
Computer Forensics Gear

Internal Auditor,  August, 2001  by Mark Bigler

A wide range of tools are available to internal auditors charged with investigating illicit computer-related activity.

John wanted to get even with management for not approving his bonus. He typed an anonymous, threatening letter to the company president on his computer, printed a hardcopy, and then placed it in the mail. To cover his tracks, John exited the word processing program without saving the document on his hard drive. No incriminating evidence, he thought. Wrong! Several copies of the letter were saved automatically by the computer's word processing package and operating system. When John was later identified as a suspect for this incident, company auditors seized his computer, performed forensics procedures, and found the information they were looking for. The "smoking gun" existed in the form of digital evidence on his computer.


This scenario is just one example of a situation where internal auditors may be called upon to perform electronic forensics procedures. Computers are often used in committing crimes or acts contrary to company policy, and finding the smoking gun may require the auditor to delve deeply into the company's systems.

Depending on the nature of the act, evidence can be found in many different locations. For instance, auditors investigating an abusive e-mail may find evidence in an e-mail virus scanner server, a mail server, the miscreant's PC, or the victim's workstation. Mainframe and database systems contain transaction logs that may also provide evidence. Without the proper equipment, however, the evidence-gathering process can be daunting.

To facilitate the preservation, collection, analysis, and documentation of evidence, internal auditors can use a number of different technology tools. The following hardware and software devices comprise some of the options available to auditors charged with performing computer forensic investigations.*

PRESERVING THE EVIDENCE

Material gathered from an investigation may be used in a criminal or civil court action; or, it might be examined by an independent expert to provide further details for the company's files. Regardless of what follows the auditor's computer forensics work, one of the most critical elements of the investigative process is the preservation of the evidence.

Computer evidence is very fragile and susceptible to damage from many sources. The best way to preserve data files is to make two "bit-stream" backup copies of the target computer's hard drive and any other seized storage media. Programs such as New Technologies Inc.'s (NTI) SafeBack and Guidance Software's EnCase can be used for this purpose. Both products are well-known in the court system and among computer forensics experts.

A backup storage device such as a DAT, CD-R, DVD-R, or Iomega Jaz drive should be used to record the bit-streamed data. After making the two copies, auditors should place one of them in an evidence locker and use the other for their analyses. The copy used for forensic procedures can be restored to a "clean" computer with a sufficiently large hard drive for examination.
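The two-copy acquisition described above, as an added example that is not from the article or any of the products it names: each bit-stream copy is hashed and checked against the source so that a copy which is not byte-for-byte identical is caught before it reaches the evidence locker or the analyst. A constructed 1 MiB file stands in for the seized drive; the file names and the SHA-256 choice are assumptions of this example.

```python
"""Added example, not from the article: make the two bit-stream copies the
text recommends and verify each against the source by SHA-256.
A real acquisition reads the raw device behind a write-blocker; a constructed
1 MiB file stands in for the seized drive so this runs offline."""
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # stream in 64 KiB chunks so a large drive never sits in RAM

def stream_hash(path, dest=None):
    """SHA-256 of every byte of path; if dest is given the same bytes are
    written to dest, so the copy and the source hash come from one read."""
    h = hashlib.sha256()
    with open(path, "rb") as src, open(dest or os.devnull, "wb") as dst:
        for chunk in iter(lambda: src.read(CHUNK), b""):
            h.update(chunk)
            if dest:
                dst.write(chunk)
    return h.hexdigest()

def acquire(source, evidence_copy, working_copy):
    """One copy is sealed in the evidence locker, the other is analysed.
    Each copy is re-read and hashed independently; a mismatch means that
    copy is not a faithful bit-stream and must not be relied on."""
    src_hash = stream_hash(source, evidence_copy)
    stream_hash(source, working_copy)
    rec = {"source_sha256": src_hash,
           "evidence_sha256": stream_hash(evidence_copy),
           "working_sha256": stream_hash(working_copy)}
    rec["verified"] = rec["evidence_sha256"] == src_hash == rec["working_sha256"]
    return rec

def demo(tamper=False):
    """Acquire a constructed drive; with tamper=True flip one byte of the
    working copy afterwards and re-verify, showing the check fail."""
    with tempfile.TemporaryDirectory() as d:
        src, ev, wk = (os.path.join(d, n) for n in ("seized.raw", "evidence.dd", "working.dd"))
        with open(src, "wb") as f:
            f.write(os.urandom(1024 * 1024))  # constructed stand-in for the seized drive
        rec = acquire(src, ev, wk)
        if tamper:
            with open(wk, "r+b") as f:
                f.seek(4096)
                byte = f.read(1)[0]
                f.seek(4096)
                f.write(bytes([byte ^ 0xFF]))
            rec["verified"] = stream_hash(wk) == rec["source_sha256"]
        return rec
```

The recorded hashes belong in the case file alongside the sealed copy, so that anyone later examining the working copy can show it still matches what was seized.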

If budget permits, a mobile backup system can be obtained complete with all the necessary hardware and software. Systems such as Computer Forensics Ltd.'s DIBS and Digital Intelligence Products Inc.'s FRED include a mobile backup unit and all necessary software to make bit-stream copies. Computer Forensics also offers a DIBS desktop computer solution, complete with forensic recognition, collection, analysis, and documentation software modules.

FILE RECOVERY

Recognizing what constitutes evidence and knowing where to find it is partly art and partly science. However, a sound approach and the proper tools will eliminate much of the guesswork.

To begin, a listing of all programs and files from the bit-stream evidence copy should be made. EnCase, NTI's FileList, or Maresware's DISKCAT can be used to help document file listings. The auditor should review the list to determine the presence of programs that are used to hide, delete, protect, or encrypt data. Encryption tools include, for example, "pretty good privacy" (PGP) freeware encryption packages and commercial utility packages, such as McAfee's PGP Personal Security or NovaStor Corporation's DataSAFE. Additionally, there are freeware (Hide and Seek, S-Tools, STEGO, White Noise Storm) and commercial steganography packages, such as CenturionSoft's Steganos, that can hide files inside digital images or music files. These programs show "intent" to conceal evidence and may help the auditor determine which additional forensics tools will be necessary. Evidence in deleted files, slack space, unallocated space, swap files, and password-protected or encrypted files should then be collected for review.

DELETED FILES. Even when a user deletes files from his or her computer, that information may still be accessible on the system's hard drive. Deleted files can be recovered with software tools such as Norton Utilities, DIBS, or PowerQuest Corp.'s Lost & Found. After the files are located, they should be listed and reviewed for relevance to the investigation. EnCase, DIBS, and NTI's FileList are well-suited for this purpose. File characteristics should be noted, such as when the file was created, deleted, and last viewed. This type of evidence can be extremely important for determining time lines and showing relationships between computer files and storage media.
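Recovering deleted files from unallocated space, as an added example that is not from the article or from the recovery tools it names: deleting a file normally releases only its directory entry, so the content remains on the medium until overwritten and can be carved out of a bit-stream image by its header and footer signatures. The image, the two "deleted" files in it, and the 8-sector cap for a file whose footer has been destroyed are constructed for this example.

```python
"""Added example, not from the article: carve deleted files out of the
unallocated space of a raw bit-stream image by header/footer signature.
Deleting a file normally only releases its directory entry; the data
stays on disk until overwritten, which is what recovery tools rely on.
A constructed 64 KiB image stands in for the working evidence copy."""
SECTOR = 512
# (type, header, footer) - well-known file signatures; more can be appended
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff\xe0", b"\xff\xd9"),
    ("pdf", b"%PDF-", b"%%EOF"),
]

def make_constructed_image():
    """Filler that can never contain a signature, plus two 'deleted' files:
    an intact JPEG at sector 10 and a PDF at sector 40 whose last sector
    (and so its %%EOF footer) has since been overwritten."""
    img = bytearray(bytes(range(256)) * 256)  # 64 KiB of constructed filler
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF" + b"\x7f" * 700 + b"\xff\xd9"
    pdf = b"%PDF-1.4\n" + b"1 0 obj <<>> endobj\n" * 60 + b"%%EOF"  # spans 3 sectors
    img[10 * SECTOR:10 * SECTOR + len(jpeg)] = jpeg
    img[40 * SECTOR:40 * SECTOR + len(pdf)] = pdf
    tail = 40 * SECTOR + len(pdf) - SECTOR
    img[tail:tail + SECTOR] = b"\x00" * SECTOR  # the PDF's final sector was reused
    return bytes(img)

def carve(image, signatures=SIGNATURES, max_len=8 * SECTOR):
    """For every header found, take bytes up to and including the first footer
    after it; if no footer follows within max_len, keep max_len bytes and mark
    the file incomplete (partly overwritten). Returns hits sorted by offset."""
    found = []
    for kind, head, tail in signatures:
        pos = image.find(head)
        while pos != -1:
            end = image.find(tail, pos + len(head))
            if end == -1 or end - pos > max_len:
                data, complete = image[pos:pos + max_len], False
            else:
                data, complete = image[pos:end + len(tail)], True
            found.append({"type": kind, "offset": pos, "size": len(data), "complete": complete})
            pos = image.find(head, pos + len(data))
    return sorted(found, key=lambda f: f["offset"])
```

An incomplete hit is still evidence of what was once on the medium, and its offset ties it to the sector where the rest of the file would have been.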