agencies around the world to embrace the business community. Many
point to the introduction of the Sarbanes-Oxley Act in the United
States on July 30, 2002, as the tipping point. Also known as the
Public Company Accounting Reform and Investor Protection Act, it was a
response to a series of corporate and accounting scandals involving
the likes of Enron, WorldCom and Tyco International, which rocked the
US corporate sphere.
Under the terms of Australia's free-trade agreement with the US, any
local companies wishing to do business with American counterparts must
comply with Sarbanes-Oxley's accounting and reporting standards. They
must also be able to track and account for such information, which can
touch almost all aspects of business and international trade. These
requirements will become all the more pressing in light of the
unfolding global economic meltdown, which is throwing more light on
the section of the act covering corporate fraud and accountability.
In an increasingly wired world, this has created three major headaches
for organisations caught up in corporate scandals, criminal actions
and civil court cases. They must know how the required information is
stored, which means more thorough tracking of all information,
including email; they must be able to accurately - and quickly - map
where this data resides within the organisation; and they must be able
to retrieve it in formats suitable for submission as legal evidence.
Where police and other law enforcement agencies use digital forensics
to track criminals such as drug traffickers, pedophiles and money
launderers, companies must increasingly use it to protect themselves
and their staff against the theft of intellectual property (IP),
inappropriate employee access to corporate data, fraud, the
distribution of salacious materials via email and a host of other
human resources issues.
Something as seemingly innocent as John Doe leaving Company A to work
for Company B could pitch both organisations into an expensive legal
stoush - especially if Company A suspects its rival now has access to
IP that John Doe had been working on, and sues both Company B and John
Doe. Both organisations need to establish their cases as quickly and
cost effectively as possible.
Companies worldwide are also embracing forensics to help recover data
in the event of hardware or software failures, and to analyse systems
after such crashes. This will, most likely, become increasingly
important as they adopt concepts such as cloud computing.
Little wonder then, that e-discovery has become the most important
aspect of digital forensics, says the managing director of
Sydney-based Fulcrum Management, David Lewis. He believes
e-discovery is growing at least 50 per cent a year in Australia.
Fulcrum, which represents more than 17 suppliers of digital forensics and
e-discovery tools and services in the Asia-Pacific region, says its
discovery business is expanding at about 30 per cent a year.
"In the case of John Doe allegedly stealing IP from his previous
employer," Lewis says, "it may be necessary for that company and his
current employer to sift through several hundred thousand emails and
other documents to get to the truth.
"Apart from the cost of the court case itself, this discovery process
- at upwards of $3 to $5 a document - can cost each side hundreds of
thousands of dollars. The loser could wind up paying it all, if costs
are awarded against it."
Although Lewis says the corporate world is embracing internalised
forensics as an integral part of day-to-day business, third-party
organisations offering forensic services are not suffering.
And it's long been a growth business: professional services firm
PricewaterhouseCoopers says as many as 78 per cent of companies it
surveyed several years ago had experienced a security incident, yet 27
per cent had no plans in place to deal with such problems. On average,
each event costs more than $60,000, the survey found.
Deloitte has doubled its digital forensics and e-discovery
capabilities following its merger with specialist Australian
enterprise Forensic Data. Even before this marriage, Deloitte laid
claim to being the country's largest independent forensics practice,
featuring 125 staff and 17 partners.
One increasingly popular investigation and analysis tool is
AccessData's automated turnkey e-discovery kit, which the company
touts as "forensically sound and court validated".
But getting organisations to talk about threats they've faced, actions
they've taken and forensic tools and strategies they're putting in
place is akin to pulling teeth. This world is long on anecdote and
short on case specifics.
But Lewis suggests that chief information officers need a good working
understanding of the science of investigating computers and other
digital devices for evidence. "A growing number of larger Australian
organisations - especially banks and telecommunications companies -
are moving to establish their own digital forensics divisions, rather
than relying on third-party experts," he says.
Along with a steady shift into the corporate arena, Lewis notes a
change in perception among experts. Rather than computers and storage
devices being seen as substances needing to be identified, they are
now increasingly considered as digital crime scenes. Along with this
comes an understanding that digital forensics involves a number of
The crime scene is also expanding beyond desktop and notebook computer
hard drives to include all manner of storage tools, emails, the
internet and mobile devices such as personal organisers and mobile
phones. Adding to this complexity is the fact that the capacity of
storage units is growing rapidly, meaning more data may need to be
examined and analysed.
The advent of graphical user interface-based operating systems also
means more, and increasingly complex, data needs to be handled
delicately if it is to stand up in court. Furthermore, smaller
devices, such as smart phones and organisers, feature increasingly
powerful chipsets, capable of storing huge amounts of data - often
using proprietary operating systems and applications. Forensics can
also be applied to analysing web pages, blogs, wikis and radio
frequency identification tags. Even motor vehicle black-box computers
can hold information that may need to be analysed and assessed.
It's now readily accepted that the model for digital forensics must be
based on existing physical-crime investigation practices. It must be
practical and follow all the same steps as any other form of
investigation. It must also be technology-neutral - not tied to any
existing products or procedures - yet specific enough that the
technologies used and the data they secure are admissible in court.
Finally, it must be able to be applied to both law enforcement and
corporate investigation processes.
KPMG's national forensic technology leader, Rod McKemmish, says:
"Research and development into new techniques and tools is vital for
keeping abreast of changes in technology."
It all adds up to an increasingly complicated forensics environment
that those working years ago in the text-based DOS universe could
never have imagined.
McKemmish was formerly a computer-crimes detective working with the
Queensland and Victorian police forces, as well as law enforcement
agencies in the US, Canada, Europe and the Middle East. He has
outlined four major goals of admissible digital forensics:
- digital evidence identification, knowing where and how data is stored.
- evidence preservation, gathering and securing in the least intrusive manner.
- data analysis, generally regarded as the central aspect of forensics.
- data presentation, in a way that makes it legally acceptable.
four main rules that underpin the admissibility of data in a
The first rule is that minimal handling of the original data is
critical. Ideally, this means duplication of the information. If
mistakes are made during analysis, these copies can be destroyed and
fresh ones made without affecting the actual sources.
But these copies must be perfect reproductions of the originals, and
failure by forensics experts to authenticate duplication can lead to
questions of legality in court actions. A major snag here is that
experts may find such reproduction difficult where specific hardware
and storage media are called for.
The second rule is that all changes made during the examination
process need to be properly accounted for and documented. Obviously,
duplicate information may need to be tinkered with during the
analysis, and investigators need to understand these changes and be
able to explain the scope of any alterations made. Then these
processes need to be documented in ways that will stand up in court if
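A small illustration of these first two rules, added here as an example and not a tool or procedure described by any of the people or vendors quoted in the article: it duplicates a constructed sample file, hashes the original and the copy, re-verifies the working copy before it is used, and records every step in a chain-of-custody log so that the alteration it later simulates is caught and documented. The file names, the examiner identifier and the sample content are all assumptions made for the demo.

```python
"""Forensic duplication with hash verification and a chain-of-custody log.

Added example (not from the article): shows the first two admissibility
rules discussed above -- work only on a verified duplicate of the original,
and document every action taken during the examination. All file names,
the examiner id and the 'evidence' content are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # stream in 1 MiB pieces so large images don't fill memory


def digest(path, algorithm="sha256"):
    """Return the hex digest of a file, read from disk in chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


class CustodyLog:
    """Append-only record of who did what, when, and to which artefact."""

    def __init__(self, examiner):
        self.examiner = examiner  # assumed identifier for the demo
        self.entries = []

    def record(self, action, **details):
        entry = {
            "time": datetime.now(timezone.utc).isoformat(),
            "examiner": self.examiner,
            "action": action,
            **details,
        }
        self.entries.append(entry)
        return entry

    def dump(self):
        """Serialise the log for inclusion in the examination report."""
        return json.dumps(self.entries, indent=2)


def acquire(source, image, log):
    """Hash the original, copy it once byte-for-byte, hash the copy."""
    src_hash = digest(source)  # original is only ever read, never written
    log.record("hash_original", path=source, sha256=src_hash)
    shutil.copyfile(source, image)
    img_hash = digest(image)
    log.record("create_image", source=source, image=image, sha256=img_hash)
    os.chmod(image, 0o444)  # working copy stays read-only unless deliberately changed
    return src_hash == img_hash


def verify(image, expected_sha256, log):
    """Re-hash a working copy before analysis; any drift is recorded."""
    actual = digest(image)
    ok = actual == expected_sha256
    log.record("verify_image", image=image, expected=expected_sha256,
               actual=actual, result="match" if ok else "MISMATCH")
    return ok


def demo():
    """Acquire and verify, then show that an undocumented change is detected."""
    work = tempfile.mkdtemp()
    original = os.path.join(work, "original.bin")
    image = os.path.join(work, "working_copy.dd")
    with open(original, "wb") as f:  # constructed sample evidence
        f.write(b"From: john.doe@example.invalid\nSubject: project notes\n" * 500)

    log = CustodyLog("examiner-01")
    acquired = acquire(original, image, log)
    expected = log.entries[0]["sha256"]
    clean = verify(image, expected, log)

    os.chmod(image, 0o644)
    with open(image, "ab") as f:  # simulate an alteration nobody wrote down
        f.write(b"\x00")
    tampered = verify(image, expected, log)
    return {"acquired": acquired, "clean": clean,
            "tampered_detected": not tampered, "entries": len(log.entries)}


if __name__ == "__main__":
    print(demo())
```

The log deliberately stores both the expected and the actual hash on every verification, so a mismatch is itself evidence of what happened to the copy rather than a silent failure; in practice the examiner would also record the tool and version used, which this demo omits.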
Third, everything involved in examination - tools as well as
techniques - must comply with the traditional rules of evidence in
prevailing jurisdictions. Nothing can be left to chance, and nothing
can lessen the information's admissibility.
Finally, examiners should never go beyond their current level of
forensic expertise. And if they get to a point where they find it
difficult to proceed, they should call on someone with greater skill.
For instance, the NSW Police is considered a world authority on
retrieving images and information from a wide range of mobile phones.
Its forensics team is called upon to help out across Australia.
So where to from here? Advances in technology and computing concepts -
smart phones, third-generation mobiles, cloud computing and so on -
are generating fresh challenges, and the law may struggle to keep up.
As Fulcrum's Lewis and international cryptography expert Bruce
Schneier (see "Human behaviour: the weakest link", below) view it,
there needs to be a constant balance between technology and the law.
The aforementioned operating system changes also have to be taken into
account. As the networks become larger, more powerful and increasingly
easy to use, experts are finding duplication of original data more
difficult. What used to fit on a single floppy disk in the DOS dark
ages may now take dozens of disks to house. The switch to DVDs for
duplicate storage has also led to fresh forensics admissibility
Also, platforms supporting plug-and-play capabilities are configured
for specific machines. Their operating systems record the nature and
configuration of all hardware and support devices installed.
Obviously, the system detects any addition or removal of hardware,
resulting in changes to relevant configuration files - another
potential forensics pitfall.
And as storage device capacity grows, so does the sheer volume of data
that needs to be sifted. Time is money, and analysis can become
extremely expensive, especially where courts and lawyers are
Yet as forensic capabilities develop, there is a concomitant development in the
ability of wrongdoers to try to sidestep it. Increasingly
sophisticated and complex encryption tools are readily available; and
apart from locking data away, they can be used to change the seeming
nature of what's being stored and transmitted, as well as the very
file names. Graphics and images can be disguised as vanilla data
files, for instance. And the use of longer encryption keys can mean it
takes months to crack them, sometimes even years.
There is little doubt, then, that digital forensics is around for the
long haul and that it will become increasingly important in the
corporate world, as well as in criminal environments.
Human behaviour: the weakest link
As organisations look to strengthen operational security, we need to
move beyond the basics of antivirus, anti-spam, intrusion detection
and firewall protection.
International cryptography expert Bruce Schneier says the mathematics
behind most security products is strong. However, poor programming
habits and implementation - coupled with our human tendency to want to
circumvent security measures - means malicious software and hackers
can still penetrate supposedly secure systems.
On the one hand, we tend to avoid security measures that we feel
impede our efficiency or speed of work; on the other, much security
fails simply because we don't implement it correctly - leading to
flaws such as programming back doors.
This is evident in the persistent flow of security updates to products
such as Microsoft's operating systems, and the constant need for virus
and malware signature updates.
Another major security problem arises when internal people with all
the appropriate security clearances abuse trust.
Schneier, author or co-author of nine books on digital security and
cryptography since 1994 and founder and chief technical officer of
security services provider BT Counterpane, is emphatic: these problems
will never be resolved satisfactorily, he says, and organisations need
to instigate policies and procedures for appropriate incident
responses to ensure evidence of security breaches and computer fraud
Organisations also need to arm themselves with appropriate tools for
forensically sound investigations, the results of which must be able
to stand up in court if challenged, he says. Such tools should be
valuable for document retention and e-discovery compliance.
Developers such as AccessData, Tableau, Intelligent Computer Solutions
and others provide tools that allow organisations to investigate
security breaches without losing vital evidence that can stand up in
Fairfax Business Media