CASE HISTORIES

One of the fundamental principles of computer investigation is the need to follow established and tested procedures meticulously and methodically throughout the investigation. At no point of the investigation is this more critical than at the stage of initial evidence capture. Reproducibility of evidence is the key. Without the firm base of solid procedures, which have been strictly applied, any subsequent antirepudiation attempts in court will be suspect, and the case as a whole will likely be weakened.

There have been several high-profile cases recently where apparently solid cases have been weakened or thrown out on the basis of inappropriate consideration given to the integrity and reproducibility of the computer evidence. There are several reasons why this may happen. Lack of training is a prime culprit. If the individuals involved have not been trained to the required standards, or have received no training at all, then tainted or damaged computer evidence is the sad but inevitable result.

Another frequent cause is lack of experience. Not only lack of site experience, but also inappropriate experience of the type of systems, might be encountered. One of the most difficult on-site skills is knowing when to call for help. It is essential that a sympathetic working environment is created such that peer pressure or fear of loss of status and respect does not override the need to call for help. Easier said than done, perhaps, but no less essential for that reason.

Finally, sloppiness, time pressure, pressure applied on-site, tiredness, or carelessness have all been contributory factors in transforming solid computer evidence into a dubious collection of files. These totally avoidable issues are related to individual mental discipline; management control and policy; and selecting appropriate staff to carry out the work. There are issues with which one cannot sympathize. This is bad work, plain and simple.

Ultimately, anytime the collection of computer evidence is called into question, it is damaging to everyone who is a computer forensic practitioner; it is ultimately in everyone’s best interest to ensure that the highest standards are maintained.

To use a rather worn phrase from an old American police series (“Hill Street Blues”): Let’s be careful out there!

Taken for a Ride

A sad, but all too frequent story from prospective clients: I’ve just spent $5,000 on a Web site and got taken for a ride. I cannot find the con man now and all I have is an alias and a pay-as-you-go mobile number. Can you help me please?

WHAT CAN YOU DO?

It is strongly recommended that anyone dealing with entities on the Internet needs to make sure they know who they are dealing with before they enter into any transaction or agreement. If you cannot obtain a real-world address (preferably within the jurisdiction in which you live), then think twice about going any further. Always question the use of mobile phone numbers—they should set alarm bells ringing! This task is made easier in the UK now as all mobile numbers^{[xiii ]}start 077xx, 078xx, or 079xx. Pagers start 076xx. From April 28, 2001 on, all old mobile, pager (those that do not begin 07), special rate, and premium rate numbers stopped working.

If you feel you do want to proceed with the transaction, then use a credit card rather than a debit card or other type of money transfer; then at least you will have some protection and only be liable for $50 rather than having your entire bank account cleaned out. In terms of tracing a suspect like the one in the preceding, your computer forensic experts should be able to trace e-mails around the world; and, by acting quickly and in conjunction with legal firms, they should be able to track individuals down to their homes. An application for a Civil Search Order can then allow entry and the experts are thus able to secure all electronic evidence quickly and efficiently. Internet Cafés are sometimes more of a problem, but it is remarkable how many users go to the trouble of trying to disguise their tracks only to end up sitting in exactly the same seat every time they visit the same Café.

So, yes, your computer forensic experts can help, but by taking the proper precautions, you would not need to call them in the first place!

Abuse of Power and Position

This message is by no means new, in fact, it could be said that it has been repeated so many times in so many forums that it is amazing that management still falls foul of the following circumstances.

In recent months, investigators at Vogon International Limited^[xiv] have been asked to examine computer data for evidence of fraud. On one occasion, the client was a charity, on the second, a multinational company.

In both cases, fraud, totaling hundreds of thousands of dollars (pounds) was uncovered. The modus operandi of the suspects was very similar in both cases. Bogus companies were set-up and invoices were submitted for payment. The fraudsters were in a position to authorize the payment of the invoices and had the power to prevent unwelcome scrutiny of the accounts.

In addition, one of the fraudsters was paying another member of staff to turn a blind eye to what was happening. On further investigation, this member of staff was obviously living beyond his means.

The message is simple, whether you are a multinational company or a small business, the possibility of fraud is ever present. And, while not wishing to fuel paranoia, traditional checks and balances must be in place to ensure that those trusted members of the staff who have power cannot abuse their position.

Secure Erasure

Now, let’s touch on this old chestnut again, because it appears to be the source of considerable confusion and misinformation. Vogon’s customer base seems to be polarized into two main camps:^[xv] those who desperately want to retain their data and fail, often spectacularly, to do so; and the other camp who wish to irrevocably destroy their data, and frequently fail in a similarly dramatic manner.

The latter may be criminals who wish to cover their tracks from the police or legitimate business organization who wish to protect themselves from confidential information falling into the wrong hands. Fundamentally, the issues are the same. When considering the issues of the legitimate destruction of data, this is ultimately a matter of management responsibility, which requires a considered risk analysis to be carried out.

To the question can data be securely erased? The answer is, self-evidently, yes. If you were to ask: Is it straightforward or certain? It depends, would be the answer.

There are many systems in use for securely erasing data from a wide range of media. Some are effective, some completely ineffective, and some partially effective. It is the latter situation that causes concern, and, frequently, not an inconsiderable amount of embarrassment.

Those systems that absolutely destroy data do so in a manner that is total, unequivocal, and final; there can exist no doubt as to their effectiveness. Systems that are sold as being completely effective, but which are fundamentally flawed, are obviously flawed. With only cursory analysis, this is evident, and so these are (or should be) swiftly disregarded.

Vogon is regularly asked to verify the destruction of data by many of their large clients.^[xvi] What they find is that frequently only a fraction of a sample sent is correctly or accurately deleted. RAID systems are a prime candidate for chaos. Certain revisions of drive firmware can present special challenges; in some cases, even the software used defeats the eraser. The list is long and growing.

Vogon is often asked for advice on this issue.^[xvii] The answer is always the same. If the destruction of data has more value than the drive, physically destroy the drive. Crushing is good; melting in a furnace is better. If the drive had more value than the data, what are you worrying about?

^{[xiii ]}John R. Vacca, i-mode CrashCourse, McGraw-Hill, 2001.

^[xiv]Vogon Forensics Bulletin, Vol. 3, Issue 3, Vogon International Limited, Talisman Business Centre, Talisman Road, Bicester, Oxfordshire, OX26 6HR United Kingdom, 2001.

^[xv]Ibid.

^[xvi]Ibid.

^[xvii]Ibid.