One only has to look at the headlines to understand that examining computers and related devices is one of the best ways to identify people's hidden illicit activities. “Victim's computer leads to woman now charged with kidnapping,” (Kansas City Star, December 18, 2004) refers to the case of Bobbie Jo Stinett, the Missouri woman who was kidnapped and murdered before her unborn child was cut from her womb by a woman she met online. And it was data recovered from a floppy disk that led to the arrest and eventual conviction of the BTK serial killer, Dennis Rader, as outlined in the May 3, 2005 posting to Blogcritics.org, “Denny the Dog Catcher and the Purple Diskette of Doom.”
Cyberforensics, also known as digital forensics or computer forensics, is the art of recovering digital evidence in a manner that will withstand courtroom scrutiny. The legal aspect of computer forensics means that it is much more than simply a technical process.
No More Private Places
Nearly everything we do and much of what we think is now stored electronically somewhere. This information is created on computers we use in our “private places”—our homes and offices, where we feel our information will never be discovered. But it can be discovered, often even if we try to hide our tracks. (I always find it amusing that people will shut the doors to their offices when they are going to do something inappropriate on a networked corporate computer.)
In addition to the files we create on our own, computers create records of our activities in the background that most users don't know exist. And perhaps most important, deleted files can often be recovered. This makes computers and related digital devices great sources of information during internal investigations and investigations regarding civil litigation.
Computer forensics is a great tool for investigating employee misconduct. It can be used to investigate sexual harassment, age discrimination, theft of trade secrets, and violation of non-compete and non-disclosure agreements. It has also been used effectively in medical malpractice, wrongful death, and product liability cases. But it has only been widely embraced by the legal community in recent years.
Everyone is starting to recognize that investigations are incomplete unless they consider digital evidence. In many cases there is evidence that only exists in digital form. Because of this, many consulting firms have developed computer forensics service offerings, and corporations are looking at developing computer forensics skills internally. Unfortunately, many people who wish to develop these services lack a complete understanding of the true nature of computer forensics and overlook key issues and concepts in their rush to “get to market.”
Think Twice Before Going In-House
The ultimate goal of cyberforensics is to recover evidence so it can be used in a court proceeding. This means that not only are the processes and procedures used to recover the evidence called into question, the computer forensics examiner's credentials and credibility are also scrutinized. This is why it is extremely important for corporations to think twice before using internal IT staff for a computer forensics project.
The majority of IT staff members are trained to configure, maintain and troubleshoot corporate information systems. Their training does not develop the very specialized skills necessary for computer forensics. Although they might be able to figure out how to use a piece of computer forensics software, their lack of specialized training may prevent them from qualifying as experts in the courtroom, which will prevent their findings from being entered into evidence.
IT professionals often simply purchase a piece of software, click a button and assume the tool performs as promised, whereas computer forensics examiners test all of their software prior to using it on an active investigation.
Last, IT professionals often gravitate to their industry because they get to spend the majority of their time with technology and not with people. Many IT professionals lack good communication skills, and they may not be able to present themselves well in the courtroom, where they will be grilled by lawyers who are often expert wordsmiths. Internal IT staff members' neutrality will also be questioned, since they are paid by the corporation asking them to conduct the forensics examination.
One only has to look at the case of Gates Rubber Co. v. Bando Chemical Industries Ltd. to understand the problems inherent in using IT staff for computer forensics. In this case one side used an internal IT staff member to examine a computer. The employee was not properly trained in computer forensics and actually destroyed seven to eight percent of the information on the computer. This caused the court to issue sanctions in the amount of 10 percent of attorney fees—not a small sum.
Develop the Skills with Training
This is not to say that corporations should not develop their own computer forensics capabilities. Many large corporations have computer forensics examiners or departments, but they work outside of the IT department—a good idea, because IT staff members can be the target of an investigation. A logical place for them is either in the security or legal departments.
Anyone involved in computer forensics should receive the correct training and be given the opportunity to continue learning. There is never a point at which a computer forensics examiner has learned all there is to know about examining computers. Constant training and research and development time are needed to keep a computer forensics examiner's skills sharp. There are numerous training options, but the following series of classes would create a well rounded entry-level computer forensics examiner.
CompTIA A+ Training and Certification. Requiring that an established IT professional pursue A+ training and certification will be a tough sell, since this is a basic IT certification. However, it is a requirement for examiners at the FBI's Regional Computer Forensics Labs, and it ensures that the forensics examiner has a good understanding of hardware. For organizations that have non-technical staff interested in pursuing computer forensics, this is a great foundation class and can be used to determine if the person has the technical aptitude to pursue a career in computer forensics. If they are unable to pass the certification tests after completing the training, then they are probably not suited to the computer forensics profession.
Vendor-Neutral Training. Vendor-neutral training provides information on the concepts behind computer forensics, not just how to use a specific computer forensics tool. The Southeast Cybercrime Institute at Kennesaw State University offers an excellent program that also prepares attendees for the Certified Computer Examiner (CCE) certification. In addition to classroom study, they offer an excellent online program. Visit their Web site for more information: (www.kennesaw.edu/coned/sci). Many colleges and universities are beginning to offer cybercrime and computer forensics-related programs. When selecting a program like this, be sure it is designed and taught by experienced computer forensics experts, and not simply by a professor reading out of a book.
Vendor-Specific Training. Once the basic concepts are understood, it is appropriate to move on to vendor-specific training. These classes explain how to conduct computer forensics examinations using specific tools. Well known tools include EnCase Forensic by Guidance Software
(www.guidancesoftware.com), SMART (for Linux) by ASR Data (www.asrdata.com), and the Forensic Tool Kit by AccessData (www.accessdata.com). These are excellent tools, and their developers offer top-notch training programs.
Network Training. Because it is extremely rare to find a stand-alone computer, it is important to have a basic understanding of networking concepts. Programs like CompTia's Network + or a similar college-level program would be extremely helpful.
After this series of training programs, staff should pursue advanced and specialized training to handle complex investigations and additional devices, such as personal digital assistants and cell phones.
Hire an Expert
If you do not have the staffing or interest to train an internal employee, you can hire an expert to assist with your computer forensics needs. When hiring a third-party expert, be sure to verify their credentials. Many firms and individuals think they can buy a piece of software, take one computer forensics class and suddenly be an expert. To identify these people, ask what software they use for investigations. If they respond with the name of a single software product, move on. Not all software performs perfectly all the time. If a firm relies on one piece of software, what will they do when the software hangs or fails? The expert's reply to this question should be along the lines of, “We use multiple tools and choose the tool best suited to each project.”
Look for involvement in the High Technology Crime Investigation Association (HTCIA). This organization comprises both law enforcement and private-sector computer forensics examiners. The knowledge shared at monthly meetings is invaluable, but more important, HTCIA-sponsored training conferences provide some of the most cost-effective training opportunities available. Their annual conference includes hands-on labs and training programs by industry experts. Locally sponsored regional conferences are also a good value, such as the Southeast Cybercrime Summit sponsored annually in March by the Atlanta Chapter.
Also look for established certifications. One certification is the Certified Forensic Computer Examiner, which is sponsored by the International Association of Computer Investigative Specialists. This certification is only available to law enforcement personnel, but retired personnel can generally recertify. This is an extremely challenging certification to achieve.
Arguably, the most established computer forensics software in use is EnCase by Guidance Software. Experts using this program should hold the EnCase Certified Examiner Certification (EnCE). AccessData recently developed the AccessData Certified Examiner (ACE) certification for the users of its products.
A popular certification maintained by the International Society of Forensic Computer Examiners is the Certified Computer Examiner certification. If a computer forensics examiner has this vendor neutral certification combined with any of the previously mentioned certifications, he or she is well trained and experienced.
When evaluating certifications, you may see people offering the Certified Information Systems Security Professional (CISSP) certification as an indication of their computer forensics capabilities. While the CISSP is an excellent information technology security certification, it is not a computer forensics certification.
Historically, computer forensics has been used reactively, to determine the activities of someone suspected of some form of misconduct. The normal procedure is to seize the computer of the person in question, make an exact copy of their hard drive (maintaining data integrity) and then search the image for relevant materials. This can be cumbersome and can notify the person in question that they are under investigation.
There are now computer forensics tools that allow an examiner to image and examine a live system across a network. These tools, like EnCase Enterprise, provide the opportunity to examine live systems, which means it is possible to capture volatile data such as memory, open ports and running processes. This expands the computer forensics realm into the world of incident response, capturing data from a system after it has been compromised. In addition to EnCase Enterprise, other products for “across the wire” examinations include Online Digital Forensics Suite from ATC-NY (www.atc-nycorp.com /Products.html) and Pro Discover Incident Response by Technology Pathways (www.techpathways.com/ProDiscoverIR.htm).
Most investigations will be incomplete if they don't include the use of computer forensics tools and experts. Don't neglect to follow proper procedures and protocols, and use properly trained examiners to ensure your investigation will uncover every bit of hidden information.
John Mallery is a managing consultant for BKD, LLP, one of the 10 largest accounting firms in the United States . He works in the Forensics and Dispute Consulting unit and specializes in computer forensics. Mr. Mallery is also a co-author of Hardening Network Security, which was recently published by McGraw-Hill. He can be reached at firstname.lastname@example.org.