Ten years ago, computer forensics wasn’t taken seriously. But that was 10 years ago.
“With the ubiquity of computer-based devices in everyday use, forensic techniques are increasingly being applied to a broad range of digital media and equipment,” says #b#Rebecca Mercuri#/b#, a leading computer security and voting specialist based in Robbinsville. She is also the founder of Notable Software (www.notablesoftware.com), which provides expert witness support and laboratory forensics for court-related matters.
Mercuri will lead a hands-on workshop on Computer Forensics for Fun and Profit at the Conference Center at Mercer County Community College on Saturday, November 13, from 9 a.m. to 4 p.m. Cost is $125. For more information or to register, go to: https://princetonacm.acm.org/.
Computer forensics has evolved only in the last five or six years from an ad hoc pseudo-science into a recognized discipline with certified practitioners and guidelines pertaining to the conduct of their activities.
“People don’t realize the difference between information technology and computer forensics,” Mercuri says. “You’d call your IT technician for help if your hard drive crashed and you wanted to recover data. I’d help to gather evidence from your computer if, say, there was a suspected crime.”
Computer forensics experts can be called in for a broad range of issues such as class action suits; computer security and malware, including viruses, misuse of services, destruction of property; contraband, such as child pornography and other photographic, video or audio media; damage and claim evaluations; financial disputes and fiduciary ethics; intellectual property; and wrongful firing.
Forensic investigators can also be used to assess security breaches, copy and archive computer forensic materials or data, establish or determine chain of custody, recover and reconstruct deleted or damaged files, and work with impounded materials. “Computer forensics is not like going to a doctor in a murder case,” Mercuri says. “It is more like conducting an autopsy on the dead body.”
#b#Vulnerability#/b#. Company computers and other equipment can be vulnerable on several fronts. “An employee can quickly and easily remove voluminous proprietary files with a USB flash drive hidden in the palm of his hand,” Mercuri says.
Or an employee downloading child pornography on his company computer can cause his employer endless grief if the police get wind of it. The mere access of online child pornography can be illegal, especially if any illicit images were downloaded or left on the computer’s storage devices.
Authorities could come in with a warrant to examine all of a company’s computers to determine if any such images can be found — and deleting them doesn’t permanently erase them from the computer’s memory, Mercuri explains.
The company may not be at risk of criminal action. However, it can pay the price in the inconvenience through lost work time.
Mercuri, who grew up in Philadelphia, developed an interest in science from her father, who taught high school science for 41 years. But Mercuri also learned to love the fine arts from her mother, an English professor at Drexel University and the University of Pennsylvania.
“My parents would take me to the Franklin Institute, the Philadelphia Museum of Art, the Natural History Museum (in Philadelphia), and to hear Andres Segovia (the Spanish classical guitarist),” she says. “My dad would bring home robot kits sent to his school from Bell Labs.”
It was also the space age and Mercuri became an amateur radio operator. “I was exposed to all things while growing up. That’s how I got interested in engineering and computers. When I went off to college, computer forensics was not even on my radar.”
Mercuri would go on to earn five degrees. She began by concurrently pursuing her twin interests — she earned a bachelor’s in classical guitar from the University of the Arts in Philadelphia in 1977, followed by a bachelor’s in computer science from Pennsylvania State University in 1979. At Drexel she earned a master’s in computer science in 1989. The following year Mercuri obtained a second masters, in engineering, from Penn. She received her Ph.D. in computer and information science from the Penn in 2001.
Mercuri also earned an honorary alumna status at Harvard in 2005 by completing her post-doctoral research project, titled “Transparency and Trust in Computational Systems” at Radcliffe College. She also spent a post-doctoral year at Harvard and gave her doctoral dissertation, “Electronic Vote Tabulation: Checks & Balances,” just 11 days before the contested 2000 presidential election.
Based on her research, she was called to testify in the Florida case, where ballots were being challenged by the Democratic candidate Al Gore. Her testimony was cited in briefs presented to the U.S. Supreme Court (U.S. 1, November 15, 2000).
After her undergraduate years, Mercuri worked at the Sarnoff Research Center in for five years on various consumer electronics products, including personal computers and interactive videodiscs. As a consultant in the mid-1980s, Mercuri worked for numerous law firms and businesses, installing computers and designing custom databases.
One day the public defender in Trenton asked for her assistance in recovering lost data. Hence began a career in computer forensics. She incorporated Notable Software in 1999 and directed the business’ move into full-time computer forensics in 2005.
She notes that a company’s employees often use their work computer to commit a crime, such as downloading child pornography, dealing illegal drugs, or committing copyright violations or fraud.
Other times, problems enter a company’s computers uninvited. Mercuri offers some advice to companies regarding their hardware’s security.
#b#Don’t share#/b#. “I always tell companies the worst thing they can have is file sharing,” she says. “People think file sharing allows them to simply put stuff that they request on their computer.
But they are not aware that file sharing can permit users to inadvertently or deliberately download illegal content into a company’s computer.
File sharing is also vulnerable to remote attacks and illicit use through viruses, Trojans, and other malware.”
#b#Call a pro#/b#. Companies should turn to computer forensics professionals, not information technicians, when they suspect a computer contains evidence of wrongdoing, Mercuri says.
“I’m sure the IT people are nice, well-intentioned, and probably good at repairs,” she says. “However, a computer forensics expert knows how to safely retrieve or recover information on a computer.”
An information technician, for example, might first open the files to look for questionable or damning documents.
However, by doing so, he will inadvertently change the document date — which would likely negate the document’s connection with the suspected employee.
Scrutinize service contracts. Companies often turn over their computers to an outside technical support company for repairs without first reading the fine print of the service contract.
Some technical support companies will turn over to government authorities a client’s computers that are found to contain any questionable documents or files without first checking with the client.
“It’s unbelievable what companies will sometimes do,” Mercuri says. “You damn well must understand what your computer repair organization has detailed in the service agreement before signing it.”
Also, Mercuri urges companies to ensure that no sensitive information is accessible from a remote location.
And companies should be careful in determining which employees have access to sensitive information that can easily be stolen.
“That’s why companies shouldn’t allow people to log into their computers once they’ve been laid off,” she says. “They can steal or sabotage a company’s important data.” Companies should also safeguard and have a secure offsite backup for sensitive information.
“Some information that is especially sensitive, such as the recipe for Coke, should be protected so it can’t be removed by one person,” Mercuri says. “A smart company will secure that data in multiple locations that can be accessed only by multiple people, or employ multiple levels of passwords.”
In addition, many companies based in the Twin Towers paid a second price on 9/11 because they stored all their data there, Mercuri says. “Not only did they lose many employees, they also lost mounds of valuable, even irreplaceable, company data.”
Companies must examine their computer security to determine how to best protect themselves, she says. Their policies should cover not just employee computers, but also smart phones, cell phones, cameras, video equipment, and anything that can access and store data.
Meanwhile, companies are protected by laws mostly 30 to 40 years old, from a time before computers and the Internet were common to the workplace.
For example, it remains unsettled what is defined as a company’s intellectual property.
“It is a nightmare for companies today,” Mercuri says. “The technology has always been ahead of forensics, and forensics has always been ahead of the law.”
