The new crime scene
Digital forensics proves ‘delete’ is not permanent
- May 30, 2014
When police investigators enter a crime scene, they carefully comb the area for clues while taking pains to ensure they don’t disturb anything. Digital forensics analysts use these same guidelines, but their investigations involve hard drives.
“Digital forensics involves going in and, just like a real crime scene, not changing anything about the system, just pulling information from it,” says Bryant Harrison, founder of the Charlottesville-based IT services group QuickFix.
While this type of investigation often is most useful in criminal cases or in divorces, many business civil cases today require digital forensics.
Harrison says that, although QuickFix only recently started offering digital forensics services, already about one-third of requests for these services involve business-related civil lawsuits. He expects that number to grow significantly as his company expands.
Digital forensics can help settle contract disputes, prove whether a former employee stole trade secrets, trace data breaches and much more.
“This is more than just an angle on the case; this is real evidence. Physical evidence,” Harrison says.
Wide range of clients
Michael Maschke is the CEO of Sensei Enterprises Inc., a computer forensics, information technology and information security firm in Fairfax that provides services to individuals, corporations and various arms of the government. He says businesses usually come to Sensei looking for help with data-theft lawsuits, and he sees cases that span all sectors.
“The businesses that we’ve worked with range from mom-and-pop small businesses to Fortune 500 companies,” Maschke says. “Pretty much any lawsuit nowadays is going to assume some kind of network interaction. That wasn’t the case 10, 15 years ago.”
Digital forensics can be performed on computers, tablets, mobile phones, USB drives, printers — even handheld video game consoles. The question is not how much information digital forensics can uncover, but whether any limitations exist at all. The answer is “not many.” Deleted search histories and erased files still leave their mark.
“Picture a hard drive as a huge warehouse full of boxes. Each is labeled with a sticker that says ‘Important’ or ‘Not Important.’ When you hit ‘delete,’ a robot comes along, takes off the ‘Important’ sticker and slaps on a ‘Not Important.’ The box doesn’t go away,” Harrison explains.
Following his metaphor, boxes marked “Not Important” eventually are smashed down to make room for new “Important” boxes. But anyone looking at that row of boxes would still be able to notice the flattened boxes. Digital forensics tools can access every piece of information on the drive, including small traces of former files — just as a visitor to the warehouse would be able to examine the layers of boxes.
“We generate vast amounts of data on a daily basis,” says Jesse Lindmar, forensic scientist section supervisor for the Virginia Department of Forensic Science’s Digital and Multimedia Evidence Section. “You leave a pretty significant data footprint, and eventually someone might want that data for some reason.”
Harrison was recently qualified as an expert witness by the Charlottesville Circuit Court. Though he will have to prove his qualification every time he is asked to testify, this designation is significant because it takes years of work and training to gain the digital forensics skills and knowledge a court would deem expert.
“The most complicated structure ever made by man is the Windows operating system,” Harrison says.
The complexity of the field is what makes comparisons to the popular show “CSI” all the more inaccurate, says Lindmar.
“[On ‘CSI’] there will be one individual trained in so many different things. It’s so much effort to be proficient in one discipline, let alone all these different disciplines,” Lindmar says.
Maschke prefers to hire employees who each have at least one digital forensics certification, and he encourages them to continue their education. Those in the field can pursue related college degrees, practical exams and tool-specific certifications.
However, the ability to give expert testimony in a case requires more than just the right knowledge.
“It’s not necessarily how much you know, because there are plenty of very smart people in this field. It’s also being able to articulate what you know in very simple terms,” Lindmar says.
Experts on the stand have to describe their findings in a way juries can grasp.
“It’s not just about getting the answers, because if you get the answers and nobody understands them, they’re worthless,” Harrison says. “The people who are good at getting data are often not good at talking about it. I can describe things in a way people find interesting. That’s very important when you sit in front of a jury.”
Harrison says he gets satisfaction from serving justice — even if the answers his team discovers do not help clients win the case.
“We’re not going to help cook the data,” he says. “We can say, ‘Here’s the truth about what’s on the computer.’ Good or bad, at least the truth is out.”