IT Forensics: From Black Art to Precision Science

Pasadena, California-based Guidance Software is perhaps the leading IT forensics software vendor, with the exception of the U.S. government. Its EnCase series of applications allows law enforcement and IT administrators to gather and analyze forensic data using a graphical user interface (GUI) — a far cry from previous DOS-based methods.

According to Robert Shields, Guidance’s senior director of marketing, EnCase’s marketing mix is presently 55 percent public and 45 percent private, and the fastest-growing segment is the private sector. Shields told the E-Commerce Times that 40 percent of Guidance’s private-sector customers are Fortune 1000 enterprises, while the remainder consist of Global 5000 companies and forensic consulting firms.

Jon Bair, Guidance’s senior director of development, joined the company after years spent working as a U.S. Army investigator and developing the protocols and tools used in military computer forensics. The E-Commerce Times recently spoke with Bair about the evolution of IT forensics and the challenges facing this fast-moving field.

E-Commerce Times: Please give us a little background about yourself, including your work as a U.S. Army investigator. Did you begin your IT forensics career in this capacity?

Jon Bair: I went into the Army as a military policeman and worked my way through that because I knew I wanted to do criminal investigations. I could see the future of investigations was fraud — economic crime — and so I moved into that field.

At the time, in the late ’90s, computer evidence forensics was really just coming into its own, and our laboratory was backed up about six months for computer forensics. The Army realized it needed to have a field forensics program, and I was selected. I was in the largest office the Army has for criminal investigations: Fort Hood, Texas.

I went to lieutenant training courses, selected the tools and created the first field computer forensics laboratory outside of the main lab for the U.S. Army.

ECT: Did you develop software while you were there?

Bair: I developed the protocols and [the] tools we would use. This was when the primary tools were all in DOS, and it was very time-consuming. It took an inordinate amount of time and different tools to do the work.

You couldn’t use Windows back then because, as soon as you turned on Windows, it changed the evidence. Guidance Software was the first company to have the ability to create the forensic evidence and then examine it in Windows with a graphical user interface. It took all these separate command-line tools, put them into one integrated utility — and made reporting really easy to do.

Computer forensics used to be a black art and an esoteric science that people were afraid of. Now it’s a mainstream part of investigations.

ECT: When did you switch over to the private sector, and what brought you to Guidance?

Bair: I came on board full-time in November 2001. I was running my laboratory in Texas, and I had been invited to teach at the Federal Law Enforcement Training Center, which is now run by the Department of Homeland Security (it used to be under the Department of Treasury) in Georgia, where all federal law enforcement agencies except the FBI and a few others are trained.

I went back there to teach computer forensics, and I met a part-time instructor who was a local law enforcement officer out here in California. He was teaching for Guidance Software part-time, and EnCase was being taught. He’s now the vice president of information technology and business systems here, and a lot of our senior-level folks in the entire training department are former law enforcement personnel.

I started working part-time for Guidance, then went full-time, working my way up from the training department. Last May I took over the development division.

ECT: What generally motivates people to purchase your solutions?

Bair: What we’ve seen a lot is that people will have an incident, and the first thing they’ll do is — if it’s a big crisis and they don’t have the capabilities to handle it — they will outsource to one of the large consulting firms. All the big consulting firms have forensic practices. It gets really expensive, and after a bit they get to the point where they decide, “This is something we need to bring in-house.”

In that case, we provide the training, the software and other expertise to set up their own internal investigation department. If there’s a crisis, oftentimes there is no way they can do it themselves. They will outsource it, and then, as needed, they’ll build their own capabilities.

ECT: When you say EnCase is a Windows-based solution, is it primarily a client-side application? What if you are running Windows on the desktop and Unix or Linux on the server?

Bair: When we say EnCase is Windows-based, that’s for the examination and reporting. Windows was chosen because it’s so prolific and so many people know how to use it. You’re able to examine evidence obtained from multiple sources — from servers running Unix, Linux or Macintosh; floppy drives; USB drives; CD-ROMs; from many different sources. Analysis is done on this platform that is very easy to use. People who enjoy it have the capability to use Linux to do forensics. However, people find learning how to use that operating system and its tools intimidating, and they are not as advanced and developed as they are on the Windows side.

ECT: Are EnCase Enterprise Edition and EnCase Forensics Edition complementary products?

Bair: Yes. The EnCase Forensics Edition is the platform that has been used and accepted by law enforcement. However, Forensics Edition requires you to conduct forensics locally — that is, you have to go to the infected computer physically, or the infected computer has to be taken offline and brought to you. And that is not an optimal solution for large businesses that have LANs, WANs or servers that they cannot take down even if there is a big intrusion.

As an example, a few weeks ago the FBI had to serve a warrant in Ohio, and they went to this business that was providing Internet chat servers, and they couldn’t locate the evidence they were looking for. So, they seized all the servers and took them back to the laboratory, and it’s going to take them many months to go through all that information, and the business is offline.

This used to be common practice a few years ago, and it’s very rare it occurs now because most businesses won’t allow this to occur. What the Enterprise Edition allows law enforcement to do is to go inside a crime scene and collect evidence without taking the business offline — without disrupting business operations, in a best-practices manner — and to use the forensics tools that are incorporated in the Forensics Edition.

The Enterprise Edition essentially has the same functionalities as the Forensics Edition, along with this additional functionality. These corporations can respond anywhere on their network instantly to [an] intrusion or alleged incident and get the data in RAM that, if you took the server offline, would be lost. You can see what Trojans are running and then also get the data off the hard drive as in traditional forensics.

ECT: How does real-life computer forensics differ from what you see on CSI?

Bair: In the first two seasons (I haven’t watched it really these past two seasons), they handled the original evidence each time they showed an episode, which we call a big “no-go” in the Army. That’s because handling the original evidence in that manner will alter or destroy the evidence so that it won’t be admissible.

We make EnCase very automated, but humans still have to look at the results and determine the relevance of it.

EnCase has a lot of power to work with different operating systems and what is called an “artifact.” To get what the user sees is very easy. It takes training and experience, though, through logging stuff and knowledge of the OS, making transactions that show you knew the file was there. You had possession, you made an affirmative act affecting it, which is oftentimes a legal requirement to show culpability and to prove in court. That requires more experience on where to go and what to look for [to] determine its relevance.
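The point Bair makes here and earlier in the interview (opening the original under Windows changes it; handling the original the way the TV show does makes it inadmissible) comes down to one discipline: acquire a copy once, record its hash at acquisition, and examine only the copy while re-verifying it against that hash. The following is an added illustration written for this article, not EnCase code or anything from Guidance; the file names and evidence bytes are constructed.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # stream 1 MiB at a time so a large image never has to fit in memory


def sha256_of(path):
    """Return the SHA-256 hex digest of a file, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def acquire_image(source, image):
    """Copy `source` byte-for-byte into `image`, opening the source read-only,
    and return the acquisition hash computed from the very bytes that were copied."""
    h = hashlib.sha256()
    with open(source, "rb") as src, open(image, "wb") as dst:
        for block in iter(lambda: src.read(CHUNK), b""):
            h.update(block)
            dst.write(block)
    return h.hexdigest()


def verify_image(image, acquisition_hash):
    """True if the image still matches the hash recorded at acquisition."""
    return sha256_of(image) == acquisition_hash


def demo():
    """Constructed walk-through. Returns (copy_verified, tampering_detected)."""
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "original.bin")        # constructed "evidence" device
        image = os.path.join(d, "original.image.bin")     # constructed working copy
        with open(original, "wb") as f:
            f.write(b"constructed evidence " * 5000)
        acq = acquire_image(original, image)
        # Both the copy and the untouched original must agree with the acquisition hash.
        copy_verified = verify_image(image, acq) and sha256_of(original) == acq
        # Simulate "handling the evidence" the CSI way: a single byte of the copy changes.
        with open(image, "r+b") as f:
            f.seek(10)
            f.write(b"X")
        # Re-verification now fails, which is exactly what makes the alteration visible.
        return copy_verified, not verify_image(image, acq)
```

The same re-verification is what an examiner repeats before every reporting step, so a report can state that the analysed copy is byte-identical to what was acquired.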

ECT: How important is the human element in IT forensics investigations using EnCase?

Bair: We make it as easy as it can be to cull through these billions of bytes of data. But no matter how smart you are, if you are not able to articulate what you have done to put into a readable report for the end user, it is not going to be effective.

ECT: What companies do you view as your primary competitors? How do you differentiate yourself from these competitors?

Bair: We compete with the federal government, which is always fun to do. The IRS criminal investigation division has purchased source code from a cop in England, and they distribute it free. It’s called ILook, and it’s for law enforcement only. There are a number of freeware tools, but ILook is the closest thing to being a comprehensive, Windows-based application, though we believe the features are inferior to ours.

ECT: How do you see EnCase evolving over the next several years?

Bair: Encryption is one of the biggest concerns people have with investigations, communications, e-mail and also with handheld devices, like handheld PCs, BlackBerries, cell phones, things of that nature. Also, [people have concerns about] new operating systems coming out, like Microsoft’s Longhorn, and others that are important to businesses, [like those used in] high-end servers for financial institutions. So those are the areas we are currently developing so that Enterprise and Forensics Editions of EnCase can support them in both the near- and long-term future.
