Unlike the crime scenes in the hit television series CSI: Miami, the locales prowled by Darren James aren’t peopled by the victims of drug-overdoses or gang-related shootings.
Instead, James and his team meticulously gather evidence from the less gruesome, but equally dark world of electronic
misdeeds, methodically collecting information, without leaving any indication someone has been sniffing around.
It’s not fingerprints James is worried about preserving, it’s time stamps. And the crimes are more white- collar such as internal fraud, theft of intellectual property and other subversive activity.
James, senior manager with the enterprise risk services group at Deloitte & Touche can sometimes be found skulking about offices at unusual hours when the client’s needs demand a forensic team go in under the cover of darkness.
“”We’re often called in during the wee hours of the morning to take a snapshot — an exact copy of the computer — in a forensically safe manner,”” he says.
In a recent case, James found himself and a few colleagues from Deloitte’s security team at a financial institution around midnight (he would not divulge the company name). The objective was to copy the drives of 10 computers. Management at the company were investigating a case at the time and had reason to suspect incriminating evidence was stored in e-mail on the machines. Only a few individuals from management knew the Deloitte team would be there but after six hours of work, some early bird members of staff began arriving to start their day. James’ team had to come up with a story.
“”I think we said we were doing an upgrade,”” says James.
While many investigations today involve electronic evidence, forensic computing is generally used to collect information in circumstances such as disciplinary action, dismissal for breach of company policies and civil law matters. In addition, it can include cases where there has been disclosure of intellectual property or network intrusion.
The greatest demand for Deloitte’s forensic services is when a company suspects employees are up to no good. Behaviour ranging from fraudulent activity, the inappropriate use of chat rooms or when someone is suspected of running a business from office computers.
Typically, says Paul Lewis, associate director, security, privacy and technical risk group with Fujitsu Consulting, the CIO is involved in any discussion about uncovering digital information, as well as the HR department. “”Despite what you hear about people spying on employees, in many of the cases we see there has been other evidence that has kicked it off and this is supporting it. If you have had a complaint of an employee surfing for porn or something, and somebody has seen it over their shoulder and complained that’s probably the starting point rather than people trolling around disks looking for pictures,”” says Lewis.
At Fujitsu Consulting the demand for forensic services is growing as companies become more aware of what is possible and start worrying about their liability to shareholders for failure to take action, says Lewis.
“”For us it’s a specialty practice that resides with our security practice. We’re called upon by existing clients because of the delicate nature of the work and time constraints in reacting. Organizations who need this type of service don’t tend to send out an RFP for it, they turn to us because they trust our integrity from working with them before,”” he says.
It’s not always the goal of a company to gather information and head to court. In fact Lewis says e-evidence is usually not admissible as primary evidence. That means making a case with the way you collect data, ensuring it’s not been altered.
But the Canada Evidence Act has recently been modified to allow use of electronic documents in place of originals if certain criteria are met, says Coreen Lawton, a lawyer with McCarthy Tétrault in Toronto. That means showing that the computer system used was operating properly and “”that the document was recorded and stored in the usual course of business by a person not a party to the litigation and who did not record or store it under the control of the party seeking to introduce it to litigation.””
Even the most innocuous e-mail with a personal message or joke can be valuable or harmful, depending on the side you’re on when building a case for litigation, says Lawton. “”If it’s an employer who has dismissed an employee for harassing behaviour, e-mail evidence of the employee’s harassment towards other employees would be maintained if the employee sued for wrongful dismissal.””
Electronic evidence has quickly become a central point of focus for legal disputes. In litigation opposing parties will ask each other to produce copies of past e-mails containing words that might produce “”the smoking gun.””
In some cases, e-mail files can reveal more than was expected. James says e-mail trails can place people in meetings and places at specific dates and times, showing they had correspondence with other individuals about specific subject matter.
Recently, e-mail files gathered from the computer files of senior City of Toronto officials showed the executive director of IT and the CFO were being entertained on the golf course by hardware and software vendors in the months leading up to Y2K decisions. Those e-mails are now part of an on-going public inquiry.
“”Leaving e-mail around for extended periods can be quite dangerous,”” says Lewis. “”It’s a bit of a liability.””
If someone deletes a computer file, generally the file isn’t erased; instead it’s the entry in the file index that’s been deleted and the actual file information remains until the free space gets reused. In a similar fashion, e-mail programs may not overwrite the data when you delete the e-mail and may be backed up for disaster recovery purposes. So even when you think it’s been deleted it may exist in multiple places.
Recovering electronic information as evidence of wrong-doing is by no means a new practice: it became the backbone of the Iran Contra scandal of the mid-80s, when a vast quantity of mainframe e-mail had been backed up nightly even though everyone involved thought it had had been deleted. As the Iran-Contra scandal broke, national security advisor John Poindexter and Oliver North began deleting more than 5,000 e-mail messages in the memory banks of the White House computer system. What they didn’t know was the messages were still retrievable from the system’s backup tapes. Investigators from the FBI and the Tower Commission used the tapes to reconstruct the illegal trading of drugs for guns scandal.
Today the pursuit of e-mail records and other digital documents is on the rise, says Lewis.
“”I think it has become more sophisticated by necessity because of the technologies and the increased ability to transmit things,”” says Lewis.
While not difficult to do, collecting e-evidence has to be done correctly, as electronic data can often be considered unreliable by the courts; it has to be presented in a pristine fashion. “”You have to be able to show it has not been altered during the collection process.””
Any tampering of systems by those who don’t know what they’re doing can damage evidence. In many cases, James says, companies have asked internal IT staff to gather information from employee computers, only to have its authenticity compromised.
According to Lewis, a good practice is to use open source tools because then the company can be sure, from looking at the source, that the information has been correctly represented and not modified in any way. As well as the remaining files that are there, investigators may be looking to see what type of application evidence is still left: e-mail files, database structures and browser caches that contain Web pages that were visited.
If the computer is operating, the first step is to capture information still in the computer memory. When a computer has been switched off you then remove the hard drive of the PC or server you are looking at — because to boot the computer changes aspects of the information in the process.
“”Information may be lost and you can argue whether it’s changed information or whether that’s the original information,”” says Lewis. “”So you would attach the disk to another computer and take a disk image.””
The original disk (in the computer) would then be bagged and labeled as being potential evidence and from then on investigators would work with the disk image that had been taken. Lewis says notes must be taken at each stage of the process so handlers can attest to what steps were taken.
And while the actors who play investigators on CSI analyse evidence to vindicate those who can’t speak for themselves, forensic computing investigators work to find the goods on those who said too much.