Computer Forensics Investigations: Body of Evidence
Part art, part science, a computer forensics practice requires more planning and investment than technology vendors would have you believe.
By Daintry Duffy
May 01, 2004 — CSO — When the body of his wife was discovered, Air Force Sgt. Joseph Snodgrass was stationed at Clark Air Base in the Philippines. Julie Snodgrass was found in the cab of a pickup truck nearby, having been stabbed more than 42 times. The only evidence connecting her husband to the crime was a couple of floppy disks on which were stored two letters: one in which Sgt. Snodgrass asked his mistress to hire three hitmen to murder his wife, and another increasing his wife's life insurance coverage to $450,000. During questioning in his office by the Air Force Office of Special Investigations (OSI), Snodgrass pulled the two 5.25-inch diskettes from his desk and used pinking shears to chop the damning evidence into two dozen pieces.
The agents confiscated the disks, but not before significant damage had been done. In checking with law enforcement and the diskette manufacturer, the investigators discovered that no protocol existed for reassembling disks that had been so seriously damaged. That's when an Air Force team headed by Jim Christy, currently the director of operations at the Department of Defense Cyber Crime Center in Linthicum, Md., went to work on the problem. After several failed attempts, the team managed to develop a process to line up the tracks on the disks and then tape the pieces together on a cardboard mounting hub. Spending only $131, Christy and his team were able to reconstruct the disks and retrieve 85 percent of the data.
Snodgrass was convicted of first-degree murder and was sentenced to life in prison.
Tape and cardboard may not be high-tech wizardry, but forensics isn't only about fancy tools and technologies that aid investigators in their work. It's as much about ingenuity and creativity as technology, and it requires a unique array of skills: the technical savvy of a science-club geek married with the curiosity that marks a seasoned detective.
Armed with little more than cotton swabs and a handful of plastic baggies, police detectives from TV shows such as Quincy, M.E. or CSI: Crime Scene Investigation are able to reconstruct a crime, describe how it was perpetrated, and finger the person who did the deed. Investigators who specialize in computer forensics may not be as telegenic, but they accomplish the same goals as their Hollywood counterparts with the use of software and hardware. No wonder it has become a hot topic in the security community.
The truth about building and managing a forensic practice won't be found in the glossy pages of a product brochure or in a Hollywood screenplay. In any investigation, the story of what really happened is hidden in the details. Here's what we found when we asked security executives and industry experts to name the elements of a successful forensic practice and the challenges that await CSOs when they venture into this dynamic arena.

Liability Redefined

Computer forensics is the use of technology to establish facts for building a case in court. Your board of directors may fervently wish never to need computer forensics, but given the evolution of legislation around security breaches, forensic capabilities are a necessity.