Editor: Please give our readers an overview of computer forensics today.
Fehrman: In both criminal investigations and civil cases, personal computers, laptops, PDAs, cell phones and other electronic devices have become increasingly important as sources of evidence. Communications sent by email or files left on a computer can make or break a case. Computer forensics is the application of computer investigations and analysis techniques that gather credible evidence suitable for presentation in regulatory investigations, courts of law and other proceedings. From the beginning of a case until the end, the goal of computer forensics is to perform a thorough, structured investigation that retrieves hard to find and lost data.
Computer forensics must also maintain a documented chain of evidence to find out exactly what happened on a computer and who was responsible. The recovery of the digital "fingerprints" left by the routine use of computers and other electronic devices extends to even erased files utilizing various software and electronic forensic techniques to ensure all the evidence is available.
Editor: Please tell our readers about your background and the expertise of the incident response teams that you've put together.
Fehrman: While in the Marine Corp in the 1990s, I spent the first couple of years working as a systems administrator. During my last few years in the service, I focused on network security, which led me to computer forensics. After I left the Marine Corps, one of my former colleagues, who left the service a couple years earlier, encouraged me to join him at On Site. I worked two years as a systems administrator and network storage manager and then became On Site's director of IT.
Shortly after On Site was acquired by DocuForce, we started to put together a forensics division. It's been an exciting run to build something essentially from nothing, gathering resources and key players within the industry.
Our team members enjoy a great diversity of age, personal backgrounds and professional expertise. Some have 3 years experience while others have over 20 years. They include former National Security Agency, military, police department and sheriff's department personnel. Some have worked on theft of intellectual property and others on family law and investigation.
In response to a customer's request, our team members can get to any location in the U.S. within 12-18 hours and within 24-36 hours outside the country. I'm very proud of the mobile and incident response teams that we've built here.
Creating Electronic Evidence Labs makes On Site a one-stop shop solution offering everything from forensics, e-discovery, scanning, coding, online review and even digital printing. I think that sets us apart from a lot of the industry's other players.
Editor: How can computer forensics help win or lose a case?
Fehrman: It starts with the chain of custody making sure that you cross your t's and dot your i's. We recently imaged over 20 hard drives for a client in a day and a half. When you're dealing with the pressure of a fast turnaround, you have to be very careful not to make mistakes. This is a discipline in which you can't make a mistake now and ask for forgiveness later.
Unless the computer forensics expert follows standard protocols, he or she can lose a case for you. If the evidence is tainted or damaged, the alleged perpetrator will have no liability no matter how guilty he/she is. Whether it's a million dollar case or a hundred million dollar case, you need an expert who will properly handle the evidence.
Editor: Why are speed and accuracy so critical?
Fehrman: An investigation involving fraud and other allegations can have far reaching consequences on personal, as well as business, reputations. For example, the media recently reported on the indictment of the former CEO of a leading printing company.
For two years, Homeland Security's U.S. Immigration and Customs Enforcement division had been tracking down customers of a company in Minsk, Belarus, that distributed child pornography from its websites and handled credit-card payments for other such sites. The government's probe allegedly led to the former CEO because credit card records showed that he allegedly was buying subscriptions to the child-pornography websites using his company's PC and laptop.
During the government's coordination of its investigation with the company's IT department, someone allegedly warned the former CEO. The government alleges that the former CEO used a computer program to obliterate 12,000 files from his office PC and laptop.
Editor: What characteristics should a company look for in a computer forensics expert?
Fehrman: Excellent technical skills are only part of the package. A computer forensics expert must also have an open mind. Sometimes the evidence that you're looking for might not be there, and what the attorneys believe happened really didn't happen. We love to find what the client anticipates. There is no better rush for me than when I'm working on a case and I find the smoking gun, but sometimes it's just not there.
In addition, the expert must have experience and credibility. Without those two qualities, it doesn't really matter what follows.
The expert must be able to react immediately. While some cases will have a scheduled collection with plenty of advanced notice, many cases require the expert to go immediately to a distant location.
The ability to adapt and improvise is very important in the business. Many investigations are done covertly when employees are away from their office. The expert must be able to get in and out quickly without disrupting the employees' daily work routines.
Editor: What are a few of the hurdles of getting electronic evidence into a usable form?
Fehrman: The first hurdle is to find the evidence, whether it be on a CD, DVD or mainframe. The next hurdle is to image the computer and to extract the relevant data for processing. The prevalence of back up tapes and media expands the volume of data exponentially.
Timing issues add hurdles. The FCC, DOJ, other government agencies and litigators require that evidence be reviewed in very short amounts of time.
Other hurdles result because technology is advancing at such a rapid pace. Just 10 years ago, a 2-gigabyte hard drive was a large hard drive. Today, most home users have 80- and 120-gigabyte hard drives in their computer.
Editor: What are some of the services that can help litigators get their arms around the challenges?
Fehrman: No two cases are the same. One of our recent cases entailed 600 backup tapes, each containing documents that were also stored on either a server or e-mail. The 600 tapes produced over 6.5 terabytes of data, which came without a spreadsheet or other type of organization. It was like trying to put a puzzle together without seeing a picture of what it was supposed to look like when it was done. Before we started logging images into our system, we put together a game plan. If we hadn't made sure at the inception that we were logging everything in, by the time the case got halfway through, we would have had the time consuming and inconvenient task of going back and trying to find this or that tape or this or that exchange database that resided on it. Our attention to detail at the beginning made a much smoother end for us and our client.
Editor: How has electronic discovery been growing?
Fehrman: Four years ago we had one terabyte for the entire company's storage. Two years ago, we had 15 terabytes in our DC facility and 25 within the entire company. Last year, we were at 30 terabytes here in DC and 50 within the company. Today, we're at 75 terabytes here in DC and 150 company-wide. From one terabyte to 150 in just two years, we're growing hand over fist.
Two years ago, I would have told you that the boom would last three to five years. Today, looking at how data is growing exponentially, I don't see a downfall. I've talked to other experts in the industry, and everybody's busy right now.
Editor: In what area of Electronic Evidence Labs do you see particularly rapid growth?
Fehrman: The need for tape restoration has been growing enormously. The Morgan Stanley case was decided on not turning over backup tapes. That's a heavy price to pay for not turning over backup tapes.
Only a handful of providers in the U.S. can handle any cases that involve hundreds of tapes. One of our strong points here is that we have a state of the art lab with lots and lots of hard drive and internal storage space. Inside our Electronic Evidence Lab, we have more than 25 terabytes dedicated for restoration and extraction of data that then can be put on our live network. At any given time we are working on 500 and 1,000 tapes.
Editor: What industry trends do you anticipate in the next couple of years?
Fehrman: You're going to see a lot of the e-mail archiving on the front end. The automated archiving of e-mail and other data will vastly increase the speed at which data is collected and searched. It will also limit the amount of data processing for attorney review. Because the mail has already been archived, it will be available to be searched when the case comes up. The savings in time and cost will encourage everybody to rework how they are managing their electronic records. For the whole industry I see a very bright future.
Published September 1, 2005.