Our agency has assisted many Fortune 500 Corporations around the world with their computer forensics needs. In a Corporation, the needs are many and varied as can be seen by the chart below. We stand by ready to assist in any way we can.
The table below indicates how Rick Crouch & Associates can assist you:
Forensic Computer Analysis
Hidden Assets and Money Files
Digital Storage Devices
Breach of Contract
Breach of fiduciary duty cases
Class Action Suits
Contract and commission claims
Implied employment contract claims
Negligence and negligent retention claims
Non Compete Clauses
Slander and libel claims
Theft of Intellectual Property
Wrongful discharge cases
The situations when a company usually needs a computer forensics analyst involve people as much as computers. Well before a lawsuit is filed, you must often make decisions on how to deal with situations involving employees. Notification from a competitor that your new employees are accused of taking proprietary data or receiving a visit by law enforcement concerning employee misconduct are situations where you must carefully consider what your next steps should be. It is always most cost-effective to take action early to understand your company’s exposure and, at a minimum, preserve the right data.
Without the assistance of a computer forensics professional, you may be seeing only a small portion of the ultimate picture. Do not short-change yourself.
All businesses, large or small, eventually encounter some sort of litigation, investigation or a business dispute. Many times records and data need to be examined to answer the questions of what happened, when, where and why. Enter computer forensics, which is the use of specialized and analytical techniques to identify, acquire, preserve and examine electronically stored information.
Why Computer Forensics?
Businesses use computer forensics techniques during an investigation to ensure the integrity of the original media. Any changes to file date-time stamps, last computer log-in and log-out times, or worse yet, actual file data are avoided when sound forensic techniques are employed. An audit trail is also established, so if needed for legal purposes, procedures and results can be verified and validated.
For high-profile cases such as criminal investigations or civil litigation, computer forensics can play a key role in determining what kind of data resided where and what happened to that data. Often, this can be pivotal in a case. Take, for example, a recovered deleted file documenting a fraud. This is the smoking gun. But computer forensics can also play an important role in solving problems that a business might face on a more regular basis.
How Can Computer Forensics Be Used in Your Business?
Often investigations are not large in scale. A business might want to see if an employee has been browsing inappropriate sites or had unauthorized files on their computer. Such instances might include small violations of a company policy, or they might be fraudulent actions that could cost the company millions of dollars in damages. Business-use cases can vary, but forensics techniques generally remain the same.
The following is a list of possible ways computer forensics can be used to help businesses solve a dispute or an investigation:
Identifying unauthorized access by employees to Internet sites, intranet sites or files;
Identifying employee fraud, including detection of documents related to fraud and keyword searches;
Identifying IP theft by employees, including copying and transporting company files onto external devices, linked-file analysis and registry analysis;
Highlighting general employee usage patterns and behaviour;
Spotting employee deleted files, including the recovery of deleted files and file carving.
Mining Website Data
Employees might visit website's that are prohibited by company policy. Many people think that clearing their web history and web cache is enough to cover their trail, but there are artefacts left behind that might shed light on web browsing activity. The index.dat file is a system file that keeps track of every site that a user has visited through Internet Explorer.
This file cannot be easily deleted by manual methods, and even if deleted, forensic tools can be used to recover the entries in this file. By parsing this file and using data analysis methods, it’s possible to mine the entries to get an idea of what sites were visited, how often sites were visited and during what time frame these sites were visited.
Forensic tools and techniques can also be used for keyword searches of allocated, unallocated and slack space on a hard drive. A lot of interesting things can be found in unallocated and slack space as well as inside system files, such as the pagefile.sys file. These are clusters on the hard drive that were at some point used by a file or held information from temporal processes.
Because these portions of the hard drive are not easily accessed by the average employee, they might hold a treasure trove of information. For instance, if someone is interested in wiping programs that might have been installed or used, it’s possible to run a keyword search on the entire hard drive for certain terms related to wiping — for instance, “wipe,” “clean,” or “eraser” — as many such programs have these keywords in their names or program files. Weeding through the results can be a manual process.
Keeping Track of Storage Devices
With the prevalence of electronically stored information, it is very easy to transfer files from a hard drive to a USB thumb drive or other external storage device, or a device with USB ports. It’s easy to imagine a scenario in which an employee who is exposed to key company documents or designs plugs in a personal USB storage device to his or her computer and copies these files. The process of copying might take only a few seconds, and there would be very few traces, if any, remaining on the surface.
These files could be used for personal gain or sold to a competitor; in either case, the company suffers. Forensic analysis can aid in determining whether a file was copied onto an external device if subsequent events occur. For instance, if the file is opened from the external device on the computer, then a linked file is created. These files are, in effect, shortcut files; they keep track of when a file sitting on an external device was opened, and they can be, to some degree, identifiers linked to the external device.
There are also registry entries created on the computer that keep track of which USB devices were attached to the computer, including tracking the first and the last time the USB device was plugged in. With this type of collaborative information, it’s possible to make an educated determination as to whether a file was copied onto an external drive.
Usage patterns can also be gleaned from computer logs and system files. For instance, parsing the security event log will give log-in and log-out dates and times for each user on the machine. The event log typically logs events until purged, so a forensic analysis can be done by comparing historical usage patterns with usage patterns of a particular time period.
Abnormal behaviour can be highlighted in this fashion. Other types of events that can be tracked include the number of web visits, number of file modifications, number of files last accessed and the number of files created on a given day, week or month.
Finally, forensics can be used to recover deleted files. When a file is deleted from a hard drive, the space that this file occupies is marked as “free” or “unallocated.” This tells the system that it can reuse the space.
Traces of this file are left on the hard drive until the sectors it resides on are either overwritten or wiped. Using forensic tools and techniques, a forensic technician may be able to “undelete” or recover these files. Depending on the amount of usage, it may be possible to recover only fragments of the deleted file.