[ISN] Cybersleuths on the Trail

From: mea culpa <jericho_at_dimensional.com>
Date: Sat 31 Oct 1998 - 03:44:03 CST
Forwarded From: phreak moi <hackerelite@deathsdoor.com>

http://www.idg.net/idg_frames/english/content.cgi?allowFeedback=false&referer=&outside_source=cnn&url=http%3a%2f%2fwww%2ecomputerworld%2ecom%2fhome%2fonline9697%2ensf%2fall%2f970609sleuths&doc_id=23244

Cybersleuths on the trail
Computer detectives glean evidence from backup tapes

A spot-check of employee electronic mail revealed this alarming message:
"I'll lose my job if they find out what I sent you." 

Had company secrets been transmitted over the Internet? To find out,
anxious officials at the West Coast company called Computer Forensics,
Inc., a Seattle firm that combs through hardware and software for
evidence that some people expect to be hidden or erased.

Enter Joan Feldman, the 44-year-old president of the cybersleuth firm,
rolling her hard-sided Samsonite suitcase. 

It's packed with portable hard drives and proprietary software tools that
help her pry open computer files and backup tapes. 

As it turns out, the E-mailer hadn't revealed corporate goodies. But he
had sent pornography, allegedly to a minor in a chat room. 

"The good news was the guy wasn't a thief. The bad news was he was a
potential pedophile," Feldman said. 

Feldman and her team of former Secret Service agents, retired military
investigators and hard-core geeks root around a company's information
systems and look for evidence. The field is called computer forensics. 

Sometimes a company hires forensics experts, but more often they are hired
by opposing attorneys seeking the "smoking gun" that could lead to a
courtroom victory. 

For example, Vermont Microsystems, Inc. won $25.5 million in a 1994 trade
secrets theft case after the discovery that file directories at Autodesk,
Inc. had the same names as the original directories at Vermont
Microsystems. 

Electronic evidence also played a role when Chevron Corp.  paid four
plaintiffs $2.2 million in 1995 to settle a sexual harassment case that
involved allegedly offensive E-mail.

Similar lawsuits involving allegations of sexist or racist computer
messages are pending against Citibank, Morgan Stanley & Co. and R. R. 
Donnelley & Sons Co. 

For IS managers, the arrival of a forensics team is like their worst
nightmare come true. In a formal and tense interrogation called a
deposition, IS managers have to explain how they do their job and why some
computer records are retained and others aren't. 

"From a corporate point of view, what could be more terrifying than
thinking someone else will come in and feel through your underwear
drawer?" asked Greg Stern, a lawyer at an East Coast insurance company,
who has seen the process. 

So IS managers would do well to understand how old backup tapes, server
logs and other unsightly computer residue can cost their companies
millions of dollars in court, experts said. 

Electronic files contain much more information than paper — and the most
telling details are the ones you can't see on screen. 

"What's most useful to us are the hidden copies of a document people don't
know exist. But you can find them in hard drives and backup tapes,"
Feldman said. They can reside in printer and fax buffers, too. 

[Photo caption: Electronic Evidence's John Jessen and a team of 25 find
legal evidence buried in backup tapes]

RUNNING UP BIG BILLS

Producing court-approved electronic evidence isn't cheap; it sometimes
runs into six or seven figures. The question is, who should pay for it?

Some judges have said computer files are no different from paper files, so
defendants must, at their own expense, collect and produce electronic
information requested by plaintiffs during the evidence discovery process. 

But other courts have ordered plaintiffs — who usually make the request
for evidence — to pay for the job. 

Either way, computer evidence is expensive to identify, locate, copy and
produce. In corporate cases, costs can run from $30,000 to $100,000 or
more, depending on the scope of the inquiry. Million-dollar price tags
aren't unheard of.

For example, sifting through 12 months' worth of E-mail created by 50
people would cost $60,000 to $75,000, said Joan Feldman, president of
cybersleuth firm Computer Forensics. 

"You can really burn through money," she said. 

No kidding. Feldman's company and rival Electronic Evidence Discovery both
bill like lawyers: time and materials per hour. Rates depend on the
investigator's expertise, but project leaders typically charge $85 to $175
per hour, and the top people charge even more.

"It takes a fairly big case to justify retaining a computer forensics
specialist," said Barry Johnsrud, a lawyer at Eisenhower & Carlson PLLC in
Tacoma, Wash. The law firm has hired Feldman for two commercial litigation
cases in the past two years.

Johnsrud said with a laugh that Feldman herself charges nearly twice his
$125 hourly rate. — Kim S. Nash

Feldman got into computer forensics in 1991 by going to work at a
start-up called Electronic Evidence Discovery, Inc. Nine months later, she
quit to start a competing company.

She and former boss John Jessen are still bitter rivals. But the two are
the best-known commercial detectives who work the computer turf. And they
are in demand. Experts said discovery requests for computer files have
jumped from 2% of all discovery requests to 30% in the past five years. 


GOOD IDEA, BAD EXECUTION

Still, many lawyers don't understand how to use computer files.  Feldman
told the story of a U.S. Department of Justice case three years ago in
which the department demanded electronic evidence from the defendant. That
was smart. But agency lawyers asked that it all be converted to
WordPerfect files. 

That was dumb. 

Converting from a native format wipes out information that is invisible to
users but crucial to computer sleuths. That includes genealogy tidbits in
a header that indicate when a file was created and updated and, in some
cases, by whom. (The Justice Department has since reformed its practices.) 
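The "genealogy tidbits in a header" are concrete. As an added illustration
(not part of the Computerworld article, and using a modern format rather
than the WordPerfect files the story mentions): a .docx is a zip archive
whose docProps/core.xml part records who created the file, who last saved
it, the two timestamps and a revision counter. The sample document below
is constructed in memory with only the two parts needed here, so it is not
a file Word would open; the point is that the text export carries none of
the provenance the native container did.

```python
"""Native-format metadata versus a converted copy.

Constructed sample: a minimal .docx (zip) with docProps/core.xml and
word/document.xml only. native_metadata() reads the provenance fields,
export_text() produces what a "convert it to text" request delivers,
and fields_lost_in_conversion() lists what the export silently drops.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
}


def build_sample_docx(lines, author, editor, created, modified, revision):
    """Constructed sample document; the values are made up for this demo."""
    core = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<cp:coreProperties xmlns:cp="{NS["cp"]}" xmlns:dc="{NS["dc"]}" '
        f'xmlns:dcterms="{NS["dcterms"]}" '
        'xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
        f'<dc:creator>{author}</dc:creator>'
        f'<cp:lastModifiedBy>{editor}</cp:lastModifiedBy>'
        f'<cp:revision>{revision}</cp:revision>'
        f'<dcterms:created xsi:type="dcterms:W3CDTF">{created}</dcterms:created>'
        f'<dcterms:modified xsi:type="dcterms:W3CDTF">{modified}</dcterms:modified>'
        '</cp:coreProperties>'
    )
    document = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{NS["w"]}"><w:body>'
        + "".join(f"<w:p><w:r><w:t>{line}</w:t></w:r></w:p>" for line in lines)
        + "</w:body></w:document>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
    return buf.getvalue()


def native_metadata(docx_bytes):
    """Provenance fields from docProps/core.xml: creator, last editor, timestamps, revision."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("docProps/core.xml"))

    def field(path):
        el = root.find(path, NS)
        return el.text if el is not None else None

    return {
        "creator": field("dc:creator"),
        "last_modified_by": field("cp:lastModifiedBy"),
        "created": field("dcterms:created"),
        "modified": field("dcterms:modified"),
        "revision": field("cp:revision"),
    }


def export_text(docx_bytes):
    """The converted copy: paragraph text only, which is all a text export keeps."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return "\n".join(t.text or "" for t in root.iterfind(".//w:t", NS))


def fields_lost_in_conversion(docx_bytes):
    """Metadata values that appear nowhere in the text export."""
    meta = native_metadata(docx_bytes)
    text = export_text(docx_bytes)
    return sorted(k for k, v in meta.items() if v and v not in text)


if __name__ == "__main__":
    sample = build_sample_docx(
        ["Q3 pricing model", "Do not distribute outside the company."],
        author="a.researcher", editor="contractor-laptop",
        created="1997-03-02T09:14:00Z", modified="1997-05-28T23:51:00Z",
        revision="17")
    print(native_metadata(sample))
    print(fields_lost_in_conversion(sample))
```

The discovery lesson is the one the article draws: ask for the native
container (and the backup tapes it came from), not a converted rendition,
because the conversion is what destroys the who-and-when.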

In fact, different operating systems and software packages have quirks
that electronic detectives can exploit. 

Windows, for example, makes a handful of unnecessary copies of a document
that it stashes in several subdirectories. So it is easier to recover
supposedly deleted files on Windows than on Unix, Feldman explained. 

But Unix machines generally keep more data about what has transpired on
the system. That is useful for following the tracks of wrongdoers. 

E-mail discovery is trickier. Most mail systems can't be searched by
keywords, which lawyers would love to do, because messages are saved
inside the E-mail package and are usually encoded or compressed. So
recovering E-mail is a lengthy process (see chart).
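Why a keyword search over the raw mail store misses things, as an added
example that is not part of the article: the three messages below are a
constructed sample in mbox layout, not data from any real mail system. One
body is base64 transfer-encoded and one keeps the interesting text only
inside a gzip attachment. A byte-level scan for the keyword finds neither;
a search that parses the MIME structure, decodes each part and inflates
compressed attachments finds both. The mbox splitting is deliberately
simple (it assumes no body line begins with "From ", which holds for the
constructed data).

```python
"""Keyword search over mail: raw byte scan versus decoded MIME search.

Constructed sample store (mbox layout) with three messages. raw_scan()
shows what grep-style searching sees; decoded_search() decodes transfer
encodings and gzip attachments before matching.
"""
import gzip
import re
from email import message_from_bytes, policy
from email.message import EmailMessage


def _message(sender, subject, body, cte=None, attachment=None):
    """Build one constructed message; cte="base64" forces an encoded body."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "counsel@example.invalid"
    m["Subject"] = subject
    m.set_content(body, cte=cte)
    if attachment is not None:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="gzip", filename=name)
    return m


def build_sample_mbox():
    """Constructed sample data, not from any real mail system."""
    plain = _message("alice@example.invalid", "lunch", "Cafeteria at noon?")
    encoded = _message("bob@example.invalid", "re: the file",
                       "I'll lose my job if they find out what I sent you.",
                       cte="base64")
    packed = _message("carol@example.invalid", "notes", "see attached",
                      attachment=("notes.txt.gz",
                                  gzip.compress(b"pricing model attached, keep quiet")))
    out = b""
    for m in (plain, encoded, packed):
        out += (b"From " + m["From"].encode() + b" Sat Oct 31 03:44:03 1998\n"
                + m.as_bytes() + b"\n")
    return out


def split_mbox(raw):
    """Split mbox-layout bytes on 'From ' separator lines (no >From quoting handled)."""
    parts = re.split(rb"(?:^|\n)From [^\n]*\n", raw)
    return [p for p in parts if p.strip()]


def raw_scan(raw, keyword):
    """Number of messages whose raw bytes contain the keyword: the grep view."""
    return sum(1 for m in split_mbox(raw) if keyword.encode() in m)


def searchable_text(msg_bytes):
    """Headers plus every text part (transfer-decoded) plus inflated gzip attachments."""
    msg = message_from_bytes(msg_bytes, policy=policy.default)
    chunks = [f"{k}: {v}" for k, v in msg.items()]
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_content()  # undoes base64 / quoted-printable
        if isinstance(payload, str):
            chunks.append(payload)
        elif isinstance(payload, (bytes, bytearray)) and (
                part.get_content_type() == "application/gzip"
                or (part.get_filename() or "").endswith(".gz")):
            try:
                chunks.append(gzip.decompress(payload).decode("utf-8", "replace"))
            except OSError:
                pass  # labelled gzip but not inflatable; leave it out
    return "\n".join(chunks)


def decoded_search(raw, keyword):
    """Senders of messages that contain the keyword after decoding, case-insensitive."""
    hits = []
    for m in split_mbox(raw):
        if keyword.lower() in searchable_text(m).lower():
            hits.append(str(message_from_bytes(m, policy=policy.default)["From"]))
    return hits


if __name__ == "__main__":
    store = build_sample_mbox()
    for kw in ("lose my job", "pricing model", "noon"):
        print(kw, "raw:", raw_scan(store, kw), "decoded:", decoded_search(store, kw))
```

Real mail stores add the layers this sample leaves out: proprietary
container formats, per-mailbox compression and messages spread across
years of backup tapes, which is why the article calls it drudgery rather
than a keyword lookup.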

"A lot of people think this is a flashy business. You go in, get the
offending E-mail and win your client millions of dollars. But that's a
minority of the time," Feldman said. "It's a lot more drudgery than they
think." 

The workload can be huge. A case filed in 1995 against a unit of the U.S.
Department of Agriculture, for example, has so far generated 53G bytes of
data from 27 mainframes and several minicomputers and PCs in four states
and the District of Columbia. That includes a year's worth of E-mail — and
doesn't include the 6,000 backup tapes Computer Forensics has yet to
scour. 

STOLEN SECRETS?

Sometimes Feldman is called in when a company is only contemplating a
lawsuit. That's what happened when a departing scientist left his PC
behind and his former boss was worried about trade-secret theft. 

Leftover E-mail and files turned up nothing juicy. But then Feldman looked
in an area of the Windows 3.11 operating system few users know about. 
There, she found pieces of a PowerPoint presentation obviously created for
the ex-employee's new firm. And the information was very similar to the
old firm's proprietary data.

Feldman asked that Computerworld not reveal the secret Windows locale.
"It's one of my best tricks," she said, winking a blue eye. 

But here is some free advice from the woman who otherwise charges $235 per
hour: Destroy old computer files, including E-mail and voice mail, on a
regular schedule. 

"Many, many companies will have a records management policy for paper but
none for electronic information. That's stupid," Feldman said. 

But — and this is a big one — don't suddenly start purging files after
your company gets hit with a lawsuit. 

Judges throw the book at defendants who erase evidence after a legal
problem surfaces, she said. "You think you're helping, but destroying
evidence means you lose everything." 




-o-
Subscribe: mail majordomo@repsec.com with "subscribe isn".
Today's ISN Sponsor: Repent Security Incorporated [www.repsec.com]
Received on Sun Nov 1 21:15:33 1998