| < Day Day Up > |
|
No matter how careful they are, when people attempt to steal electronic information (everything from customer databases to blueprints), they leave behind traces of their activities. Likewise, when people try to destroy incriminating evidence contained on a computer (from harassing memos to stolen technology), they leave behind vital clues. In both cases, those traces can prove to be the smoking gun that successfully wins a court case. Thus, computer data evidence is quickly becoming a reliable and essential form of evidence that should not be overlooked.
A computer forensics professional does more than turn on a computer, make a directory listing, and search through files. Your forensics professionals should be able to successfully perform complex evidence recovery procedures with the skill and expertise that lends credibility to your case. For example, they should be able to perform the following services:
Data seizure
Data duplication/preservation
Data recovery
Document searches
Media conversion
Expert witness services
Computer evidence service options
Other miscellaneous services
Federal Rules of Civil Procedure let a party or their representative inspect and copy designated documents or data compilations that may contain evidence. Your computer forensics experts, following federal guidelines, should act as this representative, using their knowledge of data storage technologies to track down evidence.[ii] Your experts should also be able to assist officials during the equipment seizure process. See Chapter 5, “Evidence Collection and Data Seizure,” for more detailed information.
When one party must seize data from another, two concerns must be addressed: The data must not be altered in any way, and the seizure must not put an undue burden on the responding party. Your computer forensics experts should acknowledge both of these concerns by making an exact duplicate of the needed data. Because duplication is fast, the responding party can quickly resume its normal business functions. And, because your experts work on the duplicated data, the integrity of the original data is maintained. See Chapter 6, “Duplication and Preservation of Digital Evidence,” for more detailed information.
Using proprietary tools, your computer forensics experts should be able to safely recover and analyze otherwise inaccessible evidence. The ability to recover lost evidence is made possible by the expert’s advanced understanding of storage technologies. For example, when a user deletes an e-mail, traces of that message may still exist on the storage device or media. Although the message is inaccessible to the user, your experts should be able to recover it and locate relevant evidence. See Chapter 4, “Data Recovery,” for more detailed information.
Your computer forensics experts should also be able to search over 100,000 electronic documents in minutes rather than days. The speed and efficiency of these searches make the discovery process less complicated and less intrusive to all parties involved.
Some clients need to obtain and interrogate computer data stored on old and unreadable devices. Your computer forensics experts should extract the relevant data from these devices, convert it into readable formats, and place it onto new storage media for analysis.
Computer forensics experts should be able to explain complex technical processes in an easy-to-understand fashion. This should help judges and juries comprehend how computer evidence is found, what it consists of, and how it is relevant to a specific situation (see sidebar, “Provide Expert Consultation and Expert Witness Services”).
Computers
EXPERT TESTIMONY
Have testified multiple times as an Expert Witness in Computers/Computer Forensics in Circuit Court
Regularly testify as an Expert Witness in Computers/Computer Forensics in Federal Court for U.S. Attorney’s Offices
COMPUTER EXPERTISE
Computer Crime Investigators Association
Trained in the forensic examination of computers (PC & Mac), having conducted examinations in countless cases including: child exploitation, homicide, militia, software piracy, and fraud
Testify in state and Federal Courts as an expert in computers, computer forensics, the Internet, and America Online; often as an Expert Witness for U.S. Attorney’s Offices
Is thoroughly familiar with both computer hardware and software, having written software and repaired and assembled computers
Teach computer crime investigation, including computer search and seizure, for the Institute of Police Technology and Management
Regularly consult with law enforcement officers in the search and seizure of computers
Have provided forensic training to numerous law enforcement officers and corporate security officers
Regularly consulted by other forensic examiners for advice in difficult cases
TRAINING GIVEN AS EXPERT IN COMPUTER CRIMES
Law Enforcement and Corrections Technology Symposium and Exhibition
Bureau of Justice Statistics/Justice Research Statistics Association
Electronic Surveillance
Theft by employees or others
Time
Property
Propriety information/trade secrets
Embezzlement
Inappropriate employee actions
Burglary
Your computer forensics expert’s experience should include installing cameras in every imaginable location. This would include indoors/outdoors, offices, homes, warehouses, stores, schools, or vehicles; for every conceivable crime—theft, burglaries, homicides, gambling, narcotics, prostitution, extortion, or embezzlement (under every conceivable circumstance) controlled settings or hostage crisis or court-ordered covert intrusion.
If you need to know what your employees are doing on your time and on your premises, your computer forensics experts should be able to covertly install video monitoring equipment so that you can protect your interests. This even includes situations where employees may be misusing company computers. By using video surveillance to document employees that are stealing time, property, or secrets from you, you should protect yourself if you plan to take appropriate action against the employee.
Child Exploitation
Child sexual exploitation
Child pornography
Manufacture
Use
Sale
Trading
Collection
Child erotica
Use of computers in child exploitation
Search and seizure
Victim acquisition
Behavior of preferential and situational offenders
Investigation
Proactive
Reactive[iii]
Your computer forensics experts should offer various levels of service, each designed to suit your individual investigative needs. For example, they should be able to offer the following services:
Standard service
On-site service
Emergency service
Priority service
Weekend service
Your computer forensics experts should be able to work on your case during normal business hours until your critical electronic evidence is found. They must be able to provide clean rooms, and ensure that all warranties on your equipment will still be valid following their services.
Your computer forensics experts should be able to travel to your location to perform complete computer evidence services. While on-site, the experts should quickly be able to produce exact duplicates of the data storage media in question. Their services should then be performed on the duplicate, minimizing the disruption to business and the computer system. Your experts should also be able to help federal marshals seize computer data and be very familiar with the Federal Guidelines for Searching and Seizing Computers.
After receiving the computer storage media, your computer forensics experts should be able to give your case the highest priority in their laboratories. They should be able to work on it without interruption until your evidence objectives are met.
Dedicated computer forensics experts should be able to work on your case during normal business hours (8:00 a.m. to 5:00 p.m., Monday through Friday) until the evidence is found. Priority service typically cuts your turnaround time in half.
Computer forensics experts should be able to work from 8:00 a.m. to 5:00 p.m. Saturday and Sunday to locate the needed electronic evidence, and will continue working on your case until your evidence objectives are met. Weekend service depends on the availability of computer forensics experts.
Computer forensics experts should also be able to provide the following extended services:
Analysis of computers and data in criminal investigations
On-site seizure of computer data in criminal investigations
Analysis of computers and data in civil litigation.
On-site seizure of computer data in civil litigation
Analysis of company computers to determine employee activity
Assistance in preparing electronic discovery requests
Reporting in a comprehensive and readily understandable manner
Court-recognized computer expert witness testimony
Computer forensics on both PC and Mac platforms
Fast turnaround time
Computers systems may crash. Files may be accidentally deleted. Disks may accidentally be reformatted. Computer viruses may corrupt files. Files may be accidentally overwritten. Disgruntled employees may try to destroy your files. All of these can lead to the loss of your critical data. You may think it’s lost forever, but computer forensics experts should be able to employ the latest tools and techniques to recover your data.
In many instances, the data cannot be found using the limited software tools available to most users. The advanced tools that computer forensics experts utilize allow them to find your files and restore them for your use. In those instances where the files have been irreparably damaged, the experts’ computer forensics expertise allows them to recover even the smallest remaining fragments.
Business today relies on computers. Your sensitive client records or trade secrets are vulnerable to intentional attacks from, for example, computer hackers, disgruntled employees, viruses, and corporate espionage. Equally threatening, but far less considered, are unintentional data losses caused by accidental deletion, computer hardware and software crashes, and accidental modification.
Computer forensics experts should advise you on how to safeguard your data by such methods as encryption and back-up. The experts can also thoroughly clean sensitive data from any computer system you plan on eliminating.
Your files, records, and conversations are just as vital to protect as your data. Computer forensics experts should survey your business and provide guidance for improving the security of your information. This includes possible information leaks such as cordless telephones, cellular telephones, trash, employees, and answering machines.
Whether you’re looking for evidence in a criminal prosecution, looking for evidence in a civil suit, or determining exactly what an employee has been up to, your computer forensics experts should be equipped to find and interpret the clues that have been left behind. This includes situations where files have been deleted, disks have been reformatted, or other steps have been taken to conceal or destroy evidence.
As previously mentioned, your computer forensics experts should provide complete forensic services. These include: electronic discovery consultation; on-site seizure of evidence; thorough processing of evidence; interpretation of the results; reporting the results in an understandable manner; and court-recognized expert testimony.
Your computer forensics experts should also be able to regularly provide training to other forensic examiners, from both the government and private sectors. When other forensic examiners run into problems, they should turn to your experts for solutions.
In today’s high-tech society, bugging devices, ranging from micro-miniature transmitters to micro-miniature recorders, are readily available. Automatic telephone-recording devices are as close as your nearest Radio Shack store. Your computer forensics experts should have the equipment and expertise to conduct thorough electronic countermeasures (ECM) sweeps of your premises.
Your computer forensics experts should have high level government investigative experience; and, the knowledge and experience to conduct investigations involving technology, whether the technology is the focus of the investigation or is required to conduct the investigation. The experts should be uniquely qualified to conduct investigations involving cellular telephone cloning, cellular subscription fraud, software piracy, data or information theft, trade secrets, computer crimes, misuse of computers by employees, or any other technology issue.
So, what are your employees actually doing? Are they endlessly surfing the Web? Are they downloading pornography and opening your company to a sexual harassment lawsuit? Are they e-mailing trade secrets to your competitors? Are they running their own business from your facilities while they are on your clock?
Your computer forensics experts should be uniquely qualified to answer these questions and many more. Don’t trust these sensitive inquiries to companies that don’t have the required expertise. Trust No One!
For a detailed discussion of the preceding computer forensics services, please see Chapter 3, “Types of Vendor and Computer Forensics Services.” Now, let’s examine how evidence might be sought in a wide range of computer crime or misuse, including but not limited to theft of trade secrets, theft or destruction of intellectual property, and fraud. Computer specialists can draw on an array of methods for discovering data that resides in a computer system, or for recovering deleted, encrypted, or damaged file information. Any or all of this information may help during discovery, depositions, or actual litigation.
[ii]John R. Vacca, The Essential Guide to Storage Area Networks, Prentice Hall, 2002.
[iii]“Computer Forensics,” Rehman Technology Services, Inc., 18950 U.S. Highway 441, Suite 201, Mount Dora, Florida 32757, 2001. (©Copyright 2002, Rehman Technology Services, Inc. All rights reserved), 2001.
| < Day Day Up > |
|