Wayne T. Miles - Atlas Information Research, Inc.
When someone mentions the term "Computer Forensics", a lot of people have no idea of what it really is, at least most people outside of the investigative business anyway. Regardless, I thought I would start out by giving my definition of what it is . . .
"Computer Forensics" involves the preservation, identification, extraction, documentation and interpretation of computer data. It all sounds very simple put into words, but there's a lot more to it than that. It's really more of an "art" than a "science".
As with most investigative procedures, computer forensics specialists need to follow strict guidelines and procedures when performing their work. Because of the different computer operating systems out there today, one has to be extremely careful when poking around a computer system looking for clues. I know from being a computer consultant for many years that various operating systems have come and gone. It seems that as soon as you learn all the new tricks and think you know everything, someone comes along with a newer version and you have to start all over again. One thing is for sure - when it comes to computers - the learning curve never seems to end!
Computer forensics has not been around for a long time. It's only been a few years since even the largest hard drives could be copied or backed up onto Zip drives. That made collecting data simple. Today, hard drives are much larger and they involve networks and the internet. Much more to add to that learning curve I mentioned . . . The thing to remember is that although the computer systems change, the basic method in which you conduct your investigation does not change. Develop a winning methodology now and stick to it.
A good method to use is commonly known as the "Three A's" . . .
1. Acquire the evidence without altering or damaging the original.
2. Authenticate that the evidence is the same as the original.
3. Analyze the data without modifying
And of course, keep very good documentation along the journey. I know, you hate writing reports! But as any good investigator knows, you have to treat every investigation as if it will end up in court. Document everything right from the very beginning.
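Here is the Three A's routine above, with the case log the last paragraph insists on, written out as a small added example (my code, not from the original article). The tiny "disk image" and its file names are constructed sample data, and SHA-256 hashing stands in for whatever authentication method the investigator actually uses.

```python
"""Worked run of the "Three A's" on constructed sample data (not a real image)."""
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired drive: a few NUL-separated records.
ORIGINAL_MEDIA = (
    b"boot sector (constructed sample)\x00"
    b"memo.txt: meeting moved to Thursday\x00"
    b"notes.tmp: call the accountant about the invoice\x00"
)

def sha256(data: bytes) -> str:
    """Fingerprint that ties every log entry to the evidence it describes."""
    return hashlib.sha256(data).hexdigest()

def record(log: list, step: str, **fields) -> None:
    """Append a timestamped entry to the case log (the 'document everything' part)."""
    log.append({"time": datetime.now(timezone.utc).isoformat(), "step": step, **fields})

def acquire(media: bytes, log: list) -> bytes:
    """Acquire: take a bit-for-bit copy; the original is only read, never written."""
    image = bytes(media)
    record(log, "acquire", size=len(image), sha256=sha256(image))
    return image

def authenticate(original: bytes, image: bytes, log: list) -> bool:
    """Authenticate: the copy's hash must equal the original's hash."""
    ok = sha256(original) == sha256(image)
    record(log, "authenticate", match=ok)
    return ok

def analyze(image: bytes, keyword: bytes, log: list) -> list:
    """Analyze: search the copy only, then re-hash it against the acquisition
    hash so the log shows the evidence was not changed by the analysis."""
    acquired = next(e["sha256"] for e in log if e["step"] == "acquire")
    hits = [r.decode(errors="replace") for r in image.split(b"\x00") if keyword in r]
    record(log, "analyze", keyword=keyword.decode(), hits=len(hits),
           unchanged=sha256(image) == acquired)
    return hits

def run_case(media: bytes, keyword: bytes) -> tuple:
    """All three steps in order; a failed authentication stops the case."""
    log = []
    image = acquire(media, log)
    if not authenticate(media, image, log):
        raise RuntimeError("copy does not match original: stop and document")
    return analyze(image, keyword, log), log
```

The returned log is what goes into the report: every step carries a time and, where it matters, the hash that lets someone else confirm the copy was never altered.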
The very first step in the computer forensics process is acquiring the evidence. To do that you have to gain access to the subject computer. There are many ways to do that of course - you could have someone bring it to you. That would be real easy and you would have all the time and space you need to conduct your investigation. Normally that is not the case for the Private Investigator . . . we get to sneak in and use our immense stealth capabilities to gather our information and leave without waking the dog! Remember the "old days" before computers, when all you needed to do was break in to the Watergate Hotel and rummage through the files? Times have sure changed since then.
I was asked one time "What do you do when you get inside someone's computer and mess things up?". My first response to that question was "Run - run fast!". But after a brief moment of flashbacks I said "Know what you are doing before you go in - or don't go in at all". It's kind of like doing surveillance on someone and letting them get away because you don't want to blow your cover - you can always pick them up another day. But if you blow your cover it's over - at least for you. Don't be afraid of backing away from a situation that you don't know enough about. Call in some help if you need to. As a Private Investigator, you are not expected to be an expert on all the different operating systems and networks that are out there in today's business world. You may find that all you are able to do is gather information about the system and then return later with the proper tools and knowledge to gain access to
In some cases you may not have access to a "system administrator" or even someone that can tell you what kind of network system they have! I have been to businesses where all they can tell you about the computer system is "that's the server thing under the desk". That's about all they know.
The tricky thing about computers is that no two are ever alike. You have to be very careful and analyze what is going on with it before you dive in and snoop around. It's possible to set up different types of networking within the same operating system. For example, with Microsoft Windows 2000 Professional, you can have the network configured in many different ways. It could be set up as a simple peer-to-peer network or as a dedicated server. These are things that you will have to determine right away, and they will determine what level of expertise you are going to need before you dive in and start playing around.
I was doing some consulting work with another agency once and I received a call from a female agent who unknowingly was about to make a very big mistake. She was assigned the task of installing some monitoring software on a computer and had never even seen the software work before! Also, her basic computer skills were lacking, to say the least. Needless to say this was going to turn into a total disaster, so I helped her through it by going with her and making it a training assignment for her. The lesson here is this . . . Just because you are an "Investigator", that doesn't mean you can poke around anywhere you want to. Know your limitations. Know your skills. If you have doubts about your computer skills, practice at the office. And don't be afraid to call for backup! The best time to do that is before you get in over your head.
The most important thing to remember about computer forensics is that it requires special skills. That's what makes it an "art". Every case will be different and require a different approach. You as an investigator will be required to have a good set of skills to draw upon once you get in front of the computer. Don't think that because you can log onto AOL and get your eMail, that you are qualified to enter a corporate network system, collect your evidence, and leave without a trace - It ain't gonna happen! Know what you are doing and know your limitations. Don't be afraid to ask for assistance or bring in the experts. It's always better to hand off the assignment than to blow your investigation and damage the evidence. Once you do that, it's pretty much over.
A lot of agencies have not had a need to do computer forensics, or they have just avoided it up until now. But the day will soon come that you are asked to investigate an incident and you will have to be prepared. As you learn more, you will gain confidence and acquire new skills. Even if all you do is a low level assessment, follow the "Three A's" and I am sure that your efforts will be a success.
Be flexible. Be cautious. Know what you