Computer Forensics
Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers, by Michael Sheetz. John Wiley & Sons Inc., Hoboken, NJ, 2007. 152 pages, $50.00.
Digital detectives are becoming the frontline soldiers of law enforcement. The field of computer forensics is growing rapidly, with the demand for experts outpacing the supply. Many hard-to-crack homicides and other felonies are solved on the basis of information unearthed by computer forensics experts who analyze digitally stored evidence and report their findings comprehensively enough to ensure its admissibility in court.
Part of the reason that computer forensics experts are in such demand is that the cost of computer-related crimes in the United States is burgeoning. The FBI reports that cyber-crimes cost businesses more than $67 billion annually. But, in addition to crimes against private industry, the country faces the looming possibility of large-scale threats to national security. In 1998, the U.S. Department of Justice and the FBI created the National Infrastructure Protection Center to safeguard national infrastructure networks and systems from attacks, including computer-based criminal acts such as hacking and spreading viruses. The center guards telecommunications systems, financial networks, transportation systems, utilities, and other vital parts of the nation’s infrastructure.
It is thus fitting that Michael Sheetz, the author of Computer Forensics: An Essential Guide for Accountants, Lawyers, and Managers, has a law enforcement background as well as a law degree. A frequent contributor to magazines such as Law and Order, Police Chief, and Police Officer Quarterly, Sheetz has a special interest in computer crime and served as the sergeant of an investigative team in Ft. Stewart, Ga., during Operation Desert Storm in 1991. The National Institute of Justice at the Department of Justice also has an interest in computer crime. In April 2004, the institute issued an outstanding report on the subject: “Forensic Examination of Digital Evidence: A Guide for Law Enforcement.” Sheetz’s book measures up to the standards of this report and delivers much useful information in fewer than 150 pages of text. For novices to the field, Computer Forensics covers the essential stages of the seizure and analysis of computer evidence—namely, collecting and preserving the evidence and rendering an opinion about it.
The book’s most important lesson is that digital evidence is fragile and ripe for inadvertent damage if improperly handled during an examination. The stages of data gathering are the most volatile; for example, even a single touch of the computer mouse by an inexperienced investigator can jeopardize an entire course of evidence collection and preservation. Sheetz cautions that “[t]he very process of turning on the computer will in fact change the evidence. ... The process of starting a computer is the functional equivalent of opening a book, erasing several lines of the text, and replacing the text with something new—every time you open it.” Sheetz convincingly conveys the importance of documenting and explaining any change to digital evidence if the evidence is to be used in court. Sheetz is at his best when he is in the criminal detection mode. He writes: “The computer installation is the crime scene, no different from the scene of a murder or a burglary. Investigators must document how the suspected criminal left the computer, just as they would document a murder scene.” In describing how investigators take control of a case, Sheetz covers the salient points of case assessment: determining the skill level of the offender, identifying the number of computers and any proprietary software, and evaluating the site. A similar checklist appears in the report produced by the National Institute of Justice.
Two chapters in Sheetz’s book—“Computer Tools and the Forensics Examination” and “Computers as Tools for Evil”—are immensely enjoyable, with the latter reading like the table-top fantasy game “Dungeons and Dragons.” One of the most interesting chapters covers hackers and describes such practices as “war driving,” which involves driving through neighborhoods with a wireless-enabled laptop computer and scanning software to locate wireless networks and, where they are unprotected or weakly protected, to capture their access keys. Sheetz explains that, “[a]s computer security administrators become more and more vigilant, frequent polling of the system reveals unauthorized processes running and leads to the discovery of the intruder.” In response, some hackers use a “hooking device that allows the rootkit [a Trojan horse-type program that gains control of computers at the system level] to hijack the system processes polled by the system administrator and report back whatever the hackers desire.” In other words, the rootkit intercepts the very system calls the administrator’s tools rely on, so the process list, file listing, or network table those tools display is whatever the intruder wants shown. According to Sheetz, rootkits can therefore be hard to detect with traditional virus protection software, which runs on the same compromised system. But he does not explain how to deal with hackers who gain nearly total access to a system with rootkits until later in the book, when he addresses the tools used by computer forensic investigators.
It is at that point that we learn more details about rootkits and also that investigators have two forensic examination techniques to assist in identifying certain rootkits. The techniques are to be used in tandem: accessing the system from a remote safe system, then comparing “the hash value of the system files with the hash value of trusted binaries.” Hashing, Sheetz explains, is digital fingerprinting that creates a unique hash value for every digital object. Examiners can detect changes to a file, because any change will produce a different hash value. Hashing, as Sheetz presents it, solves the rootkit problem: a database of Windows and other programs holds all “true” hash values, so by hashing all the program files on the computer being investigated and comparing them to the “true” hash values in the database, investigators can identify files that have been tampered with. The order of the two steps matters more than the book makes explicit. A rootkit that hooks the file system can hand a pristine copy of a file to any program running on the compromised machine, so hashes computed on the live system may match the trusted values even though the code actually executing has been altered; the hashes have to be computed from the safe system, against a disk image taken with the suspect machine powered off, for the comparison to mean anything. The same technique works in the other direction, matching files against a database of known-bad rather than known-good hashes. “In child pornography cases,” Sheetz writes, “certain image files tend to circulate frequently and seem to be perennial images in most predators’ collections. Investigators have compiled databases of hash values for these common image files.” He explains that “investigators can compare the hash values of individual files on the target computer with the database of known pornographic images. A match proves to a scientific certainty that the image, regardless of the name, is the contraband file.”
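The two comparisons described above, carried out over a directory tree standing in for a mounted forensic image, as an added example that is not code from Sheetz’s book or from the National Institute of Justice report. The directory layout, file contents and both hash lists are constructed for the demonstration; a real examination would take the known-good hashes from a reference set such as NIST’s National Software Reference Library and the known-bad hashes from a law-enforcement contraband database. The script classifies each file as unchanged (matches its trusted hash), tampered (a known program file whose hash differs), contraband (hash is in the known-bad set, whatever the file is called), or unknown.

```python
from __future__ import annotations

import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large images and binaries need not fit in memory.

    The file is opened read-only. The tree being hashed should be a mounted
    image of the seized disk examined from a trusted machine, not the live
    suspect system, where a rootkit could serve up a forged copy of the file.
    """
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root: Path, known_good: dict[str, str], known_bad: set[str]) -> dict[str, list[str]]:
    """Walk ``root`` and classify every regular file.

    known_good maps an expected relative path (e.g. "system32/shell.bin") to the
    hash of the trusted binary; a file at that path with a different hash has
    been tampered with.  known_bad is a set of hashes of contraband files, which
    match regardless of the name the file has been given on disk.
    """
    report: dict[str, list[str]] = {"unchanged": [], "tampered": [], "contraband": [], "unknown": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        digest = sha256_file(path)
        if digest in known_bad:
            report["contraband"].append(rel)
        elif rel in known_good:
            report["unchanged" if known_good[rel] == digest else "tampered"].append(rel)
        else:
            report["unknown"].append(rel)
    return report


def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_sample_image(root: Path) -> tuple[dict[str, str], set[str]]:
    """Constructed sample data: a tiny fake disk image plus hypothetical hash databases."""
    (root / "system32").mkdir()
    (root / "system32" / "kernel.bin").write_bytes(b"ORIGINAL KERNEL BYTES")
    # The shell binary on disk has been modified (stand-in for a rootkit hook).
    (root / "system32" / "shell.bin").write_bytes(b"SHELL BYTES WITH ROOTKIT HOOK")
    # A known contraband file renamed to look innocuous.
    (root / "vacation.jpg").write_bytes(b"CONTRABAND IMAGE BYTES")
    # An ordinary user file that is in neither database.
    (root / "notes.txt").write_bytes(b"user notes")

    known_good = {
        "system32/kernel.bin": _h(b"ORIGINAL KERNEL BYTES"),
        "system32/shell.bin": _h(b"ORIGINAL SHELL BYTES"),  # hash of the trusted, unmodified binary
    }
    known_bad = {_h(b"CONTRABAND IMAGE BYTES")}
    return known_good, known_bad


def run_demo() -> dict[str, list[str]]:
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        known_good, known_bad = build_sample_image(root)
        return triage(root, known_good, known_bad)


if __name__ == "__main__":
    for category, files in run_demo().items():
        print(f"{category:10s} {files}")
```

The “regardless of the name” point in Sheetz’s quotation is exactly why the known-bad lookup is keyed on the hash alone while the known-good lookup is keyed on the path: a program file is only meaningful at the location the operating system loads it from, whereas a contraband image is contraband wherever it sits. Two further caveats a practitioner would add: the “scientific certainty” of a match rests on the collision resistance of the hash function, so a modern algorithm such as SHA-256 should be used in preference to MD5 or SHA-1, for which collisions can be manufactured; and a match tells you only that the bytes are identical, so a recompressed or slightly edited copy of a known file will not match and needs other techniques.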
A drawback to Computer Forensics is that it does not make it easy for readers to locate information by category. Managers as well as legal and accounting professionals would have benefited from an outline checklist with each chapter, which could serve as a quick road map. In this respect, the report issued by the National Institute of Justice is far easier to navigate because of its short and easily identifiable sections, bullet points, and special notes.
Apart from this formatting concern, however, Computer Forensics provides a useful introduction to a rapidly expanding field. Classes in digital forensics are now offered in approximately 100 colleges around the country, and federal intelligence agencies such as the National Security Agency are seeking experts in the field. Familiarity with the subject is no longer necessary only for specialists. Sheetz points out that, although we have not experienced notable cyber-terrorist attacks, “the power of the bit and byte could well be a hundred times more powerful than the airliners that struck the World Trade Towers.”