Financial Daily from THE HINDU group of publications
Monday, May 10, 2004


eWorld - Security


A step ahead on evidence

Bharat Kumar

Want to check on a cyber-suspect without his knowledge and without removing his PC? Or do you want to fully clean a hard disk so that a current user is not liable for misdeeds of an earlier user? Forensic technology to the aid.

When Na Vijayashankar, or Naavi, author of a book on Indian Cyber Law and active opinion-maker in the same area, called eWorld for a meeting with a business associate, it was easy to guess that the topic would relate to the law. He got us to meet George Bar, director at Intelligent Computer Solutions (ICS).

Investigation delayed is justice denied. That is the premise on which technology from ICS is built. It helps companies to quickly capture evidence of fraud without having to sacrifice portions of an IT network for the sake of the investigation.

How does this technology help? If a bank suspects an employee has conducted fraudulent transactions using a particular computer, it has to investigate all the transactions for which that computer had been used. To do this, it has to isolate the computer from its network and get investigators to work on it. This means loss of a particular resource that its network needs daily.

One solution is to merely copy the hard disk of the computer onto another hard disk. But that would copy only those files that are present. What if the perpetrator had erased his tracks or files after committing fraud? You need technology that would, in effect, take an image of the hard disk, thus helping you retrieve even deleted files. And typical 'back-up' technologies are also slow.

Bar, in Chennai recently to forge tie-ups for his company, spoke to eWorld about possibilities using ICS' products.

He says, "If your company has some 400 computers, and you do know that there is someone out there sending out sensitive information from one of those machines, but aren't sure who is doing this or on which computer, what do you do?" That's where he says his technology comes in. He explains that through a process called "bit image copying" of the original hard disk, it is possible to copy data at up to 3.5 gigabytes per minute (a typical PC nowadays holds about 40 GB of hard disk memory). He says, "Our solution takes an image not only of the data but of the actual hard disk itself." The duplication is done along with calculation of the "hash" of the captured disk, making it eligible for evidence in court at a later date.

Retaining the original also helps in preventing accused folks from later claiming that the evidence has been tampered with to foist cases on them.

(And if you are puzzled by the 'hash' reference, hashing is a process in which an electronic document is run through an algorithm to produce a 'hash code' of a finite length. Irrespective of the length of the document, whether it is a file or an entire hard disk, the hash code is always a short, finite string of characters. An example is 5afcaf836de43ef640e5e0c6b2012461, which is a 32-bit hash code of a 1.37 MB PowerPoint file produced by the MD5 hash algorithm, a standard recognised in Indian Law. The hash code is unique to a document. Even changing a comma or a space will produce an entirely different hash code if you run the algorithm again. 'Hashing' hence helps you determine if a file has undergone any change.)
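The two ideas above, that a bit image keeps deleted data a file copy misses and that a hash taken during duplication later shows whether the copy has changed, as an added Python example that is not from the article or from ICS. The 1,024-byte "disk", its file table and its contents are constructed; SHA-256 is computed alongside the MD5 the article names as an addition here, and an MD5 digest is 128 bits written as 32 hexadecimal characters.

```python
import hashlib
import io

CHUNK = 4096  # bytes per read; a real imager reads whole sectors from the device

def _digests(stream, sink=None):
    """Hash a stream block by block, optionally writing each block to sink."""
    md5, sha256, total = hashlib.md5(), hashlib.sha256(), 0
    for block in iter(lambda: stream.read(CHUNK), b""):
        if sink is not None:
            sink.write(block)
        md5.update(block)      # algorithm named in the article
        sha256.update(block)   # added here; not mentioned in the article
        total += len(block)
    return {"bytes": total, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}

def acquire_image(source, image):
    """Bit-for-bit copy of source into image, hashed in the same pass."""
    return _digests(source, image)

def verify_image(image, recorded):
    """Re-hash the image later and compare with the digests recorded at acquisition."""
    return _digests(image) == recorded

def file_level_copy(disk, file_table):
    """What an ordinary backup sees: only the bytes the file table still points to."""
    return {name: disk[start:start + size] for name, (start, size) in file_table.items()}

# Constructed sample disk: one live file, then the remnants of a deleted file.
LIVE = b"ledger: all transactions normal\n"
DELETED = b"transfer record (constructed sample, deleted by user)\n"
DISK = LIVE.ljust(512, b"\x00") + DELETED.ljust(512, b"\x00")
FILE_TABLE = {"ledger.txt": (0, len(LIVE))}  # no entry for the deleted file

def demo():
    image = io.BytesIO()
    recorded = acquire_image(io.BytesIO(DISK), image)
    backup = file_level_copy(DISK, FILE_TABLE)
    tampered = bytearray(image.getvalue())
    tampered[600] ^= 0x01  # flip a single bit in the copy
    return {
        "recorded": recorded,
        "deleted_in_backup": any(DELETED in data for data in backup.values()),
        "deleted_in_image": DELETED in image.getvalue(),
        "image_verifies": verify_image(io.BytesIO(image.getvalue()), recorded),
        "tampered_verifies": verify_image(io.BytesIO(bytes(tampered)), recorded),
    }
```

Calling `demo()` returns the recorded digests together with the four checks: the deleted record is absent from the file-level copy, present in the image, and only the unmodified image verifies.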

In the US, the company's clientele includes the New York Police Department, the Federal Bureau of Investigation and the Department of Defence.

There's another obstacle that this technology surmounts: If your laptop is covered by a warranty that insists only an authorised serviceperson can open its cover, you can still take bit image copies of the hard disk using ICS' MASSter through the USB port. Authorities also used this technology in the investigation of the murder of Daniel Pearl, a journalist with The Wall Street Journal.

Interestingly, ICS itself is rarely involved in court sessions, even though plaintiffs or defendants in a case might have used its technology. Says Bar, "We only sell our technology and train users to make the best of it."

Some 'forensic wiping' too

Companies also seem to have another interesting use for the technology. They use it to completely erase data from their machines, so that even deleted files cannot be retrieved. Why? Explains Bar, "When users change machines, it is important to give them a clean slate. You cannot afford to have, in the disk, objectionable material put in by an earlier user. It might lead to a situation where an innocent is convicted." Examples of organisations that completely erase data before a new user begins using the computer include schools, law firms and clinics. He calls this forensic wiping!

ICS' clients also include those that use the technology for more than investigating frauds. Companies that generate huge volumes of data daily and need to take back-up copies quickly use MASSter. ICS quotes a test engineer from SCI as saying that the technology helps him in loading software on UNIX stations. He has said that he is now able to load four drives in less than 10 minutes. Compare this with the one hour it took to load one drive earlier.

Naavi sees uses for this technology in systems audits too. "E-governance applications lend themselves to this solution so aptly." He says the technology could save the day where data is stored across several remote locations and is amenable to manipulation, particularly, he says, "of the kite-flying type", such as temporary change of information in passport offices, land registration departments, changes during verification or between audits.

bharatk@thehindu.co.in


Copyright © 2004, The Hindu Business Line. Republication or redissemination of the contents of this screen are expressly prohibited without the written consent of The Hindu Business Line