

What Lawyers and Managers Should Know About Computer Forensics

Veritect, Inc.
10790 Parkridge Blvd / Suite 300
Reston / VA 20191
Toll Free 866-VERITECT (866-837-4832) / 703.788.9800
info@veritect.com / www.veritect.com

Computer Forensics / June 2001
Copyright © 2001 Veritect, Inc. All rights reserved.

Sometimes surprises are ugly. Frank Smith, an information
security manager, stumbled on a large encrypted file on his
company’s network server. It didn’t belong there. He suspected
it came from an employee who was either running a business out
of company computers or storing proprietary information for illicit
purposes. Frank identified the employee—a senior manager in
the marketing department—but he could not detect what the
manager was doing.

The file was too difficult to decrypt, and if there was nothing
serious in it, confronting the employee could be awkward. On the
other hand, if the file concealed proprietary data, the company
would need to act. Frank called in-house counsel. The senior
manager’s boss reported to the counsel that his employee was
involved in high-level operations including launching a product
that could make or break a division. Alarmed, the counsel called a
forensic examiner. The company needed to know what the man-
ager was hiding without giving him a chance to destroy evidence.

The examiner advised the company to conduct a forensics
examination of the manager’s laptop hard drive. Frank scheduled
routine maintenance on the laptop to avoid raising the manager’s
suspicions then let the examiner covertly make an exact copy of
the hard drive. The examiner retrieved and recorded hundreds of
active and deleted files on the mirror copy of the hard drive,
using Federal Rules of Evidence (FRE) as a guide. He uncovered
deleted e-mails from a competitor which contained terms of a job
offer and discussions of the product. Among fragments of other
deleted e-mails, he pieced together confidential specifications
and code related to the new product. The examiner also found
sections of the company’s proprietary customer list.

With enough evidence to sue, the corporation confronted the
manager, who had just announced his intention to depart. The
firm subsequently gained a settlement barring the competitor
from using the stolen information and the senior manager from
working for the competitor for five years.

This, in brief, is what computer forensics is about. Forensics
investigators examine computer hardware and software, using
legal procedures to obtain evidence that proves or disproves
allegations. It is not complex science, but gathering viable
evidence is difficult, and getting results quickly requires trained
specialists who know computers, the rules of evidence gathering
and how to work with law enforcement authorities.


Computer Forensics

There are compelling reasons for using computer forensics but
before lawyers and managers do, they should know what foren-
sics is and when and how to employ it. Risk management and
self-defense are leading reasons for using computer forensics.
Any organization that does not have a way to detect and stop
malicious behavior may be victimized with no legal recourse.
Computer forensics safeguards legal options. Preserving evidence
according to Federal Rules of Evidence gives a company or indi-
vidual choices that otherwise would not exist. When an intruder
attacks or steals from an organization or individual, the ability or
threat to get law enforcement involved may be the only way to
stop intrusion or recover assets. Gathering computer evidence is
also useful for confirming or dispelling concerns about whether an
illegal incident has occurred, and to document computer and
network vulnerabilities after an incident.

When to Use Forensics

Computer forensics examiners should be called in when a threat
to a company’s business and reputation is serious. Today, threats
almost always involve a computer or network because they
contain a company’s proprietary information and business
processes. Like Willie Sutton, the bank robber who went to the
bank because that’s where the money is, those who wish to
damage or steal from a business go to computers and networks
because that’s where strategic assets are located. Computers
store client/customer lists, proprietary technology and processes,
confidential financial data, personnel records and medical data,
contracts and agreements, payroll records, accounting data and
much more. A simple and virtually undetectable fraud that posts
a few odd cents to a phony account can reap a perpetrator
thousands of dollars out of the millions that flow through
accounts payable. A malicious change to an individual’s personnel
records could cost that person a job and a career. Divulging a
company’s financial records could damage it on Wall Street, in the
marketplace and before shareholders. Corporate spies might steal
trade secrets. Posting libelous information on the Internet about
a company or individual can so damage a reputation that business
cannot continue. Employees of a company might be stealing from
it by working for themselves and using company resources. Or,
they can be using work time to surf inappropriate or prohibited
web-sites or play games.

Companies employ computer forensics when there is serious
risk resulting from compromised information, a potential loss of
competitive capability, a threat of lawsuits or potential damage
to reputation and brand. Some companies regularly use forensic
investigations to check employee computers, with the idea that
employees who know they are being watched are less tempted to
stray. For example, one corporation randomly selects a percent-
age of employee computers each month and conducts forensics
examinations of their hard drives. Investigations have turned up
pornography, private businesses, unauthorized use of proprietary
data and other infractions.

When Not to Use Forensics

When the cost of a forensic investigation exceeds potential gain,
there is little reason to use it. However, that is a judgment call.
Managers and lawyers can and have used forensics for purposes
beyond serious threats. Some companies use legal evidence
gathering to drive home points with employees and external
intruders, even though the cost of the investigation often
exceeds recovery. Usually, a warning is enough to stop an
inappropriate action, such as excessive net-surfing so that a
full-scale investigation is not needed. Computer forensics also
may not be needed when computers had only a minor role in an
incident or threat, but this role may not always be clear. The
relationship between the computer and an event under inquiry
is critical, and until a forensics examination has been done, one
cannot always know whether a computer was a significant part
of an event, or not.

Legal Evidence

A computer forensics examiner starts and completes assignments
with a court trial in mind. This means an examiner should always
gather and preserve evidence according to Federal Rules of
Evidence. The examiner has three basic tasks—finding, preserving
and preparing evidence.

Preserving computer evidence comes first, even before evidence
is found, because data can be destroyed so easily. The 1s and 0s
that make up data can be hidden in numerous places and vanish
instantly with a push of a button. As a result, forensics examiners
assume every computer has been rigged to destroy evidence,
and they proceed with utmost care in handling computers and
storage media.

Finding and isolating evidence which proves or disproves an
allegation is just as difficult as preserving it because with
computers there can be too much evidence. Investigators can plow
through thousands of active files and fragments of deleted files
to find just one that makes a case. Computer forensics has been
described as looking for one needle in a mountain of needles.

Preparing evidence requires patient thoroughness and
documentation of everything one does so that it can withstand strong
judicial scrutiny. This is where lesser-trained specialists can and
have failed. For example, a hacking incident at a Web music store
was thrown out of court because examiners who prepared the
case failed to follow rules of evidence that properly document
where evidence comes from and that it has not been altered.

Illustration 1: What to look for in a computer forensics examiner

• Prior experience in computer forensics examinations.
• Specialized training in computer operating systems.
• Specialized training in evidence handling and investigation
techniques, including information recovery tools.
• Documentation of processes used in forensic examinations.
• Personal integrity: Investigators must withstand scrutiny on
both technical ability and personal integrity.
• Investigative ability: Investigators need logical thinking, the
ability to uncover and understand cause and effect, and
possess an open mind.
• Demonstrated knowledge of the Federal Rules of Evidence.
• Experience testifying as an expert witness.
• A laboratory stocked with tools for evidence recovery.
• Quick reaction time to handle incidents before evidence
is destroyed and to report evidence before perpetrators
disappear. This also is a compelling reason to keep an
examiner on retainer.

What You Should Know

Lawyers and managers involved in events where computer forensics
might come into play should follow a simple rule their mothers
taught them when they were little and entering a store: Don’t
touch anything.

Preserving computer evidence requires pre-incident planning and
training of employees in incident discovery procedures. System
administrators sometimes think they are helping a forensics
examiner when they are actually destroying evidence. There
should be minimal disturbance of the computer, peripherals and
area surrounding the machine. If a computer is turned on, leave
it on, and if turned off, leave it off. Moreover, NEVER run programs
on a computer in question. For example, running Windows to
examine files destroys evidence in the swap file. Finally, NEVER
let a suspect help open or turn on a machine.

Sometimes, forensics examiners will interview a suspect in a
friendly way about the procedures for turning a machine on and
off, all the while taking close notes. Instead of following the
suspect’s directions, the investigators will crash the computer by
pulling out the power cord, in order to avoid any traps set by the
suspect and to preserve what is on the disk. The notes may then
reveal the traps and can be used later in a case against the
suspect. At other times, examiners will perform an orderly
shutdown of a machine and lock its original media so it cannot be
changed. Pulling the plug sacrifices whatever existed only in
memory, so the choice between the two is the examiner’s, made
case by case. If a machine uses a Unix operating system, crashing
it will destroy evidence, so examiners will investigate it in
place, as they find it.

Among the tasks that lawyers and managers should expect a
computer forensics examiner to perform are:

• Documenting all equipment and software under investigation,
including hard disk drives by make and model, the operating
system and version, the file catalog and any actions
the examiner takes to remove and examine equipment
and software.

• Gathering and documenting additional data sources such
as backup tapes, firewall logs and intrusion detection logs.

• Securing any items that may be evidence such as
notepads, papers, books, photos and other materials in
a suspect’s office.

• Starting and building a chain of custody that proves both
physical and electronic evidence has been preserved in its
original state. This requires logging each individual and/or
organization that handles evidence, where and when it was
handled, and maintaining records of custody, including
shipping numbers.

• Identifying the system’s relationship to the event and
developing then refining an approach to finding evidence.

• Finding and documenting evidence.
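The chain-of-custody record described in the list above can be kept tamper-evident by chaining the entries together with hashes, so that any record altered or removed after the fact shows up when the log is checked. The following is an added example written for this edition; it is not Veritect’s tooling or procedure, and every evidence label, name, time and shipping number in it is constructed for illustration.

```python
"""Tamper-evident chain-of-custody log.

Added example, not Veritect's tooling. Each entry records who took custody
of an evidence item, where, when, what they did and the item's SHA-256 at
that hand-off; each entry also carries the SHA-256 of the previous entry,
so altering or removing an earlier record breaks every later link.
All evidence labels, names, times and shipping numbers are constructed.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field
from typing import List, Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    evidence_id: str            # label on the evidence bag or drive
    evidence_sha256: str        # hash of the drive image at this hand-off
    handler: str                # person or organization taking custody
    action: str                 # seized / imaged / shipped / received / examined
    location: str
    timestamp_utc: str          # ISO 8601, read from a reference clock
    shipping_number: Optional[str] = None
    prev_hash: str = GENESIS
    entry_hash: str = field(default="", init=False)

    def canonical(self) -> bytes:
        # Every field except entry_hash, serialized in a fixed key order.
        body = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        return json.dumps(body, sort_keys=True).encode()


class CustodyLog:
    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def add(self, **fields) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else GENESIS
        entry = CustodyEntry(prev_hash=prev, **fields)
        entry.entry_hash = sha256_hex(entry.canonical())
        self.entries.append(entry)
        return entry

    def verify(self) -> List[int]:
        """Indexes of entries whose content or back-link no longer checks out.
        The back-link is compared with the recomputed hash of the previous
        entry, so one altered record also invalidates everything after it."""
        bad, prev = [], GENESIS
        for i, e in enumerate(self.entries):
            recomputed = sha256_hex(e.canonical())
            if e.prev_hash != prev or e.entry_hash != recomputed:
                bad.append(i)
            prev = recomputed
        return bad


def demo_log(image: bytes = b"constructed drive image contents") -> CustodyLog:
    """Log for one constructed laptop-drive image passing through three hands."""
    h = sha256_hex(image)
    log = CustodyLog()
    log.add(evidence_id="LAPTOP-HDD-001", evidence_sha256=h,
            handler="F. Smith (information security)", action="imaged",
            location="IT maintenance room", timestamp_utc="2001-06-04T18:05:00Z")
    log.add(evidence_id="LAPTOP-HDD-001", evidence_sha256=h,
            handler="Courier", action="shipped", location="Reston, VA",
            timestamp_utc="2001-06-04T19:30:00Z", shipping_number="SHIP-0001 (constructed)")
    log.add(evidence_id="LAPTOP-HDD-001", evidence_sha256=h,
            handler="Forensic laboratory", action="received", location="Lab vault",
            timestamp_utc="2001-06-05T09:12:00Z", shipping_number="SHIP-0001 (constructed)")
    return log


if __name__ == "__main__":
    log = demo_log()
    print("chain intact:", log.verify() == [])
    log.entries[1].handler = "Someone else"      # tamper with a sealed record
    print("broken entries:", log.verify())        # [1, 2]
```

The hash of the evidence image travels with every entry, so the log ties the paper trail to the bytes themselves; in practice each sealed entry would also be signed or countersigned by the receiving party, which this example leaves out.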


Technical Challenges

Lawyers and managers should have an appreciation for the
technical challenges of gathering computer evidence because it
goes beyond normal data recovery. Unfortunately, there are no
certified procedures for safe evidence gathering nor is there a
single approach for every type of case. To date, skilled forensic
examiners have used methodologies that produce hard evidence
and have survived court tests. To do this, examiners work on
trusted systems to which only they have access, in secure
laboratories where they check for viruses in suspect machines
and isolate data to avoid contamination.

Examiners will, for example, photograph equipment in place before
removing it, and label wires and sockets so that the computers
and peripherals can be reassembled exactly in a laboratory. They
transport computers, peripherals and media carefully to avoid
heat damage or jostling. They never touch original computer hard
disks and floppies. They make exact bit-by-bit copies, record a
cryptographic checksum of the original and of each copy so the
two can be shown to match, and store the copies on a medium that
cannot be altered, such as a CD-ROM; all examination is done on
the copies. When suspects attempt to destroy media, such as
cutting up a floppy disk, investigators reassemble the pieces to
read the data from it. Nor do examiners trust a computer’s
internal clock or activity logs. The internal clock might be
wrong, a suspect might have tampered with logs, and the mere act
of turning on the computer might change a log irrevocably. Before
the logs disappear, investigators are trained to capture the time
a document was created, the last time it was opened and the
last time it was changed. They then calibrate or recalibrate
evidence based on a time standard and/or work around log
tampering, if possible.
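Two of the practices in the paragraph above are concrete enough to show in code: proving that a bit-for-bit copy is exact and that the original was not changed by taking it, and converting the created/opened/changed times read from a machine whose clock was wrong into a trusted time standard. The following is an added example, not Veritect’s procedure or tooling; the “device” is an in-memory byte string standing in for a drive behind a write blocker, and every timestamp is constructed.

```python
"""Verified bit-for-bit imaging and clock recalibration.

Added example, not Veritect's procedure or tooling. The "device" is an
in-memory byte string standing in for a drive behind a write blocker, and
every timestamp is constructed for illustration.
"""
import hashlib
import io
from datetime import datetime, timedelta, timezone
from typing import BinaryIO, Dict, Tuple

CHUNK = 4096
UTC = timezone.utc


def image_device(device: BinaryIO, image: BinaryIO) -> Tuple[str, str, int]:
    """Copy every byte of device into image, hashing both streams independently.

    Returns (source_sha256, image_sha256, bytes_copied). The image hash comes
    from re-reading what was written, not from the bytes in flight, so a bad
    write shows up as a hash mismatch rather than a silently wrong copy.
    """
    src = hashlib.sha256()
    copied = 0
    device.seek(0)
    for chunk in iter(lambda: device.read(CHUNK), b""):
        src.update(chunk)
        image.write(chunk)
        copied += len(chunk)
    image.flush()
    image.seek(0)
    img = hashlib.sha256()
    for chunk in iter(lambda: image.read(CHUNK), b""):
        img.update(chunk)
    return src.hexdigest(), img.hexdigest(), copied


def acquire(device: BinaryIO) -> Dict[str, object]:
    """Image the device, then hash the source once more: three matching
    digests show the copy is exact and the original was not changed by
    the acquisition itself."""
    image = io.BytesIO()
    before, img, n = image_device(device, image)
    device.seek(0)
    after = hashlib.sha256(device.read()).hexdigest()
    return {"source_before": before, "image": img, "source_after": after,
            "bytes": n, "verified": before == img == after}


def clock_offset(reference_utc: datetime, suspect_clock: datetime) -> timedelta:
    """How far the seized machine's clock is from a trusted reference, read
    side by side at seizure (suspect minus reference; negative means the
    machine ran slow)."""
    return suspect_clock - reference_utc


def recalibrate(mac_times: Dict[str, datetime], offset: timedelta) -> Dict[str, datetime]:
    """Express created/accessed/modified times recorded from the suspect
    machine in reference time by removing the measured offset."""
    return {name: t - offset for name, t in mac_times.items()}


def consistency_notes(mac: Dict[str, datetime]) -> list:
    """Orderings that need an explanation before they are relied on. A file
    modified before it was created is typical of a copy from elsewhere and
    is a lead, not a finding."""
    notes = []
    if mac["modified"] < mac["created"]:
        notes.append("modified precedes created: file was probably copied or moved here")
    return notes


def demo() -> Dict[str, object]:
    """Run both procedures on constructed data."""
    device = io.BytesIO(bytes(range(256)) * 40)                # 10240-byte "drive"
    reference = datetime(2001, 6, 4, 18, 0, 0, tzinfo=UTC)      # lab reference clock
    suspect = datetime(2001, 6, 4, 17, 47, 30, tzinfo=UTC)      # seized machine's clock
    offset = clock_offset(reference, suspect)                   # 12 min 30 s slow
    recorded = {                                                # as read from the image
        "created": datetime(2001, 5, 30, 10, 0, 0, tzinfo=UTC),
        "modified": datetime(2001, 5, 29, 9, 0, 0, tzinfo=UTC),
        "accessed": datetime(2001, 6, 3, 16, 0, 0, tzinfo=UTC),
    }
    return {"image": acquire(device), "offset_seconds": offset.total_seconds(),
            "recalibrated": recalibrate(recorded, offset),
            "notes": consistency_notes(recorded)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The three digests (source before, image, source after) are what goes into the chain-of-custody record; the clock offset is measured once, at seizure, and written down before anything else is touched, because it cannot be recovered later.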

Investigators always assume the worst. It is a rule in computer
forensics that only the physical level of the magnetic material,
where the 1s and 0s of data are recorded, is real, and everything
else is untrustworthy. A suspect might have corrupted all of the
software operating systems, applications and communications in a
computer or the software itself might erase evidence while
operating, so forensic examiners avoid these.

Examiners search at the bit level of 1s and 0s across a wide
range of areas inside a computer, including e-mail, temporary
files in the Windows operating system and in databases, swap
files that hold data temporarily, logical file structures, slack and
free space on the hard drive, software settings, script files that
perform preset activities, Web browser data caches, bookmarks,
history and session logs that record patterns of usage. They
then correlate evidence to activities and sources.
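The reason the bit-level search above matters is that a normal file listing shows only what is allocated. The following added example (not Veritect’s tooling; the disk image, its allocation map and the e-mail fragments in it are all constructed) builds a three-cluster raw image in which an old message survives in the slack of a shorter file that overwrote its beginning and a deleted message sits in free space, then compares what a search of the logical files sees against a search of every byte.

```python
"""Carving e-mail headers out of slack and free space.

Added example, not Veritect's tooling. The raw image, its allocation map
and every message fragment below are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

CLUSTER = 512

# Constructed allocation map: cluster index -> (file name, logical length).
# Clusters absent from the map are unallocated ("free space").
Allocation = Dict[int, Tuple[str, int]]

# Header lines an examiner would look for; 1-80 printable bytes after the name.
EMAIL_HDR = re.compile(rb"(From|To|Subject): [^\r\n]{1,80}")


def build_sample_image() -> Tuple[bytes, Allocation]:
    """Three clusters: one live file with slack, one deleted file, one empty."""
    old_mail = (b"From: recruiter@competitor.example\r\n"
                b"To: j.doe@victim.example\r\n"
                b"Subject: Offer terms and product launch timing\r\n\r\n"
                b"Bring the launch specs and the customer list.\r\n")
    new_file = b"Q2 status: on track.\r\n"            # 22 bytes, overwrites only the start
    c0 = bytearray(CLUSTER)
    c0[:len(old_mail)] = old_mail                     # what the cluster once held
    c0[:len(new_file)] = new_file                     # the file the system now shows
    deleted = (b"From: j.doe@victim.example\r\n"
               b"To: recruiter@competitor.example\r\n"
               b"Subject: Re: Offer terms\r\n\r\nAttached: product spec v3.\r\n")
    c1 = bytearray(CLUSTER)
    c1[:len(deleted)] = deleted                       # directory entry gone, bytes remain
    c2 = bytearray(CLUSTER)                           # never written
    alloc: Allocation = {0: ("status.txt", len(new_file))}
    return bytes(c0 + c1 + c2), alloc


def classify(offset: int, alloc: Allocation) -> str:
    """Where an image offset falls: live file data, slack after it, or free space."""
    cluster, within = divmod(offset, CLUSTER)
    if cluster not in alloc:
        return "unallocated"
    return "allocated" if within < alloc[cluster][1] else "slack"


def logical_files(image: bytes, alloc: Allocation) -> Dict[str, bytes]:
    """What ordinary file tools see: only the allocated bytes of each file."""
    return {name: image[c * CLUSTER:c * CLUSTER + length]
            for c, (name, length) in alloc.items()}


def search_logical(image: bytes, alloc: Allocation,
                   pattern=EMAIL_HDR) -> List[Tuple[str, str]]:
    hits = []
    for name, data in logical_files(image, alloc).items():
        hits += [(name, m.group().decode("ascii", "replace")) for m in pattern.finditer(data)]
    return hits


def carve(image: bytes, alloc: Allocation,
          pattern=EMAIL_HDR) -> List[Tuple[int, str, str]]:
    """Scan every byte regardless of allocation; report offset, region, match."""
    return [(m.start(), classify(m.start(), alloc), m.group().decode("ascii", "replace"))
            for m in pattern.finditer(image)]


if __name__ == "__main__":
    img, alloc = build_sample_image()
    print("logical search:", search_logical(img, alloc))      # []
    for offset, region, text in carve(img, alloc):
        print(f"{offset:5d} {region:12s} {text}")
```

On the constructed image the logical search finds nothing, while the byte-level scan recovers two header lines from the slack of status.txt and three from the deleted message in free space; the "From:" line of the older message is gone because the newer file overwrote exactly that part of the cluster, which is why fragments, not whole files, are the normal result.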

Investigators have many tricks of the trade that help them
get around the clever perpetrator. For example, they often do not
attempt to decode encrypted files. Rather, they look for evidence
in a computer that will tell them what is in the encrypted file.
Frequently, the bulk of this evidence has been erased but
unencrypted traces remain to make a case. For data concealed
within other files, such as buried inside the 1s and 0s of a pic-
ture, an investigator can detect that the data is there, even
though it is inaccessible. Nearly identical files can be
compared to expose minute differences.
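The last two sentences above describe one technique: a byte-level comparison of a suspect file against an untouched copy shows changes no viewer would display. The following added example (not Veritect’s tooling) hides a short note in the least-significant bits of a constructed grayscale image, then compares the result with the original; the comparison shows where the bytes changed and that every change is a one-bit flip, which is the fingerprint of that kind of concealment. Both the cover image and the hidden note are constructed.

```python
"""Exposing minute differences between two nearly identical files.

Added example, not Veritect's tooling. A constructed 8-bit grayscale image
(a plain byte array, no file header) has a short message written into its
least-significant bits; byte-level comparison with the untouched original
shows where it changed and that every change is a one-bit flip, which is
the signature of LSB embedding and invisible to the eye.
"""
from typing import Dict, List, Tuple


def embed_lsb(cover: bytes, message: bytes) -> bytes:
    """Write message bits, most significant first, into the LSB of successive
    cover bytes (one bit per byte)."""
    bits = [(byte >> i) & 1 for byte in message for i in range(7, -1, -1)]
    if len(bits) > len(cover):
        raise ValueError("cover too small for message")
    out = bytearray(cover)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def extract_lsb(stego: bytes, n_bytes: int) -> bytes:
    """Recover n_bytes of message from the LSBs (reverse of embed_lsb)."""
    out = bytearray()
    for i in range(n_bytes):
        value = 0
        for b in stego[i * 8:(i + 1) * 8]:
            value = (value << 1) | (b & 1)
        out.append(value)
    return bytes(out)


def diff_ranges(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Contiguous [start, end) offset ranges where the two byte strings differ."""
    ranges, start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and start is None:
            start = i
        elif x == y and start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, min(len(a), len(b))))
    if len(a) != len(b):   # a length difference is itself a finding
        ranges.append((min(len(a), len(b)), max(len(a), len(b))))
    return ranges


def compare(original: bytes, suspect: bytes) -> Dict[str, object]:
    """Summary for a report: how many bytes changed, where, how much, and
    whether every change is confined to bit 0."""
    changed = [(i, x, y) for i, (x, y) in enumerate(zip(original, suspect)) if x != y]
    return {
        "changed_bytes": len(changed),
        "ranges": diff_ranges(original, suspect),
        "max_delta": max((abs(x - y) for _, x, y in changed), default=0),
        "lsb_only": all((x ^ y) == 1 for _, x, y in changed),
        "last_changed_offset": changed[-1][0] if changed else None,
    }


COVER = bytes(range(256)) * 8          # constructed 2048-byte gradient "image"
MESSAGE = b"spec v3"                   # constructed hidden note, 56 bits


def demo() -> Dict[str, object]:
    stego = embed_lsb(COVER, MESSAGE)
    report = compare(COVER, stego)
    report["recovered"] = extract_lsb(stego, len(MESSAGE))
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Without the original to compare against, the same signal can still be looked for statistically (an unnatural evenness in the low bits), but a known-good copy turns a suspicion into a list of exact offsets.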

Making a Case

When forensic examiners find computer evidence, they must
present it in a logically compelling and persuasive manner that
a jury will understand and an opposing counsel cannot rebut.
This requires step-by-step reconstructions of actions with
documented dates and times, charts, and graphs. These exhibits
explain what was done and how. The result is testimony that
explains simply and clearly what a suspect did or did not do. Case
presentation requires experience, and, to date, such experience
has been gained through courtroom appearances. This is why
lawyers and managers should retain computer forensics examiners
who have a record of successful expert testimony on computer
evidence. An experienced examiner knows the questions that
opposing attorneys will ask and the ways to provide answers that
withstand challenges. A skilled litigator can defeat an inexperi-
enced examiner for failing to collect evidence in a proper manner
and failing to show that evidence supports allegations. Not long
ago most attorneys knew little about computers and how they
operated, but today they do and they are increasingly skilled at
challenging examiners’ methods.

A Growing Service

With the growth of computers and networks comes growth of
crime committed through or with computers and networks.
Computer forensics is an extension of forensics examinations
used on other physical evidence. It is a fast-growing field be-
cause computers and networks have moved to the heart of
business and societal operations. However, it is not a service
that most corporations will or should establish internally. Because
investigations are so specialized, few organizations have the
human or technical resources to gather and compile evidence
that withstands court challenges. Large multinational corporations
have or may develop the capability, but most organizations will
purchase computer forensics as needed or keep a computer
forensics firm on retainer. The important point for managers and
lawyers to remember is that computer evidence is fragile and the
best way to handle an incident is to isolate the suspect machine
until examiners take over.

Illustration 2: Typical computer forensics cases

Case 1: Denial of Service

A financial institution suffered multiple losses of service from
its primary mainframes over an extended period.

Forensic activity

Forensics analysis ruled out external access to the mainframes
while nontraditional computer log analysis pointed to one
disgruntled employee. A forensic examination of the employee’s
personal computer confirmed his illegal actions.

What the employee did

The employee had exploited poor system controls and limited
network auditing to sabotage the mainframes.

Case 2: Network Intrusion of Educational, Military,
Government and Commercial Organizations
An intruder penetrated systems in several organizations
in the southeastern U.S.

Forensic activity

Examiners undertook six weeks of technical and nontechnical
tracing to identify three primary suspects in information
technology jobs who had compromised an Internet Service Provider.

What the individuals did

The individuals had exploited poor passwords to break
into systems.


Case 3: Pornography on Company System

During a forensics examination of problem systems, examiners
discovered two systems that contained numerous sexually
explicit images.

Forensic activity

Examiners searched the computers’ cache files, slack and
free space to verify that the users were engaged in active
browsing for the images.

What the employees did

Both employees had exploited the company’s nearly
unrestricted access to the Internet.

Case 4: Corporate Espionage

A large organization lost a CEO to a competitor, in violation
of the CEO’s non-compete agreement.

Forensic activity

Examiners analyzed the former CEO’s laptop, revealing deleted
information regarding the courting and hiring negotiations and
job offer, including e-mails which detailed current sales activity
at the competing company. However, these incriminating
documents had been deleted and overwritten. The examiners
developed a new process and tool to allow them to recover
the original encoded information, which demonstrated beyond
doubt that the CEO was being hired to target current customers
of his former employer. The information gathered was
instrumental in securing a settlement valued between 15
and 20 million dollars.

What the CEO did

The CEO had used e-mail to pass along critical information
to a competitor, and then attempted to hide evidence of
his actions.


Case 5: Outside Attack on a Small Network

A small firm suspected its computer network had been
infiltrated by competitors.

Forensic activity

Examiners performed an initial screening of the computers
involved and determined that while a thorough forensic
examination could possibly yield information as to the method
used to attack the network, it was highly unlikely to identify
an actual attacker. The company instead received assistance
in the engineering of a more secure and scalable network
infrastructure, resulting in increased capabilities, information
protection, and a significantly reduced operating cost.

What the attacker did

The attacker exploited vulnerabilities in the company’s network
to extract critical information.

Case 6: Confidential material posted on
an industry rumor site
An international manufacturing firm discovered that someone
was posting confidential company information on an industry
bulletin board and, in addition, making slanderous comments
about company executives.

Forensic activity

Examiners covertly obtained image copies of the hard drives
of 11 personal computers while posing as information
technology consultants. Their analysis of the first five hard drives
identified the individual who was posting information to the
site. In addition, the examiners discovered several other
violations of company policy.

What the employee did

The employee had exploited the fact
that the company’s network had no monitoring of outbound
connections, as well as numerous unprotected modems.


Illustration 3: Computer Intrusion Emergency Response Checklist

Suspected Internal Abuse: If you suspect an inside job,
but don’t have sufficient evidence to confront the suspect,
investigate before tipping off the employee.

Emergency Inside Situation: If you experience an inside
job where you judge immediate action must be taken against
an individual:
1. Contact organizational decision-makers.
2. Secure the area while the employee is away from the desk.
3. Minimize disturbance of the area. If possible, leave the
computer undisturbed for the professional investigators.
If the computer is turned on, leave it on and if it is turned
off, leave it off.
4. NEVER run programs on a computer in question.
5. NEVER let the owner/user of the computer help you open
or turn on the computer.
6. Gather and document additional data sources such as
backup tapes, firewall logs and intrusion detection logs.
7. Secure other items that may be evidence such as
notepads, books and office items.
8. Start a chain of custody documentation: Log each piece
of evidence and the individual and/or organization that
handles the evidence. Include where, when and who
discovered evidence; who has handled and/or examined
the evidence and a record of evidence custody, including
shipping numbers, times and dates.

Emergency External Attack: If you experience an external
attack:

Option 1: Maintain a low profile and call in the experts.
If you have time to assess the risk, keep quiet and contact
forensics professionals. Forensics investigators can help you
assess the situation and lay traps. This approach can help
catch perpetrators in the act, seize evidence before it is
altered or destroyed and better understand how intruders are
gaining access.

Option 2: If immediate action must be taken.
1. Contact organizational decision makers.
2. If the computer is turned on, leave it on and if it is
turned off, leave it off.
3. NEVER run programs on a computer in question.

4. Gather and document additional data sources such as backup
tapes, firewall logs and intrusion detection logs.
