Computer forensics has come along way since the phrase was first coined. The article below covers some of the general jobs in computer forensics, while the roles in computer forensics are discussed in this article.
Traditionally it was the recovery of lost and deleted file, in essence it was data recovery – at a very detailed level. Then it moved into what most people think of computer forensics as, the investigation of hard drives and computers, who did what and when. For a long time the police drove the market, and anybody who went on an EnCase course in the past 10 years would attest to that. The training and the tools, were all about police work, the vast majority of which is investigating child pornography. Police were investigating home computers (in general), with suspects using Hotmail, AOL, and Yahoo!. This has its own problem’s such as obtaining evidence from web servers based in the US
However, while the police were developing in these skill sets the civil sector was growing, and rapidly. Computer forensics was not about if a person looked at a child abuse picture, which can be relatively easy to demonstrate (technically), but looking at groups of individuals in a corporate environment taking company secrets.
This meant that the civil investigator had to c0llect all of the evidence, without legal powers, and work out where the data is stored, before it can even be investigated. Is it on the desktop, the laptop, the blackberry, or the email server? Or is it on the backup tapes, or the proxy server held in their US offices?
The client needs the result quickly, and they will pay for it, but how are you going to search all of those emails? EnCase, historically, was no good at email analysis, but DTSearch was. Indexing emails, which only just started in EnCase 6, and will probably not work until EnCase 7, has been happening in the civil industry for over a decade. FTK 1 has also handled emails for a very long time, something often over looked by those dismissing FTK 2 (this site included).
The dawn of Electronic Discovery
While computer forensics stepped into 2 different skills sets, corporate and criminal, the lawyers were dealing with a far bigger problem. They were not investigating 1, 2 or even 10 people at a time, they were investigating entire companies. They needed to look at millions of documents, and forensics simply would not cut the mustard. As the volumes of email exploded, there became a demand for lawyers to be able to search, filter, de-duplicate, cull and review this huge amount of data.
So, as the 21st century started so did Electronic Discovery. For the past 5 years those in electronic discovery industry have been doing what the computer forensics industry will be able to do in the next 5 years. Deal with huge volumes of email data, search it, and mark what is relevant quickly and easily, through a review platform.
But electronic discovery is a multi-billion dollar business, and the revenue of a computer forensics company pales in comparison to that of a giant electronic discovery company. As a result the research and development in the electronic discovery industry has produce a phenomenal tool set.
Concept searching, clustering, automatic redaction, near de-duplication, keyword searching audio files and language recognition, these are just some of the skill sets in the electronic discovery world. But even this technology is not enough and where the money is the technology will follow.
If a multinational company has a suspected fraud, how is that going to be investigated? Simply running EnCase is not going to help; which of the 100,000 employees computers would you run it on? Which of the thousands of real and virtual servers would you investigate? Even if you did know which, can EnCase handle SAP? Collection and review of the millions of emails may be a start, but is unlikely to find what is required.
The only way to investigate the fraud is to look at the money trail, that means collecting all of the data from all the different databases, accounts payable, invoices, pay role, in different formats, SAP, SQL, Access, Oracle (because no company uses just one type of database,) then converting all of those different databases into a common database.
Once that common format has been created, complex queries can be ran to look for information, e.g. double entries, invoices for contractors going to the same address as employees, shipment for products to the same address as employed contractors, etc.
This brave new world is the area known as data analytics and will more often than not involve forensic accountants rather than computer forensics specalists, but it is still the investigation of data, and it is at the forefront of modern IT investigations.