Picture this: Detectives hand over a zip drive to a technician who sits at a state-of-the-art console surrounded by multiple monitors. With just a few keystrokes, cool graphics speed across the screens, and within minutes, the tech has unraveled a key piece of evidence that allows law enforcement to nab the criminal. Sounds like a scene straight out of your favorite crime drama, right?
Albeit entertaining, nothing in the real world is ever so simple or so fast as it's portrayed on "NCIS," "Law & Order," or pick-your-favorite-city "CSI." Still, a generation has grown up captivated by the seemingly unlimited capabilities of TV computer forensics examiners to retrieve deleted, corrupted or encrypted files.
Such a role, however, isn't merely the machinations of Hollywood screenwriters' overactive imaginations. Rather, it's a bona fide profession that's emerging as one of the hottest disciplines among engineers and information technology (IT) professionals.
From Then to Now
The term "forensic" means the application of science to answer questions arising from crimes or litigation. This can take on many forms, such as medical autopsies, crime scene evidence analysis and in-depth accounting reviews. Computer forensics has often been referred to as an autopsy of a hard drive. Although the newest member in the forensics club, this expertise is gaining prominence among law enforcement and the technical world.
Officially, the specialty originated more than 20 years ago, right around the time personal computers began proliferating the marketplace. At first, specialists assumed IT functions, such as recovering deleted files or converting paper documents to electronic records for more efficient searches.
Photo credit: Jared
Indeed, this was among the first tasks Jason Park, CCE, tackled. "I started out by helping attorneys manage their documents. I would take papers and scan them to create databases. Then I would index them by date, authors and other data so attorneys could do searches quickly," explains the computer forensic examiner with Litigation Solution Inc., based in Dallas, Texas. But as computers assumed more prominence in our day-to-day personal and business operations, the examiner's role also grew. In Park's case, his job responsibilities expanded to include combing through clients' files. He explains, "Corporate America started storing their data on computers, so the technology became more and more important to litigation. We took documents from the digital format to analog and then scanned them back into digital, but in a format our database could utilize. The next big step was to convert everything to tiff or PDF files so people could search by extracting text."
Around this same time, hackers began capturing a lot of headlines as they covertly wormed their way into private systems. These rogue cyber pirates spurred a new generation of forensics specialists who deciphered how the hackers broke into systems and then programmed barriers to prevent similar actions in the future.
Now fast-forward to today. Users of all kinds—from private citizens to international businesses networked around the globe—stockpile incredible amounts of data on computers and servers. It's typical to find everything from business records to bank accounts to personal correspondence. Plus, there are copious numbers of smart phones through which countless digital exchanges occur. There are also digital camera cards, memory sticks and MP3 players—virtually anything digital has the potential to become evidence in a civil or criminal case. All this put together has broadened the scope of how computer forensics examiners practice their trade.
"Digital evidence is part of every case, and the crimes span the gamut from the smallest to terrorism or intelligence-related because computers have become a part of our everyday lives," asserts Ovie Carroll, director of the Cybercrime Lab within the Department of Justice (DOJ), located in Washington D.C.
Indeed, examiners may find themselves working on anything from child custody or divorce cases to criminal prosecutions or even probing possible embezzlement or trade secrets violations. "The more that attorneys and other professionals realize how much data are on computers, the more and more examiners are needed," states Park.
The crux behind computer forensics is to retrieve electronic evidence. "But it needs to be preserved in a certain way," comments Park. "The corporate IT guy may be able to do a data capture, but if it's not done in a forensic manner, then it could be problematic [in court]."
More specifically, examiners must avoid altering files in any way, shape or form. For example, one would never work off of original files. "That evidence would be thrown away because it's difficult to prove who did what," offers Park. "You have to protect the chain of evidence."
Rather, the first step is always to make a copy of any device or file in question and use that to investigate the contents. But even then, it's not as simple as commanding the computer to "duplicate" because that operation routinely updates time codes. Instead, it's the examiner's responsibility to preserve all time references at and up to the moment in question. It's almost as if they make time stop. "We copy the set of data exactly as it was during the regular business [functions]," says Park. Another element is to verify what actions took place, such as document creation, e-mail transmissions and file deletion. Each time users instruct the computer or other digital devices to carry out a command, distinctive tracks are left behind that examiners follow.
"A good computer forensics examiner understands how computers work, not just at the user level, but also at the physical level," asserts Carroll. "For example, an examiner needs to know what happens on the computer when a jump drive is inserted and a document created. Also, they need to figure out what action was taken by the user when the examiners don't find the evidence that should be there. They need to ask themselves what would cause that evidence to not be there because they know vapor trails are left behind." "Also, we supplement our collections of data throughout the process. For example, people may use a document template over and over," adds Park. "We may end up harvesting the same type of file multiple times, and every time it's altered, there's a new document to review."
While uncovering the evidence alone can be compelling and challenging, that's just one aspect of an examiner's duties. It's not just about the bytes on a drive or the e-mails and their attachments, but it's also figuring out who the user was. "We're looking for attribution. Even with a regular crime scene, if you find a gun, you really want the user attribution to determine who pulled the trigger. You're not just finding the smoking-gun document, but who created the document," states Carroll.
What separates digital forensics from other disciplines is the realm in which it is practiced. It's not just about product development, faster processors or new applications. Instead, it's about sifting through existing software and hardware with a twist. As both Carroll and Park noted, the technical tasks are carried out within the confines of legal parameters. "Working on a case also involves social aspects and motivations," states Victor Fay-Wolfe, PhD, professor of computer science and director of digital forensics at the University of Rhode Island (URI) in Kingston. "One of the things I personally like about digital forensics is the mix of technology, law and the social aspect. Students read and discuss cases as they might do in law classes, but they are involved in studying the technology. They look at how the network protocols work or if the case involved network sniffing. It also makes teaching technical aspects more interesting for students."
Fay-Wolfe had been teaching traditional computer science courses for years before he delved into the world of forensics. His introduction to the specialty came about somewhat unexpectedly. "My cousin runs a computer forensics firm, and on a visit, I saw what she was doing. I thought, 'This is a wonderful outlet for computer scientists and engineers who want to do something besides programming,'" he explains. "There are immediate results in the work."
Energized, Fay-Wolfe approached university administrators with the idea of creating a forensics program. "It didn't take a lot of convincing," he notes. URI now offers an undergraduate minor in digital forensics as well as a graduate certificate, master's and doctorate degrees with a forensics focus.
Ever since its inception, student interest has been high. "The program has helped with enrollment figures, particularly among underrepresented groups—about half of our forensics students are women, whereas traditional computer science majors tend to be male. Minorities also seem to be more interested in forensics," says Fay-Wolfe.
Perhaps one of the most appealing elements to the URI program is the Digital Forensics Center where students can apply their newfound skills. The center operates as a consulting organization for attorneys, businesses, government and law enforcement. Under the guidance of faculty members, students assist clients with digital data acquisition, network activity investigation, data recovery and even expert testimony or reporting.
"We're also seeing digital forensics becoming a legitimate research area," comments Fay-Wolfe. "The department has secured over a million dollars in funding from the DOJ to research areas in digital forensics that are not currently supported. Research [ideas] often come from student interns who are out in the field seeing where practitioners are having problems," he continues. "That helps us develop research proposals."
More Than a Technician
Part of what makes computer forensics so intriguing at the moment is the new tools being developed. "Now there are integrated tools, such as EnCase Forensic Software," says Fay-Wolfe. "In the next five years, there will be a dramatic acceleration in the number and kinds and sophistication of tools for investigators."
But the real key to succeeding in the discipline is staying abreast of the technological changes happening in general. With each new advancement, comes a new challenge forensically-speaking.
"Unlike the study of fingerprints, which is straightforward and hasn't changed much over the years, digital forensics is about understanding the progression of computers and digital devices," says Fay-Wolfe. "There are new issues that come up with new products that were we never thought of before. There are encryption aspects that did not use to be encrypted. Technology is changing and we need to address that. Others can learn to use the tools, but with a computer- or engineering-based education, you have the ability to adapt because you have a broader understanding."
With each new challenge, however, come new career opportunities. "It's a huge job market that will only continue to grow," observes Carroll. "It's a great field to be in, but it's not a field for someone who wants to stop learning. It requires a lifelong learning and self-study."
Examiners today have a choice of settings in which to practice, such as law enforcement at local, state and federal levels, private investigative firms, corporate America and software development firms. That said, experts agree a prime computer forensics candidate will bring more to the marketplace than just a well-tuned technical toolkit. Employers look for individuals who combine the technology with a thorough understanding of the necessary legal parameters. "Knowing where on computers evidence can be found is good, but knowing how it's used within the scope of legal investigations is better," advises Park.
"It's important to demonstrate that you know the practical aspect of the field. There are courses with respect of how to maintain the evidence chain of custody," adds Fay-Wolfe.
This is where internships prove invaluable. They provide a real-time glimpse into the field where students can test out the various forensics applications. "We partner with agencies to provide [students] opportunities, such as the Rhode Island State Police, local police departments' crime labs and NCIS. There are also several private computer firms," says Fay-Wolfe. While TV viewers may think they're getting a behind-the-scenes peek into the world of computer forensics, the truth is that's an exaggerated, fantastical version. That's not to say there isn't any drama involved in a computer forensics career. "It's the most exciting field," asserts Carroll.
"No single day is the same as the previous," concludes Park.