Archive for July, 2009

Free e-discovery seminar on Metadata

Friday, July 31st, 2009

Patrick Computer Forensics Inc. is offering a free electronic discovery / computer forensics seminar for attorneys and their staff in Memphis. This half-hour presentation is entitled “Metadata, what is it, and how does it win cases?” As well as explaining metadata in easy-to-understand terms, the seminar will show examples of sources of metadata and case studies where metadata was pivotal.

AccessData Certified Examiner now free (part 3)

Tuesday, July 21st, 2009

The devil is in the details.

As I indicated in a previous post on this issue, I expected that the ACE being free to obtain would somehow lead to a greater revenue stream for AccessData. Well, thanks to a post by “rayp” on the Forensic Focus forums, the revenue stream has become apparent. It seems you are required to do 2 AccessData training courses in the first year in order to keep your certification.

Now in order to keep my CFCE, I need to have a certain amount of training over 3 years, but I can receive this through any reputable training body, and even count time I spend training others so long as it’s only counted once per year.

Clearly the ACE is not actually free in the long term, but you weren’t really expecting that it would be, right?

Employee fraud – first response

Tuesday, July 7th, 2009

With the downturn in the economy, the foreclosures and the credit crunch, employee fraud, theft and general malfeasance are on the rise. If you don’t want to take my word for it, do a search on employee fraud rise and read a few of the results. I’ve been seeing these kinds of cases here in Memphis too.

What follows is practical advice about what to do when employee fraud happens in terms of preserving evidence for a later investigation and trial. Note that this is not legal advice. Hence the first thing to do is call your lawyer. The way it works in Tennessee is that forensic consultants are retained by a lawyer, not directly by the public, so your lawyer’s involvement is not optional.

Let’s start at the point where you discover your employee’s malfeasance.

Document your actions. Who, date/time, what, where.

Firstly, if that employee has a dedicated workstation, immediately remove that workstation from your network. If the workstation is turned off, DO NOT TURN IT ON. Take the computer box (you don’t need the monitor and cables) and place it in a locked room or cabinet. If it’s a notebook computer, keep the power cable with the computer.

If you turn on the computer, it’s like walking through a crime scene. You leave your own fingerprints and footprints everywhere, and you may accidentally walk all over your evidence and destroy some of it. Resist the urge to look yourself; you’ll only hurt your case later on. (Note that once forensic preservation has been done, you can look all you want.)

If the workstation is turned on, you’re going to need advice directly from a forensic computer expert, so contact us quickly. The permutations of how to deal with a live PC for forensics are too many to cover in this article.

Restrict that employee’s access to your computer network. If you have a central file server, or email server, these are potential sources of evidence and you don’t want your suspect employee trying to access them to cover their tracks.

If your employee has any portable computing devices owned by the company, e.g. a notebook computer, PDA, thumbdrive or mobile phone, take these back now and keep them with the workstation in the locked room/cabinet.

Check your backups. You are making regular backups of essential systems like your file server and your email server, right? Check to make sure these backups have been conducted, and put aside your backup tapes or drives. Do not do new backups over old ones after an incident, as you may inadvertently destroy evidence.

Get your system forensically preserved as soon as possible. Forensic imaging allows the preservation of all electronically stored evidence so that you can keep running your business. In situations like these, forensic preservation can be done out of hours to minimize disruption to your business.

Once your system has been forensically preserved, you can continue to do business, and decide on a course of action with your lawyer. A forensic examination on preserved evidence can be carried out weeks, even years after the preservation has been performed. If your case becomes a criminal issue, the forensic images can be turned over to law enforcement with a fully documented chain of custody, or your computer forensic expert can testify if the examination has already been performed.
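The “document your actions” step and the chain of custody mentioned above can be backed by a tamper-evident log. The sketch below is an added example, not part of the original post or of Patrick Computer Forensics' procedures: each who / date-time / what / where entry carries the hash of the previous one, so a later edit or deletion is detectable. The function names, people, places and timestamps are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first entry

def digest(entry):
    """SHA-256 over the entry's canonical JSON, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def record(log, when, who, what, where):
    """Append one who / date-time / what / where entry, chained to the previous one."""
    entry = {"seq": len(log) + 1, "when": when, "who": who, "what": what,
             "where": where, "prev_hash": log[-1]["hash"] if log else GENESIS}
    entry["hash"] = digest(entry)
    log.append(entry)
    return entry

def verify(log):
    """Return 0 if the chain is intact, else the position of the first bad entry."""
    prev = GENESIS
    for pos, entry in enumerate(log, start=1):
        if (entry["seq"] != pos or entry["prev_hash"] != prev
                or entry["hash"] != digest(entry)):
            return pos
        prev = entry["hash"]
    return 0

def sample_log():
    """Constructed entries that follow the steps in the post; all names are made up."""
    log = []
    record(log, "2009-07-07T09:15-05:00", "J. Smith (office manager)",
           "Unplugged workstation from network; it was powered off and left off",
           "Accounts office, desk 4")
    record(log, "2009-07-07T09:30-05:00", "J. Smith (office manager)",
           "Placed computer box in locked cabinet; key kept by J. Smith",
           "Storage room, cabinet B")
    record(log, "2009-07-07T09:40-05:00", "A. Jones (IT)",
           "Disabled the employee's network and email accounts",
           "File server and email server")
    record(log, "2009-07-07T10:05-05:00", "A. Jones (IT)",
           "Set aside existing backup tapes; no new backups written over them",
           "Storage room, cabinet B")
    return log

if __name__ == "__main__":
    log = sample_log()
    print(json.dumps(log, indent=2))
    print("first bad entry (0 = intact):", verify(log))
```

A chain like this only shows that the log has not changed since its last hash was computed, so passing the final hash to your lawyer at the time fixes the log's state as of that moment.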

4th of July – discount

Saturday, July 4th, 2009

Today, whilst contemplating the birthday of the USA, I recalled that today is also the 2nd anniversary of the first time I ever worked forensics in the US. For the 7 years before moving, I worked computer forensics for the Queensland Police Service in Australia, an agency with over 10,000 police officers and almost 3000 staff and responsible for an area bigger than Texas.

We had just moved over in June 07 to be closer to my wife’s family while her brother was serving in Iraq, and a friend I knew through IACIS needed someone available on short notice to do some work on the holiday. I had planned to go see the fireworks in Munford, but the opportunity to get back into the business was too good so I spent all day doing on-site acquisitions.

As a celebration both of our nation’s birthday and the 2nd anniversary of Patrick Computer Forensics (albeit unincorporated at that point) I’m offering a $100 discount on any forensic work retained in the next week. (Retainer and minimums apply, see the Rates page.)