Corporate versus Law Enforcement Concerns

incident

A threatening computer security breach that can be recovered from in a relatively short period of time.

The needs of the corporate world and those of law enforcement differ on several levels. Law enforcement officials work under more restrictive rules than corporate agents or employees. If you assist law enforcement in an investigation, you may be considered “an agent of law enforcement” and you may be bound by the same restrictions that they encounter. When working with law enforcement, it’s important to be aware of these ramifications, especially if you’re working without a court order. This scenario could also open you up to civil litigation when complying with such requests, so it’s always advisable to seek legal counsel. In the corporate world, all that is generally required to begin an investigation—to access servers, network systems, routers, and so forth—is the written approval of the corporate agent with the appropriate level of authority for such activities. On the other hand, law enforcement is subject to multiple laws regarding not only how but under what circumstances evidence can be seized. Often, forensic investigators working in law enforcement need a court order before they may examine computer systems, networks, routers, and so on. Face it: There is a big difference between a company deciding to log router traffic and a local or federal law enforcement officer asking the company to log the traffic.

incident response

The action taken to respond to a situation that can be recovered from relatively quickly.

Both law enforcement and corporate practitioners follow a set of best practices set forth by various agencies. For law enforcement, a set of best practices exists for electronic discovery and proper retrieval of data. The corporate world has also established best practices for security and best practices for determining what comprises an incident. These best practices inform incident response procedures, which describe how to react to an incident. Because disasters are usually of a larger magnitude, best practices for disaster recovery may affect both electronic discovery and retrieval of data. The focus of this book is to provide information that can be used in either discipline—corporate computer forensics or law enforcement computer forensics—and is not specifically aimed at law enforcement.

Corporate Concerns: Detection and Prevention

intrusion detection

Using software and hardware agents to monitor network traffic for patterns that may indicate an attempt at intrusion.

Every day new articles are written about network security and vulnerabilities in software and hardware. This visibility has caused security to become a priority in most companies. Corporate efforts to make sure a network is secure generally are focused on how to implement hardware and software solutions, such as intrusion detection, web filtering, spam elimination, and patch installation. The SQL Slammer worm infected 200,000 computers running Microsoft’s SQL Server. Ninety percent of all vulnerable servers were infected in the first 10 minutes after the worm was released on the Internet. Dealing with the threat of network damage through an intrusion or virus is a part of everyday life for corporate IT professionals, whereas forensic experts focus on the examination, analysis, and evaluation of computer data to provide relevant and valid information to the courts.

security policies

Specifications for a secure environment, including such items as physical security requirements, network security planning details, a detailed list of approved software, and human resources policies on employee hiring and dismissal.

Corporate focus is on minimizing the potential damage that may result from unauthorized access attempts through the prevention, detection, and identification of an unauthorized intrusion. This is done mainly by putting security policies in place that dictate the level of security for various areas and computers. Along with these policies, incident response and disaster recovery plans set forth procedures for investigations, including when, who, and how to contact law enforcement.

virus

A program or piece of code that is loaded onto a computer without the user’s knowledge and is designed to attach itself to other code and replicate. The virus replicates when an infected file is executed or launched.

Companies can access Web sites to find out about new vulnerabilities or security best practices. It is in the best interest of any company to assign someone to check this information on a regular basis to ensure that the network is protected.

You’ll find in many corporate environments that incidents are not reported, often due to the issue of legal liability. The “Let’s just quietly fix it” approach to security incidents is common in the corporate world. Some laws now hold senior management responsible for data breaches. A company is potentially liable for damages caused by a hacker’s using one of its computers, and a company might have to prove to a court that it took reasonable measures to defend itself from hackers.

worm

Similar in function and behavior to a virus, except that worms do not need user intervention. A worm takes advantage of a security hole in an existing application or operating system and then finds other systems running the same software and automatically replicates itself to the new hosts.

The following federal laws address security and privacy and affect nearly every organization in the United States.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted on August 21, 1996, to ensure the portability, privacy, and security of medical information. HIPAA dictates that only patients, agents they designate, and their health-care providers have access to the patients’ medical information. HIPAA requires that Patient Health Information (PHI) be kept private and secure. It imposes stiff fines and jail time both for health-care institutions and individuals who disclose confidential health information to unauthorized parties.

The Gramm-Leach-Bliley (GLB) Act requires financial institutions to ensure the security and confidentiality of the personal information that they collect. This includes information such as names, addresses, phone numbers, income, and Social Security numbers. Basically, financial institutions are required to secure customer records and information regardless of the size of the information files. Among other institutions, GLB covers check-cashing businesses, mortgage brokers, real estate appraisers, professional tax preparers, courier services, and retailers that issue credit cards to consumers.

The Sarbanes-Oxley Act, named for the two Congressmen who sponsored it, was passed to restore the public’s confidence in corporate governance by requiring chief executives of publicly traded companies to personally validate financial statements and other information. Congress passed the law to prevent future accounting scandals such as those committed by Enron and WorldCom. Under the law, executives who sign off on internal controls can face criminal penalties if a breach is detected. In other words, if someone can easily get into a secure or private part of your system because you use a three-character password such as “dog,” you will be noncompliant with Sarbanes-Oxley.

Compliance is becoming more important to businesses, which face an increasing number of laws and regulations that involve e-discovery obligations and data breach notification laws. For example, a new Massachusetts law protects residents’ personal data from breaches and sets a fine of $5,000 for each record lost. This means a company could be fined $1 million for losing a laptop computer containing personal data on 200 Massachusetts residents.

The new law applies to businesses in Massachusetts and to any company that keeps personal data on the state’s residents. The law requires companies to act to prevent breaches, not just to notify victims after a breach has occurred. Businesses must encrypt data in motion and at rest, including information on portable devices such as USB drives, laptop computers, and smartphones.

Often, a company that is the victim of a security breach does not know which law enforcement entity to call. Company management might feel that the local or state police will not be able to understand the crime and that the FBI and Secret Service are not needed. In addition, management might be afraid that the intrusion will become public knowledge, harming investor confidence and chasing away current and potential customers. They might also fear the effect of having critical data and computers seized by law enforcement.

An investigation can seriously jeopardize the normal operations of a company, not only for the customers but for employees as well. A disruption in the workplace causes confusion and upsets employee schedules. Furthermore, cases are often hard to pursue if a suspect is a juvenile or an intruder is from another country. In many states, the damages inflicted by an intruder are too small to justify prosecution. Last, pursuing such matters takes a long time and can be costly.

Note: Many businesses perceive that there is little benefit to reporting network intrusions.

Law Enforcement Concerns: Prosecution

Whereas the corporate world focuses on prevention and detection, the law enforcement realm focuses on investigation and prosecution. Each state has its own set of laws that govern how cases should be prosecuted. For cases to be prosecuted, evidence must be properly collected, processed, and preserved. In later chapters, we’ll go through these procedures. Technology has dramatically increased the universe of discoverable electronic material, thereby making the job of law enforcement much more complex. Electronic evidence can include any and all electronically stored information that is in digital, optical, or analog form. Not only does evidence include electronic data, it also includes electronic devices such as computers, CD-ROMs, floppy disks, cellular telephones, pagers, and digital cameras.

Real World Scenario: 22-Year-Old Tennessee Man Convicted for Hacking into Sarah Palin’s E-mail Account

On April 30, 2010, a federal jury in Tennessee convicted David C. Kernell, now 22, of intentionally obtaining unauthorized access to Sarah Palin’s e-mail account. Kernell, the son of a Tennessee state Representative, was also convicted of obstruction of justice. Kernell was found not guilty of wire fraud. The judge declared a mistrial on the identity theft charge because the jury was unable to reach a verdict on that charge. Kernell turned himself in to federal authorities.

Evidence presented at trial showed that on Sept. 16, 2008, Kernell accessed Palin’s personal e-mail account. He reset her account password by providing Palin’s birth date and zip code to Yahoo’s password retrieval system. According to the evidence, Kernell read the contents and captured screenshots of the e-mail directory, e-mail content, and other personal information. Kernell posted screenshots of Palin’s personal information and e-mail messages to a public Web site. Kernell also changed her password to a new one and posted the new password, allowing the account to be accessed by others.

Evidence also showed that after he became aware of a possible investigation by the FBI, Kernell deleted electronic evidence to obstruct the imminent FBI investigation. As of the writing of this book, Kernell’s sentencing is scheduled for late October 2010. Kernell faces a maximum of one year in prison and a $100,000 fine for unauthorized access as well as 20 years in prison and a $250,000 fine for obstruction of justice.

Source: U.S. Department of Justice, Federal Bureau of Investigation, Knoxville, http://knoxville.fbi.gov/dojpressrel/pressrel10/kx043010.htm

For a case to stand up in court, most evidence must be attested to by a witness. In the case of electronic evidence, who is the witness of a computer making a log entry? How can a law enforcement officer show that the other 15 accounts logged in at the time didn’t commit the deed? Despite the relative infancy of the law, electronic data is finding its way into the courtroom and is profoundly impacting many cases.

Courts are generally not persuaded by challenges to electronic data introduced at trial on grounds of authenticity, the best evidence rule, chain of custody, and so on. This type of issue has been brought up in court several times. A good example is United States v. Tank. The court addressed the question of the authentication of Internet chat room logs that were maintained by one of the co-defendants. The defendant claimed that the government did not have a sufficient foundation for the admission of the logs. The government provided evidence linking the screen name used by the defendant to the defendant. The government evidence also included testimony from one of the co-defendants about the method he used to create the logs and his recollection that the logs appeared to be an accurate representation of the conversations among the members. The court ruled in favor of the government, declaring that the government made a satisfactory showing of the relevance and authenticity of chat room log printouts.

With the increase of cybercrime, keeping up with caseloads has become nearly impossible. Department of Public Safety (DPS) crime lab personnel barely have time to answer the phone. How does law enforcement determine the priority of the complaints that they investigate and prosecute? Generally speaking, the following factors help determine which cases get priority:

The Amount of Harm Inflicted: Crimes against children or violent crimes usually get high priority, along with crimes that result in large monetary loss.

Crime Jurisdiction: Crimes that affect the local populace are usually chosen, especially when resources are taken into consideration.

Success of Investigation: The difficulty of investigation and success of the outcome weigh heavily in determining which cases are investigated.

Availability and Training of Personnel: Often crime investigations that don’t require a large amount of manpower or very specific training take precedence.

Frequency: Isolated instances take a lower priority than those that occur with regular frequency.

In addition, some associations offer help and guidance not only to law enforcement but also to the corporate world. The High Technology Crime Investigation Association (HTCIA) is one such organization. The national Web site, http://htcia.org, links to chapters throughout the world, which include information on local laws associated with computer crimes.
