Portrait Of A Computer Forensic Examiner

While data can be recovered from any computer, expert Ives Potrafka believes that corporate IT departments have far less control over what happens on PCs used for work.

Thomas Claburn, Editor at Large, Enterprise Mobility

September 26, 2008

4 Min Read
Dark Reading logo in a gray background | Dark Reading

Ives Potrafka, a forensic examiner with the Center for Computer Forensics, sees a lot of data theft. Those responsible tend to be ex-employees, either starting up a company while employed or going to a competitor and taking trade secrets.

According to Potrafka, when insiders steal corporate data, they tend to do it via noncorporate e-mail accounts or using external storage media.

Potrafka spent four years as a Special Agent, Computer Forensic Examiner, and Internet Investigator in the High Tech Crime Unit in Michigan Attorney General's Office, and served as a law enforcement officer for 24 years. "Certainly, hacks take place. ... Those are the ones that makes the papers," he says. "But it's more common that it's insider-related and employee-related."

Nowadays, Potrafka tends to work for clients in civil actions, though he still works on the occasional criminal case. A lot of his work involves e-mail analysis and keyword searches.

"A few years ago, we did a case for a major banking corporation where the president of the corporation and the majority of the staff, all within a two-to-three day period, resigned and went to another bank," he said. "We got a call on a Saturday from IT at the bank asking us to come look at some computers at the bank on Monday. Rather than wait until Monday, we came in on Saturday night and started looking at them and by Monday morning, we had found out that the president plugged in an external hard drive to his computer two days before he resigned."

The bank's attorneys then filed a legal demand to see that hard drive, Potrafka said. When they received it, they found stolen files.

Encryption can be an issue, but it isn't a common problem. "If a file is truly encrypted, without the key, you're not looking at it," Potrafka said. "But very honestly, we don't see much of it."

Potrafka participated in a homicide investigation several years ago in which he was asked to construct a timeline that showed when a murder victim had been using her computer.

"It was a case where the husband came over and killed his ex-wife," he said. "She had been connected to America Online. And the America Online records showed she was online the entire time, from like 8:00 p.m. or 9:00 p.m. until 7:50 am the next morning, when her son found her deceased. We were asked to look at the computer and show when she was really using it. ...Working with Microsoft and America Online, we were able to show that she stopped using the computer about 10:50 p.m., which is about her estimated time of death. It kind of blew a hole in the husband's defense." Potrafka was also involved in an industrial espionage case involving the sale of trade secrets to China.

"We were asked to analyze an engineer's laptop computer and desktop computer and his PDA," he said. "We were able to show where he had been taking trade secrets out of the country, actually, and selling them to China."

Potrafka said he sees a lot of trade secret theft. Such cases, he said, often involve fired or departing employees who take contact lists, price lists, or plans when they leave. He said he works closely with clients to encourage them to preserve their data, because bringing in new employees to work on the same computer as someone who just left the company overwrites what the former user of the computer was doing.

The blurring of boundaries between work and home life poses a problem for forensic investigations, Potrafka said. While data can be recovered from any computer, corporate IT departments have far less control over what happens on personal computer equipment that's used for work. "When the sales manager leaves and he has been working at home, it's not so easy for IT to go and look at his home computer," he said.

The ideal scenario from an IT perspective, Potrafka said, is for companies to provide and own the equipment that workers use at home.

Investigating Windows machines is the easiest, said Potrafka, because more tools have been developed for Windows forensics. "When you're getting into the Apple Macintosh world and the Linux world, the investigations become more complex," he said.

Major forensic software packages include EnCase Forensic (Windows, Linux, AIX, OS X, Solaris), Forensic ToolKit (Windows), MacForensicLab (Mac OS X, Linux, Windows), and Blackbag Technologies (Mac OS X), to name a few.

So what should you do if you think your company's security has been breached? InformationWeek has published an independent analysis on the topic. Download the report here (registration required).

About the Author

Thomas Claburn

Editor at Large, Enterprise Mobility

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful master's degree in film production. He wrote the original treatment for 3DO's Killing Time, a short story that appeared in On Spec, and the screenplay for an independent film called The Hanged Man, which he would later direct. He's the author of a science fiction novel, Reflecting Fires, and a sadly neglected blog, Lot 49. His iPhone game, Blocfall, is available through the iTunes App Store. His wife is a talented jazz singer; he does not sing, which is for the best.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights