The Secret Lives of Computers:
The things you find in a digital forensic investigation
It is often asked, “Why would I ever conduct a forensic
investigation on a computer?!” Well, if you are concerned about what people are
doing on a computer (or cell phone), what is happening on it, what is leaving
it, or what is being done to it, then it benefits you to conduct an
investigation. A digital forensic investigation sounds like a big, complicated
procedure, but an initial examination can have a relatively quick turnaround
and give you plenty of information. In some cases involving white-collar crime,
a single investigation (documented in an affidavit) can be brought to civil
court to obtain injunctive relief or even a settlement.
So let's begin to answer the mysteries of a computer
investigation and see if it is something that would benefit you, your company,
or your legal situation. In a preliminary forensic investigation many questions
can be answered if you are concerned about something specific, but typically we
try to shed light on the following:
File Activity
No, unfortunately I can't show you files jumping around or
being active, but I can show you their creation, deletion, and modification. In
most cases this file activity drives the rest of the investigation. When we
plot file activity on a timeline it begins to tell the tale of what was going
on with the computer at the time. For instance, if we see a large number of
files created on a certain date, that usually indicates something like a
program being installed or files being copied from one place to another. If we
see a lot of file deletion, that could mean someone is trying to “burn” or
“shred” the evidence. If you see large-scale creation and deletion together,
that could point to someone copying files from one place (let’s say your
company’s network server) to the local system, copying them off the computer
(maybe to a thumb drive), and then wiping them clean. Or so they think. The
timeline is a starting point rather than a verdict: a burst of creations can
just as easily be a software update, and timestamps can be altered, so each
spike is checked against other artifacts before it is reported.
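The timeline reasoning above, as an added example that is not part of the original post or of any Wapack Labs tooling: it builds a per-day count of file creations, modifications and deletions, flags days that stand far above the median day, and then looks specifically for files that were created and deleted within the same short window (the copy-to-local-then-wipe pattern). The event list is constructed by hand for the example; in a real case it would come from a filesystem timeline extracted from the evidence image. The spike factor, floor and 12-hour window are assumed thresholds, not values from the post.

```python
"""Daily file-activity timeline with spike and create-then-delete detection.

Added example with constructed data; not code from the original post.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from statistics import median


def constructed_events():
    """Constructed sample events as (ISO timestamp, action, path).

    A real timeline would be extracted from the evidence image (for example
    MFT timestamps rendered by fls/mactime), not written by hand like this.
    """
    ev = []
    # Ordinary activity on three working days: one new note, one edited
    # spreadsheet, one temp file cleaned up.
    for day in ("2013-03-04", "2013-03-05", "2013-03-06"):
        ev.append((f"{day}T09:02:00", "created", r"C:\Users\j.doe\Documents\notes.txt"))
        ev.append((f"{day}T11:30:00", "modified", r"C:\Users\j.doe\Documents\budget.xlsx"))
        ev.append((f"{day}T16:05:00", "deleted", r"C:\Users\j.doe\AppData\Local\Temp\tmp1.dat"))
    # Day of interest: 40 client records land in a local folder at lunch,
    # and all 40 are deleted four hours later.
    start = datetime(2013, 3, 11, 13, 0)
    for i in range(40):
        path = rf"C:\Users\j.doe\Desktop\export\client_{i:03d}.csv"
        ev.append(((start + timedelta(minutes=i)).isoformat(), "created", path))
        ev.append(((start + timedelta(hours=4, minutes=i)).isoformat(), "deleted", path))
    return ev


def parse(events):
    """Turn raw (timestamp, action, path) rows into a time-sorted list."""
    return sorted((datetime.fromisoformat(ts), act, path) for ts, act, path in events)


def daily_counts(events):
    """Map each calendar day to a Counter of actions seen on that day."""
    counts = defaultdict(Counter)
    for ts, act, _ in events:
        counts[ts.date()][act] += 1
    return counts


def flag_spikes(counts, factor=5, floor=10):
    """Return {day: [actions]} for days far above the median day's volume.

    `factor` and `floor` are assumed thresholds: a day is flagged when its
    count for an action is at least max(floor, factor * median).
    """
    flagged = {}
    for act in ("created", "deleted"):
        base = median(c[act] for c in counts.values())
        for day, c in counts.items():
            if c[act] >= max(floor, factor * base):
                flagged.setdefault(day, []).append(act)
    return flagged


def find_copy_then_wipe(events, window=timedelta(hours=12), min_files=10):
    """Files created and then deleted within `window`, grouped by creation day.

    Only days with at least `min_files` such files are returned, so a single
    temp file that comes and goes does not trigger the pattern.
    """
    created = {}
    hits = defaultdict(list)
    for ts, act, path in events:  # events are time-sorted by parse()
        if act == "created":
            created[path] = ts
        elif act == "deleted" and path in created and ts - created[path] <= window:
            hits[created[path].date()].append(path)
    return {day: paths for day, paths in hits.items() if len(paths) >= min_files}


if __name__ == "__main__":
    ev = parse(constructed_events())
    counts = daily_counts(ev)
    for day, c in sorted(counts.items()):
        print(day, dict(c))
    print("spike days:", flag_spikes(counts))
    for day, paths in find_copy_then_wipe(ev).items():
        print(f"{day}: {len(paths)} files created and deleted within 12h, e.g. {paths[0]}")
```

The spike check alone would also fire on a software update; it is the second check, the same paths appearing in both the creation and deletion bursts under one directory, that narrows the day down to something worth pulling USB and network artifacts for.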
USB Drives
USB devices are becoming ubiquitous and their capacities keep
growing. The amount of data that used to fill several servers now fits on one
2TB external hard drive, and while the capacity grows, the physical size keeps
shrinking. Are you aware of everything your employees are carrying on a thumb
drive? Very few companies implement a policy to control the flow of information
to external devices. In my experience, a majority of my investigations have
included someone plugging a thumb drive into their computer days, if not hours,
before they leave the company. Are you sure they only took their personal
photos and music, or did they just clean out all of your client records and
proprietary information?
Internet History
Internet history can sometimes be the most telling of all
the information on a computer. How often do you go to work, log into your
computer, and then go directly to Gmail and log into your personal email? Few
companies restrict this type of personal access (although they may frown upon
it). Today many applications and services are becoming “cloud ready”. This
means that information is no longer kept only on your local systems; instead it
travels out over the Internet and is stored on some other company’s servers. Is
it secure in transit? Is it safe while sitting on those servers? Services like
Dropbox also offer huge amounts of storage space for people to upload
information to. An employee could easily upload information from their system
to Dropbox and then access it from anywhere else in the world.
If you aren’t concerned about the movement of data through the
Internet, maybe you are concerned about what your employees are doing on their
computers, such as spending too much time on Facebook or playing games. Plenty
of HR people lose sleep over what is being done and said on Facebook or over
instant messaging. In many cases a computer investigation can collect and parse
this type of information and even give you remnants of the pages the person
looked at. For investigations pertaining to harassment, chat logs can be
collected and produced for legal counsel (in many cases even if they have been
deleted).
Wait, there’s more…
These are just a few of the things that a standard
preliminary investigation could offer you. If you have a concern about what is
happening on your work or personal computers, then please give Wapack Labs a
call to find out how we can help. Whether you are in HR, legal, or IT, or own
your own business, there are several ways we can help put your mind at ease or
solidify a legal action. Our certified and experienced digital forensic
examiners can assist with almost any type of digital investigation. We
specialize in helping even those who have never heard of digital forensics or
are wary of technology in general. Don’t worry, we speak English too and won’t
get overly technical! Wapack Labs is located in Manchester, NH and serves all
of New England. Call us at 603-606-1246, email me at dkirmes@wapacklabs.com, or stop by our lab at 250 Commercial
St. Suite 2013.