Covert Searches


A company might be able to narrow down the range of suspects to a small group. For example, network logs might indicate that harassing emails came from a specific subnet, but logs might be unavailable to further refine the specific client. Access logs might implicate a certain group of administrators, all of whom had a common administrator account. The company could choose to call in all of the suspects, advise them of the situation, and seize their computers for examination. The company could also decide to examine the computers covertly without the employees' knowledge. A company can also choose to covertly examine a computer if it doesn't want to directly confront the employee until it has more evidence.

In such a covert search, there are two major considerations (neither of which is related to forensics). First, the company must have the authority to conduct such a search. In most cases, if the system is owned by the company, it has this authority and does not require the explicit consent of the employee. [1] Second, the company should carefully consider the human implications of conducting an unannounced, covert search on its employees. It is likely that employees will eventually discover that such a search occurred. Those employees who were searched might feel that the company violated their trust, and there might be significant human costs to such an action.

[1] Again, the disclaimer about legal advice applies. Consult with competent legal counsel before undertaking any action involving search or seizure.

There are two major ways to conduct a covert search. The first, and most invasive, is to make an exact copy of the computer's hard drive and place that replacement copy back into the computer. The original drive is then preserved as evidence and is used to make further copies for forensics examination. Other than the fact that a replacement drive is provided and the actual replacement occurs without the user's knowledge, this is essentially a standard forensics search.

The second option is to make a copy of the disk for examination while leaving the original disk in the computer. Although this does not preserve the evidence on the original drive, it could be used to conduct an initial examination to determine which computer or computers warrant further investigation. The disk can be removed for copying and then replaced, or tools can be used to make imaged copies via an external cable (such as a parallel cable). SafeBack and EnCase (discussed in the preceding chapter) both support this method. Note, however, that imaging a large disk over a null modem cable takes an extremely long time (on the order of one to two hours per gigabyte), so this method might be difficult if the time window is small.

It is also possible, using some tools, to make an imaged copy of the computer over a network connection. Given that the target computer will be running at the time, it is unlikely that this image will be an exact copy. The admissibility of such a copy has yet to be challenged, but it is probable that a skilled attorney, using expert witnesses, can cast significant doubt as to its accuracy. However, if this copy is used for an initial search, a true image can be made later (using more conventional methods) for the formal investigation.
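The distinction the two preceding paragraphs draw between an exact copy of a powered-off drive and an image taken from a running system is something an examiner can check rather than assume. The following is an added example, not code from the book or from SafeBack or EnCase: it compares a constructed stand-in for a small disk against two images of it, one taken "cold" (an exact copy) and one that simulates a live system overwriting a few sectors while the copy was in progress. The whole-image digest shows whether the copy is exact; the block-level comparison shows which sectors drifted. The 512-byte block size, the sample disk layout, and the choice of which blocks change are assumptions made for the example.

```python
import hashlib
from typing import List

BLOCK_SIZE = 512  # assumed sector size for the block-level comparison


def make_sample_disk(num_blocks: int, block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed stand-in for a small disk: block i is filled with byte value i."""
    return b"".join(bytes([i % 256]) * block_size for i in range(num_blocks))


def sha256_hex(data: bytes) -> str:
    """Whole-image digest, the value an examiner records alongside the image."""
    return hashlib.sha256(data).hexdigest()


def image_matches_source(source: bytes, image: bytes) -> bool:
    """An exact copy has the same length and the same digest as the original drive."""
    return len(source) == len(image) and sha256_hex(source) == sha256_hex(image)


def differing_blocks(source: bytes, image: bytes,
                     block_size: int = BLOCK_SIZE) -> List[int]:
    """Return the indexes of blocks whose contents differ between source and image.

    Comparing per-block digests localises drift in a live image instead of only
    reporting that the whole-image digests disagree.
    """
    total = max(len(source), len(image))
    changed = []
    for offset in range(0, total, block_size):
        src_blk = source[offset:offset + block_size]
        img_blk = image[offset:offset + block_size]
        if hashlib.sha256(src_blk).digest() != hashlib.sha256(img_blk).digest():
            changed.append(offset // block_size)
    return changed


def simulate_live_image(source: bytes, modified_blocks: List[int],
                        block_size: int = BLOCK_SIZE) -> bytes:
    """Constructed live-system image: faithful except for blocks the running
    system overwrote (think log or swap activity) while the copy was being taken."""
    buf = bytearray(source)
    for blk in modified_blocks:
        start = blk * block_size
        buf[start:start + block_size] = b"LIVE".ljust(block_size, b"\x00")
    return bytes(buf)


# Constructed sample data: an eight-block "drive" and two images of it.
SOURCE_DISK = make_sample_disk(8)
COLD_IMAGE = bytes(SOURCE_DISK)                     # drive pulled and copied offline
LIVE_IMAGE = simulate_live_image(SOURCE_DISK, [3, 6])  # copied while the system ran


def report(source: bytes, image: bytes, label: str) -> None:
    print(f"{label}: exact copy={image_matches_source(source, image)}, "
          f"changed blocks={differing_blocks(source, image)}")


if __name__ == "__main__":
    report(SOURCE_DISK, COLD_IMAGE, "cold image")
    report(SOURCE_DISK, LIVE_IMAGE, "live image")
```

Run as a script, the cold image reports an exact copy with no changed blocks, while the live image fails the whole-image comparison and the block report names blocks 3 and 6. In practice the source digest would be computed from the original drive (or a later conventional image of it), which is exactly the "true image made later" that the text says the formal investigation should rely on.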

Prior to conducting a covert search, the company must develop a cover story. The story should explain the presence of people in the facility during nonworking hours and any minor changes or disturbances they cause that might be noticed by employees. For example, if a user shuts down his computer, it is a simple task to remove the hard drive for examination. If, however, he locks the workstation, it must first be shut down. When the imaging task is complete, the workstation could be rebooted but will not display the Locked Workstation screen. The employee might wonder why his computer was rebooted during the night. The company could advise all employees that facility maintenance personnel are making modifications to the power equipment and that all power will be shut off for a brief period. Employees would be told to shut down all computers prior to leaving for the evening. It is highly recommended that, after the examination is complete, the power actually be cycled to reset all clocks and any computers not examined (otherwise, the employees might wonder why nothing else was reset).


Incident Response: A Strategic Guide to Handling System and Network Security Breaches
ISBN: 1578702569
Year: 2002
Pages: 103