The scope of retail investigations can take the loss prevention team in many directions, covering every area of the retail enterprise. Computer forensics is the examination of evidence held on computer systems in order to learn what has occurred, the extent of the damage, and how to prevent it from happening again. The same techniques are used to analyze a computer system after a break-in or security breach (to determine how the perpetrator gained access and what they did), to recover data after a hardware or software failure, to gather potential evidence against an employee in the event of an incident or policy breach, and to learn how a system is behaving for debugging, performance tuning, or similar tasks.
The goal is to explain the current state of a computer system, storage medium, electronic document (for example, an email message or JPEG image) or other information moving over a computer network. Depending on the specific need, the objective can be as simple as “what information is here?” or as detailed as “what sequence of events led to the present situation?”
Anyone conducting an investigation involving computer forensics should be properly trained for this specialized kind of retail investigation; an untrained examiner who simply opens files on the original device alters file timestamps and can leave the evidence open to challenge. Digital evidence can be collected from many sources, including computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, web pages and other equipment.
Handling of Evidence
Extreme care must be taken when handling computer evidence, because most digital information is easily altered. Once modified, it may be difficult or impossible to detect that a change has taken place (or to revert the data to its original state) unless integrity controls were put in place at collection: a write blocker between the original media and the examiner's workstation, a cryptographic hash (for example SHA-256) of the original recorded before any analysis begins, and a chain-of-custody log of every person who handled the evidence. Such mishaps can destroy valuable evidence and undermine the entire investigation.
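The integrity control described above, as an added example rather than anything from the original page: a SHA-256 digest of the image is recorded in a chain-of-custody record at acquisition, analysis is done only on a verified copy, and any later change to the original (even a single flipped bit) fails verification. The sample image bytes, the evidence identifier and the examiner name are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed stand-in for a forensic image (a few hundred bytes). A real one
# is produced by an imaging tool reading the original media through a
# hardware write blocker; the workflow below is the same.
SAMPLE_IMAGE = b"\x00" * 256 + b"receipt 2024-03-02 refund 499.00 cashier 17\n" + b"\x00" * 200


def hash_image(data: bytes, chunk_size: int = 1 << 20) -> str:
    """SHA-256 computed in chunks, so the same code works on images far larger than RAM."""
    h = hashlib.sha256()
    for i in range(0, len(data), chunk_size):
        h.update(data[i:i + chunk_size])
    return h.hexdigest()


def hash_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Same digest for an image file already on disk."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquisition_record(data: bytes, evidence_id: str, source: str, examiner: str, collected_at=None) -> dict:
    """Chain-of-custody record written at collection time. Its digest is the
    reference every later verification is checked against."""
    when = collected_at or datetime.now(timezone.utc).isoformat()
    return {
        "evidence_id": evidence_id,
        "source": source,
        "size_bytes": len(data),
        "sha256": hash_image(data),
        "custody": [{"time": when, "examiner": examiner, "action": "acquired"}],
    }


def log_custody(record: dict, examiner: str, action: str, when=None) -> dict:
    """Append one handling event; every transfer or examination is logged."""
    record["custody"].append({
        "time": when or datetime.now(timezone.utc).isoformat(),
        "examiner": examiner,
        "action": action,
    })
    return record


def verify_image(data: bytes, record: dict) -> bool:
    """True only if both size and digest match the acquisition record."""
    return len(data) == record["size_bytes"] and hash_image(data) == record["sha256"]


def open_for_analysis(data: bytes, record: dict, examiner: str) -> bytes:
    """Verify, log, and hand back a copy. Analysis is done on the copy; the
    original stays sealed and is re-verified against the same record later."""
    if not verify_image(data, record):
        raise ValueError(f"{record['evidence_id']}: digest mismatch, evidence may have been altered")
    log_custody(record, examiner, "verified and copied for analysis")
    return bytes(data)


if __name__ == "__main__":
    rec = acquisition_record(SAMPLE_IMAGE, "LP-2024-017", "USB stick, register 4", "J. Doe")
    working_copy = open_for_analysis(SAMPLE_IMAGE, rec, "J. Doe")
    tampered = bytearray(SAMPLE_IMAGE)
    tampered[300] ^= 0x01  # one bit changed somewhere in the image
    print("copy verifies:", verify_image(working_copy, rec))
    print("tampered verifies:", verify_image(bytes(tampered), rec))
    print(json.dumps(rec, indent=2))
```

The record should be stored separately from the image (and ideally signed or printed and countersigned), otherwise whoever can alter the image can also alter the digest it is checked against.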
Traditionally, retail investigations involving computer forensics were performed on data “at rest” (for example, the contents of hard drives). Computer systems were shut down when they were impounded to avoid incidents that might cause data to be erased. In recent years, however, there has been increasing emphasis on analyzing “live” systems, because many current attacks against a company's computer systems leave little or no trace on disk, with the perpetrator working only in the computer's memory. Pulling the plug destroys that memory, along with the list of running processes, open network connections and any encryption keys held in RAM, so the order of acquisition matters: capture the most volatile data (memory, network state) first, then image the disks.
A typical forensic analysis might include a review of material on the media, examination of the Windows registry for suspect entries, recovery of passwords, keyword searches for topics related to criminal incidents or policy violations, extraction of e-mail and images for review, and other specialized analysis based on specific needs and goals. Once the analysis is complete, a report is generated summarizing the findings so that the appropriate decisions can be made. Computer forensics is a growing investigative tool in the retail environment, and an area where significant opportunities will be realized as technology continues to evolve.
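Two of the analysis steps listed above, keyword searching and image extraction, as an added example that is not code from the original page. It runs over a constructed raw image (not a real capture) containing an ASCII point-of-sale journal line, a UTF-16LE string of the kind Windows stores in registry values and Office documents, and a minimal JPEG. The keyword list and the sample bytes are assumptions made for the example.

```python
import hashlib

# Constructed raw image: slack bytes, an ASCII journal line, a UTF-16LE string,
# and a minimal JPEG bracketed by its SOI (FF D8 FF) and EOI (FF D9) markers.
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 40 + b"\xff\xd9"
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Sold 3 items. Manager override: refund 499.00 no receipt\r\n"
    + b"\x00" * 32
    + "Gift Card balance transfer 1,200.00".encode("utf-16le")
    + b"\x00" * 16
    + FAKE_JPEG
    + b"\x00" * 64
)

JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def keyword_hits(data: bytes, keywords, context: int = 20):
    """Case-insensitive search for each keyword in both ASCII and UTF-16LE.
    Searching ASCII alone misses registry values, shortcut files and Office
    text, which Windows stores as UTF-16LE."""
    # bytes.lower() only changes ASCII letters, so UTF-16LE text stays aligned.
    lowered = data.lower()
    hits = []
    for kw in keywords:
        for enc in ("ascii", "utf-16le"):
            needle = kw.lower().encode(enc)
            pos = lowered.find(needle)
            while pos != -1:
                start = max(0, pos - context)
                if enc == "utf-16le":
                    start = pos - ((pos - start) // 2) * 2  # keep 2-byte alignment with the hit
                window = data[start:pos + len(needle) + context].decode(enc, errors="replace")
                hits.append({
                    "offset": pos,
                    "keyword": kw,
                    "encoding": enc,
                    "context": "".join(c if c.isprintable() else "." for c in window),
                })
                pos = lowered.find(needle, pos + 1)
    return hits


def carve_jpegs(data: bytes, max_size: int = 10 * 1024 * 1024):
    """Header/footer carving: slice from each SOI marker to the next EOI.
    Adequate for intact, unfragmented files. A JPEG with an embedded EXIF
    thumbnail contains an inner EOI, so this naive carve truncates it there;
    production tools walk the marker segments instead."""
    found = []
    pos = data.find(JPEG_SOI)
    while pos != -1:
        end = data.find(JPEG_EOI, pos + len(JPEG_SOI), pos + max_size)
        if end == -1:
            break
        blob = data[pos:end + len(JPEG_EOI)]
        found.append({
            "offset": pos,
            "size": len(blob),
            "sha256": hashlib.sha256(blob).hexdigest(),  # identifies the carved file in the report
            "data": blob,
        })
        pos = data.find(JPEG_SOI, end + len(JPEG_EOI))
    return found


if __name__ == "__main__":
    for h in keyword_hits(SAMPLE_IMAGE, ["refund", "gift card", "void"]):
        print(f"{h['offset']:08x} {h['encoding']:9} {h['keyword']!r}: {h['context']}")
    for f in carve_jpegs(SAMPLE_IMAGE):
        print(f"{f['offset']:08x} jpeg {f['size']} bytes sha256={f['sha256'][:16]}...")
```

Each hit is reported with its byte offset so the finding can be located again in the verified image and tied back to the acquisition record; the report should cite offsets and digests, not just the decoded text.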