Thursday, May 5, 2011

Companies Regularly Use Same Forensic Search Tactics Employed on bin Laden Computers

It's been reported the analysis of bin Laden's seized computer disks should help thwart future attacks and locate terrorists. "I'm certain government forensic experts have their hands full  looking for the proverbial needles in an acre of haystacks," says Mark J. McLaughlin, President of Los Angeles based Computer Forensics International. "The breakthrough software tools and search techniques used by government examiners are the same ones we routinely use to analyze hard drives and cellphones for attorneys, corporations and the courts."

Computer forensic examiners start by making exact copies of seized digital evidence. Then experts would typically use EnCase, a forensic software package, to conduct the analysis. "We can easily view computer files just as you would normally look at them on your computer," says McLaughlin, a senior examiner with over 500 cases under his belt. The software automatically recovers deleted documents, emails and images. Plus each data file's date and timestamp is displayed making it easy to assemble a timeline of when the file was created, modified or even viewed. He adds, "we also have a very cool program for conspiracy examinations that visually shows the frequency and relationship email senders have to one another."

But the real power of a forensic examination comes from the ability to search through hundreds of gigabytes of data quickly, thoroughly and in any language – even Arabic. Lists of relevant keywords are searched against the evidence, later returning search hits where the keyword was found. It's also important that each hit is seen in context to other words, which makes it easier to reassemble fragments of text. McLaughlin says, "by using wildcard search terms we can recover partial email addresses, phone numbers and a person's internet browsing history. Computer forensic examiners work hard for our clients. I can truly say, if it's there, we're going to find it."

No comments:

Post a Comment