Computer investigations are a relatively new but fast-growing field. In the past, computer investigations were conducted by the police, but today, the police are overwhelmed by the increase in computer crimes stemming from the widespread use of computers at work and at home. As a result, plaintiffs can turn to private investigators, and in some cases, their reputation for discretion can be an additional reason for engaging their services.
But what are computer investigations, also known as forensics? Essentially, they are the same as a standard legal investigation, but applied to the realm of computers. Any actual or alleged crime involving computer-related evidence falls into this domain. The litigation involved spans a wide array: theft of information, insider crimes, breach of contract, shareholder disputes, etc. Cracker intrusions into an organization’s systems can also lead to an investigation.
While computer experts abound, not all of them can conduct an investigation. After all, a security guard can’t automatically do a police officer’s job, let alone a detective’s job. Similarly, a computer expert is not necessarily a systems analyst, or a forensics specialist.
In reality, there is no standard profile. Many computer investigators are police officers who specialize in this area, and many others come from various backgrounds. Organizations are advised to entrust an investigation to investigators who have experience and proven skills in this field. Seasoned investigators know what must be done in order to come up with evidence that is acceptable in court. They use the so-called 3A technique to achieve this goal: acquisition, authentication, and analysis.
In order to facilitate the work of an investigator, a plaintiff should avoid delays in getting an investigation started, because speed decreases the chances of anyone tampering with the electronic evidence. The first thing the plaintiff must do is determine whether a court order is required, which is normally the case if the investigation involves an organization other than their own. A court order is usually not necessary for an internal investigation. The plaintiff must also take into consideration any employment contract clauses that might prohibit access to an employee’s personal information, particularly with respect to e-mail.
Once these formalities have been resolved, the investigator can go to work. The investigator often arrives at the scene of the crime accompanied by bailiffs, and quickly makes binary copies of the hard drives relevant to the investigation. In order to ensure that all of the pertinent data is acquired, the investigator cannot leave out one bit. If the data that is considered necessary involves only 10GB on a 100GB drive, all 100GB must be copied. This is the only way to restore deleted data that has not yet been overwritten.
And since the golden rule is not to alter data, special write-protection software is used. The investigator makes a first copy that can be searched for evidence without fear of modifying the original data. A second copy is also made, in case the first copy becomes unusable. Finally, copies are made using different tools, in case one of them is later found to contain bugs.
Human memory is inherently fallible, so detailed notes must be taken for use when the case comes up in court, which may be much later. Notes include software versions used, condition of the computers, data volume, applications installed, etc. In order to ensure the success of the investigation, it is critical that everything be done impeccably from the start, because it is very difficult, if not impossible, to fix mistakes that are made at this stage.
The purpose of authentication is to prove to the court that the evidence that is exhibited is exactly the same as the evidence that was collected. Using what is known as a hash algorithm, investigators convert the data into a string of letters and numbers, which is the equivalent of a digital fingerprint. The slightest change to the original data – even changing only one bit among billions – produces a different fingerprint.
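The acquisition and authentication steps described above, as an added example that is not part of the original article: a bit-for-bit copy of a (constructed, in-memory) drive is hashed as it is streamed, the copy is checked against the recorded hash, and a single flipped bit is shown to break the fingerprint. SHA-256 is assumed here; the article does not name a hash algorithm.

```python
import hashlib
import io

# Constructed stand-in for the drive to be seized: a small byte buffer rather
# than a 100GB block device. On a real acquisition the source sits behind a
# write blocker and is only ever opened read-only.
ORIGINAL_DRIVE = bytes(range(256)) * 64 + b"\x00" * 512 + b"deleted-but-not-overwritten"

def acquire_image(source, block_size=4096):
    """Stream every block of the source into the image, hashing as we go.
    Nothing is skipped: empty or 'irrelevant' regions are copied too, since that
    is where not-yet-overwritten deleted data lives. Returns (image, hex hash)."""
    digest = hashlib.sha256()
    image = io.BytesIO()
    src = io.BytesIO(source)
    while True:
        block = src.read(block_size)
        if not block:
            break
        digest.update(block)
        image.write(block)
    return image.getvalue(), digest.hexdigest()

def fingerprint(data):
    """The article's 'digital fingerprint': a fixed-length hex string computed
    from every bit of the data (SHA-256 assumed for this example)."""
    return hashlib.sha256(data).hexdigest()

def verify_image(image, recorded_hash):
    """Authentication: does the copy presented later still match what was collected?"""
    return fingerprint(image) == recorded_hash

def flip_one_bit(data, byte_index, bit):
    """Change exactly one bit, to show how little it takes to break the fingerprint."""
    altered = bytearray(data)
    altered[byte_index] ^= 1 << bit
    return bytes(altered)

def acquisition_record(source=ORIGINAL_DRIVE):
    """What the investigator's notes would record for this copy: size and hash at
    acquisition, plus a check of the faithful copy and of a one-bit-altered copy."""
    image, acq_hash = acquire_image(source)
    return {
        "bytes_copied": len(image),
        "complete": len(image) == len(source),
        "sha256": acq_hash,
        "copy_verifies": verify_image(image, acq_hash),
        "tampered_copy_verifies": verify_image(flip_one_bit(image, 1000, 3), acq_hash),
    }
```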
Analyzing the data involves examining the trails left by performing computer tasks. These trails can be found in the logs that are kept by various components of the technological infrastructure (servers, applications, firewalls, etc.). In order to reconstruct the facts, the investigator must follow every trail. This means that e-mails and keyboard sessions can be meticulously scoured for evidence of a suspect’s intentions. Investigators also check servers that might contain traces of past user activity, even after the record has been deleted at the user’s workstation.
Here again, the use of a specialist is of the utmost importance. Even though any computer specialist can analyze data in theory, it might take an inexperienced investigator a significant amount of time and effort to produce the expected results. This type of job is often the equivalent of searching for a needle in a haystack. When searching for specific information among gigabytes of data stored on a variety of media, it helps to be thoroughly familiar with search techniques and utilities.
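The analysis step above, following every trail across the logs of several components, as an added example that is not part of the original article. The log lines and their formats are constructed for the example (not any vendor's real format), all logs are assumed to be in UTC, and the suspect's username "jsmith" is an assumed seed identifier; the code pivots from that name to the IP address seen with it, so that a later connection logged only by the firewall is still attributed to the same actor.

```python
import re
from datetime import datetime

# Constructed sample lines from three infrastructure components.
LOGS = {
    "firewall": """\
2023-03-01T22:14:03 ALLOW src=203.0.113.7 dst=10.0.0.5 dport=443
2023-03-01T22:31:40 ALLOW src=203.0.113.7 dst=10.0.0.9 dport=445""",
    "web": """\
203.0.113.7 - jsmith [01/Mar/2023:22:14:05 +0000] "GET /reports/q4.xlsx HTTP/1.1" 200 88213
198.51.100.2 - - [01/Mar/2023:22:14:10 +0000] "GET /index.html HTTP/1.1" 200 512""",
    "app": """\
2023-03-01 22:13:58 INFO login user=jsmith ip=203.0.113.7
2023-03-01 22:15:00 INFO delete user=jsmith file=q4.xlsx""",
}

# One parser per component: (regex, timestamp format, extractor returning
# (timestamp string, set of actor identifiers in the line, description)).
PARSERS = {
    "firewall": (re.compile(r"^(\S+) (\w+) src=(\S+) dst=(\S+) dport=(\d+)$"),
                 "%Y-%m-%dT%H:%M:%S",
                 lambda m: (m[1], {m[3]}, f"{m[2]} {m[3]} -> {m[4]}:{m[5]}")),
    "web": (re.compile(r'^(\S+) - (\S+) \[([^\]]+)\] "([^"]+)" (\d+) \d+$'),
            "%d/%b/%Y:%H:%M:%S %z",
            lambda m: (m[3], {m[1], m[2]} - {"-"}, f"{m[4]} -> {m[5]}")),
    "app": (re.compile(r"^(\S+ \S+) \w+ (\w+) user=(\S+)(?: ip=(\S+))?(?: file=(\S+))?$"),
            "%Y-%m-%d %H:%M:%S",
            lambda m: (m[1], {m[3], m[4]} - {None}, f"{m[2]} {m[5] or ''}".strip())),
}

def parse_events(logs=LOGS):
    """Normalize every log line into (timestamp, source, identifiers, description)
    and return them as one chronological timeline across all components."""
    events = []
    for source, text in logs.items():
        pattern, fmt, extract = PARSERS[source]
        for line in text.splitlines():
            m = pattern.match(line)
            if not m:
                continue  # keep going; an unparsed line is noted, never altered
            ts_str, ids, desc = extract(m)
            ts = datetime.strptime(ts_str, fmt).replace(tzinfo=None)  # assumed UTC
            events.append((ts, source, frozenset(ids), desc))
    return sorted(events, key=lambda e: (e[0], e[1]))

def follow_trails(events, seed):
    """Start from one known identifier and pivot: any identifier sharing an event
    with a known one (e.g. the IP used at login) joins the set, until no new
    trail appears. Returns (identifiers, the actor's timeline)."""
    known = {seed}
    while True:
        new = {i for _, _, ids, _ in events if ids & known for i in ids} - known
        if not new:
            return known, [e for e in events if e[2] & known]
        known |= new
```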
The need to analyze the data raises two key questions: How much of it do you keep? And for how long? You have to take into account the significant cost of long-term storage of large quantities of data. Today, part of the answer can be found in the obligation imposed on organizations to keep certain records by the Sarbanes-Oxley Act in the United States, and by Bill 198 in Canada.
Otherwise, it boils down to a question of weighing the cost against the risk. A rule of thumb in risk management states that if it costs $20,000 to protect information that is valued at $10,000, it’s simply not worth it. Another factor can also weigh heavily in the decision: trails are useless for prevention, and are useful only to fix things!
When an investigation focuses on an intrusion into an organization’s systems, the first step is to determine how the intruder got in, in order to prevent recurrences. The investigators then try to determine how far the intruder penetrated, in order to assess the extent of the damage. Finally, organizations with a great deal of determination and willingness to try their luck will have the investigators track down the intruder – a task that can be extremely complicated, especially if the intruder is based in a foreign country.
Many victims of an intrusion are reluctant to call in investigators, for fear that word of the incident might spread and damage their reputation. However, there is no reason to be ashamed, because no security system is absolutely perfect. Even the best-protected organizations are vulnerable, especially if the information that they hold is highly coveted. Similarly, no one would be surprised by a burglary at a jewellery store with a high-end security system while the house next door, which doesn’t even have an alarm system, is left alone.
Filing the investigation report
With the investigation report in hand, the plaintiff must decide what to do next. Depending on the conclusions reached in the report, the options might include taking legal action, trying to settle out of court, firing employees, tightening security, dropping the case, etc. In the case of legal action, the investigators will likely be asked to testify.
Mathieu Grignon is the director of security services for ESI Technologies, one of CDN’s Top 100 Solution Providers for this year. He can be contacted at firstname.lastname@example.org