The television series CSI has given millions of viewers an appreciation of the role and importance of physical evidence in conducting criminal investigations. Each week, we see the confluence of fingerprints, DNA tests, autopsies, microscopic examinations and ballistic evidence used to solve a murder or explain the circumstances surrounding an unusual death. The drama lies less in the events that are portrayed than in the thinking that lies behind the collection, preservation and interpretation of the evidence needed to solve the case and support prosecution.
IT managers aren't likely to confront dead bodies on the job, but a rudimentary knowledge of evidence, as it relates to computer data, can help protect your organization's operations, data and processes.
In today's computer-driven world, where networked e-mail and instant messaging are the communication norms, knowing how to collect, handle and analyze information on a miscreant's computers can be critical to a successful civil or criminal prosecution.
There are two categories of computer crime: criminal activity that involves using a computer to commit a crime, and criminal activity that has a computer as a target, such as a network intrusion or a denial-of-service attack. The same means of gathering evidence are used to solve both types of crimes. And the same kinds of skills used by the lawbreakers are needed to track them down.
It takes an expert
Computer forensics is not a task to be undertaken lightly by just any IT worker. Instead, it calls for specialized skills and careful, documented procedures. A forensics expert knows what signs to look for and can identify additional information sources for relevant evidence, including earlier versions of data files or differently formatted versions of data used by other applications.
Computer data is fundamentally different in some respects from other types of information, and this affects how we have to handle it as evidence. Unlike a traditional paper trail, computer evidence frequently exists in many forms, and different versions of the same document are often accessible on a computer disk or on backup tapes. Data stored on a computer or network is difficult to destroy completely, because copies tend to coexist on multiple hard drives, backups and servers, and because deleting a file or quick-formatting a disk usually only marks the space as free: the underlying data stays on the media until it happens to be overwritten, so deleted files, and often the contents of reformatted disks, can be recovered in whole or in part. In addition, computer data can be copied bit for bit, and the copy verified against the original with a cryptographic hash, so analysis and processing are done on the copy without touching the original.
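To make the recovery point concrete, here is an added example (not code from the original article) that simulates what "deleting" does on most file systems and then recovers the data anyway by scanning the raw disk for file signatures, the technique forensic tools call carving. The disk layout is a constructed toy: a small directory of fixed-size entries followed by a data region. Deletion clears only an in-use flag in the directory, exactly as FAT or NTFS leave the data clusters in place, and the carver ignores the directory entirely. The last step shows the caveat that matters in practice: once the freed space is reused, the evidence is gone.

```python
"""Signature-based carving of 'deleted' data from a raw disk image.

Added example, not part of the original article. The on-disk layout is a
constructed toy (16-byte directory entries: 1-byte in-use flag, 7-byte
name, 4-byte offset, 4-byte length; data region after the directory). The
JPEG and PNG markers used by the carver are the real on-disk signatures.
"""
import struct

ENTRY = struct.Struct("<B7sII")          # flag, name, data offset, length
DIR_ENTRIES = 4
DIR_SIZE = ENTRY.size * DIR_ENTRIES      # 64-byte directory region
DISK_SIZE = 4096

# Constructed sample payloads: real header/trailer bytes around filler.
JPEG = b"\xff\xd8\xff\xe0" + b"J" * 40 + b"\xff\xd9"
PNG = (b"\x89PNG\r\n\x1a\n" + b"P" * 40
       + b"\x00\x00\x00\x00IEND\xaeB`\x82")   # the real IEND chunk

# kind -> (header, trailer, bytes that follow the trailer)
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND", 4),    # IEND is followed by its CRC
}


def _entries(disk):
    """Yield (index, in_use, name, offset, length) for every directory slot."""
    for i in range(DIR_ENTRIES):
        flag, name, off, ln = ENTRY.unpack_from(disk, i * ENTRY.size)
        yield i, flag, name.rstrip(b"\0").decode(), off, ln


def list_files(disk):
    """What a normal directory listing shows: only entries flagged in use."""
    return [name for _, flag, name, _, _ in _entries(disk) if flag]


def write_file(disk, name, data):
    """First-fit allocation: the lowest gap big enough gets reused."""
    used = sorted((off, off + ln) for _, flag, _, off, ln in _entries(disk) if flag)
    start = DIR_SIZE
    for lo, hi in used:
        if start + len(data) <= lo:
            break
        start = max(start, hi)
    if start + len(data) > DISK_SIZE:
        raise OSError("disk full")
    for i, flag, _, _, _ in _entries(disk):
        if not flag:
            ENTRY.pack_into(disk, i * ENTRY.size, 1, name.encode(), start, len(data))
            disk[start:start + len(data)] = data
            return start
    raise OSError("directory full")


def delete_file(disk, name):
    """'Delete' the way most file systems do: clear the flag, keep the data."""
    for i, flag, n, _, _ in _entries(disk):
        if flag and n == name:
            disk[i * ENTRY.size] = 0
            return True
    return False


def carve(disk):
    """Recover files by signature alone, never consulting the directory."""
    found = []
    for kind, (head, tail, extra) in SIGNATURES.items():
        pos = 0
        while True:
            start = disk.find(head, pos)
            if start < 0:
                break
            end = disk.find(tail, start + len(head))
            if end < 0:
                break
            end += len(tail) + extra
            found.append((kind, start, bytes(disk[start:end])))
            pos = end
    return sorted(found, key=lambda f: f[1])


def make_disk():
    disk = bytearray(DISK_SIZE)
    write_file(disk, "photo", JPEG)      # lands at offset 64
    write_file(disk, "logo", PNG)        # lands at offset 110
    return disk


if __name__ == "__main__":
    disk = make_disk()
    delete_file(disk, "photo")
    print("directory:", list_files(disk))                  # ['logo']
    print("carved:", [(k, o) for k, o, _ in carve(disk)])  # jpeg still there
    write_file(disk, "notes", b"N" * 30)                   # reuses the freed gap
    print("after reuse:", [k for k, _, _ in carve(disk)])  # jpeg header gone
```

The carver finds the JPEG after deletion because only the directory flag changed; after a new 30-byte file is written into the freed gap, the JPEG header is overwritten and carving no longer recovers it. That is why the first act after seizure is to stop all writes to the media.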
Any type of data can serve as evidence, including text documents, graphical images, calendar files, databases, spreadsheets, audio and video files, Web sites and application programs. Even viruses, Trojan horses and spyware can be secured and investigated. E-mail records and instant messaging logs can be valuable sources of evidence in litigation, because people are often more casual when using electronic communications than they are when they use hard-copy correspondence such as written memos and snail-mail letters.
And finally, digital data can be searched quickly and easily by machine, whereas paper documents must be examined manually.
Like other information used in a case, however, the result of a computer forensics investigation must follow the accepted standards of evidence as codified in state and federal law. In particular, an investigator must take special care to protect evidence and to preserve its original state. It's especially important to prevent suspect files from being altered or damaged through improper handling, viruses, electromagnetic or mechanical damage, and even booby traps. To accomplish this, it's necessary to do the following:
- Handle the original evidence as little as possible; work from a verified bit-for-bit copy, since even opening a file on the original system can change its timestamps.
- Establish and maintain the chain of custody.
- Document everything that's done.
- Never go beyond what is known and can be proved from direct, personal knowledge.
Failure to protect evidence might mean that original data is irretrievably lost or changed and that results and conclusions may not hold up or be admissible in a court of law.
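The four rules above translate into a concrete acquisition routine: read the original once, hash it as it is read, re-check the hash on the working copy before (and after) any analysis, and log every action with the examiner, time and hash values. The script below is an added example written for this article, not a tool from the original text. A real acquisition puts the source behind a hardware write blocker and uses a dedicated imager, but the checks are the same. The evidence file, the examiner name and the log format are constructed for the example.

```python
"""Bit-for-bit imaging with hash verification and a chain-of-custody log.

Added example, not from the original article. Shows the three checks that
keep an acquisition defensible: a single read pass over the original, a
SHA-256 computed on the fly and re-verified on the copy, and an append-only
JSON-lines log of who did what, when, with which hashes.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20          # 1 MiB reads keep memory flat for multi-GB sources


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy source to image in one pass, hashing the original as it is read.

    Returns (bytes_copied, sha256 of the original exactly as read). Opening
    the source read-only and touching it only once is the software half of
    'handle the original as little as possible'; a write blocker is the
    hardware half.
    """
    h = hashlib.sha256()
    copied = 0
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
            copied += len(block)
    os.chmod(image, 0o444)   # the working copy is never modified either
    return copied, h.hexdigest()


def verify_image(image, expected_hash):
    """Re-hash the copy; any change since acquisition breaks the match."""
    return sha256_of(image) == expected_hash


def log_custody(log_path, examiner, action, item, details):
    """Append one custody event. JSON lines, one event per line, never rewritten."""
    entry = {"when": datetime.now(timezone.utc).isoformat(),
             "examiner": examiner, "action": action, "item": item, **details}
    with open(log_path, "a") as log:
        log.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def demo(examiner="examiner-1", tamper=False):
    """Constructed run: a fake 'drive' file stands in for seized media.

    With tamper=True one byte of the image is changed after acquisition, the
    failure mode the verification step exists to catch.
    """
    work = tempfile.mkdtemp()
    try:
        source = os.path.join(work, "suspect_drive.raw")
        image = os.path.join(work, "suspect_drive.img")
        log = os.path.join(work, "custody.jsonl")
        with open(source, "wb") as f:
            f.write(b"constructed drive contents " * 50_000)   # > 1 MiB
        size, acquired = acquire_image(source, image)
        log_custody(log, examiner, "acquire", image,
                    {"source": source, "bytes": size, "sha256": acquired})
        if tamper:
            os.chmod(image, 0o644)
            with open(image, "r+b") as f:
                f.write(b"X")
        ok = verify_image(image, acquired)
        log_custody(log, examiner, "verify", image,
                    {"sha256_expected": acquired, "match": ok})
        with open(log) as f:
            entries = [json.loads(line) for line in f]
        return {"bytes": size, "sha256": acquired, "verified": ok, "log": entries}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    result = demo()
    print(result["verified"], result["sha256"])
    for event in result["log"]:
        print(event)
```

The hash recorded at acquisition is the anchor for everything that follows: an expert who can show that the copy still hashes to the same value months later, and a log that names every person who handled it, has the foundation the list above demands. A mismatch, as in the tampered run, means the copy can no longer be tied to the original and the analysis built on it is suspect.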