We regularly see it in daily news media across our region: Singapore National Kidney Foundation's CEO is charged for corruption; Hong Kong public hospitals lose 16,000 patient records; New Zealand teenage hacker infects 1.3 million computers; naked celebrity photos stolen from PC appear in the Asian press. In every case where data theft is suspected, forensics experts will be imaging hard drives, analysing data and preparing evidence that will stand up in court.
Computer forensics is the most secretive part of the IT industry. Individuals and companies damaged by cyber crime know that their reputations depend on remaining silent. So, when MIS Asia asked computer forensics professionals about their latest cases, they explained that if they breached client confidentiality, they'd never work again.
The primary concern of forensics experts is to collect evidence that meets well-established criteria laid down by the law. "The rules of evidence are not new for computers," says Sean Lin, a director of the Information Systems Audit and Control Association (ISACA). "If digital photos are stolen, for example, we may need to prove which computer they were stored on and who copied and distributed them. In the old days, we needed to track down the people who processed and printed a roll of film. In both cases, the collection and protection of evidence must be legally acceptable. The standard of proof is the same, just the technology has changed."
But computer forensics is also increasingly used by enterprises for applications such as investigating employees' misuse of the Internet, tracing the unauthorised disclosure of corporate information, and collecting evidence for industrial espionage or breach of contract cases. Forensics can also support damage assessment after any kind of incident.
Any expert can investigate a computer, but it is difficult to search through gigabytes of information, and if the evidence uncovered is to be valid, no changes at all can be made to the hard disks or storage media. In practice that means the original is never booted or mounted for examination: it is read through a write blocker into a bit-for-bit image, and cryptographic hashes of the original and the image are recorded so that the examiner can later prove the copy is identical and the original was not altered.
To achieve this, many software vendors offer forensic products.
One of the tools widely used by police forces is EnCase Forensic, from Guidance Software, a program that offers an integrated set of forensics utilities. This software can safely make a complete image of a drive taken from a Windows, Macintosh, Linux or DOS machine, can help examiners inspect areas of the disk hidden from the operating system, and documents the results in a form that is admissible in court.
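The following POSIX shell script is an added example, not code from the article or from Guidance Software, showing the minimum a forensic imaging step must guarantee: the source is only ever read, the image is a bit-for-bit copy, and identity is proven by hashing the source before imaging, the image afterwards, and the source again. It assumes dd, sha256sum and mktemp are available; the "drive" is a constructed 64 KiB file of random bytes, not a real device, and the function and variable names are the example's own.

```shell
#!/bin/sh
# Forensic imaging demo: image a "drive" read-only, then prove the image
# matches the source and that the source itself was not changed.
set -u

# SHA-256 digest of a file or block device; prints only the hex digest.
hash_file() {
    sha256sum "$1" | cut -d' ' -f1
}

# Copy SRC into DST with dd and verify it.
# Prints the image digest and returns 0 only if
#   hash(source before) == hash(image) == hash(source after).
# conv=noerror,sync keeps reading past bad sectors and pads them with zeros
# so that offsets in the image still line up with the source. Note that sync
# rounds the image up to a whole multiple of bs: exact for a real block
# device (whole sectors), but it would pad a plain file of odd size.
image_and_verify() {
    src=$1
    dst=$2
    pre_hash=$(hash_file "$src")
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    img_hash=$(hash_file "$dst")
    post_hash=$(hash_file "$src")       # source must be untouched by imaging
    printf '%s\n' "$img_hash"
    [ "$pre_hash" = "$img_hash" ] && [ "$pre_hash" = "$post_hash" ]
}

# Re-check an image later (e.g. before analysis, or in court) against the
# digest recorded at acquisition time. Returns non-zero on any tampering.
verify_image() {
    [ "$(hash_file "$1")" = "$2" ]
}

# Constructed sample "drive": 64 KiB of random bytes, i.e. exactly 16 blocks
# of 4096 bytes, so conv=sync adds no padding. Prints the temp file's path.
make_sample_disk() {
    f=$(mktemp)
    head -c 65536 /dev/urandom > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demonstration.
disk=$(make_sample_disk)
image="$disk.dd"
if digest=$(image_and_verify "$disk" "$image"); then
    echo "image verified, sha256 $digest"
else
    echo "VERIFICATION FAILED: image does not match source" >&2
fi
rm -f "$disk" "$image"
```

On a real case `if=` points at the block device (behind a hardware write blocker, or at least with the device set read-only at the OS level), both digests go into the case notes, and the original is never mounted read-write again; every later examination runs against the image and is preceded by a verify_image check against the recorded digest.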
Unfortunately, criminals have access to exactly the same expertise in computer forensics as the legal investigators. In extreme cases, people with incriminating information to hide may 'booby trap' their PCs, so that any attempt to power them on or copy the hard disk results in the deletion of the sensitive information.