Frequently Asked Digital Forensics Questions

Over the years we’ve had a number of the same questions asked of us. Sometimes they’re from business owners or management and sometimes from attorneys looking out for their clients. This week we’ve chosen a few of the most frequent to answer.

How can computer or digital forensics help me?

It depends. No, really, it depends on the type of issue you have. The vast majority of our work can be boiled down to theft of company data, be it IP (intellectual property), trade secret data or some other kind of information critical to the operation of the business, all of which is typically related in some way. If we want to condense the work further, we can just say theft. With that in mind, what kind of theft might affect your company or client that you would like to know about? Besides the aforementioned data theft (which we break down shortly), there is time theft, resource theft, vendor theft (or more accurately a fake vendor, also known as fraud, but still theft) and just flat out theft of money. These are all areas where digital forensics can be invaluable, from inception (or an inkling of an issue) to conclusion (resulting in a jury verdict or even criminal charges being filed). Oftentimes the mere whisper of an issue with an employee is the only starting point we need to dig into an investigation and validate or refute the accusations. The issue with the employee could be the aforementioned theft of IP, where we can see if there’s smoke that may be indicative of a fire, or it could be refuting a harassment claim by a fellow employee only to discover that the one actually doing the harassing was the claimant! Suffice it to say we could do an entire post on all the types of cases we can (and oftentimes have) assisted with. Given that almost all work is done on computing devices today, discounting a forensic investigation’s ability to assist with or outright solve a case is shortsighted.

What’s the difference between forensics and e-discovery?

To use an analogy, it’s a bit like dragging a fishing net through the water versus using a spear gun. Put another way, on the one hand we’ve got Tom Hanks in Forrest Gump using a huge net to catch shrimp from a shrimpin’ boat, versus Tom Hanks in Cast Away throwing a spear to catch a fish in the shallows just off the beach. To elaborate, e-discovery deals with all kinds of active data on the computer that the user readily has access to and interacts with. Such active data typically consists of email, calendars, word processing documents, spreadsheets, PDFs, and databases. Digital forensics, however, will not only find all that data but also hunt for deleted data, pieces of data relevant to the case and interconnected data/devices, and build a timeline. Even that description is a bit simplistic. How about this: e-discovery can typically answer the “what?” question, while forensics goes on to try to discover the who, where, when, how, and why of the data in question. I can’t tell you how many times we have recovered incriminating evidence that an employee/suspect had deleted. Although e-discovery has its uses, this is really where computer forensics’ capability to locate the smoking gun shines.

Can you find everything that’s been deleted?

While some less than scrupulous (or frankly less experienced) forensic examiners may claim they can find everything, the truth is that no one can always find everything. What we can do is find quite a bit of data, especially if the deletion happened recently. Outside of complete recovery of deleted files, there are quite a few places on a computer’s drive that retain pieces of deleted files as well. We routinely find information of great value to the case in swap files, unallocated areas and fragments of temporary files that are not so temporary because they are still on the computer’s drive. For instance, we’ve been able to reassemble 95% of a document and understand most all of what was going on. When I say reassemble, oftentimes it’s less reassembly and more the removal of data that the operating system had intermingled with the tangible information of interest. Aside from that, what most people don’t realize is the extent to which the operating system (Windows, OS X, etc.) keeps pieces of data that we’re able to extract and make use of. Places like the registry for Windows, as well as System Restore points, which, if the computer is not scheduled to make regular “snapshots”, are typically created when some types of software are installed or updated. Suffice it to say that while deleted files and emails are oftentimes recoverable, in the event they are not, there is still plenty of meat left somewhere. You just have to know how and where to hunt for it.
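The two techniques that paragraph leans on, carving a deleted file out of unallocated space by its header and footer, and stripping operating-system noise away from a surviving text fragment, look like this in a small Python script. This is an added example written for this post, not the firm’s tooling; the byte buffer standing in for a slice of unallocated space is constructed here, and the single PDF signature is only an illustration of the header/footer tables real carvers carry.

```python
import re
from dataclasses import dataclass

# Constructed sample standing in for a few hundred bytes of unallocated space
# read from a disk image: filesystem noise, a deleted PDF whose directory
# entry is gone, and a fragment of a deleted text document.
SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b"\xff\xfe\x12\x34" * 8
    + b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n%%EOF\n"
    + b"\x00" * 32
    + b"ACME_CLIENT_LIST_Q3: Northwind Traders; Contoso Ltd; Fabrikam Inc"
    + b"\x00\x1b\x7f" * 16
    + b"\x00" * 40
)


@dataclass
class CarvedArtifact:
    kind: str      # signature label, e.g. "pdf"
    offset: int    # byte offset inside the scanned region
    data: bytes    # carved bytes, header through footer (or bounded window)


# (label, header, footer). Only PDF is listed here to keep the example short;
# a real carver carries a table of dozens of file types.
SIGNATURES = [
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve_by_signature(blob, signatures=SIGNATURES, max_len=1 << 20):
    """Scan raw bytes for known file headers and carve each header..footer span.

    No filesystem metadata is consulted, which is exactly why this works on
    unallocated space: the directory entry is gone but the content is not.
    """
    found = []
    for label, header, footer in signatures:
        start = 0
        while True:
            h = blob.find(header, start)
            if h == -1:
                break
            end = blob.find(footer, h)
            if end == -1:
                # Footer missing (file partly overwritten): carve a bounded window
                # so the examiner still gets the recoverable head of the file.
                chunk = blob[h:h + max_len]
            else:
                chunk = blob[h:end + len(footer)]
            found.append(CarvedArtifact(label, h, chunk))
            start = h + len(header)
    return found


def extract_text_fragments(blob, min_len=16):
    """Drop the OS/filesystem bytes intermingled with the text and return the
    printable runs, much like the `strings` tool. Returns (offset, text) pairs."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(blob)]


if __name__ == "__main__":
    for artifact in carve_by_signature(SAMPLE_UNALLOCATED):
        print(f"carved {artifact.kind} at offset {artifact.offset}: {len(artifact.data)} bytes")
    for offset, text in extract_text_fragments(SAMPLE_UNALLOCATED):
        print(f"text fragment at offset {offset}: {text!r}")
```

The carver deliberately ignores the filesystem and keys only on content, so it recovers the PDF even though nothing points at it anymore; the fragment extractor is what the paragraph calls removing the data the operating system intermingled with the information of interest. Against a real image you would run both over the unallocated clusters exported by your forensic suite, not over the whole disk.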

What pitfalls can someone avoid at the outset of a matter?

One of the biggest landmines we see people unknowingly step on is not securing the machine(s) or device(s) as soon as possible. In short, this creates a chain of custody issue which can lead to headaches and holdups later. An example would be the company reissuing the suspect’s computer to another employee. Another example might be a well-meaning IT professional booting up the computer and playing detective by searching with the computer’s built-in search functionality. When any doubt exists, take it out of service and offline. We oftentimes encourage companies to have a waiting period when someone in a position to do them harm leaves, putting those devices on the shelf for a bit. Now one of the things we encounter, because most folks aren’t looking for a way to take advantage, is: how do you know when someone is in such a position? Quite honestly, almost anyone within an organization can capitalize on data they shouldn’t have access to once they leave. This can mean a few things. First, people in an organization should only have access to the information they need to do their job. This is typically less of an issue at larger places and more so at small to medium sized organizations, where the closer relationships formed with workers as well as lots of cross training can often create an unfortunate blind spot for the company. Second, there are varying levels of data and inherent risk associated with different positions within the organization. For instance, while someone in HR has access to a multitude of critical data, unless they are planning on committing identity theft, the threat is typically lower that they will take information when they leave and hurt the business. However, someone from sales, operations or management typically has more to gain by taking information. Which makes sense, as these are the centers of productivity and in turn revenue. Whether it’s trade secret information regarding operations (the so called “secret sauce”), lists of vendors/clients, or recently completed plans/proposals/work product, all of these are ripe for the picking and are what we are frequently called in to investigate.

Why a computer/digital forensics expert instead of an IT professional?

IT is skilled at enabling the business to function. In today’s business environment they are critical, without a doubt. In the world we live in, if there’s no computer and no network, then no work gets done. But investigators? That’s where the skills begin to fall short. Troubleshooting they can do, but following leads is another matter: troubleshooting, while it has similarities to investigating, is not the same thing. Experience in not only knowing what we’re looking for but where the information resides and how to put the case together is oftentimes the area where IT stumbles. And if I’m really honest, there has been more than one time when, however well intentioned, I’ve had to tell counsel that IT already tried searching the computer before we got hold of it. Not insurmountable, sure, but then we should get an affidavit and account for what was done to the computer when it was secured. Then the technician may need to be deposed and/or give testimony in court. Hopefully only a minority of the metadata was affected by their actions. In short, IT, when operating outside of their wheelhouse, just tends to muddy the water a bit. Oftentimes dates and times are critical in making a case and establishing a timeline. Not properly securing a computer and making a forensic image without affecting the original evidence is what I’m getting at here. What I typically end up suggesting (especially if the company has sufficient resources) is that we train someone in house to establish a chain of custody, secure the machine or device, then make a forensic bit-for-bit image. After this is done, there are several basic and free tools that allow an in-house IT tech to search all they want while not disturbing the original evidence. Doing it this way gives them a process that can be documented and is repeatable, something that is important when conducting a digital forensic analysis. It also means that we can take possession of the evidence (and chain of custody!), do the heavy lifting, put the case together, work with outside counsel and effectively produce the statements of fact, affidavits, depositions and testimony!
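The in-house procedure described in this answer (secure the device, record chain of custody, take a bit-for-bit image, and only then let anyone search) has a small, checkable core: the image must hash identically to the source, and every handling step must be logged in a way that a later change to the log is detectable. The Python below is an added example written for this post, not the firm’s own acquisition tooling or a replacement for a write blocker and a forensic imager; the “device” is a constructed in-memory buffer, and the examiner name and evidence ID are placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 64 * 1024

# Constructed stand-in for a seized device. In practice the source is a
# write-blocked physical disk, never an in-memory buffer.
CONSTRUCTED_DEVICE = (
    b"NTFS    " + b"\x00" * 500 + b"quarterly_plan.docx" + b"\x00" * 1024
) * 4


def open_bytes(data):
    """Wrap constructed bytes in a binary stream, standing in for an open device."""
    return io.BytesIO(data)


def hash_stream(stream, algorithms=("md5", "sha256")):
    """Hash a stream in chunks. Acquisition forms conventionally record both digests."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in iter(lambda: stream.read(CHUNK), b""):
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


class CustodyLog:
    """Append-only chain-of-custody record; each entry commits to the previous one,
    so editing or dropping an earlier entry breaks verify_chain()."""

    def __init__(self):
        self.entries = []

    def record(self, action, actor, evidence_id, **details):
        prev = self.entries[-1]["entry_sha256"] if self.entries else "0" * 64
        entry = {
            "seq": len(self.entries) + 1,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(),
            "action": action,
            "actor": actor,
            "evidence_id": evidence_id,
            "details": details,
            "prev_entry_sha256": prev,
        }
        body = json.dumps(entry, sort_keys=True).encode()
        entry["entry_sha256"] = hashlib.sha256(body).hexdigest()
        self.entries.append(entry)
        return entry

    def verify_chain(self):
        prev = "0" * 64
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "entry_sha256"}
            if body["prev_entry_sha256"] != prev:
                return False
            digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if digest != entry["entry_sha256"]:
                return False
            prev = entry["entry_sha256"]
        return True


def acquire_image(source, destination, log, examiner, evidence_id):
    """Bit-for-bit copy of source into destination, hashing the source as it is read,
    then an independent re-read and re-hash of the copy. Only a match counts as a
    verified image."""
    src_hashers = {n: hashlib.new(n) for n in ("md5", "sha256")}
    for chunk in iter(lambda: source.read(CHUNK), b""):
        destination.write(chunk)
        for h in src_hashers.values():
            h.update(chunk)
    source_hashes = {n: h.hexdigest() for n, h in src_hashers.items()}
    destination.flush()
    destination.seek(0)
    image_hashes = hash_stream(destination)  # re-read the copy; do not trust the write path
    verified = image_hashes == source_hashes
    log.record("acquire_image", examiner, evidence_id,
               source_hashes=source_hashes, image_hashes=image_hashes, verified=verified)
    return {"verified": verified, **source_hashes}


def verify_image(stream, expected_sha256):
    """Re-hash an image before any analysis; a mismatch means the evidence changed."""
    return hash_stream(stream, ("sha256",))["sha256"] == expected_sha256


def demo_acquisition(examiner="in-house technician (placeholder)",
                     evidence_id="EVD-0001 (placeholder)"):
    log = CustodyLog()
    log.record("secured_device", examiner, evidence_id, location="evidence locker (constructed)")
    result = acquire_image(open_bytes(CONSTRUCTED_DEVICE), io.BytesIO(), log, examiner, evidence_id)
    return result, log


if __name__ == "__main__":
    result, log = demo_acquisition()
    print(json.dumps(result, indent=2))
    print("custody log intact:", log.verify_chain())
```

The two checks are what an affidavit later rests on: the hashes prove the image is the evidence, and the hash-linked log shows who did what and when without a gap. Searches by IT then happen against the verified copy (or a working copy of it), so the original is never touched again after acquisition.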

In the next post, we’ll resume our story of forensically investigating a computer when we continue delving into a number of ways that folks take data that doesn’t belong to them, also known as theft. #DigitalForensics #IntellectualPropertyTheft #IPTheft #TradeSecretTheft #FAQ
