by Andy Fox
Director
Audax Digital Forensics
www.audaxuk.com

March 2005

Computer forensics has become an increasingly important part of IT security. A 2003 survey carried out on 201 companies by the National High Tech Crime Unit (in the UK) showed that computer related crime is costing an estimated GBP195 million nationally and within these figures over a third of this crime involved company employees. Given these statistics, many companies would not find it too difficult to make a compelling business case to make sure both data and systems are as secure as possible.

Computer forensics entails gathering and examining data from a range of electronic media - not just computers - and this data can take the form of photographs, downloaded images, text, documents, emails, internet pages and any other information that is stored to a hard drive. This data or evidence can then be used in a court of law, employment tribunal or simply as a sample of evidence to present to an individual under suspicion.

Computer forensic investigators will often work by taking a copy or 'digital image' of suspected electronic media using specialised forensic examination software tools like 'EnCase'. EnCase searches for and extracts particular data of interest to an investigator. With the incredible amount of information held on electronic media it would be virtually impossible and take a huge amount of time to investigate data if software like Encase was not available.

Even with suitable software investigations can be time consuming, but can also produce some stunning and unexpected results.

Employee Misuse and Fraud

Employee misuse and fraud crimes are on the increase and can vary from the misuse of computer systems to the theft of corporate and financial data. These crimes can occur due to disgruntled employees taking revenge, underemployed employees looking to take advantage of their situation or simply employees engaging in criminal activity. The possibility that the employee sitting next to you could be committing offences while they work is certainly very real and one doesn't have to look very far in the local or national press to read cases of employees caught looking at pornography, accessing confidential company information or stealing data.

Combating these types of computer related crimes can be very expensive, particularly for small businesses; however, being proactive in spending the right amount on the security of systems and data is a good place to start. Effective and regular monitoring of systems is also a good idea in trying to make it more difficult for individuals to commit offences (and get away with them) in the first place. However, with all the security and prevention techniques in the world, businesses find it very difficult to be 100% successful in stopping employees taking part in these crimes whether they be misuse or criminal activity and this is where computer forensics is a very useful tool.

Computer forensics is usually required after an incident has taken place and is a very effective option in providing evidence of misuse or crime. Forensic work is effective in detecting or identifying suspect activity as the methods used focus on the individual's usage of equipment over a period of time. Computers automatically log when and how images, text and documents were last created, viewed or modified and together with physical time and date activity the investigator can match an activity to an individual.

Evidence and Data Gathering

Securing the continuity and validity of electronic data and evidence in proving computer misuse and criminal activity can be a real problem. Problems often arise inside companies when IT Staff or Senior Management fail to resist the temptation to investigate equipment themselves and this can have serious consequences. One of the most crucial elements of computer forensic investigations is the preservation of evidence and 'non experts' can easily overwrite time and date information (the digital fingerprint) by accessing material themselves. This time and date information is vital in proving when data or images were modified or viewed. The time and dates stamp elements are particularly important in working environments where more than one person has access to a piece of equipment, e.g. a computer in an open office used by several members of staff during the day.

A computer forensics expert will be able to limit the potential for damage to data or evidence by following the ACPO (Association of Chief Police Officers) guidelines for retrieving electronic evidence [NOTE: this document is available from the Forensic Focus "Downloads" section]. This should ensure that the investigator knows how and where to look for information without compromising any potential evidence - hence it is very important for 'non-experts' to resist the temptation to look at data or evidence without contacting an expert.