Computer forensics: fighting fraud bit by bit.
As the field of computer forensics has evolved, the morbid fear of newer technology has yielded to practical curiosity. This is true especially among special investigators, adjusters, and counsel involved in the evaluation of potentially fraudulent claims.
Now, the most common question that we hear is, "Why use computer forensics?" More often than not, we have little time to answer the question before being challenged by the inevitable follow-up: "What can computer forensics do for me?" Technical answers might be both complete and accurate, but nothing is more illustrative than a few real-life examples.
A few months ago, an SIU investigator from a commercial carrier suspected that his insured's business interruption claim was significantly inflated. Realizing that key financial evidence might reside on the business owner's computer, the investigator called in an expert to "copy some files to floppy disk or CD." Although the investigator possessed the technical knowledge to copy the files himself, the potential importance of the evidence persuaded him to seek professional assistance.
The forensic specialist began to remove the cover from the insured's computer shortly after arriving on the scene. When the investigator called a halt, the specialist assumed that he was concerned about the dismantling of the computer. As it happened, the investigator was concerned about the costs of what appeared to be an elaborate procedure. All he needed was the copying of a few files, he insisted.
When asked, the investigator confirmed that the data to be gathered would be used in court. The forensic specialist explained that, without a forensically sound copy of the data on the hard drives, opposing counsel would have little trouble arguing that the information on the hard drives had been despoiled or changed and, therefore, should not be admitted as evidence.
The issue in this example, and in nearly every case, is spoliation of electronic evidence. Every time a computer is started, files are "touched" and changed on the hard disk drive. Important information can be lost. A forensic copy ensures that a bit-by-bit snapshot is taken of the entire contents of the hard drive. This includes deleted and overwritten areas, as well as unused sections.
Once the forensic copy is made, it is hashed. A hash is simply a digital fingerprint of the data that is unique to that data. A forensically sound copy will have the same hash as the original data. Changing a single bit in the copied data will alter the fingerprint such that the hash of the copy no longer will match that of the original. If, on the other hand, the hash values match, the contents of the original and the copy are completely identical and there can be no claim of spoliation.
Ideally, the original computer should not be rebooted after the forensic copy has been made. Otherwise, any change to the original data, including those changes that can occur when a computer is booted, can alter the original data and change its hash value. If practical, it is best to store the original evidence in a secure location so that it cannot be rebooted after the forensic copy has been made. In addition, the chain of custody of the computer, as well as any copies of the data that might be produced at trial, should be documented just like any other important evidence.
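The verification step described above, as an added illustration that is not part of the original article: a bit-for-bit copy is hashed, the hash is compared with that of the original, and a single changed bit (such as a file "touched" on reboot) is enough to break the match. The "drive" here is a constructed byte string standing in for a real device.

```python
import hashlib

# Constructed stand-in for a hard drive: 4 KiB of sample bytes instead of a device.
ORIGINAL_DRIVE = bytes(range(256)) * 16

def hash_image(data: bytes, algorithm: str = "sha256") -> str:
    """Return the hex digest (the 'digital fingerprint') of an entire image."""
    h = hashlib.new(algorithm)
    # Hash in sector-sized chunks, as an imaging tool would when reading a device.
    for offset in range(0, len(data), 512):
        h.update(data[offset:offset + 512])
    return h.hexdigest()

def make_forensic_copy(source: bytes) -> bytes:
    """Bit-for-bit copy: every sector, including unallocated space, is duplicated."""
    return bytes(source)

def verify_copy(source: bytes, copy: bytes) -> bool:
    """A copy is forensically sound only if its hash equals the hash of the source."""
    return hash_image(source) == hash_image(copy)

def flip_one_bit(data: bytes, byte_index: int, bit: int = 0) -> bytes:
    """Simulate the smallest possible change to the data (one bit in one byte)."""
    mutable = bytearray(data)
    mutable[byte_index] ^= 1 << bit
    return bytes(mutable)

if __name__ == "__main__":
    image = make_forensic_copy(ORIGINAL_DRIVE)
    print("copy hash matches original:", verify_copy(ORIGINAL_DRIVE, image))
    tampered = flip_one_bit(image, 1000)
    print("after a one-bit change:     ", verify_copy(ORIGINAL_DRIVE, tampered))
```

Recording the hash at imaging time, and again whenever a copy is produced for trial, gives the documented chain of custody something objective to check against.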
When dealing with electronic evidence, the following questions should be asked. Will the data obtained be presented in court? Where is the critical data stored? Is all of the data on the hard drive, or might it also be stored on other computers, servers, PDAs, or cellular telephones?
Could insureds possibly have deleted key information, or e-mailed it to third parties? Is data possibly stored on backup media such as tapes, CDs, DVDs, or one of the newer Universal Serial Bus drives?
An effective search of electronic evidence should not be limited to the reviewing of e-mail. As shown in the next example, information often is in the last place that it would be expected.
An electronic commerce retailer suspected that several employees were using a customer's credit card to order items for themselves. With the information available on the firm's computers, management was able to identify the misused credit card numbers and ascertain the web sites from which the suspicious purchases were being made.
Forensic copies of each hard drive were created. The copies were searched for credit card numbers and the web sites. The search returned several instances of numbers that resembled the customer's credit card and visits to the suspected web sites. All of the information was reviewed and analyzed.
The credit card number and employee information were found in a web page confirming an order of merchandise. The credit card number was not visible in the web browser, but was hidden in HTML code, along with the name and address of the person ordering the product. The employees had not saved this information intentionally; it was found in temporary files that usually are hidden.
All other references to the credit card number and the order had been erased deliberately. Additionally, the pattern of activity showed that the employees also had emptied the web cache and deleted temporary files after they had completed the order. After deleting all traces of the order, however, they visited the web page to confirm the order. This page was viewed on several of the forensic copies taken from different computers, indicating that multiple employees were involved in the purchases.
Computers store extraordinary amounts of information. Frequently, data can be stored in multiple locations. In this example, the people committing the crime were somewhat computer savvy and tried to erase their tracks. What they did not realize is that web pages contain more information than is visible. The data that they were trying to hide was not necessarily where they thought that it was stored. If critical information or electronic evidence exists, computer forensic science can find it.
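The kind of search run against the forensic copies in the example above, as an added illustration that is not part of the original article: the raw bytes of an image are scanned for card-number candidates, each candidate is checked with the Luhn algorithm to discard ordinary 16-digit strings, and the surrounding bytes are kept so an examiner can see that a hit sits inside a hidden HTML form field or in unallocated space. The image and the card number (a standard test number) are constructed sample data.

```python
import re

# Constructed sample "forensic image": browser cache remnants and unallocated space.
# The confirmation page shows no number on screen, but the HTML carries it in a
# hidden form field; a second copy survives in slack space after the file was deleted.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"<html><body><h1>Thank you for your order</h1>"
      b"<input type=\"hidden\" name=\"card\" value=\"4111111111111111\">"
      b"<input type=\"hidden\" name=\"ship_to\" value=\"J. Doe, 12 Main St\">"
      b"</body></html>"
    + b"\x00" * 32
    + b"deleted-file slack ... 4111 1111 1111 1111 ... order 5559"
    + b"\xff" * 16
    + b"not a card: 1234567890123456"   # 16 digits, but fails the Luhn check
)

# 16 to 19 digits, optionally separated by spaces or dashes, not embedded in longer runs.
CANDIDATE = re.compile(rb"(?<!\d)(?:\d[ -]?){15,18}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; filters out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0

def find_card_numbers(image: bytes, context: int = 24):
    """Return (offset, digits, surrounding bytes) for every Luhn-valid candidate."""
    hits = []
    for m in CANDIDATE.finditer(image):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            start = max(0, m.start() - context)
            hits.append((m.start(), digits, image[start:m.end() + context]))
    return hits

if __name__ == "__main__":
    for offset, digits, ctx in find_card_numbers(SAMPLE_IMAGE):
        print(f"offset {offset}: {digits}  context={ctx!r}")
```

Because the scan runs over the whole image rather than over the files a browser would show, it finds the copy in the hidden field and the copy in unallocated space alike, which is the point of taking a bit-by-bit copy in the first place.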
When properly applied, computer forensics can perform time-line analyses to show how computers were being used, when users were logging in or out, and what they were doing. Using forensics, technicians can retrieve deleted or even re-formatted information; search for file names, file contents, or key phrases; find inappropriate material, images, or web-browsing activity; and determine what time and date individual files were created, deleted, moved, or downloaded. Forensics also can uncover the intent to hide or destroy evidence, open password-protected or encrypted files, and show when and to whom e-mail was sent.
Computer forensics is a powerful tool that should reside in the toolbox of every investigative and claim professional. When considering electronic evidence in claims, experts should become involved as soon as possible. They can assist with the required steps in an investigation, and can make forensic copies of data before original data is changed, lost, or deleted.
It is best to arrange for a conversation with experts and attorneys to review the full context of the case. The more the expert is familiar with the details of the case, the better prepared he will be to expect the unexpected. Crucial evidence is not always where it is anticipated, or in the presumed form. In a thorough investigation, however, electronic evidence can be a critical aid in gathering all of the facts, bit by bit.
Brad Davis, PE, is a technical supervisor at LWG Consulting, in Columbus, Ohio. Mark Burge is manager, data recovery and analysis at the firm's branch in St. Louis Park, Minn.