Rebecca Mercuri on Computer Forensics


1. My name is Ryan Slobojan and I am here with Dr. Rebecca Mercuri, the owner and CTO of Notable Software. Rebecca, what is computer forensics?

Computer forensics is a field of exploration, of study, but it's basically a field that relates to the legal preparation of any type of computer data for use in courtroom purposes. So any type of forensics, whether it be DNA forensics, ballistics, whatever: when they say the word "forensics" it means the special preparation for use as courtroom evidence. And it can also deal with generating reports, chain of custody of evidence, dealing with the evidence in particular ways that are considered to be forensically sound, so it has all these aspects. But basically computer forensics itself deals with any type of computer-related data (it could also include hardware, etc.), but the preparation of it and reports based on this data for courtroom purposes.


2. When I think of computer forensics, the first thing that comes to mind is that there is some kind of criminal activity and you are trying to bring somebody to justice or something like that. But what things fall within the wider scope of computer forensics, such as intellectual property?

Correct. A lot of times we are especially exposed to the media these days, and a lot of the TV shows like Numbers and CSI are basically from the standpoint of prosecution and law enforcement, and so you basically see people doing computer forensics or trying to get data, digging data out, and so you think of it as essentially the bailiwick of law enforcement, prosecution, and dealing with criminal cases, and that is one aspect. But of course there is the other side of that aspect, which is criminal defense, so criminal defense forensics is a whole different view of the data, and it would be used to try to exonerate the person of whatever charges they would have, and also maybe to try to lower those charges, to try and explain what happened with that.

So there is a double side of that in the criminal area, but forensics could be used in a multitude of different ways in civil cases, so again in the court and also in legal matters. You have laws, you have dealings with criminal matters, you have civil matters, and you also have municipal matters, things that have to do with cities, towns, states, international law, international forensics, so all of those aspects would be under the greater scope of forensics. So it doesn't have to be a criminal thing; people think of it that way, but it doesn't have to be just that.


3. What are some examples of forensics being used in an intellectual property matter?

We have had a lot of cases recently that are very similar, and it's sort of a concern: when you see multiple cases that are similar there is usually some sort of gap in understanding. Why are people doing this same thing? I don't think that they would necessarily be doing it deliberately if they knew they were violating some sort of law. We have copyrights, we have patents, we have ways of protecting intellectual property, and it's basically for the inventors, the creators, to be able to gain the most value sort of close up to when they created that item. And then later those items go into the public domain.

So we are concerned in particular about people using or infringing on this intellectual property before it goes out of the private domain of being assigned to a particular company or business or entity or person. As I said, we are having a number of cases recently where you see a company that may have been bought up by another company; there are a lot of mergers going on, so you see that all the time. When there are mergers, sometimes the general partners, people who have been employees for a long time, maybe some of the founders, find themselves on the outside; they may be encouraged to leave or maybe they would be fired.

And unfortunately what we sometimes see is that people then take the data. They may take data, they may take files, they may take software (in particular, because you are interested in software), they may take the programs that they wrote, thinking "I wrote this stuff, I created these files, these are mine." But no, they are not. There are all sorts of rules, and again they are different from country to country, they are different in particular settings: if you were considered a work-for-hire, if you signed an agreement to sign those seeds of intellectual property over, or if you were a contractor, depending on your instance, how you were working for the company. You could even be an owner of the company and you may not own your intellectual property; on the other hand you may be an owner of the company and you may find that they own everything of yours, and now you are not an owner of the company anymore and now you have to deal with all the loss of what you thought was your intellectual property.

These types of situations we are seeing more commonly now because of financial issues. Companies are being taken over, people find themselves on the outs, and then all of a sudden they find themselves on the wrong side of a lawsuit, where they have gone out and started up another company, in some cases very similar, could be a competing company; they are using the information about the clients, they may be using very specific information about the clients that they once had, and also in particular they are reusing the software.

I have had some cases where thousands of files have been removed. It's very easy these days: you dump them onto one of those USB drives. In the older days it was all on the server somewhere, it wasn't that easy to get out all that intellectual property, but now on your way out, if they haven't closed your account, you start dumping this stuff down and now you are using it in another setting that, again depending on the legal requirements (I am not saying it's wrong in all instances), you need to check with a lawyer about. And what people aren't doing is that check: they are using this stuff, they may even be using the tools, for example they might be using some Microsoft compilers, and those compilers were purchased by the other company and they don't have the right to use them.

So all of this stuff is involved with when you have exited. If you are starting up another company or another business, whether it's the same or different, you really need to be careful and check with lawyers before you go ahead and use that, because in the future you may find yourself on the back side of these lawsuits. As I say, we see in these instances where you have thousands and thousands of files, and it's very, very costly to have someone like myself, someone who does expert witness work and provides forensics testimony, look through these thousands of files. It could wind up costing the company a lot of money to have me or a team of people that I work with look through all this code and come up with similarities and comparisons in order to try to exonerate you from that. If it's based in any way, if you might just use it as a template and now the structure is sort of the same as the code that has been migrated, these people will really try to say you based this on something that you had from us before, or that you thought was yours. One of the problems they have is that you sort of come at it with a blank mind; you know how you designed a program.

We as programmers (I wrote programs for a living for many years before I got into this field), we as programmers tend to do the same things all the time. So my code will look different from your code, but my code has my own personal flavor to it, so it's very difficult to separate out: if I have already solved a problem, I will solve it again in a very similar way. It's very difficult to separate out the fact that I have thought of this before and now I am just reconstructing it from scratch, or am I reconstructing it from materials that I had? So if you happen to have these materials, and then we are looking at timestamps and version controls and things like that, that will actually work against you in showing that you had that material: if the comments are exactly the same, if they happen to use customer names in the middle of your comments, things like that, initials of people that weren't working at the new company, stuff like that.

When we see that in code it's a sticky situation, because you are dealing with "Well, there is some evidence here that shows that you did really use this code that you had before." So these are the types of things I think people need to be looking at, especially if they are migrating from company to company. Even just as a single employee, you leave one company, you go to another company, you may be signing all these release forms; you really should keep copies of all those, and any time you are thinking of reusing code that you had before you really need to have a lawyer look at it. So even when you are creating that, when you are signing those agreements at the outset, just because someone is giving you one of these agreements it doesn't mean that it's completely immutable and you will not get hired if you don't sign that, although in this climate with financial problems, maybe you should not argue about it.

But quite often, I mean in my company we have our own standard contracts, but people will often want a change in that. All contracts are changeable, and you can work with an attorney or with the other side to have the contract written the way you want it. These are the types of things that can protect you at the outset so that you don't wind up with these intellectual property issues later, but they can be very, very big problems, and we've had cases where millions and millions of dollars almost spelled the end of a company when they lose their intellectual property that they thought was theirs, which really wasn't theirs. So, that's the situation with that.


4. So we've talked about the software side of forensics, where we have the source code available. Are you also involved in forensic recovery of data from damaged storage?

Yes, it could just be damaged or it could be regular storage. A lot of times people have deleted files, and as we know, when you have deleted files it never goes away, it's sort of sitting there. Hard drives are so big now that, whereas we used to, when you had like twenty MB and that was big, overwrite whenever you were adding more files, they would overwrite them rather rapidly. Now you have got a terabyte hard drive, and depending on how long you use it and how big the files are, you may never overwrite the things you delete; it will just keep using new areas of the hard drive. So everything you ever did for the last two or three years may still be sitting there on the hard drive, whether you thought you deleted it or not.

We oftentimes have to recover those materials. Again, those could be used in the type of civil work that I was talking about, but also in the cases of criminal work; oftentimes we are asked to recover the materials that are on the hard drive to try again to prove or demonstrate (I usually work on the defense side) to exonerate the person, and to provide additional evidence that shows that, well, they really weren't there, because they were on the computer, or they were doing this, that and the other thing, and here are some of the things they were talking about on the computer that would also help the client in defending themselves. There is a whole host of reasons why people would be looking for that type of thing.

We also look for system files, like the page files, we look at thumbnails, thumbnail images, a lot of the different system log files, especially on Windows computers; we look at Macintosh computers, we look at pretty much any type of computer, and sometimes we have to recover completely damaged hard drives. But the difference between this type of recovery and the type of recovery you get when you go to your IT department, or when you go to some computer repair shop, is that they are just trying to recover what they can, doing the best they can with it, trying to get the filenames back if they can and just put them on another drive.

We have to follow forensic rules of protecting the evidence, keeping a trail of how we got this, using particular forensics methodologies, and we do things like authentication of the files; we'll create hash numbers for the files. And when someone asks us, we often get calls, "Can you recover this hard drive?" and I say "Yes, we can recover this hard drive, but you don't want to pay us to do that, because forensics charges you five times as much as the guy down the street, so go to him for that type of thing." We could do it that way, but we are not really geared for that; we have special computers that we use, special drive bays, write-protected, so that anything that we do to that drive cannot damage, or change or alter that drive in any way.

If we need to forensically recover something from a crashed drive space, we may read it multiple times, over and over again, to see if we could get a stable read of that crashed spot. And as I said, we are also doing other special things when we are doing the recovery process, from deleted areas, or even slack space: say you have a Microsoft Word file and it takes up a certain number of sectors on the hard drive; there is a little bit of the last sector left over, and that could be stuff that was overwritten from a previous file.

So we will even recover that stuff too. So there's a lot of stuff on there, pretty much anything you have done recently and a lot of stuff from the past is on there, and so we are doing that type of extensive recovery effort, but we also have to prepare the materials forensically for use in courts, and that involves running reports about the methods that we use, and that is a part of our forensic recovery process. So it's more than just your regular recovery: a little bit additional, and a lot of extra work and hardware that we use in order to do that.


5. So if I am in some company and I suspect, for instance, that I had some kind of intrusion, or that an employee might be doing something at one of the computers, what approach should I take if I want to essentially do forensics on it and identify what's going on there?

Right, we hear about that; we get that type of case as well. And it could even be in your home, when you are suspecting your spouse of some impropriety or something like that. The unfortunate thing that people do is, they are suspicious of something and they don't want to make a phone call or spend any money first, so they start typing into the computer and looking at stuff. Well, now they have affected the evidence; they may have changed dates, timestamps, they may have altered the evidence, and that will be used against that evidence in court by the other side. They will say, "Well, you planted it; the rest of the dates and times I wasn't even in town," etc., etc.

So we are very concerned about that when people come to us and say "We'd like you to look at this," and then I ask them some questions and we find out that things have been running rampant and people have been checking into what's on the hard drive and now all the dates and numbers and times have been changed. The best thing you can do is just freeze things. If you are really suspicious about something that is going on, call someone, call a forensics person, and then have them examine the drives so they would examine it in a forensic way. Don't take it to your local computer store, because they will not do it in a forensic way. And then for big servers, mainframes, that sort of thing, you have your backup tapes.

One of the things that companies do is back up. Because every day you back up, or if you back up more frequently, you have a day of the week or the month you back up, your backup cycle, you are not going to keep all these backups, so you usually overwrite on a certain prescribed schedule: you might overwrite all your daily backups after a month, or you might overwrite your monthly backups after a year, whatever. The problem is that if you start overwriting, you are now destroying the evidence that you have. So what I tell people to do is to freeze all your backups. You want to freeze all your backups; just buy more drives for your backups or whatever.

Don't be overwriting any of your backups, and make sure that they are preserved; make sure everybody knows these are not to be used; put them in a lockdown if you can. That is the first step, not destroying backups. And then you also want to run your logs, so usually you have your system logs, and if you have that type of service running you want to make sure you collect all that data as well. And again, working with the forensics person: the forensics person doesn't necessarily have to be there, but you need to get the advice early on and then work with them to have them counseling you; you may have to pay them to do that.

If you have good IT people, the forensics person may be willing to work directly with the IT people and tell them what to do. So you really want to make sure that you preserve as much of this data as you can, in a forensic way. And that also includes live data on the live computers. So one of the things people have been accustomed to doing is shutting down the laptop or the PC and then bringing it in for the forensic service to do this examination or to take the data off it. Oftentimes the information that you want is in the live RAM, and as soon as you shut that off, you have now lost this. So new forensics practices are actually being adopted that really are focusing also on live data acquisition; there are some really good tools out there, some software tools that you can buy. We write a lot of our own tools; you get stuff in the Linux arena, you can get DOS tools, and there are Macintosh tools as well.

You need to purchase the right tools yourself that do this type of thing, but there are tools out there now that are really focusing specifically on live acquisition. You don't do one exclusive of the other; you really want to do both. So basically it's a crime scene, so you should think of it that way: not that it's necessarily a crime, but it's an incident; it may be a crime or it may be a civil dispute or there may be other issues, but think of it as a crime scene. You don't want to leave the door open and allow people to tromp around in a crime scene damaging the data, moving things around, removing the ashtrays where the cigarette butts are, stuff like that. So you really should think of it like a crime scene, whether or not it's a crime, because you really want to preserve the data in that way.


6. It seems that one of the challenges that you would face is, say I have this system, it's on, and I leave it on because I want somebody with a forensics background to look at it, but the computer is also still connected to the network, so it's possible to have remote access to it. What's the best approach in that situation?

That's correct. And there are a lot of issues with that as well. Isolating the computers from the network may be an important thing. One of the things that you might want to do, though, depends on what it is you are looking for. For example, let's say you suspect that someone has remote access to your network and is now downloading massive dumps of stuff; you would actually want the evidence, so you might actually allow that to continue now that you have identified that that's going on. You may actually want to identify that and then have the forensics person in there collecting further evidence until you shut it down.

If you shut it down, you change passwords, you change things, and isolate these people out, then their activities are going away. Again, it depends: if they are taking valuable things that you really don't want them to have, you might want to shut that down, but you really have to decide what it is that you are trying to do. In many cases you have to weigh what is being done and the need for evidence before making a decision. On another side, you'll have people that would set up honeypots, where you are luring people in to try to get them to attack your system to see what they are actually going to do. So people would leave files out there; there is sort of like a front line of files looking interesting, and if those are attacked then you have an idea that someone has breached your firewall, they have been able to get in, but you have your other stuff protected further, so this is sort of like your front line defense.

So it's like a moat: you have some interesting stuff out here, but then you have the walls of your castle around your real stuff. So again it depends on what you are looking for. In some instances, yes, you may want to separate yourself from the network, but in other instances you may still be able to continue to conduct business while this investigation is going on. Think about it this way: I like to look at it as a cost-benefit analysis, and I come from the world of computer security, so that was the work I was doing prior to getting involved with computer forensics.

And in computer security we think about cost-benefit analysis. So let's say your data is worth a million dollars and you put up a two million dollar defense system, a computer security system, to protect this million dollars; well, that's a bit of a waste of money, isn't it? Maybe you should have spent a hundred thousand dollars. I mean, you need to think in terms of what is the cost of losing business. So if you need to be online and your whole business is related to being online, and now you have to shut things down in order to get this nefarious element out of there, change things around, and you are going to lose ten million dollars' worth of business to avoid this person who may potentially steal a hundred thousand dollars' worth of stuff; you have to look at it that way. So even any time you are going into a lawsuit type of situation, these are very costly, so you need to look at what is the benefit of this.

Suppose you have employees who are leaving. There should be human relations policies, very strict policies that are followed by the IT department, whereby as the person leaves, their password is changed and they are essentially locked out. Again, I can't begin to tell you the number of times when that doesn't happen. So the person is escorted out the door, and now they are really mad, and now they are logging in from home. And it may take a couple of weeks before it's detected that they have downloaded gigabytes of data, and it's so easy to do that nowadays. So yes, you lock out their password, but they also had twenty other passwords, for other accounts that they had access to, so you've got to be really careful about that, to make sure that is going on.

But again, the person might be mad; they may have done a few changes, made some interesting trails around, or been snooping around in their old department to see what was going on, but they may not have a deliberate intent to do anything really harmful in the end. So maybe just get an attorney to write them a cease and desist letter, that type of thing; it could cost you a couple thousand dollars as opposed to the downtime and all of the rest. Now, if it doesn't stop, then you'll have to take it further. So there are a lot of ways of thinking about it, and I like to think about it in terms of cost-benefit analysis; I have an article that I wrote about that. Security people tend to like to do as much security as possible, but you really need to think about what your goals are here, and how much this is really going to cost, so you need to weigh the situation.


7. What are some of the challenges around computer forensics with the rapidly changing mobile world?

This is becoming a really serious concern. I was attending a forensics conference in Albany earlier in October, and there were a lot of New York State Police people there saying that they are just swamped trying to figure out how to read the data out of these new devices. The cell phones are changing so rapidly, it's all proprietary information on how to get into them and get the data out, and again, if you just turn it on you have affected it, and now you are tabbing down through it; how can they say you didn't change that, or add these things in there? So, again, the ability to forensically dump the data: there are some software companies that are trying to sell these products, but they can't keep up with the quantity and the changes, and now it's everything.

I mean, your PDA is everything; it has your Internet access. I have recently purchased a GPS system and I was sort of horrified to see that it actually stores the fastest speed that I drove on that trip, and I was thinking, next time I get pulled over they are going to say "Madam, could you please give us your GPS?" and then they will see that I drove eighty-five miles an hour down that highway. So there is so much information that we are collecting on ourselves, but then the question is how to dump that out.

In the work that I do, especially in criminal defense, we are usually a couple of years behind; it takes the court a long time, and a lot of things go on before a case actually comes to trial. Law enforcement, they have to be right on the scene, and they have to get that data to prove that there even is something against this person so they can be charged; they have to have reason in order to be able to charge someone with a criminal offense. But if they can't even read this data in the cell phone, this is very complex. So we are seeing a lot of issues related to that; the police are just stymied with it. As I say, I get that material about two years later, so the software is already out there, but they have to be right on the scene; within days, weeks or months they have to have the data out, or else the charges have to be dismissed if they can't prove it.

So that is one concern, and then we also have other types of devices like RAID arrays. RAID arrays are very difficult, because on a regular hard drive the things may be in different sectors, but you can basically map out the drive; with RAID arrays stuff is all over the different drives, and it's distributed, and stuff is duplicated: where is the stuff? And then you have got encrypted drives, where if you blow the encryption then there is no way to actually recover the data, so that is a way of people protecting the drive from being read. Of course they can't get their own stuff back either, but they may not want to get stuff back; they may want to resort to that.

In the USA we have the Fifth Amendment, and it has been ruled in certain cases that you do not have to be forced, you can't be forced, to belly-up your own private key in order to allow this data to be read, so there were issues about whether you could be forced to do that if your computer was impounded. Right now the climate is that you cannot be forced to do that, but again, different countries have different laws. So RAID arrays, encrypted drives are another issue, and then we have a lot of talk about the cloud: if people are computing in the cloud, and all of what they are computing is distributed on the entire Internet, what are we going to do? How are we going to investigate the cloud?

Those were some of the issues that were raised at the OOPSLA conference when we were talking about cloud computing, because it's very popular now. If you distribute your entire illegal process to be done in little parcels, all over the computational network, this part may not be illegal and this part may not be illegal, but putting these two parts together may be illegal. So this is going to raise a lot of interesting questions for lawyers and forensics examiners in the months and years to come; it's going to be a very interesting, changing field.

Jan 27, 2010