IT Forensics: When crime scene investigations go digital

Digital forensics has been around for at least a decade, but in the commercial sector it is still a relatively unknown and unexploited discipline

The concept of digital forensics was originally spawned by law enforcement agencies, which started to realise that traditional forensic techniques, focused on physical evidence such as fingerprints and ballistics traces, were no longer sufficient to fight crime in a world that was becoming increasingly digitised.

As a result, police officers started developing techniques to recover information held on computers and to establish who did what, when and how, in such a way that the evidence could stand up in court.

By the late 1990s, however, large commercial organisations began to understand that their computers also held important information that could be exploited in relation to e-crime and other potential workplace incidents. This trend, coupled with the growing importance of legislation such as the Data Protection Act and the European Convention on Human Rights, which put a duty of care on employers to handle staff-related matters in a fair and just manner, led to increased interest in digital forensic concepts.

According to John Douglas, a forensic computing specialist at risk advisory consultancy QCC Information Security, a sea change occurred in 2004 when Operation Ore hit the headlines and more than 600 UK sex offenders were convicted following a probe into Internet child pornography.

"While digital forensics had been around for about 10 years, it had grown very slowly in an organic way until Operation Ore. Once that hit, however, it gave the impetus for the police to set up high tech crime units in each constabulary and that helped to drive forensics quite a lot because people became aware of what was possible," explains Douglas.

Nonetheless, outside of law enforcement, the market still remains small and somewhat niche. Although growing public awareness has started to infiltrate at boardroom level, the discipline still has some way to go before it achieves mainstream adoption and the number of practitioners in the UK, including those found in police forces, numbers no more than 300.

This is not least because, unlike fields such as disaster recovery and data back-up that involve all areas of the business, it is a relatively narrow area of interest, which is only employed in certain limited circumstances. This means that digital forensics is, in the main, something that technical staff are more likely to be cognisant of rather than their senior managers.

Moreover, many organisations are reluctant to go down the digital forensics route because of the fear that information about potential incidents will leak out if they pursue them and this will cause damage to their reputation.

"We've all heard stories about investment banks that hush up fraud, pay people off to find out how they did it and then plug the gap because they don't want things in the public domain. They don't want to involve the police because then it goes public in a major way and once they're involved, the judicial process can drag on for years," adds Douglas.

Nevertheless, many large global organisations employing more than 10,000 personnel and particularly those that operate in the investment banking or accountancy sector, tend to have their own internal digital forensics teams. While it may not be in their interest to sue individual staff members for small-scale fraud or information theft, such teams do swing into action to try and identify and track miscreants involved in suspected industrial espionage, serious and organised crime, large-scale fraud, hacking and abusive email or Web access.

"While this can be quite expensive, it's chicken feed compared to reputational loss if an incident hits the headlines or enterprises receive an adverse judgement in court over something and have to pay out large amounts for fines or damages," Douglas says.

Furthermore, since the introduction of legislation such as Sarbanes-Oxley in the US and Basel II in Europe, companies are increasingly using digital forensics as a risk management tool. For example, when a trader leaves, many large investment banks now routinely take an image of that individual's hard disk before it is handed on to a new staff member. The idea is that if any illicit activity has taken place, the copy can be examined for evidence at a later date and legal action taken, if necessary.

But the situation is quite different for smaller companies, which find it hard to justify the cost of maintaining a dedicated forensics team and investing in their ongoing training. Organisations here, if they are aware of the discipline at all, tend to hire consultancies to undertake the work – although some large corporates may also go down this route when investigating internal personnel, in order to be seen to maintain impartiality.

The problems with this approach, however, are several-fold. On the one hand, such services do not come cheap. Day rates start at £1,000 and can be as much as four times that, depending on the agency. Moreover, investigations can take anything from a couple of hours to check out whether a particular staff member has sent a damaging email to several months if trying to establish whether another has been running a rival business from their desk.

As a result, the Department of Trade and Industry is now advising that organisations, and small to medium businesses in particular, consider creating a contingency fund of between £20,000 and £40,000 to help them tackle such information security issues with more equanimity.

On the other hand, however, companies, and especially those that have not previously been involved in an investigation, often find it tricky to find a reputable consultant who is suitably qualified and experienced. The situation is not helped by the fact that, at the moment, the market is completely unregulated and anyone with a PC and a few forensics tools can call themselves an analyst with little fear of being taken to task.

"There are a phenomenal amount of cowboys in this sector, many of whom run their businesses from their garage and think they can do the job simply by sticking a hard disk in a metal filing cabinet and locking the door. The problem is people think it's easy, but for every one that's doing the job well, there are probably two or three that are appalling," explains Charles White, managing director at consultancy Information Risk Management.

White believes there is a clear requirement for a guild or professional body for IT forensics, equivalent to the Law Society for lawyers, which would oversee professional development and be authorised to take disciplinary action for incompetence or for bringing the profession into disrepute.

While the Council for the Registration of Forensic Practitioners (CRFP) set up a register for digital forensic specialists in November 2005 with the backing of the British Computer Society, according to Brian Collins, head of the information security department at Cranfield University, it is still in the process of working on an accreditation scheme.

As the man responsible for running the initiative, Collins is currently trying to get key practitioners around the table to work out what such a scheme should look like, but the aim is to have the programme in place within the next six to nine months, complete with disciplinary procedures.

In the meantime, however, the best course of action for organisations wanting to hire a specialist is to look up the handful of members currently on the CRFP register, to go to the Law Society to view their expert witness registers, use word-of-mouth recommendations or, as a last resort, undertake an online search that will at least provide names.

After having located a practitioner, the next stage is to check out whether they are suitable to carry out the task in hand. As Douglas points out: "Any old engineer with a few years of computer experience doesn't make for a good forensic analyst."

While a deep and highly technical understanding of computers is essential, candidates also need to have investigative skills, be good at writing reports and have the presence and authority to present findings in court as expert witnesses. This means that, while recent graduates of highly regarded MSc courses from universities such as Glamorgan and Cranfield may have the right academic background, they are unlikely to have garnered the necessary experience, particularly of being cross-examined in court. So if they are taken on, they should ideally work under the guidance of a more seasoned investigator.

"An examiner has to have many strings to their bow, which is why most of the good ones tend to be in their 30s and 40s. It's not a hard and fast rule, but in my experience, investigators tend to be a bit older as younger people don't have the life experience and such an in-depth knowledge of IT over a wide subject area," says Douglas.

Another thing to look out for is knowledge of the Association of Chief Police Officers' (ACPO) good practice guidelines, which are widely treated as the de facto standard for digital forensics investigations and lay down four key principles for the gathering and use of evidence: no action taken should change data that may later be relied on in court; anyone who must access original data should be competent to do so and able to explain the relevance and implications of what they did; an audit trail of every process applied to the evidence should be kept, detailed enough for an independent third party to repeat it and reach the same result; and the person in charge of the investigation carries overall responsibility for ensuring that the law and these principles are followed.

But before even getting to the stage of hiring an expert, there are certain considerations that organisations themselves need to be aware of. The first and most important is that computer evidence is very fragile and easily corrupted by mishandling. Simply booting a Windows XP-based PC, for example, alters approximately 600 files and their metadata, timestamps included, and evidence changed in that way is open to challenge in court and may be ruled inadmissible.

Once a problem is suspected, it becomes important to preserve the potential crime scene and prevent the computer from being tampered with further. If someone inexperienced fiddles around to try and find traces of illicit activity themselves, the integrity of the evidence and the chain of custody can no longer be demonstrated, and the case may become impossible to pursue.

As a result, the normal procedure for examiners is to isolate the machine by bagging and tagging it and placing it in a locked room, so that they cannot be accused in court of contaminating the evidence. They then take a forensic image of the hard disk using specialised tools, verify the image against the original by hash, and carry out all analysis on the image rather than the original, within the parameters set by the customer. An audit log is kept so that every step can be followed and reproduced, and a report of the findings is submitted to the client at the end of the investigation.

A decision can then be taken based on the evidence as to whether to pursue legal action or not, but a rule of thumb is to assume that the case will go to court and to approach the matter with that in mind from the outset.
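The imaging, verification and audit steps above, as an added worked example in Python. This is not code from the article or from any of the consultancies it quotes. It assumes the source device is attached through a hardware write blocker, that SHA-256 is an acceptable hash for the case, and that the source, destination, log and block-size parameters are whatever the examiner supplies; the UnreadableBlocks class is a constructed stand-in for failing media, included to show how an unreadable sector is zero-padded and recorded in the log rather than silently skipped. The same routine covers the departing-trader scenario earlier on the page: verify_image re-checks a stored image against the hash recorded at acquisition before it is examined months later.

```python
"""Forensic acquisition with hash verification and a chain-of-custody log.

Added example, not code from the article. Assumptions: the source sits behind a
hardware write blocker (software alone cannot keep the original untouched),
SHA-256 is acceptable to the case, and one JSON object per log line is enough
for a third party to replay the steps.
"""
import datetime
import getpass
import hashlib
import io
import json
import os


def operator_name():
    try:
        return getpass.getuser()
    except Exception:  # no login name available, e.g. in a bare container
        return "unknown"


def audit(log_path, event, **fields):
    """Append one timestamped, operator-stamped entry to the custody log."""
    entry = {
        "ts": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "operator": operator_name(),
        "event": event,
        **fields,
    }
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


def sha256_of(path, block_size=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def image_stream(src, dest, block_size=512):
    """Copy src to dest block by block, hashing what is written.

    An unreadable block is replaced by zeros (what dd's conv=noerror,sync does)
    and its offset is reported, so the log states which bytes of the image are
    padding rather than evidence. Returns (sha256, bytes_written, bad_offsets).
    """
    h = hashlib.sha256()
    bad_offsets = []
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_offsets.append(offset)
            chunk = b"\0" * block_size
            src.seek(offset + block_size)  # step past the bad block
        if not chunk:
            break
        dest.write(chunk)
        h.update(chunk)
        offset += len(chunk)
    return h.hexdigest(), offset, bad_offsets


def acquire_image(src_path, dest_path, log_path, block_size=512):
    """Image src_path to dest_path, verify it and log every step.

    Refuses to overwrite an existing destination: evidence is never replaced.
    """
    if os.path.exists(dest_path):
        audit(log_path, "refused", dest=dest_path, reason="destination exists")
        raise FileExistsError(dest_path)
    audit(log_path, "begin", src=src_path, dest=dest_path, block_size=block_size)
    with open(src_path, "rb") as src, open(dest_path, "xb") as dest:
        stream_hash, nbytes, bad = image_stream(src, dest, block_size)
    os.chmod(dest_path, 0o444)  # the image is read-only from here on
    stored_hash = sha256_of(dest_path)  # hash what reached the disk, not what was sent
    # The original can only be re-hashed in full if every block was readable.
    src_hash = sha256_of(src_path) if not bad else None
    verified = stored_hash == stream_hash and src_hash in (None, stored_hash)
    audit(log_path, "image", bytes=nbytes, sha256_source=src_hash,
          sha256_image=stored_hash, unreadable_block_offsets=bad, verified=verified)
    return {"sha256": stored_hash, "bytes": nbytes,
            "unreadable_blocks": bad, "verified": verified}


def verify_image(path, expected_sha256):
    """Re-hash a stored image, e.g. months later and before any analysis."""
    return sha256_of(path) == expected_sha256


class UnreadableBlocks(io.BytesIO):
    """Constructed stand-in for failing media: a read starting at any of
    bad_offsets raises OSError, as a disk with unreadable sectors would."""

    def __init__(self, data, bad_offsets):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, n=-1):
        if self.tell() in self.bad_offsets:
            raise OSError("I/O error")
        return super().read(n)
```

Two design points matter in court. The image is hashed after it has been re-read from disk, not from the bytes in memory, so the log records what was actually stored; and when a block could not be read, the source hash is logged as null and the padded offsets are listed, because a hash that silently covered zero-filled sectors would misrepresent the original media.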

In the commercial sphere, many such investigations simply comprise searching through emails and documents or looking for evidence of files being downloaded or copied, but it can also include searching for items that have been deleted in an attempt by miscreants to cover their tracks.

As Simon Janes, international operations director at digital forensics consultancy, ibas, points out: "Much of the real value evidence is not what you'd find on the screen. It's often in the system files and unallocated areas where you find the real facts so you have to know what you're doing."
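An added example of the point made in the last two paragraphs: content remains in unallocated space after its directory entry is deleted, and finding it means scanning the raw image rather than the file system. This is not code from the article or from ibas. The signature set, the keyword and the sample image are constructed for illustration; the file types are bounded by header and footer only, which is what a simple carver does, and a real case would use a validated carving tool with a full signature set.

```python
"""Signature carving and keyword search over a raw disk image.

Added example, not code from the article. It ignores the file system and scans
every byte, which is why it recovers content whose directory entry was deleted.
The signature set and the sample image are constructed for illustration; a real
case uses a validated carving tool with a full signature set.
"""
import re

# (type, header, footer): only formats with a recognisable footer are listed,
# so that a hit can be bounded without parsing the format.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]


def carve(image, signatures=SIGNATURES, max_len=1 << 20):
    """Return every header hit with its offset, its length up to the matching
    footer, and whether a footer actually closed it. A hit with no footer
    within max_len is reported as incomplete (truncated or partly overwritten)
    and runs to max_len or the end of the image, whichever comes first."""
    hits = []
    for name, header, footer in signatures:
        start = 0
        while (pos := image.find(header, start)) != -1:
            f = image.find(footer, pos + len(header))
            complete = f != -1 and f - pos <= max_len
            end = f + len(footer) if complete else min(len(image), pos + max_len)
            hits.append({"type": name, "offset": pos,
                         "length": end - pos, "complete": complete})
            start = pos + len(header)
    return sorted(hits, key=lambda h: h["offset"])


def keyword_hits(image, keyword):
    """Offsets of keyword as case-insensitive ASCII and as UTF-16LE, the
    encoding Windows uses for file names, registry data and much of its
    metadata. An ASCII-only search silently misses all of those."""
    ascii_pat = re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)
    utf16_pat = re.compile(re.escape(keyword.encode("utf-16-le")), re.IGNORECASE)
    return {
        "ascii": [m.start() for m in ascii_pat.finditer(image)],
        "utf16le": [m.start() for m in utf16_pat.finditer(image)],
    }


def build_sample_image():
    """Constructed 16 KiB 'disk': a 4 KiB allocated region holding a live
    document, then unallocated space that still contains a deleted JPEG, a
    deleted UTF-16LE document fragment and a PDF whose tail was overwritten."""
    allocated = b"Confidential memo: quarterly report".ljust(4096, b"\0")
    deleted_jpeg = b"\xff\xd8\xff\xe0JFIF\0" + bytes(range(200)) + b"\xff\xd9"
    deleted_doc = "confidential pricing list".encode("utf-16-le")
    truncated_pdf = b"%PDF-1.4\n%garbage"
    unallocated = (b"\0" * 300 + deleted_jpeg + b"\0" * 1000
                   + deleted_doc + b"\0" * 700 + truncated_pdf)
    return (allocated + unallocated).ljust(16384, b"\0")
```

Running carve over build_sample_image() reports the deleted JPEG at offset 4396 as complete and the PDF at 6357 as incomplete, and keyword_hits finds "confidential" once as ASCII in the allocated region and once as UTF-16LE in unallocated space, a hit that a plain text search would never show.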

One of the problems with undertaking investigations of this type, however, is that it can cause disruption to the business, especially if a number of machines are involved, and so it has to be worth the organisation's while to make such a serious commitment.

As to what the future holds, meanwhile, it seems probable that over the next three to five years, as risk mitigation continues to creep higher up the corporate agenda, digital forensics will become more commonplace as companies of all sizes discover that incident management is no longer enough.

This is not least because digital technologies, ranging from mobile phones to PDAs and global positioning systems in cars, are becoming ever more integrated into people's daily lives and so demand for specialists that can analyse data to establish exactly what happened, how and when is only likely to grow.

As Douglas concludes: "When the outcome has a high stake, then it becomes only natural that the boardroom will want to deploy every tool that it can in order to get a handle on the situation."