Computer Forensics: Beyond the Magnifying Glass

Computer forensics gave Michael Fiola his life back. Fiola is the former investigator with the Massachusetts Department of Industrial Accidents who found himself summarily dismissed after an IT check uncovered pornographic images of children on his laptop’s hard drive. Criminal charges followed.

It was only after a defense-sponsored forensic investigation that it became clear Fiola had been given a sloppily configured laptop and that malware was the probable source of the images. By then, of course, Fiola and his wife had gone through severe emotional and physical stress.

Fiola’s ordeal drives home a number of truths about our society circa 2008, many of them uncomfortably related. They start with the growing ubiquity of child porn, to the devastation a criminal investigation and prosecution can wreak on an innocent person, to the blind power computers and digital data and media have over our lives.

In that context, highlighting the central role computer forensics has assumed in law enforcement seems almost beside the point. However, it warrants attention, almost as much as a discussion of a misplaced prosecution does. Very quickly, computer forensics has assumed a major role in many law enforcement investigations, though many people hold little if any understanding of the discipline.

A Separate Discipline

“As of 2008, the American Academy of Forensic Science — the most respected professional organization in this space — recognized the field of digital and multimedia evidence as being a separate independent forensic discipline on the par of fingerprints, DNA and trace evidence,” Alan Brill, a senior managing director at Kroll Ontrack, told TechNewsWorld.

“The last time AAFS recognized a new section was 27 or 28 years ago with DNA. It is a huge indication of how rapidly this field has evolved,” he added.

In large part, the discipline is now deemed a credible source of evidence because of the leaps the technology has made over the last few years.

“There have been a lot of advances in computer forensics technology,” Keith Jones, owner and senior partner with Jones Dykstra & Associates, told TechNewsWorld. However, the basic data collection methodology is a process that has been around for 10 years or more: a byte-by-byte duplication of a suspect’s hard drive. It doesn’t alter the hard drive and it allows investigators to do their own analysis of the copy, he said.

“Once you have this image you are able to do the forensics on it for whatever purpose — maybe you trying to track down a missing child or maybe you are trying to determine whether Bob, who gets paid a huge salary, is really surfing eBay all day,” Jones commented.

Second-by-Second Analysis

Of course, the technology has advanced beyond that basic standard, especially in the last few years as new vendors introduce additional tools and upgrade the ones currently on the market.

Live forensics, Brill said — the examination of data that is actively running in memory,” is a subdiscipline that is evolving right now.”

Most computers back up live data — words being typed into a computer at the moment, for instance — every few minutes or so. “But they don’t do it on a second-by-second basis, and we have discovered that sometimes it is necessary to have that second-by-second look,” he added.

“If you ignore what is actively running in memory and just focus on what is on the hard drive, you may miss things — so one of the active areas of R&D in computer forensics is a focus on capturing and analyzing what is actually running in the volatile memory of a computer,” Brill commented.

He pointed to recent malware that does not reside on the hard drive in a recognizable form but is actually assembled in memory from various pieces on the hard drive.

However, not all of the changes are welcome, in Jones’ opinion. For instance, some vendors are promoting tools that — instead of copying byte by byte what resides on the hard drive — duplicate data over a network. This means someone could request and get just a few documents as part of e-discovery. [*Editor’s Note]

“Network-based acquisition which only acquires specific documents and single files rather than the full bit-for-bit image of a hard drive is a dangerous trend for the computer forensics industry,” Jones explained in an e-mail to TechNewsWorld. “The reason I say this is because this type of network acquisition can miss relevant documents, cause multiple acquisitions to occur if documents are missed during the first acquisition attempt, and is generally not flexible for the investigator if he or she needs to reinvestigate new leads.

“It is a better scenario for forensic investigators if they have the full bit-for-bit forensic duplication of the computer system during their analysis rather than a subset of that data selected with a network acquisition tool,” he continued in the e-mail message. “To my knowledge, most law enforcement agencies acquire the full bit-for-bit forensic duplications of a suspect’s computer system at this time. Law enforcement agencies usually need all of the data from the computer system in order to uncover any exculpatory information as well as attempt to prove their case.”

Legal Upgrades

The legal system itself has kept up, more or less, with these advancements in the technology. At the end of 2006, for instance, changes in e-discovery laws mandated that both prosecution and defense include electronic data — including in civil cases.

“Now a lot of states are starting to change their rules for civil procedure, and many are mirroring what is happening in [the] federal system,” Matt Curtin, founder of Interhack and forensic computing practice leader, told TechNewsWorld. “Ohio, for example, has just updated those rules, and they went into effect the first of July.”

These two trends — tech improvements and the growing inclusiveness of such evidence into the legal system — are forcing a lot of records custodians to look more closely at how information is stored and managed, he added.

From the Other Side

Or otherwise. For just as computer forensics advancements have helped law enforcement, new tools continually come onto the market that people can use to thwart such investigations.

For instance, there are commercial and open source products that allow a user to wipe the data off of a hard drive, Brian Dykstra, co-owner and senior partner with Jones Dykstra & Associates, told TechNewsWorld.

Some are targeted tools, allowing one to erase passwords and other sensitive user information before a computer changes hands, for example. Others provide a clean sweep, allowing one to erase an Internet history or a general file.

However, sometimes such activities can be seen as evidence as well, Dykstra said. “A lack of activity is indicatory as well — if you see a hard drive filled with random characters, you know that is not supposed to be there. Or let’s say you can see the Internet activity for an entire year except the month of May. That isn’t normal behavior either.”

Brill tells of an international case in which he examined a computer that did not have the data one would expect on it. “So we took a more extensive look at the data structures on the hard drive and found a repeating letter pattern that we recognized to be the final result of a specific type of wiping program.”

Eventually, he said, they were able to determine that the defendant had not only erased the hard drive but used a new version of a software package that had not been released to the public until after the court order directing the defendant to preserve the hard drive. “So not only could we testify that a program was used to destroy data, but because of manufacturer’s release date, it happened after the court order,” Brill commented.

*ECT News Network editor’s note: The original publication of this article quoted Jones as saying, “But law enforcement doesn’t collect data that way,” in part because it can affect the data on the hard drive. “But commercial companies are starting to collect data in this way, which could be a dangerous trend for future investigations.” Jones did not provide the explanation suggested by the paraphrased statement, “in part because it can affect the data on the hard drive,” and does not agree with it. He provided TechNewsWorld with his actual opinion in an e-mail statement following publication of the article, and that statement is now incorporated in lieu of the original objectionable text.