How to Be a Digital Detective

How to Be a Digital Detective

The search can get bogged down by organization bureaucracy, so it's important to have a policy in place that spells out what to do in case of an incident

It could be an insider suspected of a security breach. It could be a case of sexually harassing phone calls and e-mails. It could be an employee violating company rules on visiting gambling or porn sites.

Whatever the reason, it's possible at some point there will be an incident at your company that will require the IT department to conduct a formal investigation tracking the digital trail of an employee. Will you know what to do?

The good news is that there is plenty of forensic information available from a variety of sources, including security cameras, electronic card readers, computer hard drives, printers, landlines, mobile phones and so forth. In fact, it's almost impossible for an employee to avoid leaving a digital trail.

The bad news is that most of these are stand-alone systems. Camera systems don't know about network firewalls, which are separate from printer logs, which are separate from PBX-based phone records, which are separate from mobile phone records.

While many of these systems keep detailed internal logs with time and date stamps, the logs are often only stored for a week or two, which means a forensic investigation needs to happen fast.

One of the most difficult parts of pulling together information is getting permission from the process or content owners. Frequently, it requires a quick trip to different corporate groups, including the security desk, the PBX administrator, network administrators, administrative services group and the employee's supervisor.

The search can get bogged down by organization bureaucracy, so it's important to have a policy in place that spells out what to do in case of an incident.


So, what should those policies and procedures be?

1. Have an action plan.

Ideally, IT managers should have actively developed a checklist of corporate systems, log information, duration of active logs and the person who controls access to the system.

2. Don't contaminate the crime scene.

An external computer forensic expert might be called in, particularly if the incident is expected to result in some type of court action. Often, someone on the IT staff becomes a first responder and needs to be trained on what to touch and what to turn off.

"Unless you have the right tools, it's important not to touch the PC," says Karen Stein-Ferguson, an attorney and certified computer examiner in the US. "Even copying a file will change some of its attributes."

She says it's best to keep all equipment turned off until the forensics examiner arrives. Evidence can be easily contaminated, such as a file's "last accessed" timestamp, which changes by simply opening or copying a file.

A forensic image of a disk should be created if there is a need to look at computer data before a forensics professional arrives. This type of duplication captures an image of the disk with all files including original timestamps and hidden files, which can be viewed instead of the original disk.

3. Take physical possession of the equipment.

The PC or laptop of the employee suspected of wrongdoing should be taken off-line immediately. Some terminated employees will ask for permission to remove personal items from the computer; if access is granted, they should be watched carefully during the time spent on the PC.

4. Secure server logs.

Once the PCs are confiscated, it is important to look carefully at systems that might have been used. Then run - don't walk - to all servers that maintain logs.

5. Get phone logs.

Business PBX or telephone systems can provide detail such as call records, date, time, duration and caller ID information. Systems track call transfers and whether the call was incoming or outgoing. Because organizations usually don't store these records very long - sometimes only a week or two — it's best to get them immediately.

6. Get mobile phone records.

Logs from company-provided mobile phones are another place to look. If the company is paying for the mobile phone, it probably has access to the phone itself or use logs. The amount of data a device holds varies by model, so get to these records early.

The US-based National Institute of Standards and Technology offers a set of draft forensics standards for mobile phones. It advises turning off a mobile phone and putting it in a static-free bag. Some also recommend putting the phone into a second radio frequency isolation bag to attenuate a device's radio signal. Be sure to tag the phone and record when and where it was confiscated to start the chain of custody.

On the other hand, smart phones should be left on and powered up so no data gets lost. The best way to do so is to use a bag with a small slit so the charger can be plugged in. Tag the bag and put the phone into an RF isolation bag.

Keep in mind that the mobile phone itself carries complete logging information. It may also contain GPS or other location tracking information. The phone timestamps each time it moves from one cell area to another.

7. Handle PDAs with care.

Like mobile phones, PDAs store many time and date records, and the amount of information varies by product. Security measures are built into some PDAs. For example, the BlackBerry follows policies initiated at setup. By default, after three failed logon attempts, users are sent warning messages. Depending on configuration, after three to 10 failed logon attempts, the phone deletes all data and shuts down.

Palm operating system devices running third-party software InfoSafe Plus also can be configured to destroy data after a series of failed logon attempts. PDAs have volatile memory and no disk, so a user could booby-trap the device with key remapping software. If the wrong keys are tapped, it could trigger the phone to delete data or run a program to scramble information.

PDAs that are frequently synced with a PC may store a complete copy of their data on the PC. It is important to check the host PC to determine if a recent copy of the PDA data exists.

8. Confiscate portable storage devices.

Flash RAM products, Secure Digital cards, USB storage keys and external drives should be confiscated. Generally, these items can be inspected with standard PC forensic tools that inspect hard drives. It is important, as with hard drives, to make a bit-for-bit image of the portable storage device.

Some USB flash drives come with additional capabilities, such as a wireless interface. ZyXel's AG-225H, for example, is a three-in-one product with a USB Wi-Fi Finder, Wi-Fi adapter (with 802.11a-b-g) and an access point that will share an Internet connection.

Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

More about BlackBerryCanonEFFElectronic Frontier FoundationLaserPalmPLUSTechnology ResearchXeroxZyXEL

Show Comments