The television series CSI has given millions of viewers an appreciation of the role and importance of physical evidence in conducting criminal investigations.
Each week, we see the confluence of fingerprints, DNA tests, autopsies, microscopic examinations and ballistic evidence used to solve a murder or explain the circumstances surrounding an unusual death. The drama lies less in the events that are portrayed than in the thinking that lies behind the collection, preservation and interpretation of the evidence needed to solve the case and support prosecution.
IT managers aren't likely to confront dead bodies on the job, but a rudimentary knowledge of evidence, as it relates to computer data, can help protect your organisation's operations, data and processes. In today's computer-driven world, where networked e-mail and instant messaging are the communication norms, knowing how to collect, handle and analyse information on a miscreant's computers can be critical to a successful civil or criminal prosecution.
There are two categories of computer crime: criminal activity that involves using a computer to commit a crime, and criminal activity that has a computer as a target, such as a network intrusion or a denial-of-service attack. The same means of gathering evidence are used to solve both types of crimes. And the same kinds of skills used by the lawbreakers are needed to track them down.
Computer forensics is not a task to be undertaken lightly by just any IT worker. Instead, it calls for specialised skills and careful, documented procedures. A forensics expert knows what signs to look for and can identify additional information sources for relevant evidence, including earlier versions of data files or differently formatted versions of data used by other applications.
Computer data is fundamentally different in some respects from other types of information, and this affects how we have to handle it as evidence. Unlike a traditional paper trail, computer evidence frequently exists in many forms, and often different versions of documents are accessible on a computer disk or backup tapes. Data stored on a computer or network is difficult to destroy completely, because the data is likely to coexist on multiple hard drives, and deleted files and even reformatted disks can often be fully recovered. In addition, computer data can be replicated exactly for special analysis and processing without destroying the originals.
Any type of data can serve as evidence, including text documents, graphical images, calendar files, databases, spreadsheets, audio and video files, Web sites and application programs. Even viruses, Trojan horses and spyware can be secured and investigated. E-mail records and instant messaging logs can be valuable sources of evidence in litigation, because people are often more casual when using electronic communications than they are when they use hard-copy correspondence such as written memos and snail-mail letters.
And finally, digital data can be searched quickly and easily by machine, whereas paper documents must be examined manually.
Like other information used in a case, however, the result of a computer forensics investigation must follow the accepted standards of evidence as codified in state and federal law. In particular, an investigator must take special care to protect evidence and to preserve its original state. It's especially important to prevent suspect files from being altered or damaged through improper handling, viruses, electromagnetic or mechanical damage, and even booby traps. To accomplish this, it's necessary to do the following:
- Handle the original evidence as little as possible.
- Establish and maintain the chain of custody.
- Document everything that's done.
- Never go beyond what is known and can be proved from direct, personal knowledge.
Failure to protect evidence might mean that original data is irretrievably lost or changed and that results and conclusions may not hold up or be admissible in a court of law.
While the circumstances of each case will differ, some elements are common to most computer forensic investigations. Here are some actions you should take:
- Secure the computer system to prevent it from being altered or tampered with by the investigators, third parties or automated processes such as viruses or other types of malware. Never analyse data on the machine it was collected from unless there is no alternative.
- Make exact, forensically sound copies of data storage devices, including all hard drives. Do not change date/time stamps or alter the data itself. Do not overwrite unallocated space, which can happen when rebooting. Specialised equipment is available to speed and simplify the forensic copying of hard drives.
- Identify and discover all files on the system, including normal files, deleted-yet-remaining files, hidden files, password-protected files and encrypted files.
- Recover deleted files as far as possible. Pay special attention to specific areas of the hard drive, including boot sectors, page files and temporary or swap files used by application programs and by the operating system. Look at unallocated space (i.e., space marked as currently unused), as well as the unoccupied space at the end of a file in its last assigned disk cluster, after the end-of-file marker. Either area, though not part of an active file, might hold relevant data from a different file or a different version of a document.
- Maintain a full audit log of your activities throughout the investigation, and produce a detailed report at the end.
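The unallocated-space and file-slack points above, together with the rule that analysis must never alter the copied image, as an added example that is not from the original article: a constructed in-memory "disk" with 64-byte clusters stands in for a real drive (no real filesystem format is parsed), and the document text, cluster size and hash check are all assumptions made for the demonstration.

```python
import hashlib

CLUSTER = 64  # bytes per cluster on the simulated disk (constructed value)

def make_disk(n_clusters=8):
    """Blank disk image plus a free-cluster map (True = unallocated)."""
    return bytearray(CLUSTER * n_clusters), [True] * n_clusters

def write_file(disk, free, data):
    """Store data in the first free clusters and return (clusters, size).
    Bytes of the last cluster past end-of-file are left untouched: file slack."""
    clusters = []
    for off in range(0, len(data), CLUSTER):
        idx = free.index(True)
        free[idx] = False
        chunk = data[off:off + CLUSTER]
        disk[idx * CLUSTER:idx * CLUSTER + len(chunk)] = chunk
        clusters.append(idx)
    return clusters, len(data)

def delete_file(free, clusters):
    """Deletion only flips the allocation bits; the data stays on disk."""
    for idx in clusters:
        free[idx] = True

def carve(disk, free, active_files):
    """(area, cluster, text) for every unallocated cluster and every slack region of an active file holding non-zero bytes."""
    regions = [("unallocated", i, disk[i * CLUSTER:(i + 1) * CLUSTER])
               for i, is_free in enumerate(free) if is_free]
    for clusters, size in active_files:
        last, eof = clusters[-1], size % CLUSTER
        if eof:  # file does not end on a cluster boundary, so slack exists
            regions.append(("slack", last, disk[last * CLUSTER + eof:(last + 1) * CLUSTER]))
    return [(area, i, bytes(raw).strip(b"\x00").decode("ascii", "replace").strip())
            for area, i, raw in regions if raw.strip(b"\x00")]

def investigate():
    """Constructed scenario: a deleted draft is partly overwritten by a shorter final copy."""
    disk, free = make_disk()
    draft = (b"DRAFT v1: the reported margin was 12 percent, not the 18 percent "
             b"in the final copy. Do not circulate this version.")
    old_clusters, _ = write_file(disk, free, draft)
    delete_file(free, old_clusters)
    final = write_file(disk, free, b"Quarterly report, final copy.")
    before = hashlib.sha256(disk).hexdigest()   # hash the image before analysis
    hits = carve(disk, free, [final])
    assert hashlib.sha256(disk).hexdigest() == before, "analysis altered the image"
    return hits

if __name__ == "__main__": print(investigate())
```

Both remnants of the draft are recovered: the tail of the deleted document from the cluster that is now unallocated, and the middle of it from the slack behind the new, shorter file in cluster 0.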