The Kessler Report

A Publication of Michael G. Kessler & Associates, Ltd.
FRAUDBUSTERS® Technology Edition

Volume 9 - No. 1


Computer Forensics: Sherlock Holmes in the Information Age

The past decade has certainly been memorable… technology has exploded, advancing so rapidly that most people simply can't keep up. The PC that was considered state-of-the-art at the turn of the century is now barely powerful enough to run a standard operating system. Wireless technology has expanded so fast that customers can hardly get used to their phones or PDAs before they are eclipsed by the next best thing. Home computer users are surfing the Internet at speeds they would have thought impossible only a matter of years ago. Tons of information is only a mouse click away, and people are communicating with others from all over the globe without ever getting off their chairs. Technology has truly changed the face of business and society at large by leaps and bounds, and not since the Industrial Revolution has something managed to alter the lifestyles of so many people worldwide. Impressive? Yes. Amazing? Perhaps. Dangerous? Without a doubt.

Because for all the convenience, entertainment and "wow" value technology has bestowed upon us in recent years, it has also revealed a dark side.  High-tech crime has become as widespread and common as street crimes, and even worse, the victims usually have no idea they're under attack until it's too late.  From simple software piracy to high-level corporate espionage, techno-crooks work under the cover of silence and anonymity.  And because their methods revolve around new technology, there may not be laws or police techniques in place to stop them.  Gone are the simpler days, when a good, old-fashioned mugging was the preferred method of theft… now robbers sit in front of a computer screen, swiping credit card information or passwords from unsuspecting Internet denizens, and taking home a lot more than a few crumpled dollar bills.

Of course, law enforcement has done its best to keep up with the bad guys, passing new laws and developing new techniques to stop them in their tracks.  Today, criminals are convicted due to solitary pieces of digital evidence, files that are physically nothing more than a series of magnetic particles.  Tracks that cybercrooks thought they covered by deleting incriminating files are restored and presented in court.  Unscrupulous workers who cost their employers money or tarnish reputations are revealed and dealt with accordingly.  How is this all possible?  The answer is simple.  The answer is computer forensics.

Computer forensics, in a nutshell, is the application of technical knowledge and investigative techniques to find, identify, preserve and present evidence contained within and created with computer systems.  The goal of computer forensics is essentially the same as with any other investigation, and the same rules of evidence and legal processes still apply.  Finding out the who, what, where, when and why is still the prime directive of any examiner, only the methods used to answer those questions are now considerably different. 

The Bits and Bytes of Computer Forensics
Whether the need for a computer forensics expert is for a large corporation or an individual who wants to see what their son is doing online, the first rule of computer forensics is crucial… Do not destroy the evidence.  Data can be altered or completely eradicated very easily without the knowledge of the user, and the failure to preserve data can make or break an investigation.  In fact, simply opening a single file, or turning a computer on or off can permanently taint or completely overwrite otherwise useful information.  IT administrators sometimes believe they are helping investigators, when in reality they are actively destroying potential evidence!

Acquiring such evidence is clearly a delicate process, and forensics experts take great care in the physical and virtual handling of all sources.  If hardware needs to be sent off-site to a lab, drives and other devices are carefully packed in foam and protected from harmful jostling.  On-site acquisition is done as quickly and discreetly as possible, without disrupting operations or arousing suspicion. 

When the time comes to extract evidence, an investigator will make an exact copy of the media, not just a copy of the folder contents.  The information is written onto a form of media that cannot be altered (such as a CD-ROM or other read-only disk), thereby preserving the integrity of the data obtained from the original disk.  This copied data can now be scrutinized by investigators for important information.

However, finding this information is no easy process.  Computer forensics has been described as looking for a needle in a mountain of needles, with literally thousands of files for examiners to pore over.  The procedure requires a great deal of skill, experience and patience.  Specialized software is used to help sort through the labyrinth of both active files (the files we see) and unallocated (currently unused) disk space that may contain temporary or previously deleted data.  Investigators may also decode protected or encrypted files, if it is possible and legally appropriate.  In some cases, sophisticated equipment is used to extract data from damaged or destroyed media, such as a floppy disk that had been cut in half.  Still, despite the wealth of high-tech gadgetry at many examiners' disposal, finding evidence often requires someone who simply knows what to look for and how to find it, a skill that only comes with experience.
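The difference between an exact copy of the media and a copy of the folder contents can be shown on a tiny constructed disk. The sketch below is an added example, not Kessler's procedure or tooling: it copies every sector, records a SHA-256 hash during acquisition (a common way to show later that the copy is unchanged), and then finds a deleted picture's header in a sector that no file listing mentions. The disk layout, file names and sector size are invented for the illustration.

```python
import hashlib
import io

SECTOR = 512  # sector size assumed for the constructed sample

def sha256_stream(stream):
    """Hash a stream from its start, one sector at a time."""
    stream.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: stream.read(SECTOR), b""):
        digest.update(chunk)
    return digest.hexdigest()

def acquire(source, image):
    """Copy every sector of source into image, allocated or not.
    Returns the SHA-256 of the bytes read from the source."""
    source.seek(0)
    digest = hashlib.sha256()
    for chunk in iter(lambda: source.read(SECTOR), b""):
        image.write(chunk)
        digest.update(chunk)
    return digest.hexdigest()

def find_signature(image, signature):
    """Return offsets of sectors that begin with a known file signature."""
    image.seek(0)
    hits, offset = [], 0
    for chunk in iter(lambda: image.read(SECTOR), b""):
        if chunk.startswith(signature):
            hits.append(offset)
        offset += len(chunk)
    return hits

def build_sample_disk():
    """Constructed 4-sector disk: toy file table, one live file, one
    deleted JPEG remnant the table no longer lists, one empty sector."""
    table = b"notes.txt -> sector 1".ljust(SECTOR, b"\0")
    live = b"meeting at noon".ljust(SECTOR, b"\0")
    deleted = (b"\xff\xd8\xff" + b"remnant of deleted picture").ljust(SECTOR, b"\0")
    return table + live + deleted + bytes(SECTOR)

if __name__ == "__main__":
    disk, image = io.BytesIO(build_sample_disk()), io.BytesIO()
    acquired = acquire(disk, image)
    print("image matches source:", sha256_stream(image) == acquired)
    print("JPEG header in unlisted sector at offset:",
          find_signature(image, b"\xff\xd8\xff"))
```

A folder-level copy of this disk would carry only notes.txt; the sector-by-sector image also carries the remnant at offset 1024, and any later change to the image changes its hash.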

Once all this data is gathered and analyzed, the investigator then compiles a detailed report for their client, after which they are often called on to testify at some sort of legal proceeding. In such cases, it is important for the forensic expert to possess not only exceptional technical knowledge, but also the skills necessary to present the evidence in a courtroom setting. The ability to present information in a logical, persuasive manner that a jury can understand, while being able to withstand the opposing counsel's scrutiny, is very valuable and often makes or breaks a case.

Crimes and Misdemeanors
Computer forensics, while it is a specialized area of investigation, can be applied to a vast variety of crimes and devious activities, from high-tech system security breaches to burglary.  The primary areas in which computer forensics is used are law enforcement, private company investigations, and individual consulting.

Computer forensics is regularly used by law enforcement agencies as a method of investigating and prosecuting various crimes. These days, criminals are using computers to commit crimes that would not be possible without them (such as hacking into corporate databases, stealing passwords and account information, unleashing viruses, etc.), as well as crimes that traditionally did not involve any sort of advanced technology. Child pornography and kidnapping, for instance, are among the most feared and widely publicized crimes that often enlist the aid of computers. It's a parent's worst nightmare to think that their children could be lured away by a smooth-typing pervert, but it happens, and computer forensics experts are often called upon to track them down and collect evidence.

While child pornography and fraud are the most prevalent types of computer crimes, even homicides and grand larcenies are solved via computer forensics, when villains discuss their plans with partners online or compile lists of victims on their home PC.  Virtually any type of crime can have links to computers, but what many lawbreakers don't realize is that the electronic fingerprints they leave behind (e-mails, documents, instant messages, etc.) can quite easily come back to haunt them.

Many private companies also employ the aid of computer forensics, whether it is done in-house or an investigator is contracted by the company.  It is no secret that system security is a major issue for most businesses, especially in the wake of the many viruses, worms and system break-ins that have occurred all over the world in the past few years, crippling operations and costing companies billions of dollars.  Computer forensics is also used to help companies locate evidence regarding a wide range of matters, from sexual harassment to intellectual property theft.

Individuals also call upon computer forensics specialists for a variety of reasons, such as support in medical malpractice or wrongful death suits, wrongful termination, sexual harassment, discrimination, recovering lost data, or even to find out what children and spouses are up to on their computers.  Indeed, computer forensics can be applied to almost any investigation-worthy subject, and more and more people are taking advantage of this technology to help combat crime and tackle civil wrongdoings.

The Future of Computer Forensics
As the world becomes increasingly reliant on technology, it is inevitable that computer-related crimes will only increase in regularity.  As a result, the field of computer forensics is destined for an extremely active future.  Already, forensics software is littering the security landscape.  Learning institutions are chomping at the bit to initiate computer forensics programs, and students seem just as eager to learn and find a career in this rapidly expanding field.

Of course, the future holds some important questions. Will there be standards? As of now, there is no governing body, and there are no certification standards, for computer forensics "experts." Many current certifications are simply based on certain types of software or methodology, some are open to only certain practitioners, and some are nothing more than marketing gimmicks to sell more of a particular tool or training. Most examiners agree that there needs to be some sort of standardization so that when an "expert" conducts an investigation or takes the stand in a legal proceeding, their client is actually getting credible, competent support.

Scientific innovations also need to be considered.  Technology has advanced tremendously quickly in recent years, and the bad guys aren't the ones playing catch-up.  As computer forensics techniques become more advanced, so will the methods criminals use to stay a step ahead of the law.  Encryption, for instance, is already considered a major issue, and it is poised to become an even greater hindrance as criminals learn more about the process.  Wireless and portable technology is another big concern… it is the wave of the future, and it's a foregone conclusion that scams will proliferate on our ubiquitous multi-function handheld devices in the coming years.

Whatever the future holds for us, one thing is for certain… computer forensics is here to stay.  The long-shot years are dead and buried, and the horizon looks to be packed with exciting innovations and significant developments in the field.  We at Kessler International are leading the charge, and we are ready and willing to take on any challenge that comes our way.  If you require the services of a computer forensics expert, give us a call.  Our specialists have the experience, the knowledge and the professionalism that will guarantee a job well done and another case cracked.




Copyright © Michael G. Kessler & Associates, Ltd. 2004. All rights reserved.
