Computer forensics experts piece together the puzzle
By Shelia Watson
The television series “CSI: Crime Scene Investigation” has done much to educate the viewing public on the importance of collecting physical evidence. Each week viewers are treated to a variety of forensic activities, including autopsies, ballistics examinations, fingerprint collections, DNA tests and blood sampling.
Computer forensics is much the same, except, one would hope, without dead bodies or bloodstained crime scenes.
“What we do is a lot like what you see on the CSI show,” said Mark King, a computer forensics expert working on the Al Parish case.
Obviously the case isn’t solved in an hour, he pointed out, but the meticulous nature of the work is the same.
“You see them (on the show) taking every fingerprint, getting details of everything and taking the photos,” he said. “That goes on with the data too. We’re looking at the computer, noting that it’s the original data drive, getting an accurate image so the evidence can be used in the cases.
“It’s different than a bullet shell or blood, but it’s still important evidence.”
In today’s computer-driven world, where email and instant messaging are the norm, knowing how to collect, handle and analyze information on a computer can be critical to a successful civil or criminal prosecution.
King said that years ago discovery of evidence meant spending hours looking through stacks of papers in file cabinets and boxes. Today, almost everything is in electronic form.
“There are still some things printed out, but most things are on computers today,” he said. “That’s where we first go to try and forensically recover electronic data and media, be it a desktop computer, a laptop, a PDA or a cell phone.”
Forensics experts know what to look for and can identify additional information sources for relevant evidence, including earlier versions of data files or differently formatted versions of data used by other applications.
Computer data differs from other types of information in ways that can affect how it is handled as evidence. As with other information in a case, the investigation must follow the accepted standards of evidence as codified in state and federal law. With electronic data in particular, an investigator must preserve the evidence in its original state and prevent suspect files from being altered or damaged through viruses, improper handling, or electromagnetic or mechanical damage.
Fortunately, data can be replicated exactly for analysis and processing without destroying the originals. King said he makes a copy of the hard drive and works off of the copy using forensic software to analyze the data.
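The copy-then-analyze step described above depends on being able to show that the working copy is bit-for-bit identical to the original and stays that way. The sketch below is an added illustration, not part of the original article and not the software King uses; the file names and the random sample "drive" are constructed for the demonstration.

```python
import hashlib
import os
import stat
import tempfile

CHUNK = 1024 * 1024  # stream in 1 MiB blocks; a drive image will not fit in RAM


def sha256_of(path):
    """Hash a file (or raw device node) by streaming it block by block."""
    digest = hashlib.sha256()
    with open(path, "rb") as src:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def acquire(source, working_copy):
    """Copy source to working_copy and return the hash recorded for both."""
    digest = hashlib.sha256()
    # Source is opened read-only; "xb" refuses to overwrite an existing copy.
    with open(source, "rb") as src, open(working_copy, "xb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
        dst.flush()
        os.fsync(dst.fileno())
    # Re-read the copy from disk so a bad write is caught before analysis.
    if sha256_of(working_copy) != digest.hexdigest():
        raise IOError("working copy does not match source")
    os.chmod(working_copy, stat.S_IRUSR)  # verified copy becomes read-only
    return digest.hexdigest()


def demo():
    """Acquire a constructed 3 MiB sample 'drive', then alter one byte of the copy."""
    with tempfile.TemporaryDirectory() as tmp:
        src, cpy = os.path.join(tmp, "source.img"), os.path.join(tmp, "working.img")
        with open(src, "wb") as f:
            f.write(os.urandom(3 * CHUNK + 17))  # constructed sample data
        recorded = acquire(src, cpy)
        intact = sha256_of(cpy) == recorded and sha256_of(src) == recorded
        os.chmod(cpy, stat.S_IRUSR | stat.S_IWUSR)
        with open(cpy, "r+b") as f:  # simulate mishandling: flip one bit
            f.seek(CHUNK)
            flipped = bytes([f.read(1)[0] ^ 0x01])
            f.seek(CHUNK)
            f.write(flipped)
        return intact, sha256_of(cpy) != recorded
```

A single flipped bit changes the hash, so the value recorded at acquisition lets anyone re-check the copy later. Opening the source read-only in software is not a substitute for a hardware write blocker on a real drive.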
Unlike a traditional paper trail, computer evidence can exist in many forms, and different versions of documents often are accessible on a disk or backup tape. A wide range of data can serve as evidence, including text documents, databases, spreadsheets, images, audio and video files, calendar files, Web sites and application programs.
Electronic data also has an advantage over paper in that it can be searched quickly and easily, whereas paper documents must be examined manually.
The work itself is the epitome of perseverance.
“You have to be very persistent, very patient,” King said. “It’s very time consuming because of the amount that has to be analyzed, but it’s also very interesting and challenging.”
King called the work a type of triage.
“When we go in, the first person we’re interested in is the top person, the CEO or president,” he said. “Next we go to the accounting person, the CFO or controller. Next we get the person in charge of investor relations. That way we start acquiring and triaging the electronic media.”
King said the first items he tries to locate are the investor lists so he can start forming a database and contact them about the case so they can provide their proofs of claim. After that, he begins looking for the accounting records and puts together a funds tracing database that will tell him what was invested and by whom.
“Typically the electronic records that can be the most important to our investigation and piecing everything together are the financial records, the accounting and bank statements,” said J. David Dantzler, an attorney who is working with the receiver in the case. “We also want any information regarding investors, and that could include drafts of advertising materials, offering documents, agreements, basically anything that could inform us about the history of the person we’re investigating.”
Dantzler pointed out that email records and instant messaging logs can be valuable sources of evidence, because people are often more casual when using that type of communication than they are in hard-copy correspondence such as written memos and letters.
“Far and away those are among the most important records,” he said. “They’re usually quick and off the cuff, so it’s much more like having insight into a phone conversation. You’re not as measured as you might be in a letter, so you can sometimes get a more accurate view of the person.”
King called the Parish case “unique” in the sheer volume of data that needed to be analyzed. According to the receiver’s report filed in May, the items recovered included 17 computers and laptops along with a number of electronic storage devices.
“The computer he used at his office held two 500-gigabyte drives,” King said. “Most people don’t need a terabyte for data. When you get up into that size, it really takes a long time to analyze.”
King noted that computer forensics will only become more challenging because more and more items are being stored electronically.
“More computers are being used in business today, plus the programs are getting larger and the hard drives are getting bigger,” King said. “For us and for law enforcement and the government, we’re continually trying to keep up so we can do a fast analysis.”
“We’re in the electronic age,” he said. “That’s certainly true with respect to funds tracing. Today people usually keep electronic checkbooks or accounting records, and we can very quickly get a sense of where the money came from and where it went. In fact, if someone is keeping a paper check register, it’s a little more difficult than it used to be to get that information because you have to piece it together now from records turned over from the banks.”
Computer forensics is likely to become not only more challenging but more competitive. According to a recent Socha-Gelbmann Electronic Discovery survey report, about $1.3 billion was spent on electronic discovery last year and that figure is expected to grow this year by 37%.
Killing an electronic file easier said than done
By Shelia Watson
Parish may have claimed amnesia, but his computer’s memory remained intact.
Destroying information on a computer is an extremely difficult task. Memory chips can be read even after a machine is turned off, and they have undocumented diagnostic modes that allow access to leftover fragments of bits.
Data on a magnetic disk can be recovered even after being overwritten multiple times, and, although disk drives are designed to read only what was written last, traces of older magnetic patterns can exist on the physical drive for years.
Data stored on a computer or network can coexist on multiple hard drives, and deleted files and even reformatted disks can be fully recovered.
Computer file systems typically store files as contiguous sequences of bytes and organize those files within a directory hierarchy. Besides names and contents, files and directories have attributes such as ownership, access permissions, time of last modification, etc., all of which provide clues for forensics experts.
John Patzakis, president and chief legal officer of Guidance Software, a company that specializes in forensics software solutions, pointed to an example in one computer forensics case: The forensics team recovered more than 1,000 emails on a hard drive 18 months after the individual had left the company, after the hard drive had been reformatted and after the machine had been in use by another individual for those 18 months.
“The best way to remove email from a hard drive is to hit it with a sledge hammer and throw it into a furnace,” Patzakis said.