The televised report of a bank computer fraud case had a familiar theme: Law enforcement agents were shown removing computing equipment--specifically, a suspect's PC--as part of what television reporters said would be a computer forensics investigation. A law enforcement spokesperson interviewed by the television reporter stated that the suspect's computer hard drive would be inspected to determine how the fraud was committed.
But there was one key drawback with this investigative process: The "forensics" investigation focused on the suspect's PC hard drive alone. Critical evidence--consisting of host-computer audit-trail logs, computer utilization and user access reports, and other documentation that could have helped investigators reconstruct the fraudulent transaction by revealing the suspect's overall system activity--was never obtained.
For this reason, though the suspect was convicted of the theft of bank funds, the case was not prosecuted under computer-crime statutes. The fraudulent transaction had not been traced back to the suspect, and the prosecutor determined that without any meaningful reconstruction of the transaction events, any prosecution effort would be unsuccessful.
While the scenario just described is not typical of computer-crime investigations, it is clear that a growing number of investigators have developed the mistaken notion that computer forensics has only to do with targeting computer media--specifically, the PC hard drive--and recovering digital evidence. Although there is no question that useful investigative information can be gathered from PC hard drives, servers, laptop drives, and other media, it is critical for investigators to understand the distinction between examining such local media and conducting a full-scale computer-incident forensics investigation.
A full-scale computer-incident forensics investigation is a complete, thorough probe to determine the nature, scope, and duration of the fraudulent transaction in question. This requires the investigator to retrieve user-access log-on reports, time- and date-stamp reports, and other system logging reports that establish what events occurred, whose user identification was associated with each event, and which application systems were involved, creating a complete reconstruction of the incident in question.
Though no two cases are exactly the same, the emphasis of a computer-fraud investigation must be on generating the evidence to prove who conducted the transaction event. This approach generally requires attention to understanding the system structure and gathering the evidence, but of equal importance is how the evidence is presented to a jury if the goal is to obtain a conviction.
System structure. Before looking at the logs, the investigator must gain a basic understanding of the subject organization's IT architecture, its enterprise network infrastructure, and the general components of the computing environment, including the information security controls in place. Questions to ask include: How are users authenticated to the host computing system where the fraud or other crime occurred? What safeguards are in place to offer a high degree of assurance that each user is the individual connecting to the system? How are access events tracked and records stored for later reference? What is the transaction verification process? How are system changes controlled and logged?
Gathering evidence. Once the investigator knows the basics of the computing environment in question, he or she can begin the investigation. The investigator's goal, of course, is to uncover evidence that can be used to convince a jury that only the suspect could have used the combination of passwords, user IDs, and other log-on features in committing the fraudulent transaction. The first step toward that end is for the investigation to be forensically sound, which means that the investigative steps must be documented and repeatable. …
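The reconstruction the article calls for (tying a transaction event to the user ID and session under which it ran) and the "documented and repeatable" requirement, as an added example that is not from the article: the log formats, user IDs, terminals and amounts below are constructed, and stand in for a host log-on report and an application transaction log.

```python
import hashlib
from datetime import datetime

# Constructed sample logs (hypothetical format): a user-access log-on
# report and an application transaction log from the host system.
LOGON_REPORT = """\
2023-03-14T09:02:11 event=LOGON user=jdoe terminal=T17
2023-03-14T09:41:53 event=LOGON user=asmith terminal=T03
2023-03-14T11:58:02 event=LOGOFF user=jdoe terminal=T17
2023-03-14T12:05:40 event=LOGOFF user=asmith terminal=T03
"""
TRANSACTION_LOG = """\
2023-03-14T09:37:20 app=WIRE txn=88213 user=jdoe terminal=T17 amount=250000.00
2023-03-14T10:15:08 app=WIRE txn=88219 user=asmith terminal=T03 amount=1200.00
2023-03-14T12:30:00 app=WIRE txn=88231 user=jdoe terminal=T17 amount=75000.00
"""

def parse(text):
    """Turn 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    recs = []
    for line in text.splitlines():
        ts, *kv = line.split()
        rec = dict(pair.split("=", 1) for pair in kv)
        rec["ts"] = datetime.fromisoformat(ts)
        recs.append(rec)
    return recs

def evidence_hash(text):
    """SHA-256 of a log exactly as collected, so the examination can be repeated."""
    return hashlib.sha256(text.encode()).hexdigest()

def reconstruct(txn_id, logon_text=LOGON_REPORT, txn_text=TRANSACTION_LOG):
    """Tie one transaction to the LOGON/LOGOFF pair (same user ID and
    terminal) that brackets it; None means no session covers it, which
    is itself a finding the investigator must record.
    """
    txn = {r["txn"]: r for r in parse(txn_text)}[txn_id]
    logon, session = None, None
    for r in sorted(parse(logon_text), key=lambda r: r["ts"]):
        if r["user"] != txn["user"] or r["terminal"] != txn["terminal"]:
            continue
        if r["event"] == "LOGON":
            logon = r
        elif r["event"] == "LOGOFF":
            if logon and logon["ts"] <= txn["ts"] <= r["ts"]:
                session = (logon["ts"], r["ts"])
                break
            logon = None
    return {"txn": txn, "session": session, "attributable": session is not None}
```

Transaction 88231 falls after the user's log-off, so no session covers it; that gap is exactly the kind of finding that the PC hard drive alone would never reveal.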