Computer Forensics News - Kroll Ontrack UK - articles related to computer forensics, computer investigations, digital forensics and all computer relat


Electronic Evidence Newsletters


COMPUTER FORENSICS

“We’ve just had a little look…”
Kathryn Owen, Computer Forensic Consultant, U.K. Region, Ontrack Forensics

Forensic - from the Latin forensis meaning forum.

In ancient Rome, disputes were brought before a forum which was made up of a group of public individuals. Both parties would argue their side of the story and the one with the best argument and delivery would determine the outcome of the case. In other words the best forensic skills would win the day.

Forensic science is the application of a broad spectrum of sciences in order to answer questions of interest to the courts in relation to both criminal and civil law. This application requires the highest professional standards of forensic practitioners. Some forensic sciences are grounded in antiquity (the Greeks, Romans and Egyptians are all known to have dabbled in pathology) and some, like computing, are very new.

Forensic computing is concerned with the securing, investigation and production of evidence as well as the formation of opinion on data from electronic sources. These all must satisfy the standard of proof required and good forensic computing practitioners will always aim to achieve the higher standard of proof demanded in the criminal courts.

Given the complexities, when should you consider instructing a forensic computing professional?

Imagine a murder mystery scene where we find a dead body and a gun lying nearby. A passer-by stumbles on the scene, picks up the gun to examine it, moves the body and walks around the area before calling the police. As forensic investigators, we would shake our heads and say ‘there goes the evidence’.

In the less sinister environment of the workplace, suppose you suspect one of your employees has been misusing your computer system. As this could be anything from infringement of company policy to an offence under the Computer Misuse Act or worse, how would you deal with it? If an employee leaves and you suspect that they may have taken with them company records, software or a client database, what would be the first action to take? When your legal team undertakes an internal investigation, how are they going to deal with the huge amount of data residing on your computer systems?

These three scenarios may appear to be so unrelated as to have little common ground in terms of coping strategies. However, in each case legal proceedings could ultimately ensue and proper handling of the evidence is paramount.

When carrying out any investigation involving electronic data there is quite often the temptation to use internal resources in the initial stages. This can be out of a desire for discretion, an attempt to keep costs to a minimum or simply a lack of understanding of what is involved. Unfortunately there are occasions when we are called in after attempts at an investigation have been made and failed. We dread hearing the words “we’ve just had a little look” or “we’ve already carried out our own investigation”. On those occasions, there is a possibility that, well intentioned though it may be, the ‘little look’ can seriously compromise the effectiveness of any subsequent investigation because of possible tampering.

As a rule, if there is any possibility of future legal action, it is advisable to seek the advice of experts immediately. Take the three scenarios above. If an employee is dismissed for breaching company policy he may claim unfair dismissal and take the case to the employment tribunal. A more serious offence may have taken place which should be reported to the authorities. In both instances it would be advisable to secure any data which may become relevant in the event of legal proceedings. In the event of suspicion of intellectual property theft, you may need to investigate the systems used by the suspect in order to gather information for a civil action or even a civil search order. Internal investigations can now be speedily and effectively undertaken on a scale which would not have been possible before the advent of powerful tools. However, before this can happen the data must be secured in a manner that will enable anyone to return to it to verify conclusions drawn from the investigation.

The key feature is the preservation of the evidence or ‘freezing the scene’. The first step is to obtain a sound forensic copy of electronic data in a safe environment using tools that cannot alter or corrupt that data. This will most often take the form of creating what is known as a forensic image of the media but can also include forensic selective copying. In the case of data held on a server, the simple expedient of securing a backup can sometimes suffice but it is crucial to consider these options within the context of the case. The experienced forensic practitioner deals with a wide variety of casework on a daily basis and is in the best position to advise on a strategy which will ensure the smooth running of your investigation.
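The verification principle behind a forensic image, as an added example that is not part of the original article or any Kroll Ontrack tool: the copy is hashed as it is read, the hashes are recorded in a manifest, and anyone can later re-check the image against that record. The file names, block size and manifest layout are assumptions made for the illustration, and the "media" is a constructed 16 KiB file.

```python
import hashlib, json, os, tempfile

BLOCK = 4096  # assumed block size for the per-block hashes

def acquire(source, image, manifest):
    """Copy source to image, hashing the bytes exactly as they are read."""
    whole, blocks = hashlib.sha256(), []
    # Source is opened read-only; 'x' modes refuse to overwrite earlier output.
    with open(source, "rb") as src, open(image, "xb") as dst:
        while chunk := src.read(BLOCK):
            whole.update(chunk)
            blocks.append(hashlib.sha256(chunk).hexdigest())
            dst.write(chunk)
    os.chmod(image, 0o444)  # mark the finished image read-only
    record = {"sha256": whole.hexdigest(), "block_size": BLOCK, "blocks": blocks}
    with open(manifest, "x") as fh:
        json.dump(record, fh)
    return record

def verify(image, manifest):
    """Return (ok, indices of blocks that no longer match the manifest)."""
    with open(manifest) as fh:
        record = json.load(fh)
    whole, bad, n = hashlib.sha256(), [], 0
    with open(image, "rb") as img:
        while chunk := img.read(record["block_size"]):
            whole.update(chunk)
            known = record["blocks"][n] if n < len(record["blocks"]) else None
            if hashlib.sha256(chunk).hexdigest() != known:
                bad.append(n)  # altered block, or data beyond the recorded end
            n += 1
    bad.extend(range(n, len(record["blocks"])))  # blocks missing from the image
    return whole.hexdigest() == record["sha256"] and not bad, bad

def demo():
    """Image a constructed file, verify it, then verify after a one-byte change."""
    with tempfile.TemporaryDirectory() as d:
        src, img, man = (os.path.join(d, f) for f in ("src.bin", "img.dd", "img.json"))
        with open(src, "wb") as fh:
            fh.write(bytes(range(256)) * 64)  # constructed 16 KiB sample "media"
        acquire(src, img, man)
        clean = verify(img, man)
        os.chmod(img, 0o644)  # simulate a later 'little look' that alters the copy
        with open(img, "r+b") as fh:
            fh.seek(5000)
            fh.write(b"\xff")
        return clean, verify(img, man)

if __name__ == "__main__":
    print(demo())
```

The per-block hashes show where an image diverges from the acquisition record, not only that it does.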

The best forensic skills will win the day.

