Investigative computer forensics is playing an increasingly important role in the resolution of challenges, disputes, and conflicts of every kind and in every corner of the world. Yet, for many, there is still great apprehension when contemplating leveraging these emerging technologies, preventing them from making the most of investigative computer forensics and its extraordinary potential to dissect everything from common crime to sophisticated corporate fraud. Empowering you to make tough and informed decisions during an internal investigation, electronic discovery exercise, or while engaging the capabilities of a computer forensic professional, Investigative Computer Forensics explains the investigative computer forensic process in layman's terms that users of these services can easily digest. Computer forensic/e-discovery expert and cybercrime investigator Erik Laykin provides readers with a cross section of information gleaned from his broad experience, covering diverse areas of knowledge and proficiency from the basics of preserving and collecting evidence through to an examination of some of the future shaping trends that these technologies are having on society. 
Investigative Computer Forensics takes you step by step through:
* Issues that are present-day drivers behind the converging worlds of business, technology, law, and fraud
* Computers and networks--a primer on how they work and what they are
* Computer forensic basics, including chain of custody and evidence handling
* Investigative issues to know about before hiring a forensic investigator
* Managing forensics in electronic discovery
* How cyber-firefighters defend against cybercrime and other malicious online activity
* Emerging standards of care in the handling of electronic evidence
* Trends and issues affecting the future of the information revolution and society as a whole
Thoroughly researched and practical, Investigative Computer Forensics helps you--whether attorney, judge, businessperson, or accountant--prepare for the forensic computer investigative process, with a plain-English look at the complex terms, issues, and risks associated with managing electronic data in investigations and discovery.
Page count: 516
Publication year: 2013
Contents
Cover
Title Page
Copyright
Dedication
Foreword
Preface
Acknowledgments
Author's Note
Introduction: Investigative Computer Forensics
Changes in Technology
Changes in the Role of the Investigator
What Is Computer Forensics?
Chapter 1: The Glue
The Relevancy of Truth
Foundations of Digital Evidence
Investigative Objectives
The Investigative Process
Trust
Privacy
Chapter 2: A Primer on Computers and Networks
The Mechanics of Electronically Stored Information
Optical Drives
The Server
The Router
Application Data
Metadata
Databases
Internet Data
E-mail Mechanics
The IP Address
Computer Time Artifacts
Social Media
Tablets
Cellular Telephones and Smartphones
Audio and Video
The Global Nervous System: Worldwide Data
Fundamentals of Network Traffic
The Firewall
Data- and Traffic-Gathering Applications
Dynamic Data Capture
The Cloud
International Data Security and Privacy Issues
Chapter 3: Computer Forensic Fundamentals
The Establishment of the Computer Forensic Laboratory
Evidence and Access Controls
The Forensic Workstation
Current Tools and Services
Building a Team and a Process
Computer Forensic Certifications
The Human Quotient
The Devil Is in the Details
Chapter 4: Investigative Fundamentals
The Investigative Mind-Set
Case Management
Fraud and Investigative Analysis
Information Sources and Records
Investigative Techniques
Surveillance and Interviewing
Trade Secret Theft and IP Investigations
Human Resources and Interpersonal Investigations
Reporting and Testifying
Chapter 5: The Underpinnings of Investigative Computer Forensics
Seizure and Examination of Digital Evidence
Data Classification and Records Management
Deleted Data
Backups and Systems Preservation
Computer Crime Analysis and Reconstruction
The Who, What, Where, How of Data
Contracts, Agreements, Third Parties, and Other Headaches
Ethics and Management
Chapter 6: Tactical Objectives and Challenges in Investigative Computer Forensics
Preparing for the Attack
Early Case Assessment
Investigative Pacing, Timing, and Setting Expectations
Working with Multinational Teams
Collections of Electronic Data in the Cloud and in Social Media
Investigating Internet Service Provider Records
Bridging the Actual World with the Cyberworld
Packaging the Findings
Chapter 7: The Cyber-Firefighters
Incident Response Fundamentals
Data Breaches
Theft and Fraud
Systems Failures
Internal Investigations
The Real-Time Predicament
Building a Global Resource Network
Honeypots and Other Attractive Intel-Gathering Targets
Databases and Structured Data
Organized Crime in the Cyber-Underworld
The Cyber-Underworld in Various Regions
State-Sponsored Cybercrime
Identity Theft
Intellectual Property and Trade Secret Theft
Botnets, Malware, Trojans, and Phishing
Data Breach Vulnerabilities
Hackers and Their Environment
Chapter 8: E-Discovery Responsibilities
Data Identification
Electronic Discovery Reference Model
E-Discovery Stages
Common E-Discovery and Foreign Data Challenges
Tools, Services, and Technologies
Emerging E-Discovery Realities
European and Asian Observations
Digital Evidence in the Courtroom
Chapter 9: The Future
Privacy and the Data Ecosystem
Access Controls and the Evolution of Trust
Global Communications Systems in the Cloud
Nanotechnology and Cognitive Computing
Digital Demographics and the Emerging Global Citizen
Extra-National Investigative Networks and the Information Union
Zero Day Forensics
Concluding Thoughts
About the Author
Index
Cover image: © Grzegorz Wolczyk/iStockphoto
Cover design: John Wiley & Sons, Inc.
Copyright © 2013 by John Wiley & Sons, Inc. All rights reserved.
Published by John Wiley & Sons, Inc., Hoboken, New Jersey. Published simultaneously in Canada.
No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning, or otherwise, except as permitted under Section 107 or 108 of the 1976 United States Copyright Act, without either the prior written permission of the Publisher, or authorization through payment of the appropriate per-copy fee to the Copyright Clearance Center, Inc., 222 Rosewood Drive, Danvers, MA 01923, (978) 750-8400, fax (978) 646-8600, or on the Web at www.copyright.com. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.
Limit of Liability/Disclaimer of Warranty: While the publisher and author have used their best efforts in preparing this book, they make no representations or warranties with respect to the accuracy or completeness of the contents of this book and specifically disclaim any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives or written sales materials. The advice and strategies contained herein may not be suitable for your situation. You should consult with a professional where appropriate. Neither the publisher nor author shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
For general information on our other products and services or for technical support, please contact our Customer Care Department within the United States at (800) 762-2974, outside the United States at (317) 572-3993 or fax (317) 572-4002.
Wiley publishes in a variety of print and electronic formats and by print-on-demand. Some material included with standard print versions of this book may not be included in e-books or in print-on-demand. If this book refers to media such as a CD or DVD that is not included in the version you purchased, you may download this material at http://booksupport.wiley.com. For more information about Wiley products, visit www.wiley.com.
Library of Congress Cataloging-in-Publication Data:
Laykin, Erik.
Investigative computer forensics : the practical guide for lawyers, accountants, investigators, and business executives / Erik Laykin, CHFI, CEDS.
pages cm
Includes index.
ISBN 978-0-470-93240-7 (hbk.) – ISBN 978-1-118-22141-9 (ePDF) (print) – ISBN 978-1-118-25988-7 (Mobi) (print) – ISBN 978-1-118-23522-5 (ePub) (print) – ISBN 978-1-118-57211-5 (o-Book) (print)
1. Computer crimes–Investigation. 2. Computer security. 3. Fraud investigation. 4. Corporations–Corrupt practices. I. Title.
HV8079.C65L395 2013
363.25'968–dc23
2012038779
In memory of Melinda Laykin Brun Esq. (1942–2005), senior trial counsel for the State of California Department of Corporations, and known in the courtroom as “The Battleship.” A fierce fighter for the underdog, an advocate for victims, and an electronic data visionary who gave me the gift of inspiration to enter the field of computer forensics during its nascent days.
Foreword
Over the course of a 25-year career in corporate investigations that have required my expertise in places as diverse as San Diego to Shanghai and New York to New Delhi, I have witnessed a dramatic shift in the methodologies, technologies, and type of personnel deployed on fact-finding exercises. From traditional gumshoe-style investigations of larceny, fraud, and crime to sophisticated corporate electronic discovery boondoggles that require the analysis of mind-boggling volumes of electronic data, the world of investigations now requires a level of technical sophistication that was unimaginable a generation ago. The acronyms are daunting, the risks of taking missteps are found at every turn, and the ramifications of mismanaging data have been felt by plaintiffs, defendants, and corporations far and wide in recent years in the form of adverse inferences, sanctions, and default judgments.
One of my early major cases was the subject of a New York Times best-seller and film starring John Travolta and Robert Duvall titled A Civil Action, in which William H. Macy played my role, and he hit it out of the park. But what is interesting to me today these short 17 years later is that during that entire epic investigation and courtroom battle in which we were pitched against two of the nation's most fearsome litigation firms, the words electronic discovery were never uttered. Our world was of paper documents and the physical handling of evidence acquired the old-fashioned way.
A few years later I learned firsthand while working on the watershed Zubulake v. UBS Warburg matter under the watchful eye of Federal Judge Shira Scheindlin just how much things had changed, and scarier yet, just how out of touch so many of the players were with the complex terms, issues, and risks associated with this newly emerging world of managing electronic data in investigations and discovery.
Erik Laykin's book Investigative Computer Forensics zeros in on a real need felt by lawyers, jurists, accountants, administrators, management, and business executives around the globe. This need is to explain the investigative computer forensic process in layman's terms that the users of these services can understand so that they may be more well-informed while engaging the capabilities of a computer forensics professional. It is rare to meet a lawyer or business professional who has taken it on themselves to understand this landscape prior to their having an immediate and dire need for the services, so I believe there will be readers of this book who will find themselves far more empowered to make the tough decisions during an internal investigation or an electronic discovery exercise that they find themselves embroiled in involuntarily.
Having worked with Erik on some of the most challenging computer forensic investigations during the early years of this industry's formation as well as having competed with him earnestly in the marketplace, I am honored to provide this foreword. I can truly say that Erik is one of the unique pioneers of computer forensic investigations. He not only can distill complex technical information into easily understandable concepts, but he always retained a long-term global perspective on the relevancy of our work and on the impact of the information revolution on the social and business structures of tomorrow.
James Gordon
Managing Director
Navigant Consulting, Inc.
Preface
This book is different from other books on the topic of computer forensics insofar as the intended audience is not computer forensic professionals and technicians but instead the users of computer forensic services.
Much has been written on the topic of computer forensics from a highly technical perspective, but little exists to help guide an attorney, a judge, a regulator, an executive, or an accountant along important decision points and requirements for the deployment of computer forensic services for the purposes of investigation.
This volume seeks to demystify many of the computer forensic techniques and various technical terms and procedures used during the capture and analysis and presentation of electronic data within the context of investigation or litigation.
It also provides a viewpoint as to where the world of digital data is taking us. At times you may agree or disagree with some of the positions taken here and that is exactly the point. We are operating in a new world where the nuances of electronic data and its impact on our daily lives can no longer be adjudicated to one linear line of thought or reason. The reality is that the relationship that data has for each of us is often highly subjective and the investigative techniques that support fact-finding in this digital age are still developing their focus.
This book has nine chapters, each of which deals with various aspects of the world of investigative computer forensics. Many of the topics that are touched on could be the focus of an entire volume in their own right, and in fact there are excellent books written on each of the subjects covered, such as those that tackle broad-based topics ranging from The Foundations of Digital Evidence by George L. Paul to older classics like The Road Ahead by Bill Gates to highly specific volumes such as Building and Managing the Meta Data Repository by David Marco. This book provides the reader with a cross section of information gleaned from an expertise that covers vast and diverse realms of knowledge and experience. Computer forensic investigators are often confronted with diversity and challenge, which varies widely from case to case and forces the best of them to maintain an inquisitive and nimble mind.
In Chapter 1, I discuss some of the broader thematic issues that are felt throughout the “information ecosystem” and that are present-day drivers behind the converging worlds of business, technology, law, and fraud. This discussion on issues, such as privacy, trust, and the foundations of digital evidence, helps to provide a backdrop by which the significant changes in the investigative landscape being felt today can be better appreciated.
In Chapter 2, I discuss a broad range of topics that serve as a primer on computers and networks—how they work, what they are, and why certain things like metadata, databases, and IP addresses are relevant to an investigation.
In Chapter 3, I review some of the fundamentals of the computer forensic world, such as chain of custody, access controls, evidence handling, tools, technologies, and computer forensic certifications. In this section you get a taste of the many components that go into building and operating a successful computer forensic laboratory. Finally, I also provide an overview in this chapter of the various parties commonly found to play a role in a computer forensic investigation, from the bad guy to the judge and from the victim to the network engineer.
In Chapter 4, I detail a number of fundamental investigative issues from case management to trade secret theft. This section covers a variety of topics that a computer forensic investigator will be tasked with understanding and that a user of these services will need to have a grasp of to better leverage the services of a forensic investigator.
In Chapter 5, I share some thoughts on the underpinnings of computer forensics—primary issues that are faced by investigators all over the world from deleted data to the proper seizure and examination of digital evidence. I cover topics as diverse as data classification and records management to ethics and social engineering.
In Chapter 6, I focus on some of the tactical objectives and challenges facing computer forensic investigations from early case assessment to the pacing, timing, and expectation setting within the investigative framework.
In Chapter 7, I deal with some of the real-time issues faced by what I term cyber-firefighters, those individuals who often find themselves on the frontline of digital defenses or investigations and who must perform highly challenging tasks in defending against cybercrime and other malicious online activity.
In Chapter 8, I outline the electronic discovery framework in which computer forensic investigation often finds itself. These emerging standards of care for the preservation, collection, processing, analysis, review, and presentation of electronic evidence can no longer be ignored and are no longer simply the province of the U.S. legal system as they are increasingly under the focus and scrutiny of participants in foreign jurisdictions.
In Chapter 9, I opine on some of the trends and issues that are affecting the future of the information revolution and society as a whole, particularly as it relates to the investigative process and the converging intersection of business, technology, law, and fraud.
Readers can also visit www.InvestigativeComputerForensics.com for more information and materials to use alongside this book.
Investigative computer forensics is playing an increasingly important role in the resolution of challenges, disputes, and conflicts of every stripe and in every corner of the world. Yet, for many, trepidation still prevails, like a veil of fear of the unknown, preventing those in need of these services from truly leveraging them to their best effect.
It is my hope that the technology-challenged and the expert alike, whether an attorney, a judge, a businessperson, an accountant, a teacher, or simply a citizen, will find some comfort in referencing this book to help guide the decisions that need to be made when considering deploying forensic teams to collect and analyze electronic data.
Acknowledgments
I would like to acknowledge the following individuals who have contributed to this book through their influence on my impressions of the converged world of business, law, technology, and fraud.
Jennifer Baker, Tom Gaeta, Peggy Daley, Greg Higgins, Bob Kirtley, Julie Howard, Julie Wilson Marshall, Charlie Balot, Dick Bernacchi, James Gordon, Manuel Beltran, Ron Lavender, Steve Wysong, Jana Cahn, Ben Leeds, Warren Reid, Sanjay Bavisi, David Stenhouse, Josh Buchbinder, Andrew Immerman, Marc Greenberg, Mud Baron, Eric Maurice, Mark Haas, Bobby Tomlin, Mary Mack, Richard Corgel, Richard Chew, Eiji Kosaka, Albert Allen, S. W. Laykin, Joel and Millie Laykin, Bill Gates, and most important, my ever-patient and encouraging wife, Lily Laykin.
In addition, I would like to thank Karen Hendry, my editorial assistant; J. Nino “Onin” G, my illustrator; Cerraeh Laykin, my photographer; Jennifer MacDonald, my most patient development editor; and John DeRemigis, my editor at John Wiley & Sons, who stood by this project through thick and thin.
Author's Note
Because of the evolving nature of technology, law, and business dynamics in the electronic discovery / computer forensic and investigative industry, it is important to bear in mind that many of the representations and issues outlined in this volume are in a state of development, and thus what may hold true in 2013 may be very different in only a few short years. In fact, there can be interpretations of some of the issues that are highlighted in this book where valid counterpoints or opposing opinions can be offered based on the context, geography, technology, legal principles, or other contextual facts that are being leveraged or contemplated at the time.
Consequently, I anticipate appending to this volume in forthcoming updates as the space develops, and it is important to note that the materials herein represent my opinions and observations in my individual capacity and are not to be interpreted as an endorsement by Duff & Phelps LLC or any other company or organization.
INTRODUCTION
Investigative Computer Forensics
The past 20 years have seen an explosion of investigations that involve computers and technology. This growth parallels the impact of the information revolution and has forced radical change in the skill set required to investigate everything from common crime to sophisticated corporate fraud.
One of the results of this change has been that investigators quickly found themselves lacking the primary skills required to manage even the most basic of investigations if there was a computer, a cell phone, or technology involved. Similarly, computer technicians who were called in to fill the vacuum were equally compromised by their lack of traditional investigative skills, which in many cases led to poorly managed investigations in which the human component of a crime was overlooked in favor of the technical “digital smoking gun.”
Changes in Technology
Throughout the United States, Asia, Europe, and elsewhere massive backlogs of investigation work in which computers and technology played a role began to pile up and fill evidence cabinets, rooms, and storage houses. In many cases, particularly in the public law-enforcement realm, crimes against victims went unpunished for years while the accused languished in jail waiting for trials that relied on a technology analysis by experts that law enforcement simply did not have enough of.
I can remember one instance that I found particularly troublesome when I was provided a tour of a major U.S. policing agency's evidence vault and found that it was loaded from floor to ceiling with hundreds of hard drives and computers. When I made the comment to the presiding officer that I was impressed with how many computer fraud cases the agency was undertaking by virtue of the massive numbers of computers in the evidence vault, I was met with the following response: “Actually, Erik, these are the computers we have not been able to get to yet and that represent evidence in cases ranging from rape and murder to organized crime, theft, stalking, and Internet crime. We simply do not have the resources to work all of these cases.”
Continue reading in the full edition!