Computer Forensics: Administrative Investigations and the CCFE Exam

March 30, 2018 by

Jennifer Jeffers

Introduction

One of the best ways to measure and evaluate the technological progressions of the modern age is to examine the evolution of digital forensics. The invention of the internet brought about a lot of exciting new innovations and methods of contact, but it also introduced a new breed of crime known as a cyberattack. And the field of digital forensics emerged soon thereafter to combat these computer crimes through a clear, evidence-based investigative process, thereby restoring law and order to the online world. In part, this process involves the electronic discover of digital clues that can be used in subsequent legal proceedings such litigation or requests around the Freedom of Information Act. Any electronically stored information found during a digital forensics investigation can be subject to the rules of civil procedures and bound under the law of the land.

Digital evidence is particularly interesting in the way it exists. It lives only in an intangible form, with varying degrees of volume and transience. This digital information is typically accompanied by some sort of metadata that plays a key role in how findings are processed as evidence. For example, a digitally watermarked image could provide a court of law with the information they need to decide the validity of a copyright case. As a result of its emerging importance, the realm of digital forensics has since blossomed into many types, such as criminal, civil, and administrative investigations. 

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

What is an administrative investigation in computer forensics?

Administrative investigations use digital forensics to examine workplace employees in the event of any suspicious behavior, corruption, or illegal activity. This includes using a company network or computer system to perpetrate crimes like sexual harassment, stalking, extortion, bribery, terrorism, pornography viewing, data theft, moonlighting, or some kind of discrimination. And considering Americans spend about 30 percent of their lifetime at work, this is no small feat. Although most administrative investigation are non-criminal in nature, they can lead to disciplinary action, suspension, or even termination of an employee if certain digital evidence is revealed. The reality of these consequences means the overall forensic process must be clear, methodical, and conducted with the utmost integrity. Because workplace employees use email, applications, and computer storage while fulfilling their professional roles, all of these areas become possible areas for forensic analysis and information gathering. Typically, this probing is done by administrators, analysts, or even private detectives, and the police are only notified if the case assumes a more criminal nature. 

What is the purpose of Administrative Investigations? What are the limitations of Administrative investigations?

Employee misconduct in the digital age offers a whole new set of challenges because unlike the days of old, investigators may not even have a real “place” to investigate, as the scene of the crime could very well be a network or an application on a smartphone. This type of volatile, highly dynamic, and somewhat unexplored digital environment provides many challenges for investigators but may provide the only means of assessing possible misconduct. While this unstable landscape can make the process more unpredictable and difficult, it also has the power to perform actions like retrieve maliciously deleted data, trace employee identity behind certain online movements, and establish a foundation for any legal recourse.

A forensic investigation of this nature can assume many forms and address many objectives. Depending on the severity of misconduct, investigators might need only to examine an employee’s phone to determine their ill-use of work time. But even this type of small forensic probing can lead to privacy-related issues and the legal need for a court-issued warrant to search through sensitive data like call records and information stored on the cloud. These limitations often make such investigations nearly impossible, especially in countries where privacy is greatly respected.

In more serious situations, investigators may look through a worker’s internet browsing history and other trace data on their computer or personal device. A fundamental principle in this field of forensics is the notion of exchange principles, which simply means that every contact made between two things (even digital ones) leaves a trace. A person leaves behind a footprint behind when she steps on the ground. And she leaves a fingerprint after touching the glass. Fibers can be left behind when her sweater brushes up against a couch. And similarly, computer forensic experts may be able to uncover important evidence when someone makes unsanctioned contact with parts of a network.

• Establishing days and times of remote connections
• Locating cookies dropped behind online movement
• Following internet browser history to determine recent activity
• Identifying recently attached storage media like USB thumb drives
• Recovering text messages, emails, call logs, and other data stored on a personal device

More broadly, the field of digital forensics does not have any real regulatory organization and receives no official recognition as a criminal right, even though it has recently become a vital part of national security. Of course, as cybercrime becomes increasingly sophisticated, these limitations will shift into more defined laws; however, the field itself is still in somewhat of a fledgling state. This current lack of regulation can lead to unverified “expertise” and even professional misconduct in certain situations. Given the amount of reporting and analyzing that must be done, it is vital that all phases of the investigation are handled with the utmost integrity and skill, otherwise people end up losing their jobs or worse. Until these issues are ironed out through increased legal attention, ethics on all levels will continue to be a concern.

The CCFE Exam

For those would-be digital detectives out there, the Certified Computer Forensics Examiner (CCFE) certification can provide just the right degree of knowledge and skill to crack even the craziest cybercrime. Students will need to have a solid foundational understanding of software engineering and IT to excel in this course, as computer forensics relies on elements like OS manipulation and software functionalities. The course will not only develop a student’s fundamental knowledge of the forensics recovery and analysis process, it will test the hard skills necessary to work with computer crimes. It will also establish a clear sense of the complex legal issues involved with computer forensics and how they may affect these types of investigations. The culminating exam includes these 10 areas:

1. Law, Ethics and Legal Issues
2. The Investigation Process
3. Computer Forensics Tools
4. Hard Disk Evidence Recovery and Integrity
5. Digital Device Recovery and Integrity
6. File System Forensics
7. Evidence Analysis and Correlation
8. Evidence Recovery of Window-Based Systems
9. Network and Volatile Memory Forensics
10. Report Writing

Students who pass this final certification exam will find themselves ready to work effectively with organizations and investigators in retrieving digital evidence, partitioning schemes, and writing court-admissible legal reports. To learn more about this opportunity, visit InfoSec Institute's 5-Day Forensics Boot Camp.

Cases & Examples

To see this process more clearly, consider a classic case of employee data theft. A disgruntled worker may choose to steal or delete sensitive data from a company as a way to take revenge for a perceived injustice, sabotage overall productivity, or make off with valuable trade secrets. The reasons are as varied as the individual. Say an ex-employee steals data by way of a USB zip drive, which are small, portable, easy to hide, and more importantly, can hold over 100 gigabytes of data. This act takes almost no time and would appear entirely undetectable. However, according to Locard’s principle—which assert that a perpetrator of a crime will invariably leave behind something of themselves at the scene—every action leaves behind some kind of trace.

Learn Digital Forensics

Build your skills with hands-on forensics training for computers, mobile devices, networks and more.

Start Learning

Conclusion

People in general are often unaware of just how many digital traces they do leave behind as they go about their online business, even through the simplest action of plugging in and extracting a zip drive. But in fact, a forensic examination of the process could reveal information like when the USB was used in a device and even the serial number of the thumb drive itself. When paired with other investigative findings like who was where and when, this could create a viable timeline for the crime. Piecing together these clues can recreate the electronic story of what happened and shed light on how exactly a suspicious employee breached the trust of the company.