Monday, January 29, 2007

The Beacon Bulletin: Your Firm's Email and YouTube: Computer Forensics 101

This Week's Focus: Recovering Your Firm's Email: Computer Forensics 101

Email originating from your firm's computers is at once your property and your liability. An employee may think it amusing to post a hilarious water-cooler moment on YouTube, or to discuss work issues or situations on an intra-industry user-generated site. A routine sweep, while perhaps viewed by some as an invasion of privacy, is actually good housekeeping. One is expected to maintain a general awareness of what is brought into or taken out of one's home. Workplace Internet protocols call for an even higher level of monitoring, given the potential for creating a harmful environment and revealing company information.

This week's Bulletin will focus on the nuts and bolts of recovering computer evidence data, using procedures that minimize the chance that the extracted evidence could be compromised.

To ensure the integrity of the computer evidence, all data files should be copied onto write-once Read Only Memory (ROM) discs. Alternatively, one can "clone" the computer's hard drive. There are, however, some problems with cloning. All hard drives are by their very definition read-and-write media, which means that once information is cloned onto a hard drive, it can be altered. It is virtually impossible to alter data on a write-once ROM disc. Also, if you clone a hard drive, you will be copying everything, including the OS (operating system). This can occupy a large amount of storage space, when the evidence is usually found in data files. Data files typically account for a much smaller portion of the hard drive's space and are therefore easier to deal with. (In the event that time or circumstance dictates cloning the hard drive, do so with the intention of subsequently copying the data files to ROM discs.)

Phase 1: Preliminary Procedure - Obtaining Log-Ons and PINs

1. Obtain all log-on names and passwords (or PINs).

2. Obtain email log-on names and passwords (PINs).

3. Obtain the evidence computer's encryption codes, passwords and software for the applicable data files.

Phase 2: Evidence Access and Duplication

1. Identify all data files, including hidden and deleted files. Identify e-mail message files.

2. Copy the identified files onto a write-once CD-ROM disc.

3. After all copies are completed, certify that each file was copied from the evidence computer.
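As an added illustration of step 3 (this code is not part of the original Bulletin), one way to certify that each file on the write-once disc is an unaltered copy: record a hash of every file while still on the evidence computer, then re-hash the copy and compare. The directory layout, file names and message contents below are constructed for the example.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large mailbox files are not loaded whole


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file's contents."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file under root (path relative to root) to its hash."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_copy(manifest: dict[str, str], copy_root: Path) -> dict[str, list[str]]:
    """Re-hash the copy and report files missing, altered, or not in the manifest."""
    found = build_manifest(copy_root)
    return {
        "missing": sorted(set(manifest) - set(found)),
        "modified": sorted(k for k in manifest if k in found and found[k] != manifest[k]),
        "extra": sorted(set(found) - set(manifest)),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: a faithful copy and a copy where one message was altered."""
    work = Path(tempfile.mkdtemp())
    evidence = work / "evidence"                      # stands in for the evidence computer
    (evidence / "mail").mkdir(parents=True)
    (evidence / "mail" / "inbox.mbox").write_text("From: a@example.com\nSubject: Q1 numbers\n")
    (evidence / "notes.txt").write_text("constructed sample file\n")
    manifest = build_manifest(evidence)               # recorded before the copy leaves the evidence computer

    good_copy, bad_copy = work / "cdrom", work / "tampered"
    shutil.copytree(evidence, good_copy)              # stands in for the write-once disc
    shutil.copytree(evidence, bad_copy)
    (bad_copy / "mail" / "inbox.mbox").write_text("From: a@example.com\nSubject: edited\n")
    return verify_copy(manifest, good_copy), verify_copy(manifest, bad_copy)
```

The manifest itself should be written out and kept with the disc so that anyone reviewing the copy later on Computer No. 2 can repeat the check.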

Phase 3: Software Identification

1. Identify all software used in the evidence computer.

2. Identify e-mail account client and provider.

3. Have another computer available (called Computer No. 2). Load the previously identified software onto this secondary computer.

4. Load the CD-ROM disc (previously recorded with the data files) into Computer No. 2.

5. Review and print all or selected evidence data files as required.

Phase 4: E-Mail Evidence Discovery

1. Identify e-mail provider.

2. Request any available e-mail files from e-mail provider's server.

Phase 5: Review of Evidence

This is the final phase of the evidence discovery from the evidence computer. All evidence files are now on CD-ROMs and Computer No. 2 has the requisite software loaded to view and evaluate the evidence.

The attorney may now want to search for a key phrase or name(s) within all the files to quickly sort out any specific evidence. Or, the attorney may want to sort the files by date and review a chronology of events.
