IT Autopsy

No longer an obscure component of network security, computer forensics has blossomed into a science all its ownReader ROI Understand the science of computer forensics See how forensics can uncover evidence of crimes Learn to use forensics to your advantage The call came in early on a northern winter morning last year. An urgent voice spoke about corporate espionage and theft of trade secrets. After a few deep breaths, the caller identified himself as counsel representing an international bank and said he was highly distressed about a developing situation with one of the bank's former employees. He outlined allegations that before joining another company, the employee took internal client information valued in the million-dollar range. The official said he was turning to investigators from New Technologies Incorporated (NTI) for help.

Paul French, manager of NTI's Computer Forensics Laboratory, opened an investigation right away. With cooperation from the bank and the suspect's new employer, French got the employee's old and new computers and made copies of the hard drives on each one. Working off these copies so as not to damage the originals, French then used proprietary tools to search for hidden information about certain files. In a matter of hours, NTI investigators confirmed that the employee had taken key documents from the bank, downloaded them onto a floppy disk, and saved them on his computer at his new job.

"All in a day's work," French deadpans, in the best Sgt. Friday [employee] thought that by tossing files in the trash, he could erase all the evidence of his crime. Suffice it to say, he thought wrong."

Bad guys always overlook some-thing, and this ill-fated criminal underestimated the effectiveness of computer forensics. Like more traditional police forensics, this science has one overarching goal: to find evidence of crime and preserve it for eventual use in a court of law. Once regarded by technophiles as an obscure component of network security, the discipline has blossomed into a science all its own, garnering widespread attention from analysts and CIOs and sparking an industry of companies such as NTI. This boom makes perfect sense - as enterprises become more complex and move more information online, they leave themselves increasingly vulnerable to high-tech crimes of every ilk. Securing evidence necessary to convict an attacker becomes a matter of paramount importance.

Still, because the industry is fairly new and response efforts can cost millions, it is primarily CIOs at large, well-endowed companies who have had the opportunity to tackle the science in-house. Those looking for cheaper solutions have outsourced computer forensics on a case-by-case basis, calling a third party for help after an attack. Both strategies work, so long as evidence of a crime is obtained through the proper methodology. And computer forensics is perhaps the best way to track down who did what, and how he pulled it off, according to Thomas Talleur, managing director of the forensic technology services group at KPMG (US). "Corporate criminals don't always tell the truth," he says. "Their computers, however, usually do."

Forensics 101

While the industry has taken off only in the last few years, the science began back when computers were used mostly for word processing and spreadsheets. In those days, if corporate officials suspected employees of foul play, they'd dispatch secretaries to snoop around hard disks after hours. When these secretarial spies uncovered something fishy, officials instructed them to use the digital document as a guide while they rifled through file cabinets, desk drawers and the trash. The thinking here was practical - because few businesspeople eschewed the printed page until the rise of the Internet, it was a safe bet that any document stored electronically had a matching hard copy somewhere nearby.

Gradually, as computers entered the mainstream and computer crimes became more complex, forensic methods changed. Today, with recent statistics from the Meta Group indicating that the vast majority of all documents are stored digitally, the science hinges almost entirely on computers themselves. Computer forensic specialists call on a mix of investigative wit and high-tech know-how to reconstruct the particulars of a hack, theft of trade secrets or pornography scandal conducted on company machines. To extract a deleted memo, for instance, they can scan thousands of hidden backup folders for certain key words. To establish someone's whereabouts on a particular day, they might peek at a series of pages in the Web cache or in an area called file slack - the microscopic space between individual files - for time-stamped text documents.

"Forensic investigators of the modern age can resurrect e-mail messages from a computer that hasn't worked in years, or establish a time line of crime from the hard drives on 15 separate laptops," says Talleur. "We sure have come a long way from sending the secretary to rifle through the trash."

Despite this evolution, a key aspect of the science, called chain of custody, hasn't changed at all. Chain of custody is the record of who had possession of the evidence and what they did with it. The chain, which can be established with documents or testimony, enables lawyers to show the court that comp-uter records submitted as evidence are in the same condition they were in at the pertinent time, and that they have not been tampered with or altered so as to become inaccurate records of the event, according to Linda Stevens, general partner in the litigation and intellectual property groups at law firm Schiff, Hardin Waite in Chicago. While this provision is intended to protect the defendant from evidence tampering, the requirements can hurt the plaintiff if the evidence is mishandled. A perfect example: last spring, after a hacker broke through the firewall at Connecticut-based CD Universe and stole 300,000 credit card numbers, authorities declined to prosecute a teenage suspect because they claimed specialists responding to the situation had tainted the evidence. Details are still sketchy, but experts familiar with the case allege that employees from one or more of the computer security companies that handled the break-in inadvertently altered access times on log files from the day of the attack. Joan Feldman, founder and president of Seattle-based Computer Forensics, followed the case closely; she says this kind of mistake would have made it impossible to authenticate any evidence whatsoever.

"On a PC running Windows or NT, when you go into Explorer and click on a file, you automatically change the last access date, right?" Feldman says. "If you do that to the only copy of a file that's critical to a case of computer crime, you've just ruined your evidence."

Process Makes Perfect

What happens when a company suspects a security breach and turns to forensics for help? First, as with any other crime scene, it's crucial that no one disturb the evidence. Even without a body or bullet casings, a computer can contain just as much evidence as the site of a homicide, says Julie Lucas, director of information security at Houston-based network consultancy GlobalNetwork Technology Services (GNTS).

To ensure that evidence is processed safely and to eliminate discrepancies in the industry, investigators follow a standard four-step regimen. First, they isolate the system, making sure no perpetrators, outside or in, can further damage or alter the crime scene. Next, they secure and copy the evidence for analysis. One way to do this is to mount an external tape-drive and take an exact binary image of the computer's hard disk. This digital duplicate becomes the version investigators use to explore the evidence without ruining it, and its importance is yet another reason why IT staffers should avoid tinkering when something dire occurs.

Many investigators take the original hard drive and lock it in an onsite storage facility such as a closet or safe. With this evidence secure, investigators finally can do what they do best - investigate. Using a bevy of forensic tools made by niche companies, investigators search hidden folders and unallocated disk space for copies of files a user thinks he's deleted. The tools allow searches by keyword, file type or access date.

These procedures usually take a few days to complete; evaluating the data they produce takes much longer. Once experts have conducted an investigation, it can take weeks for them to make sense of everything they've found. Verification is the final step in the forensic process and usually ends with the preparation of a findings report that can be used in a court of law. Documentation is key here. Sean McCreight, CEO and chairman of California-based Guidance Software, says investigators must be able to explain the methods they employ to uncover every byte of data. Because evaluation strategies differ, McCreight notes that this is the part of the forensic process that sets one investigator apart from another. Do it right, he says, and you're golden; do it poorly, and you could find yourself on the wrong side of a devastating legal loss.

"Data without the proper validation and documentation is just pure data," he says. "It's one thing to have volumes of information in front of you. It's another thing to be able to dig in there, give everything some context and put it together in a way that everyone in a courtroom can understand."


Companies that develop forensic capabilities in-house use money from the general IT security budget to develop divisions devoted to chasing down evidence after crimes. At Boeing, Motorola and others, for example, CIOs have hired squadrons of network security specialists to double as forensic investigators. Because these companies have so many security concerns, it's actually cheaper for them to build forensics teams from scratch than to farm out services on a per-case basis.

Microsoft, for instance, has hired Howard Schmidt, former director of computer crime and information warfare at the Air Force Office of Special Investigations, as chief security officer and has groomed a team of 10 investigators to gather digital evidence. Late last year, EDS launched a Global Information Assurance program structured around a spanking new CyberForensics Lab at the company's Virginia office.

Companies can also use forensic techniques to engineer some pre-emptive security checks. At EDS, for instance, forensic specialists occasionally monitor employee hard drives to make sure nobody's stealing company secrets.

At Microsoft, Schmidt says his job hinges on much of the same. "With all of the top-secret stuff we have going on here, we need to make sure that none of our employees are taking classified information and sending it elsewhere," he says. "When we're not tracking down evidence of wrongdoing, we're proactively searching for it, scanning hard disks in the name of corporate security."

These projects can get expensive. While they declined to reveal actual figures, Schmidt says Microsoft spends "millions and millions" on forensics every year, and Daryl Eckard, director of operations for EDS's Global Information Services Group division, says his company threw a "significant" amount behind the new lab. But financing is only the beginning, and even with the necessary funds, establishing an in-house computer forensics program on the corporate level can be tough. First is the issue of education. Investigators who have not received formal law enforcement training must endure rigorous knowledge transfer classes to learn the craft. Second is the issue of policy. McCreight and Schmidt suggest that before IT leaders even think about forensics, they should sit down with representatives from the legal and human resources departments to discuss procedural requirements and other expectations.

Chris King, program director of the global networking strategies team at the Meta Group (US), warns, too, that CIOs should be aware of how network security decisions might affect an employee's perception of privacy. Because plans such as Microsoft's hinge on regularly imaging a company's hard drives, employees often speak out against them, publicly invoking passages from the 1986 Electronic Communications Privacy Act (US) and privately comparing employers to Big Brother. While concerns like these are legitimate, KPMG's Talleur suggests that employees should be told that forensics is a matter of self-defence, and if they don't like it, they can work somewhere else.

"Being able to retrieve digital evidence is more about catching em-ployees stealing company secrets than it is about nabbing them abusing the Internet," he says. "If an employee is spending the day looking at [pornography], you can bet we'll take note. In the scheme of things, though, that stuff is harmless compared with the crimes we're really out to find."

A Little Help from Their Friends

Because not all companies have the resources to handle forensics endeavours on their own, their CIOs have turned to vendors and consultants who specialise in forensics solutions of every kind. Experts say this set-up benefits everyone involved - vendors earn more charging for services by the hour than by selling a product, and clients achieve peace of mind knowing that their evidence is being processed by true pros. Some forensics, says King, is better than nothing at all.

1 2 Page 1
Page 1 of 2
7 secrets of successful remote IT teams