Law Firm Techs

Portrait Of A Computer Forensic Examiner

While data can be recovered from any computer, expert Ives Potrafka believes that corporate IT departments have far less control over what happens on PCs used for work.

By Thomas Claburn,  InformationWeek
Ives Potrafka, a forensic examiner with the Center for Computer Forensics, sees a lot of data theft. Those responsible tend to be ex-employees, either starting up a company while employed or going to a competitor and taking trade secrets.

According to Potrafka, when insiders steal corporate data, they tend to do it via noncorporate e-mail accounts or using external storage media.

Potrafka spent four years as a Special Agent, Computer Forensic Examiner, and Internet Investigator in the High Tech Crime Unit in Michigan Attorney General’s Office, and served as a law enforcement officer for 24 years. “Certainly, hacks take place. … Those are the ones that makes the papers,” he says. “But it’s more common that it’s insider-related and employee-related.”

Nowadays, Potrafka tends to work for clients in civil actions, though he still works on the occasional criminal case. A lot of his work involves e-mail analysis and keyword searches.

“A few years ago, we did a case for a major banking corporation where the president of the corporation and the majority of the staff, all within a two-to-three day period, resigned and went to another bank,” he said. “We got a call on a Saturday from IT at the bank asking us to come look at some computers at the bank on Monday. Rather than wait until Monday, we came in on Saturday night and started looking at them and by Monday morning, we had found out that the president plugged in an external hard drive to his computer two days before he resigned.”

The bank’s attorneys then filed a legal demand to see that hard drive, Potrafka said. When they received it, they found stolen files.

Encryption can be an issue, but it isn’t a common problem. “If a file is truly encrypted, without the key, you’re not looking at it,” Potrafka said. “But very honestly, we don’t see much of it.”

Potrafka participated in a homicide investigation several years ago in which he was asked to construct a timeline that showed when a murder victim had been using her computer.

“It was a case where the husband came over and killed his ex-wife,” he said. “She had been connected to America Online. And the America Online records showed she was online the entire time, from like 8:00 p.m. or 9:00 p.m. until 7:50 am the next morning, when her son found her deceased. We were asked to look at the computer and show when she was really using it. …Working with Microsoft and America Online, we were able to show that she stopped using the computer about 10:50 p.m., which is about her estimated time of death. It kind of blew a hole in the husband’s defense.” Potrafka was also involved in industrial espionage case involving the sale of trade secrets to China.

“We were asked to analyze an engineer’s laptop computer and desktop computer and his PDA,” he said. “We were able to show where he had been taking trade secrets out of the country, actually, and selling them to China.”

Potrafka said he sees a lot of trade secret theft. Such cases, he said, often involve fired or departing employees who take contact lists, price lists, or plans when they leave. He said he works closely with clients to encourage them to preserve their data, because bringing in new employees to work on the same computer as someone who just left the company overwrites what the former user of the computer was doing.

The blurring of boundaries between work and home life poses a problem for forensic investigations, Potrafka said. While data can be recovered from any computer, corporate IT departments have far less control over what happens on personal computer equipment that’s used for work. “When the sales manager leaves and he has been working at home, it’s not so easy for IT to go and look at his home computer,” he said.

The ideal scenario from an IT perspective, Potrafka said, is for companies to provide and own the equipment that workers use at home.

Investigating Windows machines is the easiest, said Potrafka, because more tools have been developed for Windows forensics. “When you’re getting into the Apple Macintosh world and the Linux world, the investigations become more complex,” he said.

Major forensic software packages include EnCase Forensic (Windows, Linux, AIX, OS X, Solaris), Forensic ToolKit (Windows), MacForensicLab (Mac OS X, Linux, Windows), and Blackbag Technologies (Mac OS X), to name a few.

So what should you do if you think your company’s security has been breached? InformationWeek has published an independent analysis on the topic. Download the report here (registration required).

Posted by Andrew Conry-Murray, Sep 26, 2008 03:46 PM 
While technological challenges abound in e-discovery, IT’s biggest hurdle may be getting in-house attorneys to meet them half way.

On the TV show Alias, field agent Sydney Bristow always worked closely uber-geek Marshall Flinkman, who augmented her talents for disguise and ass-kicking with gadgets and hacking tips.

I’d always imagined that IT and in-house attorneys would have a similarly close relationship when it comes to electronic discovery. After all, IT has the technical skills to find and produce the electronic evidence that the attorneys rely on to prosecute or defend a case.

Turns out that just like Alias, my picture of this relationship was fiction.

Earlier this week I spoke with an IT professional at a large U.S. utility company whose job is to facilitate e-discovery efforts between IT and the legal department. Her job is to collect information from custodians and get it to the attorneys.

This year alone she’s collected evidence in 10 to 15 matters, and has worked on many other cases that haven’t required production of evidence.

But when I asked her if there was a close-knit relationship between IT and legal, she said “It’s the Grand Canyon.”

“They are intelligent people,” she says of her counterparts in the counsel’s office, “but the frame of mind they have is computers aren’t something they need to think about. Once you start talking about the technical side, they get that look in their eyes like ‘I don’t know what you’re talking about.’”

That’s a shame because IT must also rely on the expertise of the legal folks to ensure they are properly collecting and preserving information.

For instance, this IT expert manages the practice of self-collection, in which custodians gather up relevant information. But self-collection can also be fraught with danger. Custodians may overlook critical information, or hide or destroy it to protect themselves. More likely, they may alter critical metadata in the collection process — something that opposing counsel or a prickly judge could raise hell about.

The IT pro says that if IT and legal were more tightly coupled, they could work together to address such problems. “They would know more about this stuff and understand the need at the beginning to say ‘Here’s why self collection is inadequate, here’s the precedents why.’” From there, IT could find the right tools for the job to meet appropriate legal standards.

If your organization is involved in legal discovery, do IT and legal team up like super spies, or are they separated by a wide gulf? Let us know.

Ogilvy (advertising firm) Gets More Efficient At Moving Huge Files
Ogilvy & Mather Worldwide is highly dependent on its ability to quickly move large digital files around the world, so the advertising and marketing company’s IT group introduced Web Transporter 1.0, a desktop digital asset transfer and distribution system. People drag and drop assets onto the Transporter, which delivers the assets in the background, up to a file size of 20 GB. Web Transporter automatically reads off a centralized rules engine and follows full business continuity rules, with meta information from these assets residing in more than one location on the Transporter grid.

Web Transporter ensures that each asset is given a digital fingerprint; if the system recognizes an exact match on the grid database, the file won’t upload, thus saving valuable computing resources and bandwidth. The system instead generates a URL based on the existence of the file already online.

Morrison & Foerster Makes The Most Out Of E-Mail
Law firm Morrison & Foerster takes e-mail seriously. A core part of its business operations is to ensure that all client-related messages are accurately recorded. To that end, Morrison integrated a records management system, called MailMaster, into its Outlook e-mail system. With MailMaster, messages put into an Outlook folder are automatically copied into the firm’s records management system. MailMaster solved a risk management problem and also put Morrison in compliance with records management policies and expectations. MailMaster has automatically filed more than 5 million messages, bringing a notable reduction in requests for manual assistance in correspondence gathering and retrieval.