Think of it as CSI: Silicon Valley.
Computer forensics is gaining popularity in both the law enforcement and corporate communities, and a Vancouver forensic investigator waded through a maze of training and certification options before settling on the EnCase certification from Guidance
Ryan Purita of Vancouver’s Totally Connected Security Ltd. said he already had expertise in forensics, and was looking for a certification that would recognize that expertise.
“I looked around, and the only thing that had any value was EnCase,” said Purita. “It’s the top recognized certificate for computer forensics.”
EnCase is a software solution from Pasadena, Calif.-based Guidance Software designed to assist in computer forensic investigations, and is recognized by Canadian and US courts for authentication of technical evidence. The company also offers an EnCase certification, which involves expertise in computer forensics investigations and the EnCase program.
Purita said EnCase can help establish the integrity of a hard drive in court, and prove that the information presented in court matches what was seized from the drive.
“Think of it like a fingerprint — it has to match that of the original drive you’ve taken,” said Purita. “When you go to court you have to be able to show that nothing has been altered.”
But Purita said there’s more to forensic investigation than just software. Legal and technical expertise is needed to pull together and interpret the data. In one case, Purita said he was called in by the defence in a fraud trial, where the prosecution claimed a contractor illegally billed for overtime, claiming he was overworked, while his computer showed he was surfing the Web all day.
The prosecution ran a script on the man’s hard drive and claimed the data showed he’d racked up 300,000 Web hits in a matter of months. When Purita examined the data, he realized that figure included every hyperlink on each page the man visited, whether he clicked it or not, vastly inflating the real number.
“The investigator wasn’t well trained, he just ran an automated script,” said Purita. “They didn’t do it properly and they ended up losing the case, and now they’re being sued for wrongful dismissal.”
Purita said he is often called in by the prosecution to assist in their investigation, or the defence to poke holes in a case. He’s also called in by corporations that suspect they’ve been hacked, or by insurance companies that suspect a cognitive disability claimant is really running a business from their computer.
Another growing area of investigation is examining the hard drive of a company insider after they leave the company, to see if they’ve removed sensitive data that may make its way to a competitor, or sales information they could use to compete against their old employer.
“It’s so new, it’s a virgin science and people are still finding uses for it,” said Purita.
Jonathan Bair, Guidance Software’s senior director of product development, said when the EnCase certification was created in late 2001, the goal was to create something robust that involved both academic and real-world experience. It’s also the only certification that involves a software program.
The company offers a range of courses at different levels, and before someone can write the EnCase exam they require 18 months of real-world forensics experience and an intermediate-level Guidance course.
The EnCase exam itself consists of two parts: a written test assessing knowledge of both examinations and the software, and a practical component where the student is given an image of a hard drive on a CD and is required to examine the information and submit a report.
Bair said many consultants have taken the certification, and many of the big consulting firms such as Deloitte and Touche use EnCase and have their examiners certified. Major companies are also having their security staff trained. While it started out on the IT side, Bair said computer forensics is increasingly becoming a function of the corporate security department.
“After a company gets a bill for several hundred thousand dollars for a computer forensics outsource then they often decide it’s cheaper to have that in house,” said Bair. “There’s lots of problems with insiders, intellectual property, sexual harassment, keeping customer information confidential.”