Computer Forensics: What Every IT Organization Should Know

Part 1

In this article we will discuss pertinent details of computer forensics that every IT organization should be aware of. This is not meant to be an exhaustive study of computer forensics, but simply a first attempt at educating IT professionals on the basics and at emphasizing the need to work with certified forensic examiners. If you want to explore this subject in more detail, feel free to contact me at the email listed at the end of the article. One major caveat: the computer forensic methods mentioned in this article apply in large part to hard disk drives (HDDs), not solid-state drives (SSDs). SSDs store information internally in a completely different way, which makes it much easier to destroy information and much more difficult to recover it.

Why Computer Forensics

When I began my career in the computer industry over 30 years ago, most vital corporate information was stored on mainframes. In today's BYOD world corporate information can be stored on a large variety of devices. Many companies are just now creating policies regarding BYOD. The problem is that corporate data is no longer restricted to internal corporate machines. End users typically have documents, emails, presentations, and other types of data on their portable devices. This brings us to one of the main reasons to understand computer forensics: risk management.

What risks are corporations facing? Here is a short list of typical cases we have handled over the years:
  • Copyright infringement
  • Industrial espionage
  • Money laundering
  • Sexual harassment
  • Theft of intellectual property
  • Unauthorized access to confidential information
  • Intentional destruction of information
  • Fraud
  • Illegal duplication of software
The list goes on and on. The legal costs associated with these types of cases can be staggering. IT departments have to ensure they minimize any risks associated with searching for and retrieving data for evidentiary purposes. Using certified forensic professionals is the best way to safeguard your legal options. They can also uncover computer and network vulnerabilities you may be unaware of. One recent case involved an employee who was copying confidential documents from their work computer to their Xbox game system! Sometimes a forensic examiner can simply confirm or dispel whether an incident has actually occurred.

What is computer forensics?

The U.S. Department of Justice defines computer forensics as "the use of scientifically derived and proven methods toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events". Basically, computer forensics is the expert acquisition, interpretation, and presentation of data from a computing device in a way that is suitable for use as evidence in a court of law. I want to emphasize the word "expert". This is not something that should be handled by your IT staff, unless they have been specifically trained and certified in computer forensics. The biggest problem we run into is companies attempting to retrieve evidence from devices and inadvertently modifying the data in the process. Any changes (date/time stamps, etc.) to original content can be suspect in court and potentially excluded as evidence. If your company or law firm has never retained the services of a computer forensics expert, NOW is the time to find one.
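The "preservation" and "validation" steps in that definition rest on being able to prove that the data examined is byte-for-byte what was acquired. The Python below is an added illustration, not code from the article or its author: it records a SHA-256 hash of an acquired image at collection time and re-verifies it later, showing that even a single changed byte is detected. The file name and contents are constructed placeholders standing in for a real drive image.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in fixed-size chunks so a multi-GB image never has to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, acquisition_hash):
    """Return True only if the file still matches the hash recorded at acquisition."""
    return sha256_file(path) == acquisition_hash.lower()


def demo():
    """Acquire, verify intact, alter one byte, verify again. Returns (intact, after_change)."""
    with tempfile.TemporaryDirectory() as workdir:
        # Constructed sample: a small blob stands in for an acquired disk image.
        image = os.path.join(workdir, "evidence_placeholder.dd")
        with open(image, "wb") as handle:
            handle.write(b"\x00" * 4096 + b"Confidential.docx" + b"\xff" * 4096)

        # Recorded once, at acquisition, and kept with the chain-of-custody paperwork.
        acquisition_hash = sha256_file(image)
        intact = verify_image(image, acquisition_hash)

        # Simulate the kind of inadvertent modification the article warns about:
        # a single byte written to the original instead of to a working copy.
        with open(image, "r+b") as handle:
            handle.seek(4096)
            handle.write(b"c")
        after_change = verify_image(image, acquisition_hash)

        return intact, after_change


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The hash covers file contents only; filesystem timestamps are separate metadata and are not protected by it, which is one reason examiners work from write-blocked copies rather than the original device.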

What to look for in a Forensic Examiner

In the vast history of data processing, computer forensics is a relatively young discipline. Initially it was reserved for experienced examiners primarily from federal, state, and local law enforcement agencies. Today there are companies listed all over the internet. So how can you find the right company to handle your data? There are several factors to consider. First, how long has the company been in business? As in any industry, some forensic companies have sprung up overnight. Ask for and check professional references. Many states require certain licenses or certifications. In Texas, for example, computer forensic examiners are required to obtain a private investigator's license. It is imperative that the company has forensic experts who have courtroom experience. While many companies can deftly handle finding and retrieving the information you need, they also need the ability to testify in court as to how they obtained the evidence. Finally, you need to make sure the company has EnCase® certified professionals.