Information Security News mailing list archives
CYBER SLEUTHS: Computer forensics booms as importance of electronic evidence grows
From: InfoSec News <isn () C4I ORG>
Date: Mon, 26 Feb 2001 13:15:50 -0600
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2001/02/26/BU69784.DTL

Carrie Kirby, Chronicle Staff Writer
Monday, February 26, 2001

Kris Haworth is sitting around at the office, waiting for the day to end so her work can begin.

When night falls, Haworth and several staff members plan to go to a client's office, where the chief financial officer will be waiting to let them in. Once inside, the team will open up several desktop computers, pull out the hard drives and copy their entire contents onto portable computers.

Haworth, 31, is one of Deloitte & Touche's computer forensics investigators, private eyes for the digital age. For this case, her team of eight is looking for evidence that an employee in her client's supply department is accepting kickbacks from a vendor. Evidence the team finds could lead to an employee's quiet dismissal or a lawsuit in which Haworth might testify as an expert witness.

Computer forensics, once a discipline restricted to a small cloister of law enforcement officers, is now a booming business. Demand for the services is exploding as electronic evidence becomes more widely used in court and as companies become increasingly concerned about the use of computer networks for corporate spying and other mischief.

Deloitte & Touche is one of a growing number of consulting firms, security vendors and companies devoted to computer forensics that are stepping forward to fill the demand for electronic investigations.

STAGING A RAID

On this particular evening, the plan is to copy the contents of several computers; the process takes 20 minutes per computer. The team will then replace the hard drives, being careful to leave the desks without a Post-It note out of place.
When the employees return on Monday, they will have no clue that, in a narrow, stuffy lab at Deloitte & Touche's office in San Francisco, Haworth's team is poking around at data from their PCs, looking for incriminating letters, memos, e-mails and personal finance spreadsheets.

But for Haworth's team, this day will be disappointing -- the raid was postponed. Haworth is not sure why it was delayed, but she wasn't surprised -- plans change often under circumstances like this because the client is nervous, she said.

Conditions also have to be perfect: A raid might be called off because one of the suspects takes home a laptop for the weekend or because employees are working late in the office.

But there will be a next time: Haworth's team gets several new cases each day.

The cases Haworth takes on are as varied as Raymond Chandler gumshoe Philip Marlowe's. Her team has pored over thousands of e-mail messages for evidence that employees are spilling trade secrets; they've searched for a "back door" to a computer network that a fired security manager might have left himself; and they've recovered spreadsheets and letters that embezzling executives thought they had deleted.

"It's one of the fastest-growing areas in information security services spending," said Richard Dean, a program manager for International Data Corp. in Framingham, Mass. IDC combines computer forensics with other services that help companies respond to network security breaches, whether those incidents are hacking intrusions or employee misbehavior.

SPACIOUS NEW OFFICE

U.S. companies spent $118 million on computer forensics and other incident response services in 2000, and are expected to more than double that to $277 million by 2004, according to IDC.

Like many accounting firms, D&T is expanding its forensics operation, which it started three years ago.
The eight investigators on the San Francisco team will soon move from a single room to a spacious lab occupying most of a floor in the company's high-rise office space on Fremont Street. Soon they will be joined by several additional investigators.

The biggest limit on the growth of computer forensics is the shortage of investigators with the training and expertise to follow a digital trail and present evidence that is acceptable to the courts.

"There's not a lot of places we can hire these people from," said Joan Feldman, founder and president of Seattle's Computer Forensics Inc. "We overcome the experience threshold problem by hiring from law enforcement."

The Central Intelligence Agency, the Federal Bureau of Investigation, the Secret Service and even large city police agencies are all sources of recruits. By leaving the force and joining a computer forensics firm, computer forensics investigators can make $100,000 more than what they used to make annually, said Sean Walsh, president of the High Technology Crime Investigation Association.

There are a handful of universities that offer classes and programs in computer forensics, including George Washington University and Purdue. But these programs have not yet become a major source of new recruits, forensics managers say.

Most members of Deloitte & Touche's forensics team are young technology professionals who have received several months of investigation training and are learning more as they go along. Exceptions are Gail Ospedale, a 20-year CIA veteran, and Haworth herself, who has worked as a computer network designer and holds a law degree from the Seattle University School of Law.

DISPUTE OVER SEVERANCE PAY

For some team members, the Friday night raid was to be their first. While disappointed that it was called off, the crew had plenty of other cases to investigate back at the lab. Investigator Ospedale went through the data of a computer used by another client's employee.
In this case, the team was hired to find proof that the employee was running a pornographic Web site from his office computer. The worker, who had been fired, was seeking severance pay, and the client was looking for grounds to deny it.

Ospedale used an investigative software program called Encase to search every document and image on the computer, including things that have been deleted. The difficult part is not recovering data, but sorting through the thousands of documents to find the relevant ones. She searched for the word "adult" and came up with 28,000 documents. Many of them were pornographic images downloaded from the Internet.

Wading through such images wasn't pleasant, but with 20 years at the CIA, Ospedale has seen worse. In a way, the team members are like employees in photo developing shops -- in the course of their work, they come across very personal and sometimes embarrassing things.

NO SUCH THING AS DELETE

In five years of working as a computer investigator, Haworth has found that most people still have no idea that their e-mail might be read by others, or that their workplace computers belong to their employers and can legally be searched without a subpoena.

"In e-mail, people say the most astounding things," she said.

And people -- even executives -- are still naive about how difficult it is to truly delete something from a computer, Haworth said. In fact, hitting the delete key simply moves a file to the recycle bin on a Windows PC. Even after emptying the recycle bin, deleted documents are still stored in the computer's memory and are easy for investigators to recover.

In fact, Haworth said, deleting a file only draws investigators' attention to it.

"The first thing I always do is say, 'What did they delete?' " Haworth said. "We look for people trying to hide files by removing them."

What Haworth does is perfectly legal, because she always either has a subpoena or is examining property that belongs to a client.
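The two investigative steps described above, a keyword search that covers deleted material and the recovery of files a user believed were gone, are shown below as an added example that is not part of the article and is not Encase's or Deloitte & Touche's code. It builds a small constructed disk image with a FAT-like directory (an assumption made for the example; real filesystems differ in detail but keep the same property) to show why an ordinary delete leaves the content bytes in place on the disk, how a search over the raw image, unallocated space included, turns them up, why an overwrite is what actually destroys data, and how a hash of the image demonstrates that the evidence was examined without being changed. Python standard library only; all file names and contents are made up.

```python
import hashlib
import struct

# Constructed toy disk layout, an assumption for this example rather than a real
# filesystem: a directory of 8 fixed 32-byte entries, then a data area where
# file contents are stored back to back. Like FAT, a directory entry keeps the
# file's start and size even after the file is "deleted".
ENTRY_FMT = "<16sIIB7x"                   # name, data offset, length, allocated flag, pad
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)   # 32 bytes
MAX_ENTRIES = 8
DATA_START = MAX_ENTRIES * ENTRY_SIZE     # 256
IMAGE_SIZE = 4096


def new_image() -> bytearray:
    return bytearray(IMAGE_SIZE)


def read_dir(image):
    """Return (name, offset, length, allocated) for every directory slot in use."""
    out = []
    for i in range(MAX_ENTRIES):
        name, off, length, alloc = struct.unpack_from(ENTRY_FMT, image, i * ENTRY_SIZE)
        if length:
            out.append((name.rstrip(b"\0").decode(), off, length, bool(alloc)))
    return out


def write_file(image, name: str, data: bytes) -> None:
    """Append a non-empty file into the next free slot and data region."""
    entries = read_dir(image)
    slot = len(entries)
    off = max((e[1] + e[2] for e in entries), default=DATA_START)
    if not data or slot >= MAX_ENTRIES or off + len(data) > IMAGE_SIZE:
        raise ValueError("empty file or image full")
    image[off:off + len(data)] = data
    struct.pack_into(ENTRY_FMT, image, slot * ENTRY_SIZE, name.encode(), off, len(data), 1)


def _locate(image, name):
    for slot, entry in enumerate(read_dir(image)):
        if entry[0] == name:
            return slot, entry
    raise FileNotFoundError(name)


def delete_file(image, name: str) -> None:
    """Ordinary delete: only the allocated flag is cleared. Offset, length and
    every content byte stay on disk until the space happens to be reused."""
    slot, (_, off, length, _) = _locate(image, name)
    struct.pack_into(ENTRY_FMT, image, slot * ENTRY_SIZE, name.encode(), off, length, 0)


def secure_delete_file(image, name: str) -> None:
    """Overwrite the content before releasing it; this is what actually removes data."""
    slot, (_, off, length, _) = _locate(image, name)
    image[off:off + length] = b"\0" * length
    struct.pack_into(ENTRY_FMT, image, slot * ENTRY_SIZE, name.encode(), off, length, 0)


def keyword_search(image, word: str):
    """Case-insensitive search over the whole image, allocated and unallocated
    space alike, as a forensic keyword search does. Each hit is
    (offset, owning file name or None, owner still allocated?)."""
    entries = read_dir(image)
    hay, needle = bytes(image).lower(), word.encode().lower()
    hits = []
    pos = hay.find(needle)
    while pos != -1:
        owner = next((e for e in entries if e[1] <= pos < e[1] + e[2]), None)
        hits.append((pos, owner[0] if owner else None, bool(owner and owner[3])))
        pos = hay.find(needle, pos + 1)
    return hits


def undelete(image):
    """Recover the content of every file whose entry was merely unflagged."""
    return {e[0]: bytes(image[e[1]:e[1] + e[2]]) for e in read_dir(image) if not e[3]}


def image_hash(image) -> str:
    """SHA-256 of the whole image: recorded when the copy is taken and compared
    again after analysis to show the evidence was examined read-only."""
    return hashlib.sha256(bytes(image)).hexdigest()


def demo():
    img = new_image()
    # Constructed sample documents standing in for the files on a copied drive.
    write_file(img, "budget.xls", b"Q4 budget: vendor payments approved by supply dept")
    write_file(img, "memo.txt", b"Memo: the vendor kickback is routed through my brother")
    write_file(img, "notes.txt", b"Lunch order for Friday")
    delete_file(img, "memo.txt")          # the user deletes the memo and empties the bin
    acquired = image_hash(img)            # hash taken when the drive is copied
    hits = keyword_search(img, "kickback")
    recovered = undelete(img)
    intact = image_hash(img) == acquired  # searching and undeleting changed nothing
    secure_delete_file(img, "notes.txt")  # contrast: overwrite, then release
    return {"hits": hits, "recovered": recovered, "intact": intact,
            "after_wipe": keyword_search(img, "lunch"),
            "wiped_entry": undelete(img)["notes.txt"]}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the deleted memo turning up in the keyword search with its owner marked as unallocated and its full text recovered, while the image hash is unchanged by the analysis; after the overwrite, the directory still names `notes.txt` but neither the search nor undeletion yields anything, which is why wiping, not deleting, is the only control that removes content from a disk.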
Unless a company has a privacy policy that promises not to do so, it's an employer's legal right to monitor anything workers do on company-owned equipment, said Cindy Cohn, legal director of San Francisco's Electronic Frontier Foundation, a civil liberties group.

"(But) once you step beyond that there are some ethical issues that it raises," Cohn said. While teams like Haworth's can dig up valuable evidence, they can also be used to intrude on employees unnecessarily, she said. "Technology allows companies to do much more monitoring than they traditionally did. I think that it demoralizes people and ultimately will have some impact on productivity."

Haworth said that seeing what she's seen on work computers has changed the way she uses her PC at Deloitte & Touche. "Previous to this, I would go on my personal e-mail account at work. Now I never would," she said.

---------------------------------------------------------------------

THE NEW PAPER TRAIL

E-mail has proved to be such compelling evidence, both in and out of court, that computer investigators spend much of their time sifting through stacks of backup tapes holding months or even years of old e-mails. Here are some cases in which e-mail evidence played a key role:

-- February 1998: E-mail messages in which Monica Lewinsky discussed her affair with Bill Clinton were among the reams of evidence gathered by Independent Counsel Kenneth Starr in his investigation of the former president.

-- 1998-1999: In its antitrust case against Microsoft, the U.S. government used e-mail messages from Bill Gates and other executives to prove that the company was secretly plotting anti-competitive measures.

-- February 2000: Northwest Airlines searched flight attendants' home computers and obtained e-mails showing that the workers had coordinated an illegal sick-out.