In important cases, forensics specialists will be aware of such strategies and take precautions against them. But suspects who delete incriminating information may be out of luck. Files deleted from hard disks can still be read easily. Even if files are completely overwritten several times, trace magnetism in the disk can be read by specialised equipment.
Surprisingly, the same is true of RAM. Vital cipher keys left in RAM for an extended period, for example, will disappear when the machine is turned off, but the chemical changes to the oxide films that store the binary information can be detected by forensics experts. These techniques are explained in Secure Deletion of Data from Magnetic and Solid-state Memory by Peter Gutmann, department of computer science, University of Auckland.

Until recently, to recover evidence from computers in criminal cases, the forensics specialist would often shut down the computer and take away the hard disk for imaging and analysis.
"The integrity of the hard disk would be protected by booting it from a CD using software that would block any writing to disk," says KP Chow, associate professor, centre for information security and cryptography, the University of Hong Kong. "But in enterprises, especially financial institutions, it would cost a great deal of money to shut the system down. So there is an increasing need for forensics people to retrieve evidence from computers that are still running. We need to work out a strategy to preserve the integrity of information retrieved from a live system. At HKU, we are doing research on how to achieve this."
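To make the two points above concrete (an ordinary delete leaves file contents on disk until they are overwritten, and an acquired image should be hashed so that read-only analysis can be shown not to have altered it), here is an added Python example that is not from the article or from the researchers quoted. The in-memory toy disk, its directory model and the sample PNG-like file are all constructed for illustration.

```python
import hashlib

BLOCK = 512
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # real PNG header, used as a carving signature


class ToyDisk:
    """Constructed in-memory 'disk': raw bytes plus a directory mapping names to
    block numbers. Unlinking only drops the directory entry, which is exactly
    why a forensic carver can still read the data afterwards."""

    def __init__(self, blocks=64):
        self.raw = bytearray(BLOCK * blocks)
        self.directory = {}                 # name -> list of block numbers
        self.free = list(range(blocks))     # unallocated block numbers

    def write(self, name, data):
        blocks = []
        for off in range(0, len(data), BLOCK):
            b = self.free.pop(0)
            chunk = data[off:off + BLOCK]
            self.raw[b * BLOCK:b * BLOCK + len(chunk)] = chunk
            blocks.append(b)
        self.directory[name] = blocks

    def unlink(self, name):
        # Ordinary delete: blocks return to the free list, bytes stay on disk.
        self.free.extend(self.directory.pop(name))

    def overwrite_free(self):
        # Software wipe of unallocated blocks with alternating patterns. As the
        # article notes, residual magnetism on real media is beyond what software can address.
        for pattern in (b"\x00", b"\xff", b"\x00"):
            for b in self.free:
                self.raw[b * BLOCK:(b + 1) * BLOCK] = pattern * BLOCK


def carve(raw, magic):
    """Offsets where a file signature appears, independent of directory state."""
    hits, pos = [], raw.find(magic)
    while pos != -1:
        hits.append(pos)
        pos = raw.find(magic, pos + 1)
    return hits


def image_hash(raw):
    """SHA-256 of the acquired image; record before and after analysis."""
    return hashlib.sha256(raw).hexdigest()


def demo():
    disk = ToyDisk()
    disk.write("photo.png", PNG_MAGIC + b"constructed sample pixel data" * 20)
    disk.unlink("photo.png")
    before = image_hash(disk.raw)
    found_after_delete = carve(disk.raw, PNG_MAGIC)
    unchanged = image_hash(disk.raw) == before   # carving must be read-only
    disk.overwrite_free()
    found_after_wipe = carve(disk.raw, PNG_MAGIC)
    return len(found_after_delete), len(found_after_wipe), unchanged
```

Running demo() shows one carvable PNG header after the delete and none after the software wipe, with the image hash unchanged by the carving pass.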
For in-house work, CIOs and IT managers are under pressure to respond to their legal departments' requests for software tools to assist with the e-discovery process, but they need to choose carefully. "The e-discovery market (for software) is immature, over-hyped, over-crowded and uncertain," says Debra Logan, Gartner analyst. "Rapid functional consolidation is both desirable and inevitable." This was a key finding in the Gartner report: Choosing an E-Discovery Solution in 2007 and 2008.
Who uses it?
Computer forensics services were originally offered by specialised vendors, but the in-house forensics skills were soon adopted by police forces, intelligence services, large accountancy and law firms and universities. Nowadays, many enterprises are introducing in-house forensics.
The Singapore Police were early adopters of forensic methods, starting in 1996, and today the technology crime division (TCD) has branches for investigation, forensics and research. "The division has successfully investigated and prosecuted a number of offenders under the Computer Misuse Act (CMA) for offences such as hacking, wi-fi mooching, Internet fraud, unlicensed online distribution of intellectual property and posting of fallacious and seditious comments," says Danny Tan, Singapore Police Force spokesperson. "TCFB's expertise in computer forensics has also brought about stronger evidence for prosecution."