The practice of interacting with information facilitates early case assessment by allowing access to documents and correspondence that meet specified criteria. Finding critical information early saves you and your clients money. Processing a hard drive can quickly provide information to evaluate how to proceed with a case, and sometimes, whether to proceed at all. For example, the existence or absence of the words “Enron,” “Madoff,” or “cement shoes” in email correspondence on a computer may make a difference in the direction of a case. This triage process is intended to allow the potential evidence, or in this case, containers of evidence (hard drives), to be quickly included, eliminated, or ranked in order of importance to the overall case. The earlier days of computer forensics allowed for casting a wider net when fishing for digital evidence, as the ponds were much smaller. It wasn’t that long ago when 20-gigabyte drives were the norm.
Now that we are dealing with oceans of data (terabyte-size drives are not uncommon), a process must be employed to quickly verify:
1. If there is relevant data;
2. Whether or not the data is actually useful;
3. Its importance to the overall case.
The focus must be on genuine investigation as opposed to data review, and be outcome-specific, instead of process-oriented. The expected result would be a more focused pool of files with greater evidentiary value, instead of a large-scale production of documents that simply meets keyword criteria. The relative ease of access to data today is challenged by the rate at which data is created and stored, even that which is relevant. The potential for reducing overall case costs is in the triage process of inclusion, elimination and ranking.
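As an added illustration (not from this newsletter or its authors), a small Python script that performs the inclusion, elimination and ranking step described above on constructed sample documents grouped by drive; the keywords follow the newsletter's own examples and the document text is made up:

```python
import re
from collections import Counter

# Constructed sample: documents grouped by the evidence container (drive) they came from.
SAMPLE_DOCS = {
    "HDD-01": [
        "Re: Q3 numbers - the Enron deal is off, call Madoff's office",
        "Lunch Friday?",
    ],
    "HDD-02": [
        "Weekly status report, nothing to flag",
        "Vacation photos attached",
    ],
    "HDD-03": [
        "He said they would end up with cement shoes if the wire didn't clear",
        "Enron memo forwarded per request",
        "ENRON ENRON ENRON",
    ],
}

KEYWORDS = ["Enron", "Madoff", "cement shoes"]


def keyword_hits(text, keywords=KEYWORDS):
    """Case-insensitive, whole-phrase hit counts for each keyword in one document."""
    counts = Counter()
    for kw in keywords:
        pattern = r"\b" + re.escape(kw) + r"\b"
        counts[kw] = len(re.findall(pattern, text, flags=re.IGNORECASE))
    return counts


def triage(containers, keywords=KEYWORDS):
    """Include/eliminate each container, then rank the included ones.

    Rank order: number of distinct keywords matched, then total hits,
    then number of responsive documents (a breadth-before-volume heuristic)."""
    results = {}
    for name, docs in containers.items():
        total = Counter()
        responsive_docs = 0
        for doc in docs:
            hits = keyword_hits(doc, keywords)
            if sum(hits.values()):
                responsive_docs += 1
            total.update(hits)
        distinct = sum(1 for kw in keywords if total[kw])
        results[name] = {"distinct": distinct, "hits": sum(total.values()),
                         "docs": responsive_docs,
                         "decision": "include" if distinct else "eliminate"}
    ranked = sorted(results, key=lambda n: (results[n]["distinct"], results[n]["hits"],
                                            results[n]["docs"]), reverse=True)
    return ranked, results
```

On the sample above the script eliminates HDD-02 and ranks HDD-03 ahead of HDD-01, since both match two keywords but HDD-03 has more hits spread across more documents.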
Another tip for saving money in computer forensics is to have the hard drive copied in your analyst’s office, but sometimes that is not possible. We imaged a 500GB hard drive yesterday that we billed just an hour to remove from the computer, hook up to ours for imaging, verify the image and reinstall in the case. All the imaging was being done in another room while we were employed on other matters. In the field, that would have taken seven or more hours on site, plus any travel time and expenses.
Conducting Surveillance
It might be the economy, but there are two types of assignments where we’ve seen a marked increase: surveillance and asset searches. We’ll save the latter subject for a future newsletter.
Surveillance is simply the monitoring of behavior. Sub rosa investigations are often critical to evaluating the validity of a worker’s compensation claim or personal injury lawsuit. Videotape, photographs or eyewitness testimony provide valuable evidence to support or impeach a person’s testimony.
Surveillance is also used in domestic cases when infidelity is suspected, in matters of employee theft or productivity, child custody, insurance fraud, staking out a subject to serve process, etc.
It is important to get the right people doing this work. There are many to be found in the Yellow Pages at a pretty low hourly rate. Our investigators are mainly former local law enforcement in narcotics, retired DEA agents, and workers comp investigators. We have an active case right now where, just this morning, our investigator surveilled the subject to the home of his ex-wife, who is his client. We just spoke to the client, who looked for our investigator and was left wondering why the subject wasn’t being followed. Our investigators are that good!
To increase the chances of success, the following should be provided:
Pictures of the subject
Description of subject’s vehicle
Home & work address & all phone numbers
Places the subject may frequent
Best times to catch the subject
Sometimes the subject may require more than one investigator because he expects to be surveilled, or because of other difficult situations such as erratic driving, etc. Other times we may have to temporarily terminate efforts if we think that the subject may have noticed he was being followed, or there are increased risks to that effect.
But in terms of visual evidence, a picture is certainly worth a thousand words. Video? Even more.
Copiers today are less like the mimeograph machines that we grew up with and more like computers. Many copiers scan in the documents before printing, and can temporarily suspend copying while changing paper, fixing a jam, etc. The copier is actually storing the image on a hard drive so it can be printed once the problem is resolved. Many copiers also serve as printers, so documents sent by a single computer, or multiple computers on a network, are also stored on the hard drive.
What does this mean to us? If your copier is ever used to duplicate confidential or sensitive information, then you might be interested to know that the data is still there: http://www.cbsnews.com/video/watch/?id=6412572n&tag=api
A Source and a Threat
The images that remain on a copier’s hard drive can contain evidence that can be acquired through computer forensics tools. When searching for evidence, the copier seems like an obvious place to look, and should be considered when drafting demands for inspection.
There is also an obvious threat here . . . your data. Manufacturers are now realizing that threat, and are including an option to erase the image from the hard drive after printing. When returning a leased copier, or selling one, steps should be taken to sanitize the hard drive to protect your or your clients’ sensitive data. We provided a couple of ideas on data wiping software in an earlier email. One may have to purchase a new hard drive from the manufacturer, but the effort and cost involved in securing your data are minuscule compared to the potential costs if that data were compromised.
By now, most people are aware of cell phone tracking programs, such as FlexiSpy (http://www.flexispy.com/), which allow for remote monitoring and tracking of cell phones and PDAs. Computers can also be compromised with programs such as eBlaster (http://www.spectorsoft.com/). There are ways to detect these through computer and cell phone forensic examinations.
The need for also detecting intelligence gathering devices at homes, offices, vehicles and telephones appears to be on the rise . . . at least judging by the number of calls we are receiving. The U.S. State Department once estimated that at least 800 million dollars of illegal bugging and eavesdropping equipment is imported and installed into corporations in the United States each year.
Technical surveillance counter measures (TSCM), broadly referred to as “bug sweeps,” are designed to detect listening devices, hidden video cameras, wire taps, GPS tracking, etc. Trained personnel with an arsenal of expensive equipment regularly identify these surveillance devices.
How do I know if I need a TSCM inspection?
Warning signs include: your secrets are not secure from the media or your business competitors; sounds come from your phone’s handset after it has been hung up; your radio has suddenly developed interference; you’ve been burglarized but nothing was taken; electrical wall plates appear jarred; white drywall dust is on the floor; furniture has been moved slightly; service or delivery trucks are starting to park nearby; TV, cable, air conditioning or plumbing repair people appear to do work when no one called them; certain items have appeared at your office or home, such as a lamp, clock, exit sign, radio, sprinkler head, picture frame, etc.
What is the cost?
We have two levels of service, depending on your need and budget.
One of our subcontractors has over $100k invested in his equipment, and if there is a bug, he will likely detect it. He has successfully completed the best training available in private industry. Fees start at $1500 to $2000.
Our other subcontractor spent a career in the FBI doing TSCM inspections to Department of Defense standards, and has spent nearly $2M on his equipment. If there is a bug, it will be secured. Fees start at $4500 to $5000.
Some of the variables influencing cost are the number of rooms, square footage, number of vehicles, number of telephones, etc.
A word of Caution . . .
There are “security consultants” who offer these services at a much lower rate. There are some rudimentary techniques and inexpensive equipment available for people desiring to provide TSCM services. Inquire as to how many hours of training they have, where they trained, how many cases they have worked, how much they’ve invested in their equipment, etc. If they are retired from one of the various alphabet agencies (FBI, CIA, DEA, etc.), ask how much of that time was actually dedicated to TSCM.