Cyberforensics: The Ultimate Investigative Tool

The right way and the wrong way to run a computer investigation

One only has to look at the headlines to understand that examining computers and related devices is one of the best ways to identify people's hidden illicit activities. “Victim's computer leads to woman now charged with kidnapping,” (Kansas City Star, December 18, 2004) refers to the case of Bobbie Jo Stinett, the Missouri woman who was kidnapped and murdered before her unborn child was cut from her womb by a woman she met online. And it was data recovered from a floppy disk that led to the arrest and eventual conviction of the BTK serial killer, Dennis Rader, as outlined in the May 3, 2005 posting to, “Denny the Dog Catcher and the Purple Diskette of Doom.”

Cyberforensics, also known as digital forensics or computer forensics, is the art of recovering digital evidence in a manner that will withstand courtroom scrutiny. The legal aspect of computer forensics means that it is much more than simply a technical process.


No More Private Places

Nearly everything we do and much of what we think is now stored electronically somewhere. This information is created on computers we use in our “private places”—our homes and offices, where we feel our information will never be discovered. But it can be discovered, often even if we try to hide our tracks. (I always find it amusing that people will shut the doors to their offices when they are going to do something inappropriate on a networked corporate computer.)

In addition to the files we create on our own, computers create records of our activities in the background that most users don't know exist. And perhaps most important, deleted files can often be recovered. This makes computers and related digital devices great sources of information during internal investigations and investigations regarding civil litigation.

Computer forensics is a great tool for investigating employee misconduct. It can be used to investigate sexual harassment, age discrimination, theft of trade secrets, and violation of non-compete and non-disclosure agreements. It has also been used effectively in medical malpractice, wrongful death, and product liability cases. But it has only been widely embraced by the legal community in recent years.

Everyone is starting to recognize that investigations are incomplete unless they consider digital evidence. In many cases there is evidence that only exists in digital form. Because of this, many consulting firms have developed computer forensics service offerings, and corporations are looking at developing computer forensics skills internally. Unfortunately, many people who wish to develop these services lack a complete understanding of the true nature of computer forensics and overlook key issues and concepts in their rush to “get to market.”


Think Twice Before Going In-House

The ultimate goal of cyberforensics is to recover evidence so it can be used in a court proceeding. This means that not only are the processes and procedures used to recover the evidence called into question, the computer forensics examiner's credentials and credibility are also scrutinized. This is why it is extremely important for corporations to think twice before using internal IT staff for a computer forensics project.

The majority of IT staff members are trained to configure, maintain and troubleshoot corporate information systems. Their training does not develop the very specialized skills necessary for computer forensics. Although they might be able to figure out how to use a piece of computer forensics software, their lack of specialized training may prevent them from qualifying as experts in the courtroom, which will prevent their findings from being entered into evidence.

IT professionals often simply purchase a piece of software, click a button and assume the tool performs as promised, whereas computer forensics examiners test all of their software prior to using it on an active investigation.

This content continues onto the next page...