August 2002 - Cover Story
Computer Forensics
Detecting the Imprint
by Illena Armstrong
Ferreting out evidentiary imprints left behind by cybercriminals is a tall order in the virtual world of zeros and ones. But, this digital realm is proving a ripe and ready stomping ground for crooks of all kinds.
Electronic crime's appeal runs the gamut, as a few recent cases show:
- In a case discovered in June, an unidentified person believed to be a Chinese national hacked into 21 accounts at the Development Bank of Singapore Ltd. He reportedly transferred thousands of dollars to his own account, according to a Singapore Sunday Times newspaper article.
- A man, possibly tied to the Russian mafia, was arrested in June for allegedly installing keystroke-capturing software onto computers at various universities in the U.S. He was allegedly seeking to capture credit card numbers and other personal data, according to a piece in The Chronicle of Higher Education.
- After receiving tips from the Federal Bureau of Investigation (FBI), Polish police say they have tracked down the PC used by the hacker who gained illegal access to NASA's computer network, causing some $1 million in damage, according to recent Polish television reports. If arrested and charged with the crime, the man, a Polish citizen and known computer expert, could be sentenced to up to eight years in jail under the country's cybercrime legislation. This does not take into account the possibility of the alleged hacker being extradited to the U.S.
In Riptech's Internet Security Threat Report, released in July 2002, about 20 percent of the several hundred companies monitored by the service provider experienced at least one severe attack during the six-month analysis period that began in January. On top of these attacks, which appear to be occurring more frequently, fears of cyberterrorist assaults have heightened since the Sept. 11 strikes. A Business Software Alliance survey in June 2002, commissioned by Entrust, found that 49 percent of the 395 IT professionals surveyed believe the U.S. federal government is highly vulnerable to attacks by cyberterrorists. Further, one third of those say they think such attacks are very likely to happen within the next year.
Given the innumerable digital threats plaguing organizations today, experts say they have seen increased interest in the merits of computer forensics technology, from pre- and post-incident planning to the collection of electronic evidence for both formal litigation and simple internal investigations. At the same time, however, Meta Group estimates that only five percent of its corporate clients use computer forensics tools or techniques.
"Computer forensics is an area where many companies fear to tread until they have to," says Michael Bacon, evangelist and principal of archolutions.com, an architectural solutions company based in the U.K. "It requires specialist training, not only in technology, but also in evidence gathering and presentation in court. Few corporates are prepared to invest the time and money in their own staff to train them up."
Still, says Bacon, organizations are seeing the value of computer forensics procedures for business activities, such as recovering data on systems used by former employees or conducting internal investigations "often into abuse of acceptable use policies." Too, they find such forensics technologies aid in supporting "some aspects of corporate governance."
Just acknowledging the volume of data stored on networks should be enough reason to prompt enterprises to begin examining the validity of using forensics, says Clive Carmichael-Jones, operations director at Vogon International, a developer of computer forensics technology.
"Key to understanding the role of computer forensics in the modern corporate organization is the fact that virtually all documents that are handled today originate in electronic form. From this realization comes the logical conclusion that the destruction of paper documentation is almost incidental in terms of consequential impact next to the intent, and subsequent attempts made, to destroy the original electronic data," he says.
Following this logic, a company must recognize that computer forensics complements the security policies and security technologies it already has in place: it provides the means of investigation when those plans and tools are compromised in some way. As an example, Alyn Hockey, vice president of future products for Clearswift in the U.K., explains, "Monitoring products act as an early warning sign, alerting management to the possibility that they need to use forensics to investigate the source of a possible threat more thoroughly."
Just as prevention, planning and deployment of security tools are necessary steps for businesses of all sizes to take these days, so too is the use of computer forensics tools and plans. "The ability to respond to an incident, understand its causes and effects and take the appropriate remedial actions, is fundamental to effective information security," says Robert Brown, technical director for DataSec Limited in the U.K.
Taking Steps
Ensuring that a company is on the right computer forensics path begins with an understanding of the tools and protocols associated with this area of infosec. This is an important move since forensics can mean many things to many people.
"Forensics, used to its potential, can provide both pre- and post-event benefits," says John Suit, CTO of SilentRunner. "Forensics enables IT security staff to understand who is using the network, how they are using the network, and for what purposes. If a violation occurs, from internal or external sources, computer forensics is the cornerstone of reconstructing the event that took place. The focus is on obtaining and analyzing information. Using technology in combination with policy, corporate investigative units are fulfilling their models of protect, detect and respond, while rounding out their models with corporate accountability."
Hackers seeking to compromise web applications "don't schedule their movements," says Ory Segal, a security specialist and developer in Sanctum, Inc.'s security group. He believes that in today's world of mission-critical, web-enabled information, it's vital for IT professionals to have full insight into the activity on their sites. "Web forensics," he says, "has become a vital Internet security component" in this analysis.
Adding a computer forensics component to business planning helps in building and maintaining a strong security posture, notes Larry Lunetta, vice president of marketing for ArcSight, Inc. All the "rubble" left by the various security tools most companies have in-house, such as IDS, firewalls and more, contains "clues to how the attack happened, why it was successful, and how to detect and prevent similar incidents in the future."
One of the best uses of computer forensics techniques and technologies is the simple protection and recovery of information, says Adrian Reid, managing director of DataSec. In the U.K. alone, 76 percent of corporations store critical or sensitive data on their networks, according to the Department of Trade and Industry (DTI). As such, organizations must take measures to protect this information and investigate any incident that involves it. "[We have] seen an increase in the number of investigations instigated by corporate victims and a trend towards an aggressive approach to recovering stolen information, which might involve court orders to seize and examine computers that allegedly hold stolen data," Reid says. "Basic forensic principles that lead to appropriate first action being taken when an incident occurs, and an increased likelihood that information will be recovered, preserved and admissible as evidence, are beginning to be implemented in the corporate world."
To execute this process properly, planning is integral, says Larry Kanter, a partner with Ernst & Young who manages legal technical services for the U.S. Such planning, he says, must begin with senior management, because IT security and forensic technology play across all departments. To begin the process, the general counsel's office must initiate and maintain an open dialogue with the IT department in order to establish appropriate policies that address such issues as document retention, email/Internet usage, and more.
From there, companies can take measures which will be quite helpful when something does occur, says Barry Stauffer, CEO of Corbett Technologies, Inc. in Virginia. Such pre-planning includes:
- Setting up a retainer contract with a business that specializes in computer forensics in advance of major events. A contract of this kind should offer a 24/7 guaranteed response.
- Educating system administrators and/or other IT professionals on how they should respond to an incident before the forensics experts arrive. This is pivotal so that these employees avoid taking actions that "pollute the evidence before the computer forensics team arrives," making it inadmissible in a court setting or impeding the team from discovering important information.
- "Having the network architecture include a system that logs all data from most network devices."
To be sure, adds Cliff May, principal consultant with Integralis in the U.K., setting up an incident management plan will be helpful in preventing panicked behaviors. An important part of such a plan involves designating certain people with the responsibility to monitor and report on anomalous behaviors. By defining specific roles such as these for employees, companies can offer adequate training on the various forensics technologies and how to properly deal with potential digital evidence so it can hold water in a courtroom.
"The most important lesson that companies should consider is not to panic, jump to conclusions or make accusations until they know all of the facts. Often, the issue is only the tip of the iceberg and you need to dig deep to find out exactly what has gone on," he says. "But, companies are not doing this. [They are] still too reactive, dealing with issues as they come up. Pressure makes people do the wrong thing. If you have a procedure in place, then this won't happen, as you'll have primary [people who are responsible]. And, if they aren't around, there will be back-up options, as well."
Such awareness and definition of roles should cover everyone from end-users to the response staff, notes Ben Rothke, senior security architect with QinetiQ Trusted Information Management, Inc. By having end-user awareness policies, incident response staff and a comprehensive set of incident response policies and procedures in place, "an organization has a good chance of success." (Read more details on each of these components in the accompanying sidebar Parts of the Plan at the foot of this page.)
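The advice above about not "polluting the evidence" before the forensics team arrives comes down to one verifiable practice: hash the evidence at acquisition, record the hash in a custody manifest, and re-verify before analysis. The following Python is an added illustration, not code from the article or from any of the firms quoted; the "device" contents, the manifest fields and the examiner and case identifiers are constructed for the example.

```python
"""Evidence-integrity check: hash a forensic image at acquisition time and
re-verify it before analysis. Added illustration; the device contents,
manifest layout and identifiers below are constructed for this example."""
import hashlib
import json
import time


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def acquire_image(source: bytes, examiner: str, case_id: str) -> tuple:
    """Take a bit-for-bit copy of the source and record its hash in a
    chain-of-custody manifest. Analysts work on the copy; the source is
    left untouched, and the manifest proves the two matched at that moment."""
    image = bytes(source)  # working copy
    manifest = {
        "case_id": case_id,
        "examiner": examiner,
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "size": len(image),
        "sha256": sha256_hex(image),
        "source_sha256": sha256_hex(source),
    }
    return image, manifest


def verify_image(image: bytes, manifest: dict) -> bool:
    """True only if the image still matches the hash recorded at acquisition.
    A single changed byte fails the check, which is the point: any later
    'tidying up' of the copy becomes detectable instead of silently
    undermining its admissibility."""
    return len(image) == manifest["size"] and sha256_hex(image) == manifest["sha256"]


# Constructed sample "device": two short records padded out like disk sectors.
DEVICE = (b"MEMO: Q3 pricing, do not forward\n" + b"\x00" * 480
          + b"From: alice@example.invalid\nSubject: plans\n" + b"\x00" * 466)


def demo():
    image, manifest = acquire_image(DEVICE, examiner="analyst-1", case_id="CASE-0001")
    ok_before = verify_image(image, manifest)
    # Simulate a well-meant edit to the copy before the forensics team arrives
    # (same length, so only the hash reveals it).
    polluted = image.replace(b"do not forward", b"              ")
    ok_after = verify_image(polluted, manifest)
    return ok_before, ok_after, manifest


if __name__ == "__main__":
    before, after, m = demo()
    print(json.dumps(m, indent=2))
    print("verified at acquisition:", before)
    print("verified after alteration:", after)
```

The manifest would normally be written to a separate, signed record and the hash repeated on every hand-off; the example keeps everything in memory so it runs offline.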
Also, as part of the proactive mode, says Stauffer of Corbett Technologies, computer forensics tools can be used in three ways. First, to examine corporate systems to see if an incident is about to take place; for example, tools could be used to find out if a disgruntled employee is planning to commit corporate espionage by selling secrets to competitors. Second, to examine corporate systems to see if an incident is taking place now, such as discovering that "a trusted employee is running [a] business via the corporate link to the Internet." Third, in the responsive role, forensics tools "can be utilized to rescue some corporate entity that knows their network has been violated in some manner," he notes.
Moving on to the reactive mode, DataSec's Brown says that there are quite a few specific actions to take when a hacking incident occurs. A few of his main steps are shown in the accompanying sidebar When You've Been Hacked. He notes that organizations cannot underestimate the importance of pre-planning: the time to decide what actions to take is not after the company has been hacked.
"By preparing a planned response, the reaction can be swift and coordinated rather than blind panic," he explains. "According to the CERT Coordination Center, hacking incidents are on the rise. During 2001 alone they dealt with over 52,000 incidents, a 160 percent increase on the previous year. With such a dramatic increase it is inevitable that many companies will not have a prepared response to deal with an intrusion. However, the growing press coverage of high-profile incidents is helping to alert businesses to the danger that exists and, hopefully, spur them on to build their defenses and prepare for the inevitable first successful attack."
Working the System
All of these steps that experts suggest are enormously helpful to any forensics investigation. However, adds Reid of DataSec, many companies still fail to report hacks and other digital crimes to police agencies. As such, some investigative bodies are attempting to create systems that will encourage organizations to report cybercrimes. For example, Reid says that the U.K.'s National Hi-Tech Crime Unit is reviewing "a crime-reporting system that will protect the identity of the corporate victim." Not yet operating, this type of system could "receive objections" from legal officials, though.
Another problem with making reports to law enforcement is that agencies may lack the resources (money, equipment, trained personnel and more) to properly investigate a computer crime, says John Wiechman, president of TLSI, a computer forensics organization in Texas. While this may be true, adds Dave Schultz, electronic evidence legal consultant for Kroll Ontrack, investigators in most technologically advanced countries are beginning to get a handle on cases involving digital evidence. Typically in the U.S., the federal agencies are far more advanced than local bodies, he notes, but all are changing for the better.
Whether or not companies are worried about policing agencies' expertise matters little in many regions, where reporting a criminal act is not optional, notes Alan Sterneckert, a retired FBI agent who now owns consultancy Risk Management Associates. For this reason and others, it is important that executives decide before an incident occurs whether or not it is appropriate for them to report it. Also, before something goes down, Sterneckert suggests that executives "establish liaison with local, state or federal law enforcement authorities." By doing this, organizations can learn "under what circumstances [law enforcement agencies] wish to be notified and how they wish to have evidence handled in preparation for their arrival."
And while it may be true that some policing agencies may still be grappling with investigations, most are quite familiar with the role of such digital equipment in committing crimes.
"Agents, officers and technicians have actively sought specialized training in collecting, processing, storage and presentation of digital evidence. There are many academies sponsored by private and public sectors that have been providing this type of training for many years," notes Sterneckert. "In smaller jurisdictions, there are working groups and task forces to address technical issues. As always, it is the responsibility of law enforcement agencies to upgrade their training and personnel to address emerging technologies impacting crime. Agencies are very aware that exchanging information will greatly assist in addressing crimes that are traditional or white collar in nature. I think most agencies are taking steps in that direction as fast as their budgets and legislatures will allow."
Above and beyond reporting incidents to various police agencies, Jack Wiles, president of TheTrainingCo., says that companies in the United States also have the option to go to one of the local Infragard chapters or the Electronic Crimes Task Force. The former is an FBI program and the latter a U.S. Secret Service program. Both groups combine the knowledge and expertise of their respective agencies and business members. Similar organizations exist in other countries.
Crossing the Lines
"The police find it easier to prosecute speeders than electronic crime; cynical, but true," maintains Bacon. "More countries are setting up specialist units to investigate electronic crime, and this should become the norm in all countries over time. However, as the balance shifts in favor of the police, as they understand more about how to investigate and prosecute successfully, the criminals will switch to other forms of crime. Lawmakers and enforcers will always be on the back foot. I use the analogy of a motorway, the digital highway; the criminals are racing up the outside lane in a stolen Jaguar, [people] like myself are driving their company cars in the middle lane flashing our lights and blowing our horns trying to attract attention. [Meanwhile,] the users are pootling along in the inside lane towing their caravans, [and] manufacturers are pulled up on the hard shoulder tinkering with the engine, while the lawmakers are stuck in traffic jams in the city center [and] the police [are pulling over] cars for not displaying a tax [tag] on the near-side [windshield]."
Still, when cybercrime reports cross international borders, organizations should recognize that policing agencies around the globe are doing their best to work together to bring Internet crooks to justice. "Countries are already working together to track and destroy cybercrime," says Clearswift's Hockey. "There was a global example of this recently when agencies from an array of countries, including the National Hi-Tech Crime Unit from the U.K., worked together to smash a child pornography ring."
In addition to U.K. and U.S. agencies making great strides in computer inspections, Scandinavian countries and Canada are also doing quite well in efforts to spearhead international investigations, says John Patzakis, president and general counsel to Guidance Software in the U.S. While these countries and others are trying to crack cases together when necessary, there are still problems in pursuing criminal and civil investigations involving digital evidence when some countries lack cybercrime laws or have no standing investigative agreements with others.
Whether hacked by locals or hit by those on foreign soil, notes Integralis' May, it is important for organizations to think about filing a report. "They should be reporting all crimes of this nature. The police will help in these matters, but companies need to be more open and come to them when these incidents take place," he maintains. The problem arises when a crime must be tracked into developing nations, since laws differ greatly from country to country. For instance, in some countries penetration testing is illegal, or legislation, such as the Computer Misuse Act in the U.K., prohibits accessing information that might be critical to an investigation.
"A major problem that policing agencies have from a global perspective is the lack of any international laws on cybercrime," says Corbett Technologies' Stauffer. "This is being worked on, but currently hacking into another nation's computers is encouraged and kept legal by some governments while totally illegal in other countries. Therefore, to prepare to take on electronic crime committed by white collar and traditional criminals, the first major thing that is needed is solid international laws that focus on cybercrime. Once we have that, we need a solid computer forensics training program for these agencies, with the necessary budget."
But, achieving this will take time, commitment and much effort on the part of agencies. Too, political hurdles that often impede development of such international cooperation will need to be overcome.
"As in many things, law enforcement and judicial systems perform to the best of their abilities and are frequently limited by budgets, treaties and legislatures. I sincerely believe that most agencies are acutely aware of the impact of digital evidence in criminal and civil investigations," says Sterneckert. "Most are actively seeking training, expertise and resources to address these matters."
In the meantime, says Simon Platt, national partner in charge of computer forensics with Deloitte & Touche, since cybercrime knows no physical boundaries, "any step for countries to take to work together is in the right direction."
What to Remember
"Companies are painfully aware that everything they [have done] was probably created on a computer," says Ernst & Young's Kanter. "This data virtually permeates the entire organization."
As more and more data is stored in the digital medium, notes Ian Hameroff, director of security solutions for Computer Associates, it is important that companies enlist the help of the many computer forensics tools available to them. They must establish policies before an incident happens, ensure they get the right personnel involved and that these folks have been trained so that the company can learn from the attack and recover from it.
To be sure, they must call in the experts to help with collection and preservation of evidence if they don't have in-house experts on staff. In retaining sound professionals, Vogon's Tony Dearsley, computer investigations manager, says companies must count on a "reputable firm with a proven track record and strong technical support."
And, says archolutions.com's Bacon, pre-planning is the step that makes investigations of all kinds run smoothly. "Identify the internal or external experts, set up a means of calling them, and work this sort of incident planning into your crisis plan," he says.
Too, this step is key because "computers are playing an increasingly important role for the criminal as data storage devices and instruments of unlawful behavior," says Sterneckert. "It's important to note that law enforcement agencies don't usually deal with civil and administrative issues that may be important to business and government organizations. Consequently, having computer forensic resources available is gaining importance. We have replaced filing cabinets and communication systems with computers, servers and related equipment. Our organizational need to audit, monitor and, at times, research these devices and data, greatly depends upon technology and forensic experts."
Businesses, notes SilentRunner's Suit, are grasping this and are beginning to depend on such technology not only to speed up and protect their various technological processes, but also to meet outside legal and regulatory mandates.
"Organizations should have defined policies around incident handling," Suit warns. "Regardless of whether an organization chooses to call law enforcement or just clean up the broken glass, it is essential it has appropriate processes in place to identify the issue and respond to it at all levels in the organization, from executive to technical."
August 2002 - Special Feature
Collecting Evidence from Providers
Unearthing and preserving digital evidence is a painstaking process by any investigator's standards. But, whether a company is involved in an internal or criminal investigation, staying on the trail of clues can prove even more complicated when the tracks lead to a service provider. We have gathered opinions from experts in the U.K. and U.S. on what corporate executives, investigators and attorneys should be mindful of as they pursue clues that might be offered up from a provider's electronic cache.
Some Notable Points
by John Wiechman
One of the most important things to remember when dealing with digital evidence from an Internet service provider (ISP) is to try to obtain the data as quickly as possible. Most ISPs only keep back-ups for a very short period of time, sometimes only days.
The second most important factor is knowing the appropriate person to contact within an ISP company and realizing that you are likely to need a court order specifying the exact data you want, such as the IP address in question, the name and address of the client, logs showing the usage of the account and copies of emails. Do not be surprised if ISPs seem uncooperative. Their job is to take care of their clients' needs, not yours.
Third, know where to serve your subpoena or warrant. Getting the necessary paperwork from your local judge is only part of the battle. Finding exactly who to deliver the paperwork to is almost as complicated as obtaining it. You cannot just walk up to, call or fax the nearest office. Most ISPs have procedures in place that must be followed, and if you're not aware of the exact steps to take, you're wasting your time. For example, you may need to contact the ISP's security department. In many instances, local law enforcement officials can point you in the right direction.
Lastly, don't expect to deliver the court order and walk away with the information you need. The reality is that it may be several days or even several weeks before you receive the information you need. Delays can result from the logistics involved in getting to the supervisor in charge of the servers or the back-ups that you are requesting. Additionally, the ISP may need time to duplicate information.
The most important thing to remember is to start the Internet data acquisition process as soon as possible. If not, by the time you complete the required tasks, the data you need may no longer be available.
John Wiechman is CEO and president of TLSI, Inc., a data recovery and computer forensic firm based near Dallas, Texas. He can be reached at (800) 465-TLSI or at john@tlsi.net.
Business Technology
The Digital Detective
Clients range from disaster victims to lawyers
07/28/2002
By CHERYL HALL / The Dallas Morning News
GRAND PRAIRIE: Calls from San Antonio streamed into TLSI Inc. as soon as the South Texas floodwaters subsided.
Unfortunately, many of the businesses that were desperate to save soaked hard drives had already made a fatal mistake. They dried out their computers, wiping out any shot John Wiechman and his crew might have had to recover their data.
"It's like retrieving undersea artifacts," explains Mr. Wiechman. "You have to keep it wet because the plates that store the information are made of iron ferrite that turns to rust when it dries out."
The counterintuitive answer, says TLSI's 52-year-old owner, is to put the soaking wet hard drive in a sealed baggie and ship it to a full-time data-recovery company like his.
These days, a different type of disaster is lighting up the 16-year-old company's phone lines. The seven-person company has developed an expertise in computer forensics.
Just as TV's medical examiner Quincy used forensic sleuthing, these digital coroners perform hard-drive "autopsies" to detect and intricately piece together e-mails, word processing files and computerized calendars.
Data discoveries are being used as evidence in cases involving employee sabotage, intellectual piracy, embezzlement and even murder.
'Delete' isn't the end
"People think when they hit the delete key that the data is gone. It isn't even close to being gone," Mr. Wiechman says. "We can go back and tell what you did, when you did it and how you did it."
Just ask the analysts who thought they got rid of e-mails at Merrill Lynch & Co. or the Arthur Andersen folks who shredded Enron documents.
"The joke in our business is that they would have been better off taking a hammer to the hard drives and leaving all that paper," Mr. Wiechman says of the Andersen trial. "No. 1, it made them look guilty, even if they weren't. And No. 2, there were literally thousands and thousands of pages of data that were 'lost' that have been found."
In lay terms, hitting the delete key simply tells the computer that the small patch of storage space the file occupied on the hard drive is now available; the file's contents are not erased.
But most computers today have such huge capacity that it could take years before that data is actually overwritten, if ever. And even then, only parts of the file might disappear from the hard drive.
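The behaviour the last two paragraphs describe, and the drive "cleansing" the article mentions later, can be seen in miniature with a toy filesystem: a directory block that points at data blocks, a delete that only clears the directory entry, a carver that reads the unallocated blocks, and a wipe that overwrites them. The Python below is an added illustration, not TLSI's tooling and not any real on-disk format; the block layout, file names and memo text are constructed for the example.

```python
"""Toy disk image showing why 'delete' leaves data behind. Added
illustration with a constructed mini filesystem; not any real on-disk
format and not the tooling of any firm named in the article."""
import struct

BLOCK = 64                          # bytes per block
NBLOCKS = 16                        # blocks in the image; block 0 is the directory
ENTRY = struct.Struct("8sBBB5x")    # name, start block, block count, in-use flag
MAX_ENTRIES = BLOCK // ENTRY.size   # four directory entries fit in block 0


def new_image() -> bytearray:
    return bytearray(BLOCK * NBLOCKS)


def _entries(img):
    for i in range(MAX_ENTRIES):
        name, start, count, used = ENTRY.unpack_from(img, i * ENTRY.size)
        yield i, name.rstrip(b"\x00"), start, count, used


def allocated_blocks(img) -> set:
    """Blocks claimed by a live directory entry; everything else is 'free'."""
    return {b for _, _, s, c, used in _entries(img) if used for b in range(s, s + c)}


def write_file(img, name: bytes, data: bytes) -> None:
    """First-fit allocation into free blocks, as a simple filesystem does:
    a new file silently overwrites whatever a deleted file left there."""
    need = -(-len(data) // BLOCK)
    busy = allocated_blocks(img) | {0}
    start = next(s for s in range(1, NBLOCKS - need + 1)
                 if not any(b in busy for b in range(s, s + need)))
    slot = next(i for i, _, _, _, used in _entries(img) if not used)
    ENTRY.pack_into(img, slot * ENTRY.size, name, start, need, 1)
    img[start * BLOCK:start * BLOCK + len(data)] = data


def delete_file(img, name: bytes) -> None:
    """What the delete key does: clear the in-use flag and touch nothing else."""
    for i, n, s, c, used in _entries(img):
        if used and n == name:
            ENTRY.pack_into(img, i * ENTRY.size, n, s, c, 0)


def list_files(img) -> list:
    return [n for _, n, _, _, used in _entries(img) if used]


def carve(img, needle: bytes) -> list:
    """Forensic view: search free blocks for content no directory entry claims."""
    free = set(range(1, NBLOCKS)) - allocated_blocks(img)
    hits = []
    for b in sorted(free):
        chunk = bytes(img[b * BLOCK:(b + 1) * BLOCK])
        if needle in chunk:
            hits.append((b, chunk.rstrip(b"\x00")))
    return hits


def wipe_free_space(img) -> None:
    """What 'cleansing' a drive before donation means: overwrite free blocks."""
    for b in set(range(1, NBLOCKS)) - allocated_blocks(img):
        img[b * BLOCK:(b + 1) * BLOCK] = b"\x00" * BLOCK


def demo():
    img = new_image()
    memo = b"CONFIDENTIAL: settlement offer is $1.4M; do not forward. " * 2
    write_file(img, b"memo.txt", memo)            # 114 bytes, two blocks
    delete_file(img, b"memo.txt")
    gone_from_listing = b"memo.txt" not in list_files(img)
    still_carvable = len(carve(img, b"CONFIDENTIAL")) > 0
    write_file(img, b"note.txt", b"lunch at noon")  # reuses only the first block
    partly_overwritten = carve(img, b"settlement")  # second block's copy survives
    wipe_free_space(img)
    after_wipe = carve(img, b"settlement")
    return gone_from_listing, still_carvable, len(partly_overwritten), len(after_wipe)


if __name__ == "__main__":
    print(demo())  # (True, True, 1, 0)
```

The carver only looks at free blocks; the tail of the block reused by `note.txt` still holds the rest of the memo (file slack), which is exactly the "only parts of that file might disappear" case and why real tools examine slack as well as unallocated space.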
Since its inception, TLSI has fixed hard drives and restored data for major corporations such as American Airlines Inc., Exxon Mobil Corp., Frito-Lay Inc., Texas Instruments Inc. and Microsoft Corp.
Major insurance companies know about TLSI's capabilities, so a number of computer innards damaged in New York on Sept. 11 and by the tornadoes in Fort Worth two years ago made their way to its laboratory and repair facility on North Belt Line Road.
"The average computer when we started out in 1986 had 20 megabytes [of] hard-drive storage," says Mr. Wiechman, noting that that's equal to about 1,000 sheets of paper. New desktops often have 20 gigabytes of hard-drive memory, enough to store a million pages of info.
When asked whether TLSI is retrieving some of the Andersen-Enron evidence, Mr. Wiechman answers indirectly, trying to maintain client confidentiality. "We are big and popular enough in this arena that when big things happen, we get phone calls."
Computer forensics is TLSI's growth line: The company has picked up 10 new cases in just the last two weeks.
One of those was a panicked local law firm. A disgruntled worker wiped out a directory containing 10 years of pleadings, case folders and court schedules. The firm not only wants to restore the vital information, it wants to nail the person who did it.
Dozens, perhaps hundreds, of forensic companies are popping up on the Internet, say lawyers who've used this type of service.
But they also note that it's one thing to retrieve data and quite another to recover it in a totally clean forensic environment with set procedures that can stand up in court. There's also the tough task of explaining it clearly enough to sway the verdict.
Maintaining the integrity of computer evidence was key in Dallas lawyer Mike Wright's decision to hire Mr. Wiechman in a breach of contract case. "John has such a tight system and process in place I knew that the evidence was never going to be questioned," says the partner with Winstead Sechrest & Minick.
Mr. Wright was right. He obtained a "very favorable settlement" for his client, the employer, in a he-said, they-said case by retrieving deleted files from the employee's laptop.
Mark Burge, a principal in the Fort Worth law firm Bodoin Burnside & Burge PC, says Mr. Wiechman was "absolutely critical" last year in obtaining a $1.4 million jury award for his client who had been falsely accused of child pornography by his former partner.
The jury bought Mr. Wiechman's evidence and expert testimony that the partner had planted the kiddie porn on the plaintiff's computer.
"The really cool thing," Mr. Wiechman says, "is we did such a good job, they didn't even appeal."
Damaging evidence
Mr. Wiechman started doing legal forensic work about five years ago when he was hired by a defendant in a murder case. Ironically, the information he unearthed actually convicted his client.
The defendant had faked evidence intended as his alibi, not realizing that deleted files proving the contrary were still in the computer.
"You can hire us, but you can't buy us," Mr. Wiechman says. "We'll give you anything that's on that hard drive, but we ain't lying about it. If it turns out you're guilty, we'll make that public, too."
For this former Marine and Vietnam veteran, the funky line of computer work allows him to be part sleuth, part expert witness, part repair guy and big-time geek, all of which plays to his independent personality.
Since returning from Vietnam in 1970, he's hawked vacuum cleaners door-to-door, managed restaurants and tried his hand at accounting and restoring antiques before finding his passion in 1985, when he earned an associate degree in computer science from North Lake Community College.
"After three months of programming, I discovered I didn't like sitting in a 4-by-6 cube like Dilbert," he says. "But I also discovered I was very good at hacking into systems and disassembling games. And I was technically proficient at servicing and repairing computers."
That was the foundation for TLSI, which started out rebuilding hard and floppy drives. By 1991, the company was churning out 1,000 rebuilt drives a month for Texas Instruments and Tandy alone.
Then, in mid-1994, a new generation of hard drives came to market that were cheaper and faster with many times the storage capacity but also with a tendency to crash more frequently. Within a year, recovering data accounted for two-thirds of TLSI's revenue.
Data recovery costs anywhere from $150 to retrieve data from a diskette to $20,000 for extensive recovery work on high-end storage servers.
Painstaking forensic work costs $250 an hour and can quickly mount into thousands of dollars.
A nasty divorce case Mr. Wiechman is working on is apt to run between $20,000 and $50,000 "depending on how much digging I have to do." He's hunting for e-mails, calendar entries and financial statements to prove the husband had extramarital affairs and stripped assets from the couple's company.
This year, TLSI will bring in $2 million in revenue, 40 percent of it from data recovery and 60 percent from forensics work. That's a complete switch from this time last year.
"Computer forensics will become the DNA of criminal investigations," predicts Mr. Wiechman, who owns TLSI outright after buying out two original partners a number of years ago. He figures that forensics will account for up to 90 percent of his business in less than two years as more lawyers learn how powerful this evidence can be in court.
Helping get rid of files
Another interesting piece of business has cropped up as more companies learn that deleted doesn't mean departed.
"Now companies want to make their data really go away," he says, adding that there's nothing necessarily nefarious in these requests.
A major Dallas law firm, for example, routinely donates older computers to charitable organizations, not realizing that confidential information was still sitting on the hard drives. TLSI is wiping the drives for about $100 apiece before they get recycled.
One of his toughest challenges as a small business is to stay on top of technology, he says. "We'll spend 100 to 200 man-hours per year on additional outside training for each technician." The bill last year for hardware upgrades was $100,000.
"I have no idea where this business is going," Mr. Wiechman says. "I grabbed a tiger by the tail nearly 20 years ago, and I've been hanging on for dear life ever since."
From the July 10, 2002 edition
Plan calls for jail time for execs
In Wall Street speech, the president calls for new checks on corporate fraud.
By Francine Kiefer and Ron Scherer | Staff writers of The Christian Science Monitor
WASHINGTON - President Bush's newest plan to clean up corporate America is heavily dependent upon simply exhorting the business elite of the nation to live up to its own better nature.
Mr. Bush's proposal, laid out Tuesday in a Wall Street speech, does contain some potential new enforcement sticks, notably the threat of more time in jail for executives caught in wrongdoing.
But actually convicting company officers of malfeasance has always been a difficult task. And US capitalism is such a complex structure that catching all corner-office crooks is impossible.
These realities, perhaps combined with the MBA president's laissez-faire beliefs, produced an address that calls largely upon American business to heal itself, lest it lose the public trust so crucial to its operation.
"I don't think it's very dramatic," says Cynthia Latta, an economist at DRI-WEFA in Boston.
In his speech, Mr. Bush called for a "new ethic of personal responsibility" in corporate America. He outlined a series of proposals that would double the jail time for executives who break the law and suggested boosting funding for government oversight by 20 percent next year. The president took aim at issue of executive compensation, called on companies to end the practice of making loans to CEOs, and urged the nation's stock exchanges to insist corporate boards be independent. "With strict enforcement and higher ethical standards, we must usher in a new era of integrity in corporate America," Bush said.
It was the third time this year the president has put forth proposals to address corporate malfeasance, and reflects the high stakes, both political and economic, as company after company is found to be manipulating its books.
On the surface, his prescription looks to mirror a traditional GOP approach by emphasizing tough penalties and better law enforcement over increased regulation and oversight. But the White House is also signaling that it is not far apart from a bill sponsored by Sen. Paul Sarbanes (D) of Maryland that is moving through the Senate.
Interviews with law-enforcement experts, however, show just how tough it would be to follow up on one key aspect of the president's plan: the emphasis on criminal treatment for fraudulent executives. Most CEOs can afford some of the best lawyers in the country, many of them former federal prosecutors.
The defense lawyers can ask for delays that stretch into years. And, many times, the CEOs are delving into gray areas of the law involving complex accounting issues well beyond the capability of many jurors to understand. "The key thing is the intent with which it happened," says Frank Velie, a partner at Salans, an international law firm. "Was he cynical or did he have his professional advice?"
Even if the CEO is a crook, catching him will be even more difficult today because of the FBI's new focus on terrorism: The Justice Department can't count on the agency to devote a lot of resources to the case. "There is a huge problem in enforcement resources," says Jack Coffee, a professor at Columbia University Law School.
When the government decides to prosecute a case, it can take years for it to come to trial. For example, four years ago, Cendant Corporation was shocked to discover that it had acquired a company, CUC International, that had inflated itself by $400 million. Since then, three lower-level workers have pleaded guilty to wire fraud but the president, Kirk Shelton, and the chairman, Walter Forbes, have yet to go to trial.
"It may take the prosecutor three or four years to bring the case and then the defense comes in and says, quite reasonably, 'I need one to two years to get up to speed,'" says Lawrence Goldman, president-elect of the National Association of Criminal Defense Lawyers in Washington.
In fact, the government itself is not likely to want speedy trials. This year, it rushed to try accounting firm Arthur Andersen and barely won a conviction.
The prosecutors, however, have one advantage: They can threaten to send a college-educated person to jail. That is a powerful inducement to negotiate. "The first thing a defense lawyer says when they walk into the office is how can I keep my guy out of jail, he can't go to jail," says Randall Eliason, a former fraud prosecutor.
Finding the evidence, though, can be difficult. Companies often shred documents, and e-mails are deleted. Computer forensics companies can spend weeks or months trying to retrieve files. "Digital information is so new that a lot of DAs don't know what they have in their hands," says John Wiechman, president of TLSI, Inc., a Dallas-based computer forensics company.
Despite all these obstacles, and the certainty that some CEOs will be acquitted, the government now is likely to be more aggressive in pursuing corporate crooks.
Electronic Evidence
It's Becoming Indispensable - But Most Lawyers Still Have No Idea What It Can Do
By Michael M. Bowden
Paper documents can be shredded; physical evidence can be "lost;" human testimony is only as strong as the witness's credibility - but electronic evidence is far harder to destroy than most people assume.
That's because the information (including attempts to delete it) is "remembered" by the computer at four levels of electronic storage. The average computer user can delete activity on the first level; the more advanced computer enthusiast might also be able to eliminate much of the second level. But the third and fourth levels belong strictly to the realm of the cybersleuths.
"If you are tremendously familiar with computers, it is possible to commit 'the perfect crime' - to totally hide your tracks," said Doug Rehman, a computer forensic expert in Mount Dora, Fla. "But to succeed, you've got to sequentially close about 13 'back doors' to the information, without a single error," he said. "If you make just one mistake, I can detect it. So my odds of success are vastly better than yours."
Furthermore, electronic evidence is increasingly accepted by the courts, thanks to its built-in time stamps and other tracking data. Those stamps are only as trustworthy as the clock that wrote them and the handling of the evidence since, however, which is why an examiner is expected to explain why they can or cannot be relied on.
"If you want to see a real difference that's taken place over the last three years, look at the judges," said John Wiechman, president of TLSI, Inc., a computer forensics firm in Grand Prairie, Texas. "They're getting a lot more technically savvy about computers and electronic data. It's part of their jobs; they don't have an option."
That, he said, ups the ante for lawyers because they now have to face judges who expect a level of electronic sophistication.
But only 25 percent of all lawyers know "something" about electronic evidence and a mere 5 percent are "very knowledgeable," according to Joan Feldman, president of Computer Forensics Inc., in Seattle, Wash.
The fact is, the traditional world of paper evidence is quickly being replaced by electronic data, and the legal world has no choice but to catch up. To ignore these developments can be professionally disastrous, regardless of the merits of a given case.
"I have gone into cases where one side understood electronic evidence and the other side didn't," said Wiechman. "And the side that knew, literally tore up the side that had no understanding of information technology, and no idea of what to do with what was coming down the pike at them. We sent out a tremendous amount of data to these attorneys, in response to their interrogatories and requests for production - and they would get it and not have a clue about what to do with it."
What Kind Of Evidence
Digging for hidden and deleted documents remains the profession's bread and butter - almost always in cases involving business transactions, employment law or family law.
And this work is becoming more affordable thanks to better, faster technology. For example, three years ago, searching the hard-drive of a spouse's computer in a divorce action could cost up to $10,000, effectively placing it beyond the reach of all but the wealthiest litigants. Today, the same examination can cost $2,500 or less.
"In smaller civil cases, the expense still can't be justified sometimes," said Rehman. "But as it starts getting larger, it almost becomes a necessary expense - because without electronic discovery, you cannot know what evidence you missed that might have won the case for you."
Rehman cites a case in which the board of directors of a large corporation suspected that two high officers in the company had formed a secret agreement with a competing corporation.
Rehman found several deleted e-mails in which the officers alluded to the arrangement, one of which contained instructions to destroy the e-mail immediately upon reading it. Faced with this evidence, the officers immediately confessed to their double-dealing.
This illustrates the ubiquity of electronic evidence. People are using computers more than ever before - often for communications that would have once taken place in person or over the phone.
Factor in the growing popularity of cell phones (which store past activity in their memory chips) and handheld electronic devices like Palm Pilots and Blackberries, and the future possibilities of electronic evidence recovery seem limitless.
"These devices are slowly coming into focus in the electronic discovery arena," Rehman said. "But they still have a way to go because the people at the top of a business - the ones we'd usually be targeting - aren't as technologically savvy as the lower-level people, and don't use the devices as much as those below."
Electronic building-access systems are another fast-growing source of electronic evidence in business litigation because these "electronic doormen" record who was where at a given time.
"This allows you to reconstruct someone's movements," said Rehman.
He said this could be used to establish that the person was present to commit the act in question, or to establish an alibi.
Perhaps the most fascinating aspect of computer forensics still involves the tracing of altered documents.
Ken Shear of Electronic Evidence Discovery in Seattle tells of a child rape case in which the prime suspect's alibi was that he was home typing e-mail during the two-hour window in which the attack occurred. By digging deep into the hard-drive records, Shear was able to prove that the suspect had reset the clock on his computer to shift the time stamps backward by several hours. Faced with this evidence, the rapist confessed to his crime.
Such alterations frequently figure in civil cases as well.
"You'll have litigation going on for two years and then suddenly some old memo miraculously appears that just happens to totally destroy the other side's case," Rehman said. "Then our issue becomes: Is this a genuine document, or was it created after the fact in order to win the case?"
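The clock-reset case above and the "miraculous memo" problem both come down to one check: a timestamp written by the suspect's own clock can be compared with an ordering or a clock the suspect did not control. The following is an added example, not code from Shear, Rehman or their firms. It assumes two things that are not always available: a creation order that does not depend on the PC clock (here a mail client's sequence number) and, for some records, a timestamp from an independent system (here a mail server). The records are constructed.

```python
from datetime import datetime, timedelta

TOLERANCE = timedelta(minutes=5)   # assumption: honest drift and delivery latency stay well under this


def find_clock_anomalies(records):
    """records: dicts with 'seq' (creation order independent of the PC clock),
    'local' (timestamp written by the PC clock) and, where available, 'server'
    (timestamp from an independent system). Returns a list of findings."""
    findings = []
    ordered = sorted(records, key=lambda r: r["seq"])

    # Test 1: creation order says B came after A, yet B's local stamp is earlier.
    for prev, cur in zip(ordered, ordered[1:]):
        if cur["local"] + TOLERANCE < prev["local"]:
            findings.append({"seq": cur["seq"], "kind": "backwards",
                             "detail": f"local clock jumped back by {prev['local'] - cur['local']}"})

    # Test 2: the PC's offset from an independent clock should be roughly constant.
    # A sudden change in that offset is a reset even when the order looks fine.
    offsets = sorted(r["local"] - r["server"] for r in ordered if r.get("server"))
    if offsets:
        baseline = offsets[len(offsets) // 2]   # median: a few tampered values cannot drag it
        for r in ordered:
            if r.get("server") is None:
                continue
            drift = (r["local"] - r["server"]) - baseline
            if abs(drift) > TOLERANCE:
                findings.append({"seq": r["seq"], "kind": "skew",
                                 "detail": f"offset from server differs from baseline by {drift}"})
    return findings


def T(s):
    return datetime.fromisoformat(s)


# Constructed sent-mail records: messages 4 and 5 were written after the PC clock
# had been turned back about two and a quarter hours to manufacture an alibi.
SAMPLE = [
    {"seq": 1, "local": T("2002-03-14T14:00:00"), "server": T("2002-03-14T14:00:05")},
    {"seq": 2, "local": T("2002-03-14T14:10:00"), "server": T("2002-03-14T14:10:05")},
    {"seq": 3, "local": T("2002-03-14T14:20:00"), "server": T("2002-03-14T14:20:05")},
    {"seq": 4, "local": T("2002-03-14T12:15:00"), "server": T("2002-03-14T14:30:05")},
    {"seq": 5, "local": T("2002-03-14T12:25:00"), "server": T("2002-03-14T14:40:05")},
]


def demo():
    return find_clock_anomalies(SAMPLE)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Message 4 trips both tests (it sorts after message 3 but carries an earlier stamp, and its offset from the server is hours away from the others); message 5 is consistent with 4 in order but still fails the skew test, which is the check that catches a clock that was set back once and left there.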
Powerful Family Law Tool
Outside the world of business, electronic evidence has made its greatest impact in family law.
Typically, it comes into play in divorce cases, where one spouse believes the other is hiding assets. By burrowing into the depths of the opposing spouse's hard drive, cybersleuths have found secret bank accounts, real estate and other assets that their client never knew about.
But electronic evidence can affect more than just money matters. Hard drive contents are increasingly used in child custody battles to show that one spouse isn't a fit parent - often by showing that one parent has been downloading pornography and storing it where the children could see it.
This is what happened in a pending case that Wiechman is investigating. But the husband hasn't conceded an inch. His lawyers came back with a technically sophisticated argument involving the use of "push" and "pull" technologies by pornographic websites.
The husband claims to have stumbled onto the notorious pornographic website Whitehouse.com, which many innocent users have discovered while looking for the President of the United States (i.e., whitehouse.gov). The pornographic "Whitehouse" site employs "push" technology, meaning that, without any instructions from the user, its pages run scripts that automatically open a series of additional browser windows on the user's computer, loading related sites.
The result is a "popcorn" effect, in which the user watches as a half dozen porn sites suddenly open on his or her computer - and each time one is closed, it generates a few more. The only reliable way to stop the effect is to shut down the browser program entirely and restart it.
By the time that's done, however, the user's computer will have recorded all of the porn sites opened by the "push" technology as having been visited by the user. This, the father claims, is what happened to him.
"So we had to establish whether the spouse was being pushed to these sites by accident, or whether he'd actively sought them out," Wiechman explained.
To do that, he had to recreate everywhere the husband had gone on the Web, and the sequence of the sites opened, and then compare it against the "push" sequences employed by a number of porn sites.
The investigation is ongoing, and has been complicated by the fact that the husband has been caught deleting files in violation of a court order. In addition to the contempt issues, this creates an appearance of impropriety - and makes it almost impossible to determine the sequence.
"I think he's really hurt his case," Wiechman said.
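The comparison Wiechman describes, separating sites the browser opened on its own from sites the user went to, can be made from browsing history alone if each record carries a timestamp and the referring page. The following is an added example, not TLSI's method or code. It assumes a history export with those two fields and a constructed sample; the two-second threshold for "opened automatically" is an assumption chosen for illustration, and real spawn chains would be compared against the push sequences of the sites in question as the text says.

```python
from datetime import datetime, timedelta

AUTO_GAP = timedelta(seconds=2)   # assumption: a window spawned by script follows its parent within ~2 s


def classify_visits(history):
    """history: iterable of (timestamp, url, referrer_or_None).
    Returns one dict per visit with 'how' in {'typed', 'auto', 'user', 'unknown'}
    and 'root', the user-initiated visit the chain of windows traces back to."""
    out = []
    for ts, url, ref in sorted(history, key=lambda v: v[0]):
        if ref is None:                                   # no referrer: typed or bookmarked
            out.append({"ts": ts, "url": url, "how": "typed", "root": url})
            continue
        parent = next((v for v in reversed(out) if v["url"] == ref), None)
        if parent is None:                                # referrer never seen: cannot chain it
            out.append({"ts": ts, "url": url, "how": "unknown", "root": url})
            continue
        how = "auto" if ts - parent["ts"] <= AUTO_GAP else "user"
        out.append({"ts": ts, "url": url, "how": how, "root": parent["root"]})
    return out


def summarize(classified):
    """Per user-initiated root: how many windows followed by script vs. by the user."""
    summary = {}
    for v in classified:
        counts = summary.setdefault(v["root"], {"auto": 0, "user": 0})
        if v["how"] in counts:
            counts[v["how"]] += 1
    return summary


def T(s):
    return datetime.fromisoformat(s)


# Constructed history: one burst of pop-ups after a typed address, then a later
# session in which the user moves from page to page minutes apart.
SAMPLE_HISTORY = [
    (T("2002-03-14T10:00:00"), "http://www.whitehouse.com/", None),
    (T("2002-03-14T10:00:01"), "http://ads.example/a", "http://www.whitehouse.com/"),
    (T("2002-03-14T10:00:01"), "http://ads.example/b", "http://www.whitehouse.com/"),
    (T("2002-03-14T10:00:02"), "http://ads.example/c", "http://ads.example/a"),
    (T("2002-03-14T22:15:00"), "http://gallery.example/", None),
    (T("2002-03-14T22:17:30"), "http://gallery.example/set2", "http://gallery.example/"),
    (T("2002-03-14T22:21:05"), "http://gallery.example/set3", "http://gallery.example/set2"),
]


def demo():
    return summarize(classify_visits(SAMPLE_HISTORY))


if __name__ == "__main__":
    for root, counts in demo().items():
        print(root, counts)
```

The output separates the two sessions: the first root has three script-opened windows and no user navigation, the second has two deliberate page moves and nothing automatic. Deleted history, as in the case above, removes exactly the records this analysis depends on.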
In that case, the electronic data sought by litigants was very recent, and generally speaking, success is more likely when the investigation is done close to the time the files were created. However, it is not unusual for cybersleuths to dig up files that were created months or even years earlier.
In one case, for example, a woman had waited until the very end of a two-year statute of limitations to sue her former employer, saying she'd been pushed out by sexual harassment. Her evidence? A series of sexually explicit e-mails (printed out on paper while she was still employed at the company) received from male co-workers.
Wiechman located the computer the woman had used while employed there. Fortunately for the employer, it was in storage and subsequent employees had not overwritten its old files with new data. There in the forgotten depths of the hard drive, Wiechman found hundreds of raunchy letters (many with pornographic pictures attached) that the woman had written to provoke the sexually explicit responses.
When a stack of these were dropped in front of her at mediation, the woman immediately dropped her case.
Do-It-Yourselfers Beware
Computer forensics can be very expensive. The average expert charges between $200 and $300 per hour and the average case involves 10 to 50 hours of work. That's a range of $2,000 to $15,000 per case.
"You can run into some real numbers real fast," noted Wiechman.
Large corporate cases can cost even more, running up millions of dollars in forensic expert fees, according to Feldman. Even an average business case can run $50,000 to $100,000, she said.
As a result, there are a growing number of do-it-yourself programs available.
If you spend any time at all on the Web, you've probably come across numerous ads for these affordable software products that promise to reveal whether your spouse is having an online affair, whether your kids are looking at pornography or engaging in inappropriate online chats, etc.
That is, indeed, a form of cyber-sleuthing, and some of these programs work very well, experts say. One of the best is Computer COP (http://www.computercop.com), an easy-to-use program that can be purchased for as little as $9.95 for the basic home-use version, up to $495 for a professional suite designed to assist corporate IT departments, law enforcement professionals and private investigators.
But lawyers should proceed with caution. First, such programs can't provide nearly the same experience, instinct and creativity that a professional forensic expert can bring to the table.
"The problem isn't so much in using the software, but in knowing how to apply it, what to look for, and how to interpret what you find," Rehman said. "It really is very much a forensic science, as well an art form and a matter of gut instinct. It doesn't really lend itself to the do-it-yourself approach."
For lawyers, these programs are rife with dangers. For example, when you cybersleuth the information yourself, you risk becoming a witness in your own case. And if you have a paralegal or secretary in your firm do the job - or even your client - that can also create an appearance of bias that your opponent can exploit. Further, these individuals won't be able to authenticate the data like an expert can. If asked to explain fine points about the chain of evidence, they might be able to say little more than, "Well, I pushed 'Find' and this is what the program found."
A forensic expert, on the other hand, could explain why the information was found where it was, how it got there, how the computer generates copies, why the date and time stamps are reliable or why they are not.
Another danger is that it is very easy to break the golden rule of computer forensics, which is: Do not alter the data in any way, since this will destroy its value as evidence.
Every file on a computer carries time and date stamps recorded by the file system: when it was created, when it was last modified and when it was last accessed. Merely opening the original can update the last-accessed stamp, and saving it overwrites the modification time; once that happens the original values are gone, and the evidence is tainted or lost.
As a result, forensic experts first make a bit-for-bit copy (an image) of the hard drive or database in question, verify that the copy matches the original with a cryptographic hash, and then work only on the copy, leaving the original intact. Also, the pros don't rely on any single "cyber-sleuthing program" in their work. Rather, they employ an entire "tool kit" that includes functions of the computer's own operating system, along with a host of other tools and techniques (tcpdump, Argus, NFR, TCP Wrappers, packet sniffers, nstat, Tripwire and so on, several of which are network-monitoring and integrity-checking tools rather than disk-analysis utilities) that are incomprehensible to most laypeople.
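The golden rule in practice: image first, hash both sides, analyze the copy, and be able to show afterwards that the original still hashes the same. The following is an added example, not TLSI's tooling or the page's own code. It stands in for a seized drive with an ordinary file and skips the hardware write-blocker that a real acquisition would put between the examiner and the disk; the hash check is what turns "I copied it" into something that can be verified in court.

```python
import hashlib
import os
import shutil
import tempfile

CHUNK = 1 << 20  # hash and copy in 1 MiB pieces so a large image never sits in RAM at once


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for piece in iter(lambda: f.read(CHUNK), b""):
            h.update(piece)
    return h.hexdigest()


def snapshot_metadata(path):
    """Record size and file-system timestamps before anything else touches the evidence."""
    st = os.stat(path)
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns}


def acquire(source, image):
    """Copy `source` to `image` and prove three things: the image matches the
    source, the source hashes the same before and after the copy, and the
    source's size is unchanged. Returns a manifest for the case file."""
    meta_before = snapshot_metadata(source)
    hash_before = sha256_of(source)
    with open(source, "rb") as src, open(image, "wb") as dst:
        shutil.copyfileobj(src, dst, CHUNK)
    image_hash = sha256_of(image)
    hash_after = sha256_of(source)
    meta_after = snapshot_metadata(source)
    verified = (hash_before == image_hash == hash_after
                and meta_before["size"] == meta_after["size"])
    return {"verified": verified, "sha256": hash_before, "source_meta": meta_before}


def search_image(image, needle):
    """All analysis happens on the copy. Returns byte offsets where `needle` occurs."""
    with open(image, "rb") as f:
        data = f.read()
    hits, start = [], 0
    while (pos := data.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


def demo():
    """Constructed stand-in for a seized drive: a memo buried between blocks of filler."""
    workdir = tempfile.mkdtemp(prefix="acq-")
    source = os.path.join(workdir, "seized_drive.bin")
    image = os.path.join(workdir, "seized_drive.img")
    with open(source, "wb") as f:
        f.write(b"\x00" * 4096 + b"Destroy this e-mail after reading." + b"\xff" * 4096)
    manifest = acquire(source, image)
    manifest["hits"] = search_image(image, b"Destroy this e-mail")
    # The original was only ever opened read-only; its hash must still match the manifest.
    manifest["source_still_matches"] = sha256_of(source) == manifest["sha256"]
    shutil.rmtree(workdir)
    return manifest


if __name__ == "__main__":
    print(demo())
```

The manifest (hash, size, timestamps) is what the expert produces when asked, per the point above, why the date and time stamps are reliable: they were recorded before the first read, and the hash shows nothing changed afterwards.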
"The concept is exciting to many people," said Feldman. "But the reality makes them say, 'Huh?'"
Questions or comments can be directed to the writer at: mbowden@lawyersweekly.com
Fighting Web Fraud
Security: The Internet has made it easier for crooks to rip your company off. Here's how businesses can protect themselves and their customers
By Erik Sherman
NEWSWEEK
June 10, 2002
It was almost too easy. All the young woman had to do was pick a stolen credit-card number and go online.
ACCORDING TO U.S. postal inspectors, she then bought computers and other electronic gear. A measure of the extent: when police swooped down on her New York apartment two years ago, they found $20,000 worth of gear. And she was identified only because of fraud-detection software. When she made an $800 purchase at the IKEA furniture and household-goods Web site, a program called eDetective noticed that the shipping address she gave was in a different state from the billing address for her card. This raised a red flag for IKEA fraud manager John Barry. He noticed, too, that the cell-phone number she gave as a contact was in yet a third state. He launched the probe that ended in her arrest for possession of stolen property. She pleaded guilty, apparently to a lesser charge (the case is sealed). But Barry counted it a win for his software. "Anybody who hangs their sign out front to do business on the Web takes a tremendous amount of risk," he says. "The Web gives the thief the edge. We can't see your body language, hear the tone of your voice, see the sweat on your palms."
Fraud has always been a problem for businesses. The Internet has made it easier. According to Visa USA, the rate of online credit-card fraud is three to four times higher than fraud overall. Some industries are peculiarly vulnerable, such as telecommunications. "In the entire telecom industry, the current estimate is that $15 [billion] to $20 billion of fraud happens on an annual basis," says Peter Smith, manager of AT&T's global fraud-management center.
But new technologies enable companies to fight back. Given the sheer volume of e-commerce today, software is the only solution. "You may have a suspicion that something is going on, but even if you do see some, it may only be the tip of the iceberg," says Colin Shearer, vice president of data mining at statistical-software company SPSS. "In areas like e-commerce, it's way beyond human capability to check each one of [the transactions]."
One widely used tool is known as rule-based-detection software. Merchants who use it write rules stating the criteria each transaction must meet, often alongside what is sometimes called a "negative file" of known-bad card numbers, addresses and phone numbers. The rules might include price limits and a match between the cardholder's billing address and the shipping address for the purchase. They might flag an order for an unusually high number of a single item. And they should always draw on current lists of stolen credit-card numbers. The software then screens incoming orders and uses the rules to approve or reject purchases, or to hold them for a person to review.
A related tool is predictive-statistical-model software. It examines mountains of data from previous transactions to create mathematical descriptions of what a typical fraudulent transaction looks like. It then looks at incoming orders and assigns each one a "risk value" based on its resemblance to the prototypical fraud. AT&T, for example, uses predictive models to sort through its more than 350 million calls a day, identifying a thousand cases of questionable activity. An average of 50 investigators are on duty at any given time to examine them and find the 200 cases of actual fraud. "You're literally trying to find the needle in the haystack," says Smith. "[But] if you don't find that needle... you could end up losing tens of millions of dollars within hours." It's worth the effort and expense, though: Smith estimates that AT&T's software blocks "at least" 100 frauds for every one it lets through.
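The rule-based screen described above, including the two signals that caught the IKEA order (ship-to state different from billing state, contact phone in a third state), can be written in a few dozen lines. The following is an added example, not eDetective or any vendor's product. The orders, the stolen-card list, the area-code table and the thresholds are all constructed for illustration; the predictive-model half of the article is not shown.

```python
from dataclasses import dataclass

# Constructed "negative file" and lookup data. In production the card list would be
# hashed and refreshed from the card networks, and the area-code table complete.
STOLEN_CARDS = {"4111111111111111"}
AREA_CODE_STATE = {"212": "NY", "214": "TX", "305": "FL", "415": "CA"}
PRICE_LIMIT = 2500.00          # assumption: orders above this get a second look
MAX_QTY_SINGLE_ITEM = 5        # assumption: more of one SKU than a household buys


@dataclass
class Order:
    order_id: str
    card: str
    billing_state: str
    shipping_state: str
    contact_phone: str   # digits only
    total: float
    quantities: dict     # sku -> quantity


def screen(order):
    """Apply every rule and return the list of reasons it tripped (empty = clean)."""
    reasons = []
    if order.card in STOLEN_CARDS:
        reasons.append("card on stolen list")
    if order.billing_state != order.shipping_state:
        reasons.append("ship-to state differs from billing state")
    phone_state = AREA_CODE_STATE.get(order.contact_phone[:3])
    if phone_state and phone_state not in (order.billing_state, order.shipping_state):
        reasons.append("contact phone area code in a third state")
    if order.total > PRICE_LIMIT:
        reasons.append("total exceeds price limit")
    if any(q > MAX_QTY_SINGLE_ITEM for q in order.quantities.values()):
        reasons.append("unusually high quantity of a single item")
    return reasons


def decide(order):
    """A stolen card is an outright reject; two or more weaker signals go to a human."""
    reasons = screen(order)
    if "card on stolen list" in reasons:
        return "reject", reasons
    if len(reasons) >= 2:
        return "review", reasons
    return "approve", reasons


# Constructed sample orders. A-1001 mirrors the pattern in the article.
SAMPLE_ORDERS = [
    Order("A-1001", "4000123412341234", "TX", "NY", "4155550100", 800.00, {"PC-17": 1}),
    Order("A-1002", "4000987698769876", "TX", "TX", "2145550199", 120.00, {"LAMP-3": 2}),
    Order("A-1003", "4111111111111111", "FL", "FL", "3055550123", 60.00, {"RUG-9": 1}),
    Order("A-1004", "4000555566667777", "CA", "CA", "4155550177", 3200.00, {"PC-17": 8}),
]


def screen_all(orders=SAMPLE_ORDERS):
    return {o.order_id: decide(o) for o in orders}


if __name__ == "__main__":
    for order_id, (verdict, reasons) in screen_all().items():
        print(order_id, verdict, reasons)
```

Keeping `screen` separate from `decide` matters operationally: the reasons are what the fraud manager reads, and the thresholds in `decide` are what gets tuned when the review queue grows faster than the investigators can clear it.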
Consumer fraud is not the only threat. In such industries as auto insurance and health insurance, service providers often file fraudulent claims. A body shop, for example, may include in its estimates repairs the car doesn't need. In health care, according to estimates by the Centers for Medicare & Medicaid Services, $100 billion a year is lost to fraud by physicians, hospitals and other providers that might, for example, use false diagnostic codes in their electronic filings to suggest costlier procedures than were actually done. Detection software can be "tuned" to flag frauds characteristic of a particular industry. "Ninety-six percent of the estimates we review are changed, and the average reduction is anywhere from 11 to 13 percent," says Eric Seidel, president and CEO of eAutoclaims Inc., whose software lets auto-insurance firms track claims and repair estimates.
Outside help is available. "It's valuable to have a trusted network outside your company, because that's where the expertise will be," says David Fisher, manager of the Verizon Communications fraud-prevention center. Few companies can afford expertise in fraud prevention on the scale of AT&T, so turning elsewhere makes sense. For example, Experian, one of the three big credit-reporting companies in the United States, has developed a cross-industry fraud database. Member companies can check credit applications against problems reported by other members. One of the clients recently ran a week of tests, checking credit applications against the database. "That client had a 2 percent hit rate on the national fraud database," says vice president of fraud solutions Lyn Porter. "We identified around $50,000 in savings a day."
Of course, all the software in the world will be ineffective if the enemy is within. A national retail chain found that its Dallas store suddenly went bankrupt after hiring a new manager. He was diverting sales revenues to himself through an elaborate combination of false invoices and doctored credit-card charges. His inside knowledge helped him sidestep the company's detection software. "He got away with it for 18 months," says John Wiechman, president of TLSI Inc., the computer-forensics firm hired to find the evidence. "The company was being run, but it wasn't being watched real close. [Corporate management] walked into the Dallas warehouse and it was empty." Even the best systems won't work for people asleep at the on-off switch.
© 2002 Newsweek, Inc.
BUSINESS LAW ADVISOR
Computer Forensics
By Ken Silverstein
May 4, 2002
Mission Impossible might need to be renamed if it was airing today. The 1960s hit television show used cutting-edge technologies to crack difficult cases but lacked the type of sophistication now present, specifically computer forensics. The ability to retrieve the digital fingerprints of any electronic information means that justice is better served.
With computers ubiquitous and information stored and moved digitally, forensics has become an essential science. Attorneys and their investigators can preserve almost any information that has ever been stored on a computer, even files that have been ostensibly deleted. It's a service once used exclusively by government investigators trying to crack major cases. Now, it's commonplace among corporations of all sizes trying to prevent sabotage, the tampering of personnel records or the theft of trade secrets.
"Discovery has been changed forever by data technology and recovery technology," says Mark Burge, partner in the firm of Bodoin, Burnside and Burge in Fort Worth, Texas. "It allows attorneys to prove their cases in ways they have not even thought about."
Burge worked a case where his client had been accused of keeping child pornography on his computer, a charge that didn't just jeopardize his good reputation and freedom but also his career and his financial stake in the company that he co-owned. After the initial accusations, law enforcement confiscated the hardware and began to make its case. With such obscene pictures on his hard drive, it seemed like an easy one to prove.
But was it? The client, who never knew any pictures existed, insisted that it was sabotage. To aid the matter, Burge called in the Dallas-based computer forensics firm TLSI, which worked with police to establish the method and the time that those photographs were placed in the system, a process made more difficult because the hard drive had been tampered with.
But with lots of diligence, the forensics specialists determined that another party had planted the pictures illicitly. Moreover, the pictures had been stored on the hard drive at a time when a major dispute was under way between two of the firm's principals: one was the accused, and the other was the one who had wanted control of the business.
Through a combination of computer forensics and the circumstantial evidence, justice was done. In this case, Burge had represented the accused in a slander and defamation suit where he won $1.25 million and a moral victory. "Without the forensics, we could not have proved our case."
The Science
A computer's operating system writes data and stores it on the hard drive. Hitting the delete key only removes the entry from the file allocation table (the file system's index of which clusters hold which file); it does not erase the data itself from the hard drive. The data is gone for good only if that space is later reused and "written over" with new information, or if a special utility program is used to overwrite it deliberately. With the size of today's hard drives, it can be a long time before freed space is reused, so deleted material often survives intact.
It's similar to the card catalogue at the library. The card that records exactly where a book is shelved can be lost, but the book itself stays on the shelf. With the right skills and some detective work, the information can be recovered.
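The two paragraphs above are the whole of "deleted doesn't mean departed," and the mechanism is small enough to run. The following is an added example, not TLSI's tooling: a miniature FAT-style volume with a data area, an allocation table and a directory. It shows that deleting a file only frees its clusters in the table, that a carver scanning the raw bytes still recovers the file, and that a later write which reuses the clusters is what actually destroys it, sometimes only partially. Cluster size, file names and the memo are constructed; real FAT and NTFS layouts are more involved, but the principle is the same.

```python
CLUSTER = 32        # bytes per cluster; tiny so the whole volume is easy to inspect
N_CLUSTERS = 8


class ToyDisk:
    """A miniature FAT-style volume. The data area is the 'platter'; the table and
    directory are the 'card catalogue' that tells the OS where each file lives."""

    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)   # survives deletion untouched
        self.fat = [0] * N_CLUSTERS                    # 0 = free, -1 = end of chain, else next cluster
        self.directory = {}                            # name -> {"first", "size", "deleted"}

    def _free_clusters(self, n):
        free = [i for i, nxt in enumerate(self.fat) if nxt == 0]
        if len(free) < n:
            raise OSError("disk full")
        return free[:n]

    def _chain(self, first):
        c = first
        while c != -1:
            yield c
            c = self.fat[c]

    def write_file(self, name, payload):
        n = max(1, -(-len(payload) // CLUSTER))       # ceiling division
        clusters = self._free_clusters(n)              # lowest free clusters first, like a real FAT driver
        for i, c in enumerate(clusters):
            piece = payload[i * CLUSTER:(i + 1) * CLUSTER]
            self.data[c * CLUSTER:c * CLUSTER + len(piece)] = piece
            self.fat[c] = clusters[i + 1] if i + 1 < n else -1
        self.directory[name] = {"first": clusters[0], "size": len(payload), "deleted": False}

    def read_file(self, name):
        entry = self.directory[name]
        if entry["deleted"]:
            raise FileNotFoundError(name)
        raw = b"".join(bytes(self.data[c * CLUSTER:(c + 1) * CLUSTER])
                       for c in self._chain(entry["first"]))
        return raw[:entry["size"]]

    def delete(self, name):
        """Everything the delete key does: release the clusters in the table and
        flag the directory entry. Not one byte of the data area is touched."""
        entry = self.directory[name]
        for c in list(self._chain(entry["first"])):
            self.fat[c] = 0
        entry["deleted"] = True

    def carve(self, header, footer):
        """The examiner's view: ignore directory and table, scan the raw bytes for
        header...footer pairs and return whatever is still physically there."""
        raw, hits, start = bytes(self.data), [], 0
        while (h := raw.find(header, start)) != -1:
            f = raw.find(footer, h + len(header))
            if f == -1:
                break
            hits.append(raw[h:f + len(footer)])
            start = f + len(footer)
        return hits

    def raw_find(self, needle):
        """Offset of `needle` anywhere on the platter, or -1."""
        return bytes(self.data).find(needle)


def demo():
    disk = ToyDisk()
    memo = b"<memo>Destroy this e-mail after reading.</memo>"   # constructed: 47 bytes, two clusters
    disk.write_file("memo.txt", memo)
    disk.delete("memo.txt")
    after_delete = disk.carve(b"<memo>", b"</memo>")             # fully recoverable

    # A later one-cluster file reuses the first freed cluster and wipes the header...
    disk.write_file("notes.txt", b"X" * CLUSTER)
    after_partial_overwrite = disk.carve(b"<memo>", b"</memo>")  # header gone: carver finds nothing
    fragment_offset = disk.raw_find(b"reading.</memo>")          # ...but the tail survives in cluster 1
    return {"after_delete": after_delete,
            "after_partial_overwrite": after_partial_overwrite,
            "fragment_offset": fragment_offset}


if __name__ == "__main__":
    print(demo())
```

The last step is the caveat a practitioner wants: once any cluster is reused the neat header-to-footer carve fails, but a plain string search still turns up the fragment, which is why examiners search raw and slack space rather than only carving whole files.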
Computer forensics is a growing science. U.S. companies spent $118 million on it in 2000, says International Data Corp., a consulting firm in Framingham, Mass. That will jump to $277 million by 2004, it says. Lost data is a huge problem, says TLSI, as 74 percent of all companies that have a major or complete loss of data will be out of business in 12 to 18 months.
Most such failures are the result of human error and hard drive failures. But others are the result of theft and sabotage. According to TLSI, only 10 percent to 20 percent of all attorneys are even aware that forensic evidence exists and that it is accessible to clients of almost any means. The cost to recover data depends on the size of the hard drive, but drives between 10 and 40 gigabytes, the sizes most sold today, generally cost between $550 and $3,000 to analyze, says TLSI.
"Forensics has doubled our business," says John Wiechman, president of TLSI. "It's a matter of self defense for a lot of companies and it's a matter of catching criminals for law enforcement."
California investigators confiscated the computer of a man charged with child molestation and murder in a case now pending in San Diego. The accused had deleted all child pornography from his computer but the data was recaptured by forensics specialists. While the information is circumstantial, it is being used as evidence by prosecutors in combination with other and more direct evidence.
Similarly, investigators often pore through deleted e-mails in search of incriminating evidence. Deloitte & Touche has a whole computer forensics unit. In a recent case, an employee at a firm it represented had been fired and had demanded severance pay. The client, which argued that no such pay was deserved because the dismissal was for misconduct, turned the computer over to investigators. They found lots of pornography that had been downloaded and then deleted. With such evidence in hand, the firm's denial of benefits was upheld.
Far Reaching Implications
To be sure, the field has its shortcomings. Investigations can be impeded or even stopped by secure-deletion software that overwrites data as it is deleted, leaving nothing on the hard drive to recover. It's analogous to the criminal who wears gloves to keep his fingerprints off the crime scene.
But a more prevalent issue is the lack of experts who know not just how to retrieve information from hard disks but also how to preserve and present evidence so that it holds up in court. At present, computer forensic companies are recruiting from the ranks of law enforcement and paying as much as $100,000 annually.
But the free market will respond. Universities are starting forensics programs and companies are training those with the acumen to succeed. Companies like TLSI train their investigators to go to court and to testify so that judges and juries accept their findings. They further stay on the cusp of forensics methodologies by attending instructional programs for at least 100 hours a year.
Undoubtedly, the field will evolve and have far-reaching implications. While it is the high-profile cases that are now winning attention (Kenneth Starr recovering e-mails between President Clinton and Monica Lewinsky, and the U.S. government preserving old e-mails within Microsoft to try to prove it plotted to thwart competition), it is mainstream businesses that will drive the expansion of this new industry. That growth will no doubt be fueled by lawyers trying to win justice for their clients. In doing so, they will continue to employ a powerful new tool in the courtroom.