Computer Sleuth: Beating down the evidence trail with computer forensics.

Think Sherlock Holmes sans the goofy hat and magnifying glass. Today's digital sleuths enlist the tactics that once were only the purview of FBI and police investigators. The tools of computer forensics play a vital role in resolving matters in the corporate world and litigation process by enhancing the evidence pool, establishing truths otherwise left undiscovered and, consequently, contributing to more efficient and rapid resolution, judgments or settlements.

But as computer forensics and electronic discovery--its legal-oriented practice subset--are becoming more a part of the litigation fabric, lawyers, CPAs and other professionals are exclaiming, "I wish I understood this a month ago. We really could have used these tools!"
Well, your wish has come true. The following is a guide to computer forensics--what it is and when it should be used.

WHAT IS COMPUTER FORENSICS?

Put simply, computer forensics focuses on the acquisition, restoration and analysis of digital data. In the business world, computer forensics can be used to restore corrupted or lost data, resurrect outdated systems and software environments, and analyze common security breach activities. Such steps are generally taken when, despite a company's prudent efforts, something has gone wrong in its computing environment. Also, attorneys use computer forensic-based methods, or electronic discovery, when they are searching for digital evidence that will help them with their case. For CPAs, computer forensics can be used with forensic accounting practices to provide a more thorough, corroborated evidence position.

DIGITAL DATA

Digital data is electronic information that is created in, and utilized by, computer systems and their related applications. Such data is found in everything from hard drives, laptops and PDAs (such as Palm Pilots and iPaqs), to backup tapes, e-mail servers, CDs, DVDs and other computer network components. This data is found in "active" files, such as e-mails and documents stored on hard drives. Typically, these files are ones that can more easily be accessed and are those that employees tend to use most often.

Data also lives in other forms that are not so simple to find. Think hitting the "delete" button has purged that e-mail forever? Think again.
Computer forensics can track down deleted files, hidden files, files created by the system or by software that users are not aware of (such as an automatic backup of a document), or fragmented files that are scattered throughout the storage devices we use.

ELECTRONIC DISCOVERY PRACTICE

When digital data is compromised--either lost, stolen, deleted or otherwise manipulated--and can be of evidential value for a potential lawsuit, electronic discovery practices come into play. Electronic discovery is accomplished through several steps, including:

* Strategizing: Collaborating with counsel, CPAs, corporate officers and others to understand the objectives of the claim, learn the specifics of the computing environment and determine how to best use computer forensics. This strategy can include digitally corroborating nondigital findings, such as paper evidence, as well as drafting discovery requests related to the information technology of an enterprise and participating in related depositions.
* Acquiring: Gathering the digital data that supports the objectives of the issue at hand or claim. Acquisition targets should include all "states" of data--active files, as well as hidden or deleted files, and backup files.
* Searching: Seeking attributes, patterns or other key data elements, such as key words, phrases or patterns that are consistent with the objectives of the claim or issue at hand.
* Analyzing: Strategically deploying proprietary and other tools and methodologies to accomplish agreed-upon objectives.
* Reporting: Combining the written, oral, and expert witness presentation of findings to support engagement objectives.

COMPUTER FORENSICS AND ELECTRONIC DISCOVERY PITFALLS

From a risk perspective, two factors are key: the timing of the acquisition of the digital data in question, as well as the quality of the acquisition.
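
The two factors can be seen on a small scale in the following added example, which is not part of the original article: a constructed four-sector disk image is copied and hash-checked (quality), then searched across every byte before and after the system reuses a freed sector (timing). The sector layout, file contents and function names are all constructed for illustration.

```python
import hashlib

SECTOR = 512  # bytes per sector in this constructed image

def build_image():
    """Constructed 4-sector 'disk': sector 1 holds an active file, sector 2
    holds the remains of a deleted e-mail (marked free, bytes still present)."""
    sectors = [bytes(SECTOR) for _ in range(4)]
    sectors[1] = b"Q3 shipment report, final".ljust(SECTOR, b"\0")
    sectors[2] = b"Subject: book the shipment early".ljust(SECTOR, b"\0")
    allocated = {1}  # sector 2 was freed when the e-mail was deleted
    return bytearray(b"".join(sectors)), allocated

def acquire(source):
    """Copy the source and return (copy, source_hash, copy_hash)."""
    copy = bytes(source)
    return copy, hashlib.sha256(source).hexdigest(), hashlib.sha256(copy).hexdigest()

def search(image, allocated, keywords):
    """Scan every byte of the image, not just active files.
    Returns (keyword, offset, 'active' | 'nonactive') tuples sorted by offset."""
    hits = []
    lowered = bytes(image).lower()
    for kw in keywords:
        needle = kw.lower().encode()
        pos = lowered.find(needle)
        while pos != -1:
            state = "active" if pos // SECTOR in allocated else "nonactive"
            hits.append((kw, pos, state))
            pos = lowered.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[1])

def keep_using(image, allocated):
    """Timing risk: the system reuses free sector 2 for a new active file."""
    image[2 * SECTOR:3 * SECTOR] = b"vacation photos".ljust(SECTOR, b"\0")
    allocated.add(2)

def demo():
    disk, alloc = build_image()
    copy, h_src, h_copy = acquire(disk)      # acquired before further use
    early = search(copy, alloc, ["shipment"])
    keep_using(disk, alloc)                  # machine left online instead
    late_copy, _, _ = acquire(disk)
    late = search(late_copy, alloc, ["shipment"])
    return h_src == h_copy, early, late

if __name__ == "__main__":
    print(demo())
```

The early acquisition finds the keyword in both the active file and the deleted e-mail's leftover bytes; after the freed sector is reused, only the active hit remains.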

With regard to the timing risk, be aware that computer systems aren't picky about what deleted or other nonactive data is written over when drive space is required for an active file. Thus, it is critical that the components of the computer environment which hold the digital data in question be taken "offline" from other system activities as soon as computer forensic activities are initiated and until the data can be acquired.

With regard to the quality risk, courts have held that when digital data was not acquired in the proper manner, it may not be considered the strongest or best evidence. Always consult an expert before sending out a nearby office network administrator who is not familiar with computer forensics tools and data search and retrieval.

CASE STUDIES

The following are brief summaries of sample cases in which electronic discovery has played a successful role:

Accounting Revenue Recognition Dispute--In advancing funds under a credit facility, an entity's lending institution relied upon the consistent application of revenue recognition policies, including those related to the shipment of products, as reported in the internal financial statements produced by the entity. A dispute arose about whether or not certain shipments by the entity occurred within a certain accounting reporting period. Computer forensics and forensic accounting tools were deployed to resurrect the accounting systems in place at the time of the dispute and ultimately discovered that the entity had intentionally not complied with its stated revenue recognition policies.
Rather they had accelerated the recording (and thus the reporting) of certain transactions related to product shipments so as to obtain funding earlier.

Contract Dispute--A plaintiff argued that, based on certain correspondence, he was owed a certain percentage of the proceeds from the sale of a business. The defendant argued that the percentage was significantly less than the plaintiff contended. Through deposition inquiries surrounding digital data and use of computer forensics tools to analyze nonactive and active files, evidence was discovered that provided proof of correspondence and a percentage to support the claim.

Sexual Harassment and Termination of Executive--Electronic discovery techniques provided proof that a terminated high-ranking executive was indeed engaging in pornographic and other nontasteful activities during business hours and on business premises.

Marital Dispute--A wife claimed that prior to the divorce, the husband was actively involved with a company that, subsequent to the divorce, filed a registration statement with the SEC for a large sum of capital. Electronic discovery techniques, combined with effective discovery requests surrounding the relevant digital data, helped determine the merit of the wife's claim.

AT WHAT PRICE?

Computer forensics and electronic discovery services often are provided in a "baby step" approach, and can range from several thousands of dollars to hundreds of thousands of dollars. The initial steps--acquisition, initial inspection and general strategy--usually require several thousand dollars to target a single computer. After initial findings, the extent of hourly services depends on how much forensic activity is necessary.

SUMMARY

Computer forensics and electronic discovery have proven to be valuable tools for the business community and litigators. They are most effective when performed by professionals who collaborate with executives and their professional advisers from both a technological and business perspective. This expertise can ultimately provide evidentiary matter that otherwise would go uncovered and is crucial to resolving issues and claims.

Robert Green, CPA/CITP, and Scott Cooper are principals at INSYNC Consulting Group Inc., an information technology professional services firm. You can reach them at Bob@INSYNCusa.com and Scott@INSYNCusa.com, respectively.