Computer Crime Fighters


Soyup Hahn (ENG '09). Photo by Nicole Laskowski
Soyup Hahn (ENG '09). Photo by Nicole Laskowski

No matter how careful they are, cybercrooks, like any burglar, leave behind traces of their wrongdoing, revealing where they’ve been and what they’ve been up to. And like crime scene investigators, computer forensics experts can follow that trail of clues as they try to crack a case.

This summer, Soyup Hahn (ENG’09) got a taste of cybersleuthing, as an intern at First Advantage Litigation Consulting in Boston, a company that specializes in litigation support services, including computer forensics.

“I don’t know what I want to do after I graduate,” says Hahn. “I wanted to explore my options by doing an internship, and forensic data recovery just sounded cool.”

Of the investigations that First Advantage conducts, 80 percent involve intellectual property theft. It is a growing problem nationally; the U.S. Department of Justice recorded a 26 percent increase in the number of intellectual property cases between 1994 and 2000.

Sometimes employees try to sell the information, use it at their next place of employment, or even create a competing company. The most common methods of intellectual property theft include e-mailing information to a Web mail account, saving data on a removable storage device like a flash drive, and burning CDs.

The remaining 20 percent of intellectual property cases involves hacking, harassment, installation of pirated software, and illegally downloading music.

A forensics expert begins the process of acquiring data, or the chain of custody, by taking what is called a forensic image — a transmission of every bit of information contained on an electronic device. To do this, the electronic device is hooked up to a “write-block,” a piece of equipment that makes sure the data removed from the original device haven’t been modified. The data are then stored on the forensics expert’s own hard drive.

“This is the most important part of the process,” says Hahn. “If the acquisition is done improperly, it could damage the case.”

The image is taken back to the office, copied, and logged in the evidence room. From there, the expert begins to analyze the copy.

“We can look at all of the documents a user has been interacting with in the last few weeks: what they’re modifying, what they’re deleting, their Web site activity, their recent e-mail activity, any storage devices they’ve plugged into the computer,” says First Advantage northeastern regional director Mark Spencer, who was Hahn’s supervisor.

The forensic image contains more information than a user may suspect, Hahn says. It includes not only files that users can see, but those they can’t, such as deleted space — space marked available because a file has been deleted but, as is often the case, not destroyed — and slack space, or the space between where one file ends and the next begins.

Spencer compares the concept of slack space to a parking space. A compact car parked in a spot big enough for a Hummer can’t fill the entire spot. The same thing happens with documents. A computer forensics expert can access the leftover space to recover remnants of what had been there and to search for evidence of illegal activity such as intellectual property theft.

“I had no idea this type of career even existed before the internship,” says Hahn, who will continue as a part-time employee at First Advantage this fall. “I like the fact that this job requires you to think and to concentrate, and it can be really challenging.”

This article originally appeared in BU Today.