DIGGING THROUGH YOUR DIGITAL PAST
Matt Bertsch, Manager of Digital Forensics at Novitas since 2012, is just back from a two-week conference in Florida.
The subject was DFIR, or Digital Forensics and Incident Response, his specialty. It was the kind of conference where hall monitors walk the rows of seated attendees, preventing them from whipping out their phones and taking pictures of the PowerPoint presentations. Everyone was given the PowerPoints on paper in a big binder, but the threat of digital proliferation was too great for the organizers. They wanted to protect their intellectual property.
Back at the mothership in Portland on Southwest Broadway, Bertsch was explaining why computer forensics have boomed in the last five years.
"The field has been around since computers have been used to commit crimes, but the way things are done and what they accept in court are fairly new."
It is common now in litigation for lawyers to request a digital copy or "image" be made of a particular person's phone or laptop hard drive. This is then studied by folks like Bertsch and his colleagues at Novitas, a company which until recently was best known for scanning mountains of paper legal documents to free up space in law firm basements.
Most people identify themselves as being part of the DFIR field, as in Digital Forensics and Incident Response.
"Digital Forensics is analyzing hard drives and emails, maybe investigating. Incident Response is when a network gets hacked or someone is suspected of stealing information and there's a machine that's live that has to be investigated."
Money has changed things.
"These days, when someone hacks into a network a lot more money's at stake," says Bertsch. "Back in 2001 there wasn't all the legislation that requires you to report certain information that was accessed."
The bigger law enforcement agencies do their own forensic work. Smaller police agencies might outsource it. Portland Police and the FBI both have their own forensics labs in Portland.
(A lot of what law enforcement deals with is child exploitation. It's usually illegal for a vendor firm like Novitas to work on that unless with an exception from a district or city attorney and in a law enforcement lab.)
Scott Stevens, Director of Business Development at Novitas, was previously at NTI. This firm was started by two former Treasury agents. Earlier in their careers the IRS, CID, ATF and Secret Service were all under Treasury, until Homeland Security was created after Sept. 11, 2001.
"They retired and realized they could take their expertise to the private sector and create software for local law enforcement investigations. After a year or two of that they realized a lot of law firms would pay for this for litigation."
They talk about a case in Portland that was fairly typical. An employee in the IT division left Columbia Sportswear for another IT firm. Before he did, he installed back doors so he could access Columbia's data, with the intent of getting his new firm first dibs on IT work. He got away with it for two years.
"It was not so much stealing information as gaining advantage over other suppliers," says Stevens.
He adds, "Columbia's IT team figured out who had gotten in, but the problem is whether things were done in a forensically sound manner so it would stand up in court."
Connected after hours
Forensic teams look at work patterns, such as when external drives are added to a laptop, or what's going on with email.
"People say or think 'I'm gonna suck all this data out, tomorrow I'm going to quit and work for a competitor.' [Forensics] could know the time, if that was connected after hours that helps make the case, it's not part of their job description..."
Bertsch explains that computers log all files being opened and closed and track USB devices and their volume.
"Windows tracks the size of your file in a window, how the files are sorted, and it will save a folder name that has been worked on and the path to the folder. Windows 10 just introduced a timeline feature that tracks just about everything you do. It's totally opt in, and most people will opt in because it's convenient, but it tracks a lot of stuff."
"Deleting a file in a computer is like deleting a page in a book by ripping out the table of contents," adds Stevens. "The file is still there; the operating system is just not telling you where it is. So, you have to have forensic software to find it."
And changing the name on a file is not going to fool someone like Bertsch.
"A lot of companies are requiring third party encryption on phones, like AirWatch for iOS. It depends on what kind of work is being done and who's paying for the phone. My own phone for work only requirement is it's PIN-code locked. Some companies require built-in encryption or third party that is controlled by their IT department. With the amount of work people do, phone, texts, social media, they've gone up in volume of use."
That means the files were written over, not merely had their directory entries removed with the data left behind. (Bertsch says smashing a hard drive with a hammer is still not totally safe, as scanning microscopes can be used to reconstruct the coded patterns once the pieces are reassembled. The only people who would do that, though, are deep-pocketed law enforcement or anti-terrorism agencies.)
"It's not like this guy's getting unemployment and it says on his Facebook he's working three other jobs. If you hit print screen on that, it's not enough, it needs to be done in a forensic way. The other side can say you have an axe to grind and you may have Photoshopped the image.
"Each file has a unique five-digit hash (a set of numbers derived from the contents of the file). If I can verify that two files have the same numerical hash, I know it's the same intellectual property." It's like a digital fingerprint.
In another case they saw an employee had backed up an entire work computer using Windows Backup to a drive of his own. "The attorneys got a court order to turn over all the devices that had been plugged in."
The punishment was not harsh. "His ex-company told him to delete it. That was part of the settlement." They wanted to make sure it was forensically deleted. "A lot of times companies aren't looking to sue you for a ton of money. It'd cost them money too. At that point it's how much his ex-employer wants to dig into every computer."
According to Stevens, professional forensics companies are needed to collect data so it is admissible in court.
"The forensic imaging maintains chain of custody, which is the crux of the investigation. That's your OJ Simpson. It doesn't matter what the data says, it matters how it was collected, if the other side can say 'Matt screwed up.' And even if it says mathematically there are all these hashes all over the place, if it's not collected it's the old bloody glove. Even though it had all three people's blood on it, there's only one way to make that happen...If you can poke a hole in the chain of custody, you can poke a hole in the whole case."
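The hash matching Bertsch describes, and the chain-of-custody check Stevens alludes to, both rest on the same operation: hashing a file's bytes, not its name. The following is an added example, not code from the article or from Novitas; it uses SHA-256 (one common choice, standing in for the article's "unique hash") and constructed sample files, showing that a renamed copy hashes identically, a one-character edit does not, and an evidence copy that is written to after acquisition no longer matches its recorded hash.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # read 1 MiB at a time so a large image never sits in memory


def file_hash(path, algo="sha256"):
    """Hash a file's contents; its name and path play no part in the result."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def same_content(path_a, path_b):
    """True when two files carry identical bytes, whatever they are called."""
    return file_hash(path_a) == file_hash(path_b)


def verify_acquisition(image_path, recorded_hash, algo="sha256"):
    """Chain-of-custody check: does the image still match the hash recorded
    at acquisition time?  Returns (ok, current_hash)."""
    current = file_hash(image_path, algo)
    return current == recorded_hash, current


def demo():
    # Constructed sample data standing in for a customer list and a disk image.
    with tempfile.TemporaryDirectory() as d:
        original = os.path.join(d, "customer_list.xlsx")
        renamed = os.path.join(d, "vacation_photos.dat")
        edited = os.path.join(d, "customer_list_v2.xlsx")
        payload = b"ACME customer list 2018\nAlice,alice@example.com\n"
        for p, data in ((original, payload), (renamed, payload),
                        (edited, payload.replace(b"Alice", b"Alyce"))):
            with open(p, "wb") as f:
                f.write(data)
        renamed_matches = same_content(original, renamed)  # name changed only
        edited_matches = same_content(original, edited)    # one character changed
        # Record the hash at acquisition, then re-verify before analysis.
        recorded = file_hash(original)
        ok_before, _ = verify_acquisition(original, recorded)
        with open(original, "ab") as f:
            f.write(b"\n")  # simulate an unintended write to the evidence copy
        ok_after, _ = verify_acquisition(original, recorded)
        return renamed_matches, edited_matches, ok_before, ok_after


if __name__ == "__main__":
    print(demo())  # (True, False, True, False)
```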
"Even social media collections also need to be done forensically," says Stevens.
They only mail devices by FedEx or UPS so they know where the device is at all times. Tools used for imaging drives include EnCase, FTK and X-Ways. For phones they use Cellebrite — AT&T has their machines in their stores for cloning SIM cards.
Apple and Google have been narrowing what you can get off a phone, encrypting more and more of the brain of the phone. "We always say here, security and convenience are always opposed," says Stevens.
A typical Mac has over a million files on it. "It's cheaper to review less, then you have to pay an attorney or law grad students less. So, the stipulation agreement might say 'Let us look at these three key words between these dates, and we will host a certain number of gigabytes of data.' We host it and the lawyers can access it, on any computer that hooks on to the Internet. If I say only show the things that have the word vacation in them, that'll be less time. If we collect six phones and a couple of computers that's more files than an army of humans could look through."
Steven T. Lovett, an attorney at Stoel Rives LLP, works on cases that involve computer forensics, often involving companies who compete against each other, and sometimes fight over intellectual property (IP) issues.
He says that searching a computer is more complex than it sounds.
"The forensic guys are very good at tracing a trail," Lovett told the Business Tribune. "They can be precise about what was done, they can see files and what was downloaded. That's what the judge is allowing you to do."
He says if a company is looking at an employee's personal cell phone, there is a reasonable expectation of privacy.
"They don't care about your romantic life or the pictures of your kids."
But if the phone is paid for by the company, "You have no reasonable expectation of privacy."
Just because someone uses a laptop at home that connects to the work server, via a service such as Citrix or a virtual private network, it doesn't give the employer an automatic right to search it. They have to have reason to believe the employee has downloaded some information to their home computer that they are forbidden to.
"Usually the company has no interest in thousands of emails from a user to his wife. We get laptops where the amount of data would take you months to review."
He says the law firm's job is to find search terms that get the right information: lawyers write the search terms, then negotiate over semantics and time.
They send the search terms to the vendor (such as Novitas) and have them run a search, just to see the number of hits.
"We might see a phrase and say this will turn up half a million hits, let's drop a word, narrow it down. You work it out with opposing counsel."
If one side seems to be withholding, the other can file a motion to compel, asking the judge to make them hand over more documents.
He's been a litigator for 30 years. "When I started there was no computer on my desk."
Discovery has changed. Digital documents have become voluminous. "People put things in an email they'd never put in a letter," he adds, pointing out that people often implicate themselves.
"What Novitas does is a critical piece of business litigation." Stoel Rives uses a database called Relativity into which they load everything they get in discovery to make it available to their lawyers so they can make notes. "You can cut (the data) any number of ways. The skill of a young litigator is developed early in the use of these tools."
He more often works on cases where two evenly matched firms are in a suit, rather than an employer versus an employee.
"Forensics have become a routine thing in high dollar business litigation. It costs money to do this."
He says having a local office to work with is ideal because there is still literal dropping off and picking up of phones, flash drives and hard drives.
According to an Orbis Research report in 2017, the global digital forensics market is estimated to grow from $2.39 billion in 2016 to $5.59 billion in 2022.
"Digital forensics or computer forensics deals with the activity of collecting, identifying, extracting and analyzing evidence from digital devices such as computers, laptops, hard disks etc. This type of forensics is being used in criminal and civil court cases. This technology is being used in the private sector for their internal investigations.
In recent years, these technologies were highly used to prosecute different types of crimes ranging from child pornography to credit card fraud. Cyber-attacks, industrial espionage, information security breaches, identity fraud, financial fraud and many other illegal activities leave a digital fingerprint which can be used by highly skilled investigators to trace the origin of the attack. The process of collection and extracting is a very delicate process. Highly specialized tools and techniques are used to take the data with a write blocker so as to not tamper with the evidence."
Type of Business: Litigation Support, Electronic Discovery & Computer Forensics
Number of FTE: 35
Annual Income: Undisclosed
Owners: Rob Oliver
Services: scanning, OCR, coding, Electronic Discovery/Data Hosting, Computer Forensics
Address: 615 S.W. Broadway, Suite 200, Portland