Techies under oath
What it's like to be a computer forensics specialist.
By Ann Bednarz, Network World, 09/11/2006
During his law enforcement days Harry Megerian got his hands on a lot of IT gear - by brute force.
"We probably did a raid once a week or once every two weeks," says Megerian, a former computer forensics specialist with the
U.S. Treasury Department. "I would walk away with five computers, on average."
These days Megerian still scours computers for evidence, but he does it on a consultative basis through the firm he founded,
Computer Investigative Services, in Rochester Hills, Mich. One thing he doesn't miss is the raids. "I got a little tired of
running up flights of stairs, breaking in doors," says Megerian, who retired from the Treasury Department in 2003 after 29
years.
In his consulting practice Megerian works primarily with government clients, investigating financial fraud and other criminal
activities. He's among a growing number of computer forensics specialists trained to pore through hard drives and device logs
to find evidence of criminal or inappropriate behavior.
As digital evidence has become more important to civil and criminal cases, the field has gained recognition, says Alan Brill,
senior managing director at Kroll Ontrack, in Minneapolis. Interest in computer forensics has also grown because of the state-of-the-art
labs and slick extractions of digital evidence that viewers see portrayed on television shows such as "CSI."
"It is not what it looks like on TV," Brill says. "When we watch some of these shows where the cops go in and they sit at
a suspect's computer and they find all this evidence - it's not what happens."
Rather, computer forensics is all about protocol. Experts use established investigative and analysis techniques to uncover
system data - including damaged, deleted, hidden or encrypted files.
"People think that it's glamorous. The reality is that 95% of the time it's about very routine analytics and executing projects
in a very uniform way," Brill says. "It is certainly not for those who are not detail- and process-oriented. It is not for
those who loathe documenting their work, because the nature of what we do requires very complete, careful documentation."
As projects unfold, the digital evidence accumulates. In one case Brill worked on, a company suspected an individual of sabotaging
computer systems. It was clear from which machine the sabotage occurred, but to prove who was responsible took some digging.
"The bad guy claimed he couldn't have done it, he was outside smoking a cigarette," Brill recalls. Video from the building
security system appeared to confirm that alibi, with a time stamp indicating he was there when the sabotage happened, Brill
says.
After examining additional sources, however, Brill and his team found the time clock in the video system was inaccurate. They
dug into the building's access-control system - which has a time clock of its own - and determined when the suspect used his
badge to return to his office after a smoking break.
A check of phone logs supplied further evidence suggesting the suspect's culpability. "At the time of the incident, somebody
was using the telephone on that very desk. And that somebody turned out to be telephoning the unlisted number of our suspect's
mother," Brill says.
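The case Brill describes turns on one routine step: putting records from systems with independent clocks (video, badge reader, phone switch, the host itself) onto a single reference timeline before drawing conclusions about who was where. The script below is an added example, not code from the article or from Kroll Ontrack; every source, name, timestamp and clock offset in it is constructed. It measures the video system's skew from one event both the camera and the badge reader recorded, re-expresses every record in reference time, and then asks the two questions the investigators asked: was the subject inside at the moment of the sabotage, and what else happened at that desk within a couple of minutes of it.

```python
"""Cross-source timeline correlation with clock-skew correction.

Added example; all records, names, times and offsets are constructed.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Dict, List


@dataclass(frozen=True)
class Event:
    source: str   # system that recorded it: host, badge, video, phone
    ts: datetime  # timestamp as written by that system's OWN clock
    kind: str     # "enter", "exit", "call" or "host"
    detail: str


def t(hhmm: str) -> datetime:
    """A clock reading on the (constructed) incident day."""
    return datetime.strptime(f"2006-09-11 {hhmm}", "%Y-%m-%d %H:%M")


def minutes(n: int) -> timedelta:
    return timedelta(minutes=n)


# Constructed raw records, each expressed in its own source's clock.
# Host, badge and phone clocks are assumed to be synced to the reference;
# the video recorder's clock is of unknown accuracy.
RAW: Dict[str, List[Event]] = {
    "host":  [Event("host",  t("14:32"), "host",  "destructive command issued from workstation WS-17")],
    "badge": [Event("badge", t("14:06"), "exit",  "badge 0412 out, lobby door"),
              Event("badge", t("14:29"), "enter", "badge 0412 in, lobby door")],
    "video": [Event("video", t("14:18"), "exit",  "subject leaves via lobby door"),
              Event("video", t("14:41"), "enter", "subject re-enters via lobby door")],
    "phone": [Event("phone", t("14:31"), "call",  "ext 2217 (WS-17 desk) dials external number, 2 min")],
}


def measure_offset(source_reading: datetime, reference_reading: datetime) -> timedelta:
    """Offset to ADD to a source's timestamps to express them in reference time.

    Derived from one event both clocks recorded: here the badge-in at the
    lobby door, which the camera also captured.
    """
    return reference_reading - source_reading


def normalize(events: List[Event], offsets: Dict[str, timedelta]) -> List[Event]:
    """Shift each event onto the reference clock. Sources with no measured
    offset are left as recorded (assumed reference-synced)."""
    return [replace(e, ts=e.ts + offsets.get(e.source, timedelta(0))) for e in events]


def build_timeline(raw: Dict[str, List[Event]], offsets: Dict[str, timedelta]) -> List[Event]:
    """Merge every source into one chronologically ordered reference timeline."""
    merged = [e for evs in raw.values() for e in evs]
    return sorted(normalize(merged, offsets), key=lambda e: e.ts)


def presence_at(timeline: List[Event], when: datetime, source: str) -> str:
    """'inside', 'outside' or 'unknown' according to the last enter/exit
    event from `source` at or before `when` (timeline must be sorted)."""
    state = "unknown"
    for e in timeline:
        if e.source != source or e.kind not in ("enter", "exit"):
            continue
        if e.ts > when:
            break
        state = "inside" if e.kind == "enter" else "outside"
    return state


def events_near(timeline: List[Event], when: datetime, window: timedelta) -> List[Event]:
    """Every event, from any source, within +/- window of `when`."""
    return [e for e in timeline if abs(e.ts - when) <= window]


if __name__ == "__main__":
    sabotage = t("14:32")
    # Taken at face value, the video supports the alibi.
    print("video, uncorrected:", presence_at(build_timeline(RAW, {}), sabotage, "video"))
    # Badge-in at 14:29 reference time appears on video at 14:41 video time.
    skew = measure_offset(t("14:41"), t("14:29"))
    print("video clock offset:", skew)
    tl = build_timeline(RAW, {"video": skew})
    print("video, corrected:  ", presence_at(tl, sabotage, "video"))
    print("badge:             ", presence_at(tl, sabotage, "badge"))
    for e in events_near(tl, sabotage, minutes(2)):
        print(f"  {e.ts:%H:%M} {e.source:5} {e.detail}")
```

The offset here comes from a single event seen by two systems; in a real examination it should be checked against more than one shared event and the derivation written down, since the correction is exactly the kind of step that gets challenged once the finding reaches a courtroom.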