Forensic technology: a step ahead?

Author: Josh Ellis
Publication: Czech business weekly
Date: 9. 10. 2006


The IT industry is one of the fastest evolving; the technological advances that we see year on year are matched by few other industries. Every week there is a new breakthrough resulting in the development of new hardware and software - leaving in their wake a trail of obsolescence.

The nature of the industry is highly competitive, with software and hardware firms playing a constant game of one-upmanship. Every new product launched by one firm is quickly damned to obsolescence by the release of a competing product. What, however, of those organizations which are pitted in a battle of mutual destruction? Take, for example, the nefarious individuals and groups who build viruses to disrupt our everyday lives. These viruses often infect and temporarily debilitate a number of organizations until one of the security firms (e.g. Symantec, McAfee, the Brno, South Moravia-based Grisoft, etc.) develops a “cure” (removal tool / patch) and a “vaccination” (virus definition updates).

Forensic technology is a discipline that has developed alongside law-enforcement and investigative teams over the years to cope with the increasing volume of evidence and information stored in electronic form. The discipline aims to preserve, capture and analyze electronic evidence in such a way that the presented findings may later be admissible in a court of law. Whenever information technology is used as a tool to help commit a crime, is the target of the crime, or harbors data which supports a crime, the ability to provide evidence from these systems using forensically proven methods can give critical support to an investigation or legal proceeding.

As with all industries associated with technology, the ability to adapt and grow with technological advances should separate those who fail from those who succeed. However, forensic technology specialists, while subject to the ebb and flow of the IT industry, don't quite fit the “adapt or die” model.

If one were to extrapolate from this current trend, we might expect a continuous battle between these competing organizations to stay one step ahead of each other, in a seemingly endless contest of one-upmanship. This would presumably mean the end of a viable role for the forensic technologist, given that the information would be “so well-protected” that, without illegal means, we would not be able to penetrate the layers of security to gain access to the underlying data to support (for example) one of our corporate fraud investigations.

The trail of evidence

However, it could be argued that this isn't the case. There is an underlying theme which we investigators and forensic technologists rely upon when considering any form of investigation: people make mistakes. These “mistakes” often fall into three categories when considering information technology:

First, the target organization’s IT department hasn't implemented suitable measures to protect their colleagues’ data. Alternatively, they have implemented them, but badly. During my career in forensic investigations, I have only come across a handful of instances where there has ever been any form of encryption implemented on a firmwide scale across all workstations. Only one of these instances required discussion with the IT department to circumvent the protection with an administrator override.

The reason, perhaps, for this apparent shortcoming of the IT department is that implementing such solutions is costly, time-consuming, and requires highly skilled personnel. This “cost” often outweighs what senior management considers to be the benefits that such a solution provides.

The second mistake is simply a lack of understanding of how a computer system works. A key example of this is the deletion of data. In the days of the quill and parchment, it was straightforward: in order to destroy the information “encoded” on the parchment, one would simply have to offer the parchment to the table candle; instant destruction. However, today when someone deletes some information from the computer, it doesn't mean that the information is gone. The fact is that the only thing deleted when we drag-and-drop a file into the recycle bin is the “index card” to that file. The underlying content is still there, fully intact. When we delete an e-mail, the e-mail may still reside in the local e-mail system, simply with a “deleted” flag against the data. Countless additional copies of that e-mail may be in other people’s mailboxes on the company’s e-mail server. Gone are the days of risk-free destruction of information. Until users fully understand the machine that they are using, and the implications of their actions, there will always be information scattered across computers in unexpected places.
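The “index card” point above, as an added example that is not part of the article: a miniature FAT-style volume in which deleting a file only overwrites the first byte of its directory entry (real FAT uses the marker 0xE5 for this), so a recovery routine can still read the content. The block size, entry layout and file names are a simplified construction for illustration, not the real FAT format.

```python
"""Added example (not from the article): a toy FAT-style volume showing that
deletion marks the directory entry and leaves the file's data blocks untouched.
The layout is a simplified construction, not the real on-disk FAT format."""
from __future__ import annotations
import struct

BLOCK = 16                      # constructed: tiny blocks keep the image readable
ENTRY = struct.Struct("<8sHH")  # name (8 bytes), first block, length in bytes
DELETED = 0xE5                  # FAT really does replace the first name byte with 0xE5

class ToyVolume:
    """A directory table of fixed-size entries followed by a data area."""
    def __init__(self, entries: int = 4, blocks: int = 8) -> None:
        self.dir = bytearray(ENTRY.size * entries)
        self.data = bytearray(BLOCK * blocks)
        self.next_block = 0     # bump allocator: freed blocks are never reused here

    def write(self, name: str, content: bytes) -> None:
        for i in range(0, len(self.dir), ENTRY.size):
            if self.dir[i] == 0:                      # free directory slot
                start = self.next_block
                self.data[start * BLOCK:start * BLOCK + len(content)] = content
                self.next_block += -(-len(content) // BLOCK)   # ceil division
                ENTRY.pack_into(self.dir, i, name.encode().ljust(8), start, len(content))
                return
        raise OSError("directory full")

    def delete(self, name: str) -> None:
        """What the OS does: flip one byte of the index card; data is untouched."""
        for i in range(0, len(self.dir), ENTRY.size):
            if self.dir[i:i + 8].rstrip(b" ").decode(errors="replace") == name:
                self.dir[i] = DELETED
                return
        raise FileNotFoundError(name)

    def listdir(self) -> list:
        """What the user sees: entries that are neither free nor marked deleted."""
        return [self.dir[i:i + 8].rstrip(b" ").decode()
                for i in range(0, len(self.dir), ENTRY.size)
                if self.dir[i] not in (0, DELETED)]

    def recover_deleted(self) -> dict:
        """What a forensic tool does: follow entries whose first byte is 0xE5.
        The first character of the name is lost, so it is shown as '?'."""
        out = {}
        for i in range(0, len(self.dir), ENTRY.size):
            if self.dir[i] == DELETED:
                raw, start, length = ENTRY.unpack_from(self.dir, i)
                name = "?" + raw[1:].rstrip(b" ").decode()
                out[name] = bytes(self.data[start * BLOCK:start * BLOCK + length])
        return out
```

A real allocator does hand freed blocks to later writes, so the recoverable content survives only until those blocks are overwritten; that window is what a forensic acquisition tries to capture.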
         
Third - and perhaps, in my mind, most importantly - human nature is the biggest and most significant weakness in any attempt to tie down and secure data. When we are asked to think of a secure password, we are disappointingly predictable. Given a choice between the password “09jaDSd” and “letmein,” I know which one most people would choose. We aren't good at remembering purely “random” strings of information; we much prefer a pattern to follow. Therefore, statistically, passwords tend to contain names, dates of birth and addresses, with perhaps some variations on those to make them marginally more complex (e.g. letmein becomes l3tm3in). Even if the password isn't located on a post-it note on the edge of the user’s computer screen, it's not usually a large problem to use recovery tools to quickly identify such straightforward passwords. The fact remains that the most complex and secure encryption suite, with a complexity designed to require x-thousand years of computing power in order to break, is rendered entirely useless by our own inability to remember a suitably complex password.
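The predictable patterns described above, seen from the defender's side as an added example that is not part of the article: a password screening check that undoes the “marginally more complex” substitutions (l3tm3in back to letmein), strips a trailing year, and rejects names and date-like numbers. The common-word list and the names are a small constructed sample; a deployment would screen against a full breached-password list.

```python
"""Added example (not from the article): screening new passwords for the
predictable patterns the text describes. COMMON and NAMES are constructed
samples standing in for a real blocklist."""
import re

# Reverse the usual letter-for-digit swaps: 0->o 1->i 3->e 4->a 5->s 7->t @->a $->s !->i
LEET = str.maketrans("013457@$!", "oieastasi")
COMMON = {"letmein", "password", "qwerty", "welcome", "monkey"}   # constructed sample
NAMES = {"josh", "ellis", "prague"}                                # constructed sample
# Four-digit years, d.m.yyyy / d-m-yy style dates, or a bare six-digit date
DATE_RE = re.compile(r"(19|20)\d{2}|\d{1,2}[./-]\d{1,2}[./-]\d{2,4}|\b\d{6}\b")

def normalize(pw: str) -> str:
    """Undo case and leet substitutions so l3tm3in and LetMeIn both read letmein."""
    return pw.lower().translate(LEET)

def weaknesses(pw: str) -> list:
    """Return the reasons a password is predictable; an empty list means none found."""
    lowered = pw.lower()
    base = normalize(lowered)
    core = normalize(re.sub(r"\d+$", "", lowered))   # drop a trailing year: letmein2006
    found = []
    if len(pw) < 8:
        found.append("too short")
    if base in COMMON or core in COMMON:
        found.append("common word (after undoing leet)")
    if any(n in base for n in NAMES):
        found.append("contains a name")
    if DATE_RE.search(pw):
        found.append("contains a date-like number")
    if len(set(pw)) < 4:
        found.append("too few distinct characters")
    return found
```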
      
In conclusion, I believe that the forensic technology profession will have a place in future investigations, regardless of the technological leaps in the area of data security that we see happening around us on a daily basis, simply because the combination of prohibitive implementation cost to firms, users’ lack of IT knowledge, and our human nature will always provide the necessary “chink in the armor” to enable our investigative goals.

Contacts
Josh Ellis
Forensic Technology Solutions
+420 251 156 209
 

© 2008 PricewaterhouseCoopers. All rights reserved. PricewaterhouseCoopers refers to the network of member firms of PricewaterhouseCoopers International Limited, each of which is a separate and independent legal entity.