Outwitting the Disk Detectives

By Bill Dawes

May/June Edition, 2008: Frank was confident he had completed the perfect electronic fraud. Not your average uninformed computer user, he knew all about metadata.

So when he decided to try falsifying the age of an important document, Frank performed the electronic equivalent of liquid-papering out the old date headers and inserting his own values.

For someone with a Gen Y or even a Gen X upbringing this was not too difficult a task to perform. There are plenty of free utilities available on the Web that will do the job with a minimum of fuss.

As the investigation into his misdeeds commenced, Frank relaxed in the knowledge that his deceit could never be unmasked. However, the forensic experts hired by his employer had other ideas.

Nicholas Adamo, one of Australia’s leading experts in computer forensics and a partner at Deloitte, takes up the tale.

“A person had been accused of fabricating a document so that the metadata associated with that document was designed to convince another into thinking a document was created earlier than what it was,” said Adamo.

“The date of creation was critical as was the date the document was last viewed. For a general Microsoft Word document there is quite a bit of information associated with the file and this includes both internal and external metadata. That includes data created in Word and the file system information from the computer that it is on.

“We looked not only at the metadata but also what the file system showed us about the version of Word that was used to create this particular document. We soon worked out that the document was allegedly created on a particular date when the version of Microsoft Word allegedly used to create the document hadn’t yet been released.

“So if you understand what you are looking for and how to interpret it, the results can be pretty significant.”
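The version-versus-date cross-check Adamo describes, as an added example that is not from the article or from Deloitte: it reads the internal metadata of an OOXML (.docx) package and flags a creation stamp that predates the release of the Word version recorded in AppVersion, or a modified stamp earlier than the created stamp. The docProps layout is assumed from the OOXML format; the release dates in the table are illustrative assumptions an examiner would verify against vendor records, and the sample package is constructed in memory.

```python
import io
import zipfile
from datetime import datetime, timezone
from xml.etree import ElementTree as ET

# Assumed (illustrative) general-availability dates for the Word versions that write
# AppVersion; an examiner would verify them against vendor release records.
WORD_RELEASE_DATES = {"12": datetime(2007, 1, 30, tzinfo=timezone.utc),   # Word 2007
                      "14": datetime(2010, 6, 15, tzinfo=timezone.utc)}   # Word 2010
NS = {"dcterms": "http://purl.org/dc/terms/",
      "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties"}

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def read_docx_metadata(data: bytes) -> dict:
    """Read created/modified stamps and the authoring app version from docProps."""
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        core = ET.fromstring(z.read("docProps/core.xml"))
        app = ET.fromstring(z.read("docProps/app.xml"))
    return {"created": _ts(core.findtext("dcterms:created", namespaces=NS)),
            "modified": _ts(core.findtext("dcterms:modified", namespaces=NS)),
            "app_version": app.findtext("ep:AppVersion", namespaces=NS)}

def check_consistency(meta: dict) -> list:
    """Return human-readable anomalies; an empty list means nothing contradicted itself."""
    issues = []
    released = WORD_RELEASE_DATES.get(meta["app_version"].split(".")[0])
    if released and meta["created"] < released:
        issues.append(f"created {meta['created']:%Y-%m-%d} predates the release "
                      f"({released:%Y-%m-%d}) of AppVersion {meta['app_version']}")
    if meta["modified"] < meta["created"]:
        issues.append("modified stamp is earlier than created stamp")
    return issues

def build_sample_docx(created: str, modified: str, app_version: str) -> bytes:
    """Constructed minimal package holding only the two metadata parts (demo input)."""
    core = (f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dcterms="{NS["dcterms"]}" '
            f'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
            f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
            '</cp:coreProperties>')
    app = f'<Properties xmlns="{NS["ep"]}"><AppVersion>{app_version}</AppVersion></Properties>'
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("docProps/app.xml", app)
    return buf.getvalue()
```

Feeding `build_sample_docx("2005-03-10T09:15:00Z", "2008-02-01T10:00:00Z", "12.0000")` through the two functions reports the backdated creation stamp; the file system's own timestamps would be compared separately, as Adamo's external metadata.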

In this case the good guys won the day, but Adamo and other forensic experts IDM spoke to agree that the increasing sophistication of electronic fraudsters and cyber criminals is making life more difficult for prosecutors and the corporate world in general.

As a partner at Deloitte Forensic, Adamo is a member of Australia’s largest dedicated team of forensic investigators.

Adamo was the founder of specialist firm Forensic Data, which has merged with Deloitte to create a dedicated team of 22 full-time forensic technology experts, as part of a complete forensic team of more than 147.

He acknowledges that the growing sophistication of the average computer user and their knowledge of systems is presenting ever increasing challenges, but believes it is possible for forensic professionals to stay a step ahead.

“My staff and I are extraordinarily good at what we do and we focus on an extremely narrow discipline in the computing field. I believe that like in medicine you can’t be expert in all areas: nor do we try to be.

“It’s very hard to find someone who knows as much as a true computer forensics expert, and therefore they may be able to change one parameter but it tends to stick out more. It would take a fair amount to pull the wool over our eyes. We find that most people who try and falsify information really give the game away.”

Some of the major challenges facing forensic investigations include the widespread availability of high level of encryption and comprehensive file shredding tools. Then there is the huge volume of data that must be investigated.

“People now have a better understanding of their obligations to maintain data should the need arise in legal cases. The physical volume of what they are storing is increasing,” said Adamo.

“There’s also a great deal more litigation between clients in the open market.”

“The numbers of computers involved in any one particular action I’ve seen increase significantly. It used to be three or four PCs, now it’s 30-40 that we need to look at.”

Ajoy Gosh, a Security Solutions Executive at Logica, believes the storage explosion is a double-edged sword.

“On one side, evidence can be geographically dispersed and there is more data to process, on the other, the media to store copies on is cheaper and more versatile and the tools are getting better at automating many of the routine forensic tasks,” he said.

While the tools to allow people to delete information from a computer so that it is completely unrecoverable are much more accessible, Gosh points out this does not provide a blanket solution for electronic fraudsters.

“The problem is that we send information to so many different places that it’s difficult and sometimes impossible to find and delete all copies. Also, with a computer there are a number of places where the data is copied and most people don’t know to delete all of them,” he said.

Gosh believes the biggest challenge to forensic investigators today lies in the potential for a company to take shortcuts with its procedures in order to save costs.

“The biggest challenge is not technical—it’s the expectation that a computer forensic examiner’s report will be unchallenged and the resulting short cuts taken. The emergence of the other side’s expert means that barristers are increasingly well-coached on how to discredit the evidence.”

Andrew MacLeish is a Senior Manager at PPB Forensics and has over 14 years of law enforcement experience, over seven of which have been spent in the field of computer forensics with both the Victoria Police and the Australian Federal Police. He is also concerned that storage growth is making the forensics job that much harder.

“Given that the average storage space is now growing to exceed 250GB and that a 1TB drive is now only $299, then the average person can have the capacity to store data on their home PC which has more space than many company servers.

“A terabyte hard drive even 80% full would take weeks of analysis to identify all the information. The imaging process would also take a considerable amount of time, so much so that you would be forced to take a logical image in a ‘live’ environment of only those files relevant to a keyword search.”

MacLeish is confident that most security incidents occur because of internal threats by the employees of that company.

“In my experience employees are sometimes jealous of the CEO or owner of the business and this often is the basis to give the opposition trading lists, customer lists, price lists etc which often causes the business to suffer financial loss due to market share. Documents are often emailed and then the emails are deleted. Others use devices such as thumb drives, or other USB devices such as iPods or hard drives to copy data and then give it out.

“A Blackberry with enough internal memory can be used to extract documents of interest and remove them from the business computer system.

“Other types of threats are those by employees who use their skills and knowledge to build a client base and then leave the business with that knowledge to start up a business in direct competition. Prices, manufacturing costs and individual customer needs are often the cause of property or intellectual property theft.

“Unfortunately the criminal law doesn’t allow data to be stolen (Victoria Crimes Act, 1958) so many people are required to resort to Intellectual Property (IP) theft in the civil arena to prosecute the alleged offender.”

Encryption tools sourced over the Web are presenting a problem for investigators, according to Adrian Brisco, general manager, Asia-Pacific, Kroll Ontrack, although this can be overcome with the help of an on-side corporate IT team.

“Firewall logs and proxy server information are also helpful—investigators need to access all data sources. If any media has been erased, then it’s very difficult to recover, subject to the type of erasing.”

One of the essentials Brisco advises is that any organization that is contemplating a forensic investigation should consult a third party prior to imaging of desktop or server hard drives.

“If data is destroyed in the process of their own imaging process then it could be construed to be deliberate therefore creating further legal issue or negating the use of the evidence. If they consult a professional computer forensics vendor, proper procedure is followed along with third party verification,” he said.

Deloitte’s Adamo does find companies that think they can manage forensic investigations internally, but points out the tools and techniques, while formidable, are only a small part of the overall picture.

“When people come to us they are seeking an expert who can stand up in court and explain how the forensic process has been undertaken. It takes away a lot of their liability, and it’s a big part of why they retain us,” he said.

“Everything cannot be solved with a bit of software, we need to achieve results that we can verify and stand up in court and say - “This is the reason why we’ve chosen to do searches in such a way, these are the results and we can confidently say that is being done to provide that which we are obliged to provide and not waste the court’s time with data that is irrelevant.”

“My advice to people is simply try and gain an understanding of the issues you are about to face before you choose which way you want to go. I understand costs may be an issue or prohibitive in some cases.

“Clients can make the right decision if they take the time to ask the questions before starting anything. We find inevitably that those who rush in are in a much worse position than they should have been for any investigation.”
