
Introduction to Computer Forensics
Make sure you know the basics.

By J. Frank Grindstaff, Jr.
CPA, CIA, CISA, EnCE
Items Covered
• History of Computer Forensics
• The forensic process
• Laws affecting Computer Forensics
• Computer Forensics to e-Discovery
Brief History of Computer Forensics
History of Computer Forensics – 1980’s
• Norton Utilities, “Un-erase” tool
• Financial investigators began to discover that all the records being reviewed existed only on computers. How do you get this into court?
• Groups like Assoc. of Certified Fraud
Examiners began to seek training in what
became computer forensics
1980’s Continued
• SEARCH High Tech Crimes training
created
• Classes began to be taught to Federal
agents in California and at FLETC in
Georgia
• HTCIA formed in Southern California with
12 members
Computer Forensics - 1990’s
• Expert Witness released
• International Association of Computer
Investigative Specialists (IACIS) formed
• National White Collar Crime Center
(NW3C) develops computer forensics
training
• EnCase is released
Computer Forensics – 2000’s
• SMART by ASR Data
• FTK by Access Data
• EnCase matures & releases Enterprise
edition
• Case law begins to develop
• Computer Forensics emerges from a
cottage industry into a young profession
The Computer Forensic Process
Overview
• Nature of Cybercrime
• Definition of Computer Forensics
• Scope of Engagement
• Preservation
• Examination & Analysis
• Presentation
Cybercrime
• Hacking
• Virus
• Trojans
Common Crime = Cybercrime
• Homicide
• Fraud
• Extortion
• Gambling
• Prostitution
• Software Piracy
• Identity Theft
• Email Threats
• Narcotics
• Domestic Violence
What can you get?
Digital Evidence
Digital Evidence is not necessarily a
smoking gun, but it:
• Provides leads to other evidence
• Corroborates other evidence
Digital evidence: Today's fingerprints
Electronic world increasingly being used to solve crimes
(CNN) -- Police and prosecutors are fashioning a new weapon in their arsenal against criminals: digital evidence. The sight of hard drives, Internet files and e-mails as courtroom evidence is increasingly common.
By Michael Coren, CNN
Peterson team disputes prosecutors' timeline
REDWOOD CITY, California -- A computer forensics expert who studied Scott Peterson's Web-surfing habits in the weeks surrounding his wife's disappearance told jurors it was possible that Laci, not Scott, was using the couple's laptop computer the morning of December 24, 2002.
By Lisa Sweetingham, Court TV
Types of Evidence
• Documents
• Spreadsheets
• Emails
• Programs
• Attachments
• Databases
• Internet Activity
• Temporary Files
“In short, the average computer is about as secure as a wet paper bag, and it is one of the last places where you would want to hide valuable data or use to communicate secret or sensitive information.”
Rick Maybury
Bootcamp week 182: Email and PC security
Connect
July 5, 2001
Fun Statistics
• About 31 billion emails are sent daily, and this is expected to double by 2006
(IDC Email usage forecast and analysis, www.sims.berkeley.edu/research/projects/how-much-info-2003)
• Emails can be on the sender's computer, servers in between, the recipient's computer, and backups.
• 70% of electronic documents are never printed (U. S. News and World Report)
• An 80 GB hard drive can have 18,181,820 pages of data to review
• To print the data on a new 1 TB hard drive would require 50,000 trees to be turned into paper
Other Activity
• Computers are everywhere, used by everyone
for everything
– Internet Surfing, Messaging, Email, Financial
applications, online banks, Paypal, Shopping, etc.
– Over 90% of the documents created never make it to
a physical format, they are stored on hard drives,
floppies, CD’s, Zip disks, etc.
– Evidence is all over the place, and in places the
creator may have no control over.
– FBI estimates 50% of their investigations will require
the examination of at least one computer.
From the Federal Bench
Judge Loretta Preska: “Responding to a question, Judge Preska explained that it is ‘hard to say’ whether an attorney’s failure to seek electronic discovery in a case could support a finding of legal malpractice. ‘The rules talk about the production of relevant information,’ she said, ‘so we seem to create the burden to seek e-data.’ While noting that the increased costs associated with electronic discovery ‘have changed the game,’ she added that she can’t imagine how counsel who is responsible cannot seek relevant electronic information.”

Dorrian, Patrick F. “Jurists Offer Perspective, Tips on Electronic Discovery”. Metropolitan Corporate Counsel, Nov. 2003
Definition
• Computer Forensics is the art and science of
gathering, retrieving and presenting digital
based evidence.
• It is a science in the sense that forensic
imaging must follow certain recognized
standards and protocols.
• It is an art in the sense that no two forensic
examinations are the same although they
should arrive at the same conclusion.
How can Computer Forensics help?
• Sexual harassment cases - memos, letters, e-mails, chat
• Embezzlement cases - spreadsheets, memos, letters, e-mails, on line banking information
• Corporate Espionage - memos, letters, e-mails, chat
• Fraud - memos, letters, spreadsheets, e-mails
Tools of the Trade
Best to use commercial software, available
to anyone
– EnCase by Guidance Software
– Forensic Tool Kit by Access Data
– SMART by ASR Data
– Maresware by Mares & Associates
– DataLifter by StepaNet Communications
Scope of Engagement
• Identify what needs to be preserved and what needs to be analyzed.
• Get a copy of the client’s policy regarding computer resources
• Develop a game plan with the client
• Basically this is similar to a risk based audit.
IDENTIFY
• What is the evidence?
• Where is it stored?
• How is it stored?
• How long will it be there?
(Diagram: stand-alone PC, server, laptop, handheld, remote storage)
Relevant Policies & Procedures
• Ensure the Client’s policy states that the user has no expectation of privacy on any computer that is owned by the company or that accesses the company’s network or email systems.
Game Plan
• Develop keyword searches to run against
the data
• List the file types you are interested in
• Determine which computers need to be
imaged and then a priority for each
computer for analysis work
• Set benchmarks where you will give the
client reports on work in process
A Few Common Mistakes
• Not making a bit-stream image
– Gates Rubber Co. v. Bando Chemical Industries, Ltd., 167 F.R.D. 90 (D. Colo. 1996). Plaintiff had a technician install Norton’s Unerase on the defendant's computer and destroyed about 7% of the recoverable items in the process.
– In 1996 they got away with this; now a judge familiar with computer forensics could have anything found thrown out.
• Booting the computer
• Poking around before making an image
• Using a person who is not properly trained in computer forensics
• Not making forensically sound images as soon as possible
• Not notifying the right people in IT
– In today’s environment of outsourcing, a third party may need to be notified for preservation – is this in your plan? Keir v. Unumprovident Corp., No. 02 Civ. 8781, 2003 WL 21997747 (S.D.N.Y. Aug. 22, 2003).
Preservation
• Securing the potential evidence
• Preservation
• Imaging the items
• Documentation
Securing the potential evidence
• Preservation is the first step
• Know your rights and responsibilities
• Review ISPs' and/or ASPs' websites to see if they have any policies and procedures concerning requests for information.
Preserve
• The key to a forensically sound examination hinges on the pristine condition of the evidence/information.
• This examination ensures there are no changes to the original evidence.
• Destination drive preparation
• Write Blocking Software
• Read Only Attribute
• Digital Intelligence
• DOS EnCase
Image Validation
• EnCase
– MD5, CRC (every 32K)
• FTK
– MD5, SHA-1
• ProDiscover
– MD5 or SHA-1 hash
• Winhex/X-Ways Forensic
– Mass hash calculation for files (CRC32, MD5, SHA-1, SHA-256, PSCHF, ...)
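As an added illustration of the validation this slide lists (not code from the presentation or from any of the tools it names), the following Python records the whole-image MD5 and SHA-1 that tools like FTK use, plus a CRC32 per 32K block in the style of EnCase, and then checks a copy against them; the per-block CRCs show which block changed when the whole-image hash fails. The sample image and the one-byte alteration are constructed for the demo.

```python
import hashlib
import zlib

BLOCK_SIZE = 32 * 1024  # 32K, the CRC granularity the slide gives for EnCase


def acquisition_hashes(image: bytes) -> dict:
    """Hashes an examiner records at acquisition: MD5 and SHA-1 of the whole
    image, plus a CRC32 for every 32K block so a damaged region can be located."""
    crcs = [zlib.crc32(image[i:i + BLOCK_SIZE]) & 0xFFFFFFFF
            for i in range(0, len(image), BLOCK_SIZE)]
    return {
        "md5": hashlib.md5(image).hexdigest(),
        "sha1": hashlib.sha1(image).hexdigest(),
        "block_crc32": crcs,
    }


def verify_image(copy: bytes, recorded: dict) -> dict:
    """Re-hash a copy and compare it with the recorded values.
    Two independent hashes guard against a chance collision in one of them;
    the block CRCs pinpoint which 32K block differs when the totals disagree."""
    current = acquisition_hashes(copy)
    bad_blocks = [i for i, (old, new) in
                  enumerate(zip(recorded["block_crc32"], current["block_crc32"]))
                  if old != new]
    return {
        "md5_ok": current["md5"] == recorded["md5"],
        "sha1_ok": current["sha1"] == recorded["sha1"],
        "same_length": len(recorded["block_crc32"]) == len(current["block_crc32"]),
        "bad_blocks": bad_blocks,
    }


# Constructed sample "image": three full 32K blocks plus a short fourth block.
ORIGINAL_IMAGE = bytes(range(256)) * (3 * 128) + b"tail-of-last-block"
RECORDED = acquisition_hashes(ORIGINAL_IMAGE)


def check_untouched_copy() -> dict:
    """A bit-for-bit copy verifies cleanly on every measure."""
    return verify_image(bytes(ORIGINAL_IMAGE), RECORDED)


def check_altered_copy() -> dict:
    """Flipping one bit in the third block (index 2) fails both whole-image
    hashes and the CRC of that one block only."""
    altered = bytearray(ORIGINAL_IMAGE)
    altered[2 * BLOCK_SIZE + 5] ^= 0x01
    return verify_image(bytes(altered), RECORDED)


if __name__ == "__main__":
    print("untouched:", check_untouched_copy())
    print("altered:  ", check_altered_copy())
```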
Chain of Custody
• Very important documentation
• Inadequate documentation may result in
all the forensic work being thrown out
• Guard the original evidence
Examination & Analysis
• What can be recovered & Why
• Differences in the Forensic Tools
• Tool validation
Why can data be recovered?
• Windows operating systems cannot securely remove data from a hard drive.
• The way data is stored allows data to be recovered long after an individual thought it was gone.
• Data is stored on a hard drive in “clusters.”
• Windows uses fixed-size clusters.
• Even if the data being stored doesn’t completely fill the cluster, the entire cluster is used for the file.
• Unused space is called slack space.
Slack Space
(Diagram: a cluster; data is written to the cluster, and the remaining space is “slack space”)
Slack Space II
Using this concept, if a cluster is filled with data, and then is only partly overwritten by new data...
(Diagram: cluster is filled with data; data gets partially overwritten; data in slack space is recoverable)
How long can data remain in slack space?
Theoretically, it could stay there forever!
Important concept for:
• Security reasons
• Evidence discovery reasons
Why be concerned about slack space?
The large hard drives in use today can have slack space as large as 32255 bytes (32K), the equivalent of a two page Word document!
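An added example, not from the presentation, that models the slack-space slides in Python: a toy volume of fixed-size clusters where writing a new file only touches the bytes it needs, so the tail of an older file survives in the slack of the new file's last cluster. The cluster size and file contents are constructed for the demo; slack_bytes also works for the 32K cluster the slide mentions.

```python
CLUSTER_SIZE = 4096  # constructed for the demo; real sizes depend on file system and volume


def slack_bytes(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    """Unused bytes in a file's last cluster: the slide's "slack space".
    A file that exactly fills its clusters has none; a one-byte file wastes
    almost a whole cluster."""
    return (-file_size) % cluster_size


def clusters_needed(file_size: int, cluster_size: int = CLUSTER_SIZE) -> int:
    return max(1, (file_size + cluster_size - 1) // cluster_size)


class ToyVolume:
    """A volume of fixed-size clusters. Writing a file touches only the bytes
    the file needs; whatever was already in the rest of the cluster stays."""

    def __init__(self, n_clusters: int, cluster_size: int = CLUSTER_SIZE):
        self.cluster_size = cluster_size
        self.disk = bytearray(n_clusters * cluster_size)

    def write(self, first_cluster: int, data: bytes) -> None:
        start = first_cluster * self.cluster_size
        self.disk[start:start + len(data)] = data

    def read_file(self, first_cluster: int, size: int) -> bytes:
        """What the operating system shows: exactly `size` bytes."""
        start = first_cluster * self.cluster_size
        return bytes(self.disk[start:start + size])

    def read_slack(self, first_cluster: int, size: int) -> bytes:
        """What a forensic tool shows: the bytes after the logical end of the
        file but inside its last cluster."""
        last = first_cluster + clusters_needed(size, self.cluster_size) - 1
        used_in_last = size - (last - first_cluster) * self.cluster_size
        start = last * self.cluster_size + used_in_last
        return bytes(self.disk[start:(last + 1) * self.cluster_size])


def demo() -> dict:
    vol = ToyVolume(n_clusters=4)
    # Constructed "old" file that exactly fills cluster 1 ...
    old = (b"LEDGER-ROW-2003;" * 300)[:CLUSTER_SIZE]
    vol.write(1, old)
    # ... later replaced in that cluster by a tiny new file.
    new = b"hello"
    vol.write(1, new)
    slack = vol.read_slack(1, len(new))
    return {
        "new_file": vol.read_file(1, len(new)),
        "slack_len": len(slack),
        "slack_sample": slack[:16],
        "old_text_survives": b"LEDGER-ROW-2003" in slack,
    }


if __name__ == "__main__":
    print(demo())
```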


Finding data the user doesn’t intentionally create
• Temporary Files
• Spooler Files
• Virtual Memory and Swap Files
• Internet Browser and History Files
• Temporary Internet Files
• Related Links
• Log files
• Metadata
• Info Files
• Web based emails
Data in temporary files
The temporary files are ‘deleted’ when the program using them is finished with them.
The data contained in these files remains on the hard drive until it is overwritten. The operating system views this space on the hard drive as ‘empty’ and available to be written to.
What happens to Deleted Files?
When a file is created, a directory entry for that file is also created.
When the file is deleted and not sent to the recycle bin, the first letter of the file name in the directory entry is changed to a special character, the Greek Sigma character (HEX E5).
Deleted Files Continued -
All entries in the File Allocation Table (FAT) assigned to this file are then cleared.
The data contained in the file remains on the hard drive in unallocated space.
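An added Python model of the FAT deletion these slides describe (not the presentation's own code): a 32-byte directory entry gets its first byte set to 0xE5, the FAT chain is cleared, and the data clusters are left alone, which is why an undelete tool that assumes the clusters were contiguous can read the file back. The directory layout follows the FAT short-entry format; the cluster size, directory size and memo text are constructed for the demo.

```python
import struct

DELETED_MARKER = 0xE5  # the "HEX E5" byte the slide describes
ENTRY_SIZE = 32        # size of a FAT short directory entry
CLUSTER_SIZE = 512     # constructed, deliberately small
FAT_EOC = 0xFFFF       # end-of-chain marker in the FAT


def make_entry(name8: str, ext3: str, first_cluster: int, size: int) -> bytes:
    """Build a 32-byte directory entry: 8.3 name, then attribute/time fields
    (left zeroed here), first cluster (u16 at offset 26), size (u32 at 28)."""
    raw = name8.upper().ljust(8).encode("ascii") + ext3.upper().ljust(3).encode("ascii")
    return raw + bytes(15) + struct.pack("<HI", first_cluster, size)


def parse_entries(directory: bytes) -> list:
    """List every entry, flagging those whose first byte is 0xE5. The rest of
    the name, the first cluster and the size of a deleted file are intact."""
    entries = []
    for off in range(0, len(directory), ENTRY_SIZE):
        e = directory[off:off + ENTRY_SIZE]
        if e[0] == 0x00:
            break  # end of the used part of the directory
        deleted = e[0] == DELETED_MARKER
        base = ("?" if deleted else chr(e[0])) + e[1:8].decode("ascii").rstrip()
        ext = e[8:11].decode("ascii").rstrip()
        first, size = struct.unpack_from("<HI", e, 26)
        entries.append({"name": f"{base}.{ext}" if ext else base,
                        "deleted": deleted, "first_cluster": first, "size": size})
    return entries


class ToyFatVolume:
    def __init__(self, n_clusters: int):
        self.fat = [0] * n_clusters                  # 0 = free cluster
        self.data = bytearray(n_clusters * CLUSTER_SIZE)
        self.directory = bytearray(ENTRY_SIZE * 8)   # room for 8 entries

    def create(self, name8: str, ext3: str, content: bytes, first_cluster: int) -> int:
        """Write content to consecutive clusters, chain them in the FAT and add
        a directory entry. Returns the entry's offset in the directory."""
        n = max(1, -(-len(content) // CLUSTER_SIZE))
        for i in range(n):
            c = first_cluster + i
            self.fat[c] = c + 1 if i < n - 1 else FAT_EOC
            chunk = content[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            self.data[c * CLUSTER_SIZE:c * CLUSTER_SIZE + len(chunk)] = chunk
        for off in range(0, len(self.directory), ENTRY_SIZE):
            if self.directory[off] in (0x00, DELETED_MARKER):
                self.directory[off:off + ENTRY_SIZE] = make_entry(
                    name8, ext3, first_cluster, len(content))
                return off
        raise RuntimeError("directory full")

    def delete(self, off: int) -> None:
        """What the OS does on delete: mark the entry with 0xE5 and clear the
        FAT chain. Not one byte of the file's data is touched."""
        c, _ = struct.unpack_from("<HI", self.directory, off + 26)
        while c not in (0, FAT_EOC):
            nxt = self.fat[c]
            self.fat[c] = 0
            c = nxt
        self.directory[off] = DELETED_MARKER

    def recover(self, entry: dict) -> bytes:
        """Undelete: the chain is gone, so assume the clusters were contiguous,
        the assumption classic Un-erase tools make."""
        start = entry["first_cluster"] * CLUSTER_SIZE
        return bytes(self.data[start:start + entry["size"]])


def demo() -> dict:
    vol = ToyFatVolume(n_clusters=16)
    memo = b"Q3 ledger adjustment, see attached spreadsheet. " * 12  # constructed; spans 2 clusters
    off = vol.create("memo", "txt", memo, first_cluster=2)
    vol.delete(off)
    entries = parse_entries(vol.directory)
    deleted = [e for e in entries if e["deleted"]]
    return {"entries": entries, "fat_2_3": vol.fat[2:4],
            "recovered": vol.recover(deleted[0]), "original": memo}


if __name__ == "__main__":
    print(demo())
```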
So, you think they are gone..
• Deleting
• Formatting
• F-Disking
A Judge’s thoughts on Delete
[A] computer’s DELETE key acts somewhat like a
thief who steals a card from the old library’s card
file. When the card was in place, the librarian
could decode the library’s filing system and find
the book. If the card was gone, or unreadable,
the book was still in the library, but it could no
longer be found amidst the library’s stacked
shelves. In a computer, the “lost” book can be
found with very little effort.
Judge James M. Rosenbaum, D. Minn.
Unallocated Space?
• This is the part of the hard drive that the computer’s operating system thinks is empty and available for use.
• Often unallocated space has a tremendous amount of data in it that the computer cannot ‘see’, but it is recoverable
Unusual Activity Stands Out
• “…Usenet news system, fewer than 10
percent of the files were used within the
last 30 days.”
• “…Windows PCs and other desktop
systems. We find that often more than 90
percent of files haven’t been touched in
the past year.”
Forensic Discovery by Dan Farmer and Wietse Venema, page 5. Addison-Wesley/Pearson
Education, first printing December 2004
MetaData: Data about Data???
• Email, MS-Word, Excel, and many other documents have it
• Gives the ‘behind the scenes’ information about the document
• Metadata may include the document’s creator, who revised the document, various time stamps, email recipients (including BCC) etc.
Viewing deleted files and metadata
• Multiple tools exist -
– EnCase works very well, but is expensive.
– Forensic Tool Kit (FTK) will work, but is also expensive
– Symantec’s Disk Edit will work, is affordable, but requires more work and knowledge.
– Metadata Assistant – Will retrieve metadata for Microsoft files
File Extensions
• File Extensions tell the system what program to use to open the file
– .doc - Microsoft Word Document
– .pdf - Adobe Acrobat File
– .bmp - Image file
– .jpg - Image file
• Individuals will change the file extension to hide particular files.
File Extensions - Not always what they appear
• Commonly stated that investigators should filter files by “file extension”
• Actually they should filter by file header
• Tools available to view files outside of native application
– Quick View Plus and Conversions Plus
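An added Python example (not part of the presentation) of the file-header filtering this slide recommends: a small magic-number table is matched against each file's leading bytes and compared with the type its extension claims, so a file whose extension was changed stands out as a mismatch and a file the table does not know is flagged for a viewer rather than judged. The signature table uses public file-format magic numbers; the sample files are constructed.

```python
# Leading-byte signatures from public file-format specs (assumed; not from the slide).
SIGNATURES = {
    "jpg": [b"\xFF\xD8\xFF"],
    "png": [b"\x89PNG\r\n\x1a\n"],
    "gif": [b"GIF87a", b"GIF89a"],
    "pdf": [b"%PDF-"],
    "doc": [b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"],  # OLE2 container: Word/Excel/PowerPoint 97-2003
    "zip": [b"PK\x03\x04"],                         # also Office 2007+ .docx/.xlsx/.pptx
    "bmp": [b"BM"],
}
# Extensions that legitimately share a signature with another type.
ALIASES = {"jpeg": "jpg", "xls": "doc", "ppt": "doc",
           "docx": "zip", "xlsx": "zip", "pptx": "zip"}


def identify(header: bytes):
    """Type implied by the first bytes of the file, or None if not in the table."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return None


def check_extension(filename: str, header: bytes) -> dict:
    """Compare what the extension claims with what the header says."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    claimed = ALIASES.get(ext, ext)
    actual = identify(header)
    if actual is None:
        status = "unknown"      # not in the table: open it in a viewer, no verdict yet
    elif claimed == actual:
        status = "match"
    else:
        status = "mismatch"     # extension and header disagree: review by hand
    return {"file": filename, "ext": ext, "header_type": actual, "status": status}


# Constructed sample files: name -> first bytes. "notes.txt" is a JPEG renamed to .txt.
SAMPLE_FILES = {
    "budget.xls": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + bytes(24),
    "vacation.jpg": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "notes.txt": b"\xFF\xD8\xFF\xE0\x00\x10JFIF\x00",
    "readme.txt": b"Plain text, nothing to see.",
    "report.pdf": b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n",
    "archive.docx": b"PK\x03\x04\x14\x00\x06\x00",
}


def triage(files: dict = SAMPLE_FILES) -> list:
    """Run the header check over every file, using only its first 16 bytes."""
    return [check_extension(name, head[:16]) for name, head in files.items()]


def mismatches(files: dict = SAMPLE_FILES) -> list:
    """Files to review first: the header says one type, the extension claims another."""
    return [r["file"] for r in triage(files) if r["status"] == "mismatch"]


if __name__ == "__main__":
    for row in triage():
        print(row)
```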
Where email may reside
• Sender’s computer
• Sender’s company email server
• Sender’s ISP
• Recipient’s ISP
• Recipient’s company email server
• Recipient’s computer
• Backup tapes
Problems with email
• No review by a second person
• Too conversational
• Too easy to create
• Possibly travels in public domain, Internet, hence limited or no expectation of privacy
• Emails reside in too many places
Web Browsers
• Cookies
– Little bits of info a program stores on your
computer
• Cache Files
– Temporary storage of web pages by the
browser on the hard drive
• History
– Index.dat
Recycle Bin
• When in Windows, a “deleted” file is sent
here instead of being deleted.
• Entry added to the info2 file
Encryption & Steganography
• Encryption
– Need keys &/or passwords to decrypt
– Zip Files, PGP
• Steganography
– Hiding in plain sight
– Need the correct tool & maybe a password to retrieve
– S-Tools
Password Breaking
• Passwords
– MS-Office Files
– Compressed Files (*.zip)
– Applications like Quickbooks
– Web mail logins
– Other logins via web interfaces
• Utilities
– PTK, Password Tool Kit
– Lost Password
Difference in Forensic Tools
• No one tool does everything
• Know the tools' strengths & weaknesses
• Example
– FTK preprocesses and builds an index; EnCase post processes – no index
– ProDiscover has remote acquisition, others do not (not counting EnCase Enterprise)
Tool Validation
• Use one tool to validate another
• If you can get the same results with 2 or
more different tools, then the tool can be
validated
How to Find this Stuff
• Keyword searches
• File carving utilities
• File viewers for ‘picture’ files
• Time Line Analysis
• File hashing & hash set comparison
• File signature analysis
• Running of scripts
Presentation
• Informal to client
– Phone call
– Email
– Meeting
• Report
• Courtroom
– Powerpoint
– Live demonstrations
Reports
• EnCase
– Can be created with Bookmarks and
outputted in RTF or HTML formats
• FTK
– Report Wizard, HTML Report
• ProDiscover
– Automatically generated
• Winhex/X-Ways Forensic
– Automated log and report generation
Courtroom Presentation
• Documented
• Chain of Custody
• Repeatable
• Verifiable

• Resist the temptation to tell more than you know.
• Where do I start?
???QUESTIONS???
Law stuff & Computer Forensics
Computer Forensics vs Electronic Discovery
Computer Forensics:
• Investigate & detailed analysis
• Typically targets selected hard drives or PCs
• Searching for “deleted” information
• Determine who, what, & when
• Re-creation of time critical events
• Reporting & expert testimony
• Breaking of passwords/encryption
• May include backup tapes
• Includes Meta-data
Electronic Discovery:
• Gathering, searching, filtering, and producing large amounts of information for review
• Data is accessed, but not analyzed
• Active and archived data
• Normally does not include deleted, discarded, or hidden data
• Backup tapes, email servers, network servers
• May or may not include Meta-data
Cases that use Computer Forensics

• Sexual Harassment
• Wrongful Terminations
• Divorce
• Child Custody
• Corporate Fraud
• Employee Terminations
• Pornography
A Few Cases
• Electronic production may be required
– Anti-Monopoly, Inc. vs Hasbro, Inc., 1995 WL 649934 (S.D.N.Y. Nov. 3, 1995)
• Backup tapes must be produced if relevant
– In re CI Host, Inc. 92 S.W. 3d 514 (Tex. 2002)
• Copies of files are not enough – bit-by-bit forensic images are the standard
– Taylor vs State, 93 S.W. 3d 487 (Tex App. 2002)
• Before you BS the court, know the consequences
– Coleman (Parent) Holdings, Inc. v. Morgan Stanley & Co., No. CA 03-5045, 2005 WL 679071 (Fla. Cir. Ct., 15th Cir. Mar. 1, 2005), 2005 WL 674885 (Mar. 23, 2005).
A Few more Cases
• Don’t wait until the last minute to make an e-discovery request.
– Marcin Engineering, LLC v. Founders at Grizzly Ranch, LLC, 219 F.R.D. 516 (D. Colo. 2003).
• Sampling of backup tapes in discovery
– McPeek v. Ashcroft (“McPeek I”), 202 F.R.D. 31
(D.D.C. 2001).
• Don’t Spoil the potential evidence
– Rambus, Inc. v. Infineon Technologies AG, 220
F.R.D. 264 (E.D. Va. 2004).
Some of the Federal Rules of Civil
Procedure
• Rule 16(c) – Pretrial Conference Agenda
• Rule 26 – Initial Disclosures
• Rule 33 – Interrogatories & Written Depositions
• Rule 34 – Document Productions
• Rule 30(b)(6) Depositions
• Rule 34(a)(2) On-site inspections
• Rule 37(f) – Safe Harbor
Rule 16(c) - Pretrial Conference
• Allegations involve computer-based
records
• Authenticity or completeness of computer
records questioned
• Substantial amount of discovery/disclosure
will involve information in electronic format
• When expert witness will develop
testimony based in large part on computer
data and/or modeling
FRCP 26(a) Required Disclosures
(1) …a party must, without awaiting discovery request, provide to the other parties:
(B) A copy of, or a description by category and location of, …data compilations … that the disclosing party may use to support its claims or defenses … identifying the subjects of the information.
Rule 26(f) Meet and Confer
• Subject matter
• Relevant time period
• Identify from whom ED may be sought
• Identify people needed to access potentially responsive data
• Identify the universe of potentially responsive data, including
platforms, applications, etc.
• Document accessibility issues
• Determine if data is to be produced electronically or on paper
• Obtain data retention policies
• Preservation issues, including the suspension of normal data
retention policies
• Possible key terms to be used to search the data
• Consider the joint use of an independent computer forensics
specialist
Rule 34 - What can you get?
• Requesting party may be able to receive a copy not only
of business data but of the opposing party’s personal
hard drive. Superior Consultant Co. vs Bailey, 2000 WL 1279161 (E.D. Mich. Aug. 22, 2000)
• Opposing party must produce all data relevant to
material facts and preserve data compilations and
computer data. Kleiner vs Burns, 2000 WL 1909470 (D. Kan. Dec. 15, 2000)
• Requesting party should have access to active and
deleted data alike. Simon Property Group vs mySimon, Inc. 194 F.R.D. 639 (S.D.
Ind. 2000)
• Sampling of backup tapes to determine if the burden &
expense is justified to recover all the tapes.
– Hagemeyer North America, Inc. v. Gateway Data Sciences Corp., 222 F.R.D.
594 (E.D. Wis. 2004)
– Zubulake v. UBS Warburg, 217 F.R.D. 309 (S.D.N.Y. 2003)
Rule 37(f) – Safe Harbor
• No penalties for deleting ESI due to
routine operations of IT systems, and if
reasonable preservation steps taken
– Procedures must be established,
documented, and properly implemented
– System for implementing a litigation hold must
be in place
– Company must make a good faith effort to
preserve ESI
Be Careful with Discovery Requests
• Subpoena of records from an ISP resulted in sanctions and a lawsuit on privacy grounds from the owners of the records produced
– Failed to state or restrict a time frame
– ISP provided a separate database, and the requesting attorneys reviewed the records before the owner of the records could review them for privacy and privilege
– Resulted in a lawsuit against the attorneys, malpractice, State Bar notification, carrier notification
Theofel vs Farey Jones, 341 F.3d 978 (9th Cir. 2003)
• Don’t go on a fishing expedition
– Make sure you can show a cost benefit to the request
– Make sure you know what you are looking for (emails, documents, Internet history, etc.)
– Fennell v. First Step Designs, Ltd., 83 F.3d 526 (1st Cir. 1996).
Rule 30(b)(6) - Depositions
• Prepare by consulting with your computer
forensics specialist and the answers to your
preliminary interrogatories
• Obtain clear understanding of back up
procedures, computer system configuration and
data retention policies and procedures
• Begin EARLY in the process consulting with a
computer forensics specialist
• Depositions of the opposition can help frame
additional information requests based upon
results of depositions
More on Rule 30(b)(6)
• Number, types, and locations of computers currently in use/no
longer in use.
• Past and present operating systems and application software
• File naming and saving conventions
• Disk/Tape labeling schemes
• Backup and archival inventories and schedules
• Location of records that are most likely to be relevant to the subject
matter of the action
• Electronic records management policy and procedures
• Corporate policies on appropriate or allowable use of company
computer resources
• Name and computer user-ids of all relevant people

Source: adapted from Computer-Based Discovery in Federal Civil Litigation by Kenneth J Withers. 2000
Sedona Conference
• a non-profit, non-partisan law and policy think-
tank - http://www.thesedonaconference.org
• WG1: Electronic Document Retention and
Production, purpose is to develop principles and
best practice guidelines concerning electronic
evidence retention and production.
• 14 proposed guidelines that were developed as
a joint collaboration between attorneys in the
public and private sector, judges, and other
experts.
Criminal - FRYE
• This later evolved into the Frye Standard, Frye v. United States 293 F. 1013 (DC Cir. 1923). The Frye standard basically looks for ‘general acceptance’ in the related field. The court’s gatekeeper role was to be conservative in nature. This gate keeping function was to keep unproven ‘science’ out of the courtroom. This worked well until a case came before the court that involved a scientific issue that was new, so there had not been enough time to gain ‘general acceptance’. This was becoming an issue in the courts, and then finally there was Daubert.
Criminal – FRE702
• Rule 702. Testimony by Experts
• If scientific, technical, or other specialized knowledge will
assist the trier of fact to understand the evidence or to
determine a fact in issue, a witness qualified as an
expert by knowledge, skill, experience, training, or
education, may testify thereto in the form of an opinion or
otherwise, if (1) the testimony is based upon sufficient
facts or data, (2) the testimony is the product of reliable
principles and methods, and (3) the witness has applied
the principles and methods reliably to the facts of the
case.

• http://www.law.cornell.edu/rules/fre/rules.htm
Criminal – Daubert/Kumho
• In Daubert the Court charged trial judges with
the responsibility of acting as gatekeepers to
exclude unreliable expert testimony
• Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579
(1993)
• Court in Kumho clarified that this gatekeeper
function applies to all expert testimony, not just
testimony based in science.
• Kumho Tire Co. v. Carmichael, 119 S.Ct. 1167 (1999).
Searching – Legal Stuff
• Work with the attorney/investigator to
develop reasonable search terms &
criteria
E-Discovery Pitfalls
• Having no electronic discovery plan or pursuing discovery of
electronic evidence in a haphazard manner.
• Not understanding that delete does not mean delete.
• No backup policy or documented retention policy
• Failure to fully discontinue document destruction practices.
• Ignoring certain “hard to deal with” sources of evidence
• Underestimating email use
• Claiming to have produced everything or turning over electronic
evidence late in the game
• Failure to image hard drives of departing employees
• Inexperienced people conducting well-intentioned computer
forensics investigations
• Shouldering the electronic discovery burden alone

– Michele Lange & Linda Sharp, Daily Journal, June 16, 2003
Chain of Custody
• Guard yours/Question theirs
• Was the file altered during the imaging process?
• Was the file altered during the analysis?
• How sound was the capture process?
• Was the image forensically sound? Did it need to be?
• How secure is the data during analysis? While it was
stored?
• From what media is the analysis being done? From the
original? From an image?
• Who handled and processed the data? Can you prove
the data is still sound?
The Chain
• There needs to be a process in place to preserve the Chain of Custody.
– Have the client document everything done to or on the computer from the time of the incident to the time a computer forensic specialist receives or images the computer media.
– NEVER work on original media
– Never trust the suspect’s operating system
– Maintain Chain of Custody
– Document Everything
Preserve the potential evidence
• QZO, Inc. vs Moyer, 594 S.E. 2d 541 (S.C. Ct App. 2004)
– The specialist discovered the hard drive had been reformatted a day before the defendant delivered the computer to the corporation, which erased any evidence that may have been on the computer. The trial court granted the corporation’s motion for sanctions and entered a default judgment in favor of the corporation.
• Renda Marine, Inc. v. United States, 58 Fed. Cl. 57 (Fed. Cl. 2003).
– The US Army Corps of Engineers did not change its policy or procedures to preserve emails after it had been put on notice that litigation might be pending. Thus the court ordered that they produce the backup tapes at their own expense and provide access to relevant hard drives.
What can come down from the
Bench?
• Decisions on preservation & spoliation
• Defining scope of discovery
• Issues on on-site inspection, imaging, and
backup tapes
• Cost allocations
• Sanctions or unfavorable instructions
Sarbanes-Oxley
• Companies are required to have a game plan for preserving any potential evidence
• The most severe penalties are for those who destroy records (including electronic), with fines up to 5 million and up to 20 years in jail
• Section 802 – Evidence preservation duties (includes deleted documents)
• Section 301 – Must receive and investigate complaints and allegations of fraud
• Sections 302, 404, & 806 – Effective Internal Investigations
• Sections 301, 302, & 404 – Evidence of due diligence
• Sections 302, 404, 409 – Rapid Response, Expedient, efficient, & thorough
http://www.encase.com/corporate/whitepapers/downloads/Sarbanes-Oxley.pdf, by John Patzakis and Victor Limongelli
http://www.encase.com/corporate/whitepapers/downloads/SarboxOnlineSeminarTranscript.pdf, by Victor Limongelli and Manuel Abascal

Sarbanes-Oxley Act of 2002
• Requires companies to implement policies
that prevent & respond to fraudulent
events
• This means companies must be able to
quickly investigate and contain financial
fraud at the company
SOX – Section 404
• Implement effective internal controls
• The SEC requires that internal controls include policies & procedures that:
– Provide reasonable assurance regarding prevention or timely detection of unauthorized acquisitions, use or disposition of the [company’s] assets that could have a material effect on the financial statements.
(* 68 FR 36636, 36638, June 18, 2003)
SOX – Section 302
• ID’s internal fraud as an event that
management is required to disclose
• The internal control structure must have
controls that are designed to prevent,
identify, and detect fraud at the company.
SOX – Section 806
• Whistleblower Protection
– Whistleblowers must be protected
– Event reported must be investigated
– If a whistleblower believes they are being
harassed, how do you investigate this?
SOX – Section 409
• Basically this section says you have to
investigate and report any relevant issues
in a timely manner.
• Delays in the investigation & disclosure to
the public could be very costly.
HIPAA
• Companies must have an incident response plan to investigate any attempted or successful access, use, disclosure, modification, destruction, or other inappropriate use of information.
• NIST & ISACA specify computer forensics as part of any reasonable incident response team.
Gramm-Leach-Bliley Act
• Establish an operational response capability
• Perform ‘prompt’ and ‘reasonable’ investigations when the institution is aware of an incident
• Notification of customers if the investigation determines that misuse of its information about a customer has occurred or is reasonably possible

* New Incident Response Mandates under Gramm-Leach-Bliley, Guidance Software, March 2005
GLB – Agencies’ Thoughts
• Agencies = OCC, Federal Reserve Board, FDIC, & OTS
• Specifically note the importance of computer forensics capability to comply with these rules
– Citing principle 14 of the Basel Committee’s “Risk Management for Electronic Banking” and ISO 17799

* New Incident Response Mandates under Gramm-Leach-Bliley, Guidance Software, March 2005
Websites worth a Look
• http://www.law.cornell.edu/rules/frcp/overview.htm
• http://www.kenwithers.com/ *a good one that I like*
• http://www.e-evidence.info/
• http://www.nsrl.nist.gov/index.html
• http://www.ojp.usdoj.gov/nij/sciencetech/ifs.htm
• http://www.ojp.usdoj.gov/
• http://staff.washington.edu/dittrich/forensics.html
• http://www.usdoj.gov/criminal/cybercrime/searching.html
• http://www.fbi.gov/hq/lab/fsc/backissu/april2000/swgde.htm
• http://www.atlccs.com/index.html
Two Worlds Collide (Lawyers & Geeks)
Is it computer forensics or ….. is it e-Discovery?
What are they?
• Until a few years ago they were viewed as different professions that rarely crossed over into each other's turf.
• E-Discovery was about documents. The paper copy was tiff’ed and loaded into a review tool. Electronic documents were printed out & tiff’ed.
• Computer forensics was for LE, CSI shows, and geeks.
Why the change?
• CSI, CSI Miami, CSI Las Vegas, Law &
Order, etc.
• 12/01/06 – New FRCP
• Someone told the attorney that when all
else fails, demand the documents Meta-
data.
• Cyber-Attorneys make more, so everyone
wants in.
Problems – Opportunity - Both
• Attorneys want native file format, they may
not know what it is BUT they went to a
CLE presentation and were told they
needed it.
• Many e-discovery vendors & Litigation
support companies are scrambling.
• Guidance Software (EnCase) went public.
Problems
• Most forensic tools were designed to handle 1 or
just a few hard drives (or images) at a time, with
1TB or 2 TB in total storage space.
• Tools have problems with
– # of images in a case
– GB’s in a case
– Hash sets
– Not enough RAM, thus it crashes
– Exporting emails, but not the attachments
– Exporting invalid MSG files
Future
• FTK 2.0
• EnCase v6.x & EnCase Enterprise
• ProDiscover – Enterprise Solution
• SMART
• X-Ways
• LiveWire/Gargoyle
• Dan Mares
Summary….
What can you do to be ready?
• Have a well documented Litigation Hold
Policy and Procedures
• Ensure that these have Executive
Management and Board of Directors
support
• Make sure that the procedures have been
implemented and are effective
• Do NOT allow exceptions to the
procedures!!
Who to Call…
• The Internal legal department needs to
know who to call as soon as they get a
legal hold request or know they might
(within an hour or so).
• Legal may need to call HR, IT, internal
and/or external forensic specialist, …
What to ask about/do
• Have relevant backup tapes taken out of
rotation and preserved.
• Image the identified employee’s
computers (at night if needed)
• Image the PDA’s and Blackberry devices if
needed
• Image relevant or requested servers
Examples
• Anytime an employee at or above a pre-
determined level leaves the company,
Image (or preserve) their computer’s hard
drive.
• Anytime an employee leaves in a Hostile
or under questionable circumstances –
Image their computer’s hard drive.
???QUESTIONS???
