All businesses, large or small, eventually encounter some sort of litigation, investigation or a business dispute. Many times records and data need to be examined to answer the questions of what happened, when, where and why. Enter computer forensics, which is the use of specialized and analytical techniques to identify, acquire, preserve and examine electronically stored information.
Businesses use computer forensics techniques during an investigation to ensure the integrity of the original media. Any changes to file date-time stamps, last computer log-in and log-out times, or worse yet, actual file data are avoided when sound forensic techniques are employed. An audit trail is also established, so if needed for legal purposes, procedures and results can be verified and validated.
For high-profile cases such as criminal investigations or civil litigation, computer forensics can play a key role in determining what kind of data resided where and what happened to that data. Often, this can be pivotal in a case. Take, for example, a recovered deleted file documenting a fraud. This is the smoking gun. But computer forensics can also play an important role in solving problems that a business might face on a more regular basis.
Often investigations are not large in scale. A business might want to see if an employee has been browsing inappropriate sites or had unauthorized files on their computer. Such instances might include small violations of a company policy, or they might be fraudulent actions that could cost the company millions of dollars in damages. Business-use cases can vary, but forensics techniques generally remain the same.
The following are some of the ways computer forensics can be used to help a business resolve a dispute or support an investigation:
Employees might visit websites that are prohibited by company policy. Many people think that clearing their web history and web cache is enough to cover their trail, but there are artifacts left behind that might shed light on web browsing activity. The index.dat file is a system file that keeps track of every site that a user has visited through Internet Explorer.
This file cannot be easily deleted by manual methods, and even if deleted, forensic tools can be used to recover the entries in this file. By parsing this file and using data analysis methods, it’s possible to mine the entries to get an idea of what sites were visited, how often sites were visited and during what time frame these sites were visited.
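As an added example (not from the original article), the code below shows the "data analysis" step described above once the history entries have already been parsed out of an artifact such as index.dat. The sample visit records, the `PROHIBITED_HOSTS` policy list and the business-hours window are constructed assumptions; the functions answer the three questions raised in the text: which sites were visited, how often, and during what time frame.

```python
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Constructed sample of (visit timestamp, URL) records, in the shape a history
# parser would export after reading a browser's history artifact. Not real data.
SAMPLE_VISITS = [
    ("2023-03-06T09:02:11", "https://intranet.example/home"),
    ("2023-03-06T09:15:40", "https://gambling-site.example/lobby"),
    ("2023-03-06T09:16:05", "https://gambling-site.example/table/7"),
    ("2023-03-06T13:40:12", "https://intranet.example/timesheet"),
    ("2023-03-07T09:01:50", "https://intranet.example/home"),
    ("2023-03-07T11:22:33", "https://gambling-site.example/lobby"),
    ("2023-03-07T23:58:01", "https://gambling-site.example/lobby"),
]

# Hypothetical policy list: hosts (or parent domains) that company policy prohibits.
PROHIBITED_HOSTS = {"gambling-site.example"}


def summarize_visits(visits):
    """Aggregate raw visit records per host: how often, first/last visit, and
    the distribution over hours of the day (the 'time frame' question)."""
    summary = {}
    for ts, url in visits:
        host = (urlparse(url).hostname or "").lower()
        when = datetime.fromisoformat(ts)
        entry = summary.setdefault(
            host, {"count": 0, "first": when, "last": when, "by_hour": Counter()}
        )
        entry["count"] += 1
        entry["first"] = min(entry["first"], when)
        entry["last"] = max(entry["last"], when)
        entry["by_hour"][when.hour] += 1
    for entry in summary.values():  # normalise for reporting
        entry["first"] = entry["first"].isoformat()
        entry["last"] = entry["last"].isoformat()
        entry["by_hour"] = dict(sorted(entry["by_hour"].items()))
    return summary


def _matches_policy(host, prohibited):
    # "sub.example.com" matches a listed "example.com" (parent-domain match).
    return any(host == p or host.endswith("." + p) for p in prohibited)


def policy_violations(summary, prohibited=PROHIBITED_HOSTS):
    """Hosts in the summary that fall under the prohibited list, with their stats."""
    return {h: s for h, s in summary.items() if _matches_policy(h, prohibited)}


def visits_outside_hours(visits, start_hour=8, end_hour=18):
    """Visits whose hour of day falls outside the [start_hour, end_hour) window."""
    return [
        (ts, url) for ts, url in visits
        if not start_hour <= datetime.fromisoformat(ts).hour < end_hour
    ]


if __name__ == "__main__":
    report = summarize_visits(SAMPLE_VISITS)
    for host, stats in policy_violations(report).items():
        print(host, stats)
    print("outside business hours:", visits_outside_hours(SAMPLE_VISITS))
```

The per-hour histogram is what turns a list of URLs into a usage pattern: a prohibited site visited twice during a lunch break reads very differently from one visited repeatedly at midnight, and the parent-domain match keeps a policy list short without missing subdomains.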
Forensic tools and techniques can also be used for keyword searches of allocated, unallocated and slack space on a hard drive. A lot of interesting things can be found in unallocated and slack space, as well as inside system files such as the pagefile.sys file. Unallocated and slack space consist of clusters on the hard drive that were at some point used by a file or held data from temporary processes.
Because these portions of the hard drive are not easily accessed by the average employee, they might hold a treasure trove of information. For instance, if an investigator wants to know whether wiping programs were installed or used, it’s possible to run a keyword search on the entire hard drive for certain terms related to wiping — for instance, “wipe,” “clean,” or “eraser” — as many such programs have these keywords in their names or program files. Weeding through the results is often a manual process.
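The following is an added example, not code from the article, of the raw keyword search just described: it scans every byte of a disk image regardless of allocation, matches the terms in both ASCII and UTF-16LE (the encoding Windows uses for many of the strings that end up in slack space and the pagefile), and reports each hit with its offset, cluster and allocation state. The tiny `SAMPLE_IMAGE`, the 4096-byte cluster size and the `ALLOCATED_CLUSTERS` map are constructed assumptions.

```python
import re

CLUSTER_SIZE = 4096  # assumed cluster size for mapping offsets to clusters

# Constructed stand-in for a small raw disk image: a file-system path in cluster 0
# (allocated), then leftovers in cluster 1 that were never overwritten. Not real data.
SAMPLE_IMAGE = (
    b"\x00" * 100
    + b"C:\\Program Files\\DiskWipe\\wipe.exe\x00"
    + b"\x00" * 4000
    + "Eraser Portable".encode("utf-16-le")   # Windows stores many strings as UTF-16LE
    + b"\x00" * 300
    + b"nothing to see here; CLEAN room log\n"
    + b"\x00" * 100
)
ALLOCATED_CLUSTERS = {0}  # constructed allocation map: only cluster 0 belongs to a live file


def _ascii_pattern(keyword):
    return re.compile(re.escape(keyword.encode("ascii")), re.IGNORECASE)


def _utf16le_pattern(keyword):
    """Case-insensitive UTF-16LE form: each character is followed by a NUL byte,
    so a plain ASCII search would miss these strings entirely."""
    parts = []
    for ch in keyword:
        lo, up = ch.lower(), ch.upper()
        if lo != up:
            parts.append(b"[" + re.escape(lo.encode("ascii")) + re.escape(up.encode("ascii")) + b"]\x00")
        else:
            parts.append(re.escape(ch.encode("ascii")) + b"\x00")
    return re.compile(b"".join(parts))


def keyword_search(image, keywords, allocated=ALLOCATED_CLUSTERS, context=16):
    """Scan every byte of the image (allocated or not) for each keyword in both
    encodings; report offset, cluster, allocation state and a little context."""
    hits = []
    for kw in keywords:
        for encoding, pattern in (("ascii", _ascii_pattern(kw)), ("utf-16le", _utf16le_pattern(kw))):
            for m in pattern.finditer(image):
                cluster = m.start() // CLUSTER_SIZE
                hits.append({
                    "keyword": kw,
                    "encoding": encoding,
                    "offset": m.start(),
                    "cluster": cluster,
                    "allocated": cluster in allocated,
                    "context": image[max(0, m.start() - context): m.end() + context],
                })
    return sorted(hits, key=lambda h: h["offset"])


if __name__ == "__main__":
    for hit in keyword_search(SAMPLE_IMAGE, ["wipe", "clean", "eraser"]):
        print(hit["offset"], hit["keyword"], hit["encoding"],
              "allocated" if hit["allocated"] else "unallocated", hit["context"])
```

The context bytes and the allocation flag are what make the manual weeding the text mentions tractable: a hit inside a live program directory explains itself, while the same term sitting in an unallocated cluster is the one worth a closer look. On a real image the search is run over the whole device, and the allocation map comes from the file system's own metadata rather than a constructed set.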
With the prevalence of electronically stored information, it is very easy to transfer files from a hard drive to a USB thumb drive or other external storage device. It’s easy to imagine a scenario in which an employee who has access to key company documents or designs plugs a personal USB storage device into his or her computer and copies these files. The copying might take only a few seconds, and very few traces, if any, would be visible on the surface.
These files could be used for personal gain or sold to a competitor; in either case, the company suffers. Forensic analysis can aid in determining whether a file was copied onto an external device if subsequent events occur. For instance, if the file is later opened from the external device on the computer, a link (shortcut) file is created. These link files keep track of when a file sitting on an external device was opened, and they carry identifiers that can, to some degree, be tied to the external device.
There are also registry entries created on the computer that keep track of which USB devices were attached to the computer, including the first and the last time each USB device was plugged in. With this type of corroborating information, it’s possible to make an educated determination as to whether a file was copied onto an external drive.
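Here is an added example (not from the article) of the correlation the last two paragraphs describe: link-file records are matched to USB device records by the serial number of the volume the link points at, and each opening is checked against the device's first/last connection window. The `USB_DEVICES` and `LNK_RECORDS` data are constructed; the example assumes the analyst has already parsed the link files and the registry and has already mapped each device to the volume serial it carried, since that mapping is not derived here.

```python
from datetime import datetime

# Constructed records, as an analyst would consolidate them from the registry's
# USB device history. The device-to-volume-serial mapping is assumed to have been
# established beforehand; it is not derived in this example. Not real data.
USB_DEVICES = [
    {"device": "USB flash drive, device serial 4C530001230519", "volume_serial": "A1B2-C3D4",
     "first_connected": "2023-03-06T17:40:00", "last_connected": "2023-03-06T17:52:30"},
]

# Constructed output of a link (shortcut) file parser run over the user's Recent folder.
# Each record carries the target the link pointed at, the serial of the volume the
# target sat on, and the link file's own creation time (first opening of the target).
LNK_RECORDS = [
    {"lnk_path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\Q3_pricing.lnk",
     "target_path": r"E:\Q3_pricing.xlsx", "volume_serial": "A1B2-C3D4",
     "lnk_created": "2023-03-06T17:45:10"},
    {"lnk_path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\design_v2.lnk",
     "target_path": r"E:\design_v2.dwg", "volume_serial": "A1B2-C3D4",
     "lnk_created": "2023-03-06T17:46:02"},
    {"lnk_path": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Recent\budget.lnk",
     "target_path": r"C:\Users\jdoe\Documents\budget.xlsx", "volume_serial": "7F00-1234",
     "lnk_created": "2023-03-05T10:00:00"},
]


def _t(s):
    return datetime.fromisoformat(s)


def correlate_lnk_with_usb(lnk_records, usb_devices):
    """For every link whose target lived on a volume matching a known USB device,
    report the device and whether the opening time falls inside the window in
    which the registry says that device was connected."""
    by_serial = {d["volume_serial"]: d for d in usb_devices}
    findings = []
    for rec in lnk_records:
        dev = by_serial.get(rec["volume_serial"])
        if dev is None:
            continue  # target was on an internal or unknown volume
        opened = _t(rec["lnk_created"])
        within = _t(dev["first_connected"]) <= opened <= _t(dev["last_connected"])
        findings.append({
            "target_path": rec["target_path"],
            "device": dev["device"],
            "opened_at": rec["lnk_created"],
            "within_connection_window": within,
        })
    return findings


def timeline(lnk_records, usb_devices):
    """Merge device connections and file openings into one ordered list of events."""
    events = []
    for d in usb_devices:
        events.append((d["first_connected"], "usb-first-connected", d["device"]))
        events.append((d["last_connected"], "usb-last-connected", d["device"]))
    for f in correlate_lnk_with_usb(lnk_records, usb_devices):
        events.append((f["opened_at"], "file-opened-from-device", f["target_path"]))
    return sorted(events)


if __name__ == "__main__":
    for when, what, detail in timeline(LNK_RECORDS, USB_DEVICES):
        print(when, what, detail)
```

A finding with `within_connection_window` set to true is the "educated determination" the text speaks of: the file is known to have existed on the removable volume while that volume was attached. The example does not claim to prove the copy itself, only the later opening, which is exactly the limitation the text states.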
Usage patterns can also be gleaned from computer logs and system files. For instance, parsing the security event log will give log-in and log-out dates and times for each user on the machine. The event log typically logs events until purged, so a forensic analysis can be done by comparing historical usage patterns with usage patterns of a particular time period.
Abnormal behavior can be highlighted in this fashion. Other types of events that can be tracked include the number of web visits, number of file modifications, number of files last accessed and the number of files created on a given day, week or month.
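As an added example (not part of the article), the code below applies the baselining idea from the two paragraphs above to a constructed, already-parsed security event log: it counts logons per user per day, compares each day against that user's other days, lists logons outside a business-hours window, and pairs logons with logoffs to get session lengths. The event records, the seven-to-eight business-hours window and the two-standard-deviation rule are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed, simplified export of a security event log: one record per logon or
# logoff, already reduced to (timestamp, user, event type). Not real data.
EVENTS = []
for day in range(1, 6):  # five ordinary working days for user jdoe
    EVENTS.append((f"2023-03-0{day}T08:58:00", "jdoe", "logon"))
    EVENTS.append((f"2023-03-0{day}T17:05:00", "jdoe", "logoff"))
EVENTS += [  # a sixth day with an early-morning logon and repeated short sessions
    ("2023-03-06T02:10:00", "jdoe", "logon"),
    ("2023-03-06T02:40:00", "jdoe", "logoff"),
    ("2023-03-06T09:00:00", "jdoe", "logon"),
    ("2023-03-06T12:00:00", "jdoe", "logoff"),
    ("2023-03-06T12:30:00", "jdoe", "logon"),
    ("2023-03-06T13:00:00", "jdoe", "logoff"),
    ("2023-03-06T13:05:00", "jdoe", "logon"),
    ("2023-03-06T14:00:00", "jdoe", "logoff"),
    ("2023-03-06T14:10:00", "jdoe", "logon"),
    ("2023-03-06T15:00:00", "jdoe", "logoff"),
    ("2023-03-06T15:20:00", "jdoe", "logon"),
    ("2023-03-06T17:00:00", "jdoe", "logoff"),
]


def daily_logon_counts(events):
    """{user: {YYYY-MM-DD: number of logons}}"""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, kind in events:
        if kind == "logon":
            counts[user][ts[:10]] += 1
    return counts


def anomalous_days(events, k=2.0, min_days=3):
    """Flag (user, day) pairs whose logon count exceeds a baseline built from that
    user's *other* days (leave-one-out, so the outlier does not inflate its own
    baseline) by k standard deviations, or by at least one logon when the
    baseline is perfectly regular."""
    flagged = []
    for user, per_day in daily_logon_counts(events).items():
        for day, n in sorted(per_day.items()):
            others = [c for d, c in per_day.items() if d != day]
            if len(others) < min_days:
                continue  # not enough history to say what is normal
            threshold = mean(others) + max(k * pstdev(others), 1)
            if n > threshold:
                flagged.append({"user": user, "day": day, "logons": n, "threshold": threshold})
    return flagged


def out_of_hours_logons(events, start_hour=7, end_hour=20):
    """Logons whose hour of day lies outside [start_hour, end_hour)."""
    return [(ts, user) for ts, user, kind in events
            if kind == "logon" and not start_hour <= datetime.fromisoformat(ts).hour < end_hour]


def session_durations(events):
    """Pair each logon with the next logoff of the same user; minutes per session."""
    open_logon, sessions = {}, []
    for ts, user, kind in sorted(events):
        if kind == "logon":
            open_logon[user] = ts
        elif kind == "logoff" and user in open_logon:
            start = open_logon.pop(user)
            minutes = (datetime.fromisoformat(ts) - datetime.fromisoformat(start)).total_seconds() / 60
            sessions.append((user, start, ts, minutes))
    return sessions


if __name__ == "__main__":
    print("anomalous days:", anomalous_days(EVENTS))
    print("out of hours:", out_of_hours_logons(EVENTS))
    for s in session_durations(EVENTS):
        print(s)
```

The same counting functions work unchanged for the other event types listed in the text (web visits, file modifications, files created) once those are reduced to (timestamp, user, kind) records; only the baseline window and the kind being counted change.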
Finally, forensics can be used to recover deleted files. When a file is deleted from a hard drive, the space that this file occupies is marked as “free” or “unallocated.” This tells the system that it can reuse the space.
Traces of this file are left on the hard drive until the sectors it resides on are either overwritten or wiped. Using forensic tools and techniques, a forensic technician may be able to “undelete” or recover these files. Depending on the amount of usage, it may be possible to recover only fragments of the deleted file.
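The block below is an added illustration (not the article's code) of one way "undeleting" works when the file system no longer has a record of the file: signature-based carving over an unallocated region. It looks for the standard JPEG and PNG header and trailer markers, returns complete files where the trailer is still present, and returns a labelled fragment where the tail has been overwritten, which is the partial-recovery case the last sentence describes. The `SAMPLE_UNALLOCATED` buffer is constructed; the size cap is an assumption.

```python
# (header, trailer) signatures. These are the standard JPEG and PNG markers.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}
MAX_FILE_SIZE = 10 * 1024 * 1024  # assumed cap so a missing trailer cannot run away

# Constructed unallocated region: two intact deleted images, then a third whose
# tail (and trailer) was reused by something else. Not real data.
SAMPLE_UNALLOCATED = (
    b"\x00" * 64
    + b"\xff\xd8\xff\xe0" + b"JFIF-like payload A" + b"\xff\xd9"          # intact JPEG
    + b"\x00" * 32
    + b"\x89PNG\r\n\x1a\n" + b"png chunk data" + b"IEND\xaeB`\x82"         # intact PNG
    + b"\x00" * 16
    + b"\xff\xd8\xff\xe1" + b"second image overwritten after this"         # truncated JPEG
    + b"\x00" * 40
)


def _all_header_offsets(buf):
    """Every (offset, type) where a known header begins, in offset order."""
    offsets = []
    for ftype, (header, _) in SIGNATURES.items():
        pos = buf.find(header)
        while pos != -1:
            offsets.append((pos, ftype))
            pos = buf.find(header, pos + 1)
    return sorted(offsets)


def carve(buf, max_size=MAX_FILE_SIZE):
    """Return carved objects as dicts: type, offset, length, complete flag, data.
    A file is 'complete' only when its trailer is found within max_size bytes;
    otherwise the fragment runs to the next header or the cap, whichever is first.
    Files with embedded thumbnails (a header inside a header) need extra handling
    that this illustration leaves out."""
    results = []
    headers = _all_header_offsets(buf)
    for i, (start, ftype) in enumerate(headers):
        header, trailer = SIGNATURES[ftype]
        limit = min(len(buf), start + max_size)
        t = buf.find(trailer, start + len(header), limit)
        if t != -1:
            end, complete = t + len(trailer), True
        else:
            next_hdr = headers[i + 1][0] if i + 1 < len(headers) else len(buf)
            end, complete = min(next_hdr, limit), False
        results.append({
            "type": ftype,
            "offset": start,
            "length": end - start,
            "complete": complete,
            "data": buf[start:end],
        })
    return results


if __name__ == "__main__":
    for item in carve(SAMPLE_UNALLOCATED):
        state = "complete" if item["complete"] else "fragment"
        print(f"{item['type']} at {item['offset']} ({item['length']} bytes): {state}")
```

Carving recovers content, not names or dates: the file's name and timestamps lived in the directory entry the file system freed, so a carved file is usually reported by offset and hash, and the "fragment" flag is the honest answer when the sectors after the header have already been reused.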