Computer Forensics: An Overview
By: Reese Kimmons, MS ISA
When you delete a document or file from your computer, it doesn’t just go away. Your operating system merely marks the space the data occupied as being available for use again. Until that space is overwritten, and sometimes even after it is, all or part of that “deleted” information may be recovered and reconstructed. Computer forensics investigators specialize in retrieving data such as this using procedures that ensure the recovered information will be admissible as evidence in court should that become necessary. Forensics specialists apply their skills to retrieve deleted, encrypted, hidden, lost, and protected files from personal computers, servers, storage devices, phones, and tablets. In many cases, a forensics investigation can also reveal how the recovered data was used, the origin of that data, and how and with whom it was shared. The evidence these investigations uncover often becomes the deciding factor in both civil and criminal proceedings.
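The recovery described above can be illustrated with signature-based file carving, which scans raw storage for known file headers and footers without consulting the file system. This is an added example, not part of the original article; the sample image, its contents, and the `build_sample_image` and `carve` names are constructed for illustration.

```python
import hashlib

SECTOR = 512
# Header/footer magic bytes for two common formats.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def build_sample_image() -> bytes:
    """Constructed 8-sector 'disk'; no directory entry points at either file."""
    pdf = b"%PDF-1.4\nquarterly figures (constructed)\n%%EOF"
    jpeg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    image = bytearray(8 * SECTOR)                      # zero-filled free space
    image[2 * SECTOR:2 * SECTOR + len(pdf)] = pdf      # deleted, never reused
    image[4 * SECTOR:4 * SECTOR + len(jpeg)] = jpeg    # deleted ...
    image[5 * SECTOR:6 * SECTOR] = b"N" * SECTOR       # ... then sector 5 reused
    return bytes(image)

def carve(image: bytes, max_size: int = 4 * SECTOR) -> list:
    """Scan the whole image, ignoring the file system, for known signatures."""
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = image.find(header)
        while start != -1:
            end = image.find(footer, start + len(header), start + max_size)
            complete = end != -1
            # No footer in range: the tail was overwritten, so keep what is
            # left (capped at max_size) and flag the fragment as partial.
            stop = end + len(footer) if complete else min(len(image), start + max_size)
            data = image[start:stop]
            found.append({"type": kind, "offset": start, "complete": complete,
                          "size": len(data),
                          "sha256": hashlib.sha256(data).hexdigest()})
            start = image.find(header, stop if complete else start + 1)
    return sorted(found, key=lambda f: f["offset"])

if __name__ == "__main__":
    for hit in carve(build_sample_image()):
        print(hit)
```

The PDF is recovered whole because its sectors were never reused, while the JPEG is reported as a partial fragment because new data replaced its tail. The SHA-256 recorded for each fragment lets a later examiner confirm the recovered bytes have not changed.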
The process and the people
Forensics engineers must adhere to detailed policies and procedures regarding preparation of the systems they examine and how the evidence they retrieve will be handled. These include processes for identifying and collecting the evidence, ensuring its authenticity, and maintaining chain of custody documentation. Failure to follow these procedures can result in the evidence being excluded in court.
Once collected, the evidence is examined and evaluated using a variety of tools at the investigator’s disposal. The investigator must document the processes used to examine the data. Information that was tagged with a date of origin, includes a timestamp, or appears to have been intentionally hidden is often the most valuable. Investigators record characteristics such as these in their reports.
Many forensics investigators possess industry certifications in the field, have advanced degrees relating to information security, and/or have a law enforcement background.
Computer forensics in the corporate environment
Common applications for computer forensics in the corporate environment include, but are certainly not limited to, cases involving fraud, intellectual property, sexual harassment, and corporate espionage.
As an example, if you work in the corporate world, you’ve probably been provided with notification that whatever you create on the company computer belongs to the company, even if it is personal in nature. Computer forensics is being successfully utilized in cases wherein an employee claimed to be the owner of intellectual property and denied that it was actually created using company resources. Even if the employee tries to hide or delete the evidence, an investigation will frequently yield the data necessary to prove that the employer is the owner of that disputed property.
In some cases, the conspicuous lack of evidence is evidence enough. A computer forensics investigator was asked to review the records of a New York brokerage firm to look for evidence of criminal activity. As it turned out, the brokerage firm’s IT personnel possessed the knowledge required to completely remove the pertinent files in a way that prevented the investigator from recovering them. The investigator, although unable to produce the incriminating data, was able to report to the court that emails and other files that should have been stored on the company’s systems were no longer there and that they had been intentionally removed. This was enough to cause the judge in the case to convict those involved in the cover-up, ruling that they had tampered with evidence in an effort to conceal their criminal activity.
High profile criminal cases
One of the more memorable cases wherein computer forensics investigations provided critical evidence was that of the BTK Killer. In this cold case, police worked for three decades to locate the murderer of numerous women during a 16-year crime spree. After 10 years without much progress, the killer made the mistake of sending police a floppy disk containing a Microsoft Word document. Metadata recovered from that file by a forensics investigator led police to the killer within a matter of hours. He later confessed to the murders.
In another case where computer forensics played a significant role, investigators found medical data on a doctor’s computer indicating he had authorized the administration of lethal levels of propofol to his patient, who subsequently died. The doctor was Conrad Murray. His patient was Michael Jackson.
In 2010, the wife of Baptist minister Matt Baker died from an apparent suicide. She ingested an overdose of sleeping pills and left a suicide note, or so it seemed. Although this appeared to most to be an open-and-shut case, investigators kept it open for four more years as they searched for, and examined, evidence. A forensics investigation of Reverend Baker’s computer eventually revealed information leading to his conviction and a 65-year prison sentence for his wife’s murder. The data recovered not only called his character into question, but also revealed that, shortly before his wife’s death, he had researched sleeping medications, overdoses, and pharmaceutical sites.
Evidence gathered during computer forensics investigations is used in divorce cases, murder trials, identity and intellectual property theft proceedings, fraud, forgery, tax evasion, and sex offense cases, to list only a few. If a computer, tablet, phone, or storage device was utilized at any point during the planning or commission of an act that results in civil or criminal proceedings, a computer forensics investigation may yield key evidence needed by the court to render the appropriate decision. Should you require the services of a computer forensics investigator, find one that has the experience, training, credentials, and tools necessary to provide quality results while following procedures to ensure the evidence they uncover is not tainted and is admissible in court.
Financial institutions collect personal information from customers every day, from names and addresses to bank account and Social Security numbers. The Gramm-Leach-Bliley Act’s Safeguards Rule requires those institutions to develop, implement, and maintain a comprehensive information security program. As part of its regulatory review process, the FTC has proposed changes to the Rule. Join us on July 13, 2020, for Information Security and Financial Institutions: An FTC Workshop to Examine the Safeguards Rule, where FTC staff and guest speakers will explore the issues. And take a look at the just-released agenda to check out what’s up for discussion.
FOR IMMEDIATE RELEASE
ODNI News Release No. 25-20
June 27, 2020
Statement by DNI Ratcliffe Statement on Recent Press Reporting
WASHINGTON, D.C. – Director of National Intelligence (DNI) John Ratcliffe today released the following statement:
“I have confirmed that neither the President nor the Vice President were ever briefed on any intelligence alleged by the New York Times in its reporting yesterday. The White House statement addressing this issue earlier today, which denied such a briefing occurred, was accurate. The New York Times reporting, and all other subsequent news reports about such an alleged briefing are inaccurate.”
FOR IMMEDIATE RELEASE
ODNI News Release No. 26-20
June 29, 2020
DNI Ratcliffe Statement on Impact of Unauthorized Disclosures on Force Protection
WASHINGTON, D.C. – Director of National Intelligence John Ratcliffe today released the following statement:
“U.S. and coalition force protection is a critical priority for both the President and the Intelligence Community. The selective leaking of any classified information disrupts the vital interagency work to collect, assess, and mitigate threats and places our forces at risk. It is also, simply put, a crime. We are still investigating the alleged intelligence referenced in recent media reporting and we will brief the President and Congressional leaders at the appropriate time. This is the analytic process working the way it should. Unfortunately, unauthorized disclosures now jeopardize our ability to ever find out the full story with respect to these allegations.”
A large-scale scam involving phony unemployment benefits claims has been making headlines. Criminals, possibly based overseas, are filing claims for benefits, using the names and personal information of people who have not lost their jobs. The investigation is ongoing, but this much is known: the fraud is affecting tens of thousands of people, slowing the delivery of benefits to people in real need, and costing states hundreds of millions of dollars.
Ostriches get a bad rap. The popular perception is that the species Struthio camelus bury their heads in the sand. But, in fact, they flee from perceived danger at speeds that top 60 miles per hour. An FTC proposed settlement with a payment processor that ignored signs that certain clients were engaged in fraud suggests that more companies should follow the real-life example of the ostrich and hightail it away from any association with illegal conduct.
With the flight to remote work happening so suddenly, senior decision makers at small and medium-sized businesses simply haven’t come to terms with their cybersecurity capabilities and, in turn, their vulnerabilities. The big question becomes: are executives ready to address the onslaught of cybersecurity needs that come with indefinite remote work?