When computer forensics is an essential component of an internal investigation, lack of familiarity with the legal and technical issues involved can prompt management to assign that component to its management information security staff.
For a variety of reasons, outlined here, this assignment should be avoided.
When allegations of misconduct or suspicions of hacker activity give rise to an internal corporate investigation, analysis of computer evidence will almost always be necessary. The evidence must be seized and duplicated in a manner that will protect its credibility and legal admissibility. Analysis of that evidence must be speedy and reliable. Finally, the results of that analysis must be reported to the corporate security leaders, their counsel and senior management, without risk of disclosure to unauthorized personnel. Throughout, only a minimum of intrusion upon business activities should be permitted.
Corporate managers may not be aware of the important and different skills that distinguish their MIS personnel from computer forensics experts. The legal issues that must inform any investigation may not receive management's early attention. Instead, it is natural and common for business leaders - who are always mindful of costs - to assign what seems to be just another computer problem to their own computer people. Unfortunately, this confusion can delay a successful investigation, disrupt business operations, and run the risk of losing evidence or rendering it legally inadmissible. Experience has shown that any one, or more, of the issues below can impede or prevent effective investigations when internal MIS staff are asked to wear the investigator's hat.
1. Loyalty Conflicts
MIS personnel may have relationships that can conflict with an unbiased review of the facts. If MIS staffers are loyal to their employer, they will be biased in favor of proving wrongdoing, whether any actually exists or not. Conversely, they may let personal resentment bias them away from discovering facts proving an injury to the company. If the investigation implicates a personnel acquaintance, a tendency to protect that person may make a friend hide, or alter, the record. An investigation may also raise questions about whether or not the MIS staff has done an adequate job in preventing the misconduct under investigation. This may motivate an MIS staffer to 'edit' discoveries before reporting them. Obviously, outside analysts are largely unaffected by these competing influences.
Merely suggesting that loyalty-based biases might have influenced an MIS staffer's work can raise questions of credibility. At trial, this argument might be used to question otherwise excellent evidence. Even a perfect job of preservation and analysis might be subjected to attack if the credibility of MIS staff can be put into question. While such tactics may seem unfair, they are reasonable and allowable in most legal proceedings. The fact that a witness is employed by one of the parties to a litigation will probably be offered as a reason why that witness is not credible. Although outside consultants are, temporarily, employed by their corporate clients, their credibility as 'neutral' witnesses is usually much higher than employees, because their career interests are not as deeply invested in any one case as those of full-time staff.
Internal staff may look for evidence supporting the desires of their employers, possibly to the extent of seeing it when it isn't there. This natural desire to please their supervisors may work its own influence, even when no loyalty conflicts come into play. As a result, evidence that doesn't tend to indicate guilt may be interpreted improperly, in an effort to appear to be successful. Outside contractors, however, will know that proof that misconduct has not taken place is just as valuable as proof that it has. Managers can save their businesses from needless expense when they learn, early, that their suspicions are incorrect.
This point is mostly self-explanatory. What may need extra attention, however, is the fact that computer forensics has matured to the point where it is appropriate to employ consultants with several years of experience in this discipline. The basics of computer technology will, of course, be within the skills of MIS staff members. The patterns of behavior, methods, hiding places and other 'tricks' of computer thieves take time to learn. Computer forensics is now old enough that experienced personnel have had that time. Further, interpreting computer-based evidence is no longer always as simple as reading a piece of email or 'undeleting' a file. Cross-referencing multiple sources of data, such as log files, fragmented sectors, online records, account histories, file access times, and more, can be essential to proving a case. Such techniques also take time to learn. A well-chosen consultant will have already learned them, while most MIS personnel have been learning something else.
Perhaps the 'evil twin' of the experience issue is that of novelty. An MIS staffer who is asked to participate in an investigation may see this as their first chance ever to 'play detective.' This can lead to wasted time and effort, as irrelevant distractions mislead or confuse the person assigned to the task. For example, a staffer asked to search for email between a subject and a recruiter may be excited to find indications of pornographic materials downloaded to the subject's computer. When encountered for the first time, this type of distraction can delay the real purpose of an investigation from being pursued. Similarly, the novel quality of the work involved in assisting with an investigation may encourage an inexperienced person to prolong the project, simply for the sake of personal interest. Computer forensics professionals are more likely to stay focused and not be slowed or misdirected by a new experience.
6. Legal Knowledge
Evidence collection requires adherence to certain rules. The ability to inspect evidence and differentiate what might be admissible from what is merely informative or speculative must be among the basic skills of a forensics investigator. Where privacy considerations come into play, knowledge of the law can make the difference between a successful investigation and one that creates problems for the corporation. MIS staffers are not hired for their knowledge of the law. Even though the corporate general counsel's office can provide guidance, respect for legal procedure isn't always a highly visible feature in the world of computer technicians. While respect for privacy and ethics are a hallmark of this profession, computer professionals often dismiss the seemingly arcane rules of evidence and related legal issues.
Specialized products, often costing thousands of dollars and requiring study and training to use, are now the standard of the computer forensics industry. While a clever MIS staff member will be able to do limited term-searching and recover some data with the programs they use for other purposes, an investigation that meets contemporary standards will require state-of-the-art hardware and software that is not found in corporate MIS departments. Some computer forensics contractors will have several of these assets, as well as proprietary resources they have created and developed themselves. An outside consultant can choose the best tools for the job, often finding evidence that is completely unavailable any other way.
8. Site insecurity
Computer forensics work can require the movement and disassembly of computers, printing of large quantities of email or individual files, review of backup tapes and disks, and a variety of other plainly visible activities. When such work is done in the corporate MIS center, it is impossible to maintain secrecy. The subject of the investigation will likely learn, perhaps via an acquaintance, about the investigation. Tampering may be possible, perhaps by the subject, an acquaintance, a victim, a hacker, or by accident. Such possibilities can lead to insurmountable legal problems when seeking to admit evidence at a trial. Even something as trivial as being able to testify that a diskette was not kept in an office entered by a night-time cleaning crew can exclude critical evidence. Accordingly, the proper place for computer forensics work is off-site.
9. System Load
Computer forensics work can take hours of intensive computation. An MIS department may be able to redirect sufficient computer resources to accomplish some computer forensics efforts, but any such redirection will be away from the real mission the corporate systems are there to perform. Conversely, if the MIS staff's efforts to assist with an investigation must be limited, a longer delay will result before their analysis will be complete. Corporate management will not want business activities interrupted by an investigation any more than is absolutely necessary. Again, the solution is to rely on temporary outside help that can use its own assets and systems.
10. Personnel Expense
Finally, it is important to remember that MIS staffers are skilled professionals performing critical services for their employers. Any time they are removed from those activities to assist in an investigation incurs the double cost of their regular overhead and the lost value of the work they should be doing instead. All outside computer help tends to be expensive, but the cost is offset by the continued services of MIS personnel who would otherwise be devoted to non-business activities.
Stevens R. Miller ([email protected]) has been a computer forensics specialist since 1997. He is also an attorney.