A New Book on Electronic Evidence

January 28th, 2006

A new book on electronic evidence by Michael Arkfeld has been released recently. The book, called “Electronic Discovery and Evidence”, is “the comprehensive resource for discovering and admitting electronic evidence. The book addresses every aspect of this process including electronic information storage, outside expert assistance, the inherent benefits of electronic formats, as well as the laws and procedures for admitting evidence in your case”.

More information about the book may be found here.

This blog is run by the authors of FindProtected.
FindProtected is a security program that allows you to search your network for password protected and evidential files. With FindProtected, you can easily identify protected files and relocate them if necessary.

What is metadata?

January 28th, 2006

An excellent, detailed article, “Understanding Metadata” by Craig Ball, gives a thorough description of metadata in MS Office documents and explains two descriptive categories of metadata: system metadata and application metadata.

According to the article, metadata isn’t merely “evidence, typically stored electronically, that describes the characteristics, origins, usage and validity of other electronic evidence”, but rather “the electronic equivalent of DNA, ballistics and fingerprint evidence, with a comparable power to exonerate and incriminate”. Metadata sheds light on the context, authenticity, reliability and dissemination of electronic evidence, as well as providing clues to human behavior.

Almost every active file stored on your computer has some associated metadata. Some metadata may be considered crucial evidence; some is digital clutter. Understanding the different forms metadata takes and the evidentiary significance it holds is fast becoming an essential lawyer skill.

There are two principal strains of metadata: application and system… Application metadata is information typically absent from the printed page and embedded in the file it describes, moving with the file when you copy it. It has a fearsome reputation among lawyers because of its nasty habit of carrying sensitive information, such as deleted text, and who else has seen the document — but it’s that very capacity for holding more than meets the eye that enhances its evidentiary value.
By contrast, system metadata isn’t embedded in the file it describes, but stored externally and used by the computer’s file system to track file locations and store demographics. A file’s name, size, location, path and dates of creation, modification and access are common system metadata fields.

Having both application and system metadata is advantageous because, when metadata is stored both within and outside a file, discrepancies can expose data tampering. There are at least 80 accessible application and system metadata fields tracked for each Microsoft Office document, not including tracked changes, comments and Registry data.
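The cross-check described above can be sketched in code. This is an added example, not code from Craig Ball's article or from this blog; it assumes the document is an Office Open XML package (a ZIP archive carrying `docProps/core.xml`), and the function names and sample files are constructed for illustration.

```python
import os
import tempfile
import zipfile
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"dcterms": "http://purl.org/dc/terms/"}
FMT = "%Y-%m-%dT%H:%M:%SZ"  # W3CDTF form used in docProps/core.xml

def _utc(text):
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def application_metadata(path):
    """Embedded (created, modified) timestamps; they travel with the file."""
    with zipfile.ZipFile(path) as zf:
        root = ET.fromstring(zf.read("docProps/core.xml"))
    out = []
    for tag in ("created", "modified"):
        node = root.find(f"dcterms:{tag}", NS)
        out.append(_utc(node.text) if node is not None and node.text else None)
    return tuple(out)

def system_mtime(path):
    """Last-modified time kept by the file system, outside the file."""
    return datetime.fromtimestamp(os.stat(path).st_mtime, tz=timezone.utc)

def find_discrepancies(path, tolerance_seconds=120):
    """Compare embedded and file-system timestamps; return a list of findings."""
    created, modified = application_metadata(path)
    fs_modified = system_mtime(path)
    findings = []
    if created and modified and modified < created:
        findings.append("embedded 'modified' precedes embedded 'created'")
    if modified and (modified - fs_modified).total_seconds() > tolerance_seconds:
        findings.append("embedded 'modified' is later than file-system mtime")
    return findings

def build_sample(path, created, modified, fs_mtime):
    """Write a constructed OOXML-style package and set its file-system mtime."""
    core = (
        '<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/'
        'package/2006/metadata/core-properties" '
        'xmlns:dcterms="http://purl.org/dc/terms/">'
        f"<dcterms:created>{created}</dcterms:created>"
        f"<dcterms:modified>{modified}</dcterms:modified>"
        "</cp:coreProperties>"
    )
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    stamp = _utc(fs_mtime).timestamp()
    os.utime(path, (stamp, stamp))

def run_constructed_cases():
    """Return findings for a consistent sample and a back-dated sample."""
    with tempfile.TemporaryDirectory() as tmp:
        ok, bad = os.path.join(tmp, "ok.docx"), os.path.join(tmp, "bad.docx")
        build_sample(ok, "2006-01-10T09:00:00Z", "2006-01-20T15:30:00Z", "2006-01-20T15:30:05Z")
        build_sample(bad, "2006-01-10T09:00:00Z", "2006-01-20T15:30:00Z", "2006-01-12T08:00:00Z")
        return find_discrepancies(ok), find_discrepancies(bad)

if __name__ == "__main__":
    print(run_constructed_cases())
```

A finding is a lead to examine, not proof of tampering: copying a file or extracting it from an archive also changes file-system times, which is why the check is one-directional and allows a tolerance.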

However, electronic evidence lives in an environment that defines it. When metadata moves from one environment to another, it can change in ways that cannot be assessed without the metadata and meta-metadata from the host system.

Metadata is both evidence and a key to validating and understanding other evidence. Either way, it’s discoverable when potentially relevant.


Higher-Ups Are Keeping an Eye on Workers

January 28th, 2006

An article written by Alison Grant on companies monitoring employee activity was posted on newhousenews.com. It says,

Whether they know it or not, employees are rarely alone on the job.
Businesses are deploying a battery of high-tech gadgets to keep track of employees in office cubicles, factories and hospitals and on the road.
Nine out of 10 companies engage in workplace surveillance — above all, monitoring computer use — according to a 2005 survey.

Almost all aspects of employees’ activities are typically monitored by the company management. According to the latest survey, three-fourths of the companies monitored employees’ Web site visits, as part of their daily “routine”; just over half said they monitored phone calls; while more than 50% reported using video monitors.

Employers are forced to monitor workers’ activity in order to:

  • Fend off hostile work environment claims and wrongful-termination lawsuits.
  • Catch cyberslackers dialing up travel sites or day-trading on company time.
  • Stem the pirating of software, theft of company property and spilling of corporate secrets.

Concern over litigation and the role electronic evidence plays in lawsuits and regulatory investigations are prime motivations for corporate surveillance.

However, shades of Big Brother should give employers reason to approach monitoring cautiously, according to business ethicists studying the issue. In fact, there is a danger of breeding a suspicious and hostile workplace, increasing stress and damaging employee morale.

The companies must have clear-cut policies and thorough employee notice that phones and computers could be bugged.

Besides, as electronic communications multiply, it’s harder and harder to keep up with it all. At some point, the company management needs to employ a security specialist, as well as use specific software solutions to sift through these huge amounts of data.

Alison Grant’s article also describes the common ways of “how the boss may look over your shoulder” to find out what you’re actually doing at work.


Danger Lurks for Stored Data

January 15th, 2006

Safeguarding stored data has always been challenging, but in a world where information is digital more than ever, and where compliance directives are increasingly demanding, an effective data storage security strategy is a key aspect of doing business today.

According to the article posted on newsfactor.com recently, “the security threats that network communications are exposed to are becoming increasingly insidious and invasive, with the data protection space an increasingly inviting and at-risk target.”

These are the most important measures for any type of information security infrastructure:

* Protect the privacy of the information while it is in transit
* Protect the privacy of the information while it is stored
* Ensure that the information has not been altered during transport
* Ensure that the information has not been tampered with by unauthorized users
* Ensure that all activities are recorded for potential audit or misuse tracking
* Ensure that a specific type of information will be retained for the right amount of time depending on applicable company policy or regulations
* Ensure that the information will be removed from the backup media as the regulation requires

Compliance and security are now inextricably linked. When companies look to ensure that they will comply with a specific regulation, they must look beyond data retention to a highly secure environment. Efficiently storing data for a long time, and enabling quick and easy retrieval, is a good and necessary start, but only the beginning.

“A strategy for ensuring that the privacy of the information is well protected, that it has not been tampered with or was not altered while sent to the storage media, is just as important.”


Put security policies in writing!

January 15th, 2006

The Federal Reserve Board issued a new guide in December stating that all banks and other financial institutions must take certain steps to safeguard the personal data they handle.

Among other things, those entities are expected to tightly control who can access their customer information systems. They are also called on to monitor physical storage of paper records, set up monitoring systems to detect intruders and provide written contracts outlining how they will respond to suspected breaches.

It means that although federal law doesn’t explicitly say so, all companies that handle personal information for their customers should have written security policies.

“I believe this guidance is useful for a guidepost in enterprises outside of finance,” said Benjamin Wright, a frequent speaker on information security and e-commerce. “A written policy is the first step for establishing we are taking reasonable steps within our enterprise to ensure security”.

In the wake of several high-profile breaches last year, at both financial and nonfinancial firms, Congress considered a number of proposals intended to broaden data security laws. None of those measures advanced to consideration by the full legislative body. A new round of congressional action is predicted in 2006.

But for now, many companies must decide for themselves how best to safeguard their systems.

According to ZDnet.com.


Regulatory impact on corporate security practices

January 15th, 2006

According to the U.S. results of the 8th annual Global Information Security Survey, regulatory compliance, internal attacks, and the vulnerability of electronic communications – especially instant messaging and e-mail – are among the key factors reshaping data security systems.

According to the survey, there are indications that compliance requirements like Sarbanes-Oxley, HIPAA, the U.S. Home Security Act and the U.S. Patriot Act have had a notable impact on corporate security practices. Over half of the survey respondents report that government regulations have pressured their company to adopt a more structured approach to information security, while 60 percent view regulatory compliance as more of a governance issue than a technology problem.

Although only a third say achieving compliance is a main catalyst of security-related purchases, over half say it has made their company more cautious about their use of security hardware, applications and services.

A majority of U.S. companies spend below $500,000 on security expenses, with half anticipating increased spending in the next year, and only 3 percent expecting spending to decline. Performance and return on investment count the most when purchasing security products.

Although spending on information security is constantly on the rise, certain lapses remain that can result in serious financial losses for corporations or a violation of customer trust.

“Security professionals lack the ability to control every point of entry, but worse, they have too much faith in technology that claims to automate network defenses,” said Rusty Weston, editor, InformationWeek Research.

You can find a lot of other interesting information in the “Vulnerability Of Electronic Communications” article.


How should authentication be described?

January 8th, 2006

Quandary’s blog has some noteworthy ideas on the definition of strong authentication.

It is typically considered that there are three categories that authentication can fall into — “what you know,” “what you have,” and “what you are.” However, the idea that these forms of authentication are different is “ultimately incorrect, as it all comes down to what your attackers know, versus what the computer knows”.

“What you have” merely pushes the knowledge out of your head and either onto a piece of paper, or into some other device of some sort. So long as an attacker knows what is contained in the physical device, he has all the information he needs to successfully authenticate — the only extra obstacle he might encounter is physically interfacing with the hardware (e.g., a card reader) to communicate his knowledge.

“What you are” is also simply a matter of an attacker knowing what your fingerprint, retina scan, DNA, voice, or other characteristic is like. If a computer can model your voice well enough to determine if you spoke a phrase or not, then it is very likely that an attacker will be able to model (or even directly play back) your voice using a similar method, and authenticate to the system. Fingerprints, retina scans, and DNA matches are even worse, because these never change.

An alternative view of the major axes of authentication is described further in Quandary’s blog. According to the author, “the most desirable authentication methods should be bidirectional, unique, and temporal, and should use each of these three attributes in a strong fashion”.


Top Security Blunders

January 8th, 2006

An interesting article called “Top Security Blunders” can be found at femiolubosi.com.

This article once again illustrates the fact that “even the latest technology and good overall IT Security staff can be foiled by uninformed or careless users”.

According to the article, the top security mistakes are:

  • Insecure passwords.
  • Sharing passwords between users.
  • Using the internal organization password on external web sites.
  • Failure to adequately perform backups.
  • Storing vital information locally rather than centrally.
  • Open, unattended workstations.
  • Ignoring vendor updates and patches.
  • Not physically securing computer equipment.
  • Disabling or diminishing existing security controls.
  • Installing unapproved software.
  • Exposing more personal information than necessary.
  • Propagating virus and other hoaxes.
  • Opening unexpected e-mail attachments.
  • Failure to train users to recognize security incidents and how to respond to them.


Correct procedure for computer forensics

December 25th, 2005

Alan Neilson’s blog posted an article on security policy enforcement. What should be the management’s behavior if an employee is suspected of wrongdoing? According to the post, “there may be several forms of evidence available to a firm, which can exist in many locations within a computer system, or even an external storage device such as a CD or Zip drive.”

The quest to secure reliable evidence is not only based on ensuring a conviction of an employee, but also on protecting the firm against a civil claim of wrongful dismissal. A hasty dismissal of an employee would be unwise: the firm will not know his modus operandi, his passwords, and once the employee knows that his actions have been discovered, he may be able to trigger the deletion of all evidence. By contrast, if the firm employs surveillance techniques (by using Trojans or key loggers, for example) then the firm can discover the employee’s modus operandi and passwords.

The next stage involves the gathering of evidence, which can be stored in numerous places, and the firm must be aware of this possibility.

Manual searches may not be particularly useful because stolen documents may have had their filenames changed, and file-type altered. Where forensic software is employed, however, it is the structure of the file itself which is searched, rather than its name or file-type, and this may prove fruitful for the firm.
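The content-based search described above can be illustrated with a short script. This is an added example, not code from Alan Neilson's article or from any forensic product; the signature table covers only a few well-known formats, and the function names and sample files are constructed for illustration.

```python
import os
import tempfile
import zipfile

# Leading-byte signatures for a few common formats (well-known magic numbers).
SIGNATURES = [
    (b"%PDF-", "pdf"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy .doc/.xls/.ppt
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip"),
]
# Extensions considered consistent with each detected type.
EXPECTED_EXT = {
    "pdf": {".pdf"}, "ole2": {".doc", ".xls", ".ppt", ".msg"},
    "jpeg": {".jpg", ".jpeg"}, "png": {".png"}, "zip": {".zip"},
    "docx": {".docx"}, "xlsx": {".xlsx"}, "pptx": {".pptx"},
}
# Archive members that identify an Office Open XML document inside a ZIP.
OOXML_MARKERS = {"word/document.xml": "docx", "xl/workbook.xml": "xlsx",
                 "ppt/presentation.xml": "pptx"}

def identify(path):
    """Classify a file by its content; return None if no signature matches."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    kind = next((k for sig, k in SIGNATURES if head.startswith(sig)), None)
    if kind == "zip":
        try:
            with zipfile.ZipFile(path) as zf:
                names = set(zf.namelist())
            for marker, ooxml_kind in OOXML_MARKERS.items():
                if marker in names:
                    return ooxml_kind
        except zipfile.BadZipFile:
            pass  # truncated or damaged archive: keep the generic "zip" label
    return kind

def find_mismatches(root):
    """Return sorted (relative path, detected type) where name and content disagree."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            kind = identify(path)
            ext = os.path.splitext(name)[1].lower()
            if kind and ext not in EXPECTED_EXT[kind]:
                hits.append((os.path.relpath(path, root), kind))
    return sorted(hits)

def build_constructed_tree(root):
    """Constructed sample files: two renamed documents and one honest image."""
    with open(os.path.join(root, "holiday.jpg"), "wb") as fh:
        fh.write(b"%PDF-1.4\n% constructed sample\n")
    with zipfile.ZipFile(os.path.join(root, "notes.txt"), "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_tree(tmp)
        for rel, kind in find_mismatches(tmp):
            print(f"{rel}: content is {kind}")
```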

The evidence may not be on the computer at all: it may be on the firm’s server if it was sent by e-mail. This can prove an excellent source of evidence because of a common misconception that e-mail messages are impermanent. In fact, it is more difficult to remove e-mail than most believe, and on most systems, permanently deleting e-mail is a complex process.

When evidence has been obtained, the firm must undertake a certain procedure to ensure that the evidence is made suitable for use in court. This involves tagging the evidence, bagging it, logging it, copying it and finally securing it.

If a firm adopts such an approach to computer forensics where an employee is suspected of acting illegally, then it maximises its chance of securing a conviction of the employee, and protects itself against the possibility of an unfair dismissal claim.

To inspect employees’ files in depth, you can use specific security software. FindProtected is an effective security solution that allows you to enforce an intelligent data security policy across the organization. With FindProtected, you can properly identify protected files and relocate them if necessary.


Ford hit by Identity Theft

December 25th, 2005

Personal and financial information about 70,000 active and former Ford Motor Co. white-collar workers was stolen along with the computer holding the company information in November, according to the automaker.

The stolen data includes names, addresses and Social Security numbers.

Ford began notifying employees of the theft this week. There is “no evidence indicating that there has been any identity theft or misuse of employee information” according to a company spokesperson.

Ford plans to pay for a credit-monitoring service for the people affected by the theft and is offering them a range of services. Ford has notified the Federal Bureau of Investigation, the U.S. Secret Service, the Federal Identity Theft Task Force and the three major credit reporting agencies of the theft.

According to Consumeraffairs.com.
