Data forensics: You can run, but you can't hide
November 2, 2009
When data forensics expert John Dodge goes searching for something, he claims he usually finds it.
"Short of pulling the hard drive out and throwing it into a furnace, computer users almost always leave tracks," says Dodge, director of Business Risk Services for the New York accounting firm of Anchin, Block & Anchin LLP (and unrelated to the author of this article).
"Hiding or deleting data does not provide safe harbor," he said. "If you want to ensure it's gone, gone, gone, there are tools and technology to thoroughly scrub the hard disk. Short of that, fragments of data exist," he said.
What is data forensics? Dodge, a lawyer and an electrical engineer, defines it as the extraction and analysis of computer data in raw form.
Dodge has the same skill-set and background as Joseph Looby, who searched through Bernard Madoff's computers to help document the latter's massive fraud. Looby, citing an active investigation, would not comment for this story.
But one investigation into employee theft and fraudulent schemes for personal enrichment that Dodge is currently conducting has similar scale: it involves searching through two million e-mails. "Give me a pile of data and once we have a discussion about what we are looking for, there's a very good chance we will find it," he said.
Where does he start and what does he look for?
First, he takes a forensic image of the hard drives to preserve them as bit-for-bit originals, using a hardware device called a write-blocker that sits between the target computer and the one to which the hard drive is being copied. Investigators then hit "disk copy" on the menu screen. The duplicator Dodge uses is a model TD1 from Tableau LLC.
Assuming he understands what he is after, he defines his search terms. The tools of the trade include programs such as EnCase Forensic, an application from Guidance Software that lets users capture images of what was once on a drive and turn them into legally admissible evidence in court, as well as the Forensic Toolkit from Digital Intelligence, which recovers passwords and searches through e-mail.
"There's a half dozen other tools depending on what we are doing. In most cases, we're looking for deleted e-mail. You spend 80% examining or looking for e-mail, trying to piece together a story in support of a particular position," he said.
The tools allow data forensics examiners to search through recovered content. Data remnants are interesting because they indicate deleted e-mails or documents.
Since the term "fraud" is rarely used in e-mail, he looks for phrases like "keep it under your hat" or "this conversation never took place." On the other end of the spectrum, he sifts through e-mails that are too business-like and devoid of incriminating language.
Even if e-mail custodians manage to scrub one disk, they often don't realize the same e-mails likely reside on different computers, he says.
He always validates his initial result by replicating it using another tool and method to make it more convincing to a judge or jury.
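The three steps the article describes, acquiring a bit-for-bit image, searching its raw bytes (including unallocated space where deleted messages linger) for tell-tale phrases, and confirming a hit with a second, independent method, are shown below in a small added example. This is illustrative code written for this page, not Dodge's procedure or any tool's implementation: the "disk image" is a constructed byte string with one allocated message and one deleted fragment, the sector size and phrase list are assumptions, and real acquisitions would hash the physical device rather than an in-memory buffer.

```python
import hashlib
import re

# Constructed sample "disk image" (not real evidence): sector 0 holds a
# live message, sector 1 holds leftover bytes of a deleted message whose
# directory entry is gone but whose content was never overwritten.
SECTOR = 512  # assumed sector size
ALLOCATED = b"From: alice@example.test\r\nSubject: Q3 numbers\r\n\r\nAttached are the figures.\r\n"
DELETED_FRAGMENT = b"...please keep it under your hat, this conversation never took place..."
PHRASES = ["keep it under your hat", "this conversation never took place"]  # assumed search terms


def build_sample_image() -> bytes:
    """Lay out the constructed image: allocated sector, unallocated
    sector containing the deleted fragment, then one empty sector."""
    allocated = ALLOCATED.ljust(SECTOR, b"\x00")
    unallocated = (b"\x00" * 100 + DELETED_FRAGMENT).ljust(SECTOR, b"\x00")
    return allocated + unallocated + b"\x00" * SECTOR


def image_hashes(data: bytes) -> dict:
    """Hash with two independent algorithms; an acquisition is accepted
    only when both digests match the ones taken from the source drive."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def verify_acquisition(source: bytes, image: bytes) -> bool:
    """True only when the image is a bit-for-bit copy of the source."""
    return image_hashes(source) == image_hashes(image)


def keyword_search(image: bytes, phrases, context: int = 20) -> list:
    """Scan the raw bytes, allocated and unallocated alike, for each phrase
    (case-insensitive) and report offset, sector and surrounding bytes."""
    hits = []
    for phrase in phrases:
        pattern = re.compile(re.escape(phrase.encode()), re.IGNORECASE)
        for m in pattern.finditer(image):
            start = max(0, m.start() - context)
            end = min(len(image), m.end() + context)
            hits.append({
                "phrase": phrase,
                "offset": m.start(),
                "sector": m.start() // SECTOR,
                "context": image[start:end].decode("latin-1"),
            })
    return hits


def naive_scan(image: bytes, phrase: str) -> list:
    """Second, deliberately different method: a plain find() loop over a
    lower-cased copy, used to reproduce the regex result independently."""
    needle = phrase.lower().encode()
    haystack = image.lower()
    offsets, pos = [], haystack.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = haystack.find(needle, pos + 1)
    return offsets


def cross_validate(image: bytes, phrases) -> bool:
    """True when both search methods agree on every phrase's offsets, the
    kind of replication that makes a finding easier to defend in court."""
    for phrase in phrases:
        regex_offsets = sorted(h["offset"] for h in keyword_search(image, [phrase]))
        if regex_offsets != naive_scan(image, phrase):
            return False
    return True


if __name__ == "__main__":
    img = build_sample_image()
    print("image verified:", verify_acquisition(img, img))
    for hit in keyword_search(img, PHRASES):
        print(f"sector {hit['sector']} offset {hit['offset']}: {hit['context']!r}")
    print("both methods agree:", cross_validate(img, PHRASES))
```

Note that the word "fraud" never appears in the constructed image, so a search for it returns nothing, while both phrases are found in sector 1, the unallocated region, which is exactly the kind of remnant the article says examiners look for.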
Therein lies one of his biggest challenges: making his findings understandable. Another is that there are many places on a storage drive where traces of content once stored on the machine can be found.