IT forensic investigators peer into the minds of criminals

Westlake Village (CA) - The sheer number and volume of current storage devices can be tough for the average computer user to handle, but what about computer investigators that must look for criminal information? Criminals try to hide information on their 200 GByte harddrives and portable devices like an iPod or cellular phone, but computer forensic investigators can usually recover the data. Andy Spruill, Director of the Professional Services Division at Guidance Software, talked with TG Daily about past investigations and how he deals with the vast mountain of data.

Spruill's team is considered to be the forensic "SWAT team" and he usually takes cases that police departments cannot handle or when the original investigator needs a second opinion. He teaches computer forensic classes at Cal State Fullerton and is a Reserve Police Officer in Orange County California. Encase Software, made by Guidance, is of course his primary software tool.

Many of the cases that Spruill deals with in conjunction with his work at Guidance are business versus business fights and intellectual property theft crimes. He recounts an interesting case where two Japanese companies sued each other over a stolen soup recipe. The companies often will fight for lost prestige, but also over millions, even billions in lost revenue. For the case, the team used Encase's native language search to look for Japanese keywords on the seized harddrives. "The examiners didn't even speak or read Japanese and there was a translator sitting behind them," says Spruill. It was discovered that one of the companies in fact did steal the recipe.
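The native-language search described above only works if the examiner accounts for how the keyword was stored on disk: the same Japanese word is a different byte pattern in UTF-8, UTF-16 (what Word and Windows commonly use), Shift_JIS and EUC-JP, so a single-encoding string search silently misses two thirds of the hits. The following is an added example written for this page, not code from the article or from Guidance Software's EnCase; the "disk image" is a constructed byte buffer and the keyword, offsets and encoding list are assumptions chosen to illustrate the point.

```python
"""Multi-encoding keyword search over a raw byte buffer.

Added example; not code from the article or from EnCase. A 'native language'
search has to try each code page a document might have used, because the
same Japanese word is a different byte pattern in UTF-8, UTF-16-LE, Shift_JIS
and EUC-JP. The disk image below is constructed for this demonstration.
"""
from typing import Dict, List, Tuple

# Code pages a Japanese-language document on a seized drive is likely to use (assumed list).
ENCODINGS = ("utf-8", "utf-16-le", "shift_jis", "euc-jp")


def encode_variants(keyword: str, encodings=ENCODINGS) -> Dict[str, bytes]:
    """Return the byte pattern of `keyword` under each encoding that can represent it."""
    variants = {}
    for enc in encodings:
        try:
            variants[enc] = keyword.encode(enc)
        except UnicodeEncodeError:
            continue  # this code page cannot represent the word; nothing to search for
    return variants


def find_all(haystack: bytes, needle: bytes) -> List[int]:
    """All byte offsets (overlaps allowed) at which `needle` occurs in `haystack`."""
    hits = []
    start = 0
    while True:
        idx = haystack.find(needle, start)
        if idx < 0:
            return hits
        hits.append(idx)
        start = idx + 1


def search_image(image: bytes, keyword: str) -> List[Tuple[int, str]]:
    """Search `image` for `keyword` in every encoding; return (offset, encoding) sorted by offset."""
    results = []
    for enc, pattern in encode_variants(keyword).items():
        for off in find_all(image, pattern):
            results.append((off, enc))
    return sorted(results)


def summarize(image: bytes, keyword: str) -> Dict[str, int]:
    """Number of hits per encoding, so the examiner sees which code pages the suspect's files used."""
    counts: Dict[str, int] = {}
    for _, enc in search_image(image, keyword):
        counts[enc] = counts.get(enc, 0) + 1
    return counts


# Constructed "disk image": fragments of three documents that each stored the
# word 'レシピ' (recipe) in a different code page, separated by filler bytes.
KEYWORD = "レシピ"
CONSTRUCTED_IMAGE = (
    b"\x00" * 16
    + "スープの".encode("shift_jis") + KEYWORD.encode("shift_jis")  # Shift_JIS text file
    + b"\xff" * 8
    + KEYWORD.encode("utf-16-le")                                  # UTF-16 (Word-style) text
    + b"filler"
    + ("秘密の" + KEYWORD).encode("utf-8")                          # UTF-8 web page
)

if __name__ == "__main__":
    for off, enc in search_image(CONSTRUCTED_IMAGE, KEYWORD):
        print(f"offset {off:5d}  encoding {enc}")
    print(summarize(CONSTRUCTED_IMAGE, KEYWORD))
```

Run stand-alone, the script reports one hit per code page; a search that only tried UTF-8 would have found the web page fragment and nothing else. On a real image the examiner would also run the search over unallocated space and slack, since deleted documents keep their original encoding.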

While there is no typical case, many involve seizing and scanning computers from both households and business buildings. Spruill told us that one to five systems are usually taken from a household, but business seizures are much larger, and he once had to scan 5000 machines in two and a half weeks. With such a massive volume of computers and storage space to search, Spruill tells other examiners to focus and not to use a "shotgun approach".

According to Spruill, increasing harddrive capacities have definitely changed the forensic landscape. "There is no comparison between cases today and three years ago. Back then a computer had about 40 GBytes, now you see at least 200 GByte drives," says Spruill. One TByte RAID arrays are commonly seen by Spruill and sometimes he has to grab much more.

External hard-drives and personal devices like iPods, PDAs, cellular phones and cameras are also commonly found. In fact, Spruill worked on a case where a major gaming company lost some of their source-code for an upcoming game. It turns out that the code was smuggled out of the building on an Apple iPod, which Spruill adds, "is nothing more than a harddrive."

According to Spruill, these days anything can be a storage device and it's hard for investigators to keep up with new devices. "This is hard enough for us tech guys [to keep up with new gear], but the poor cops out there have a really rough time," says Spruill. He tells his forensic students and fellow cops "not to look for devices, but to look for the USB or Firewire connector and grab the wire and everything connected to it." He adds that a stuffed mouse, watch or even a Swiss Army Knife could have built-in flash memory.

So what exactly does Spruill look for in an examination? Email is obviously a treasure trove of information, but Spruill told us that webmail is also important. "People seem to think that webmail is private. That is the worst thing," says Spruill. Coming in second are the items in the browser cache such as web pages, graphics and cookies. In addition, most people like taking personal notes in notepad and Microsoft Word, which he considers another great source of information.

In one case, a legal firm wanted Spruill and his team to discover why a certain employee had much lower productivity than his peers. Using the Encase software, a spreadsheet was built that compared the level of activity on Office documents and work-related websites against the amount of time spent on non-work sites. Spruill looked at the open, modified and close timestamps of Word documents and Excel spreadsheets. He also recovered the timestamps of sent and received emails. While this may seem like a lot of work, Spruill says, "This was a legal firm, so they were covering their bases."
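The productivity review above is a timeline-analysis problem: document open/close timestamps, e-mail timestamps and browser history are normalised into one stream of time spans, each span is classified as work or non-work, and the result is totalled per day. The block below is an added example written for this page, not code from the article or from EnCase. Every record in it is constructed, and the classification rules (an Office file under a "Matters" folder counts as work, a short allow-list of work domains, a 10-minute cap on the time credited to any single page visit) are assumptions that a real engagement would replace with the firm's own policy.

```python
"""Build a per-day work/non-work activity summary from document timestamps,
e-mail timestamps and browser history.

Added example; not code from the article or from EnCase. All records, domain
lists and classification rules below are constructed for this demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Assumed: a single page visit is credited at most this much time (common sessionisation rule).
WEB_DWELL_CAP = timedelta(minutes=10)

# Assumed allow-list standing in for the firm's own list of work sites.
WORK_DOMAINS = {"intranet.example-firm.test", "caselaw.example.test"}


class Span(NamedTuple):
    start: datetime
    end: datetime
    source: str   # "doc" or "web"
    detail: str   # file path or URL
    work: bool


def host_of(url: str) -> str:
    """Host part of a URL, lower-cased (good enough for http://host/path style history entries)."""
    return url.split("//", 1)[-1].split("/", 1)[0].lower()


def classify_url(url: str) -> bool:
    """True for a known work site; unknown hosts count as non-work in this constructed rule."""
    return host_of(url) in WORK_DOMAINS


def doc_spans(records: List[Tuple[str, datetime, datetime]]) -> List[Span]:
    """records: (path, opened, closed). Time in a document is its open->close window."""
    return [
        Span(opened, closed, "doc", path, path.lower().startswith("c:\\matters\\"))
        for path, opened, closed in records
    ]


def web_spans(history: List[Tuple[str, datetime]]) -> List[Span]:
    """history: (url, visited). Dwell = gap to the next visit, capped; the last visit gets the cap."""
    visits = sorted(history, key=lambda v: v[1])
    out = []
    for i, (url, ts) in enumerate(visits):
        dwell = min(visits[i + 1][1] - ts, WEB_DWELL_CAP) if i + 1 < len(visits) else WEB_DWELL_CAP
        out.append(Span(ts, ts + dwell, "web", url, classify_url(url)))
    return out


def daily_summary(spans: List[Span], mail: List[Tuple[str, datetime]]) -> Dict[str, Dict[str, float]]:
    """Minutes of work and non-work activity per calendar day, plus e-mail count and non-work share."""
    days: Dict[str, Dict[str, float]] = defaultdict(lambda: {"work_min": 0.0, "nonwork_min": 0.0, "mail": 0})
    for s in spans:
        minutes = (s.end - s.start).total_seconds() / 60
        days[s.start.date().isoformat()]["work_min" if s.work else "nonwork_min"] += minutes
    for _, ts in mail:
        days[ts.date().isoformat()]["mail"] += 1
    for d in days.values():
        total = d["work_min"] + d["nonwork_min"]
        d["nonwork_share"] = round(d["nonwork_min"] / total, 2) if total else 0.0
    return dict(days)


def t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed evidence for two days of one employee's activity.
DOCS = [
    ("C:\\Matters\\Acme\\brief.doc", t("2006-03-06 09:05"), t("2006-03-06 10:35")),   # 90 min, work
    ("C:\\Users\\jdoe\\resume.doc", t("2006-03-06 13:00"), t("2006-03-06 13:40")),   # 40 min, non-work
    ("C:\\Matters\\Acme\\hours.xls", t("2006-03-07 09:00"), t("2006-03-07 09:30")),   # 30 min, work
]
WEB = [
    ("http://intranet.example-firm.test/docket", t("2006-03-06 11:00")),   # 5 min to next visit
    ("http://video.example.test/clips", t("2006-03-06 11:05")),            # capped at 10 min
    ("http://shop.example.test/cart", t("2006-03-06 11:20")),              # capped at 10 min
    ("http://video.example.test/more", t("2006-03-06 14:00")),             # capped at 10 min
    ("http://caselaw.example.test/search", t("2006-03-07 10:00")),         # last visit: cap
]
MAIL = [
    ("Re: Acme brief", t("2006-03-06 09:30")),
    ("Lunch?", t("2006-03-06 12:10")),
    ("Re: Re: Acme brief", t("2006-03-06 16:45")),
    ("Timesheet", t("2006-03-07 09:40")),
]


def run_case() -> Dict[str, Dict[str, float]]:
    return daily_summary(doc_spans(DOCS) + web_spans(WEB), MAIL)


if __name__ == "__main__":
    for day, d in sorted(run_case().items()):
        print(f"{day}: work {d['work_min']:.0f} min, non-work {d['nonwork_min']:.0f} min, "
              f"{d['mail']} e-mails, non-work share {d['nonwork_share']:.0%}")
```

The output is the same kind of table the article describes, built from the same three sources (Office timestamps, e-mail timestamps, browsing), and the assumptions that drive it (dwell cap, domain lists, folder rule) are isolated at the top so they can be defended or changed when the report is challenged.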

A computer examiner often has to think like the computer owner as they investigate the harddrive. "You look into that person's mind when you are investigating," says Spruill. He can usually tell if the owner is male or female just by looking at the contents of the Internet Cache. Many people have a list of websites that they check within the first few minutes of turning on the computer - that combined with shopping and even porn sites can easily give away the gender.

We asked Spruill if anyone he has investigated has ever used harddrive erasing tools. He said that he had come across such programs, but has yet to find one that actually worked: "It will absolutely make my job harder, but I have yet to find one that doesn't leave something behind," says Spruill. There have even been cases where criminals forgot to delete the erasing tool itself, and Spruill adds, "Just the fact that they had it there doesn't look good in court."

Spruill believes that computer forensics is a great mix of computers and law enforcement and says, "You get to be a tech and a cop at the same time." The technical aspects can be learned quickly, but he warned that learning how to deal with lawyers may take a while. "Eventually, that is what you are getting big bucks to be able to testify and defend your findings and opinions in court," says Spruill.