Cracking cybercrime

Don't touch electronic evidence until you call in the cops or a cyberforensics expert

October 30, 1998
Web posted at: 11:50 AM EDT

by Deborah Radcliff

From...

(IDG) -- Early this year, the audit manager for a financial services company suspected a former employee of embezzling nearly a million dollars. He took the suspect's PC to his office to analyze its hard drive, then got called out of town. Unaware of the investigation, his trusty assistant reissued the suspect computer to the word processing pool to replace a broken one.

"That guy's evidence - and his case - was toast," says Michael Anderson, former IRS investigator and founder of New Technologies (NTI), a cyberforensics firm in Gresham, Ore. "All the ambient data was overwritten." Earlier, the audit manager had considered outsourcing the forensics work to NTI but decided to forgo the $215-per-hour fee and do it himself.

There's a lesson here: Thou shalt not bungle computer evidence intended for a court of law.


Crimes committed via computer leave distinct evidence trails. If you so much as access, download or open suspect files, you could taint the evidence and render it inadmissible. That type of activity alters backup files and system logs and overwrites date and time stamps, says Bill Boni, director of IS for PricewaterhouseCoopers in New York.

Draft a contingency plan for when cybercrime strikes and take the proactive measures Boni suggests. Regularly print and save log files from critical servers. Establish a tamper-proof backup system to capture activity and audit trails.
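One way to make saved log copies tamper-evident, as an added illustration rather than anything from the article or from the firms it quotes: hash each preserved log file, then seal the list of hashes with an HMAC under a key held by someone other than the server administrator. The log lines, file name and key are constructed for the example.

```python
"""Tamper-evident preservation of server log copies (added example).

Hypothetical helper illustrating the "regularly save log files" advice:
each preserved copy is hashed with SHA-256 and the hash list is sealed with
an HMAC under a key held by a separate custodian, so a later edit to a
preserved copy, or to the manifest itself, is detectable.
"""
import hashlib
import hmac
import json
import os
import tempfile

# Constructed sample firewall log lines (not real log data).
SAMPLE_LOG = (
    "1998-10-30 09:12:01 fw01 DENY tcp 10.0.0.7:4431 -> 192.0.2.10:23\n"
    "1998-10-30 09:12:05 fw01 DENY tcp 10.0.0.7:4432 -> 192.0.2.10:23\n"
    "1998-10-30 09:13:44 fw01 ALLOW tcp 10.0.0.9:1045 -> 192.0.2.20:80\n"
)


def sha256_file(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(paths, custodian_key):
    """Hash each file and seal the list of hashes with an HMAC."""
    entries = {os.path.basename(p): sha256_file(p) for p in paths}
    payload = json.dumps(entries, sort_keys=True).encode()
    seal = hmac.new(custodian_key, payload, hashlib.sha256).hexdigest()
    return {"files": entries, "seal": seal}


def verify_logs(manifest, paths, custodian_key):
    """Return (manifest_intact, [names of files whose content changed])."""
    payload = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(custodian_key, payload, hashlib.sha256).hexdigest()
    manifest_intact = hmac.compare_digest(expected, manifest["seal"])
    changed = []
    for p in paths:
        name = os.path.basename(p)
        if manifest["files"].get(name) != sha256_file(p):
            changed.append(name)
    return manifest_intact, changed


def demo():
    """Preserve a constructed log, then tamper with it and detect the change."""
    key = b"custodian-key-placeholder"  # assumption: kept off the logging host
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "firewall.log")
        with open(path, "w") as f:
            f.write(SAMPLE_LOG)
        manifest = preserve_logs([path], key)
        ok_before = verify_logs(manifest, [path], key)
        # Simulate an after-the-fact edit that strips the DENY entries.
        with open(path, "w") as f:
            f.write(SAMPLE_LOG.splitlines(keepends=True)[2])
        ok_after = verify_logs(manifest, [path], key)
        # Simulate rewriting the manifest to match the edited file instead:
        # the file hash matches, but the seal no longer does.
        forged = dict(manifest, files={"firewall.log": sha256_file(path)})
        forged_ok = verify_logs(forged, [path], key)
    return ok_before, ok_after, forged_ok


if __name__ == "__main__":
    print(demo())
```

The seal only proves something if the custodian key is unavailable to whoever could alter the logs; storing it on the same server as the logs defeats the purpose.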

Your policy should also include thresholds of what magnitude of loss or crime would trigger a call to law enforcement. Not all crimes should be reported for reasons of shareholder confidence and public image.

There are two schools of thought when it comes to actually handling the computers. Anderson advises his clients to leave the system running. Boni suggests shutting it down.

Warren Kruse, investigations manager for Lucent's computer and network security department in New Jersey, laughs when he hears those options.

"The golden rule of computer evidence is there are no golden rules," he says. "The person who tells you to keep the computer on worries about losing everything in RAM, which could contain valuable evidence in temporary files. The person who tells you to turn off the machine worries about hidden processes like timed viruses destroying the hard drive."

Lucent's seven-person computer and network security department works like a security help desk for the vendor's 136,000 employees. When users report suspect activity on their machines, team members are dispatched to investigate.

Don't count on your audit manager or administrator to know the correct methodology for preserving evidence. In a recent court case, the defense retained PriceWaterhouseCoopers' forensics experts because the victim had badly damaged the evidence.

The aggrieved firm's management told IS to get proof that an employee had misappropriated intellectual property. "IS copied e-mail and log files but didn't create forensics copies - a bit-stream backup of the hard drive of the laptop, desktop and e-mail server," Boni says. "We had to tell the court that their copies were totally inadequate."

Forensics backups take a mirror image of the hard drive, grabbing all of the file slack and erased space - which traditional backups miss - as well as named files. This ambient data is often the smoking gun in cybercrime prosecutions, Anderson says. He suggests using Sydex, Inc.'s SafeBack to perform mirror-image backups.
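To see why a mirror image matters, here is an added toy model (not SafeBack, not code from NTI or the article): a four-sector "disk" is constructed as a byte string with a live file, file slack left over from an earlier occupant of the same sector, and an unallocated sector still holding a deleted draft. The logical copy picks up only the named file; the bit-stream image captures everything and is hashed at acquisition so it can be verified later.

```python
"""Forensic bit-stream image versus logical file copy (added example).

Models a tiny block device as bytes, with a toy allocation table, to show
why a bit-for-bit image captures evidence (file slack and unallocated
sectors) that copying the named files misses, and how the image is hashed
so its integrity can be demonstrated afterwards.
"""
import hashlib

SECTOR = 512


def build_sample_disk():
    """Construct a 4-sector toy disk (constructed data, not a real image)."""
    disk = bytearray(4 * SECTOR)
    # Sector 0: stands in for the allocation table area (left zeroed here).
    # Sector 1: live file 'memo.txt', 120 bytes long; the rest of the sector
    # is slack still holding bytes from a file that previously used it.
    memo = b"Q3 expense summary: all entries reconciled.".ljust(120, b" ")
    slack_remnant = b"...wire 950000 to acct 4471 (delete this)..."
    disk[SECTOR:SECTOR + 120] = memo
    disk[SECTOR + 120:SECTOR + 120 + len(slack_remnant)] = slack_remnant
    # Sector 2: unallocated, but still containing a deleted file's content.
    deleted = b"draft: move funds before audit on Friday"
    disk[2 * SECTOR:2 * SECTOR + len(deleted)] = deleted
    # Sector 3: never written.
    table = {"memo.txt": (SECTOR, 120)}  # name -> (offset, logical size)
    return bytes(disk), table


def logical_copy(disk, table):
    """What a traditional backup takes: named files at their logical sizes."""
    return {name: disk[off:off + size] for name, (off, size) in table.items()}


def bitstream_image(disk):
    """Mirror image: every byte, plus a hash recorded at acquisition time."""
    image = bytes(disk)
    return image, hashlib.sha256(image).hexdigest()


def keyword_hits(data_blobs, keyword):
    """Count blobs containing the keyword (plain substring search)."""
    return sum(1 for b in data_blobs if keyword in b)


def compare_methods(keyword=b"950000"):
    """Search both copies for a keyword and report where it turns up."""
    disk, table = build_sample_disk()
    logical = logical_copy(disk, table)
    image, digest = bitstream_image(disk)
    # Slack of memo.txt: bytes between its logical end and the sector end.
    off, size = table["memo.txt"]
    slack = image[off + size:off + SECTOR]
    unallocated = image[2 * SECTOR:3 * SECTOR]
    return {
        "logical_hits": keyword_hits(logical.values(), keyword),
        "image_hits": keyword_hits([image], keyword),
        "slack_hits": keyword_hits([slack], keyword),
        "unallocated_has_deleted": b"before audit" in unallocated,
        "image_verifies": hashlib.sha256(image).hexdigest() == digest,
    }


if __name__ == "__main__":
    for k, v in compare_methods().items():
        print(f"{k}: {v}")
```

The same contrast holds on real drives: a file-level backup reads only what the file system says a file contains, while an image reads the device below the file system, which is why the acquisition hash is recorded at the time the image is taken.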

The method of attack is another factor that determines what action you should take. If the crime stems from inside the network, Boni recommends suspending all access to the affected server or database until law enforcement can make evidentiary copies of relevant files.

"There's evidence in the database log, activity records or the operating system that could be affected by automated backup jobs or other routine activities," he says.

For external attacks launched from the Internet, start by printing an evidentiary copy of firewall logs. Then see what evidence you can gather from your firm's ISP - perhaps the ISP could freeze records or provide additional logs and auditing. However, Boni says most ISPs aren't too helpful because they put the burden of security on their clients.

Finally, know when you're in over your head, Lucent's Kruse says. If there's any question, call in the big guns: either a cyberforensics expert or law enforcement.

Cyberforensics consultants from the computer security divisions of the Big Five accounting firms charge upwards of $2,500 per day for their services. One alternative is to teach an IT staffer or a team of auditing, security and legal workers the appropriate methodology for handling computer evidence. NTI offers a three-day training course for $2,000, including software.

Most large metropolitan police forces and federal agencies have well-trained cybercops among their rank and file.

If your company does go to the authorities, be prepared to allocate a lot of time and resources to work with the police, Boni says. Above all, he says, "if evidence is in the machine, leave it in the state it's in."

Radcliff is a freelance writer in Northern Calif. She can be reached at DeRad@aol.com.

© 2000 Cable News Network. All Rights Reserved.