Information Security News mailing list archives

CYBER SLEUTHS: Computer forensics booms as importance of electronic evidence grows


From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:15:50 -0600

http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2001/02/26/BU69784.DTL

Carrie Kirby, Chronicle Staff Writer
Monday, February 26, 2001

Kris Haworth is sitting around at the office, waiting for the day to
end so her work can begin.

When night falls, Haworth and several staff members plan to go to a
client's office, where the chief financial officer will be waiting to
let them in. Once inside, the team will open up several desktop
computers, pull out the hard drives and copy their entire contents
onto portable computers.

Haworth, 31, is one of Deloitte & Touche's computer forensics
investigators, private eyes for the digital age. For this case, her
team of eight is looking for evidence that an employee in her client's
supply department is accepting kickbacks from a vendor. Evidence the
team finds could lead to an employee's quiet dismissal or a lawsuit in
which Haworth might testify as an expert witness.

Computer forensics, once a discipline restricted to a small cloister
of law enforcement officers, is now a booming business. Demand for the
services is exploding as electronic evidence becomes more widely used
in court and as companies become increasingly concerned about the use
of computer networks for corporate spying and other mischief.

Deloitte & Touche is one of a growing number of consulting firms,
security vendors and companies devoted to computer forensics that are
stepping forward to fill the demand for electronic investigations.

STAGING A RAID

On this particular evening, the plan is to copy the contents of
several computers; the process takes 20 minutes per computer. The team
will then replace the hard drives, being careful to leave the desks
without a Post-It note out of place. When the employees return on
Monday, they will have no clue that, in a narrow, stuffy lab at
Deloitte & Touche's office in San Francisco, Haworth's team is poking
around at data from their PCs, looking for incriminating letters,
memos, e-mails and personal finance spreadsheets.

But for Haworth's team, this day will be disappointing -- the raid was
postponed. Haworth is not sure why it was delayed, but she wasn't
surprised -- plans change often under circumstances like this because
the client is nervous, she said. Conditions also have to be perfect: A
raid might be called off because one of the suspects takes home a
laptop for the weekend or because employees are working late in the
office.

But there will be a next time: Haworth's team gets several new cases
each day.

The cases Haworth takes on are as varied as Raymond Chandler gumshoe
Philip Marlowe's. Her team has pored over thousands of e-mail messages
for evidence that employees are spilling trade secrets; they've
searched for a "back door" to a computer network that a fired security
manager might have left himself; and they've recovered spreadsheets
and letters that embezzling executives thought they had deleted.

"It's one of the fastest-growing areas in information security
services spending," said Richard Dean, a program manager for
International Data Corp. in Framingham, Mass. IDC combines computer
forensics with other services that help companies respond to network
security breaches, whether those incidents are hacking intrusions or
employee misbehavior.

SPACIOUS NEW OFFICE

U.S. companies spent $118 million on computer forensics and other
incident response services in 2000, and are expected to more than
double that to $277 million by 2004, according to IDC.

Like many accounting firms, D&T is expanding its forensics operation,
which it started three years ago. The eight investigators on the San
Francisco team will soon move from a single room to a spacious lab
occupying most of a floor in the company's high-rise office space on
Fremont Street. Soon they will be joined by several additional
investigators.

The biggest limit on the growth of computer forensics is the shortage
of investigators with the training and expertise to follow a digital
trail and present evidence that is acceptable to the courts.

"There's not a lot of places we can hire these people from," said Joan
Feldman, founder and president of Seattle's Computer Forensics Inc.
"We overcome the experience threshold problem by hiring from law
enforcement."

The Central Intelligence Agency, the Federal Bureau of Investigation,
the Secret Service and even large city police agencies are all sources
of recruits.

By leaving the force and joining a computer forensics firm, computer
forensics investigators can make $100,000 more than what they used to
make annually, said Sean Walsh, president of the High Technology Crime
Investigation Association.

There are a handful of universities that offer classes and programs in
computer forensics, including George Washington University and Purdue.
But these programs have not yet become a major source of new recruits,
forensics managers say.

Most members of Deloitte & Touche's forensics team are young
technology professionals who have received several months of
investigation training and are learning more as they go along.
Exceptions are Gail Ospedale, a 20-year CIA veteran, and Haworth
herself, who has worked as a computer network designer and holds a law
degree from the Seattle University School of Law.

DISPUTE OVER SEVERANCE PAY

For some team members, the Friday night raid was to be their first.
While disappointed that it was called off, the crew had plenty of
other cases to investigate back at the lab. Investigator Ospedale went
through the data of a computer used by another client's employee. In
this case, the team was hired to find proof that the employee was
running a pornographic Web site from his office computer. The worker,
who had been fired, was seeking severance pay, and the client was
looking for grounds to deny it.

Ospedale used an investigative software program called Encase to
search every document and image on the computer, including things that
have been deleted. The difficult part is not recovering data, but
sorting through the thousands of documents to find the relevant ones.
She searched for the word "adult" and came up with 28,000 documents.
Many of them were pornographic images downloaded from the Internet.

Wading through such images wasn't pleasant, but with 20 years at the
CIA, Ospedale has seen worse. In a way, the team members are like
employees in photo developing shops -- in the course of their work,
they come across very personal and sometimes embarrassing things.

NO SUCH THING AS DELETE

In five years of working as a computer investigator, Haworth has found
that most people still have no idea that their e-mail might be read by
others, or that their workplace computers belong to their employers
and can legally be searched without a subpoena.

"In e-mail, people say the most astounding things," she said.

And people -- even executives -- are still naive about how difficult
it is to truly delete something from a computer, Haworth said. Hitting
the delete key simply moves a file to the recycle bin on a Windows PC.
Even after the recycle bin is emptied, the operating system only marks
the file's space on the hard disk as free; the contents stay on the
drive until that space is overwritten, and they are easy for
investigators to recover. If anything, Haworth said, deleting a file
only draws investigators' attention to it.

"The first thing I always do is say, 'What did they delete?' " Haworth
said.

"We look for people trying to hide files by removing them."
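What "delete" actually leaves behind, as an added example that is not code from the article or from the forensics lab it describes: a FAT-like toy volume held in a Python bytearray. The layout, the block and table sizes, and the sample memo text are all constructed for illustration. Deleting a file flags its directory entry and frees its blocks without touching the content; the examiner's keyword sweep reads the raw image rather than asking the filesystem, so it finds the memo anyway. The last two steps show the two things that do make it disappear: the space being reused by a new file, and a deliberate overwrite before deletion.

```python
import re
import struct

# Toy volume geometry (assumed values, kept small so the image is easy to inspect)
BLOCK_SIZE = 64                  # bytes per data block
NUM_BLOCKS = 32
DIR_ENTRIES = 8
NAME_LEN = 12
ENTRY_LEN = NAME_LEN + 2 + 4     # name | first block (u16) | length (u32)
BITMAP_OFF = DIR_ENTRIES * ENTRY_LEN   # one byte per block: 0 = free, 1 = allocated
DATA_OFF = BITMAP_OFF + NUM_BLOCKS
IMAGE_SIZE = DATA_OFF + NUM_BLOCKS * BLOCK_SIZE
DELETED = 0xE5                   # FAT's convention: first name byte of a deleted entry


def _blocks_for(length):
    return max(1, -(-length // BLOCK_SIZE))   # ceiling division


class ToyVolume:
    """A FAT-like volume held in one bytearray, i.e. a bit-for-bit 'image'."""

    def __init__(self):
        self.image = bytearray(IMAGE_SIZE)

    def _entry(self, i):
        off = i * ENTRY_LEN
        raw = bytes(self.image[off:off + ENTRY_LEN])
        start, length = struct.unpack(">HI", raw[NAME_LEN:])
        return off, raw[:NAME_LEN], start, length

    def _find(self, name):
        wanted = name.encode().ljust(NAME_LEN, b"\0")
        for i in range(DIR_ENTRIES):
            off, ename, start, length = self._entry(i)
            if ename == wanted:
                return off, start, length
        raise FileNotFoundError(name)

    def write_file(self, name, data):
        name_b = name.encode().ljust(NAME_LEN, b"\0")
        need = _blocks_for(len(data))
        bitmap = self.image[BITMAP_OFF:DATA_OFF]
        # first-fit search for a contiguous free run (no fragmentation, to keep the model small)
        start = next((s for s in range(NUM_BLOCKS - need + 1) if not any(bitmap[s:s + need])), None)
        slot = next((i for i in range(DIR_ENTRIES) if self._entry(i)[1][0] in (0, DELETED)), None)
        if start is None or slot is None:
            raise OSError("volume or directory full")
        off = slot * ENTRY_LEN
        self.image[off:off + ENTRY_LEN] = name_b + struct.pack(">HI", start, len(data))
        self.image[BITMAP_OFF + start:BITMAP_OFF + start + need] = b"\1" * need
        doff = DATA_OFF + start * BLOCK_SIZE
        self.image[doff:doff + len(data)] = data   # rest of the last block is left as is (slack)

    def delete_file(self, name):
        """'Emptying the recycle bin': flag the entry, free the blocks, touch no content."""
        off, start, length = self._find(name)
        self.image[off] = DELETED
        need = _blocks_for(length)
        self.image[BITMAP_OFF + start:BITMAP_OFF + start + need] = b"\0" * need

    def wipe_file(self, name):
        """Overwrite the content first, then delete; only this defeats the sweep below."""
        off, start, length = self._find(name)
        n, doff = _blocks_for(length) * BLOCK_SIZE, DATA_OFF + start * BLOCK_SIZE
        self.image[doff:doff + n] = b"\0" * n
        self.delete_file(name)

    def list_files(self):
        entries = (self._entry(i)[1] for i in range(DIR_ENTRIES))   # the user's view: live entries only
        return [e.rstrip(b"\0").decode() for e in entries if e[0] not in (0, DELETED)]

    # --- examiner side: reads the raw image and never asks the filesystem ---
    def keyword_search(self, pattern):
        """Offsets of every match anywhere in the image, live or deleted."""
        return [m.start() for m in re.finditer(pattern, bytes(self.image))]

    def undelete(self):
        """Recover files whose deleted entry still points at unreclaimed blocks."""
        found = {}
        for _, ename, start, length in map(self._entry, range(DIR_ENTRIES)):
            if ename[0] == DELETED:
                doff = DATA_OFF + start * BLOCK_SIZE
                name = (b"?" + ename[1:]).rstrip(b"\0").decode()   # first char lost, as on FAT
                found[name] = bytes(self.image[doff:doff + length])
        return found


def demo():
    """The article's scenario on the toy volume; returns what each step shows."""
    vol = ToyVolume()
    vol.write_file("memo.txt", b"Vendor agreed to 5% kickback on every PO. Delete this.")  # constructed
    vol.write_file("lunch.txt", b"Sandwiches at noon")
    vol.delete_file("memo.txt")                        # user 'empties the recycle bin'
    after_delete = {"visible": vol.list_files(),       # ['lunch.txt']
                    "hits": vol.keyword_search(rb"kickback"),   # one hit, inside the freed block
                    "recovered": vol.undelete()}       # {'?emo.txt': b'Vendor agreed ...'}
    vol.write_file("notes.txt", b"x" * BLOCK_SIZE)     # reuses block 0 and entry 0: memo overwritten
    after_reuse = vol.keyword_search(rb"kickback")     # []
    vol.write_file("memo2.txt", b"second kickback note")
    vol.wipe_file("memo2.txt")
    after_wipe = vol.keyword_search(rb"kickback")      # []
    return after_delete, after_reuse, after_wipe
```

Running `demo()` shows the order of events an examiner cares about: a keyword sweep of the raw image and a scan for flagged directory entries both recover the memo after it is "deleted", and nothing recovers it once the block has been reused or overwritten. The same holds, with different on-disk structures, for real filesystems, which is why the first question in the lab is what was deleted, and why a bit-for-bit image of the whole drive is taken rather than a copy of the visible files.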

What Haworth does is perfectly legal, because she always either has a
subpoena or is examining property that belongs to a client. Unless a
company has a privacy policy that promises not to do so, it's an
employer's legal right to monitor anything workers do on company-owned
equipment, said Cindy Cohn, legal director of San Francisco's
Electronic Frontier Foundation, a civil liberties group.

"(But) once you step beyond that there are some ethical issues that it
raises," Cohn said.

While teams like Haworth's can dig up valuable evidence, they can also
be used to intrude on employees unnecessarily, she said. "Technology
allows companies to do much more monitoring than they traditionally
did. I think that it demoralizes people and ultimately will have some
impact on productivity."

Haworth said that seeing what she's seen on work computers has changed
the way she uses her PC at Deloitte & Touche.

"Previous to this, I would go on my personal e-mail account at work.
Now I never would," she said.


---------------------------------------------------------------------

THE NEW PAPER TRAIL

E-mail has proved to be such compelling evidence, both in and out of
court, that computer investigators spend much of their time sifting
through stacks of backup tapes holding months or even years of old
e-mails. Here are some cases in which e-mail evidence played a key
role:

-- February 1998: E-mail messages in which Monica Lewinsky discussed
her affair with Bill Clinton were among the reams of evidence gathered
by Independent Counsel Kenneth Starr in his investigation of the
former president.

-- 1998-1999: In its antitrust case against Microsoft, the U.S.
government used e-mail messages from Bill Gates and other executives
to prove that the company was secretly plotting anti-competitive
measures.

-- February 2000: Northwest Airlines searched flight attendants' home
computers and obtained e-mails showing that the workers had
coordinated an illegal sick-out.

ISN is hosted by SecurityFocus.com