Handling crime in the 21st century
(IDG) -- It's a gray day in Portland, Ore., where 10 of us are up to our elbows in the arcane terms of data recovery: file allocation tables, rogue clusters and slack space, or traces of evidence left by a deleted file. Terms such as "evidentiary copy" and "smoking gun" float through the room.
We are wrapping up a three-day course on computer forensics -- dissecting hard drives and diskettes to find evidence of crime or employee misuse -- at New Technologies Inc. (NTI), in Gresham, Ore. (www.forensics-intl.com). In so doing, we're arming ourselves with software and techniques to catch the bad guys where they work: on their hard drives.
Increasingly, criminals are raiding corporate servers, electronically transferring intellectual property, or harassing employees via e-mail. They're using PCs and Macs to commit felonies such as embezzlement, drug trafficking, money laundering, or distributing child pornography.
And they're seizing valuable assets. Theft of intellectual property is costing U.S. businesses more than $250 billion annually, according to the American Society of Industrial Security (ASIS), in Alexandria, Va. Much of this property drain is conducted electronically.
The FBI is juggling more than 500 open computer crimes cases, excluding child pornography. And, during the past year, child pornography cases jumped 185 percent for the Cybersmuggling Unit of the Department of Customs in Sterling, Va.
Don Huyke, special agent in charge, attributes this increase mostly to the Internet.
"Part of the problem is you're dealing with a more knowledgeable criminal," says Sgt. Jimmy Doyle, of the New York Police Department's Computer Investigations and Technology Unit. "And, electronically speaking, the bad guys are usually one step ahead of the law."
Unlike the NYPD, many local law enforcement agencies are lucky to have one computer expert among their rank and file. So if your company has suffered from electronic theft of trade secrets or employees who download child pornography or harass other employees, don't count on the local sheriff to round up a posse. Especially because "the typical criminal investigation means sitting on 20 to 25 computers" -- something most police departments just don't have, adds Michael Anderson, a former IRS high-tech investigator who founded NTI in 1997.
For emphasis, Anderson points to a case involving a corporate client that happened on the last day of our course. At the client company, a female executive had suffered two terror-filled years of e-mail death threats. It turned out that the cyberstalker was none other than another employee who, with the help of her hacker husband, purposely set out to electronically drive the executive nuts.
"The cops aren't going to touch this case," Anderson says after getting off the phone with the authorities. "They only have enough resources to go after the big cases."
Call Anderson a self-taught Sherlock Holmes for the 21st century. In his past life, Anderson developed tools to aid him in his job as a computer investigations agent for the IRS. Those tools were requisitioned by the Federal Law Enforcement Training Center, in Glynco, Ga., which is where Anderson was also charged with creating a computer forensics training course. Currently, the class is taught to investigators from federal agencies such as the FBI, the Customs Service, the Department of the Treasury, and even military and spook agencies.
Anderson's toolkit typifies the goods cyberenforcers need in their battle with hackers and corporate criminals. Along with developing methodologies for finding hidden or lost files with standard utilities, Anderson has created software programs such as IP-Filter, which uses fuzzy logic to track down e-mail addresses and URLs associated with Internet use.
The tool has become a must-have for law enforcement agencies that chase after online frauds and pedophiles. But it's also useful for corporate security specialists such as course attendees Joe Best, of Lockheed Martin; Mike Guffey, of security firm Pinkerton; and David Chester, of Southwestern Bell. These corporate computer security specialists say they need ways to curb computer misuse -- employees who run their own businesses on corporate time or repeatedly visiting pornography sites.
Upon hearing this, Anderson perks up, saying, "When users in corporations hear an auditor is coming in, they try to `Tidy Bowl' their hard drives. Computer forensics people love this."
Then, in reference to the federal antitrust case in progress against Microsoft, Anderson adds, "But even Bill Gates can't hide his incriminating e-mail."
Corporate IT picks up the scent
Since NTI's inception, more than 300 people have passed through its three-day, $2,000 course. All are experienced computer security specialists or investigators. Most hail from Fortune 500 companies looking to solve internal security issues of their own. Others come from Big 5 accounting companies developing internal auditing and client security consulting services. NTI discounts courses for those in law enforcement.
"There's limited training in computer forensics out there," says attendee Richard Marchewka, a special agent at the Kansas Bureau of Investigations. Between barbs, he and his partner, David Schroeder, also a special agent, say they had previously attended computer investigations courses at the National White Collar Crimes Center and International Association of Computer Investigative Specialists.
Although methodologies may differ, all attending NTI's three-day course agree on one thing: looking for evidence on computers is like trying to find a needle in a haystack. Incriminating data can reside in snippets on swap files, in slack and unallocated space, or even in bad clusters and boot sectors. And the clues may not always be overt.
"I had one case, a theft of trade secrets investigation, in which an individual had loaded LapLink [a transfer program for very large files]," explains instructor Joseph Enders, who spent 25 years as a special agent/computer specialist at the IRS' Criminal Investigation Division. The very existence of the program linked the suspect to large files containing product development information previously e-mailed out of the company. The suspect had erased the program, but remnants lingered in the registry, which Enders found using Microsoft's RegEdit utility.
Computer forensics, much like criminal detective training, is designed to help investigators shrink that haystack while following basic rules for evidence recovery that would hold up in court.
Lesson 1: Seizing the computer
"If you are at a crime scene and you see a computer turned on, what's the first thing you do?" Enders asks.
Ahh. To unplug or not to unplug? Is it nobler to lose all temporary files by cutting off power without a proper shutdown? This is a problem if criminals use an uninterruptible power supply and do all their work in memory. Or is it nobler to shut down properly and risk a booby trap that wipes out data at the touch of a key?
This question stumps us all, and Enders never fully answers it. The consensus: It is best to properly shut down the desktop (booby traps are still relatively rare), especially if the machine is a file server, because pulling the plug could cause major corruption.
"There are no absolutes," Enders explains. "The biggest issue will be to explain to a judge why you decided to pull the plug."
Lesson 2: The contingency plan
Always work from a copy, Anderson says. Not just any copy, but a mirror image of everything on the hard drive which includes all data hidden in ambient space and slack files. Copy it onto clean media -- another hard drive, zip drive, or CD-ROM. Then benchmark the copy to show the original hadn't been tampered with, which is key in preventing prosecution fiascos such as the O.J. Simpson debacle.
To do this, Anderson recommends a tool called SafeBack by Sydex, which takes the mirror image and restores it. An NTI tool, CRCMD5, benchmarks the original by reporting what state the data is in -- which is compared later with the data on the restore disk. Then copy the mirror image into a working drive or disk.
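The "work from a copy, then benchmark it" rule in Lesson 2, as an added example that is not code from the article or from NTI: a bit-for-bit image of a constructed sample drive is taken, a digest of the original is recorded before anyone touches the copy, and the working copy is re-checked against that digest later. SHA-256 stands in for the CRCMD5 benchmark tool the article names (its output format is not reproduced here); the sample drive, its sector size and all of its contents are constructed for the demonstration, and the per-sector digests are an added refinement so that a mismatch can be localised to the sector that changed.

```python
import hashlib

SECTOR_SIZE = 512  # assumed sector size for the constructed drive


def fingerprint(data: bytes) -> str:
    """Whole-image digest taken before imaging; later compared with the working copy."""
    return hashlib.sha256(data).hexdigest()


def sector_digests(data: bytes) -> list[str]:
    """One digest per sector so a mismatch can be narrowed down to where it happened."""
    return [hashlib.sha256(data[i:i + SECTOR_SIZE]).hexdigest()
            for i in range(0, len(data), SECTOR_SIZE)]


def acquire_image(source: bytes) -> dict:
    """Bit-for-bit copy of everything on the drive, including slack and unallocated
    space, plus the digests that benchmark the original at acquisition time."""
    return {"image": bytes(source),
            "digest": fingerprint(source),
            "sectors": sector_digests(source)}


def verify_image(record: dict, candidate: bytes) -> bool:
    """True only if the candidate is still identical to the benchmarked original."""
    return fingerprint(candidate) == record["digest"]


def changed_sectors(record: dict, candidate: bytes) -> list[int]:
    """Indexes of sectors whose digest no longer matches the acquisition record."""
    cand = sector_digests(candidate)
    orig = record["sectors"]
    n = max(len(cand), len(orig))
    return [i for i in range(n)
            if i >= len(cand) or i >= len(orig) or cand[i] != orig[i]]


def build_sample_drive() -> bytes:
    """Constructed four-sector drive: boot sector, a live file, a sector whose tail is
    slack left by an older file, and an unallocated sector holding deleted data."""
    boot = b"BOOT".ljust(SECTOR_SIZE, b"\x00")
    live = b"quarterly report, nothing unusual".ljust(SECTOR_SIZE, b"\x00")
    slack = (b"memo.txt".ljust(40, b"\x00")
             + b"OLD: draft of the product spec".ljust(SECTOR_SIZE - 40, b"\x00"))
    unallocated = b"deleted draft, never overwritten".ljust(SECTOR_SIZE, b"\xe5")
    return boot + live + slack + unallocated


def demo() -> tuple[bool, bool, list[int]]:
    original = build_sample_drive()
    record = acquire_image(original)
    working = bytes(record["image"])  # all analysis happens on this copy
    intact = verify_image(record, working)

    # Simulate an accidental write to the copy (one byte flipped in sector 3).
    damaged = bytearray(working)
    damaged[3 * SECTOR_SIZE + 5] ^= 0xFF
    damaged = bytes(damaged)
    return intact, verify_image(record, damaged), changed_sectors(record, damaged)


if __name__ == "__main__":
    print(demo())
```

Run stand-alone, `demo()` reports that the untouched copy verifies, that the damaged copy does not, and that sector 3 is the one that changed; the same digest record is what an examiner would present when asked to show the original was not altered during analysis.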
This is not so easy. In one case during Anderson's government days, investigators at a crime scene actually reversed the copy, overwriting the suspect's computer with the contents of the investigators' hard drive. When the lead investigator at the scene called Anderson panicking hysterically -- with "a Mickey Mouse voice" -- all Anderson could do was tell him how to prevent a lawsuit: The computer was part of a corporate network.
Lesson 3: Digging up the dirt
Here's where things get really interesting -- especially when, on the third day, we apply our previous sessions to finding our diploma, which happens to be broken into pieces and buried deep in slack and unallocated space.
We had already learned how to use Norton's DiskEdit to view erased files; how to use NTI's Filter-I to cleanse binary information, allowing us to examine plain text lurking in slack and unallocated space and in swap files; how to use TextSearch Plus to keyword search through the reams of data uncovered with Filter-I and IP-Filter; and how to use Norton's DiskEdit to piece the data together.
However, Anderson throws us a curve: He has encrypted the directory. Working from previous lessons, my partner, Lockheed's Best, and I found the bad guy's file encryption cracker (hidden in a file called fun.exe) and loaded it. It did the trick.
Now it's time to see what we've got in the directory. A couple of files, including one deleted file (recognizable by the telltale Greek Sigma) look suspect to us, so we make a note of them. When we run Filter-I to view plaintext lingering on unallocated space, we see the word "diploma" on a few headers of what are obviously zipped files. We word search the rest of the file allocation table for the word "diploma."
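What the exercise above does by hand, as an added example that is not code from the article or from NTI: a FAT directory is parsed so deleted entries (first name byte overwritten with 0xE5, which is the sigma the author sees in DiskEdit) are flagged; a block of unallocated space is filtered down to its printable runs, as Filter-I does; the result is keyword-searched for "diploma"; and ZIP local-file headers lying in unallocated space are read for the filename they carry. The directory entries, the unallocated block and the keyword are all constructed for the demonstration, and `parse_directory` handles only classic 8.3 entries, not long-filename entries.

```python
import re
import struct

DIR_ENTRY_SIZE = 32
DELETED_MARK = 0xE5  # first byte of a deleted FAT entry; rendered as sigma in code page 437
ZIP_LOCAL_SIG = b"PK\x03\x04"


def make_dir_entry(name8: str, ext3: str, size: int, first_cluster: int,
                   deleted: bool = False) -> bytes:
    """Build one 32-byte FAT 8.3 directory entry (timestamps zeroed; constructed data)."""
    raw_name = name8.ljust(8).encode("ascii") + ext3.ljust(3).encode("ascii")
    if deleted:
        raw_name = bytes([DELETED_MARK]) + raw_name[1:]
    # attr, reserved, ctime_tenths, ctime, cdate, adate, hi_cluster, wtime, wdate, lo_cluster, size
    return raw_name + struct.pack("<BBBHHHHHHHI", 0x20, 0, 0, 0, 0, 0, 0, 0, 0,
                                  first_cluster, size)


def parse_directory(raw: bytes) -> list[dict]:
    """Walk a FAT directory and flag entries whose first byte is the deleted marker."""
    entries = []
    for off in range(0, len(raw), DIR_ENTRY_SIZE):
        e = raw[off:off + DIR_ENTRY_SIZE]
        if len(e) < DIR_ENTRY_SIZE or e[0] == 0x00:
            break  # 0x00 means no further entries in use
        deleted = e[0] == DELETED_MARK
        name_bytes = b"?" + e[1:8] if deleted else e[0:8]  # first char is lost on delete
        name = name_bytes.decode("ascii", "replace").rstrip()
        ext = e[8:11].decode("ascii", "replace").rstrip()
        entries.append({
            "name": f"{name}.{ext}" if ext else name,
            "deleted": deleted,
            "first_cluster": struct.unpack("<H", e[26:28])[0],
            "size": struct.unpack("<I", e[28:32])[0],
        })
    return entries


def extract_strings(raw: bytes, min_len: int = 4) -> list[str]:
    """Keep only runs of printable ASCII, discarding the binary noise around them."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, raw)]


def keyword_hits(raw: bytes, keyword: str) -> list[int]:
    """Byte offsets of every case-insensitive occurrence of the keyword."""
    return [m.start() for m in re.finditer(re.escape(keyword.encode("ascii")), raw, re.IGNORECASE)]


def zip_header_names(raw: bytes) -> list[str]:
    """Filenames recorded in ZIP local-file headers found anywhere in the block."""
    names = []
    for m in re.finditer(re.escape(ZIP_LOCAL_SIG), raw):
        off = m.start()
        if off + 30 > len(raw):
            continue
        name_len = struct.unpack("<H", raw[off + 26:off + 28])[0]
        names.append(raw[off + 30:off + 30 + name_len].decode("ascii", "replace"))
    return names


def build_zip_local_header(filename: bytes) -> bytes:
    """Minimal ZIP local-file header: version, flags, method, time, date, crc,
    compressed size, uncompressed size, name length, extra length, then the name."""
    return ZIP_LOCAL_SIG + struct.pack("<HHHHHIIIHH", 20, 0, 8, 0, 0, 0, 0, 0,
                                       len(filename), 0) + filename


# Constructed sample data: one live file and one deleted file in the directory,
# and an unallocated block with binary filler, a leftover ZIP header and some text.
DIRECTORY = make_dir_entry("README", "TXT", 120, 3) \
    + make_dir_entry("DIPLOMA", "ZIP", 4096, 7, deleted=True) \
    + b"\x00" * DIR_ENTRY_SIZE
UNALLOCATED = (bytes([0x00, 0xFF, 0x13, 0x8A]) * 64
               + build_zip_local_header(b"diploma1.zip")
               + b"\x00" * 40
               + b"Sigma marks the spot: DIPLOMA part two"
               + bytes([0x80, 0x81, 0xFF]) * 20)


if __name__ == "__main__":
    for entry in parse_directory(DIRECTORY):
        print(entry)
    print(extract_strings(UNALLOCATED))
    print(keyword_hits(UNALLOCATED, "diploma"))
    print(zip_header_names(UNALLOCATED))
```

The deleted entry still carries its first cluster number and size, which is why an examiner can go straight to the clusters it used to own; the keyword offsets from the unallocated block are the starting points for reading the surrounding bytes in a sector editor.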
At this point, Pinkerton's Guffey pipes in, saying the tools alone have saved him significant time looking for evidence of employee misuse.
"Before I met Anderson, I was tasked with eyeballing all this data [including binary] in large quantities scrolling up and down my screen," Guffey says. "He showed me this cool software and it took me about one and a half hours to do what previously took me two very, very long nights to do."
Now Guffey is learning how to properly use the tools so he can train others in his organization to do likewise.
Lesson 4: Piecing it together
A bleary-eyed Best and I merge together two cluster fragments and try to unzip our file. But we can't, because we have accidentally overwritten some of the clusters in the erased file fragment. Thank goodness for backups. We start again, use a standard password cracking tool that forces open the password, and nab our diploma.
It takes us about four hours. The youngsters -- Gerry Zepp of Worldspan and Jennifer Sutherland of Ernst & Young, beat us all to it and cinch the free bottle of wine.
Throughout the exercise, I realize Anderson is fond of booby traps. One, a file header titled sexslave.exe, opened a rogue program that took over our machine.
"I don't know a cop in the world who would not open a file like this," Anderson quips.
Lesson 5: Court techniques
When a case goes to court, be prepared for an audience that lacks technical understanding, Anderson says.
"You've got to keep the language simple. Tell the jury, 'I looked at this cluster and matched it up with this cluster,'" Anderson explains.
In so doing, well-trained investigators might just lead the rest of the judiciary system into the 21st century. But just as high-tech cops, agents, and corporate security folks get smarter, hackers and their ilk will challenge them with new tricks. The latest is steganography -- hiding data inside .gif and other types of image files -- for which NTI has no cracking solutions.
For these reasons, high-tech investigators in both the public and private sector will be in high demand well into the future. According to ASIS, 63 percent of 552 security managers, product providers, and service providers responding to a hiring practices survey plan to hire security specialists in the next year. Thirty-seven percent say they will hire between six and 20 such workers. But just where will they get these people?
"Everyone I talk with in human resources says they're all fighting for skilled security professionals," says Richard Brewer, a senior analyst at International Data Corp., in Framingham, Mass.
No wonder those studying at NTI put in such long hours at their day jobs. But they wouldn't change their cybersleuthing ways for anything.
Says Lockheed's Best with a wry smile, "I love this stuff."
Deborah Radcliff is a free-lance writer based in northern California. She can be reached at DeRad@aol.com.
© 2000 Cable News Network. All Rights Reserved.