Computer Forensics: IT Autopsy
"On a PC running Windows or NT, when you go into Explorer and click on a file, you automatically change the last access date, right?" Feldman says. "If you do that to the only copy of a file that’s critical to a case of computer crime, you’ve just ruined your evidence."
Process Makes Perfect
What happens when a company suspects a security breach and turns to forensics for help? First, as with any other crime scene, it’s crucial that no one disturb the evidence. Even without a body or bullet casings, a computer can contain just as much evidence as the site of a homicide, says Julie Lucas, director of information security at Houston-based network consultancy GlobalNetwork Technology Services (GNTS).
To ensure that evidence is processed safely and to keep practice consistent across the industry, investigators follow a standard four-step regimen. First, they isolate the system, making sure no perpetrators, outside or in, can further damage or alter the crime scene. Next, they secure and copy the evidence for analysis. One way to do this is to mount an external tape drive and take an exact binary image of the computer’s hard disk. This digital duplicate becomes the version investigators use to explore the evidence without ruining it, and its importance is yet another reason why IT staffers should avoid tinkering when something dire occurs.
Many investigators take the original hard drive and lock it in an onsite storage facility such as a closet or safe. With this evidence secure, investigators finally can do what they do best: investigate. Using a bevy of forensic tools made by niche companies, investigators search hidden folders and unallocated disk space for copies of files a user thinks he’s deleted. The tools allow searches by keyword, file type or access date.
These procedures usually take a few days to complete; evaluating the data they produce takes much longer. Once experts have conducted an investigation, it can take weeks for them to make sense of everything they’ve found. Verification is the final step in the forensic process and usually ends with the preparation of a findings report that can be used in a court of law. Documentation is key here. Sean McCreight, CEO and chairman of Pasadena, Calif.-based Guidance Software, says investigators must be able to explain the methods they employ to uncover every byte of data. Because evaluation strategies differ, McCreight notes that this is the part of the forensic process that sets one investigator apart from another. Do it right, he says, and you’re golden; do it poorly, and you could find yourself on the wrong side of a devastating legal loss.
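The three technical steps above (duplicate the disk, search the copy including unallocated space, document a method that can be explained in court) can be illustrated with a small Python example. This is added here and is not code from the article or from any vendor it names; it assumes the standard practice of hashing the acquired image so a working copy can be proven bit-for-bit identical, and it uses a constructed byte string in place of a real disk image.

```python
import hashlib

def image_hash(image: bytes) -> str:
    """SHA-256 of an acquired image, recorded at acquisition time so the
    sealed original never has to be read again during analysis."""
    return hashlib.sha256(image).hexdigest()

def verify_copy(acquisition_hash: str, working_copy: bytes) -> bool:
    """True only if the working copy still matches the hash taken at acquisition.
    Any tampering, truncation or accidental write makes this False."""
    return hashlib.sha256(working_copy).hexdigest() == acquisition_hash

def keyword_offsets(image: bytes, keyword: bytes) -> list[int]:
    """Byte offsets of every occurrence of keyword in the raw image. Because the
    search runs over the raw bytes, it also finds fragments in unallocated space
    that the file system no longer references (the 'deleted' file case)."""
    hits, start = [], 0
    while (idx := image.find(keyword, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits

def findings_record(acquisition_hash: str, working_copy: bytes, keyword: bytes) -> dict:
    """The documentation step: refuse to analyse a copy that no longer verifies,
    and tie every hit to the hash and the method so the result can be explained."""
    if not verify_copy(acquisition_hash, working_copy):
        raise ValueError("working copy does not match acquisition hash; do not analyse")
    return {
        "image_sha256": acquisition_hash,
        "method": "raw byte search over full image including unallocated space",
        "keyword": keyword.decode(),
        "offsets": keyword_offsets(working_copy, keyword),
    }

# Constructed sample "image": an allocated file, a run of unused bytes, then a
# fragment of a deleted file that still sits in unallocated space.
SAMPLE_IMAGE = (
    b"ALLOCATED: quarterly report\x00"
    + b"\x00" * 16
    + b"DELETED: draft merger memo\x00"
    + b"\x00" * 8
)

if __name__ == "__main__":
    sealed = image_hash(SAMPLE_IMAGE)          # recorded when the original is sealed
    print(findings_record(sealed, SAMPLE_IMAGE, b"merger"))
```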