ELECTRONIC DISCOVERY ARTICLES
ASK OUR EXPERT:
What Can Computer Forensics Do For You?
The following are frequently asked questions pertaining to computer forensics and answers from our resident expert, Lee Neubecker.
What do you recommend as a best practice for preserving electronic data on a computer?
One of the most important things that companies need to do is to make
sure that they do not spoil the evidence by looking to see what the employee
was doing. In many cases, right after someone departs, the manager or
someone from IT will look through the computer to see what files were
recently accessed. The problem with that is the employee may have downloaded
files to CDs to take with them. If someone surfs through a computer to see
what was stolen, they are altering the file metadata, such as the date the
file was last accessed. It may cause a file that was burned to CD along with
a collection of other files to have its last access date altered. In computer
forensics, we often look for clustering of files with similar dates and
times. For instance, if someone burns a number of files to CD, the last
accessed times may be a second apart on the files that were burned.
Frequently, we can figure out what was burned to CD by looking at the access
dates, because when the computer reads a file in order to write it to CD, it
alters that file's access date. The manager who accesses the computer to look around
has just caused the access dates to be modified, so it makes it more
difficult for forensic experts to piece evidentiary information together.
The most important step is first to make sure the evidence does not get
altered, and in most situations (e.g. Windows operating systems), simply
pulling the plug from the computer works. Pulling the plug prevents evidence
spoliation and preserves relevant last accessed dates. Exceptions to that
are Linux, servers and other more complex file structures that do not
recover well from a power loss.
If someone needs to reuse the computer, they should remove the hard drive in
question and buy a new hard drive for the computer. That way the evidence is
reasonably preserved. They can keep the evidence hard drive in an envelope
sealed with a signature across clear tape; that way any alteration of the
evidence will be evident from tampering with the package.
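The clustering of last-access times described above, worked as an added example (not code from the article or from the expert): given a constructed file listing with last-access timestamps, group files read within a couple of seconds of each other, the pattern a bulk write to CD leaves behind. The gap and minimum cluster size are assumed thresholds.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample listing (path, last-access time), as a forensic tool might
# export it from an image. Not data from the article.
SAMPLE_LISTING = [
    ("C:/Users/jdoe/Docs/pricebook.xlsx", "2023-03-10 17:42:01"),
    ("C:/Users/jdoe/Docs/customers.csv",  "2023-03-10 17:42:02"),
    ("C:/Users/jdoe/Docs/part-A12.dwg",   "2023-03-10 17:42:02"),
    ("C:/Users/jdoe/Docs/part-B07.dwg",   "2023-03-10 17:42:03"),
    ("C:/Users/jdoe/Docs/notes.txt",      "2023-03-09 09:15:30"),
    ("C:/Windows/Help/readme.txt",        "2023-03-08 12:00:00"),
]

def cluster_by_access_time(listing, gap_seconds=2, min_size=3):
    """Sort files by last-access time and group runs where each file was read
    within gap_seconds of the previous one. Only runs of at least min_size
    files are returned, since a lone access proves little, while a burst of
    reads one second apart is the signature of files being copied out."""
    rows = sorted((datetime.strptime(ts, FMT), p) for p, ts in listing)
    clusters, current = [], []
    for ts, path in rows:
        if current and ts - current[-1][0] > timedelta(seconds=gap_seconds):
            if len(current) >= min_size:
                clusters.append([p for _, p in current])
            current = []
        current.append((ts, path))
    if len(current) >= min_size:
        clusters.append([p for _, p in current])
    return clusters

if __name__ == "__main__":
    for group in cluster_by_access_time(SAMPLE_LISTING):
        print("burst of %d reads:" % len(group))
        for p in group:
            print("   ", p)
```

Had a manager browsed these same files after the departure, every access time in the burst would now carry the manager's date instead, and the cluster would be gone.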
What is the most effective method of authenticating evidence?
The first step in authenticating evidence is that you need to preserve
the original evidence by removing it from normal use and sealing it from
possible tampering. Once you preserve the evidence, it needs to be
forensically copied in a way that does not alter the original. The copy is
then used by experts to perform their analysis. Before performing the
analysis, the evidence needs to be authenticated. To authenticate the
evidence, in essence, is to certify that the copy is exactly the same as the
original.
In our profession, a hash value is used to authenticate evidence. A hash
value is generated when you apply a hash algorithm against a collection of
0's and 1's that exist as data on a hard drive or any other type of storage
media. That value is such that altering a single character in a Word
document, for example, changing an upper case S to a lower case s, would
cause the collection of 0's and 1's on the storage media to be altered. This
would then cause the hash value generated to be something totally different.
Therefore, when we copy data, we are copying all the 0's and 1's at the
lowest level of the storage media. We apply the hash algorithm, and as
an end result, we get a unique hash value, which is much like a
digital fingerprint. After copying, we apply that same algorithm to the
copy, over the same number of sectors. If the hash values match, we know we
have a perfect copy. Once we have copied the evidence and authenticated it,
then we are ready to work with the data.
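The sector-level hash comparison described above, as an added example (not the article's or the expert's code): a constructed 8-sector "drive" is hashed sector by sector, then compared with an exact copy and with a copy in which one upper-case S became lower-case. SHA-256 and a 512-byte sector are assumptions.

```python
import hashlib

SECTOR = 512  # bytes per sector assumed for this example

def sector_hash(data: bytes, sectors: int, algo: str = "sha256") -> str:
    """Hash exactly `sectors` sectors of raw bytes, sector by sector, the way an
    imaging tool hashes a fixed span of the media rather than the files the
    file system happens to show. A copy that is short a single byte hashes
    differently, so truncation is caught as well as alteration."""
    h = hashlib.new(algo)
    for off in range(0, sectors * SECTOR, SECTOR):
        h.update(data[off:off + SECTOR])
    return h.hexdigest()

def verify_image(original: bytes, image: bytes, sectors: int) -> bool:
    """True only if original and copy hash identically over the same number of
    sectors, i.e. every 0 and 1 was reproduced."""
    return sector_hash(original, sectors) == sector_hash(image, sectors)

# Constructed sample media: 8 sectors holding a short document, the remainder
# zero-filled. Not data from the article.
SECTORS = 8
ORIGINAL = b"Report: Submitted by S. Jones".ljust(SECTORS * SECTOR, b"\x00")
GOOD_COPY = bytes(ORIGINAL)
# Same length, one character changed: upper-case S -> lower-case s.
ALTERED_COPY = ORIGINAL.replace(b"Submitted", b"submitted", 1)

if __name__ == "__main__":
    print("original    ", sector_hash(ORIGINAL, SECTORS))
    print("good copy   ", sector_hash(GOOD_COPY, SECTORS),
          "match" if verify_image(ORIGINAL, GOOD_COPY, SECTORS) else "MISMATCH")
    print("altered copy", sector_hash(ALTERED_COPY, SECTORS),
          "match" if verify_image(ORIGINAL, ALTERED_COPY, SECTORS) else "MISMATCH")
```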
If the judge allows electronic discovery without limitations, is it advisable to ask for a printout of all files on the computer?
Before doing a print production, it makes a lot of sense to apply technology to eliminate a lot of the unnecessary information. Unique to computer forensics is the ability first to tell what is on the hard drive - files that exist on the hard drive, deleted or not, when they were accessed and created, how large they are, etc. That is a great starting point because it allows you to assess, if you were to print the files, how many pages would result and what the universe of data is.
Once we know what is on the hard drive, we can perform a hash analysis
whereby we analyze every individual file's hash value and compare the
fingerprint of the individual file against the NIST (National Institute of
Standards and Technology) database, which publishes the hash values or
fingerprints of all known files that exist. The NIST hash database
contains files that appear on operating system CDs and software
applications. After analyzing and comparing all the files on the subject
hard drive against this database, we can eliminate gigabytes of information
that are in no way pertinent to that user's created data. We can remove
those files from the list, which eliminates useless help text files and
other files that come with your computer. That saves the client a lot of
time, as well as money.
In addition, if our client provides us with the universe of intellectual
property data (e.g. CAD drawings, price books and customer directories) on a
CD, we can generate the hash values for each of the individual files. These
values are then used to compare with that of all the files that exist on the
subject hard drive we imaged. If there is a match, it is evident that our
client's intellectual property exists on the subject computer. At that
point, we can begin to explore how it got there, when it got there, what
other places the file was stored and other critical information.
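The two hash comparisons described above, known-file elimination and client IP matching, worked together as an added example (not the article's or the expert's code) over constructed file contents. SHA-1 is used because NIST's NSRL reference set publishes SHA-1 (and MD5) values; all paths and contents are made up.

```python
import hashlib

def sha1_hex(data: bytes) -> str:
    """Per-file fingerprint. NSRL publishes SHA-1 and MD5, so a real run would
    compare against those published values instead of a local set."""
    return hashlib.sha1(data).hexdigest()

def triage(subject_files, known_files, client_ip_files):
    """Return (user_created_paths, ip_hits). Files whose hash is in the known
    set are dropped as OS/application content; the rest are kept, and any
    whose hash matches a client IP file is reported as (path, client name).
    Hashes ignore file names, so a renamed exact copy still matches, while a
    file edited after it was taken does not."""
    known = {sha1_hex(d) for d in known_files.values()}
    ip_index = {sha1_hex(d): name for name, d in client_ip_files.items()}
    user_created, ip_hits = [], []
    for path, data in subject_files.items():
        digest = sha1_hex(data)
        if digest in known:
            continue
        user_created.append(path)
        if digest in ip_index:
            ip_hits.append((path, ip_index[digest]))
    return user_created, ip_hits

# Constructed sample content; stand-ins for real files, not from the article.
KNOWN_FILES = {  # what the OS/application reference set would cover
    "readme.txt": b"Thank you for installing the product.\n",
    "help.chm":   b"ITSF help contents",
}
CLIENT_IP = {  # intellectual property supplied by the client on CD
    "pricebook.xlsx": b"PK\x03\x04 price book 2023 rev 4",
    "customers.csv":  b"name,city\nAcme,Chicago\n",
}
SUBJECT_DRIVE = {  # files recovered from the imaged drive
    "C:/Windows/Help/readme.txt":       KNOWN_FILES["readme.txt"],
    "C:/Program Files/App/help.chm":    KNOWN_FILES["help.chm"],
    "C:/Users/jdoe/Docs/memo.txt":      b"lunch at noon",
    "C:/Users/jdoe/Docs/q1.xlsx":       CLIENT_IP["pricebook.xlsx"],  # renamed copy
    "C:/Users/jdoe/Docs/customers.csv": b"name,city\nAcme,Chicago\nBeta,Boston\n",  # edited
}

if __name__ == "__main__":
    kept, hits = triage(SUBJECT_DRIVE, KNOWN_FILES, CLIENT_IP)
    print("user-created files:", kept)
    print("client IP found:", hits)
```

The edited customers.csv is the caveat: hash matching proves only exact copies, so a near-match still needs content comparison by the examiner.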