Watching the detectives
1 April 2005
Shakespeare knew a thing or two about guilty people who try and cover their tracks. As he told it, Lady Macbeth was fond of scrubbing her hands to wash away bloodstains, but she never quite managed to get them clean.
So it is with computer forensics: You might think you have deleted a file, but traces of your past deeds may remain. Appropriately enough, Dan Quealy of Ernst & Young’s Computer Forensics Division used to analyse blood found at crime scenes for the Chicago County Police. His career path has since taken him from one type of analysis to another, and for the past number of years he has specialised in computer forensics.
Ernst & Young defines this area as using computer science and legal procedures to identify and gather evidence in criminal, civil or administrative matters.
Less than two years into his post in Dublin, Quealy has overseen some 35 cases and surprisingly, he has seen far more instances here than in a similar capacity in the US. ‘There are three times as many cases as we had in Chicago, easily,’ he relates.
Why is this so? Quealy suggests a few possible reasons. In recent times, the Irish economy has become increasingly based on intellectual property, given the volume of software exported. There is a related reliance on computers which in turn has fed a massive growth in the use of e-mail.
A large proportion of the workforce — one of the youngest in the EU — is technically competent. Another unwanted legacy of the post-Celtic Tiger era has been the amount of layoffs and redundancies from technology firms, which has fostered some resentment among certain sets of people and a desire to get even. Partly to blame too, Quealy adds, is a very Irish mindset that says ‘if I can get away with it, fair play to me’.
Where employees may find their jobs at risk, the situation may be ripe for fraud or the theft of commercially sensitive information. Ernst & Young’s security practice has also been called in to investigate a variety of cases ranging from employee misconduct (distribution of pornographic material or bullying) to civil litigation (unfair dismissal cases, sexual harassment or contract violation).
What Ernst & Young provides is not a police-style service of prevention; instead, it identifies and collects evidence according to defined processes. ‘We usually get called as a reactive measure. Most of the time, companies trip across it,’ says Quealy.
Ernst & Young’s team gathers evidence of bad behaviour by examining a variety of sources: Network connections, routers, firewalls, Web servers, file servers, individual workstations and PCs, telephone switches, networked printers, databases, storage systems and backup media.
Within those areas, the places to look include the file system, unallocated space, swapfiles, browser caches, hidden files, browser history logs, mail remnants, registry entries, audit logs and Internet relay chat records.
Slack spaces in memory or storage spaces can often be crucial in helping to unearth clues or find supposedly ‘missing’ data.
Even files that have supposedly been deleted are not beyond the reach of computer forensics experts. The ‘delete’ command removes the file table entry but crucially does not eliminate the data. ‘We exploit what could be considered vulnerabilities of the file structure commonly used by computers,’ explains Andy Harbison, manager with Ernst & Young’s computer forensics team. As he points out, the fundamental design of the PC has changed little since it was first introduced in the 1980s.
Disks are optimised for speed and for that reason they are organised into sectors and clusters, a cluster being a group of several sectors. To make lookups faster, the file system addresses storage by whole clusters rather than by individual sectors. All of which results in wasted space, or slack: If a 400-byte file is stored on a disk with a cluster size of 1,024 bytes, the remaining 624 bytes of that cluster are slack space, and whatever they previously held stays there. ‘There is stuff on a disk you never realised you had on the computer,’ says Harbison.
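The two mechanisms described above, a delete that removes only the file table entry and slack left in a partly used cluster, can be modelled in a few dozen lines. The following is an added illustration, not code from the article or from Ernst & Young: a toy disk with 1,024-byte clusters and lowest-free-cluster allocation (a simplification of how FAT-style file systems behave), on which a memo is written and ‘deleted’, a new 400-byte file reuses its first cluster, and a keyword search of the raw image then recovers the memo’s remnants from both the new file’s slack and an unallocated cluster. File names and contents are constructed.

```python
"""Toy cluster-addressed disk: why 'delete' does not erase data.

Added illustration, not code from the article or from Ernst & Young.
The layout (1,024-byte clusters, an in-memory file table, lowest-free-
cluster allocation, a delete that only drops the table entry) is a
simplified model of the behaviour the article describes; the file names
and contents are constructed.
"""
CLUSTER_SIZE = 1024


class ToyDisk:
    def __init__(self, clusters):
        self.raw = bytearray(clusters * CLUSTER_SIZE)  # image starts zero-filled
        self.file_table = {}                            # name -> {"clusters", "size"}
        self.free = set(range(clusters))

    @staticmethod
    def slack_bytes(size):
        """Unused bytes in the last cluster of a file of `size` bytes."""
        remainder = size % CLUSTER_SIZE
        return 0 if remainder == 0 else CLUSTER_SIZE - remainder

    def write(self, name, data):
        needed = -(-len(data) // CLUSTER_SIZE)          # ceiling division
        clusters = []
        for _ in range(needed):
            c = min(self.free)                          # first-fit, like FAT
            self.free.remove(c)
            clusters.append(c)
        for i, c in enumerate(clusters):
            chunk = data[i * CLUSTER_SIZE:(i + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            # Only len(chunk) bytes change; the tail of a partly used
            # cluster keeps whatever it held before (cluster slack).
            self.raw[start:start + len(chunk)] = chunk
        self.file_table[name] = {"clusters": clusters, "size": len(data)}

    def delete(self, name):
        """Like the OS delete: drop the table entry, free the clusters,
        and leave every byte of the image untouched."""
        self.free.update(self.file_table.pop(name)["clusters"])

    def classify(self, offset):
        """Is this byte live file data, slack of a live file, or unallocated?"""
        cluster = offset // CLUSTER_SIZE
        for name, entry in self.file_table.items():
            if cluster in entry["clusters"]:
                logical = (entry["clusters"].index(cluster) * CLUSTER_SIZE
                           + offset % CLUSTER_SIZE)
                return (f"live data of {name}" if logical < entry["size"]
                        else f"slack of {name}")
        return "unallocated"


def carve(disk, keyword):
    """Keyword-search the raw image, ignoring the file table entirely,
    and report each hit with the region it was found in."""
    hits, start = [], 0
    while (off := disk.raw.find(keyword, start)) != -1:
        line = bytes(disk.raw[off:off + 80]).split(b"\n")[0]
        hits.append((off, disk.classify(off), line))
        start = off + 1
    return hits


def demo():
    disk = ToyDisk(clusters=8)
    # A 1,063-byte memo spanning two clusters; 'x' is filler.
    memo = (b"x" * 600 + b"CONFIDENTIAL: customer pricing, part 1\n").ljust(CLUSTER_SIZE, b"x")
    memo += b"CONFIDENTIAL: customer pricing, part 2\n"
    disk.write("memo.txt", memo)
    disk.delete("memo.txt")                             # the 'cover-up'
    # A new 400-byte file reuses cluster 0 but overwrites only its first 400 bytes.
    disk.write("note.txt", b"Meeting agenda for Monday\n".ljust(400, b"-"))
    return disk, carve(disk, b"CONFIDENTIAL")


if __name__ == "__main__":
    disk, hits = demo()
    print("slack for a 400-byte file:", disk.slack_bytes(400), "bytes")
    for off, region, line in hits:
        print(f"offset {off:5d} [{region}] {line.decode()}")
```

Running it reports 624 bytes of slack for the 400-byte file, one hit at offset 600 inside the slack of `note.txt` and one at offset 1,024 in unallocated space; neither cluster appears in the file table any longer, which is exactly why a carver works from the raw image rather than from the directory.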
Not fade away
The material investigators are asked to uncover ranges from hidden files, damaged or corrupted files and password-protected files to e-mail, Web mail, Web browsing data and Internet chat.
‘A lot of systems use log files and cache files,’ adds Harbison. ‘One which I’ve proven most people on is the Internet Explorer History. It time-stamps everything. Daily and weekly files are concatenated and they turn up in slack space or cluster slack.’ Harbison says he has been able to rebuild Websites from a disk, although he uses programs other than Internet Explorer to do so.
One case last year involved the theft of corporate data. By the time the matter was discovered, some evidence appeared to have been eliminated, but closer inspection revealed traces of Winzapper, a tool used to edit event records from the Security Log in NT 4 and Windows 2000.
Despite taking apparent care to cover any tracks, the perpetrator had forgotten to delete the Web browser cache. When these files were uncovered by Ernst & Young, they revealed searches on Google for Winzapper, along with a request to find ways to read other users’ mails in Microsoft Exchange.
This apparent contradiction in methods is not lost on Harbison. ‘We come across people being very clever in one sense and dense in another,’ he wryly says.
Another case, details of which were seen by ComputerScope, involved a company acquisition in the financial services sector. After the deal, many employees left to form a new competing company; the CEO who remained negotiated a new contract and, shortly afterwards, resigned to collect its benefits. However, an investigation revealed that the CEO had been passing sensitive information to the new company run by his former colleagues.
Ernst & Young was able to recover messages sent via Web mail accounts. E-mails recovered by the forensics team from deleted and unallocated hard disk space revealed the extent of the fraud. Amazingly, correspondence between the CEO and employees of the new company openly discussed passing customer details and recruitment of staff from the old company. ‘People are incredibly indiscreet on e-mail,’ Harbison observes. ‘They think Web mail is impenetrable; it’s not.’
On seeing the evidence, the firm was able to cancel the severance terms for its outgoing CEO and take action against the new company for breach of the original takeover agreement.
Both Quealy and Harbison emphasise that their role is not to pass judgement but simply find fact. To that end, the more information a company supplies about a particular incident, the easier it will be to find what Ernst & Young refer to as the ‘smoking gun’. ‘We need to have a context to put things in; we need business intelligence,’ says Harbison.
If companies fear they have somehow been compromised, whether through hacking or inappropriate use of PCs at work, there are steps which can be taken to ensure the situation is handled appropriately. Everything should be documented and decisions taken as to who needs to be notified that an investigation may begin — and who doesn’t. ‘If word gets around, there is a risk of files being deleted,’ Harbison advises.
No attempt should be made to gather evidence without expert advice: suspect computers, if switched on, should not be switched off, and vice versa, as either action can alter files on the disk or data in memory.
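The advice above, to document everything and to record the state in which a machine was found, is the start of a chain of custody. As an added example, not part of the article or of Ernst & Young’s own procedure, the following keeps such a record: each acquired item is fingerprinted with SHA-256 at seizure, every hand-over is logged with the handler and time, and the fingerprint is re-checked before analysis so that any change to the evidence since seizure is caught and recorded. Item names, handlers and the ‘disk image’ bytes are constructed stand-ins.

```python
"""Evidence-handling record with integrity checks.

Added example, not part of the article or of Ernst & Young's own
procedure. The article's advice is to document everything; this shows
one way to do so: fingerprint each acquired item at seizure, log every
hand-over with the power state found, and re-verify the fingerprint
before analysis. Item names, handlers and the 'disk image' bytes are
constructed stand-ins.
"""
import hashlib
import json
from datetime import datetime, timezone


def fingerprint(data):
    """SHA-256 of the acquired bytes; any later change alters this value."""
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of which evidence item was handled by whom, when,
    and whether it still matches the hash taken at acquisition."""

    def __init__(self):
        self.entries = []

    def _add(self, item, action, handler, when, **extra):
        self.entries.append({"item": item, "action": action, "handler": handler,
                             "when": when.isoformat(), **extra})

    def acquire(self, item, handler, data, power_state, when):
        """First entry for an item; fixes its hash at the moment of seizure."""
        self._add(item, "acquired", handler, when,
                  power_state_at_seizure=power_state, sha256=fingerprint(data))

    def transfer(self, item, from_handler, to_handler, when):
        self._add(item, "transferred", from_handler, when, to=to_handler)

    def baseline_hash(self, item):
        for e in self.entries:
            if e["item"] == item and e["action"] == "acquired":
                return e["sha256"]
        raise KeyError(f"no acquisition record for {item!r}")

    def verify(self, item, data, handler, when):
        """Re-hash before analysis and log the outcome; False means the
        bytes no longer match what was seized."""
        ok = fingerprint(data) == self.baseline_hash(item)
        self._add(item, "verified" if ok else "HASH MISMATCH", handler, when,
                  sha256=fingerprint(data))
        return ok

    def to_json(self):
        return json.dumps(self.entries, indent=2)


def demo():
    image = b"constructed stand-in for an image of the WS-07 hard disk"
    t = datetime(2005, 3, 1, 9, 15, tzinfo=timezone.utc)
    log = CustodyLog()
    log.acquire("WS-07 disk image", "examiner A", image, "found powered on", t)
    log.transfer("WS-07 disk image", "examiner A", "examiner B",
                 t.replace(hour=11))
    intact = log.verify("WS-07 disk image", image, "examiner B", t.replace(hour=14))
    # A single changed byte in a copy shows up immediately.
    tampered = log.verify("WS-07 disk image", image[:-1] + b"?", "examiner B",
                          t.replace(hour=15))
    return log, intact, tampered


if __name__ == "__main__":
    log, intact, tampered = demo()
    print(log.to_json())
```

The record is deliberately append-only: a failed check is logged as an entry rather than overwriting the baseline, so the log itself shows when the evidence last matched what was seized.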
If a computer forensics investigation proves successful, the benefits include minimal damage to a company’s reputation and revenue as well as better chances of recovering possible losses. Ernst & Young claims it offers a greater percentage of successful prosecutions and, on the other side of the coin, can help lower a company’s exposure to possible lawsuits.
To date, much of the work undertaken by Ernst & Young has been behind the scenes, gained through word of mouth, and it is only now that the firm has started to market its computer forensics service. And that’s bad news for anyone who has something to hide.