Cracking Down On Crime

New software tools and tactics help investigators search computers and networks for evidence that lawbreakers thought they had deleted
Technology has played a role in criminal investigations since before Sherlock Holmes' time. But today's gumshoes are as likely to be skilled in reading spreadsheets as rap sheets, screen shots as mug shots, and paper trails as powder trails, thanks in part to new laws such as the Sarbanes-Oxley Act and the USA Patriot Act.

So corporate felons beware: Those files you thought you erased can and will be used against you in a court of law. Investigators today possess software tools that search PCs, servers, and networks for evidence such as text files, images, and E-mails that can be used to ferret out white-collar criminals.

In searching for bits of evidence, investigators look in places many computer users don't even know exist: the unallocated space on a drive, which still holds fragments of deleted files or, if they're lucky, the entire file.
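As an added illustration of that point (example code, not from the article or from any tool it names), here is a toy model of a sector-based file system in Python: deleting a file only drops its directory entry, and a header/footer signature carve over the unallocated sectors still recovers the content. The directory layout, the file names and the `MEMO:` marker are constructed assumptions; the JPEG start/end markers are real.

```python
import re

SECTOR = 512  # block size of the constructed toy image

# Signatures the carver looks for: (label, header, footer).
# The JPEG markers are real; "MEMO:"/"--END--" is a constructed marker.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("memo", b"MEMO:", b"\n--END--"),
]

def build_image(files):
    """Lay files out sector-aligned; sector 0 is the directory table."""
    entries, data = [], b""
    for name, blob in files:
        start = 1 + len(data) // SECTOR
        nsec = -(-len(blob) // SECTOR)  # ceiling division
        entries.append(f"{name},{start},{len(blob)}")
        data += blob.ljust(nsec * SECTOR, b"\x00")
    directory = "\n".join(entries).encode().ljust(SECTOR, b"\x00")
    return directory + data

def list_files(image):
    """What the file system reports: only entries still in the directory."""
    table = image[:SECTOR].rstrip(b"\x00").decode()
    return [tuple(e.split(",")) for e in table.split("\n") if e]

def delete_file(image, name):
    """Unlink the way most file systems do: drop the directory entry and
    leave the data sectors untouched, so they become unallocated space."""
    kept = [e for e in list_files(image) if e[0] != name]
    directory = "\n".join(",".join(e) for e in kept).encode()
    return directory.ljust(SECTOR, b"\x00") + image[SECTOR:]

def unallocated(image):
    """Sectors no directory entry references, concatenated in image order."""
    used = set()
    for _, start, length in list_files(image):
        start, length = int(start), int(length)
        used.update(range(start, start + -(-length // SECTOR)))
    total = len(image) // SECTOR
    return b"".join(image[s * SECTOR:(s + 1) * SECTOR]
                    for s in range(1, total) if s not in used)

def carve(blob):
    """Recover whole files from raw bytes by header/footer signature."""
    found = []
    for label, head, tail in SIGNATURES:
        pat = re.compile(re.escape(head) + b".*?" + re.escape(tail), re.DOTALL)
        found.extend((label, m.group(0)) for m in pat.finditer(blob))
    return found
```

Run `carve(unallocated(img))` before and after `delete_file` to see the "deleted" memo reappear from the sectors the directory no longer tracks.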

Such a search can produce the smoking gun in a case, says Ives Potrafka, senior examiner at the Center for Computer Forensics, a private company that assists law firms and legal departments. Before joining the company, he spent four years with the High Tech Crimes Unit of the Michigan attorney general's office.

Computer forensics is a combination of science and art. "It's a marriage of technology and good old-fashioned detective work," he says.

In one case, a client sued a brokerage firm, alleging that it had denied access to its Web site, preventing the client from executing a large trade in 2000. By the time the case came to trial two and a half years later, the firm assumed that all relevant electronic files had been deleted. Using sophisticated search tools, however, the center was able to find Web-site records proving that the client had indeed visited the site on the day in question. The case was thrown out of court.

Since the Enron case, in which Enron's auditor, Arthur Andersen, destroyed piles of evidence, recovery and analysis of data have come to form a central part of internal investigations. Also, provisions in Sarbanes-Oxley require companies to collect, search, and preserve electronic data.

The Sarbanes-Oxley Act isn't the only thing likely to trigger forensic investigations. The California Security Breach law requires companies to investigate and report incidents in which customer-account information has been compromised. The Basel Committee, an international regulatory body, requires banks to collect and preserve forensic evidence to "contain and mitigate incidents, ensure business continuity, and prosecute the perpetrator."

There's still an extensive backlog of pre-Sarbanes-Oxley investigations waiting to be tackled, says Philip Upton, head of forensic technology solutions at PricewaterhouseCoopers. Investigations can take months or, in some cases, years.

Investigations can be triggered by noncompliance issues, such as violation of company policies, circulation of inappropriate content, or misappropriation of information. Sonnenschein, Nath & Rosenthal LLP, a 600-attorney law firm, has a thriving computer-forensics practice. It uses Guidance Software Inc.'s EnCase to create bit images of the hard drives of up to 20 PCs simultaneously, cutting 90% off the time it would take to search each hard drive separately.

Computer-forensics software is a fast-growing part of the $500 million-a-year corporate investigations industry; Guidance's revenue doubled from $10 million in 2002 to $20 million last year, and it's projected to double again this year as companies build in-house investigative capabilities while still relying on outside consultants for more-difficult cases.

Computer forensics has evolved steadily as a discipline, says Jim Doyle, director of Northeast operations at Guidance. Like many in the profession, he's a former cop. In 1995, he was tapped to form the New York Police Department's computer crimes unit, which dealt with investigating computer-related crimes. Recruits were given a crash course in evidence-gathering techniques. Says Doyle, "We took detectives off the street working on homicide, rape, and robbery cases and made them computer crime investigators."
