Forwarded From: phreak moi <hackerelitet_private>

http://www.idg.net/idg_frames/english/content.cgi?allowFeedback=false&referer=&outside_source=cnn&url=http%3a%2f%2fwww%2ecomputerworld%2ecom%2fhome%2fonline9697%2ensf%2fall%2f970609sleuths&doc_id=23244

Cybersleuths on the trail
Computer detectives glean evidence from backup tapes

A spot-check of employee electronic mail revealed this alarming message: "I'll lose my job if they find out what I sent you."

Had company secrets been transmitted over the Internet? To find out, anxious officials at the West Coast company called Computer Forensics, Inc., a Seattle firm that combs through hardware and software for evidence that some people expect to be hidden or erased.

Enter Joan Feldman, the 44-year-old president of the cybersleuth firm, rolling her hard-sided Samsonite suitcase. It's packed with portable hard drives and proprietary software tools that help her pry open computer files and backup tapes.

As it turns out, the E-mailer hadn't revealed corporate goodies. But he had sent pornography, allegedly to a minor in a chat room. "The good news was the guy wasn't a thief. The bad news was he was a potential pedophile," Feldman said.

Feldman and her team of former Secret Service agents, retired military investigators and hard-core geeks root around a company's information systems and look for evidence. The field is called computer forensics.

Sometimes a company hires forensics experts, but more often they are hired by opposing attorneys seeking the "smoking gun" that could lead to a courtroom victory. For example, Vermont Microsystems, Inc. won $25.5 million in a 1994 trade secrets theft case after the discovery that file directories at Autodesk, Inc. had the same names as the original directories at Vermont Microsystems. Electronic evidence also played a role when Chevron Corp. paid four plaintiffs $2.2 million in 1995 to settle a sexual harassment case that involved allegedly offensive E-mail.
Similar lawsuits involving allegations of sexist or racist computer messages are pending against Citibank, Morgan Stanley & Co. and R. R. Donnelley & Sons Co.

For IS managers, the arrival of a forensics team is like their worst nightmare come true. In a formal and tense interrogation called a deposition, IS managers have to explain how they do their job and why some computer records are retained and others aren't.

"From a corporate point of view, what could be more terrifying than thinking someone else will come in and feel through your underwear drawer?" asked Greg Stern, a lawyer at an East Coast insurance company, who has seen the process.

So IS managers would do well to understand how old backup tapes, server logs and other unsightly computer residue can cost their companies millions of dollars in court, experts said.

Electronic files contain much more information than paper — and the most telling details are the ones you can't see on screen. "What's most useful to us are the hidden copies of a document people don't know exist. But you can find them in hard drives and backup tapes," Feldman said. They can reside in printer and fax buffers, too.

[Photo caption: Electronic Evidence's John Jessen and a team of 25 find legal evidence buried in backup tapes]

RUNNING UP BIG BILLS

Producing court-approved electronic evidence isn't cheap; it sometimes runs into six or seven figures. The question is, who should pay for it?

Some judges have said computer files are no different from paper files, so defendants must, at their own expense, collect and produce electronic information requested by plaintiffs during the evidence discovery process. But other courts have ordered plaintiffs — who usually make the request for evidence — to pay for the job.

Either way, computer evidence is expensive to identify, locate, copy and produce. In corporate cases, costs can run from $30,000 to $100,000 or more, depending on the scope of the inquiry. Million-dollar price tags aren't unheard of.
For example, sifting through 12 months' worth of E-mail created by 50 people would cost $60,000 to $75,000, said Joan Feldman, president of cybersleuth firm Computer Forensics. "You can really burn through money," she said.

No kidding. Feldman's company and rival Electronic Evidence Discovery both bill like lawyers — time and materials per hour. Rates depend on the investigator's expertise, but project leaders typically charge $85 to $175 per hour, and the top people charge even more.

"It takes a fairly big case to justify retaining a computer forensics specialist," said Barry Johnsrud, a lawyer at Eisenhower & Carlson PLLC in Tacoma, Wash. The law firm has hired Feldman for two commercial litigation cases in the past two years. Johnsrud said with a laugh that Feldman herself charges nearly twice his $125 hourly rate.

— Kim S. Nash

Feldman got into computer forensics in 1991 by going to work at a start-up called Electronic Evidence Discovery, Inc. Nine months later, she quit to start a competing company. She and former boss John Jessen are still bitter rivals. But the two are the best-known commercial detectives who work the computer turf.

And they are in demand. Experts said discovery requests for computer files have jumped from 2% of all discovery requests to 30% in the past five years.

GOOD IDEA, BAD EXECUTION

Still, many lawyers don't understand how to use computer files. Feldman told the story of a U.S. Department of Justice case three years ago in which the department demanded electronic evidence from the defendant. That was smart. But agency lawyers asked that it all be converted to WordPerfect files. That was dumb. Converting from a native format wipes out information that is invisible to users but crucial to computer sleuths. That includes genealogy tidbits in a header that indicate when a file was created and updated and, in some cases, by whom. (The Justice Department has since reformed its practices.)
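The point about native formats is easy to demonstrate on a modern document package. The following Python script is an added example, not code from the article or from either forensics firm; it uses the OOXML (.docx) package layout, which is a ZIP archive carrying a docProps/core.xml part with the creator and created/modified timestamps, rather than the WordPerfect-era files the article discusses. The author names, timestamps and document text are constructed sample values. The script builds a native package in memory, reads the metadata from it, then performs the lossy "conversion" (keeping only the on-screen text) and shows that every metadata field is gone.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used by the OOXML core-properties part (from the ECMA-376 package spec).
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
}
WNS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"

# Constructed sample values: hypothetical author, last editor and timestamps.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}"
    xmlns:dcterms="{NS['dcterms']}" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>a.smith</cp:lastModifiedBy>
  <dcterms:created xsi:type="dcterms:W3CDTF">1996-11-03T09:14:00Z</dcterms:created>
  <dcterms:modified xsi:type="dcterms:W3CDTF">1997-02-19T17:42:00Z</dcterms:modified>
</cp:coreProperties>
"""
DOCUMENT_TEXT = "Quarterly figures attached. Do not forward."  # constructed body text
DOCUMENT_XML = (
    f'<w:document xmlns:w="{WNS}"><w:body><w:p><w:r>'
    f"<w:t>{DOCUMENT_TEXT}</w:t></w:r></w:p></w:body></w:document>"
)


def build_native_package() -> bytes:
    """Build the 'native' document: a ZIP package carrying both text and core properties."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("word/document.xml", DOCUMENT_XML)
    return buf.getvalue()


def extract_core_properties(blob: bytes) -> dict:
    """Return author/timestamp metadata from a native package; {} if the blob carries none."""
    stream = io.BytesIO(blob)
    if not zipfile.is_zipfile(stream):
        return {}  # plain text, PDF-to-text output, etc.: no package, no core properties
    with zipfile.ZipFile(stream) as z:
        if "docProps/core.xml" not in z.namelist():
            return {}
        root = ET.fromstring(z.read("docProps/core.xml"))
    wanted = {
        "creator": "dc:creator",
        "last_modified_by": "cp:lastModifiedBy",
        "created": "dcterms:created",
        "modified": "dcterms:modified",
    }
    return {key: (root.findtext(path, namespaces=NS) or "") for key, path in wanted.items()}


def convert_to_plain_text(blob: bytes) -> bytes:
    """The lossy step the article warns about: keep only what a reader sees on screen."""
    with zipfile.ZipFile(io.BytesIO(blob)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "".join(t.text or "" for t in root.iter(f"{{{WNS}}}t")).encode("utf-8")


def what_conversion_loses() -> dict:
    """Metadata fields present in the native package but absent after conversion."""
    native = build_native_package()
    before = extract_core_properties(native)
    after = extract_core_properties(convert_to_plain_text(native))
    return {k: v for k, v in before.items() if k not in after}


if __name__ == "__main__":
    for field, value in what_conversion_loses().items():
        print(f"lost on conversion: {field} = {value}")
```

The defensive lesson for anyone producing or requesting evidence is to ask for, and preserve, the native files (ideally with hashes recorded at acquisition) and to treat any converted copy as a convenience rendering rather than the evidence itself.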
In fact, different operating systems and software packages have quirks that electronic detectives can exploit. Windows, for example, makes a handful of unnecessary copies of a document that it stashes in several subdirectories. So it is easier to recover supposedly deleted files on Windows than on Unix, Feldman explained. But Unix machines generally keep more data about what has transpired on the system. That is useful for following the tracks of wrongdoers.

E-mail discovery is more tricky. Most mail systems can't be searched by keywords — which lawyers would love to do — because messages are saved inside the E-mail package and are usually compressed. So recovering E-mail is a lengthy process (see chart).

"A lot of people think this is a flashy business. You go in, get the offending E-mail and win your client millions of dollars. But that's a minority of the time," Feldman said. "It's a lot more drudgery than they think."

The workload can be huge. A case filed in 1995 against a unit of the U.S. Department of Agriculture, for example, has so far generated 53G bytes of data from 27 mainframes and several minicomputers and PCs in four states and the District of Columbia. That includes a year's worth of E-mail — and doesn't include the 6,000 backup tapes Computer Forensics has yet to scour.

STOLEN SECRETS?

Sometimes Feldman is called in when a company is only contemplating a lawsuit. That's what happened when a departing scientist left his PC behind and his former boss was worried about trade-secret theft. Leftover E-mail and files turned up nothing juicy.

But then Feldman looked in an area of the Windows 3.11 operating system few users know about. There, she found pieces of a PowerPoint presentation obviously created for the ex-employee's new firm. And the information was very similar to the old firm's proprietary data.

Feldman asked that Computerworld not reveal the secret Windows locale. "It's one of my best tricks," she said, winking a blue eye.
But here is some free advice from the woman who otherwise charges $235 per hour: Destroy old computer files, including E-mail and voice mail, on a regular schedule.

"Many, many companies will have a records management policy for paper but none for electronic information. That's stupid," Feldman said.

But — and this is a big one — don't suddenly start purging files after your company gets hit with a lawsuit. Judges throw the book at defendants who erase evidence after a legal problem surfaces, she said. "You think you're helping, but destroying evidence means you lose everything."

-o-
Subscribe: mail majordomot_private with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:09:40 PDT