Digital forensics is changing the way crimes are investigated and it’s also being used by businesses looking to clamp down on unpleasant or illegal staff behaviour.
Detective sergeant John Finan admits to watching the occasional episode of CSI and what amazes him most is how the producers can telescope months of painstaking forensic investigation into an hour of television.
He knows how it really happens; as part of the Garda Computer Crime Investigation Unit, he has seen how digital evidence taken from PCs, servers, disks and mobile phones is a growing part of law enforcement.
Recently, web searches and internet chat data recovered from PCs helped to secure a murder conviction in this country (DPP v Colin Whelan, 2001).
Other garda work involving forensic technology included Operation Amethyst, a co-ordinated effort to round up traffickers in child pornography holding illegal material on their PCs.
Luckily for investigators, computers are a bit like elephants — they never really forget. Pressing the delete key, removing a website from the browser favourites list or moving a document to the recycle bin might seem to make something disappear forever.
In reality, the way computers are designed to store information means that traces of the data still remain in the empty spaces of a hard disk. Computer forensics’ role is to recover, analyse and present computer-based material in such a way that it is usable as evidence in court.
Now, the Gardai and private IT security firms have powerful forensic software tools such as EnCase to obtain information the original user thought was long gone.
Forensic technology is also playing an increasing role in the business sector, according to Colm Murphy, technical director with the security consultancy Espion. Irish solicitors are now accustomed to dealing with this information and they accept this kind of forensic evidence.
It’s also used in employment appeals tribunals, with Espion staff regularly called to give evidence in cases involving sexual harassment or bullying, corruption and fraud, data theft or information leaks. Other times companies call for IT forensic services to help resolve internal disciplinary matters.
The bulk of forensic technology work takes place in the latter case, says Murphy. “The vast majority of incidents have been internal to the organisation — involving employees, contractors or temporary staff. It’s not necessarily always a criminal activity. A lot of the time it involves policy breaches or gross misconduct.”
Such cases can range from sexual harassment and bullying to corruption, fraud, data theft or leaks. Some organisations use computer forensics as a form of due diligence, such as ensuring that sensitive information hasn’t left the organisation prior to tying up a large contract. “A lot of what we work on don’t become legal cases — many are handled internally with disciplinary processes,” Murphy adds.
He emphasises that in private cases, the company and not the forensic analyst runs the investigation — the detection software is merely one part of that. Due process must still be applied and forensics can’t be deployed as a kind of Big Brother tactic by employers. It is illegal for companies to “spy” on staff without suspicion or proof, he says.
In some cases, forensics has proven the absence of wrongdoing. Murphy recalls one incident involving a large Irish organisation. A female member of staff sent her PC to the firm’s internal helpdesk to be repaired and when it came back, she found offensive websites in her browser favourites. She then called the technician, accusing him of putting the material there. With just allegations and finger-pointing to go on, life could have become very difficult for the staff involved. Instead the company called Espion and conducted a technical investigation.
A forensic exam on the PC uncovered a spyware kit which the original user had unknowingly loaded on to the computer. “We were able to show nobody had clicked on the links, or had downloaded anything,” says Murphy.
Computer forensics is commonly used in more serious cases involving corruption and fraud, as it is often possible to retrieve incriminating information from PCs or storage media — even printers now have hard disks so there are many locations where this data might live.
“There is some level of a digital trail, be it spreadsheets or email. Data theft is becoming more of a threat as people create and store documents electronically,” Murphy says.
Although some private cases can be relatively straightforward, retrieving data in a criminal investigation can be a time-consuming process, as Finan points out. Not only does potentially incriminating data have to be identified, it has to be tied to a person’s computer and it must be proven beyond a reasonable doubt that the person accused of the offence was the one who used the computer.
What is most important, Finan stresses, is to treat any evidence appropriately. Instead of examining the original media, an exact replica should be made. This is known as a bitstream copy: a forensically sound duplicate that protects the original data source while allowing investigators to read the information from the copy.
There is a possibility that a potential case could be at risk if the original data is tampered with or has been moved, so Finan emphasises that it’s important to treat an area as a crime scene.
Companies who suspect they may have to investigate an incident shouldn’t feel they have to go it alone. They can contact the Garda Computer Crime Investigation Unit if they have any questions about potential cases and want confidential advice about how to proceed with an investigation.
Human resource managers who may be interested in finding out more about the subject can download the Good Practice Guide for Computer-Based Electronic Evidence, which is available from a number of sites via search engines. A slow process it may be, but wherever there is any doubt, computer forensics can help to uncover the facts.
By Gordon Smith
Pictured, left to right: Detective sergeant John Finan; Colm Murphy, technical director, Espion; and Jim Friars, chief executive of the Irish Computer Society.