IntaForensics - Piecing Digital Evidence Together

USB flash devices, the small sticks used to store data, are becoming increasingly prevalent. Typically smaller than a pack of chewing gum and weighing around 15g, they can be easily carried in a pocket, hidden at the back of a PC or lost on the bus.

A 16 gigabyte USB flash device can currently be purchased new for under 20 GBP. To put this capacity in perspective, a typical MS Word document of 10 pages has a file size of approximately 60 kilobytes. This means you could potentially store up to 280,000 documents, or three million pages, on a single drive.

It is the affordability, portability and capacity of these devices that allows them to pose two major risks in the corporate workspace: intellectual property theft and client data loss. For malicious users, USB flash devices can even be loaded with software that seeks out and downloads information from a PC automatically, while even good intentioned users can expose their company to risk by simply losing a device loaded with sensitive data.

And once it is in the wrong hands, this data can be sold to the competition, leaked to the public, or even used to facilitate identity theft. In fact, the European Network and Information Security Agency recently estimated that organisations typically lose between 50,000 GBP and 1.3 million GBP for every security breach via a USB flash device.

One way to tackle this problem is to introduce an acceptable use policy. Such policies typically involve banning the use of all personal USB flash devices in the workplace. Employees who legitimately require them can then be provided with company-owned devices, with the serial number recorded against the employee’s name. Rules can then be imposed with regard to the type of data that is permitted to be stored on the device, the movement of the device outside the workplace, and the user’s responsibilities with regard to protecting the device against loss or theft.

Where Intellectual Property theft using a USB flash device is suspected, computer forensic analysis can reveal traces, known as ‘artefacts’, left by the device on the computer’s registry. These can include a record of the unique serial number of the device, as well as when it was connected, thus making it possible to link an unauthorised action with an individual device. Further, if the USB device itself is available for analysis, computer forensic analysis can also extract the drive’s history, which could reveal evidence of data downloads even if the user has attempted to ‘wipe’ the memory. In addition, there is also a range of software available that can be used to control and monitor the transfer of information to and from every device on a network, making it easier for organisations to detect and prevent unauthorised use.

If you still think that your workplace doesn’t need to control the use of USB flash devices, just think: How many confidential records could you fit on to a 16GB device? And how much would it cost your company in reputation, sales and clients if that information fell into the wrong hands?

Many of us now use wireless networking as part of our daily routine when it comes to using the Internet; so much so that we tend to use it also when we are away from our homes and offices. This process, known as using a Wi-Fi Hotspot, is something that hundreds of thousands of us use every day in our major cities up and down the country.

There are even Internet-based sites which list the precise locations of these Hot Spots throughout the country so that traveling business staff, students, journalists and generally people on the move can take advantage of them.

However the problem stems from the fact that it is not just the aforementioned groups that use Wi-Fi; computer criminals also use these Hot Spots in order to gain access to the laptops and PDAs of unsuspecting users.

Generally if you are using a Wi-Fi Hot Spot outside the confines of your office or home you will have to disable your wireless encryption so that your equipment can freely pick up the signal being bounced around within said Wi-Fi Hot spot. When this happens access to the equipment is no longer secure and anyone with a degree of knowledge, and the right equipment, can gain access to your laptop or PDA and thus your personal information within a short space of time.

Computer criminals have perfected this technique in recent times as the use of Wi-Fi Hot Spots has become more common. They have also managed to siphon hundreds of thousands of pounds, if not millions, from the bank accounts of unsuspecting users by patching into email accounts, personal accounting software, and other means of storing personal information on laptop hard drives.

In much the same way Computer Forensics experts have also produced sophisticated programs and techniques which allow them to track wireless Internet activity as well as wireless mobile traffic.

They also can act as expert witnesses if such activity is detected and investigated and results in criminal proceedings being brought.

An individual can also use your laptop as a means of gaining access to the Internet, essentially using the laptop as a portal, and thus giving them access to a variety of sites which may be illegal or used for purposes not entirely proper whilst leaving no visible trace other than on the host laptops logging system.

Using a Wi-Fi Network is obviously a useful proposition if you are away from the office or home office but it does have drawbacks, the two most obvious being (a) the fact your laptop or PDA will become vulnerable to outside attack during the use of such a Hot Spot and (b) your information is potentially visible via the airwaves to a myriad of individuals whose desire to get their hands on your information could lead to a loss of money and the unauthorised use of your identity in the pursuit of criminal activities.

When you are away from home or the office it is wise to use only those Hot Spots where an encryption key is provided by the Hot Spots provider and also to ensure that when using your laptop away from the confines of the home or office that the amount of personal data stored therein is kept down to a minimum thus making the computer criminal’s job all that more difficult.

The recent story about Michael Fiola, a former employee of the Commonwealth of Massachusetts who was sacked for having child porn on his laptop, indicates the sheer importance of computer forensics.

State investigators found child pornography on Fiola’s computer despite him denying that he’d ever accessed such sites ever before. This led to his community shunning him, and his wife developing a stress related illness.

In order to clear his name Fiola hired a computer forensics expert, which proved to be the turning point in the case.

The computer forensic expert found that the pornography found on Fiola’s computer was due to various viruses and Trojans that had infected his computer, which allowed hackers to view the content for which Fiola was accused of accessing.

After the report was completed all charges against Mr Fiola were dropped. “The overall forensics of the laptop suggest that it had been compromised by a virus,” said Jake Wark, spokesman for Suffolk District Attorney Daniel Conley.

So, if you are accused of a computer related crime then remember that a computer forensics expert really can help clear your name just as Michael Fiola has discovered.