The New World of the Computer Hacker – and Forensic Technology Specialists

Cybercrime has been thrust to the forefront of public attention by a glut of high-profile, well-publicized cases of compromised computer systems at organizations like Sony, Target, Home Depot, and J.P. Morgan Chase. These cases have brought the “hacker” out of a shadowy netherworld and into the consciousness of the general public as well as security experts. These stories lead most people to think that the risk of “high-tech crime” comes from the outside or remote hacker: the organized group overseas or the solitary technology genius banging away at the keyboard in the dark, looking for sensitive corporate data, personal information, and credit card data to steal. While outside hackers are a significant component of high-tech crime, insiders – threats from within the organization – are often overlooked. The resulting damage can be just as dramatic, if not more so, than an attack from the outside.

Computer Forensics and Investigations Require Detective Skills

High-technology investigators never know what sort of case will appear next. The combination of evil intent by those who would cheat, steal or game the system to their advantage; innovation in using new technologies in nefarious ways (or ignorance of how to use them properly); and good old-fashioned opportunity for mischief presents significant risk to any organization. While new technologies may provide new opportunities, they also leave behind footprints and artifacts that can be discovered. Users’ activities can be traced, often without their knowledge, and the traces can reside on devices years after the users have left. Forensic technology specialists aid their clients in securing data and in finding the deep, hidden, or obscure artifacts that may still reside on their devices, most often without the users’ knowledge.

In a cybercrime or hacking investigation, it is imperative to first ascertain the extent of a compromise within an organization and then proceed with the wider scope of the investigation to determine responsibility for the compromise. It is not uncommon for an organization to go months or even years without detecting a compromised system after a breach has occurred. It is also not uncommon for the organization to learn of the compromise from a third party, such as a law enforcement agency or another organization doing its own investigation, rather than from its own internal scanning and monitoring devices.

Cybercrime cases can also take many different forms: an outside hacker accessing the corporate network to steal credit card information or to use the corporation’s computers as robots to attack other computers on the Internet; the head of IT intercepting and reading others’ emails or configuring the corporate servers to mine for Bitcoins after hours; or the disgruntled ex-employee who, because of weak controls, is sent a new password and begins deleting medical records or downloading an entire customer database.

Not all high-tech investigation matters necessarily involve crime, fraud or litigation. Many involve a system failure, negligence, natural disaster or other occurrence that affects an organization’s systems. Often, a root cause investigation is conducted to ascertain why the end result occurred, what can be done to remediate it, and what steps can be taken to mitigate the impact of such events in the future. It is not unheard of to recover data from burned file servers, or from hard drives that were submerged in water, intentionally erased, or even zapped in a microwave oven!

Typically, the need for forensic technology services involves some form of dispute: pending litigation, bankruptcy, fraud or white-collar crime, intellectual property theft, divorce, or employee misconduct. More often than not, the need is to analyze the contents of computers, cell phones, tablets, and storage media (hard drives, thumb drives, flash drives, etc.) to uncover evidence that could potentially be used in a legal matter.


The Art of Following the Dollar!

In one matter, an individual had received millions of dollars in business loans and hidden them in overseas banks. An analysis of the active files on his business computers yielded nothing. The recoverable deleted files were restored but also yielded nothing. Our professionals executed a number of searches across every bit of data on the hard drives looking for any type of lead: credit card numbers, phone numbers, account numbers, SWIFT codes, or routing numbers. In a forensic examination of the “unallocated space” on the hard drives (space that is not currently in use on the drive), we discovered traces leading to 5 bank accounts, identified by their routing numbers, in the Pacific island of Vanuatu. The files had not only been deleted years prior, but large portions of them had also been overwritten, leaving just pieces intact – but enough to know where to start looking for the missing money.

Oh Boy – I Lost all of the Files!

In another case, a county-level district attorney’s office was upgrading its evidence photo database to a newer version of the application software. This database contained photo evidence for both active and inactive criminal matters going back a number of years. The upgrade ended up overwriting all of the database’s content. Luckily, they had backup tapes. Not so lucky, however, was the fact that they had never tested their backups, and not one of them worked – not an uncommon phenomenon. By performing low-level analysis of the file structure on the hard drive, our professionals were able to manually piece the original files back together one by one and restore the photo evidence.

Trends & Developments - March 2016

Steven Konecny is a Director in the Forensic, Litigation and Valuation Services Group with experience as a high tech investigator and business consultant specializing in the utilization of information technology and information analysis.
