First published March 2005
by Andy Fox
Audax Digital Forensics
Computer forensics has become an increasingly important part of IT security. A 2003 survey carried out on 201 companies by the National High Tech Crime Unit (in the UK) showed that computer related crime is costing an estimated GBP195 million nationally and within these figures over a third of this crime involved company employees. Given these statistics, many companies would not find it too difficult to make a compelling business case to make sure both data and systems are as secure as possible.
Computer forensics entails gathering and examining data from a range of electronic media – not just computers – and this data can take the form of photographs, downloaded images, text, documents, emails, internet pages and any other information that is stored to a hard drive. This data or evidence can then be used in a court of law, employment tribunal or simply as a sample of evidence to present to an individual under suspicion.
Computer forensic investigators will often work by taking a copy or ‘digital image’ of suspected electronic media using specialised forensic examination software tools like ‘EnCase’. EnCase searches for and extracts particular data of interest to an investigator. With the incredible amount of information held on electronic media it would be virtually impossible and take a huge amount of time to investigate data if software like Encase was not available.
Even with suitable software investigations can be time consuming, but can also produce some stunning and unexpected results.
Employee Misuse and Fraud
Employee misuse and fraud crimes are on the increase and can vary from the misuse of computer systems to the theft of corporate and financial data. These crimes can occur due to disgruntled employees taking revenge, underemployed employees looking to take advantage of their situation or simply employees engaging in criminal activity. The possibility that the employee sitting next to you could be committing offences while they work is certainly very real and one doesn’t have to look very far in the local or national press to read cases of employees caught looking at pornography, accessing confidential company information or stealing data.
Combating these types of computer related crimes can be very expensive, particularly for small businesses; however, being proactive in spending the right amount on the security of systems and data is a good place to start. Effective and regular monitoring of systems is also a good idea in trying to make it more difficult for individuals to commit offences (and get away with them) in the first place. However, with all the security and prevention techniques in the world, businesses find it very difficult to be 100% successful in stopping employees taking part in these crimes whether they be misuse or criminal activity and this is where computer forensics is a very useful tool.
Computer forensics is usually required after an incident has taken place and is a very effective option in providing evidence of misuse or crime. Forensic work is effective in detecting or identifying suspect activity as the methods used focus on the individual’s usage of equipment over a period of time. Computers automatically log when and how images, text and documents were last created, viewed or modified and together with physical time and date activity the investigator can match an activity to an individual.
Evidence and Data Gathering
Securing the continuity and validity of electronic data and evidence in proving computer misuse and criminal activity can be a real problem. Problems often arise inside companies when IT Staff or Senior Management fail to resist the temptation to investigate equipment themselves and this can have serious consequences. One of the most crucial elements of computer forensic investigations is the preservation of evidence and ‘non experts’ can easily overwrite time and date information (the digital fingerprint) by accessing material themselves. This time and date information is vital in proving when data or images were modified or viewed. The time and dates stamp elements are particularly important in working environments where more than one person has access to a piece of equipment, e.g. a computer in an open office used by several members of staff during the day.
A computer forensics expert will be able to limit the potential for damage to data or evidence by following the ACPO (Association of Chief Police Officers) guidelines for retrieving electronic evidence [NOTE: this document is available from the Forensic Focus “Downloads” section]. This should ensure that the investigator knows how and where to look for information without compromising any potential evidence – hence it is very important for ‘non-experts’ to resist the temptation to look at data or evidence without contacting an expert.
Employing Forensic Experts
Companies faced with a suspected criminal or misuse case need to know how to go about making sure that they follow the right steps in order to preserve evidence and avoid alerting the individual in question. The good practice ACPO guidelines are what most UK computer forensic investigators rigorously follow, but for the non-expert a few simple rules are important for preserving data for evidence purposes:
(Note: Once a suspect or suspicious activity has been identified it’s a good idea to start making notes on the dates and times that an individual has been using the computer or equipment in question. This narrows down and identifies all possible users and the times at which a suspect may have had access.)
The advisable steps to follow are:
– Call in an expert to advise on possible courses of action
– Do not alert the individual or anyone else
– Do not tamper or attempt investigation yourself, you may interfere with evidence
– Do not switch the machine on or off, isolate the power source instead
– Make sure all ancillary equipment, CD’s, floppy disks, thumb drives and PC equipment are stored securely
Computer forensics experts are specialists and may also be able to provide advice on security issues. Computer misuse has become so common that detection and effective monitoring of electronic activity, as part of a solid computer usage and monitoring policy, should now be a cornerstone of any IT or personnel policy. All employees need to know that they are subject to computer usage policies and be made aware that the employer has some right to monitor this usage (data protection and privacy laws are involved here and the subject needs to be approached with caution).
An example of computer forensics in action
A senior operations manager became suspicious of an individual who often worked late without producing results of increased productivity.
The manager decided to ask his IT Manager to look at some of the activity on the network in general outside of normal office hours to see if there were any irregularities. This network analysis showed some high volume email activity during the hours that the individual was working.
Without alerting the individual, the business manager called in a local computer forensics expert to assess the situation. The expert took an image of the individual’s computer (outside of office hours) and then worked over the next day to look at the data. The results were compelling.
The expert found emails and documents that were sent to a rival company in relation to a new job offer. Subsequently the individual had begun to send information to the rival on sales, budgets and marketing plans.
A formal report on the data was asked for from the expert and this was presented to the employee who, unsurprisingly, was shocked that he had been found out and was dismissed on the spot.
On this occasion, having assessed the information that had been sent to the rival, the company decided not to take the matter any further though could have gone to court to sue for theft of company information. The company did however undertake a complete review of its systems, procedures and permissions policies to look for where improvements could be made (with the help of the computer forensics expert).
Audax Digital Forensics
Comments and questions welcome to [email protected]
Audax are a Devon (UK) based Business Consultancy company with expertise in Computer Forensics, Recruitment, Security and Procurement.