Welcome to Kroll Ontrack's Cyber Crime & Computer Forensics News

Welcome to the first edition of Cyber Crime & Computer Forensics News, Kroll Ontrack's monthly newsletter providing information to people who have an interest in learning more about cyber crime and computer forensics technology. Today's newsletter will give you a hint of things to come in future newsletters as we strive to bring you the very latest news and information on this exciting topic.

Enjoy this first issue of Cyber Crime & Computer Forensics News, and please feel free to pass it along to a friend.

The Kroll Ontrack Electronic Evidence Team
From the Kroll Ontrack Forensic Files: Computer Forensics is Sometimes a Matter of Time

Sometimes, the data present in a computer may not be the only evidence available in an incident. Stepping outside the computer box and thinking about evidence in a broader context is often the key to soundly proving the facts of an incident. A project recently conducted by a team of Kroll investigators and Kroll Ontrack technology specialists proves this point.

The case involved the sabotage of a large system, with commands entered into the system to make it crash and deny service to thousands of users. The corporation's investigators had focused their attention on one suspect who had the technical skills and the opportunity to carry out the act. But they had a problem: a videotape from the lobby surveillance cameras contained an on-screen clock that clearly showed their suspect was outside the building smoking a cigarette at the time of the incident. They called for our assistance.

The Kroll team was staffed by investigators from the Kroll Consulting Group and by electronic evidence technology specialists. The Kroll team recognized a number of sources for potential evidence, including: network transaction logs, the suspect's local PC hard drive, lobby videotapes, the building access control system, and the phone system. Working with the corporate security team, we collected the logs and imaged the appropriate machines. We recognized that putting the pieces together would require building a timeline consisting of the various pieces of evidence.
All the systems we looked at - PCs, network logs, videos, phones and access control - recorded the time the events took place, but our experience told us not to trust the clocks. Clocks are often set inaccurately, and over time they drift further from the actual time. We got a very accurate reading of the time, then checked every source of evidence and noted the time discrepancies. For example, the videotape recorder's clock was almost five minutes slow, so if you were on camera at an indicated time of 2:43 p.m., the actual time was 2:48 p.m. There are several sources for obtaining the exact time: www.time.gov, the U.S. Government Web site that provides the official time as computed by the atomic clocks of the U.S. Naval Observatory and the National Institute of Standards and Technology, or a simple Global Positioning System device, which depends on the very accurate atomic clocks aboard the satellites.

With the time-offset measurements for each device, we constructed a corrected timeline. With this, we showed that the suspect had left the outside smoking area several minutes before the incident, used the card key system to enter the work area, and that at the time of the incident, someone was on the phone in the office talking to the suspect's mother. We also included witness statements in the timeline. A supervisor had told our investigators that she had seen the suspect at his desk around the time of the incident.

This illustrates the importance of both integrating the work of all parts of the investigative team and understanding that digital evidence can be found in many forms from many sources. The difference between the time claimed on a log and the accurate time figure may be the key to proving your case.
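As an added illustration of the clock-offset method described above (example code written for this page, not the newsletter's or Kroll Ontrack's own tooling): each device clock is compared once against an accurate reference, the resulting offset is applied to that device's log entries, and the entries are then sorted by corrected time. Every date, offset and event below is constructed; the `drift_per_day` term goes slightly beyond the text by also correcting clocks that drift between the moment they were checked and the moment of the event.

```python
"""Correcting device timestamps to a common reference clock for a forensic timeline.
Constructed example: every offset, reading and event below is made up for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class ClockModel:
    """Relationship between one device's clock and the reference (true) time.

    offset        -- reference_time minus device_time at the moment of measurement;
                     a slow clock therefore has a positive offset
    measured_at   -- reference time at which the side-by-side comparison was made
    drift_per_day -- how much the device clock gains (+) or loses (-) per day,
                     for clocks checked more than once; zero when unknown
    """
    offset: timedelta
    measured_at: datetime
    drift_per_day: timedelta = timedelta(0)

    def to_reference(self, indicated: datetime) -> datetime:
        # Apply the offset measured at comparison time, then remove the drift
        # accumulated between the comparison and this reading.
        approx = indicated + self.offset
        elapsed_days = (approx - self.measured_at).total_seconds() / 86400.0
        return approx - self.drift_per_day * elapsed_days


def measure_offset(reference_reading: datetime, device_reading: datetime,
                   drift_per_day: timedelta = timedelta(0)) -> ClockModel:
    """Build a ClockModel from one reading of the reference clock next to the device clock."""
    return ClockModel(offset=reference_reading - device_reading,
                      measured_at=reference_reading, drift_per_day=drift_per_day)


@dataclass(frozen=True)
class Event:
    source: str          # which device or person recorded it
    indicated: datetime  # time as written in that source's own log
    description: str


def build_timeline(events, clocks):
    """Return (reference_time, event) pairs sorted by corrected time.
    Refuses sources whose clock has not been measured rather than silently trusting them."""
    rows = []
    for ev in events:
        if ev.source not in clocks:
            raise KeyError(f"no clock measurement for source {ev.source!r}")
        rows.append((clocks[ev.source].to_reference(ev.indicated), ev))
    rows.sort(key=lambda row: row[0])
    return rows


# Reference reading taken at 16:00:00 on a hypothetical date from an accurate
# source such as www.time.gov, compared with what each device showed at that instant.
REF = datetime(2002, 10, 15, 16, 0, 0)
CLOCKS = {
    "lobby_vcr":      measure_offset(REF, datetime(2002, 10, 15, 15, 55, 0)),   # five minutes slow
    "access_control": measure_offset(REF, datetime(2002, 10, 15, 16, 1, 30)),   # 90 seconds fast
    "server_log":     measure_offset(REF, datetime(2002, 10, 15, 15, 59, 48)),  # 12 seconds slow
    "pbx":            measure_offset(REF, REF),                                 # in sync
    "witness":        measure_offset(REF, REF),  # statements carry no clock; treat as approximate
}

# Constructed log entries, each in its own device's uncorrected time.
EVENTS = [
    Event("lobby_vcr",      datetime(2002, 10, 15, 14, 43, 0),  "suspect leaves outside smoking area"),
    Event("access_control", datetime(2002, 10, 15, 14, 52, 30), "suspect's card key opens work-area door"),
    Event("pbx",            datetime(2002, 10, 15, 14, 54, 10), "office extension places outside call"),
    Event("witness",        datetime(2002, 10, 15, 14, 55, 0),  "supervisor recalls suspect at desk"),
    Event("server_log",     datetime(2002, 10, 15, 14, 55, 0),  "commands entered that crash the system"),
]


def corrected_timeline():
    return build_timeline(EVENTS, CLOCKS)


if __name__ == "__main__":
    for when, ev in corrected_timeline():
        print(f"{when:%H:%M:%S}  (logged {ev.indicated:%H:%M:%S} on {ev.source})  {ev.description}")
```

Note the sign convention: the offset is reference minus device, so the five-minute-slow recorder gets a positive offset and its 2:43 reading becomes 2:48, as in the text. A source without a measured clock is rejected outright, which is the safer default when a new log type turns up mid-investigation.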
Notes from the Forensic Lab: You Don't Get a Second Chance to Make a First Copy

The first step in any forensic process is to make a copy of the original media you are analyzing. But in our experience, not everyone recognizes this important tenet. Often, companies ask their technology people to "take a quick look" to see if they can find something on a hard drive. Even the most well-meaning and experienced technician -- who may or may not be familiar with forensic protocols -- can make mistakes that cause trouble later. Even where great care is taken, "last accessed" or "last modified" dates can be changed by informal examinations. Such actions can elicit questions of whether the evidence was somehow tainted or tampered with by the technical people.

We have seen far more serious problems, including a case in which a technician loaded new software onto a computer he was examining. The new software overwrote other files on the hard drive that could have contained significant evidence. This kind of action does not lead to a favorable court experience or a desirable litigation outcome. To overcome this problem, corporate technology people should work with corporate counsel to prepare a set of guidelines by which the technical team can safeguard computers, drives or files when they are needed as potential evidence in a civil or criminal matter.

Kroll Ontrack computer forensic experts and legal consultants are always available to consult on incidents and to help chart the course of action that will best meet the company's objectives. This is a case where acting before you think carefully about the possible forensic effects of what you are doing can result in irreparable damage.
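The "copy first" rule above, as an added example (written for this page, not Kroll Ontrack's procedure): the original is hashed, copied, and hashed again, the working copy is verified against it, and any later examination is checked against the acquisition record. The sample image is constructed in a temporary directory, and the hypothetical `demo()` function simulates the mistake described in the text by writing into the working copy. A content hash catches overwritten or added data; it does not record "last accessed" timestamps, which is exactly why the examination happens on the copy and the original is left untouched.

```python
"""Make a verified working copy before anyone examines the evidence.
Constructed example: the image contents and the 'quick look' below are made up."""
import hashlib
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so a large disk image need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:  # read-only; evidence is never opened for writing
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def make_verified_copy(original: str, copy_path: str) -> dict:
    """Copy the original, then prove the copy is bit-for-bit identical and the original untouched.
    Returns an acquisition record suitable for a chain-of-custody log."""
    before = sha256_file(original)
    shutil.copyfile(original, copy_path)
    after = sha256_file(original)
    copy_hash = sha256_file(copy_path)
    if before != after:
        raise RuntimeError("original changed during acquisition; the copy cannot be trusted")
    if copy_hash != before:
        raise RuntimeError("working copy does not match the original; acquire again")
    return {
        "original": original,
        "copy": copy_path,
        "sha256": before,
        "size": os.path.getsize(original),
        "acquired_at": datetime.now(timezone.utc).isoformat(),
    }


def verify_unchanged(path: str, record: dict) -> bool:
    """Re-check later that a file still matches its acquisition record."""
    return sha256_file(path) == record["sha256"]


def demo() -> dict:
    """Hypothetical run: acquire a constructed image, then let a 'quick look' write to the copy."""
    workdir = tempfile.mkdtemp()
    try:
        original = os.path.join(workdir, "evidence.img")
        copy_path = os.path.join(workdir, "evidence-working.img")
        with open(original, "wb") as f:
            f.write(b"constructed disk image contents\x00" * 1000)  # 32,000 bytes of made-up data
        record = make_verified_copy(original, copy_path)
        # The mistake from the text, confined to the working copy instead of the original.
        with open(copy_path, "ab") as f:
            f.write(b"new software installed here")
        return {
            "record": record,
            "original_ok": verify_unchanged(original, record),  # original still matches
            "copy_ok": verify_unchanged(copy_path, record),     # the write is detected
        }
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    result = demo()
    print("original intact:", result["original_ok"], "| working copy intact:", result["copy_ok"])
```

In practice the original would be a physical drive behind a write blocker rather than a file, but the record returned by `make_verified_copy` is the part that answers the "was it tampered with?" question in court: a hash taken before anyone examined anything, and the same hash again afterwards.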
The People Who Make It Happen: Meet Jason Paroff

Jason Paroff is Director of Computer Forensics for Kroll Ontrack, with overall responsibility for the forensic work carried out at all of our laboratory facilities. Jason joined Kroll Associates six years ago and was Managing Director of Computer Forensics at the time of the Kroll/Ontrack merger.

Prior to joining Kroll, Jason served as Senior Assistant District Attorney for Rockland County, New York, and supervised, among other responsibilities, the county's high-tech prosecutions. With a strong interest in electronic evidence, Jason moved from spending most of his time as a prosecutor in courtrooms to serving clients as part of Kroll's High Technology Investigations Group.

Jason has testified in a number of important cases as an expert witness on digital evidence. In one case, which became a front-page story in American Lawyer magazine, Jason's work proved to a U.S. District Court judge that not only was Kroll's client not liable for the damages claimed in a lawsuit, but that the plaintiff had deliberately faked the evidence. The judge ordered the record sent to the U.S. Attorney for possible prosecution.

One of Jason's key responsibilities is making sure that our forensic work is performed to the highest standards of quality and that tight chain-of-custody control is maintained from the time we acquire data until it is returned to the client or securely destroyed. "In forensics," Jason says, "quality is not an option, it is absolutely essential to our work. Reputation is not enough, you have to work on quality every day."

Jason is a popular instructor of computer-evidence-related subjects at continuing legal education presentations and at conventions. He serves as an officer in the Northeast Chapter of the High Technology Crime Investigations Association. He and his wife have three children, and he enjoys playing golf and softball (where he was one of the stars of the Kroll office team).
From the Courts: This Judge Understands What "Deleted" Really Means

While computer forensic people often correctly worry about explaining technical issues to judges and juries, sometimes you run into a judge who not only understands the issues, but can characterize them as well as or better than any expert could. Such was the case in an appellate decision handed down in Washington State in November 2002.

The issue revolved around whether a police officer violated the State's privacy law when he saved and printed electronic mail and instant messages between the defendant in the case and the police officer (acting as a fictitious child). The Washington Supreme Court found that the privacy law was not violated and upheld the conviction. In a concurring opinion, Supreme Court Justice Bridge provided her views on how computers store and delete messages. As Chair of the Judicial Information System Committee and a board member of the Shidler Center for Law, Commerce and Technology at the University of Washington School of Law, the Judge is no stranger to technology. Justice Bridge summed up her understanding of what really happens when a computer file is "deleted" when she wrote, "A deleted file is not a deleted file, it is merely organized differently." State v. Townsend, 2002 WL 31477600 (Wash. Nov. 7, 2002) (Bridge, J. concurring).
Kroll Ontrack News and Events

Kroll Ontrack experts will be speaking on electronic discovery and computer forensics at the following events:

Click on http://www.krollontrack.com/upcomingevents/ for more information.

Mike Cherkasky, President and CEO of Kroll, has written a book due out in April. Entitled Forewarned, it is a frank discussion of a step-by-step plan to protect the U.S. in these dangerous times. The book can be pre-ordered from Barnes and Noble (www.bn.com) and from Amazon (www.amazon.com).

Kroll Ontrack Requests Your Input

If you have a legal or technology issue that you would like to see addressed in this newsletter, or if you are aware of a case, statute, or local rule addressing e-evidence, please contact us at: electronicdiscovery@krollontrack.com. We look forward to hearing from you!

Our legal consultants, project managers, and technology experts strive to stay on top of e-discovery law. If you are aware of any additional local court rules or new cases in this area of the law, please do not hesitate to contact us by writing to abrill@krollontrack.com.

For more information about electronic discovery and computer forensics services, contact Kroll Ontrack at 1-800-347-6105 or www.krollontrack.com.