Dissecting Email Forensics

Back in the days of Enron, purge and delete was the tactic du jour—clearly, it wasn’t the right answer. Ultimately, the malfeasance at Enron and its complicit accountants at Arthur Andersen ushered in a new paradigm of federal and state government email retention requirements. As a result, today’s IT and security managers have to figure out how to save more email while corporate attorneys and their management decide which email is hot and which is not.

According to the LiveOffice-sponsored paper, eDiscovery: Six Critical Steps for Managing E-mail, Lowering Costs and Reducing Risks, authored by Contoural, many companies have implemented 30- to 60-day email and IM deletion policies. The thought process is: ‘get rid of the message before there is a reasonable anticipation of discovery’. Corporate counsel and IT managers think: ‘we save time, money and disk space.’ While aggressive email deletion is a seemingly logical solution, it doesn’t work anymore.

Access to electronically stored information (ESI) is now a standard request in litigation, yet many companies are still unprepared to find it. Contoural states that email often provides the most valuable insight into mindset surrounding actions and decisions. Further, litigators and regulators are well aware of the importance of email, often making it the first and most significant target of discovery efforts.

Email Forensics

Email is also the main platform for a variety of business-related crime, including proprietary information theft, data leakage, harassment, and intellectual property violations. Few organizations, however, employ their own forensic investigators. When it comes to training existing IT staff to handle email investigations, limited funding, personnel, and perceived need dictate whether or not they will attend forensics training. With the wide availability of eDiscovery and email archiving solutions, organizations are better equipped to handle their internal investigations, but better equipped does not necessarily mean better prepared.

“Companies are definitely more aware of eDiscovery requirements because there’s been so much discussion, press, and large sanctions [imposed by the courts] for not doing it well. But awareness doesn’t necessarily translate to doing it better,” says Peter Garza, who worked on both the Enron and Arthur Andersen cases and is an independent expert forensics investigator and former special agent with the Naval Criminal Investigative Service (NCIS). “Companies still have practices like collecting the data themselves and having users decide what is relevant. That’s dangerous because early in the case, if you self-collect, the perception of a user may be different than the perception of a lawyer on what he needs collected.”

Mike Fowler, CISSP, EnCE, senior director of training and partner development for Guidance Software, adds that proper tools and training are extremely important, but that understanding the methodology behind forensic investigations is even more important. “I’d go toe to toe with anyone that thought they could purchase a bargain forensic toolkit and do a decent job of it. It’s just not comprehensive enough.” Then again, he points out, what is enough? There are many determinants in deciding on appropriate investigative tools: How secure do you want to be? What exactly are you looking for? Do you need to monitor crucial business functions? Is leaked information a cause of concern? Are laptops properly investigated for signs of abuse when an employee has left or been terminated? These are questions Fowler believes beg consideration. “The threat to corporate security isn’t waiting around outside in the parking lot day after day,” he says. “Sometimes, yes. But more frequently it’s internal.”

Fowler adds that IT professionals present their own challenges: although they have years of knowledge dealing with computers and networked systems, the methods of protecting evidence and the best practices for gathering it have frequently not been part of their training. “I have always said, give me a [police] investigator and I can train him in the technical issues. Taking an IT professional and giving him the investigative mindset is not something that can be covered in a four- to five-day class.”

Garza says that the most common “gotcha” happens when organizations try to handle email forensics in house, which, he feels, is done to save money. “Normally, IT people are very technically savvy, but they’ll make different decisions than their in-house counsel or outside attorney will make in regards to how evidence is identified, preserved or collected. In-house technical people just don’t have the training and experience,” says Garza. “But for very large corporations that are serial litigants, it makes sense to have internal resources because they’re in better control of their data. However, I think from time to time they still need somebody that doesn’t have a horse in the race to review procedures with them, validate what they’re doing, and how they’re making decisions on preserving data or interpreting the data.”

I Spy With My Little Eye

Fowler contends that it is important for organizations to understand what email forensics is and is not capable of doing. “Computer forensics do not follow you home in your car. Enterprise forensics is installed on a base server with a specified number of licenses issued to monitor a specified number of systems on the network. The Sys Admin does not monitor all systems on the entire network all day long. It isn’t really possible and it would be very inefficient. Companies choose areas that need monitoring, or a specific individual that is most likely committing some type of internal policy violation, and they monitor thusly.”

Most of us have either been or currently are employees of a company that required us to sign documentation stating that inventions and all work belong to the company. Comments Fowler, “At least, this is the way North America does business. In knowing and embracing your status as a company employee, you understand that nothing on your desk—save for some pictures, weird objects, and a cup of coffee—belongs to you. However, this is the very first thing that’s forgotten when arguments are presented. ‘How can your company spy on you?’ Well, they aren’t spying.” Fowler goes on to say that they are monitoring the data and workflow of their organization, and asks: Shouldn’t any company in these scary economic times want to assure that it is operating at the most efficient and secure levels possible? “If you, as the loyal employee to Company X, are not in any violation of company policies, then the ad-hoc monitoring of your email and actions should not concern you—or should it? Depends on what you’re up to.”

A Case in Point

Peter Garza worked on both the Enron and Arthur Andersen cases and is an independent expert forensics investigator and former special agent with the Naval Criminal Investigative Service (NCIS). He has many stories to tell, but here is one about handling email forensics internally.

A recent case that Garza worked on involved an IT manager who was adamant that there were only three servers he should be concerned with. “He was very insistent,” recalls Garza. “So I said, ‘That’s fine, let’s talk through what each of the servers does, educate me.’ We went through a technical interview on each system, and I learned several very important things—one, that there was a universe of about 28 different servers and of those 28 servers, about 13 were potentially relevant. Most importantly—even though the litigation hold letter had gone out (telling them not to delete anything)—we talked about one of the servers that they didn’t think was relevant. I found that as employees left, they would ghost their hard drives to the server, and keep the images on it. As the manager was describing what that server did, I asked, ‘So what happens to that data?’ The response was, ‘As it fills up and we run out of room, we delete the older data.’” The point of this story? Garza notes that some of the deleted data was central to the case.

Fowler notes that computer forensics fills a large gap in IT capabilities and answers a growing need for comprehensive security. Single solutions and cutting-edge tools can accomplish their goals in the hands of trained examiners employing investigative mindsets and utilizing proper methodologies, but there is no quick-fix forensic solution. Says Fowler, “There are brilliant tools on the market that are well worth a company’s time and energy to explore. The cost in dollars is dwarfed overall by the multiple uses for enterprise forensics and its total, almost immeasurable ROI.”

For Your Reference

Contoural
Mr. Peter Garza
Guidance Software
LiveOffice