Thanks to TV shows such as CSI, most people are more familiar today than ever before about the importance of forensic investigations when it comes to crime scenes and criminal or civil court proceedings. Data or computer forensics is a broad term that encompasses not only the investigation of crimes committed using a computer, network, or the Internet but also the use of a computer in a way that violates a corporate policy or the investigation of certain types of security breaches. Each of these can lead to legal action, and all should be investigated with the utmost care. It is crucial that a system administrator (or other IT staff responsible for the initial or ongoing investigation) understand how to effectively investigate the affected computer(s).
While it makes perfect sense that very stringent examination procedures should be taken if you suspect a network security breach—such as someone compromising a workstation or file server within your network so that you can isolate the attacker, all compromised data, and the method of attack both to respond at a technical level and potentially a legal level, other investigations may seem less important.
Even a simple act of enforcing a company’s or school’s acceptable use policy should be done with appropriate methods to preserve evidence and document the investigation. Should you discover, for example, that a faculty member of a school has been accessing pornographic material and present this information to management, the result would likely be disciplinary measures or termination. If that teacher were to sue for wrongful dismissal, it would fall to the IT staff who initially found the prohibited content to produce sufficient evidence to link the faculty member to both the content and the computer on which it was found. If solid enough evidence isn’t presented, the school could end up having to pay significant damages to the terminated teacher.
If an actual crime has been committed, you should involve law enforcement as soon as you discover it. However, if your investigation until that point has tainted the evidence and doesn’t include sufficient solid documentation of your activities, an officer might tell you that it is impossible to build a legal case capable of convicting the perpetrator as a result of your attempts at investigation.
Basic Forensic Methodology
Regardless of whether a forensic investigation is being conducted under Mac OS X or another computing platform, there are certain basic rules and methods that need to be followed; the first is that you should avoid contaminating any potential evidence. In "real-world" forensics, this means wearing gloves to avoid leaving fingerprints or DNA at a crime scene. In the computing world, it means not booting or even mounting the computer’s hard drive on another computer. Any time a Mac OS X computer boots or mounts a hard drive, information on that drive is modified, thus contaminating your evidence.
You also need to ensure that you have solid and secure documentation of everything that you do in the course of an investigation. In crime dramas, a medical examiner is often shown doing this by noting his or her findings into a tape recorder during an autopsy. In a data investigation, you can use any number of methods, including hand-written notes, text files on a computer, or even a tape recorder. Ideally, you’ll want some method that provides time stamps of each note and that preserves your documentation from potential editing. There are some forensic tools that offer these features, but many help desk management solutions offer this as part of their feature set for creating case notes. Whatever method you use, be sure that your notes are as detailed as possible and that you notate every step in the process of your investigation.
As you gather evidence during your investigation, you’ll also want to document it and include detailed information and time stamps. For some pieces of evidence, such as log files, screenshots, or image files, you may be able to simply print them with a time stamp on the printed page—identifying each with a number or name that is also noted in your investigative notes, along with the details of what it is and where/how you found it. Many forensic tools offer you built-in methods for identifying and linking evidence as you uncover it.