By: Bradley J. Bartram, Vice President of Information Technology & CTO
When a person hears the phrase “Computer Forensics” more often than not their mind wanders to an episode of CSI or NCIS or another piece of modern entertainment. A professional who has retained the services of a forensics expert might be drawn to their prior experience, which usually surrounds the retrieval of bits and fragments of data from someone’s computer. What both of these perspectives have in common is that they are post-mortem, which is to say they are reactive measures taken to accomplish a defined purpose. Entertainment uses computer forensics to lift that one piece of critical evidence in order to advance the plot. The legal profession uses computer forensics to build their case.
Computer forensics certainly has its place in the above examples, but forensics can also be used proactively as well. Take, for example, an auditor. This could be a financial auditor or it could be an internal security audit. For purposes of this example, company XYZ retains the services of an outside firm to perform an audit of internal controls that have been placed in operation and testing of operating effectiveness. Today, most of those controls exist and are based on computers. The audit would normally consist of standard procedures like reviewing documentation in the form of logs, notes, and reports as well as configuration settings for affected systems. Depending on the depth of the audit engagement, interviews with staff would be conducted. All of this is fine and accepted practices, but does it really provide a complete picture? Enter computer forensics.
In today’s world, business operates almost exclusively in binary. It is estimated that nearly 80% of all business records produced are never printed. The Computer Security Institute annual Survey estimates that the most expensive computer security incidents were those involving financial fraud with an average reported cost of close to $500,000. Employees typically have one or more desktop computers connected to various corporate resources. They have laptop computers, smart phones as well as a multitude of computer storage ranging from USB flash drives to external hard drives and even online storage. We also have online access to an array of computer services and resources ranging from email to online collaborative documents to social networking. All of this presents a challenge to a traditional audit because given the sheer numbers of ways for data to be received or transmitted, just finding the right questions to ask can be daunting. Luckily, the computers and devices are adept at keeping track of all of this information, and computer forensics brings that information back into the audit process.
Back to our original example, the audit firm finds that one document in particular is important and needs to be tracked. The XYZ company has it on a protected storage area of the network and five employees have access. An interview with each staff member appears legitimate and it appears the document has been under strict control. But is that the end of the story? That document could have left the company in ways undetectable to normal IT systems. It may have been copied to an external storage device or even mailed using an online service. Forensically, evidence of the document’s movement could be obtained by looking at deleted files or the system registry or even through a careful analysis of the user’s internet history. All of this could be done during the audit and possibly prevent this from happening during discovery.
Unfortunately, for a professional that has used a computer forensic professional in the past, the connotation is that computer forensics is expensive and prohibitive except in the direst of circumstances. How could the cost be justified for something as mundane as an audit? The answer is that computer forensics is time consuming and therefore expensive when not approached correctly, but it can be very reasonable when approached as a tool to polish existing audit work. In our scenario, computer forensics would be brought in towards the end of the engagement once the critical pieces of data were identified. The process was employed to identify and report occurrences of a violation of various rules by a small set of employees / documents or both. An exam that would be narrow enough to minimize cost while providing a tangible benefit to the client and provide an unparalleled depth to the firm’s audit report.