News Stay informed about the latest enterprise technology news and product updates.

Computer forensics not just for TV

Computer forensics isn't just a Hollywood invention. More businesses are relying on it to find incriminating evidence against employees.

WASHINGTON, D.C. -- When most people think of computer forensics, they picture federal agents storming in to confiscate computer systems to look for evidence of cyberterrorism or other criminal activity.

Yet many companies would likely reap benefits from developing computer forensics skills in-house for more mundane uses. The skills used in computer forensics will pay dividends for companies even if they don't have a lot of incidents to investigate, according to experts attending the CSI conference this week.

"Everyone thinks of [TV programs like] Quincy or Crossing Jordan when they hear forensics and don't think of data recovery," said Warren Kruse II, a consultant with Eatontown, N.J.-based Computer Forensic Services.

Computer forensics is the practice of preserving, documenting and analyzing computer-related evidence. Typically, companies use special software to create an exact copy of a hard drive and then search it for something incriminating.

IT departments can use forensics to find files on the hard drive of an employee who lost data or to track inappropriate behavior. For example, an employee may be suspected of violating company policy by visiting pornography Web sites. By employing computer forensics, the company can preserve that user's hard drive as evidence. Just printing out the offending pictures wouldn't hold water if the company took disciplinary action and was later challenged in court, Kruse said.

"If an employee was fired on the second of the month but you print out the pictures on the third, then the time and date stamp of those files will [show] they were accessed a day after the person left the company," he said.

In other words, there is nothing to say the files weren't modified or added after the person was let go.

Marc Dabros of Canada's National Research Council, a federal agency based in Ottawa, is often called in to preserve hard drives when management suspects someone is doing something they shouldn't. "For example, a firewall administrator may notice some logs showing someone has been going to an illegal site," he said.

That suspicion is then relayed up the chain of command to senior managers, who decide whether to start an investigation. Dabros is then called in to assist. By filtering such decisions through senior management, the process ensures that employees aren't targeted because someone has a grudge against them, Dabros said.

"If [the data] shows it's of a criminal nature, then we will hand it over to RCMP [Royal Canadian Mounted Police]," Dabros said. "We make sure it's preserved as evidence."

The first rule of computer forensics is preserving the data, Kruse said. Once an image is made of the hard drive, it can then be analyzed, but everything investigators do to the image must be documented to protect the integrity of the investigation.

A standard backup won't suffice. The image must be a complete copy. For example, Kruse once saw a system that had a dual partition set up so that, when his client sent him a standard copy of the hard drive, only the non-incriminating data came up. He was able to find the data on the hidden partition.

Writing down everything found on the image and how it was found is imperative because often such information would be needed if a criminal prosecution or wrongful termination lawsuit occurred. "You are not going to need it next week or next month. You may need it years from now," Kruse said.

After the image is analyzed and notes made, both should be stored securely. "Lawyers are great at attacking the chain of evidence," he said.


Expert advice: What is the future of computer forensics? Get Sondra Schneider's thoughts

Article: Plentiful resources, certifications for combating cybercrime

Dig Deeper on Real-time network monitoring and forensics

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.