Hard disk detective

25 May 2006

Andy Harbison’s business card may read ‘senior manager, enterprise risk services’ and his reputation is as one of the country’s foremost computer forensics practitioners but it’s hard to escape the impression that he could tell you a thing or two about human behaviour.

Despite a job description that suggests he spends his days staring at a computer screen, in fact Harbison would be the first to say that computers are never to blame for wrongdoing — the fault lies squarely with the people who use them.

“If someone’s used a laptop for more than a year, give it to me and I’ll tell you more about them than their wife knows,” he says, not in a boastful way but more as an acknowledgement that computers are now so embedded into our working lives that they end up harbouring all manner of information and even secrets. Ultimately computer forensics is a study of human nature — and usually its less worthy aspects: weakness, folly and greed. During an interview Harbison makes the point more than once that analysing a computer is like taking a cross-section of someone’s brain: what their interests are and what they think about is all there. By extension, if a person has done something wrong there is a strong chance that a computer retains a trace of this.

Essentially, IT forensics involves recovering and analysing data that has been deleted, cached or hidden from a range of equipment such as PCs, PDAs and servers. Deloitte’s IT Forensic Unit has a machine that can take an ‘image’ of a laptop or desktop in 20 minutes and a server in three hours, Harbison says with some pride. This piece of equipment is vital because the original computer must remain ‘untouched’ for any investigation to be successfully concluded.

Early in the conversation, to reinforce his point about how computers are central to most of what people do, Harbison states: “All crime is computer crime these days.” By way of illustration he cites the case of Colin Whelan, who was imprisoned last year for the murder of his wife Mary Gough. Evidence gleaned from a computer was crucial in helping to seal the conviction. Gardai who examined a computer that Whelan had used at work found that he had researched strangulation and asphyxiation on the internet before committing the crime. What is more, one of the sites he was discovered to have visited related to a killer in the US who used techniques to fool investigators about the time of death of his victims.

Search engine data, for example, can tell investigators a lot about a person, Harbison says. “Google searches are incredibly good at showing intent,” he notes. Where more than one person is involved in a crime, webmail sites are a Godsend to the forensically inclined. “I love Hotmail,” Harbison quips. “People are incredibly indiscreet. In order to have a conspiracy you’ve got to have communication.”

Ah, but isn’t it a matter of simply removing those traces — the electronic equivalent of wearing rubber gloves at a crime scene? Any files that could potentially prove guilt or even suspicious activity could get moved to the PC recycle bin and the trail goes cold. Not so, says Harbison. “Deleted isn’t erased; in computer terms they’re two different things.”

The humble Word document is a case in point, as it throws up all kinds of useful information that could aid investigators. “A Word document tells you who wrote it, when, the name of its last editor, the time of creation and last modification, the time of last printing, the names of the locations of the last 10 saves and possibly material deleted from the document,” Harbison says. Possibly the most famous example of this is the so-called ‘dodgy dossier’ on which Tony Blair’s UK government built much of its case for the war in Iraq. The document was published on the web in Word format, making it possible to see where alterations had been made to the original material.

Deloitte’s IT forensic team in Dublin primarily helps Irish companies to combat corporate crime, offering a range of services including: incident response, evidential data recovery, data analysis and reporting, post-incident lock-down of equipment and electronic intelligence manage- ment. In that context computer forensics can be brought to bear in a range of cases such as those involving bullying or harassment. Without disclosing names — “discretion is part of the job,” he remarks — Harbison gives the example of a current such case involving a large company in Ireland. He was able to retrieve data from email and instant messaging clients and the text he found “was like something out of a Victorian melodrama”, he says.

Also in the business sphere, intellectual property (IP) theft is a growing problem and is affecting more and more companies in Ireland. If the name makes it sound like major secrets are being stolen, Harbison reasonably points out that the material covered by the term IP includes customer databases, strategic business plans or production diagrams, right up to software code. “If you develop it for the company then it’s the company’s. It’s getting completely out of hand and things like these,” he says, holding up a USB storage key to make his point, “are making all the difference. You can get a 2Gb key for €80 now and the problem with these things is that it makes theft easy.”

The miniaturisation of technology extends to mobile phones. Many of the latest devices are kitted with serious computing power and storage capacity to match. They will provide another potentially important and rewarding area for investigators who know how and where to look for data — and, as should be obvious by now, that doesn’t just mean the trash folder on the hard drive.

By Gordon Smith