Data detectives

In the corporate world, where your computer can be a crime scene, fast-evolving criminal and technological threats require constantly updated tools, strategies and techniques.

Digital forensics has been steadily expanding in the past 18 months, extending beyond the domain of law enforcement and shadowy government agencies around the world to embrace the business community. Many point to the introduction of the Sarbanes-Oxley Act in the United States on July 30, 2002, as the tipping point. Also known as the Public Company Accounting Reform and Investor Protection Act, it was a response to a series of corporate and accounting scandals involving the likes of Enron, WorldCom and Tyco International, which rocked the US corporate sphere.

Sarbanes-Oxley's reach extends well beyond the US: Australian companies that are listed on US exchanges, or are subsidiaries of US-listed groups, must comply with its accounting and reporting standards. They must also be able to track and account for the information behind those reports, which can touch almost all aspects of business and international trade. These requirements will become all the more pressing in light of the unfolding global economic meltdown, which is throwing more light on the section of the act covering corporate fraud and accountability.

In an increasingly wired world, this has created three major headaches for organisations caught up in corporate scandals, criminal actions and civil court cases. They must know how the required information is stored, which means more thorough tracking of all information, including email; they must be able to accurately - and quickly - map where this data resides within the organisation; and they must be able to retrieve it in formats suitable for submission as legal evidence.

Where police and other law enforcement agencies use digital forensics to track criminals such as drug traffickers, pedophiles and money launderers, companies must increasingly use it to protect themselves and their staff against the theft of intellectual property (IP), inappropriate employee access to corporate data, fraud, the distribution of salacious materials via email and a host of other human resources issues.

Something as seemingly innocent as John Doe leaving Company A to work for Company B could pitch both organisations into an expensive legal stoush - especially if Company A suspects its rival now has access to IP that John Doe had been working on, and sues both Company B and John Doe. Both organisations need to establish their cases as quickly and cost effectively as possible.

Companies worldwide are also embracing forensics to help recover data in the event of hardware or software failures, and to analyse systems after such crashes. This will, most likely, become increasingly important as they adopt concepts such as cloud computing.

Little wonder, then, that e-discovery has become the most important aspect of digital forensics, says the managing director of Sydney-based Fulcrum Management, David Lewis. He believes e-discovery is growing at least 50 per cent a year in Australia. Fulcrum, which represents more than 17 suppliers of digital forensics and e-discovery tools and services in the Asia-Pacific region, says its discovery business is expanding at about 30 per cent a year.

"In the case of John Doe allegedly stealing IP from his previous employer," Lewis says, "it may be necessary for that company and his current employer to sift through several hundred thousand emails and other documents to get to the truth.

"Apart from the cost of the court case itself, this discovery process - at upwards of $3 to $5 a document - can cost each side hundreds of thousands of dollars. The loser could wind up paying it all, if costs are awarded against it."

Although Lewis says the corporate world is embracing internalised forensics as an integral part of day-to-day business, third-party organisations offering forensic services are not suffering.

And it's long been a growth business: professional services firm PricewaterhouseCoopers says as many as 78 per cent of companies it surveyed several years ago had experienced a security incident, yet 27 per cent had no plans in place to deal with such problems. On average, each event costs more than $60,000, the survey found.

Deloitte has doubled its digital forensics and e-discovery capabilities following its merger with specialist Australian enterprise Forensic Data. Even before this marriage, Deloitte laid claim to being the country's largest independent forensics practice, featuring 125 staff and 17 partners.

One increasingly popular investigation and analysis tool is AccessData's automated turnkey e-discovery kit, which the company touts as "forensically sound and court validated".

But getting organisations to talk about threats they've faced, actions they've taken and forensic tools and strategies they're putting in place is akin to pulling teeth. This world is long on anecdote and short on case specifics.

But Lewis suggests that chief information officers need a good working understanding of the science of investigating computers and other digital devices for evidence. "A growing number of larger Australian organisations - especially banks and telecommunications companies - are moving to establish their own digital forensics divisions, rather than relying on third-party experts," he says.

Along with a steady shift into the corporate arena, Lewis notes a change in perception among experts. Rather than computers and storage devices being treated merely as objects to be identified and catalogued, they are now increasingly considered as digital crime scenes. Along with this comes an understanding that digital forensics involves a number of critical activities.

The crime scene is also expanding beyond desktop and notebook computer hard drives to include all manner of storage tools, emails, the internet and mobile devices such as personal organisers and mobile phones. Adding to this complexity is the fact that the capacity of storage units is growing rapidly, meaning more data may need to be examined and analysed.

The advent of graphical user interface-based operating systems also means more, and increasingly complex, data needs to be handled delicately if it is to stand up in court. Furthermore, smaller devices, such as smart phones and organisers, feature increasingly powerful processors and large amounts of storage - often running proprietary operating systems and applications that standard tools cannot read directly. Forensics can also be applied to analysing web pages, blogs, wikis and radio frequency identification tags. Even motor vehicle black-box computers can hold information that may need to be analysed and assessed.

It's now readily accepted that the model for digital forensics must be based on existing physical-crime investigation practices. It must be practical and follow all the same steps as any other form of investigation. It must also be general when it comes to technology - and not constrained by any existing products and procedures - yet specific enough that the evidence drawn from those technologies and the data they hold is admissible in court. Finally, it must be able to be applied to both law enforcement and corporate investigation processes.

KPMG's national forensic technology leader, Rod McKemmish, says: "Research and development into new techniques and tools is vital for keeping abreast of changes in technology."

It all adds up to an increasingly complicated forensics environment that those working years ago in the text-based DOS universe could never have imagined.

McKemmish was formerly a computer-crimes detective working with the Queensland and Victorian police forces, as well as law enforcement agencies in the US, Canada, Europe and the Middle East. He has outlined four major goals of admissible digital forensics:

  • digital evidence identification, knowing where and how data is stored.
  • evidence preservation, gathering and securing in the least intrusive manner.
  • data analysis, generally regarded as the central aspect of forensics.
  • data presentation, in a way that makes it legally acceptable.

And as far back as 2003, there was already universal acceptance of four main rules that underpin the admissibility of data in a
The first rule is that minimal handling of the original data is critical. Ideally, this means duplication of the information. If mistakes are made during analysis, these copies can be destroyed and fresh ones made without affecting the actual sources.

But these copies must be bit-for-bit reproductions of the originals, and the examiner must be able to show this: in practice that means computing cryptographic hashes of the source and of the copy and recording that they match. Failure to verify and document the duplication in this way can lead to questions of admissibility in court. A major snag here is that experts may find such reproduction difficult where specific hardware and storage media are called for.
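The verification the first rule calls for, as an added example in Python (not from the article or from any of the vendors it names): the source is hashed, copied byte for byte, and both the copy and the source are hashed again, so a bad copy or a disturbed original is caught and logged; analysis then runs only on working copies derived from the verified image. The file names, the sample media and the log layout are constructed for illustration; a device node attached behind a write blocker would be handled in exactly the same way.

```python
"""Verified duplication of digital evidence (added example, not from the article).

Assumptions: the source is a file path (a device node attached behind a
write blocker is used the same way); every name here is illustrative.
"""
import hashlib
import os
import shutil
import tempfile
import time

CHUNK = 1024 * 1024  # stream in 1 MiB blocks so multi-gigabyte images fit in memory


def hash_file(path, algorithms=("md5", "sha256")):
    """Hash a file once with several algorithms; recording two digests is
    customary so that a weakness in one does not undermine the record."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def acquire(source, image_path, log):
    """Byte-for-byte copy of source into image_path, then prove the copy by
    hashing both. The source is hashed before and after so an acquisition
    that disturbed the original is caught, not just a bad copy."""
    before = hash_file(source)
    log.append({"when": time.time(), "action": "hash source", "path": source, **before})
    shutil.copyfile(source, image_path)  # plain read/write copy, no transformation
    image = hash_file(image_path)
    after = hash_file(source)
    log.append({"when": time.time(), "action": "hash image", "path": image_path, **image})
    if image != before:
        raise RuntimeError("image does not match source: acquisition failed")
    if after != before:
        raise RuntimeError("source changed during acquisition: handling was not read-only")
    return image


def verified(path, expected):
    """True if the file at path still matches the recorded digests."""
    return hash_file(path) == expected


def working_copy(image_path, expected, work_path, log):
    """Derive an analysis copy from a verified image; the image itself is never analysed."""
    if not verified(image_path, expected):
        raise RuntimeError("master image no longer matches its record")
    shutil.copyfile(image_path, work_path)
    log.append({"when": time.time(), "action": "working copy", "path": work_path})
    return verified(work_path, expected)


def demo():
    """Constructed run: acquire, make a working copy, damage it during
    'analysis', detect that, and re-derive a clean copy from the image."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "suspect-usb.bin")
        with open(src, "wb") as fh:  # constructed sample media, not real evidence
            fh.write(b"CONFIDENTIAL design notes\x00" * 20000)
        img = os.path.join(d, "usb.img")
        work = os.path.join(d, "usb-work.img")
        log = []
        record = acquire(src, img, log)
        if not working_copy(img, record, work, log):
            raise RuntimeError("working copy failed verification")
        with open(work, "r+b") as fh:  # an analyst's tool scribbles on the working copy
            fh.seek(100)
            fh.write(b"OOPS")
        damaged = not verified(work, record)
        recovered = working_copy(img, record, work, log)  # image and original untouched
        return {"image_ok": verified(img, record), "damaged_detected": damaged,
                "recovered": recovered, "log_entries": len(log),
                "sha256": record["sha256"]}


if __name__ == "__main__":
    print(demo())
```

The log is the start of the record the second rule asks for: every hash and every derived copy is timestamped, so an examiner can later show which file was touched, when, and that the master image's digests never changed.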

The second rule is that all changes made during the examination process need to be properly accounted for and documented. Obviously, duplicate information may need to be tinkered with during the analysis, and investigators need to understand these changes and be able to explain the scope of any alterations made. Then these processes need to be documented in ways that will stand up in court if
Third, everything involved in examination - tools as well as techniques - must comply with the traditional rules of evidence in prevailing jurisdictions. Nothing can be left to chance, and nothing can lessen the information's admissibility.

Finally, examiners should never go beyond their current level of forensic expertise. And if they get to a point where they find it difficult to proceed, they should call on someone with greater skill. For instance, the NSW Police is considered a world authority on retrieving images and information from a wide range of mobile phones. Its forensics team is called upon to help out across Australia.

So where to from here? Advances in technology and computing concepts - smart phones, third-generation mobiles, cloud computing and so on - are generating fresh challenges, and the law may struggle to keep up. As Fulcrum's Lewis and international cryptography expert Bruce Schneier (see "Human behaviour: the weakest link", below) view it, there needs to be a constant balance between technology and the law.

The aforementioned operating system changes also have to be taken into account. As the networks become larger, more powerful and increasingly easy to use, experts are finding duplication of original data more difficult. What used to fit on a single floppy disk in the DOS dark ages may now take dozens of disks to house. The switch to DVDs for duplicate storage has also led to fresh forensics admissibility
Also, platforms supporting plug-and-play capabilities are configured for specific machines. Their operating systems record the nature and configuration of all hardware and support devices installed. Obviously, the system detects any addition or removal of hardware, resulting in changes to relevant configuration files - another potential forensics pitfall. The same automatic behaviour can also write to the evidence itself: an operating system that mounts a newly attached drive may update its file system without being asked, which is why source media should be attached behind a hardware write blocker, or at the very least mounted read-only, before any imaging begins.

And as storage device capacity grows, so does the sheer volume of data that needs to be sifted. Time is money, and analysis can become extremely expensive, especially where courts and lawyers are
Yet as forensic capabilities develop, so does the ability of wrongdoers to sidestep them. Increasingly sophisticated encryption tools are readily available, and apart from locking data away they can be used to change the apparent nature of what is being stored and transmitted, down to the very file names. Graphics and images can be disguised as vanilla data files, for instance, so an examiner cannot trust a file's name or extension and has to look at its contents. And with adequately long keys, brute-force recovery of encrypted content is impractical, so investigators must instead find the key or passphrase by other means.
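File-signature analysis, the usual counter to a renamed or disguised file, as an added example in Python (not from the article): each file's leading bytes are compared with a small table of known format signatures and checked against its extension, and a byte-entropy estimate flags content that has no recognisable header yet looks like ciphertext. The signature table, the extension mapping and the sample files are constructed for illustration, and the 7.5-bit entropy threshold is a working assumption rather than a standard.

```python
"""Spotting disguised and encrypted files by content, not name (added example,
not from the article). Signatures, extension map and samples are constructed
for illustration; real triage uses a much larger signature table.
"""
import hashlib
import math
from collections import Counter

# Well-known leading bytes ("magic numbers") of a few common formats.
SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",  # also the container for .docx/.xlsx/.jar
}
# Extensions that are legitimate for each detected type (assumed mapping).
EXPECTED_EXT = {
    "png": {".png"}, "jpeg": {".jpg", ".jpeg"}, "gif": {".gif"},
    "pdf": {".pdf"}, "zip": {".zip", ".docx", ".xlsx", ".jar"},
}
ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off for "looks encrypted"


def detect_type(data):
    """Return the format whose magic bytes open the data, else None."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return None


def shannon_entropy(data):
    """Bits per byte (0..8). Plain text sits around 4 to 5; encrypted or
    compressed content is close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage(name, data):
    """Flag a file whose extension disagrees with its content, or whose
    content looks encrypted or compressed without a known container header."""
    ext = name[name.rfind("."):].lower() if "." in name else ""
    kind = detect_type(data)
    entropy = shannon_entropy(data)
    findings = []
    if kind and ext not in EXPECTED_EXT[kind]:
        findings.append(f"extension {ext or '(none)'} hides a {kind} file")
    if kind is None and entropy > ENTROPY_THRESHOLD and len(data) >= 1024:
        findings.append("high entropy without a known header: possibly encrypted")
    return {"name": name, "detected": kind, "entropy": round(entropy, 2), "findings": findings}


def _pseudo_random(n, seed=b"constructed"):
    """Deterministic high-entropy bytes standing in for a ciphertext sample."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed samples: a PNG header renamed to look like text, a genuine text
# file, a correctly named JPEG fragment, and a 'ciphertext' with a neutral name.
SAMPLES = {
    "quarterly-notes.txt": SIGNATURES["png"] + b"\x00\x00\x00\rIHDR" + b"\x00" * 64,
    "readme.txt": b"Meeting moved to Thursday. Bring the drawings.\n" * 30,
    "photo.jpg": SIGNATURES["jpeg"] + b"\xe0\x00\x10JFIF" + b"\x00" * 64,
    "backup.dat": _pseudo_random(4096),
}


def run_triage(samples=SAMPLES):
    """Triage every sample; returns a name -> result mapping."""
    return {name: triage(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for result in run_triage().values():
        print(result)
```

High entropy is a lead, not proof: compressed archives, media files and random keys score just as high, so the finding marks a file for closer examination rather than concluding that it is encrypted.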

There is little doubt, then, that digital forensics is around for the long haul and that it will become increasingly important in the corporate world, as well as in criminal environments.

Human behaviour: the weakest link

As organisations look to strengthen operational security, we need to move beyond the basics of antivirus, anti-spam, intrusion detection and firewall protection.

International cryptography expert Bruce Schneier says the mathematics behind most security products is strong. However, poor programming habits and implementation - coupled with our human tendency to want to circumvent security measures - means malicious software and hackers can still penetrate supposedly secure systems.

On the one hand, we tend to avoid security measures that we feel impede our efficiency or speed of work; on the other, much security fails simply because we don't implement it correctly - leading to flaws such as programming back doors.

This is evident in the persistent flow of security updates to products such as Microsoft's operating systems, and the constant need for virus and malware signature updates.

Another major security problem arises when internal people with all the appropriate security clearances abuse trust.

Schneier, author or co-author of nine books on digital security and cryptography since 1994 and founder and chief technical officer of security services provider BT Counterpane, is emphatic: these problems will never be resolved satisfactorily, he says, and organisations need to instigate policies and procedures for appropriate incident responses to ensure evidence of security breaches and computer fraud isn't lost.

Organisations also need to arm themselves with appropriate tools for forensically sound investigations, the results of which must be able to stand up in court if challenged, he says. Such tools should be valuable for document retention and e-discovery compliance.

Developers such as AccessData, Tableau, Intelligent Computer Solutions and others provide tools that allow organisations to investigate security breaches without losing vital evidence that can stand up in
Fairfax Business Media
