[ISN] Cybersleuths on the Trail

From: mea culpa (jerichot_private)
Date: Sat Oct 31 1998 - 01:44:03 PST


    Forwarded From: phreak moi <hackerelitet_private>
    Cybersleuths on the trail
    Computer detectives glean evidence from backup tapes
    A spot-check of employee electronic mail revealed this alarming message:
    "I'll lose my job if they find out what I sent you." 
    Had company secrets been transmitted over the Internet? To find out,
    anxious officials at the West Coast company called
    Computer Forensics, Inc., a Seattle firm that combs through hardware and
    software for evidence that some people expect to be hidden or erased. 
    Enter Joan Feldman, the 44-year-old president of the cybersleuth firm,
    rolling her hard-sided Samsonite suitcase. 
    It's packed with portable hard drives and proprietary software tools that
    help her pry open computer files and backup tapes. 
    As it turns out, the E-mailer hadn't revealed corporate goodies. But he
    had sent pornography, allegedly to a minor in a chat room. 
    "The good news was the guy wasn't a thief. The bad news was he was a
    potential pedophile," Feldman said. 
    Feldman and her team of former Secret Service agents, retired military
    investigators and hard-core geeks root around a company's information
    systems and look for evidence. The field is called computer forensics. 
    Sometimes a company hires forensics experts, but more often they are hired
    by opposing attorneys seeking the "smoking gun" that could lead to a
    courtroom victory. 
    For example, Vermont Microsystems, Inc. won $25.5 million in a 1994 trade
    secrets theft case after the discovery that file directories at Autodesk,
    Inc. had the same names as the original directories at Vermont
    Electronic evidence also played a role when Chevron Corp. paid four
    plaintiffs $2.2 million in 1995 to settle a sexual harassment case that
    involved allegedly offensive E-mail.
    Similar lawsuits involving allegations of sexist or racist computer
    messages are pending against Citibank, Morgan Stanley & Co. and R. R. 
    Donnelley & Sons Co. 
    For IS managers, the arrival of a forensics team is like their worst
    nightmare come true. In a formal and tense interrogation called a
    deposition, IS managers have to explain how they do their job and why some
    computer records are retained and others aren't. 
    "From a corporate point of view, what could be more terrifying than
    thinking someone else will come in and feel through your underwear
    drawer?" asked Greg Stern, a lawyer at an East Coast insurance company,
    who has seen the process. 
    So IS managers would do well to understand how old backup tapes, server
    logs and other unsightly computer residue can cost their companies
    millions of dollars in court, experts said. 
    Electronic files contain much more information than paper, and the most
    telling details are the ones you can't see on screen. 
    "What's most useful to us are the hidden copies of a document people don't
    know exist. But you can find them in hard drives and backup tapes,"
    Feldman said. They can reside in printer and fax buffers, too. 
    [Photo caption: Electronic Evidence's John Jessen and a team of 25 find
    legal evidence buried in backup tapes]
    Producing court-approved electronic evidence isn't cheap; it sometimes
    runs into six or seven figures. The question is, who should pay for it? 
    Some judges have said computer files are no different from paper files, so
    defendants must, at their own expense, collect and produce electronic
    information requested by plaintiffs during the evidence discovery process. 
    But other courts have ordered plaintiffs, who usually make the request
    for evidence, to pay for the job. 
    Either way, computer evidence is expensive to identify, locate, copy and
    produce. In corporate cases, costs can run from $30,000 to $100,000 or
    more, depending on the scope of the inquiry. Million-dollar price tags
    aren't unheard of. 
    For example, sifting through 12 months' worth of E-mail created by 50
    people would cost $60,000 to $75,000, said Joan Feldman, president of
    cybersleuth firm Computer Forensics. 
    "You can really burn through money," she said. 
    No kidding. Feldman's company and rival Electronic Evidence Discovery both
    bill like lawyers: time and materials per hour. Rates depend on the
    investigator's expertise, but project leaders typically charge $85 to $175
    per hour, and the top people charge even more. 
    "It takes a fairly big case to justify retaining a computer forensics
    specialist," said Barry Johnsrud, a lawyer at Eisenhower & Carlson PLLC in
    Tacoma, Wash. The law firm has hired Feldman for two commercial litigation
    cases in the past two years. 
    Johnsrud said with a laugh that Feldman herself charges nearly twice his
    $125 hourly rate.
    By Kim S. Nash
    Feldman got into computer forensics in 1991 by going to work at a
    start-up called Electronic Evidence Discovery, Inc. Nine months later,
    she quit to start a competing company. 
    She and former boss John Jessen are still bitter rivals. But the two are
    the best-known commercial detectives who work the computer turf. And they
    are in demand. Experts said discovery requests for computer files have
    jumped from 2% of all discovery requests to 30% in the past five years. 
    Still, many lawyers don't understand how to use computer files.  Feldman
    told the story of a U.S. Department of Justice case three years ago in
    which the department demanded electronic evidence from the defendant. That
    was smart. But agency lawyers asked that it all be converted to
    WordPerfect files. 
    That was dumb. 
    Converting from a native format wipes out information that is invisible to
    users but crucial to computer sleuths. That includes genealogy tidbits in
    a header that indicate when a file was created and updated and, in some
    cases, by whom. (The Justice Department has since reformed its practices.) 
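The point about native formats can be made concrete. The block below is an added example, not code from the article or from either firm it describes; it uses a constructed, hypothetical document format (`%%HDOC`) whose header carries the kind of creation, modification and authorship fields the article calls genealogy, and shows that a "convert it all to text" step keeps the visible body while dropping every one of those fields. The collection routine records a hash of the original bytes alongside the parsed header, which is what an examiner wants preserved before anyone converts anything.

```python
"""Added example (not from the article): why evidence should be collected in
its native format. The %%HDOC format, field names and sample values below
are constructed for illustration."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Optional, Tuple

# Constructed sample document. The header lines are the invisible-to-the-user
# fields that a format conversion throws away.
NATIVE_DOC = (
    b"%%HDOC 1.0\n"
    b"created: 1998-03-02T09:14:00\n"
    b"modified: 1998-03-05T17:41:00\n"
    b"author: jdoe\n"
    b"last-saved-by: asmith\n"
    b"%%BODY\n"
    b"Quarterly pricing memo. Do not distribute.\n"
)


@dataclass
class Genealogy:
    created: Optional[str]
    modified: Optional[str]
    author: Optional[str]
    last_saved_by: Optional[str]


def parse_native(doc: bytes) -> Tuple[Genealogy, str]:
    """Split a hypothetical HDOC document into (header fields, body text)."""
    header, sep, body = doc.partition(b"%%BODY\n")
    if not sep or not header.startswith(b"%%HDOC"):
        raise ValueError("not an HDOC document")
    fields = {}
    for line in header.decode().splitlines()[1:]:   # skip the magic line
        key, _, value = line.partition(":")
        fields[key.strip().replace("-", "_")] = value.strip()
    gen = Genealogy(
        created=fields.get("created"),
        modified=fields.get("modified"),
        author=fields.get("author"),
        last_saved_by=fields.get("last_saved_by"),
    )
    return gen, body.decode()


def convert_to_text(doc: bytes) -> bytes:
    """What a 'convert everything to another format' request amounts to:
    only the visible body survives."""
    _, body = parse_native(doc)
    return body.encode()


def evidence_record(doc: bytes) -> dict:
    """What a collection step should capture BEFORE any conversion: a hash
    of the original bytes plus the header fields parsed from them."""
    gen, body = parse_native(doc)
    return {
        "sha256": hashlib.sha256(doc).hexdigest(),
        "size": len(doc),
        "genealogy": asdict(gen),
        "body_preview": body[:40],
    }


def metadata_lost_by_conversion(doc: bytes) -> list:
    """Names of header fields whose values no longer appear anywhere in the
    converted output."""
    gen, _ = parse_native(doc)
    converted = convert_to_text(doc)
    return [
        name for name, value in asdict(gen).items()
        if value is not None and value.encode() not in converted
    ]


if __name__ == "__main__":
    print(json.dumps(evidence_record(NATIVE_DOC), indent=2))
    print("fields lost by conversion:", metadata_lost_by_conversion(NATIVE_DOC))
```

Run stand-alone it prints the collection record for the sample and then the list of the four header fields that the text conversion discards; the hash in the record is what lets a later party show the original bytes were not altered after collection.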
    In fact, different operating systems and software packages have quirks
    that electronic detectives can exploit. 
    Windows, for example, makes a handful of unnecessary copies of a document
    that it stashes in several subdirectories. So it is easier to recover
    supposedly deleted files on Windows than on Unix, Feldman explained. 
    But Unix machines generally keep more data about what has transpired on
    the system. That is useful for following the tracks of wrongdoers. 
    E-mail discovery is more tricky. Most mail systems can't be searched by
    keywords, which lawyers would love to do, because messages are saved
    inside the E-mail package and are usually compressed. So recovering E-mail
    is a lengthy process (see chart). 
    "A lot of people think this is a flashy business. You go in, get the
    offending E-mail and win your client millions of dollars. But that's a
    minority of the time," Feldman said. "It's a lot more drudgery than they
    The workload can be huge. A case filed in 1995 against a unit of the U.S.
    Department of Agriculture, for example, has so far generated 53G bytes of
    data from 27 mainframes and several minicomputers and PCs in four states
    and the District of Columbia. That includes a year's worth of E-mail, and
    doesn't include the 6,000 backup tapes Computer Forensics has yet to
    Sometimes Feldman is called in when a company is only contemplating a
    lawsuit. That's what happened when a departing scientist left his PC
    behind and his former boss was worried about trade-secret theft. 
    Leftover E-mail and files turned up nothing juicy. But then Feldman looked
    in an area of the Windows 3.11 operating system few users know about. 
    There, she found pieces of a PowerPoint presentation obviously created for
    the ex-employee's new firm. And the information was very similar to the
    old firm's proprietary data.
    Feldman asked that Computerworld not reveal the secret Windows locale.
    "It's one of my best tricks," she said, winking a blue eye. 
    But here is some free advice from the woman who otherwise charges $235 per
    hour: Destroy old computer files, including E-mail and voice mail, on a
    regular schedule. 
    "Many, many companies will have a records management policy for paper but
    none for electronic information. That's stupid," Feldman said. 
    But, and this is a big one, don't suddenly start purging files after
    your company gets hit with a lawsuit. 
    Judges throw the book at defendants who erase evidence after a legal
    problem surfaces, she said. "You think you're helping, but destroying
    evidence means you lose everything." 
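The two halves of that advice, a routine purge schedule and a hard stop once a matter is pending, fit in one small planner. The block below is an added example and not code from the article or from the firms it describes; the retention periods, record kinds, paths and the legal-hold flag are assumptions chosen for illustration. It decides what a scheduled run would do to each record, and a legal hold overrides the schedule for every record rather than for a subset, so the purge cannot quietly continue after a lawsuit arrives.

```python
"""Added example (not from the article): a scheduled purge of old records that
refuses to run while a legal hold is in effect. Schedule, kinds and sample
inventory are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass
class Record:
    path: str
    kind: str               # "email", "voicemail" or "file"
    last_modified: datetime


@dataclass
class Decision:
    path: str
    action: str             # "purge" or "keep"
    reason: str


# Hypothetical retention schedule: maximum age per record kind, in days.
RETENTION_DAYS = {"email": 365, "voicemail": 90, "file": 730}


def plan_purge(records: List[Record], now: datetime, legal_hold: bool) -> List[Decision]:
    """Decide, record by record, what a scheduled run would do.

    The hold check comes first and applies to every record: once a legal
    problem has surfaced, the routine purge stops entirely. Records of a
    kind with no schedule are kept, never purged by default."""
    decisions = []
    for r in records:
        if legal_hold:
            decisions.append(Decision(r.path, "keep", "legal hold in effect"))
            continue
        limit = RETENTION_DAYS.get(r.kind)
        if limit is None:
            decisions.append(Decision(r.path, "keep", f"no schedule for kind {r.kind!r}"))
            continue
        if now - r.last_modified > timedelta(days=limit):
            decisions.append(Decision(r.path, "purge", f"older than {limit} days"))
        else:
            decisions.append(Decision(r.path, "keep", "within retention period"))
    return decisions


def paths_to_purge(records: List[Record], now: datetime, legal_hold: bool) -> List[str]:
    """Just the paths a run would delete; an audit log should keep the full decisions."""
    return [d.path for d in plan_purge(records, now, legal_hold) if d.action == "purge"]


# Constructed sample inventory, dated around the article's publication.
NOW = datetime(1998, 10, 31)
SAMPLE = [
    Record("mail/1997-06/msg001", "email", datetime(1997, 6, 1)),      # 17 months old
    Record("mail/1998-09/msg442", "email", datetime(1998, 9, 15)),     # recent
    Record("vm/ext204/0012.wav", "voicemail", datetime(1998, 5, 1)),   # 6 months old
    Record("shares/eng/spec.doc", "file", datetime(1996, 1, 10)),      # nearly 3 years
    Record("shares/eng/notes.txt", "file", datetime(1998, 1, 10)),     # under 2 years
    Record("shares/eng/unknown.bin", "tape", datetime(1990, 1, 1)),    # no schedule
]

if __name__ == "__main__":
    for hold in (False, True):
        print(f"legal_hold={hold}: purge {paths_to_purge(SAMPLE, NOW, hold)}")
        for d in plan_purge(SAMPLE, NOW, hold):
            print(f"  {d.action:5} {d.path:28} {d.reason}")
```

Keeping the full decision list, not only the deleted paths, is what later lets the company show a court that records were destroyed on a schedule set before the dispute rather than in response to it.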
    Subscribe: mail majordomot_private with "subscribe isn".
    Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
