How a computer forensic investigation works
Many stories have come to light lately about people getting caught using their computers for nefarious purposes. Possession of confidential business secrets, child pornography or spreadsheets to track gambling activities has gotten a wide variety of folks in hot water.
How did these people get caught? By now, most lay people know that a specialized form of technical analysis, most often referred to as computer forensics, facilitated their capture. Forensic investigations also assist corporations and other organizations in their efforts to prevent theft or tampering of sensitive information.
It's not hard to see why forensic investigations are becoming more necessary. After all, it doesn't take a rocket scientist to figure out that virtually all business records are created electronically. Whether it's a Bishop Street business or a Chinatown gambling house, computers are being used to run the operation.
So what really happens during a forensic investigation?
Typically, the investigation starts with gathering the data to be investigated. Copies are made, and depending upon the type of investigation, different methods are used.
For example, in a criminal investigation, exact copies of the hardware or media involved are necessary. Typically, the information we look for is in files used for word processing, spreadsheets, e-mail, Internet usage, and databases. Such files are usually quite easy, from a geek's perspective, to identify. Partial files or files that have been deleted can also be recovered. Software to assist in this process has been around for years.
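As an added illustration (not from this column), here are the two steps just described in code: checking that a working copy matches the original media byte for byte by comparing hashes, and recovering deleted files from a raw image by their header and footer signatures, which works even after the file system no longer points at them. The disk image bytes, the signature table and the function names are constructed for this example.

```python
import hashlib

# Constructed sample: a raw image holding a deleted JPEG, a deleted PNG and a
# truncated JPEG, all sitting in unallocated space with no directory entry.
JPEG = b"\xff\xd8\xff\xe0" + b"JFIF-payload" + b"\xff\xd9"
PNG = b"\x89PNG\r\n\x1a\n" + b"png-chunks" + b"IEND\xaeB`\x82"
PARTIAL_JPEG = b"\xff\xd8\xff\xe0" + b"cut-off"          # footer never written
DISK_IMAGE = (b"\x00" * 64 + JPEG + b"\x00" * 32 + PNG
              + b"\x00" * 64 + PARTIAL_JPEG)

# File-type signatures (header, footer) used by the carver; a real tool
# carries hundreds of these, the two here are enough for the sample image.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}


def verify_copy(original: bytes, copy: bytes) -> bool:
    """Acquisition check: the working copy must hash identically to the
    source media, and the hash is what gets recorded in the case notes."""
    return (hashlib.sha256(original).hexdigest()
            == hashlib.sha256(copy).hexdigest())


def carve(image: bytes, max_size: int = 1 << 20) -> list[tuple[int, str, bytes]]:
    """Header/footer carving: scan the raw bytes for known signatures and
    return (offset, type, data).  A header with no footer within max_size is
    reported as a partial file rather than discarded."""
    found = []
    for name, (header, footer) in SIGNATURES.items():
        pos = 0
        while (start := image.find(header, pos)) != -1:
            end = image.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append((start, name + "-partial",
                              image[start:start + max_size]))
                pos = start + len(header)
                continue
            end += len(footer)
            found.append((start, name, image[start:end]))
            pos = end
    return sorted(found)
```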
More advanced investigations look further than files and file fragments. Such efforts are targeted around servers used for e-mail, applications, and relational databases (such as Oracle or SQL Server). Software exists to work with popular applications, such as Exchange, but less common software typically requires much more effort to deal with.
All information sources are then indexed and reviewed. This is sometimes done manually, i.e., a bunch of folks sit down in a room and sift through the files looking for the proverbial smoking gun. More often, though, advanced investigations employ software specifically designed to assist with these efforts.
Finally, the relevant data is produced for use in court or with the audit committee.
Computer forensics is an ever-growing field. PDAs, cell phones, cameras, embedded systems (such as those in automobiles) and other electronic devices are becoming part of the landscape. The methods used to investigate such technologies also continue to evolve.
John Agsalud is president of ISDI Technologies Inc., an IT consultancy. He can be reached at firstname.lastname@example.org