The investigator should look around the suspect’s work area for documents that may provide a clue to the proper user name and password combination. The investigator should also check desk drawers and rolodexes to find names of acquaintances and friends, for example. It is possible to compel a suspect to provide access information. The following cases set a precedence for ordering a suspect, whose computer was in the possession of law enforcement, to divulge password or decryption key:

•  Fisher v. U.S. (1976), 425 U.S. 391, 48 LED2 39.

•  U.S. v. Doe (1983), 465 U.S. 605, 79 LED2d 552.

•  Doe v. U.S. (1988), 487 U.S. 201, 101 LED2d 184.

•  People v. Sanchez (1994) 24 CA4 1012.

The caveat is that the suspect might use this opportunity to command the destruction of potential evidence. The last resort may be for the investigator to hack the system, which can be done as follows:

•  Search for passwords written down.

•  Try words, names, or numbers that are related to the suspect.

•  Call the software vendor and request their assistance (some vendors may charge for this).

•  Try to use password-cracking programs that are readily available on the net.

•  Try a brute force or dictionary attack.

Searching Access Controlled Systems and Encrypted Files

During a search, an investigator may be confronted with a system that is secured physically or logically. Some physical security devices such as CPU key locks prevent only a minor obstacle, whereas other types of physical access control systems may be harder to break.

Logical access control systems may pose a more challenging problem. The analyst may be confronted with a software security program that requires a unique user name and password. Some of these systems can be simply bypassed by entering a Control-C or some other interrupt command. The analyst must be cautious that any of these commands may invoke a Trojan horse routine that may destroy the contents of the disk. A set of “password cracker” programs should be part of the forensic toolkit. The analyst can always try to contact the publisher of the software program in an effort to gain access. Most security program publishers leave a back door to enter their systems.

Steganography

One final note on computer forensics involves steganography, which is the art of hiding communications. Unlike encryption, which uses an algorithm and a seed value to scramble or encode a message to make it unreadable, steganography makes the communication invisible. This takes concealment to the next level: that is, to deny that the message even exists. If a forensic analyst were to look at an encrypted file, it would be obvious that some type of cipher process had been used. It is even possible to determine what type of encryption process was used to encrypt the file, based on a unique signature. However, steganography hides data and messages in a variety of picture files, sound files, and even slack space on floppy diskettes. Even the most trained security specialist or forensic analyst may miss this type of concealment during a forensic review.

Steganography simply takes one piece of information and hides it within another. Computer files, such as images, sound recordings, and slack space contain unused or insignificant areas of data. For example, the least significant bits of a bitmap image can be used to hide messages, usually without any material change in the original file. Only through a direct, visual comparison of the original and processed image can the analyst detect the possible use of steganography. Because many times the suspect system only stores the processed image, the analyst has nothing to use as a comparison and generally has no way to tell that the image in question contains hidden data.

LEGAL PROCEEDINGS

The victim and the investigative team must understand the full effect of their decision to prosecute. The postincident legal proceedings generally result in additional cost to the victim until the outcome of the case, at which time they may be reimbursed.

Discovery and Protective Orders

Discovery is the process whereby the prosecution provides all investigative reports, information on evidence, list of potential witnesses, any criminal history of witnesses, and any other information except how they are going to present the case to the defense. Any property or data recovered by law enforcement will be subject to discovery if a person is charged with a crime. However, a protective order can limit who has access, who can copy, and the disposition of the certain protected documents. These protective orders allow the victim to protect proprietary or trade secret documents related to a case.

Grand Jury and Preliminary Hearings

If the defendant is held to answer in a preliminary hearing or the grand jury returns an indictment, a trial will be scheduled. If the case goes to trial, interviews with witnesses will be necessary. The victimized company may have to assign someone to work as the law enforcement liaison.