Let the Pros Investigate

Mistakes by a well-meaning IT staff could taint evidence and derail a court case.

It could be a series of erroneous corporate earnings statements or the unwitting loss of valuable trade secrets or customer data. It could be a string of sexual harassment allegations all pointing to one senior manager. Or it could be improper Internet usage that forces you to terminate an employee, who then sues for wrongful dismissal.

Whatever the cause, these potentially disastrous scenarios can be solved or proven only with the help of IT professionals with the right set of skills to investigate computer crimes.

Once thought of as the exclusive realm of violent-crime experts, forensics is fast becoming a mandatory skill set for companies that need to show that computer crimes don't go unsolved or unpunished. It's the painstaking and methodical sifting of data with one goal in mind: to gather evidence that will stand up in court. Here are some tips from the experts to make sure you win your case.

Lay the Legal Groundwork

Computer forensics is the identification, extraction, preservation and documentation of computer evidence that will stand up to legal challenges about its authenticity, accuracy and integrity. Think of it as an autopsy of a computer system with the goal of determining whether a crime has been committed and by whom, and then proving it.

"Computer forensics is a process or methodology to discover or refute an area of inquiry," says Morgan Wright, a senior information security specialist at Unisys Corp. in Blue Bell, Pa., and a board member of the International Association of Computer Investigative Specialists in Donahue, Iowa.

Computer forensics is knowing, for example, that your company's trade secrets have been leaked to a rival and then proving or disproving that the employee you suspect of committing the breach is responsible. "Once you understand what the objective is, that's when you start your forensic investigation," says Wright. "Forensics is neither pro-prosecution nor pro-defense; it's the pursuit of the truth."

Hire Trained Investigators

Wright says the key difference between standard employee monitoring and a forensics investigation is the goal of preserving evidence that will stand up to legal challenges in court. He cites as an example the investigation of an acceptable-use violation, which might include looking into the user's history and proxy servers.

"On the other hand, let's say that same employee downloaded child pornography. Now, a system administrator who is not trained in forensics can accidentally trample over a lot of key evidence," says Wright.

The most common mistake that companies make when it comes to computer forensics is thinking that their own systems administrators are capable of conducting a professional forensics investigation, says Thomas Aleman, national leader of analytic and forensic technology at Deloitte & Touche LLP's Computer Forensic and Investigative Services Group.

"The IT department is typically not trained and doesn't have the appropriate tools," says Aleman. "They turn on the machine under investigation, and as happens when machines are powered on, critical data starts changing."

In fact, Aleman recalls a case where the IT department at a large manufacturing firm was called in to recover data from the computer of a terminated employee who claimed to have been wrongfully dismissed. The administrators first turned on the suspect's computer. "The reality was that critical files had changed. And from a prosecution standpoint, the terminated employee was then in a position to argue that incriminating data was not in his system when he left," he says.
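Aleman's point above, that simply powering on a machine changes files and leaves the other side free to argue the evidence was altered afterwards, is what hash-based integrity checks are meant to answer: the examiner hashes the medium at acquisition, records who handled the image and when, and re-hashes before presenting it. The following is an added Python example and is not from the article or from any of the firms quoted; it uses only the standard library, the "drive" it images is a constructed byte string standing in for a suspect workstation, and `acquire_image`, `record_custody` and `verify_image` are hypothetical helper names chosen for this illustration.

```python
# Added example (not from the article): preserving evidence integrity with
# cryptographic hashes and a simple chain-of-custody manifest.
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 so large images never sit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def acquire_image(source_bytes, image_path):
    """Write a bit-for-bit copy of the source medium to image_path.

    The source is hashed before copying and the image is hashed after, so a
    copy that does not match the original is rejected at acquisition time.
    Here the source is a constructed byte string standing in for a drive.
    """
    source_hash = hashlib.sha256(source_bytes).hexdigest()
    with open(image_path, "wb") as fh:
        fh.write(source_bytes)
    image_hash = sha256_of_file(image_path)
    if image_hash != source_hash:
        raise RuntimeError("image hash does not match source; acquisition failed")
    return image_hash


def record_custody(manifest_path, image_path, image_hash, examiner, action):
    """Append one chain-of-custody entry (who, when, what, hash) as a JSON line."""
    entry = {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
        "image": os.path.basename(image_path),
        "sha256": image_hash,
    }
    with open(manifest_path, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_image(manifest_path, image_path):
    """Re-hash the image and compare it with the hash recorded at acquisition.

    Returns (matches, expected_hash, actual_hash). Any change to the image,
    even a single byte, produces a mismatch.
    """
    with open(manifest_path, encoding="utf-8") as fh:
        first_entry = json.loads(fh.readline())
    expected = first_entry["sha256"]
    actual = sha256_of_file(image_path)
    return expected == actual, expected, actual


def demo():
    """Acquire a constructed 'drive', verify it, alter it, verify again."""
    # Constructed sample content standing in for a suspect workstation's disk.
    fake_drive = b"MBR\x00" * 512 + b"report_q3_final.xls\x00" + b"\x00" * 4096
    workdir = tempfile.mkdtemp()
    image = os.path.join(workdir, "evidence.img")
    manifest = os.path.join(workdir, "custody.jsonl")

    acquisition_hash = acquire_image(fake_drive, image)
    record_custody(manifest, image, acquisition_hash, "examiner-1", "acquired")
    ok_before, _, _ = verify_image(manifest, image)

    # Simulate what booting the machine does: something on disk changes.
    with open(image, "r+b") as fh:
        fh.seek(2048)
        fh.write(b"\x01")
    ok_after, expected, actual = verify_image(manifest, image)
    record_custody(manifest, image, actual, "examiner-1", "verification failed")

    return {
        "acquisition_hash": acquisition_hash,
        "verified_before": ok_before,
        "verified_after_tamper": ok_after,
        "tampered_hash": actual,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The manifest is the part a defense lawyer will ask about: each line says who touched the image, when, and what hash it carried at that moment, so a gap or a mismatch is visible rather than something an administrator has to explain from memory.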

Aleman says other aspects of forensics investigations could trip up typical administrators. For example, local administrators at branch offices aren't always aware of the regional data backup schedules at larger companies, he says. That could pose a problem if defense lawyers question them about the version and timeliness of the data they're presenting in court.

Such oversights could seem minor to most IT managers, but they can mean the difference between a successful prosecution (or defense) in court and watching your case unravel, says Matt Yarbrough, a former assistant U.S. attorney who spearheaded the formation of the North Texas Regional Computer Forensic Laboratory, the largest of its kind in the U.S. Of the 10 economic espionage cases brought to his office, only one made it to court, Yarbrough says. The rest were undermined by tainted forensic evidence.

"As a prosecutor, there's nothing worse than a company that sponsors its own evidence in court," says Yarbrough, who is now an attorney at Fish & Richardson PC in Dallas. "Being a super system administrator doesn't make you a forensics evidence expert capable of bringing evidence into the courtroom."

Special Report: The Security Action Plan

Copyright © 2002 IDG Communications, Inc.
