Deadly Pursuit

Computers are playing a major role in an increasing number of real-world crimes, fueling a need for investigators with strong technology skills.

South Dakota, 1999. A woman is found drowned in her bathtub. An autopsy shows a high level of the sleeping pill Temazepam in her bloodstream.

It looks like a suicide - that is, until investigators take a close look at her husband's computer. Turns out he's been researching painless killing methods on the Internet and taking notes on sleeping pills and household cleaners. Armed with that evidence, prosecutors are eventually able to put him behind bars.

Law enforcement agencies across the country are realizing that computer-related evidence is valuable in catching all kinds of criminals, not just hackers.

That's why they're scrambling to hire and train officers skilled in computer forensics, the discipline of collecting electronic evidence.

In the corporate world, demand for these IT sleuths is increasing, as well. They usually work as consultants. For example, a company might call a forensics examiner in to investigate how a hacker got into an IT system or to find out which employee walked off with confidential files.

But whether he works for law enforcement or the business world, a computer forensics examiner must be able to thoroughly scour an IT system for evidence while following a strict protocol, so that the evidence can be used in a court of law.

We talked to one forensics examiner with exactly that set of skills - the kind of employee who's sure to be in high demand in both worlds for years to come.

The investigator: Patrick Lim, computer forensics examiner at the Regional Computer Forensics Laboratory (RCFL) in San Diego

Previous experience: Lim has been a special agent at the Washington-based U.S. Naval Criminal Investigative Service (NCIS) for the past 17 years. But it was only about four years ago, when he was transferred to the NCIS's Computer Investigations and Operations unit, that his career took a turn into the world of IT.

In January of last year, Lim helped launch the RCFL, a task force that pools the computer forensics resources of several law enforcement agencies in the San Diego area.

Lim says all examiners at the RCFL must have strong investigative and problem-solving skills, as well as a solid foundation in operating systems and computer imaging.

Responsibilities: Lim spends much of his time working on cases that directly involve computers, like child pornography on the Web or Internet fraud. Increasingly, though, all kinds of cases involve computers, he says. "In the past, people thought that computer forensics applied strictly to computer crimes," says Lim. "But since computers are now such a part of everyday life, we're finding that almost every crime at some point touches a computer."

For example, at the site of a bank robbery, investigators recovered demand notes that were written using a notepad application. Examining one suspect's computer, Lim found that the thief had been careful to delete the files. Looking deep into the hard drive, however, Lim was able to find copies of the notes that were automatically made by the printer.

No matter what the nature of the case, it's essential to leave all of the evidence exactly as it was found - "just like a crime scene," says Lim. For that reason, forensics examiners never work directly on suspects' computers. Instead, they use computer imaging to make a complete bitstream copy of an entire machine, and they then comb the copy for whatever incriminating evidence they can find.

Tobias is a freelance writer in Santa Cruz, Calif.

Special Report

Security Risk and Reward


Copyright © 2001 IDG Communications, Inc.
