The following are frequently asked questions pertaining to computer forensics and answers from our resident expert, Lee Neubecker.
What do you recommend as a best practice for preserving electronic data on a computer?
One of the most important things that companies need to do is to make sure that they do not spoil the evidence by looking to see what the employee was doing. In many cases, right after someone departs, the manager or someone from IT will look through the computer to see what files were recently accessed. The problem with that is the employee may have downloaded files to CDs to take with them. If someone surfs through a computer to see what was stolen, they are altering the file metadata, such as the date the file was last accessed. It may cause a file that was burned to CD along with another collection of files to have its last access date altered. In computer forensics, we often look for clustering of files with similar dates and times. For instance, if someone burns a number of files to CD, the last accessed times may be a second apart on files that were recently burned to CD. Frequently, we can figure out what was burned to CD by looking at the access dates, because when the computer reads the file to write it to CD, it alters access dates. The manager who accesses the computer to look around has just caused the access dates to be modified, so it makes it more difficult for forensic experts to piece evidentiary information together.
The most important step is first to make sure the evidence does not get altered, and in most situations (e.g. Windows operating systems), simply pulling the plug from the computer works. Pulling the plug prevents evidence spoliation and preserves relevant last accessed dates. Exceptions to that are Linux, servers and other more complex file structures that do not recover well from a power loss.
If someone needs to reuse the computer, they should remove the hard drive in question and buy a new hard drive for the computer. That way the evidence is reasonably preserved. They can keep the evidence hard drive in an envelope sealed by a signature and clear tape, and that way any evidence alteration can be detected by tampering of the package.
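The clustering of last-accessed times described in the answer above, and the way casual browsing destroys it, can be shown with a small script. This is an added example, not code from the original page or from Lee Neubecker; the file paths, timestamps, the two-second gap and the minimum cluster size are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample records (path, last-accessed time) of the kind a forensic
# tool exports from a drive image. Paths and timestamps are invented here.
SAMPLE_RECORDS = [
    ("C:/Users/jdoe/Documents/pricebook.xlsx", datetime(2024, 3, 1, 17, 42, 10)),
    ("C:/Users/jdoe/Documents/customers.csv", datetime(2024, 3, 1, 17, 42, 11)),
    ("C:/Users/jdoe/Documents/drawing-a.dwg", datetime(2024, 3, 1, 17, 42, 11)),
    ("C:/Users/jdoe/Documents/drawing-b.dwg", datetime(2024, 3, 1, 17, 42, 12)),
    ("C:/Users/jdoe/Documents/memo.docx", datetime(2024, 2, 20, 9, 5, 0)),
    ("C:/Windows/System32/notepad.exe", datetime(2024, 1, 15, 8, 0, 3)),
]


def find_access_clusters(records, gap_seconds=2, min_size=3):
    """Return groups of paths whose last-accessed times run a second or two
    apart, the pattern left behind when a batch of files is read in one go
    (for example to burn them to CD). Records are sorted by time; a new group
    starts whenever the gap to the previous record exceeds gap_seconds, and
    groups smaller than min_size are discarded as noise."""
    ordered = sorted(records, key=lambda rec: rec[1])
    clusters = []
    current = []
    for path, accessed in ordered:
        if current and accessed - current[-1][1] > timedelta(seconds=gap_seconds):
            if len(current) >= min_size:
                clusters.append([p for p, _ in current])
            current = []
        current.append((path, accessed))
    if len(current) >= min_size:
        clusters.append([p for p, _ in current])
    return clusters


def simulate_browsing(records, path, when):
    """Model what happens when someone opens a file on the live machine after
    the fact: its last-accessed time is overwritten with the new time."""
    return [(p, when if p == path else t) for p, t in records]


def browsing_demo():
    """Clusters found on the untouched image versus after a manager opened
    one of the files on 4 March (a constructed date)."""
    before = find_access_clusters(SAMPLE_RECORDS)
    touched = simulate_browsing(SAMPLE_RECORDS,
                                "C:/Users/jdoe/Documents/pricebook.xlsx",
                                datetime(2024, 3, 4, 10, 0, 0))
    after = find_access_clusters(touched)
    return before, after


if __name__ == "__main__":
    before, after = browsing_demo()
    print("clusters before browsing:", before)
    print("clusters after browsing:", after)
```

On the untouched records the four documents read within three seconds of each other form one cluster; once pricebook.xlsx has been opened on the live machine its access time no longer sits with the others, and the evidence that it was part of the same batch is gone from this view.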
What is the most effective method of authenticating evidence?
The first step in authenticating evidence is that you need to preserve the original evidence by removing it from normal use and sealing it from possible tampering. Once you preserve the evidence, it needs to be forensically copied in a way that does not alter the original. The copy is then used by experts to perform their analysis. Before performing the analysis, the evidence needs to be authenticated. To authenticate the evidence, in essence, is to certify that the copy is exactly the same as the original.
In our profession, a hash value is used to authenticate evidence. A hash value is generated when you apply a hash algorithm against a collection of 0’s and 1’s that exist as data on a hard drive or any other type of storage media. That value is such that altering a single character in a Word document, for example, changing an upper case S to a lower case s, would cause the collection of 0’s and 1’s on the storage media to be altered. This would then cause the hash value generated to be something totally different. Therefore, when we copy data, we are copying all the 0’s and 1’s on the most micro level of the storage media. We are applying the hash algorithm, and as an end result, we are getting a unique hash value, which is much like a digital fingerprint. After copying, we apply that same algorithm to the copy, for the same number of sectors. If the hash values match, we know we have a perfect copy. Once we have copied the evidence and authenticated it, then we are ready to work with the data.
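The hash-based authentication described above, worked through on a constructed buffer that stands in for a storage device: hash the original sector by sector, take a copy, hash the copy over the same sectors, and compare; then change a single upper-case S to lower-case s and watch the hash change. This is an added example, not code from the original page or from Lee Neubecker; the 512-byte sector size, the use of SHA-256 and the sample drive contents are assumptions made for the illustration.

```python
import hashlib

SECTOR_SIZE = 512


def build_sample_drive():
    """Constructed stand-in for a small storage device: four sectors, the first
    holding a tiny text document and the rest zero-filled. Real imaging walks
    the whole physical drive the same way."""
    drive = bytearray(SECTOR_SIZE * 4)
    document = b"Sales report for Q1 - confidential draft"
    drive[0:len(document)] = document
    return bytes(drive)


def hash_media(data, algorithm="sha256", sector_size=SECTOR_SIZE):
    """Hash a device image sector by sector, as an imaging tool does, so the
    same routine works for drives far larger than memory. Every byte feeds the
    hash, so unused space and deleted data are covered too."""
    h = hashlib.new(algorithm)
    for offset in range(0, len(data), sector_size):
        h.update(data[offset:offset + sector_size])
    return h.hexdigest()


def verify_copy(original, copy, algorithm="sha256"):
    """Authenticate a forensic copy: hash original and copy with the same
    algorithm over the same number of sectors and compare.
    Returns (original_hash, copy_hash, match)."""
    orig_hash = hash_media(original, algorithm)
    copy_hash = hash_media(copy, algorithm)
    same_size = len(original) == len(copy)
    return orig_hash, copy_hash, same_size and orig_hash == copy_hash


def single_character_change(data, offset, new_byte):
    """Return a copy with one byte altered, e.g. an upper-case S to lower-case s."""
    altered = bytearray(data)
    altered[offset] = new_byte
    return bytes(altered)


if __name__ == "__main__":
    drive = build_sample_drive()
    exact = bytes(drive)                                     # bit-for-bit copy
    print("exact copy matches:", verify_copy(drive, exact)[2])
    tampered = single_character_change(drive, 0, ord("s"))   # 'S' -> 's'
    print("one-character change matches:", verify_copy(drive, tampered)[2])
```

The chunked loop gives the same digest as hashing the buffer in one call, which is why a sector-by-sector image can be checked against a hash computed by a different tool; a copy that is short by even one sector fails the comparison.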
If the judge allows electronic discovery without limitations, is it advisable to ask for a printout of all files on the computer?
Before doing a print production, it makes a lot of sense to apply technology to eliminate a lot of the unnecessary information. Unique to computer forensics is the ability first to tell what is on the hard drive – files that exist on the hard drive, deleted or not, when they were accessed and created, how large they are, etc. That is a great starting point because it allows you to assess, if you were to print the files, how many pages would result and what the universe of data is.
Once we know what is on the hard drive, we can perform a hash analysis whereby we analyze every individual file’s hash value and compare the fingerprint of the individual file against the NIST (National Institute of Science and Technology) database, which publishes a database with the hash values or fingerprints of all known files that exist. The NIST hash database contains files that appear on operating system CDs and software applications. After analyzing and comparing all the files on the subject hard drive against this database, we can eliminate gigabytes of information that are in no way pertinent to that user’s created data. We can remove those files from the list, which eliminates useless help text files and other files that come with your computer. That saves the client a lot of time, as well as money.
In addition, if our client provides us with the universe of intellectual property data (e.g. CAD drawings, price books and customer directories) on a CD, we can generate the hash values for each of the individual files. These values are then used to compare with that of all the files that exist on the subject hard drive we imaged. If there is a match, it is evident that our client’s intellectual property exists on the subject computer. At that point, we can begin to explore how it got there, when it got there, what other places the file was stored and other critical information.
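The two hash comparisons described in the last two answers, eliminating files that match a known-file reference set and flagging files that match the client's intellectual property, can be done in one pass over the per-file hashes. This is an added example, not code from the original page or from Lee Neubecker; the subject-drive contents, the tiny "known good" set standing in for the NIST reference database, and the client IP files are all constructed for the illustration, and SHA-256 is assumed as the per-file algorithm.

```python
import hashlib


def file_hash(data):
    """Per-file fingerprint. The same algorithm must be used on both sides of
    any comparison, including the reference set."""
    return hashlib.sha256(data).hexdigest()


# Constructed contents of a subject drive image: path -> file bytes.
SUBJECT_FILES = {
    "C:/Windows/System32/calc.exe": b"<constructed calc.exe bytes>",
    "C:/Windows/Help/readme.txt": b"<constructed help text>",
    "C:/Users/jdoe/Documents/notes.txt": b"personal notes, user created",
    "C:/Users/jdoe/Downloads/pb.xlsx": b"<constructed price book contents>",
    "C:/Users/jdoe/Documents/drawing.dwg": b"<constructed CAD drawing, later edited>",
}

# Constructed stand-in for the published reference set of hash values of files
# shipped with operating systems and applications. In practice these values
# come from the reference database, never from hard-coded literals.
KNOWN_GOOD_HASHES = {
    file_hash(b"<constructed calc.exe bytes>"),
    file_hash(b"<constructed help text>"),
}

# Constructed client intellectual property, as delivered on CD: name -> bytes.
CLIENT_IP_FILES = {
    "pricebook.xlsx": b"<constructed price book contents>",
    "drawing.dwg": b"<constructed CAD drawing>",
}


def triage(subject_files, known_good_hashes, client_ip_files):
    """Split the subject drive into three buckets: files eliminated because
    they match the known-file set, files whose content matches the client's
    IP regardless of the name they carry on the subject drive, and the
    remainder left for review."""
    ip_by_hash = {file_hash(data): name for name, data in client_ip_files.items()}
    result = {"eliminated": [], "ip_matches": [], "review": []}
    for path, data in subject_files.items():
        h = file_hash(data)
        if h in known_good_hashes:
            result["eliminated"].append(path)
        elif h in ip_by_hash:
            result["ip_matches"].append((path, ip_by_hash[h]))
        else:
            result["review"].append(path)
    return result


if __name__ == "__main__":
    for bucket, items in triage(SUBJECT_FILES, KNOWN_GOOD_HASHES, CLIENT_IP_FILES).items():
        print(bucket, items)
```

Note what the exact-hash comparison does and does not catch: pb.xlsx is identified as the client's price book even though it was renamed, because the content is byte-identical, while drawing.dwg is not flagged because it was edited after it left the client, so its hash no longer matches. A miss in this pass therefore does not prove the file is absent; it only means a byte-identical copy was not found, and the files left for review still need other analysis.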