Category: Computer Forensics

Spooky Tales of Data Preservation – Ghosts and Forensic Images

My latest column “Ghosts and Forensic Images” is up on InsideCounsel.com.

I’m obviously capitalizing on a popular upcoming Fall holiday, but I detail the important differences between a forensically-sound “image” of a hard drive and a “Ghost” copy.

Link to article.

Explaining Computer Forensics to Lawyers

I found a small treasure trove of articles on e-discovery and computer forensics today from Burgess Forensics. I especially liked the article “How is data written, stored on, and erased from hard disks?” by Steve Burgess, where he likens hard drives to “a hybrid of a record album and pizza pie … or a dartboard” in an attempt to describe how data is stored on computer hard drives.


Last week I had the pleasure of presenting a Webinar for LegalSpan (Manexa) entitled “How and When to Use Computer Forensics Professionals.” In my research for this presentation, I realized how difficult it is to explain to non-technical folks how operating systems store data on computer hard disks. It has always made perfect sense to me because of my background, but it’s tough to smoothly explain how bits, bytes, sectors, and clusters build upon each other, why hard drives have “slack space,” why data is rarely saved in consecutive clusters, and so on.

The Steve Burgess article does a great job of introducing the terminology, but the masterful Craig Ball takes your hand and gracefully leads you through the woods of bits and bytes in his concise compendium entitled “4 on Forensics: Four Articles on Computer Forensics for Lawyers.” If you’re a lawyer who needs to understand how to preserve a computer’s hard drive, Craig’s “4 on Forensics” is an absolute must read. And thanks to Craig’s easy style, I guarantee that you will have a solid foundation in computer forensics when you’re done reading. The first of the four articles, “Computer Forensics for Lawyers Who Can’t Set a Digital Clock,” is the longest and the most relevant. Read that one if you can’t get to anything else.

I would be remiss if I did not mention Sensei Enterprises, Inc., the digital home of Sharon D. Nelson, Esq. and John W. Simek. Not only have the two collaborated on the terrific ABA book The Electronic Evidence and Discovery Handbook: Form, Checklists and Guidelines, but Sharon Nelson now authors the informative (and often entertaining) electronic evidence blog entitled “ride the lightning.” You can find a wonderful chunk of articles on their Website, and I will specifically recommend “Finding Wyatt Earp: Your Computer Forensics Expert,” which provides a compact set of suggestions to consider when you need the services of a computer forensics examiner.

Computer forensics has always had a “CSI mystique” about it, mainly because so many people have never had to worry (or care) about how their computer stores data on the hard drive. And while you really don’t need to know how the innards of a computer work to send e-mail or type a document, you should have a basic understanding of the technology in use so you can confidently communicate with the computer forensics professional you hire.

The blanket rule when it comes to computer forensics is DON’T DO IT YOURSELF (or don’t let your client do it themselves). Many IT professionals wrongly assume that they can make a full copy of the hard drive themselves that will preserve the data. Unfortunately, many of these copies will NOT be considered forensically sound images of the hard drive: they capture only the files the operating system currently lists (not slack space or unallocated clusters), and the act of making them changes data on the drive, which could lead to claims of spoliation.

It’s never worth the gamble – always call a professional, certified computer forensics professional when you need to preserve the data on a computer hard drive.
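The two points above (the sectors-and-clusters layout with its slack space, and why a file-level copy such as a Ghost backup is not a forensically sound image) are easier to see on a toy disk than in prose. The following is an added example, not code from the original post or from any of the products it names: it builds a constructed 16 KiB "drive" with hypothetical 512-byte sectors and 4-sector clusters, writes a small file over the remnants of a deleted one, and then compares what a file copy captures against what a sector-by-sector image captures. It also shows the acquisition check a forensic examiner performs (hashing the image against the source) and how simply booting the machine breaks that check.

```python
"""Constructed model: forensic image vs. file copy, slack space, and hashing."""
import hashlib

SECTOR = 512                       # bytes per sector (hypothetical geometry)
SECTORS_PER_CLUSTER = 4            # 2 KiB clusters, chosen for the demo
CLUSTER = SECTOR * SECTORS_PER_CLUSTER
N_CLUSTERS = 8                     # tiny 16 KiB "disk"


def slack_bytes(file_size: int, cluster_size: int = CLUSTER) -> int:
    """Unused bytes in a file's last allocated cluster (file slack)."""
    return 0 if file_size == 0 else (-file_size) % cluster_size


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_disk() -> tuple[bytearray, dict]:
    """Constructed sample disk. An old file filled clusters 2-4, was deleted
    (only its directory entry removed), then a 2496-byte file was written
    starting at cluster 2. Returns the raw disk and the live directory entry."""
    disk = bytearray(CLUSTER * N_CLUSTERS)
    old = (b"OLD-CONFIDENTIAL-MEMO " * 400)[:3 * CLUSTER]
    disk[2 * CLUSTER:5 * CLUSTER] = old          # remnants of the deleted file
    new = b"Quarterly report: all figures nominal.\n" * 64   # 39 * 64 = 2496 bytes
    disk[2 * CLUSTER:2 * CLUSTER + len(new)] = new
    entry = {"name": "report.txt", "start_cluster": 2, "size": len(new)}
    return disk, entry


def logical_copy(disk: bytearray, entry: dict) -> bytes:
    """What a file-level copy (Ghost-style backup, drag-and-drop, xcopy) gets:
    only the bytes the directory entry says belong to the live file."""
    start = entry["start_cluster"] * CLUSTER
    return bytes(disk[start:start + entry["size"]])


def forensic_image(disk: bytearray) -> bytes:
    """A sector-by-sector image: every byte, allocated or not."""
    return bytes(disk)


def verify_image(image: bytes, disk: bytearray) -> bool:
    """Acquisition check: hash of the image must equal hash of the source."""
    return sha256(image) == sha256(bytes(disk))


def file_slack(image: bytes, entry: dict) -> bytes:
    """Bytes between end-of-file and the end of the file's last cluster."""
    end_of_data = entry["start_cluster"] * CLUSTER + entry["size"]
    return image[end_of_data:end_of_data + slack_bytes(entry["size"])]


def unallocated(image: bytes, entries: list[dict]) -> bytes:
    """Every cluster that no live directory entry claims, concatenated."""
    used = set()
    for e in entries:
        n = -(-e["size"] // CLUSTER)             # ceiling division
        used.update(range(e["start_cluster"], e["start_cluster"] + n))
    return b"".join(image[c * CLUSTER:(c + 1) * CLUSTER]
                    for c in range(N_CLUSTERS) if c not in used)


def boot_and_write(disk: bytearray) -> None:
    """Simulate switching the machine on before imaging: the OS writes a log
    into a free cluster, overwriting remnants and changing the drive's hash."""
    log = b"boot log: system started\n" * 10
    disk[4 * CLUSTER:4 * CLUSTER + len(log)] = log


if __name__ == "__main__":
    disk, entry = build_disk()
    image = forensic_image(disk)
    print("image verifies against source:", verify_image(image, disk))
    print("file slack bytes:", slack_bytes(entry["size"]))
    print("remnant visible in slack:", b"CONFIDENTIAL" in file_slack(image, entry))
    print("remnant visible in unallocated:", b"CONFIDENTIAL" in unallocated(image, [entry]))
    print("remnant visible in file copy:", b"CONFIDENTIAL" in logical_copy(disk, entry))
    boot_and_write(disk)
    print("earlier image still verifies after boot:", verify_image(image, disk))
```

The file copy returns exactly 2496 bytes and nothing of the deleted memo, while the image exposes 1600 bytes of slack and six unallocated clusters that still carry it; after the simulated boot, the hash of the live drive no longer matches the image taken earlier, which is the kind of discrepancy that invites a spoliation argument.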

General counsel and computer forensics

A quick read from Inside Counsel magazine on how general counsel must have an increasing awareness of how technology and the law interoperate, including on topics such as computer forensics. The key quote from author Charles Blixt:

“For years, GCs have primarily focused on the law and protection of an organization from a legal standpoint, but now a GC also has to be somewhat of an expert on an organization’s networks and technology – whether we like it or not.”

Shirley you need to know more about computer forensics

A fantastic story that brings the world of computer forensics to the layman from Robert Mitchell at Computerworld.com. Mr. Mitchell had the unenviable task of attempting to recover 736 family photos from his mother-in-law’s computer. He details how he first tried free recovery applications found on the Internet and eventually contacted and worked with Ontrack’s specialists to gather the bulk of the missing photos.

I like how Robert uses his unfortunate experiences (i.e. he turns on the computer before making an image of the hard drive) to present a good lesson to others. Of course the story revolves around family photos, but it could just as easily involve discoverable files deleted by an unhappy employee.

Robert does a good job of following up on the story and responding to reader questions here and here.

Cell Phone “CSI”

A good article from CNET senior editor Robert Vamosi entitled “Cell Phone ‘CSI’” where he discusses using Guidance Software’s WaveShield box and EnCase software to get data off a cell phone.

Spyin’ on your Torrents in RAM

The MPAA’s suit against TorrentSpy is taking an interesting curve into e-discovery. Gigalaw pointed to CNET’s story today on how the MPAA is requesting data that resides in the RAM of TorrentSpy’s servers.

Every Web server can log user activity, but that feature is commonly turned off. Fortunately the judge stated that her ruling should not be read to require all litigants to preserve information temporarily stored in RAM. TorrentSpy is appealing.

Update June 13, 2007

Law.com (via The Recorder) runs a story entitled “RAM Ruling Portends a New E-Discovery Brawl” that expounds a little more on the legal implications of the TorrentSpy case. Mind you, TorrentSpy does not directly offer the videos and downloads on their site, they simply operate as a search engine for the torrent files that will then allow you to download the allegedly infringing files. So in a way, we’re back to some Napster arguments.

The MPAA is quoted as saying that

“the [RAM] data would show the number of requests for torrent files corresponding to the studios’ works, and the dates and times of such requests which demonstrates exactly how TorrentSpy is used to facilitate massive copyright infringement.”

Fortunately, the judge has ordered that the RAM data be encrypted so that customers’ names would not be revealed.

Anti-Forensics

An excellent article from CIO magazine on “anti-forensics” entitled “How Online Criminals Make Themselves Tough to Find, Near Impossible to Nab” (thanks to TechDirt). Good quote:

“Computer crime has shifted from a game of disruption to one of access.”

The article mentions how illegally gaining access to systems is now at “hobby level.” In other words, almost anyone can download the tools they mention in the article and use them for malicious purposes.

There is a short discussion on how computer records are used to establish a presumption of reliability and the article ends declaring a shift in how forensics investigations should be conducted from now on.

Forensics professionals have historically relied on the technology (the hard drive image and data dump) to piece together the story on criminals, but now with the rise of anti-forensic tools, investigators will have to rely more on the “people” side – looking for physical cracks in the methods used by computer criminals; finding associates willing to turn on their criminal counterparts; and conducting interviews.

Protection against “Wholesale Rummaging”

Bret Thielen complained that the Blinko service (owned by Buongiorno but take caution in visiting the site) was sending text messages to his cell phone that he didn’t ask for. He was mad enough to sue the company in the Western District of Michigan (download from Thelen Reid Brown Raysman & Steiner LLP blog, found via George Socha’s In Re Discovery blog).

Blinko/Buongiorno insisted that customers must subscribe to its service to receive messages, so they wanted to search through Thielen’s computer hard drive to prove he visited the Blinko site and subscribed to their service. In electronic discovery, this is how forensics can be helpful – a forensics expert can go through a hard drive and re-build the story or timeline of how the events happened (the story metaphor is a favorite of good friend and computer forensics expert Craig Ball).

Judge Brenneman, Jr., however, recognized that giving defendants “unrestricted access” to Thielen’s hard drive would “certainly constitute an undue burden” and would result in a “wholesale rummaging through plaintiff’s filing cabinet.”

Judge Brenneman also lamented:

“Unlike the not so distant past, when individual file folders pertaining to specific subjects could be readily identified and removed from a file drawer for inspection without disclosing the rest of the contents of the file cabinet to the opposing side, inspection of an opponent’s computer may open up countless files to the searcher that are not relevant and may be proprietary or privileged.”

The end result was the Judge ordering an “experienced forensic examiner” to look over the hard drive and then provide a “hard copy of his proposed findings to plaintiff’s counsel for review prior to furnishing them to defendant’s counsel.” I am a little confused why the Judge is requesting a “hard copy,” but that is the Judge’s prerogative.

The lesson here, according to Michael Overlay on the CSO blog, is to be careful what you ask for. The other side could just as easily come back and ask for everything, resulting in MAD (Mutually Assured Destruction) as applied to electronic discovery.