Understand the science of computer forensics
See how forensics can uncover evidence of crimes
Learn to use forensics to your advantage
The call came in early on a winter morning last year. An urgent voice spoke about corporate espionage and theft of trade secrets. After a few deep breaths, the caller identified himself as counsel representing an international bank and said he was highly distressed about a developing situation with one of the bank’s former employees. He outlined allegations that before joining another company, the employee took internal client information valued in the million-dollar range. The official said he was turning to investigators from New Technologies Inc. (NTI) for help.
Paul French, manager of NTI’s Computer Forensics Laboratory, opened an investigation right away. With cooperation from the bank and the suspect’s new employer, French got the employee’s old and new computers and made copies of the hard drives on each one. Working off these copies so as not to damage the originals, French then used proprietary tools to search for hidden information about certain files. In a matter of hours, NTI investigators confirmed that the employee had taken key documents from the bank, downloaded them on to a floppy disk, and saved them on his computer at his new job.
“All in a day’s work,” French deadpans, in the best Sgt. Friday impression he can muster. “This [employee] thought that by tossing files in the trash, he could erase all the evidence of his crime. Suffice it to say, he thought wrong.”
Bad guys always overlook something, and this ill-fated criminal underestimated the effectiveness of computer forensics. Like more traditional police forensics, this science has one overarching goal: to find evidence of crime and preserve it for eventual use in a court of law. Once regarded by technophiles as an obscure component of network security, the discipline has blossomed into a science all its own, garnering widespread attention from analysts and CIOs and sparking an industry of companies such as NTI. This boom makes perfect sense?as enterprises become more complex and move more information online, they leave themselves increasingly vulnerable to high-tech crimes of every ilk. Securing evidence necessary to convict an attacker becomes a matter of paramount importance.
Still, because the industry is fairly new and response efforts can cost millions, it is primarily CIOs at large, well-endowed companies who have had the opportunity to tackle the science in-house. Those looking for cheaper solutions have outsourced computer forensics on a case-by-case basis, calling a third party for help after an attack. Both strategies work, so long as evidence of a crime is obtained through the proper methodology. And computer forensics is perhaps the best way to track down who did what, and how he pulled it off, according to Thomas Talleur, managing director of the forensic technology services group at KPMG. “Corporate criminals don’t always tell the truth,” he says. “Their computers, however, usually do.”
While the industry has taken off only in the last few years, the science began back when computers were used mostly for word processing and spreadsheets. In those days, if corporate officials suspected employees of foul play, they’d dispatch secretaries to snoop around hard disks after hours. When these secretarial spies uncovered something fishy, officials instructed them to use the digital document as a guide while they rifled through file cabinets, desk drawers and the trash. The thinking here was practical?because few businesspeople eschewed the printed page until the rise of the Internet, it was a safe bet that any document stored electronically had a matching hard copy somewhere nearby.
Gradually, as computers entered the mainstream and computer crimes became more complex, forensic methods changed. Today, with recent statistics from the Meta Group indicating that the vast majority of all documents are stored digitally, the science hinges almost entirely on computers themselves. Computer forensic specialists call on a mix of investigative wit and high-tech know-how to reconstruct the particulars of a hack, theft of trade secrets or pornography scandal conducted on company machines. To extract a deleted memo, for instance, they can scan thousands of hidden backup folders for certain key words. To establish someone’s whereabouts on a particular day, they might peek at a series of pages in the Web cache or in an area called file slack?the microscopic space between individual files?for time-stamped text documents.
“Forensic investigators of the modern age can resurrect e-mail messages from a computer that hasn’t worked in years, or establish a time line of crime from the hard drives on 15 separate laptops,” says Talleur. “We sure have come a long way from sending the secretary to rifle through the trash.”
Despite this evolution, a key aspect of the science, called chain of custody, hasn’t changed at all. Chain of custody is the record of who had possession of the evidence and what they did with it. The chain, which can be established with documents or testimony, enables lawyers to show the court that computer records submitted as evidence are in the same condition they were in at the pertinent time, and that they have not been tampered with or altered so as to become inaccurate records of the event, according to Linda Stevens, general partner in the litigation and intellectual property groups at law firm Schiff, Hardin & Waite in Chicago. While this provision is intended to protect the defendant from evidence tampering, the requirements can hurt the plaintiff if the evidence is mishandled. A perfect example: Last spring, after a hacker broke through the firewall at Wallingford, Conn.-based CD Universe and stole 300,000 credit card numbers, authorities declined to prosecute a teenage suspect because they claimed specialists responding to the situation had tainted the evidence. Details are still sketchy, but experts familiar with the case allege that employees from one or more of the computer security companies that handled the break-in inadvertently altered access times on log files from the day of the attack. Joan Feldman, founder and president of Seattle-based Computer Forensics, followed the case closely; she says this kind of mistake would have made it impossible to authenticate any evidence whatsoever.
“On a PC running Windows or NT, when you go into Explorer and click on a file, you automatically change the last access date, right?” Feldman says. “If you do that to the only copy of a file that’s critical to a case of computer crime, you’ve just ruined your evidence.”
Process Makes Perfect
What happens when a company suspects a security breach and turns to forensics for help? First, as with any other crime scene, it’s crucial that no one disturb the evidence. Even without a body or bullet casings, a computer can contain just as much evidence as the site of a homicide, says Julie Lucas, director of information security at Houston-based network consultancy GlobalNetwork Technology Services (GNTS).
To ensure that evidence is processed safely and to eliminate discrepancies in the industry, investigators follow a standard four-step regimen. First, they isolate the system, making sure no perpetrators, outside or in, can further damage or alter the crime scene. Next, they secure and copy the evidence for analysis. One way to do this is to mount an external tape-drive and take an exact binary image of the computer’s hard disk. This digital duplicate becomes the version investigators use to explore the evidence without ruining it, and its importance is yet another reason why IT staffers should avoid tinkering when something dire occurs.
Many investigators take the original hard drive and lock it in an onsite storage facility such as a closet or safe. With this evidence secure, investigators finally can do what they do best?investigate. Using a bevy of forensic tools made by niche companies, investigators search hidden folders and unallocated disk space for copies of files a user thinks he’s deleted. The tools allow searches by keyword, file type or access date.
These procedures usually take a few days to complete; evaluating the data they produce takes much longer. Once experts have conducted an investigation, it can take weeks for them to make sense of everything they’ve found. Verification is the final step in the forensic process and usually ends with the preparation of a findings report that can be used in a court of law. Documentation is key here. Sean McCreight, CEO and chairman of Pasadena, Calif.-based Guidance Software, says investigators must be able to explain the methods they employ to uncover every byte of data. Because evaluation strategies differ, McCreight notes that this is the part of the forensic process that sets one investigator apart from another. Do it right, he says, and you’re golden; do it poorly, and you could find yourself on the wrong side of a devastating legal loss.
“Data without the proper validation and documentation is just pure data,” he says. “It’s one thing to have volumes of information in front of you. It’s another thing to be able to dig in there, give everything some context and put it together in a way that everyone in a courtroom can understand.”
Companies that develop forensic capabilities in-house use money from the general IT security budget to develop divisions devoted to chasing down evidence after crimes. At Boeing, Motorola and others, for example, CIOs have hired squadrons of network security specialists to double as forensic investigators. Because these companies have so many security concerns, it’s actually cheaper for them to build forensics teams from scratch than to farm out services on a per-case basis.
Microsoft, for instance, has hired Howard Schmidt, former director of computer crime and information warfare at the Air Force Office of Special Investigations, as chief security officer and has groomed a team of 10 investigators to gather digital evidence. Late last year, EDS Corp. launched a Global Information Assurance program structured around a spanking new CyberForensics Lab at the company’s Herndon, Va., office.
Companies can also use forensic techniques to engineer some preemptive security checks. At EDS, for instance, forensic specialists occasionally monitor employee hard drives to make sure nobody’s stealing company secrets.
At Microsoft, Schmidt says his job hinges on much of the same. “With all of the top-secret stuff we have going on here, we need to make sure that none of our employees are taking classified information and sending it elsewhere,” he says. “When we’re not tracking down evidence of wrongdoing, we’re proactively searching for it, scanning hard disks in the name of corporate security.”
These projects can get expensive. While they declined to reveal actual figures, Schmidt says Microsoft spends “millions and millions” on forensics every year, and Daryl Eckard, director of operations for EDS’s Global Information Services Group division, says his company threw a “significant” amount behind the new lab. But financing is only the beginning, and even with the necessary funds, establishing an in-house computer forensics program on the corporate level can be tough. First is the issue of education. Investigators who have not received formal law enforcement training must endure rigorous knowledge transfer classes to learn the craft. Second is the issue of policy. McCreight and Schmidt suggest that before IT leaders even think about forensics, they should sit down with representatives from the legal and human resources departments to discuss procedural requirements and other expectations.
Chris King, program director of the global networking strategies team at the Meta Group, warns, too, that CIOs should be aware of how network security decisions might affect an employee’s perception of privacy. Because plans such as Microsoft’s hinge on regularly imaging a company’s hard drives, employees often speak out against them, publicly invoking passages from the 1986 Electronic Communications Privacy Act and privately comparing employers to Big Brother. While concerns like these are legitimate, KPMG’s Talleur suggests that employees should be told that forensics is a matter of self-defense, and if they don’t like it, they can work somewhere else.
“Being able to retrieve digital evidence is more about catching employees stealing company secrets than it is about nabbing them abusing the Internet,” he says. “If an employee is spending the day looking at [pornography], you can bet we’ll take note. In the scheme of things, though, that stuff is harmless compared with the crimes we’re really out to find.”
A Little Help from Their Friends
Because not all companies have the resources to handle forensics endeavors on their own, their CIOs have turned to vendors and consultants who specialize in forensics solutions of every kind. Experts say this setup benefits everyone involved?vendors earn more charging for services by the hour than by selling a product, and clients achieve peace of mind knowing that their evidence is being processed by true pros. Some forensics, says King, is better than nothing at all.
Perhaps the best known of these forensics companies is NTI, where French and his colleagues foiled the former bank employee earlier this year. From its modest headquarters in Gresham, Ore., a staff of 20, including 10 computer forensics specialists, supports 25 proprietary products. On a recent winter morning, investigators (they call themselves “geeks”) huddled around one of their own as he evaluated evidence for a $6 billion class-action lawsuit involving more than 20 laptops at a Fortune 100 company. Using a product called FileList, they strung together access dates in hidden files on each machine. “Of course we think our products are the best, but we don’t care if we use our products or the next guy’s,” says Mike Anderson, the company’s founder and CEO. “We’ll do whatever we can to establish evidence that our clients can use in a court of law.”
Others subscribe to the same philosophy. In Alexandria, Va., Riptech supplements an outsourced 24/7 information security monitoring and management offering with a computer emergency response team that performs general analyses and remediation efforts onsite. Provo, Utah-based AccessData recently released a Forensic Tool Kit to complement a previously limited consulting business that specializes in troubleshooting encryption crises of any kind. Then there’s WetStone Technologies, a company that offers products and services for helping companies address steganography, the process by which nefarious employees encrypt and embed data within ordinary e-mail attachments (see “Say What?” Page 118).
Not every company offers both proprietary products and advice on how to use them. Guidance Software sticks to software, devoting most of its efforts to developing its flagship product, EnCase, which it markets as a full-service forensic tool. GNTS does the reverse, eschewing sales for what the company considers to be a more practical focus on incident response and information assurance assessment. This second model appears to be popular; of the two dozen or so companies in the forensics space, more than half take a similar approach. At CFI, for instance, investigators help corporate attorneys understand the nuances of the evidence they find. And at Foundstone, based in Irvine, Calif., specialists tackle fraud and other computer crimes unique to the financial services industry.
“People can buy products anywhere, even online,” says Kevin Mandia, Foundstone’s director of computer forensics. “Talented, reliable and experienced people who understand a niche?now that’s hard to find.”
Mandia is right, but changes in the forensics landscape may soon make it easier for CIOs to spend a couple bucks and secure evidence on their own. A number of software companies such as AccessData and WetStone are developing applications that automate forensic responses, ostensibly eliminating the need for investigators. These programs promise to manage everything from copying hard disks to evaluating evidence. What’s more, because most of them are slated to cost less than $1,000 per license, industry watchers such as Meta Group’s King say that just about anyone with security concerns can purchase them and implement them painlessly.
While these new products could represent the democratization of computer forensics, vendors and forensics consulting companies see automation as a direct threat to their businesses. “Why would you pay to have a person secure evidence when you can have a program do it in a fraction of the time?” asks Larry Kanter, partner in charge of the computer forensics practice of PricewaterhouseCoopers. “With changes in the industry, with software that handles many of these forensic applications, I’d guess that a number of CIOs at smaller companies will handle this themselves.”
NTI’s Anderson disagrees, saying that so long as human beings sit on juries, there will be a need for some degree of subjective interpretation from real live people.
Whatever happens, many forensic experts are getting ready to fight other fights. The first is political, and dozens of investigators are lining up to help U.S. government officials review the recent recommendations of the Committee of Experts on Crime in Cyber-Space, an international coalition, for a treaty espousing increased computer surveillance for law enforcement officials around the world. The second skirmish is perhaps more immediate: With a new wave of tools and techniques for computer criminals to crack into corporate networks, government experts expect 2001 to bring more computer crime than ever before and are working furiously to develop ways to stop it.
For some CIOs, this will require increased commitments to raising awareness of the need for computer forensics, both inside their organizations and out. For others, it has inspired a return to basic forensic practices and a desire to enroll in classes to brush up on their forensic skills. Schmidt, Microsoft’s CSO, says these trends are only the beginning of major changes in the industry. And as more computer crime cases make their way to the courts, lawyers continue to establish precedents on which to build future arguments, preserving the future for a science that can only grow in scope.
“Sure there are threats, but on the whole, I’d say that as this industry hunkers down for the next big wave of crime, it’s also ready for more technologists to embrace forensics on the whole” says Schmidt. “The more people in IT understand about forensics, the more CIOs will jump aboard and start employing it. Will crime increase? Perhaps. But if you’re a bad guy, look out, because the chances of getting caught are about to increase tenfold.”