Computer Forensics Course Comes To Canada
by Lorna Rowland
Sneaking peeks at adult Web sites on company time? Checking baseball scores, trading stocks or searching for "Star Trek" trivia, and think the boss doesn't know? Think again.
A new piece of software developed by a former government computer sleuth allows employers to find out what Internet sites their workers have visited - even if that information has been erased.
Designed as a computer forensics tool to nab child pornographers, Internet Protocol Filter is now being used by Fortune 500 companies for everything from uncovering corporate espionage to catching employees who while away the day in a World Wide Waste of time.
Forensic Computer Science involves the preservation, identification and analysis of computer evidence stored in the form of magnetically encoded information (data).
Computer evidence is often created without the knowledge of the computer operator. Because it is not accessible by usual methods, specialized software tools have been developed to read and evaluate it. These forensic computer science techniques and tools have been made available to computer security specialists, law enforcement and government agencies as they complete security reviews and internal corporate investigations.
Forensic tools and methods can be used to identify passwords, log-ons and other information dumped from memory. They can also be used to identify backdated files and to tie a diskette to the computer that created it.
Like most others, criminals are finding that personal computers are an effective way to further their activity. Criminal acts can easily be coordinated worldwide using the Internet and criminal communications can be encrypted and thus secreted from law enforcement officials.
Bomb-making recipes and other tools of terror can be shared worldwide over the Internet. Some call the Internet a crook's dream and a law enforcement nightmare. The Internet is not the only way criminals use computers: normally, money gained from illegal enterprise has to be kept track of, as do multiple bank accounts or name lists. Some criminals have even put their murder plots on disk!
A pretty bleak picture for law enforcement, you might say. That really isn't the case. Actually, the use of personal computers by the criminal element can create a wealth of valuable evidence that might not otherwise be available to investigators. The use of a computer to create and store information leaves behind 'electronic fingerprints' that can actually make or break a criminal case.
Fortunately for computer evidence specialists, personal computers were never designed to be secure. As a result, sensitive data, passwords, time and date stamps and other potentially valuable information are written to bizarre locations on computer hard disk drives and floppy diskettes as part of the normal operating process.
For corporate and government computer users, this can be the source of serious computer security concerns. But to an experienced cyber cop, such information can be a dream come true. Interestingly, most computer users are unaware that such information even exists.
Michael R. Anderson, President of NTI (New Technologies Inc.), remembers well his first testimony as an expert witness in a federal computer evidence case. It was back in 1985 and pertained to the defendant's use of a computer system that by today's standards would be considered a toy.
We have come a long way since then and have made substantial progress since creating the first computer evidence courses at the Federal Law Enforcement Training Center (FLETC) back in 1989.
With the help of seasoned software developers like Chuck Guzis, Steve Choy and Bill Haynes, New Technologies, Inc. has created forensic tools that automate the evidence processing of large computer hard disk drives.
The 'electronic crime scene' can now be preserved with programs like SafeBack, developed by Sydex Corporation. Obscure data segments containing binary (non-readable) data can now be intelligently filtered making the contents easy to view or print. Internet usage can be automatically determined on a given computer within a matter of minutes using specialized software.
Most importantly, new training courses have been spawned to deal with the demand for law enforcement and military forensic computer science training.
Just recently the University of New Haven in West Haven, Connecticut created a Forensic Technology Institute which is dedicated to such training. Also, a Training and Research Institute was recently created at the National White Collar Crime Center to deal with law enforcement computer evidence training issues.
Computer evidence is very fragile and can easily be altered or destroyed. Therefore, it is important that it is processed only by properly trained computer evidence specialists. The processing of such evidence for use in trial by an individual without proper training is like a first aid technician performing brain surgery with a pocketknife.
Back in 'the good old days', we could get away with almost anything and trial attorneys didn't know enough about computer evidence to ask the right questions. We knew very little and the attorneys and judges knew even less. However, times have changed.
Computer evidence processing procedures have evolved into standards and procedures that must be followed. Furthermore, the expenses associated with the processing of computer evidence need to be included in law enforcement and corporate budgets. While the processing of computer evidence can be expensive, short-cuts invite serious evidence problems.
Technical evidence has become more important in proving criminal and civil cases. Its importance is tied, in part, to advances in science and computer technology. However, trials like the O. J. Simpson murder trial have called public attention to potential weaknesses in cases that rely upon technology to prove a case.
In the past, expert testimony tied to science and technology was accepted without question by the courts, juries and by defense attorneys. Because of heightened public awareness, things have changed and technical evidence processing techniques and methodologies are subject to challenge.
Forensic computer expert witnesses are now frequently required to defend their findings. As a consequence, computer evidence processing methods, tools and techniques are being challenged as well. Therefore, it is extremely important that computer evidence processing be done correctly in criminal cases.
An essential part of any evidence processing is the documentation of what was done. This is important so that memories can be refreshed as to the steps taken and so the results of processing can be duplicated. This is especially true concerning the processing of computer evidence.
Computer crime cases rarely go to trial. Such cases have typically resulted in negotiated guilty pleas because computer evidence has been thought to be irrefutable. Previously, defense attorneys did not understand computer evidence issues and therefore did not question the evidence or the qualifications of the expert witness. Most experienced forensic law enforcement computer specialists will admit that they have not had to testify in court. This has been the norm for years but things are changing.
Many computer cases now go to trial and the potential exists for the computer evidence to be subjected to close legal scrutiny by the defense counsel, the court and even the jury. Computer evidence issues may be extremely complex to a jury and it is the job of the forensic computer specialist to make complex technical computer issues seem simple. Good documentation, tied to sound and consistently applied processing methods, acts as a memory refresher for the computer specialist and can make the difference between success and failure when the case goes to trial.
Michael R. Anderson, who is with NTI, says, "Over the last ten years, I am proud to have trained over 1000 law enforcement computer specialists. Some of those individuals now head major computer crime units in federal, state, county and municipal law enforcement agencies throughout the world. Since my retirement from federal law enforcement, I have also had the privilege of training several hundred computer specialists from Fortune 500 corporations, government agencies, military agencies and Big 5 accounting firms. In all of my training sessions, I have always stressed the importance of consistently following good processing methodologies. I have also stressed the importance of good documentation. It is rewarding when I hear from former students who tell me that good procedures and documentation have been their keys to success when their cases have gone to trial."
Our one-day training courses are intended to be an overview of computer evidence processing techniques and the use of NTI's new and automated computer forensic software. Be aware that this training is not a sales pitch for our software products. It is intended to demonstrate forensic concepts, risks and techniques.
These courses are now being offered in Canada. This course consistently receives high scores from the participants and has a good track record with companies like Amgen, Boeing, Southern California Edison, and Government Technology Conferences as well as government agencies like NASA.
The cost of the courses is $495 (Canadian) with some software included. For more information about Canadian computer forensic training, contact Lorna Rowland at clic business services, (905) 578-3405, or email clic@icom.ca.

