116 3rd St SE
Cedar Rapids, Iowa 52401
Specialist’s job is like CSI for your company’s computers
Dave DeWitte
Apr. 6, 2012 10:25 am
Greg Koenighain knows it probably hasn't been a good day for his customer when he gets that initial call for assistance.
“Usually it's when they realize they have an issue that they have to take to the next level,” he said.
Koenighain, a data recovery specialist and owner of Midwest Computer Forensic Lab in Cedar Rapids, uses his considerable computer skills to find evidence of unauthorized or illegal computer activity.
He's often called on by employers to search for evidence of data theft, usually after resignations or terminations.
“Nowadays, you get a lot of employees who think they can do better and start another company, and they think it will go easier if they can take their contact list with them,” he said.
Employees may believe it's all right to take their contacts, even when the employer's computer use policy states that information stored on the company's computers belongs to the company.
At other times, a line has clearly been crossed: The ex-employee knows it, and has often tried to take steps to cover the trail.
Koenighain typically goes into the company after regular business hours, loaded down with hard drives, cables and other gear to reproduce all the data on the employee's hard drive.
“You have to prepare for everything,” Koenighain said. “When you go in to image a computer, you may have one shot to image that computer and get out.”
“Imaging” a computer produces a complete, bit-for-bit copy of the hard drive's contents on another hard drive or storage medium. It takes every sector, including deleted files and unallocated space, not just the files a user can see, and standard practice is to record a cryptographic hash of the original alongside the copy so the copy can later be shown to match it exactly.
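Because there may be only one shot at the drive, the image is hashed as it is read and the copy is re-hashed and compared before the examiner leaves. What follows is an added example of that acquire-and-verify step, written for this edit rather than taken from Koenighain's practice or from any forensic product. It images an ordinary file standing in for a drive (the `suspect_disk.raw` name and the 3 MiB sample payload in `run_demo()` are constructed), and it does not replace a hardware write blocker, which is what keeps the operating system from writing to the original.

```python
"""Acquire a bit-for-bit image of a drive and verify it by hash.

Added example for this edit; not Koenighain's procedure or any vendor tool.
The 'drive' in run_demo() is a constructed file, not a real device.
"""
import hashlib
import os
import tempfile
import time


def image_device(source_path, image_path, chunk_size=1024 * 1024):
    """Copy source_path to image_path byte-for-byte, hashing the source
    bytes as they are read. The source is opened read-only; on a real job a
    hardware write blocker sits between the drive and the examiner's
    machine as well, because a read-only open does not stop the operating
    system from touching a drive it decides to mount. Returns the entry you
    would write into the acquisition log."""
    digest = hashlib.sha256()
    total = 0
    started = time.time()
    with open(source_path, "rb") as src, open(image_path, "wb") as dst:
        for chunk in iter(lambda: src.read(chunk_size), b""):
            digest.update(chunk)
            dst.write(chunk)
            total += len(chunk)
        dst.flush()
        os.fsync(dst.fileno())  # make sure the image really reached the media
    return {
        "source": source_path,
        "image": image_path,
        "bytes": total,
        "sha256": digest.hexdigest(),
        "acquired_at": time.strftime("%Y-%m-%dT%H:%M:%S", time.gmtime(started)),
        "seconds": round(time.time() - started, 3),
    }


def sha256_file(path, chunk_size=1024 * 1024):
    """Independent re-hash of a file, read back from the media."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(record):
    """True only if the image on disk has the logged size and its SHA-256,
    computed fresh, equals the hash taken from the source during
    acquisition. Anything else means the copy is not a faithful replica and
    the acquisition has to be repeated while the drive is still available."""
    if os.path.getsize(record["image"]) != record["bytes"]:
        return False
    return sha256_file(record["image"]) == record["sha256"]


def run_demo():
    """Constructed scenario. Returns (clean_verify, verify_after_one_flipped_byte, size)."""
    with tempfile.TemporaryDirectory() as tmp:
        drive = os.path.join(tmp, "suspect_disk.raw")  # stand-in for a real block device
        image = os.path.join(tmp, "suspect_disk.dd")
        with open(drive, "wb") as f:
            f.write(b"CONTACT LIST\n" + os.urandom(3 * 1024 * 1024) + b"%%EOF")
        record = image_device(drive, image)
        clean = verify_image(record)
        # Flip one byte deep inside the image: the size is unchanged, so only
        # the hash comparison can catch it.
        with open(image, "r+b") as f:
            f.seek(1000)
            original = f.read(1)
            f.seek(1000)
            f.write(bytes([original[0] ^ 0xFF]))
        return clean, verify_image(record), record["bytes"]


if __name__ == "__main__":
    print(run_demo())  # (True, False, 3145746)
```

The hash is computed from the bytes as they leave the source, not from the finished image, so a later mismatch distinguishes a bad copy from a changed original; both values belong in the acquisition log together with the time and the examiner's identity.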
Koenighain takes the external hard drives loaded with the data back to his Cedar Rapids office, where he conducts his search using computer forensic software called EnCase Forensic, from Guidance Software.
The forensic software tools “carve out the documents for you,” he explained.
That's more useful than it might sound, because a forensic examiner does not browse files through the regular user interface. The examiner works from the raw contents of the disk, the bytes the computer itself reads, and carving recovers a file by recognizing the byte patterns that mark its beginning and end, which works even when the file has been deleted or renamed.
Copying the drive can take 3 to 12 hours. Then the real work begins: searching for sensitive data that has recently been accessed and transferred.
The Hollywood portrayal of computer forensics doesn't match the reality of Koenighain's work.
Unlike hackers in TV shows, computer forensics specialists must follow standardized search protocols that are tedious and time-consuming. Those protocols document exactly how the search was conducted, which is what makes any evidence discovered admissible in court.
“I'm going through it page by page, looking at all these symbols and letters and machine language,” Koenighain said. “It's a lot of long hours, a lot of coffee and Mountain Dew.”
When an employer becomes suspicious of an employee, they may have their internal IT staff undertake a search for evidence of misconduct.
While they sometimes succeed, Koenighain said, it also can lead to problems. If they don't take the right steps, they can change the dates and times recorded for when files were accessed or modified, destroying valuable evidence; simply booting the machine or opening a document can rewrite those timestamps.
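The timestamps at stake are the modification, access and metadata-change times the filesystem keeps for every file. As an added example, not from the article or from Koenighain's own procedure, the script below records those timestamps for a directory tree using `lstat()` alone, which reads them without altering them, and then shows what an untrained look at one file does to the record. The `Documents/budget.xlsx` and `Documents/notes.txt` files in `run_demo()` are constructed in a temporary directory for the demonstration.

```python
"""Baseline MAC timestamps before anyone touches a suspect machine.

Added example for this edit; not from the article or Koenighain's procedure.
The Documents/ files in run_demo() are constructed in a temp directory.
"""
import os
import tempfile
import time


def snapshot(root):
    """Record size and the three filesystem timestamps for every file under
    root. Only lstat() is used: it reads the inode and does not change any
    timestamp, whereas opening a file may update its access time and
    re-saving it certainly updates modification and change times."""
    record = {}
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            record[os.path.relpath(path, root)] = {
                "size": st.st_size,
                "mtime_ns": st.st_mtime_ns,  # content last written
                "atime_ns": st.st_atime_ns,  # content last read (mount-option dependent)
                "ctime_ns": st.st_ctime_ns,  # inode/metadata last changed
            }
    return record


def diff_snapshots(before, after):
    """Map each file whose metadata moved to the list of fields that moved;
    files that appeared or vanished are reported as such."""
    changes = {}
    for path in sorted(set(before) | set(after)):
        if path not in before:
            changes[path] = ["created"]
        elif path not in after:
            changes[path] = ["deleted"]
        else:
            moved = [k for k in before[path] if before[path][k] != after[path][k]]
            if moved:
                changes[path] = moved
    return changes


def run_demo():
    """Returns (fields changed on the file that was 'looked at', was the other file changed?).
    atime is left out of the first value because whether a read updates it
    depends on mount options (relatime, noatime), so it is not a reliable signal."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "Documents"))
        for name, body in (("budget.xlsx", b"x" * 100), ("notes.txt", b"y" * 50)):
            with open(os.path.join(tmp, "Documents", name), "wb") as f:
                f.write(body)
        before = snapshot(tmp)  # the baseline, taken before any search
        time.sleep(1.1)         # some filesystems keep whole-second timestamps
        # An untrained search: open the spreadsheet, look at it, save it back
        # unchanged. The bytes are identical afterwards, but the modification
        # time now points at the investigator instead of the suspect.
        target = os.path.join(tmp, "Documents", "budget.xlsx")
        with open(target, "r+b") as f:
            data = f.read()
            f.seek(0)
            f.write(data)
        changes = diff_snapshots(before, snapshot(tmp))
        touched = changes.get(os.path.join("Documents", "budget.xlsx"), [])
        other = os.path.join("Documents", "notes.txt") in changes
        return sorted(k for k in touched if k != "atime_ns"), other


if __name__ == "__main__":
    print(run_demo())  # (['ctime_ns', 'mtime_ns'], False)
```

The baseline is only as good as the moment it is taken: run it (or, better, image the drive) before the machine is powered back on or logged into, since the operating system itself updates timestamps at boot and logon.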
Behavior patterns are somewhat predictable when an employee is trying to hide computer files.
Secretive employees seldom store the sensitive files on the company's networked central servers, for example, Koenighain said. Instead, they tend to file them on the local drive of their desktop PC or laptop computer under misleading file names.
“It's the local work station that probably causes the most grief,” Koenighain said.
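File carving, the technique the forensic tools apply to the raw disk, is also what defeats the misleading file names just described: it ignores names and directory entries and finds files by the fixed byte patterns at their start and end. The block below is an added example written for this edit, not EnCase's carving engine or any code from the article. Its signature table covers only JPEG, PDF and ZIP-based Office documents (an assumption for illustration; real tools carry hundreds), and the sample "disk" in `build_sample_disk()` is constructed, with a truncated JPEG header included to exercise the case where a header has no matching footer.

```python
"""Signature-based file carving over raw disk bytes.

Added example for this edit; not from any forensic product or the article.
The disk image in build_sample_disk() is constructed, not real evidence.
"""

# (header, footer, bytes that follow the footer) for a few formats. The name
# on disk is irrelevant: a spreadsheet renamed to vacation.jpg still begins
# with the ZIP magic 'PK\x03\x04' that Office files use.
SIGNATURES = {
    "jpeg": (b"\xff\xd8\xff", b"\xff\xd9", 0),
    "pdf": (b"%PDF-", b"%%EOF", 0),
    "zip": (b"PK\x03\x04", b"PK\x05\x06", 18),  # EOCD record is 22 bytes with no comment
}


def carve(raw, signatures=SIGNATURES, max_size=16 * 1024 * 1024):
    """Scan raw bytes for each known header and, for each one, the nearest
    footer within max_size. No filesystem metadata is consulted, which is why
    carving recovers deleted and renamed files. A header with no footer in
    range (a truncated or overwritten file) is skipped. Returns a list of
    (kind, offset, length) sorted by offset."""
    found = []
    for kind, (header, footer, trailer) in signatures.items():
        pos = 0
        while True:
            start = raw.find(header, pos)
            if start == -1:
                break
            window_end = min(len(raw), start + max_size)
            end = raw.find(footer, start + len(header), window_end)
            if end == -1:
                pos = start + len(header)  # no footer: move past this header
                continue
            stop = min(len(raw), end + len(footer) + trailer)
            found.append((kind, start, stop - start))
            pos = stop
    return sorted(found, key=lambda hit: hit[1])


def extract(raw, signatures=SIGNATURES):
    """Return (kind, bytes) for every carved span; an examiner would write
    each one out under a name built from its offset, e.g. carved_000064.jpeg."""
    return [(kind, raw[off:off + length]) for kind, off, length in carve(raw, signatures)]


def build_sample_disk():
    """Constructed sample: three small files with real signatures sitting in
    zeroed 'unallocated' space, plus a JPEG header whose file was cut short."""
    jpeg = b"\xff\xd8\xff\xe0" + b"JFIF-pixels-go-here" + b"\xff\xd9"       # 25 bytes
    pdf = b"%PDF-1.4\n" + b"1 0 obj<<>>endobj\n" + b"%%EOF"                   # 32 bytes
    zip_ = b"PK\x03\x04" + b"local-header+data" + b"PK\x05\x06" + b"\x00" * 18  # 43 bytes
    truncated = b"\xff\xd8\xff\xe1" + b"\x00" * 8                             # header, no footer
    return (b"\x00" * 64 + jpeg + b"\x00" * 32 + pdf + b"\x00" * 32 + zip_
            + b"\x00" * 16 + truncated)


if __name__ == "__main__":
    for kind, offset, length in carve(build_sample_disk()):
        print(f"{kind:5} at offset {offset:6} ({length} bytes)")
```

Carved output still needs a sanity check before it is trusted: a JPEG or PDF carved this way may contain garbage past its true end if the footer pattern happened to appear later in unallocated space, so examiners open each carved file and compare its hash against the live copy when one exists.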
Portable memory devices - thumb drives or memory sticks - have made data theft easier in recent years, Koenighain said, because they can hold so much data. Even when no data is being stolen on a memory stick, Koenighain said, the devices themselves can be lost and fall into the wrong hands.
Koenighain started the business in 2007 after learning to build and repair computers on his own. He'd been fascinated by computer technology since the first personal computers became popular.
The business really took off after the Cedar River flood in 2008, which brought Koenighain business restoring data from hard drives damaged by floodwaters in the downtown area.
The work typically involved taking storage platters out of non-functioning hard drives, putting them in different hard drives, and trying to get the drives to read the data.
It worked much of the time, but Koenighain noticed that more of the recoveries were successful from computers on the east side of the Cedar River than the west side. He suspects the floodwaters on the west side may have been more corrosive, causing damage to the hard drive platters.
When Koenighain first started out, businesses with data recovery needs often had to send computers to companies in larger cities such as Minneapolis or Chicago to have data recovered. Since then, at least one other company has started up in Cedar Rapids.
Using a professional for computer forensics is highly important in lawsuit situations, Koenighain added. He's been hired not only by plaintiffs and defendants, but appointed by the court as a neutral third party to search corporate data files.
While most of his work is with businesses, Koenighain sometimes gets calls from computer repair shops to help ordinary PC users desperate to recover files from damaged hard drives.
The work can often run $1,000 or more, but personal data is often worth the price to its owners because of sentimental attachment, especially to photos.
Greg Koenighain says:
- Take the data backup rules seriously. Backing up data to external storage and also off-site if possible can save thousands of dollars and valuable time in the event of a disaster or external attack.
- If an employee is terminated or leaves under suspicion, quarantine their computer until it can be imaged.
- Adopt clear corporate policies for use of business information technology resources and information stored on company computers and networks to address security issues and ownership of data.
“Nowadays, you get a lot of employees who think they can do better and start another company,” says Greg Koenighain, owner of Midwest Computer Forensic Lab, “and they think it will go easier if they can take their contact list with them.” So the employer can hire a data recovery specialist such as Koenighain to reproduce all the data on the employee's hard drive and determine what's been copied, he says. (Liz Martin/The Gazette)