7 Myths about Computer Forensics
Written by Ryan Lerminiaux   
Tuesday, 06 May 2008 14:14

We live in a very technologically advanced society. These days everyone relies on computers in one way or another, whether it is ordering groceries online, buying a gift for your mother on an auction site, or doing your tax returns. This trend has held true in the legal system as well. Every day more computers and computer-related accessories are introduced as evidence in courtrooms around the world. This presents a daunting task for the computer forensics professional, made even more difficult by myths and unrealistic expectations, spawned by popular culture, about what a computer can do and what a forensic professional can do with one. Computers and the internet are the new fad. There are hundreds of books, movies, and TV shows about computers. Some of them are true, but the majority of what we see in TV shows and movies is very fictionalized and unrealistic.

I’m sure most people are familiar with CSI, the popular forensics show. At some point each season they use “computer forensics” to solve parts of their cases. I was recently watching an episode where the CSI crew used “computer forensics” to track down a suspect via the airline tickets he had purchased. The computer technician mashed furiously on his keyboard while the words “Computer Forensics” flashed in red at the top of his screen. Before I knew it, they had located their suspect. Unfortunately, folks, that is not really how it works. I am sure lawyers feel the same way about shows like Law and Order.

With all of this in mind, I will attempt to dispel the most common myths about computer forensics. These are things we have been asked about time and time again. Computer forensics isn’t nearly as sexy as TV and movies make it out to be, and here is why:


A computer forensics analyst can recover any file that was ever deleted on a computer since it was built.
This simply is not true. We can recover deleted files, and/or parts of deleted files, but how many differs for every computer. When you delete a file or empty your recycle bin, the file you selected has its entry removed from the computer’s file system. The contents of the file have not been overwritten or removed from your hard drive; only the entry in the file system directory is gone. This means the file’s data will hang around in unallocated space until the file system writes a new file over it. A new file can be written over the old one precisely because the old one no longer has a placeholder in the directory, in the form of a directory entry, marking those blocks as in use. How long that takes depends on how full and how busy the disk is, and a partial overwrite leaves fragments rather than a whole file. For example, if you are in a movie theatre and decide you need to use the restroom, you will usually leave something in your seat, like your coat, to let others know the seat is occupied. You can think of the coat as the file’s directory entry. If you take your coat with you when you go, there is no way for others to know that you are occupying that seat. There is a good chance that when you return from the restroom your seat will still be free, but there is also a chance it is now occupied by another person, and you just lost the best seat in the house.
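To make the mechanics concrete, here is an added example (not from the original article) using a toy disk image: a directory table plus fixed-size data blocks, with deletion implemented the way the paragraph describes, as removal of the directory entry only. The `carve` function does what a file carver does, scanning unallocated space for a header/footer signature, and `keyword_search` shows that fragments survive a partial overwrite even when the whole file no longer does. The disk geometry, the file names and the `MEMO:`/`#END` signatures are assumptions made up for the demo.

```python
import re

BLOCK_SIZE = 16   # assumed toy geometry; real file systems use 512-byte sectors / 4 KiB clusters
NUM_BLOCKS = 8


class ToyDisk:
    """A minimal file system: a directory (name -> block list) over fixed-size blocks."""

    def __init__(self):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(NUM_BLOCKS)]
        self.directory = {}

    def allocated(self):
        """Block indices that some directory entry still claims."""
        used = set()
        for block_list in self.directory.values():
            used.update(block_list)
        return used

    def unallocated_blocks(self):
        used = self.allocated()
        return [i for i in range(NUM_BLOCKS) if i not in used]

    def write_file(self, name, data):
        """Allocate the lowest free blocks (free = not claimed by any entry) and store the data."""
        needed = -(-len(data) // BLOCK_SIZE)          # ceiling division
        free = self.unallocated_blocks()
        if len(free) < needed:
            raise OSError("disk full")
        chosen = free[:needed]
        for n, idx in enumerate(chosen):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.blocks[idx][:] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = chosen

    def read_file(self, name):
        return b"".join(bytes(self.blocks[i]) for i in self.directory[name]).rstrip(b"\x00")

    def delete_file(self, name):
        """Delete = forget the directory entry. The blocks are NOT wiped; they are
        merely eligible for reuse by the next write_file."""
        del self.directory[name]


def carve(disk, header=b"MEMO:", footer=b"#END"):
    """File carving: ignore the directory entirely, concatenate unallocated space in
    disk order and look for header...footer pairs. Recovers whole deleted files."""
    unallocated = b"".join(bytes(disk.blocks[i]) for i in disk.unallocated_blocks())
    pattern = re.escape(header) + rb".*?" + re.escape(footer)
    return [m.group(0) for m in re.finditer(pattern, unallocated, re.DOTALL)]


def keyword_search(disk, needle):
    """Which unallocated blocks still contain the needle? Finds fragments after the
    header (and with it the carvable file) has already been overwritten."""
    return [i for i in disk.unallocated_blocks() if needle in bytes(disk.blocks[i])]


def demo():
    """Delete, recover, partially overwrite, recover a fragment, fully overwrite, lose it."""
    disk = ToyDisk()
    disk.write_file("secret.txt", b"MEMO:meet at noon#END")   # 21 bytes -> blocks 0 and 1
    disk.delete_file("secret.txt")
    whole = carve(disk)                                        # entry gone, data intact
    disk.write_file("note.txt", b"Y" * 10)                     # reuses block 0 only
    after_partial = carve(disk)                                # header clobbered -> nothing carved
    fragment_blocks = keyword_search(disk, b"#END")            # but the tail survives in block 1
    disk.write_file("big.txt", b"X" * 40)                      # reuses blocks 1-3 -> tail gone too
    after_full = keyword_search(disk, b"#END")
    return whole, after_partial, fragment_blocks, after_full


if __name__ == "__main__":
    print(demo())
```

The same sequence is what you see on a real drive: a carver such as foremost or scalpel finds the whole file only while its header and body are still intact, and once new data lands on those clusters you are left with keyword hits in slack and unallocated space, or nothing at all.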

Metadata is the all-knowing, all-seeing, end-all piece of information on a file.
Not even close. Most people think of metadata like the slip in a book you check out from the library: the slip lists everyone who has checked the book out recently and how long they had it. Metadata is not like that. While it does contain some useful information about the file, the scope of that information is much more limited than most people think. In general, here is the information contained in a file’s metadata:

I. The Author
II. MAC Times (Modified, Accessed, Created)
III. File Name
IV. File Size
V. File Location
VI. File Properties (e.g. Hidden, Read-Only)

This is still very useful information, but it is by no means the information-rich tome that people make it out to be. Note also that the author field comes from the document’s own properties (an Office document, for instance), not from the file system, and that every one of these values, timestamps included, can be changed with ordinary tools, so none of them is self-authenticating on its own.
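As an added illustration (not part of the original article), the following Python collects exactly the items in that list from a real file: the file-system side via `os.stat`, and the author from inside the document, where it actually lives. It builds a minimal Office Open XML (.docx-style) package in a temporary directory so it runs offline; the file name and the author “J. Doe” are constructed for the demo, and the creation-time and hidden-flag handling notes where operating systems differ.

```python
import datetime
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
import zipfile

DC_NS = {"dc": "http://purl.org/dc/elements/1.1/"}


def filesystem_metadata(path):
    """Items II-VI of the list: what the file system itself records about a file."""
    st = os.stat(path)

    def utc(ts):
        return datetime.datetime.fromtimestamp(ts, tz=datetime.timezone.utc)

    # Creation time is only exposed where the OS tracks it (st_birthtime on macOS/BSD
    # and, in recent Python, on Windows). On Linux st_ctime is the inode *change* time,
    # a common source of misread "created" timestamps, so it is not reported as such.
    birth = getattr(st, "st_birthtime", None)
    return {
        "name": os.path.basename(path),
        "location": os.path.dirname(os.path.abspath(path)),
        "size": st.st_size,
        "modified": utc(st.st_mtime),
        "accessed": utc(st.st_atime),
        "created": utc(birth) if birth is not None else None,
        "read_only": not (st.st_mode & stat.S_IWUSR),
        # POSIX convention; Windows stores "hidden" as a file attribute bit instead.
        "hidden": os.path.basename(path).startswith("."),
    }


def document_author(path):
    """Item I: the author is application metadata stored inside the document
    (docProps/core.xml in an Office Open XML package), not a file-system field."""
    with zipfile.ZipFile(path) as z:
        if "docProps/core.xml" not in z.namelist():
            return None
        root = ET.fromstring(z.read("docProps/core.xml"))
        creator = root.find("dc:creator", DC_NS)
        return creator.text if creator is not None else None


def make_sample_docx(path, author):
    """Constructed minimal package for the demo: only the part that carries the author.
    The value is whatever the application (or anyone with a zip tool) wrote there,
    which is why it cannot be taken at face value in an investigation."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        "<cp:coreProperties "
        'xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
        'xmlns:dc="http://purl.org/dc/elements/1.1/">'
        f"<dc:creator>{author}</dc:creator>"
        "</cp:coreProperties>"
    )
    with zipfile.ZipFile(path, "w") as z:
        z.writestr("docProps/core.xml", core)


def demo():
    """Create a read-only sample document and report everything the list promises."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "memo.docx")
        make_sample_docx(path, "J. Doe")          # assumed sample author
        os.chmod(path, 0o444)                     # mark it read-only
        info = filesystem_metadata(path)
        info["author"] = document_author(path)
        os.chmod(path, 0o644)                     # so the temp dir can be cleaned up on any OS
        return info


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>10}: {value}")
```

Run it and you get a name, a location, a size, three timestamps, two flags and an author string. That is the whole “tome”: nothing about who opened the file, from where, or how many times.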

Having a forensic software license makes someone a computer forensics expert.
If owning a hockey stick makes me an NHL all-star, then yes. I don’t know that I need to go into great detail on this issue. Since computer forensics is still such a new field, there is a lack of standards and guidelines for practicing it. If you want to practice law in America, you must pass the bar. There is no system like this in place for the computer forensics field. Therefore, there are a lot of people out there who claim to be computer forensics experts when in truth they have a decent understanding of a computer forensics program and that is about it. Simply put, would you want someone to perform surgery on you because they happen to own an MRI machine, or someone who went to school for it?

E-Discovery is an uncontrollable money-eating machine.
If you work with a veteran firm that has a lot of experience in this area, this is not the case. We do a lot of EDD work here at Jones Dykstra and Associates; I’d say about eighty percent of my time is spent doing EDD work for my clients. Most of the time when clients come to us with an EDD request, we spend a great deal of time getting background information from them, like the number of laptops, desktops, and servers they currently employ, as well as what types of information they need us to produce. Then we figure out, based on their needs, which systems we need to target. Based on this analysis we are able to give them a very accurate fixed price up front, with no hidden surprises. Our experience allows us to judge very accurately the amount of work we will have to do to produce the desired results for our clients, and thus we are able to give them a fixed price on our work most of the time.

Cell phone forensics is easy.
Not really. There are few programs available to do cell phone forensics, and those programs don’t work very well. This is due in part to the fact that new cell phones come out every day, and it’s very hard for software vendors to keep up with the ever-changing cell phone market. These programs are also targeted at older phone types, not the Smartphone/PDA/espresso-maker type that most business people use today, and in our line of work those tend to be the people targeted for investigation. These newer phones run their own operating systems, like Windows Mobile and others, which causes problems for the forensic programs. Support for many of these newer smartphones is still being tested by software vendors. Even if you are able to make a forensic duplicate of one of these phones, the data you get out of it is very hard to view.

The best available data is on running machines.
Not always; there are options that a lot of people do not consider. It is not a problem to shut down an employee’s workstation and duplicate it, but what do you do if you need to pull information from a company’s main database? Can you shut it down? How will that affect daily operations? I’ve seen the fear in the faces of a company’s IT staff when we asked them to shut down their domain controller or Exchange server. They know that those systems can be very temperamental and may not come back if we have to shut them down. A lot of the time when we are doing EDD work, the information we are looking for was created in the past. Why not pull the information we need from backup tapes? Most responsible companies keep an accurate library of backup tapes. Isn’t that the point of a backup tape, to store important company information in a non-volatile format? In the case of the Exchange server, do we really have to shut down the system to duplicate it, or can we export the mailboxes we need to PST files with ExMerge while it stays up? These are very safe alternatives to shutting down vital running systems, and they will most likely contain the information we are looking for. The one caveat is that a backup only helps when the data you need predates the last backup, which for EDD it usually does; a live intrusion, where the evidence may exist only in memory or in files newer than the last tape, is a different matter. In these scenarios everyone wins.

Computer forensics experts catch the hacker every time.
Most of the time the hackers go untouched. When companies call us in after an intrusion, they usually want us to stop the bleeding but rarely care about catching the group responsible for the intrusion. Most of the attacks we have seen recently originate in China, and there isn’t really anything we can do to stop them. We have no jurisdiction there, and the hackers know we can’t touch them. Most companies are not willing to put in the time, the money, or the effort to catch the people who attack them. They want the intrusion to stop, the attacker removed, and information on how to better protect themselves in the future.

 

Well, I hope I’ve done a decent job of dispelling some of the myths about computer forensics. It’s not as sexy as CSI makes it sound, is it? On the other hand, we do get to do a lot of cool things in the field, and we get to help a lot of people in their time of need. Those things definitely make up for the lack of flash that TV portrays.