Introduction
Computers have permeated our everyday lives. They are used at work to create documents and correspond with coworkers, and at home to surf the Internet and keep track of finances. Due to the diversity of operations computers perform, they have become vast repositories of information about our personal and professional lives. Therefore, it is not surprising that obtaining computer records and stored data is becoming “standard procedure” for many criminal investigations.
Cybercrimes
Cybercrimes, such as online fraud and online child pornography, are obvious candidates for obtaining and analyzing computer data. But the benefit of performing these procedures in less “high tech” areas may not be as apparent. Many cases can profit from the information obtained through the forensic analysis of computers and electronic storage. Areas as diverse as fraud, discrimination, intellectual property theft, environmental law and murder may benefit from the results of a computer forensic search.
We do not have to think any further than current events to see how computer forensics is being used in today’s online world. During the recent investigation of a large auditing firm, the media reported that investigators had retrieved internal corporate e-mails. The e-mails recovered suggested that high-level officials may have been aware of, or even encouraged, the possibly criminal actions of their subordinates. Identifying these “cyberclues” may seem like work that can only be done by the FBI or CIA, but there are “civilian” computer forensics specialists who can perform the same tasks.
Obtaining cyberclues may make the needed difference in producing a successful outcome in a case. In the example above, the government was able to find evidence that may suggest people in the organization were aware of the potentially criminal actions of their subordinates. Although this may not be the “smoking gun” for which the government was looking, it certainly helps ensure their case.
It may be thought that the only reason these e-mails could be found was because some workers neglected to delete the potentially incriminating documents. But many people are surprised to discover that forensic technicians often can recover files and e-mails long after they have been deleted. This is an important point. Just as the FBI may be able to reconstruct shredded documents, computer forensics technicians can often recover “permanently” deleted items. Since people are most likely to delete what they want to hide, recovering these items may reveal a bounty of evidence needed to win a case.
A Practical Example
Take this fictional lawsuit as an example:

A small company approaches a law firm. They explain that they had an employee who was responsible for security at their main office. Recently the office experienced two inexplicable burglaries during which some office equipment and computers were stolen. Thinking it was an “inside job,” the small company decided to lay off the employee in question. The company further explains that they instructed their information technology (I.T.) department to search the employee’s computer, but unfortunately he had deleted any pertinent information before leaving.

A short time later, they received notification from the employee’s attorney that he is suing for unlawful termination. He suggests he was terminated for reasons other than the theft and the company is using the incident as an excuse to get rid of him.
The law firm takes the case and retrieves the employee’s computer for forensic analysis. Before the analysis, the forensics specialist inspects the computer and creates a log of the major components and their serial numbers or other identifying marks. The consultant then signs for the computer and keeps track of everybody that had possession of it.
Using special electronic tools, the technician creates an identical “forensic” duplicate of the computer’s hard drive (the main storage location for data) without ever turning on the computer. This ensures that the original hard drive is not modified during analysis. The technician also performs special tasks to guarantee the copy is identical to the original. All analysis of the data is then done on this copy using “forensic workstations.”
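The two steps described above, the sector-by-sector duplicate and the “special tasks” that prove it matches the original, are usually a streaming copy plus a cryptographic hash of source and copy, recorded alongside the custody log. The following is an added example written for this article, not code from the original or from any forensic tool; the “drive” is a constructed byte string standing in for a device opened read-only behind a write blocker, and the item label and serial number are placeholders.

```python
import hashlib
import io
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed stand-in for the suspect drive. In a real acquisition this would
# be the raw block device opened read-only through a hardware write blocker,
# never a booted and mounted filesystem.
ORIGINAL_DRIVE = (
    b"BOOTSECTOR" + b"\x00" * 502
    + b"From: employee@example.invalid\r\nSubject: after hours\r\n\r\n"
    + b"Meet at the loading dock.\r\n"
    + b"\x00" * 300
)

SECTOR = 512  # read in sector-sized chunks so memory use stays flat on real drives


def sha256_of(stream):
    """Hash a byte stream chunk by chunk; works for images of any size."""
    h = hashlib.sha256()
    for chunk in iter(lambda: stream.read(SECTOR), b""):
        h.update(chunk)
    return h.hexdigest()


def image_drive(source, dest):
    """Copy every sector from source into dest, hashing the bytes as they are
    read. The returned digest is what the source looked like at acquisition
    time; it is later compared with an independent hash of the copy."""
    h = hashlib.sha256()
    for chunk in iter(lambda: source.read(SECTOR), b""):
        h.update(chunk)
        dest.write(chunk)
    return h.hexdigest()


@dataclass
class CustodyLog:
    """Minimal chain-of-custody record: who did what to the item, and when."""
    item: str
    entries: list = field(default_factory=list)

    def record(self, action, who, detail=""):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "who": who,
            "detail": detail,
        })


def acquire(original_bytes, examiner):
    """Image the drive, verify the copy, and return (image, verified, log)."""
    log = CustodyLog(item="Workstation HDD, serial PLACEHOLDER-0001")  # placeholder label
    log.record("received", examiner, "components inspected, serial numbers noted")

    src = io.BytesIO(original_bytes)
    dst = io.BytesIO()
    read_hash = image_drive(src, dst)
    log.record("imaged", examiner, f"sha256 of source stream {read_hash}")

    # Re-hash both the original and the copy independently of the copy loop.
    original_hash = sha256_of(io.BytesIO(original_bytes))
    dst.seek(0)
    copy_hash = sha256_of(dst)
    verified = original_hash == copy_hash == read_hash
    log.record("verified", examiner, f"sha256 of copy {copy_hash}, match={verified}")
    return dst.getvalue(), verified, log


if __name__ == "__main__":
    image, ok, log = acquire(ORIGINAL_DRIVE, "examiner A")
    print("verified:", ok)
    for entry in log.entries:
        print(entry["time"], entry["action"], entry["who"], entry["detail"])
```

All later analysis runs against the returned image; the three matching digests and the custody entries are what the technician produces when the opposing side asks how the copy is known to be identical.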
The work pays off: The technician recovers e-mails from the employee to a third party instructing him how to enter the building undetected. The technician also discovers that after the first theft, the employee had logged on to an Internet auction site and had attempted to sell some of the stolen goods.

After learning of the findings, the former employee drops his case against the company. Furthermore, the company brings a case of its own against the employee because the evidence found on the computer is enough to expose the former employee’s role in the theft. The company may have still won the case brought against it without this information, but with it, not only is there no doubt, there is no case.
Forensic Fundamentals
This short example demonstrates several of the fundamentals of computer forensics. Although not everything found through forensic analysis may be admissible in court, anything that is must pass the rigors of examination. Opposing attorneys, possibly with their own computer specialists, may attempt to attack the analysis process. A knowledgeable technician will anticipate these attacks and take steps to minimize or eliminate any potential doubt.

By working only on a duplicate, the technician ensures that the original data is never modified. He also ensures that this copy is identical to the original data. The technician inspects and signs for the computer once in his possession. By keeping a “chain of custody” of the evidence, it is more difficult for an opposing attorney to argue that the evidence may have been tampered with or modified by a biased party.
Meaningful Analysis
Of course, computer forensics is not just securing and copying computers. It is the analysis that makes it so useful. The example demonstrates some common findings. When a technician finds a deleted e-mail that seems interesting and appropriate, it is recovered by exploiting some of the “nuances” of most personal computers.
Think of the computer as a book with text and a table of contents. When a file is saved, the computer writes the file (this is a book’s “text”) to the hard drive. It also writes an entry showing where that file is stored in the computer (a “table of contents” with “page numbers”). Because computers are optimized for speed and not security, when a file is deleted, in most cases, the computer only deletes the entry for the file in the “table of contents.” The actual data, or “text,” is not deleted. This means, unless it has been overwritten by another file, a technician can find this “text” and recover the “deleted” item. In some cases, items can be recovered years after they have been deleted. For the most part, the larger the hard drive, the more likely it is to recover deleted items.
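The book-and-table-of-contents model above can be made concrete with a toy volume. The following is an added example written for this article, not code from the original: it keeps a directory (the “table of contents”) separate from a flat data area (the “text”), deletes a file by removing only its directory entry, and then “carves” the data area for message header and footer signatures, ignoring the directory entirely. The block size, the `From:` header and the `\r\n.\r\n` footer are constructed conventions for the toy, and the sample messages are constructed.

```python
import re

BLOCK = 64  # constructed block size for the toy volume


def blocks_for(n):
    """Number of whole blocks needed to hold n bytes."""
    return -(-n // BLOCK)


class ToyVolume:
    """Constructed model of a disk: a directory table plus a flat data area."""

    def __init__(self, nblocks=16):
        self.nblocks = nblocks
        self.data = bytearray(nblocks * BLOCK)   # the book's "text"
        self.directory = {}                       # "table of contents": name -> (start block, length)

    def _allocated(self):
        used = set()
        for start, length in self.directory.values():
            used.update(range(start, start + blocks_for(length)))
        return used

    def write(self, name, payload):
        """First-fit allocation of a contiguous run of unallocated blocks.
        Blocks freed by an earlier delete are reused, overwriting old text."""
        need = blocks_for(len(payload))
        used = self._allocated()
        for start in range(self.nblocks - need + 1):
            if all(b not in used for b in range(start, start + need)):
                off = start * BLOCK
                self.data[off:off + len(payload)] = payload
                self.directory[name] = (start, len(payload))
                return
        raise OSError("volume full")

    def read(self, name):
        start, length = self.directory[name]
        off = start * BLOCK
        return bytes(self.data[off:off + length])

    def delete(self, name):
        # Only the table-of-contents entry goes; the bytes stay on disk.
        del self.directory[name]

    def listing(self):
        return sorted(self.directory)


HEADER = b"From: "
FOOTER = b"\r\n.\r\n"


def carve_emails(raw):
    """Scan the raw data area for header/footer pairs, regardless of whether
    any directory entry still points at them."""
    pattern = re.compile(re.escape(HEADER) + rb".*?" + re.escape(FOOTER), re.DOTALL)
    return [m.group(0) for m in pattern.finditer(bytes(raw))]


# Constructed sample messages.
MSG_A = (b"From: employee@example.invalid\r\nTo: outsider@example.invalid\r\n\r\n"
         b"Side door alarm is off after 9pm.\r\n.\r\n")
MSG_B = (b"From: hr@example.invalid\r\nTo: employee@example.invalid\r\n\r\n"
         b"Your parking pass is ready.\r\n.\r\n")


def demo():
    """Returns (final directory listing, carve before reuse, carve after reuse)."""
    vol = ToyVolume()
    vol.write("a.eml", MSG_A)
    vol.write("b.eml", MSG_B)
    vol.delete("a.eml")                 # "deleted", but its blocks are untouched
    before = carve_emails(vol.data)      # both messages are still recoverable
    vol.write("big.bin", b"X" * (2 * BLOCK))   # first-fit reuses a.eml's blocks
    after = carve_emails(vol.data)       # a.eml is now genuinely gone
    return vol.listing(), before, after


if __name__ == "__main__":
    listing, before, after = demo()
    print("directory:", listing)
    print("carved before reuse:", len(before), "messages")
    print("carved after reuse:", len(after), "messages")
```

The second write shows why a larger, emptier drive favours recovery: with more unallocated blocks available, first-fit allocation is less likely to land on the blocks a deleted file occupied.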
What is more, the technician in the example also determined that the employee in question had logged on to a particular Internet site, attempting to sell the stolen goods. Most Internet browsers — including Microsoft Internet Explorer and Netscape — keep a history of the Internet pages visited. They also save many pages and images to special system files, sometimes called the “cache,” which are created automatically by the program. These files offer another trail that the technician may follow to recreate the user’s Internet browsing activity.
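Reconstructing browsing activity from a history store is a matter of joining the visited-page records to their visit timestamps and sorting into a timeline. The following is an added example written for this article, not code from the original; it goes beyond the browsers the article names and assumes the `moz_places` / `moz_historyvisits` layout of a Firefox `places.sqlite` file (timestamps stored as microseconds since the Unix epoch), built here as an in-memory database with constructed rows rather than read from a real profile.

```python
import sqlite3
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed rows mirroring the subset of Firefox's places.sqlite an examiner
# queries. visit_date is microseconds since the Unix epoch, as Firefox stores it.
PLACES = [
    (1, "https://auction.example.invalid/item/4471", "Laptop, like new - Auction Example"),
    (2, "https://news.example.invalid/", "News Example"),
]
VISITS = [
    (1, 1, 1_015_000_000_000_000),  # visit id, place id, visit_date (µs)
    (2, 2, 1_015_000_300_000_000),
    (3, 1, 1_015_003_600_000_000),
]


def build_history_db():
    """Create the two tables and load the constructed rows (stand-in for
    opening a copied places.sqlite read-only)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE moz_places (id INTEGER PRIMARY KEY, url TEXT, title TEXT);
        CREATE TABLE moz_historyvisits (id INTEGER PRIMARY KEY,
                                        place_id INTEGER, visit_date INTEGER);
    """)
    db.executemany("INSERT INTO moz_places VALUES (?, ?, ?)", PLACES)
    db.executemany("INSERT INTO moz_historyvisits VALUES (?, ?, ?)", VISITS)
    return db


def to_utc(microseconds):
    """Convert a PRTime-style microsecond timestamp to an aware UTC datetime."""
    return datetime.fromtimestamp(microseconds / 1_000_000, tz=timezone.utc)


def timeline(db):
    """Every visit in chronological order as (iso_time, url, title)."""
    rows = db.execute("""
        SELECT v.visit_date, p.url, p.title
        FROM moz_historyvisits v
        JOIN moz_places p ON p.id = v.place_id
        ORDER BY v.visit_date
    """).fetchall()
    return [(to_utc(ts).isoformat(), url, title) for ts, url, title in rows]


def visits_to_host(db, host):
    """Filter the timeline to one site, e.g. the auction site in the example."""
    return [row for row in timeline(db) if urlsplit(row[1]).hostname == host]


if __name__ == "__main__":
    db = build_history_db()
    for when, url, title in timeline(db):
        print(when, url, title)
    print("auction visits:", len(visits_to_host(db, "auction.example.invalid")))
```

Working from a copy of the history file, as with everything else in the case, keeps the original profile untouched; the same join, run against the real tables, gives the examiner the time and page of each visit to the site in question.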
Conclusion
Although this article offers only a glimpse into computer forensics, it is a means to start thinking anew about how to obtain the bounty of information that may exist on computers. With the world turning electronic, successful attorneys must pursue every avenue of discovery, including seeking digital fingerprints.

(This article is reprinted with permission from the September 16, 2002 issue of "The New York Law Journal - Techtrends." ©2002 NLP IP Company. Further duplication without permission is prohibited. All rights reserved.)