Techies under oath

What it's like to be a computer forensics specialist.

During his law enforcement days Harry Megerian got his hands on a lot of IT gear - by brute force. "We probably did a raid once a week or once every two weeks," says Megerian, a former computer forensics specialist with the U.S. Treasury Department. "I would walk away with five computers, on average."

These days Megerian still scours computers for evidence, but he does it on a consultative basis through the firm he founded, Computer Investigative Services, in Rochester Hills, Mich. One thing he doesn't miss is the raids. "I got a little tired of running up flights of stairs, breaking in doors," says Megerian, who retired from the Treasury Department in 2003 after 29 years.

In his consulting practice Megerian works primarily with government clients, investigating financial fraud and other criminal activities. He's among a growing number of computer forensics specialists trained to pore through hard drives and device logs to find evidence of criminal or inappropriate behavior.

As digital evidence has become more important to civil and criminal cases, the field has gained recognition, says Alan Brill, senior managing director at Kroll Ontrack, in Minneapolis. Interest in computer forensics also has grown because of the state-of-the-art labs and slick digital-evidence extractions viewers see portrayed on television shows such as "CSI."

Forensics

"It is not what it looks like on TV," Brill says. "When we watch some of these shows where the cops go in and they sit at a suspect's computer and they find all this evidence - it's not what happens."

Rather, computer forensics is all about protocol. Experts use established investigative and analysis techniques to uncover system data - including damaged, deleted, hidden or encrypted files.

"People think that it's glamorous. The reality is that 95% of the time it's about very routine analytics and executing projects in a very uniform way," Brill says. "It is certainly not for those who are not detail- and process-oriented. It is not for those who loathe documenting their work, because the nature of what we do requires very complete, careful documentation."

As projects unfold, the digital evidence accumulates. In one case Brill worked on, a company suspected an individual of sabotaging computer systems. It was clear from which machine the sabotage occurred, but to prove who was responsible took some digging.

"The bad guy claimed he couldn't have done it, he was outside smoking a cigarette," Brill recalls. Video from the building security system appeared to confirm that alibi, with a time stamp indicating he was there when the sabotage happened, Brill says.

After examining additional sources, however, Brill and his team found the time clock in the video system was inaccurate. They dug into the building's access-control system - which has a time clock of its own - and determined when the suspect used his badge to return to his office after a smoking break.

A check of phone logs supplied further evidence suggesting the suspect's culpability. "At the time of the incident, somebody was using the telephone on that very desk. And that somebody turned out to be telephoning the unlisted number of our suspect's mother," Brill says.
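The clock-skew problem at the heart of Brill's case, as an added example that is not part of the article: each source stamps events with its own clock, and the video window appears to cover the incident only until the recorder's measured offset is applied. The events, the date and the 10-minute video offset are constructed for illustration.

```python
from datetime import datetime, timedelta


def T(hhmm):
    """Constructed date plus an HH:MM reading from some system's own clock."""
    h, m = map(int, hhmm.split(":"))
    return datetime(2006, 3, 1, h, m)


# Constructed sample events, each stamped by the clock of the system that
# recorded it. The third field is a tag used to look events up afterwards.
EVENTS = [
    ("video", T("14:05"), "outside-start"),  # suspect seen leaving to smoke
    ("video", T("14:18"), "outside-end"),    # suspect seen coming back in
    ("badge", T("14:09"), "door-entry"),     # badge used to re-enter office
    ("server", T("14:12"), "incident"),      # sabotage logged on the server
    ("phone", T("14:13"), "desk-call"),      # call placed from the same desk
]

# Offset to ADD to each source's local time to place it on the reference
# clock. Taken at face value every clock is trusted (RAW_OFFSETS); after
# checking, the video recorder is found to run 10 minutes fast.
RAW_OFFSETS = {s: timedelta(0) for s in ("video", "badge", "server", "phone")}
CORRECTED_OFFSETS = dict(RAW_OFFSETS, video=timedelta(minutes=-10))


def normalize(events, offsets):
    """Shift every event onto the reference clock and sort chronologically."""
    return sorted((t + offsets[src], src, desc) for src, t, desc in events)


def alibi_check(events, offsets):
    """Return (timeline, covered): covered is True when the incident falls
    inside the window during which the video shows the suspect outside."""
    timeline = normalize(events, offsets)
    at = {desc: t for t, _src, desc in timeline}
    covered = at["outside-start"] <= at["incident"] <= at["outside-end"]
    return timeline, covered
```

With the raw clocks the alibi holds; once the video offset is applied the badge re-entry precedes the incident, which in turn precedes the call from that desk.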

Spoliation happens

As important as what gets found is how it's found. "When you analyze a computer you're doing several things. The most important is preservation of evidence," Megerian says. If data isn't extracted properly - whether it's contained in router logs, hard drives, e-mail servers or any other electronic storage media - it can't be produced for evidence, he says.

"Getting data in a way that would be admissible in a court is different than just grabbing things. We run into cases all the time where the IT staff wants to capture data for their company but ends up making mistakes that render the data either questionable or inadmissible," Brill says. "There is a term for damaging or destroying evidence, whether it's done intentionally or not. It's called spoliation."

IT isn't the only culprit. Corporate investigators, internal auditors and legal staff have spoiled a crime scene inadvertently while snooping for information. "It's a very natural impulse. The only problem is that if you're looking at things forensically, there's a protocol you have to follow," Brill says. People dabbling with forensic evidence don't always recognize the limitations of their knowledge, he says.

Something as simple as printing a file can be damaging, because the creation of temporary files during the printing process can overwrite potentially significant content. "What was the content of the storage areas onto which those temporary files were written? We're never going to know because they covered it up with new data," Brill says.

Those in the trade use specialized tools such as write-blockers, which are designed to make an image of a hard drive without disturbing its contents. "It's a piece of specialized hardware that prevents us from sending any signal to the hard drive that would cause it to write any characters," Brill explains.

"We capture literally everything. If it's an 80GB drive, we capture 80GB of data whether there are files there or not. We have to capture every byte - because evidence may be in what a user might think of as empty space - and we have to do it in a way that we can document and testify to," Brill says.
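An added example (not from the article, nor Kroll Ontrack's own tooling) of the byte-for-byte capture Brill describes: the source is opened read-only, every sector is copied whether or not a filesystem would call it free, and the source and finished image are hashed so the acquisition can be documented and verified later. The sample drive and its contents are constructed; on a real device a hardware write-blocker is assumed to sit in front of the source, which software alone cannot replace.

```python
import hashlib
import os
import tempfile

SECTOR = 512  # copy in sector multiples, as a hardware imager would


def acquire_image(source_path, image_path, chunk=SECTOR * 64):
    """Byte-for-byte copy of source_path to image_path (source opened read-only).

    Every byte is copied whether or not a filesystem considers it in use, and
    both source and finished image are hashed so the copy can be verified and
    documented later. Returns a record for the acquisition log.
    """
    src_hash, img_hash, total = hashlib.sha256(), hashlib.sha256(), 0
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for block in iter(lambda: src.read(chunk), b""):
            src_hash.update(block)
            dst.write(block)
            total += len(block)
    # Re-read the image from disk: hashing only what was written in memory
    # would not show that the stored file actually matches the source.
    with open(image_path, "rb") as img:
        for block in iter(lambda: img.read(chunk), b""):
            img_hash.update(block)
    return {
        "source": source_path,
        "image": image_path,
        "bytes": total,
        "source_sha256": src_hash.hexdigest(),
        "image_sha256": img_hash.hexdigest(),
        "verified": src_hash.hexdigest() == img_hash.hexdigest(),
    }


def demo():
    """Constructed sample drive: a live file sector, a sector the filesystem
    would report as free but that still holds a deleted note, and an unused
    sector. All three must appear in the image."""
    live = b"LIVE FILE: quarterly_report.xlsx".ljust(SECTOR, b"\0")
    freed = b"deleted draft: move funds to account X".ljust(SECTOR, b"\0")
    workdir = tempfile.mkdtemp()
    src = os.path.join(workdir, "fake_drive.bin")
    img = os.path.join(workdir, "fake_drive.raw")
    with open(src, "wb") as f:
        f.write(live + freed + b"\0" * SECTOR)
    record = acquire_image(src, img)
    with open(img, "rb") as f:
        image_bytes = f.read()
    return record, image_bytes
```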

For IT, there's an opportunity to play a pivotal, first-responder type of role in the early stages of a criminal or civil investigation. Having an IT staff member trained in computer forensics is a good way to protect potential legal evidence from being destroyed, Megerian says.

"IT people are the first ones on the scene when something goes wrong with the network, if a company is attacked or a rogue employee does something illegal," he says. One or two members of the IT staff should be trained to handle the situation without damaging evidence, while protecting the chain of custody of the evidence, he says.

"If a network goes down you need to get the network back up and running. But there's still time to do it in such a manner that you preserve the evidence," Megerian says. "It's like an accident scene or a robbery scene. Put that yellow caution tape all around and don't let anybody in."

Taking an oath

Procuring admissible evidence is critical, because discovery is just the beginning of the process. Computer forensics specialists turn over their findings to clients - criminal prosecutors, civil litigators, insurance companies and corporations that are investigating crimes (homicides, financial fraud and child pornography, for example) and civil matters (such as divorce, intellectual property theft and harassment).

Forensics experts may be asked to explain their findings via a deposition or court appearance. By most accounts, avoiding a court appearance is a good thing.

Testifying in court isn't a pleasant experience, because the opposing side will do what it can to discredit an evidence witness, Megerian says. "You're going to be going up against experts that the other side will put on. You have to be able to withstand the rigors in court," he says.

"It's pretty hairy," agrees Stuart Hanley, senior electronic evidence consultant at Kroll Ontrack. "The attorneys are not going to be nice. They are going to be as nasty as they can. They'll ask the same questions six different ways, trying to trip you up or get you to say something that's a little bit more in their favor."

A memorable court appearance for Hanley took place in 2000, when he was answering to a team of White House attorneys. His testimony involved technical issues related to the copying, restoration and retrieval of e-mail from the Clinton-Gore administration. When the attorneys couldn't find holes in his testimony, they asked more personal questions: Which candidate had Hanley voted for in the last presidential election? Had he been compensated for his trip to Washington, D.C.? "That was some very rowdy, stressful testifying," he recalls.

Fortunately it's rare that a court testimony is required, Brill says. "More often than being on the stand, we have to give depositions," he says. "In essence, you're testifying. Not in court, but to a court reporter and often a videographer. You're under oath, and that record is admissible."

Withstanding legal scrutiny isn't the only hard part of the job. An ongoing challenge is keeping up with hardware and software advances that can affect a forensic analysis. And it gets harder as bad guys get more industrious about obscuring their digital tracks. "In computer forensics, every day you realize how much you don't know. I've never seen anything like it," Megerian says. "Trying to stay on top of it probably involves 50% of my time."

It's also not a job for homebodies. Although some work is done in a lab setting, there's also plenty of time spent in the field extracting and analyzing evidence.

Got an idea for A Wider Net story? An offbeat technology industry-related topic? A fascinating personality we should profile? Contact Executive News Editor Bob Brown at bbrown@nww.com

Learning to be a first responder

Computer forensics training is available from universities and professional organizations around the world. Here are a few U.S. sources.

Provider | Offering | Location | URL
George Mason University | Computer forensics training. | Online course | http://ocpe.gmu.edu/certificate_programs/online/forensic_computer.html
George Washington University | Master's degree in forensic science with a concentration in high-tech crime investigation. | Arlington, Va. | www.gwu.edu/%7Eforensic/htci.htm#Top_page
Eastern Michigan University, Center for Regional and National Security | Computer forensics training. | Ypsilanti, Mich. | www.emich.edu/cerns/ec/ec_forensic_overview.htm
InfoSec Institute | Computer forensics training. | Chicago and around the United States | www.infosecinstitute.com/courses/computer_forensics_training.html
Kennesaw State University | Continuing education program in computer forensics. | Kennesaw, Ga. | www.kennesaw.edu/coned/sci/index.htm
University of Central Florida | Graduate certificate in computer forensics. | Orlando | www.cs.ucf.edu/csdept/info/gccf/


Copyright © 2006 IDG Communications, Inc.