Forensics Policy: Looking for Evidence




Experience Note 

Imagine that Alice, a senior manager, rarely takes vacations, voluntarily works many hours in excess of her scheduled duty day, and has recently acquired a condominium at a prestigious European resort. Alice's accounts payable unit has been audited before, with few findings.

For economic reasons, Alice's company is reorganized and the audit unit is placed under different leadership. During the next audit, the auditors are encouraged to look beyond routine programs. One of the auditors takes the time to thoroughly reconcile the accounts payable with business addresses, discovering several unrelated companies sharing the same Post Office box. Closer examination reveals more than nine paid accounts with the same physical address and the same mailing address.

The company's security office conducts a preliminary investigation; Alice is suspended and sent home. The company has a policy precluding any personal expectation of privacy regarding her workstation, her office space, or their contents.

A security officer contacts Bob, the contracted computer forensics investigator with whom he has an established business relationship. Company policy requires that this professional be notified under these circumstances. Additionally, the company's legal department has notified the police department. Because Bob is a retired police computer forensics officer, he will conduct the initial investigation and report his findings to the police department.

After arriving, Bob asks whether the company has the authority to enter Alice's office. After conferring with the human relations management and legal units, it is determined that the company has a policy under which employees waive privacy rights as a condition of employment, and that Alice has signed an acknowledgment to this effect. It is also company policy that its equipment may be used only for official purposes; nothing of a personal nature is permitted.

As part of any investigative process, the forensic investigator initiates an activity log in which he documents his investigative steps. This document contains a schedule noting the time he was notified, the time he arrived at Alice's office, the organization's employees with whom he spoke, and the results of those conversations. His experience and training have taught him that his words and actions will be subject to scrutiny should he testify later.

As with all evidence, a chain-of-custody schedule is initiated by the forensics officer, where he documents the location, time, date, item name, and identifying number, the seizing person's identity, and the person to whom the evidence is released.

Upon reaching Alice's work area, Bob notices that the door is locked. Without entering the office, he begins taking photographs from the office doorway. He takes special care to photograph the location of papers left on the desk, the walls, and the Post-It notes near her computer. He carefully photographs the back of Alice's computer and makes notes regarding the cabling. He notes that Alice's bookcase contains many books about computer programming, computer architecture, and networking.

Returning from his van, the investigator retrieves the forensics workstation he purchased as part of his professional forensic examiner's certification process. He removes Alice's workstation hard drive, logging each step. Using specialized software already installed on his workstation, he makes exact bit-by-bit duplicates of the hard drive. In anticipation of making these copies, he had prepared three new compatible hard drives by subjecting them to a cleansing process, ensuring that no data was present on them before they are used to hold evidence.

With the duplication process underway, the investigator goes about seizing relevant documentation and other media, including CDs, floppy disks, and a box of accounting software. This is not the accounting software authorized for use on Alice's machine. After the box's contents are quickly inspected, a series of floppy disks marked "Oro" is found near the box. One of the floppy disks is labeled "Particulares."

All of the items seized are marked with an identification tag and inventoried. A copy of this inventory will be provided to the security officer upon completion and will itself be treated as evidence. Plainly marked on the inventory are the name of each item, its tag number, the location where it was found, and the names of the officers who found it.
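The chain-of-custody schedule, the bit-by-bit duplication onto pre-cleansed drives, and the evidence inventory described above are the parts of this case that an examiner can make mechanically checkable. The following is an added example, not code from the book: it verifies that a prepared target holds only zero bytes, copies a source byte for byte while hashing the source and the finished image independently, and keeps an append-only custody log in which each entry carries the hash of the previous one, so that any later alteration of an entry is detectable. SHA-256 as the integrity check, and the `ChainOfCustody`, `image_and_verify` and `is_wiped` names, are my assumptions; the sample "drive" contents are constructed.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB pieces so a large image never has to fit in memory


def is_wiped(target, chunk_size=CHUNK):
    """Return True if the prepared target contains only zero bytes.

    This is the check behind the 'cleansing process' in the text: residue from
    an earlier case on the target would taint the image written over it."""
    target.seek(0)
    for chunk in iter(lambda: target.read(chunk_size), b""):
        if chunk.count(0) != len(chunk):
            return False
    return True


def _hash_prefix(fobj, length, chunk_size=CHUNK):
    """SHA-256 of exactly `length` bytes from the current position."""
    h = hashlib.sha256()
    remaining = length
    while remaining > 0:
        chunk = fobj.read(min(chunk_size, remaining))
        if not chunk:
            raise IOError("short read while verifying image")
        h.update(chunk)
        remaining -= len(chunk)
    return h.hexdigest()


def image_and_verify(source, target, chunk_size=CHUNK):
    """Copy source to target byte for byte; return (source_hash, image_hash, match).

    The source is hashed as it is read, then the written image is re-read from
    the target and hashed separately, so the two digests come from two
    independent reads rather than from one in-memory buffer."""
    source.seek(0)
    target.seek(0)
    h_src = hashlib.sha256()
    written = 0
    for chunk in iter(lambda: source.read(chunk_size), b""):
        h_src.update(chunk)
        target.write(chunk)
        written += len(chunk)
    target.flush()
    target.seek(0)
    image_hash = _hash_prefix(target, written, chunk_size)
    source_hash = h_src.hexdigest()
    return source_hash, image_hash, source_hash == image_hash


class ChainOfCustody:
    """Append-only custody schedule: location, time, item, tag, seizing person,
    receiving person and digest, with each entry linked to the previous one."""

    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    @staticmethod
    def _entry_hash(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()

    def record(self, tag, item, location, seized_by, released_to, sha256, when=None):
        entry = {
            "seq": len(self.entries),
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "tag": tag, "item": item, "location": location,
            "seized_by": seized_by, "released_to": released_to,
            "sha256": sha256,
            "prev": self.entries[-1]["entry_hash"] if self.entries else self.GENESIS,
        }
        entry["entry_hash"] = self._entry_hash(entry)
        self.entries.append(entry)
        return entry

    def verify(self):
        """True only if every entry's digest and back-link still hold."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or self._entry_hash(e) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Run the three checks on constructed data and report each outcome."""
    evidence = io.BytesIO(b"constructed sample drive contents\n" * 1000)  # not real evidence
    target = io.BytesIO(b"\x00" * 60000)  # a larger, pre-cleansed target
    wiped_before = is_wiped(target)
    src_hash, img_hash, match = image_and_verify(evidence, target)
    log = ChainOfCustody()
    log.record("E-001", "workstation HDD image", "Alice's office", "Bob", "police evidence room", img_hash)
    log.record("E-002", "floppy disk marked 'Oro'", "near software box", "Bob", "police evidence room", "placeholder-digest")
    intact = log.verify()
    log.entries[0]["location"] = "van"  # simulate a later, undocumented edit
    return {"wiped_before": wiped_before, "image_matches": match,
            "log_intact": intact, "tamper_detected": not log.verify()}


if __name__ == "__main__":
    print(demo())
```

The hashes belong on the inventory next to each tag number: a witness can then re-hash a drive years later and show it is the same object that was seized, which is what the testimony-first posture described in this chapter requires.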

For several hours the process continues. The investigator suggests that the security officer contact his superiors to determine whether someone can retrieve Alice's network activity logs for the past six months. He also asks to be present so that he can later testify as to how the logs were accessed and that he witnessed the process. Interviews with Alice's co-workers reveal that Alice announced the receipt of a large inheritance and stated that she would not need to work in the future.

The investigator contacts the police department and delivers all the evidence along with his logs and notes. The police perform an analysis of the materials. They discover that the accounting software was used by Alice and is secured by a password. The police examiners use specialized commercial software to "crack" the password, finding that the "Oro" floppy disks contain a list of real estate properties along with their purchase prices and locations. The disk marked "Particulares" holds a list of personal identification numbers for bank accounts and passwords for Internet e-mail accounts. The matter is presented to the district attorney's office, which authorizes prosecution. Simultaneously with her indictment, the company's legal unit, acting in conjunction with the prosecutor's office, files a lawsuit naming Alice as the defendant.

There are many compelling reasons for employing computer forensics, but before business managers decide to do so, they need to understand what it is and when to use it. Risk management is the leading reason for deploying computer forensics. Any business that does not have a policy and procedure to stop malicious behavior may count on being victimized, with little recourse against the perpetrator. Computer forensics is the investigative practice of collecting, examining, and analyzing evidence retrieved from computers and computer-related equipment. At times computer forensics analysis can seem akin to magic, in that trained, experienced professionals can find relevant evidence through sophisticated collection and restoration techniques. More than one competent analyst has been called "a miracle worker."

Collecting and analyzing computer evidence is useful for confirming or dispelling concerns about whether an unlawful act has been committed. Further, this type of work has been able to document workstation, application, and network vulnerabilities after a critical incident.

Organizations today must have policies regarding when computer forensics examiners should be called in. Information-related threats usually involve a computer of some kind or a communications network, because these are the means by which companies conduct their business and information processes. Businesses employ computer forensics when there is a serious risk resulting from compromised intellectual property, a threat of lawsuits stemming from employee conduct, or potential damage to their reputation or brand. Many organizations regularly use forensic means to audit employee workstations, on the premise that employees who know they are being monitored are less likely to stray from policies and procedures. When a random selection of employees' computers is made monthly and forensic examinations are conducted, appropriate steps are taken if unauthorized use, pornography, or abuse is discovered.

Any experienced computer forensics examiner starts and completes assignments with his or her testimony in mind. This means the examiner must always collect, analyze, and preserve evidence according to the rules of evidence. A good standard for this professional is the Federal Rules of Evidence. Basically, the examiner has three important tasks: finding, preparing, and preserving evidence.

Another aspect of forensic computer examination is the testimony of the forensics professional. This person must never attempt to perform an examination for which he or she is not trained. There are times when untrained or inexperienced persons are tempted to conduct examinations, which can corrupt or damage potential evidence. Just because a person has detailed knowledge of computers and networks does not mean that person is qualified to conduct forensics examinations. Following is a list of what to look for when selecting forensics computer examiners:

  • Prior experience in computer forensics examinations

  • Specialized training

  • Specialized experience in collecting, analyzing, and preserving evidence

  • Experience as an expert witness

  • Possession of pertinent professional certifications

  • Personal and professional integrity; examiners must withstand thorough scrutiny on technical and personal levels

  • A laboratory equipped with tools for evidence recovery

Another matter of significance: organizations should understand that reporting unlawful activities is required under many state statutes and is required under U.S. federal law. According to Title 18, USC 4, "whoever, having knowledge of the actual commission of a felony cognizable by a court of the United States, conceals and does not as soon as possible make known the same to some judge or other person in civil or military authority under the United States, shall be fined under this title or imprisoned not more than three years or both" (Exhibit 25).

Exhibit 25: Forensics Examination Policy


The XYZ Corporation may employ forensics computer examination and analysis during the course of its business processes. Upon the discovery of any unlawful act, the XYZ Corporation will report allegations to the appropriate authorities. The XYZ Corporation may pursue legal recourse in the form of administrative, civil, and criminal processes against persons or entities sponsoring or committing unlawful acts. All unlawful acts will be reported to the authorities in a timely manner.







Critical Incident Management
ISBN: 084930010X
Year: 2004
Pages: 144
