23 February 2004

Sleuthing in cyberspace

You suspect that a former colleague who recently joined a competing company has taken your firm’s computerised sales data records as well as its highly prized client list with him. What do you do? Is there anything that you can do?

Today, such records won’t leave your system without a trace. In the right investigative hands, not only can the identity of the culprit be traced, but also how, when and where those valuable records were transferred elsewhere, printed or copied.

And that’s not all: e-mails that a sender thought had been deleted can be resurrected — as well as any lewd pictures that have been downloaded. Like a homicide team scouring a murder scene for any clues that may lead to the killer, a computer forensics investigator on a cyber-crime scene sees the trail of message fragments, e-mails and key words as a potential path to the data thief.

“People don’t appreciate how much of a trace is left on a computer system and there may be evidence there that may not exist elsewhere,” says Phillip Sealey, head of forensic technology at accountancy firm Deloitte in London, where, Sealey notes, the demand for computer forensic services has grown exponentially in recent years. White-collar crimes, running the gamut from copyright infringement to sexual harassment and fraud, are prime candidates for such investigations.

Probably the most notorious instance in which this evolving science is being applied is the fallout from Operation Ore — thousands of cases involving suspected British customers of a United States child pornography website need to be examined to see if there is enough evidence for the police to prosecute users. The sheer volume of work arising from this investigation alone is said to have so overloaded British police departments’ high-tech crime units that some of their work has been contracted out to private companies.

“We don’t see it slowing down,” says Joel Tobias, managing director of two-year-old Manchester computer forensics company CY4OR. “Ninety percent of our cases are for law enforcement and immigration cases and of that 90%, a lot may involve child pornography. We’ve got three-and-a-half months’ work in hand for now.”

While some workplace investigations involve allegations of downloading inappropriate images on the job, the majority of office-based cases involve intellectual property (IP) theft. A recent survey of 400 United Kingdom business professionals by global computer forensics company ibas found that nearly 70% had stolen some form of corporate IP from their employer when leaving a job — most commonly, e-mail address books (taken by 54,3% of leavers), sales proposals or presentations (32,6%), and customer databases and contact information (30,4%).

“Electronic systems are not as secure as paper — they can’t be locked away,” says solicitor Michael Bywell, a partner in the technology, media and communications group at City of London law firm DLA. “More businesses conduct their business today by computers, so there’s a certain inevitability about all this.”

Laptops, servers, personal digital assistants, cellphones and tape recordings are all potential sources of evidence for investigators, but their primary aim is always to “image” (copy) the hard disk of the PC believed to be involved in the wrongdoing. But just as important as having the image is keeping the possible crime scene as pristine as one would the scene of a robbery or murder so investigators can consider the whole picture — and any waiting evidence remains untainted.

“The most exciting aspect is probably the sense of satisfaction that I get when we get a case, and nothing seems to be there — and then we run some of our tools across the hard drive, and all sorts of evidence starts coming out,” says Matthew Trump, a graduate in Russian studies from the University of Nottingham in the UK, but such a computer enthusiast that he persuaded CY4OR to take him on as a forensics trainee eight months ago.

What this new breed of investigator is eager to point out, however, is that finding evidence of wrongdoing on a particular PC does not necessarily prove that its primary user is guilty, even if the perpetrator used that user’s login to sign on. That’s where a broader set of investigative skills comes in to look into contextual details. Was the primary user at work at the time the “smoking gun” material was being created or sent on that computer? Was a particular site visited on purpose — or by accident? “A computer is part of an overall picture — not taken in isolation,” notes Chris Watson, a computer forensics expert with ibas’s UK office.

Simon Janes, the company’s MD and a former Scotland Yard investigator, says: “You have to look at the incident as a whole — what motivation exists, what abilities were needed to do this and the perceived opportunity for success.”

Beginning such an investigation at all, however, requires employers to consider employee rights and privacy issues. Solicitor Ana-Maria Norbury, at London firm Baker and McKenzie, emphasises that employers must bear in mind that there are implied terms of trust and confidence between them and their employees. If the employer has reasonable grounds to suspect that something untoward is going on, then they are, as common sense would suggest, able to breach these with relative impunity. Equally, however, they are not free simply to search wherever they like without reason.

“Random testing of all computers could lead to all kinds of problems,” says Norbury.

She also suggests that employers should have a policy that clearly lets employees know that their e-mail and Internet usage could be monitored and informs them “what you’re doing and what information you’re looking for”, in order to balance the rights of both employer and employee. Employers must identify the reason for monitoring or investigating, says Norbury, and ensure that these practices don’t go further than necessary.

Future uses of this electronic-age science are being busily explored. Daryl Hamilton Wallis of Bridgend-based Fields Associates, a registered expert witness for these types of investigation, is intrigued by the possibilities computer forensics offer in terms of psychological analysis — most obviously through analysing which websites are being visited and using changing patterns of Web use to identify behavioural changes. “Its applications could extend from companies wishing to keep an eye on the psychological welfare of their employees to early warnings of whether industrial sabotage was more likely to happen internally than from outside,” says Hamilton Wallis.

If a person suddenly starts visiting websites featuring expensive real estate for sale, for example, or luxury holidays, those visits could suggest that the person expects a change in circumstances, or is displaying a personal vision of his future that is not compatible with his or her current situation.

If this all sounds a bit Big Brotherish, Hamilton Wallis emphasises that such scrutiny of employees would have to be based on an open company policy of informing the workforce that these tools were being used — think of it as akin to a sobriety test, he suggests.

“This can only be done in an environment where people are pre-warned,” he says.

While such uses undoubtedly form part of the future, he warns that the greatest danger now to businesses is letting their suspicions of possible wrongdoing fester without taking action. Electronic trails may not disappear entirely, but the longer bosses put off calling in experts to examine what’s happening, the more difficult it can become to pick up the scent and start piecing together the evidence. “It’s human nature — we can’t believe a disaster when it happens,” Janes says. “We want to accept a normal explanation. ‘It can’t be fraud, it must be a mistake’, we think. Six months later, we realise maybe it wasn’t a mistake.”

The very idea of cyber-crime may be enough to intimidate technophobe employers and deter them from investigating their suspicions — in part because the specialist skills needed to search out the evidence most assuredly lie outside their own organisations. And bringing experts on board to scrutinise the situation isn’t cheap.

But employers discount this burgeoning science at their own risk — by losing their investments in intellectual property, failing to unearth the truth about sexual harassment allegations, and potentially missing out on evidence for other workplace crimes, they are, in some sense, abdicating their professional — maybe even moral — responsibilities. As the experts like to say, cyber-crime is just like any other crime; it simply involves a computer.