Digital Forensics: Sleuthing on Hard Drives and Networks

Publication year: 2005
Citation: Vol. 2005 No. 12
Vermont Bar Journal, #163, December 2005, Volume 31, No. 3
by Beryl A. Howell, Esq.

The anonymous e-mail demand was blunt: "This is your notice that you are being given two weeks time to give $17,000,000 cash" or else "I will NOT deactivate all those servers that have been programmed to deliver DDOS attacks to IP attorneys world-wide, salvo after salvo, with compromised proprietary information."(fn1) The company victimized by this extortion demand had been on the receiving end of a harassing e-mail campaign for over a year, but this e-mail catapulted an annoying situation into a crisis.

The same anonymous perpetrator had sent hundreds of "spoofed" e-mails designed to appear as authentic messages from the company's officials to customers, with derogatory text about the company and attachments containing stolen confidential information and offensive sexually explicit patent applications. The perpetrator had successfully cloaked his identity by using unauthorized access to unprotected wireless computer networks in homes and businesses and computer labs at local universities. In short, this was a sophisticated hacker and cyber-crook who appeared capable of making good on his extortion threat to unleash the company's confidential and sensitive data to the world while shutting down, through distributed denial of service (DDOS) attacks, the computers of customers and potential customers.

In this case, tracking the suspect required the combined resources of law enforcement, a behavioral psychologist and a private digital forensic and investigations firm. Over the course of three months, after the author's firm was brought into the case, steps were taken to ascertain whether the perpetrator was a malicious insider or an outside hacker; to close security vulnerabilities within the company's network that were subject to exploitation; to identify, through profiling and other techniques, the suspect and whether he was working alone or with co-conspirators; and to monitor the suspect's movements and connect his whereabouts to the locations where the anonymous e-mails originated. In the end, he was caught "red-handed" in his car with his laptop, computer equipment, and an antenna used to "surf" the airwaves to find open wireless Internet connections to hijack. More items related to the attempted extortion were located in a search of the perpetrator's house, including firearms, components for hand grenades, explosive powder and the ingredients, such as large quantities of castor beans, for making ricin, which is fatal in small quantities.(fn2)

In-house counsel and outside attorneys are usually the first people called when companies or individuals confront problematic situations that put their businesses in jeopardy. These situations may range from a lawsuit triggering electronic discovery obligations or a document demand for electronic records, to a network intrusion, denial of service attack, theft of intellectual property, an employee using the company network to download child pornography, or other kinds of unauthorized or even criminal activity. In each of these situations, the attorney is called upon not just for legal advice but also for practical advice about what to do. Since most information created and received in an organization is generated electronically and is stored on hard disks,(fn3) attorneys would serve their clients well by knowing enough about digital forensics to make strategic decisions about its use in these situations, rather than forfeiting this evidence out of ignorance.

Attorneys do not have to become computer scientists or professional cyber-sleuths to use digital forensics and, in fact, should leave to the independent forensic experts the performance of computer and network examinations. Yet, given the ubiquity of electronic information and electronic storage devices, every attorney should have an appreciation of the scope and types of information that digital forensic examinations can reveal from desktop and laptop computers, servers, personal digital assistants (PDAs), cellular telephones, and Blackberries, not only to avoid missing useful evidence to support a client's claims, but also to anticipate its defensive applications.

This article will survey the different types of evidence to search for on a computer or network, and the more common situations where such evidence may be probative and computer forensic expertise helpful. While it is the job of expert computer forensic examiners to preserve and examine digital evidence in a manner that does not damage, modify, or alter the data, attorneys should themselves be familiar with the kinds of evidence that can be found on a computer to help clients appreciate when such expertise would be helpful.

When to Speed-Dial Computer Forensics Experts

The situations where the assistance of a computer forensic expert may be helpful or even necessary are myriad, and just a few are highlighted here. For example, possible employee malfeasance may warrant examination of the employee's workplace computer. If a company suspects an employee is stealing, or using in an unauthorized manner, trade secrets or other confidential business information, such as customer lists or pricing data, examining the employee's computer may show improper copying or transfers of the stolen digital property onto thumb drives or other removable media, or to web-based e-mail accounts to avoid the corporate e-mail account. If a company discovers violations of workplace computer use policies involving employee installation of highly insecure peer-to-peer file-sharing software, compounded by use of that program to download pirated music or child pornography, the company may itself face liability risks associated with copyright infringement or possession of contraband.(fn4) Forensic imaging and examination of the employee's computer may reveal the extent of the liability exposure and bolster any administrative sanction the company determines is appropriate.

When confronted with document demands, subpoenas for records, or electronic discovery preservation and production obligations, attorneys must balance their clients' legitimate concerns over compliance costs with the risks of compliance shortfalls.(fn5) Noncompliance - inadvertent or caused by the intentional disregard of a litigation hold by a rogue employee - can have serious adverse repercussions for a company, ranging from costly spoliation sanctions to criminal liability for document destruction, either of which may be accompanied by reputational harm.(fn6) A company served, for example, with a document demand for all e-mails for the CFO, should preserve and search not only that employee's workplace computer and e-mailbox on the networked server, but should also preserve and search file servers for archived e-mail, old computers used by the employee, PDAs, and other areas depending on the network topography and scope of the request. Using digital forensics to preserve the relevant data, particularly of "key players" in the litigation, may counter any subsequent claims of insufficient search and preservation efforts and may provide exculpatory evidence to allay suspicions of improper deletion activity. Indeed, one court, which has issued a series of influential decisions on the scope of the preservation duty, has advised that keeping a set of existing backup tapes and a going-forward procedure for segregating later-created documents, "along with a mirror image of the computer system taken at the time the duty to preserve attached (to preserve documents in the state they existed at that time), creates a complete set of relevant documents."(fn7)

In situations where electronic records appear to be missing, or exist in a form that is surprising to one party, a computer forensic examination may shed light on the discrepancy and even dispose of the case. For example, if examination of a computer shows that a wiping program was used to delete data and render the data unrecoverable, that fact alone may be sufficient, depending upon the timing of the use of the destructive program, to show consciousness of guilt in both civil and criminal cases.(fn8) Where a "surprise" e-mail or other electronic record shows up in litigation, computer forensics can help establish its authenticity, or lack thereof, through examination not just of the...
