themselves. Computer forensic specialists call on a mix of investigative wit and high-tech know-how to reconstruct the particulars of a hack, theft of trade secrets or pornography scandal conducted on company machines. To extract a deleted memo, for instance, they can scan thousands of hidden backup folders for certain key words. To establish someone’s whereabouts on a particular day, they might peek at a series of pages in the Web cache or in an area called file slack?the microscopic space between individual files?for time-stamped text documents.

"Forensic investigators of the modern age can resurrect e-mail messages from a computer that hasn’t worked in years, or establish a time line of crime from the hard drives on 15 separate laptops," says Talleur. "We sure have come a long way from sending the secretary to rifle through the trash."

Despite this evolution, a key aspect of the science, called chain of custody, hasn’t changed at all. Chain of custody is the record of who had possession of the evidence and what they did with it. The chain, which can be established with documents or testimony, enables lawyers to show the court that computer records submitted as evidence are in the same condition they were in at the pertinent time, and that they have not been tampered with or altered so as to become inaccurate records of the event, according to Linda Stevens, general partner in the litigation and intellectual property groups at law firm Schiff, Hardin & Waite in Chicago. While this provision is intended to protect the defendant from evidence tampering, the requirements can hurt the plaintiff if the evidence is mishandled. A perfect example: Last spring, after a hacker broke through the firewall at Wallingford, Conn.-based CD Universe and stole 300,000 credit card numbers, authorities declined to prosecute a teenage suspect because they claimed specialists responding to the situation had tainted the evidence. Details are still sketchy, but experts familiar with the case allege that employees from one or more of the computer security companies that handled the break-in inadvertently altered access times on log files from the day of the attack. Joan Feldman, founder and president of Seattle-based Computer Forensics, followed the case closely; she says this kind of mistake would have made it impossible to authenticate any evidence whatsoever.