COMPUTER FORENSICS
DESERVE A PLACE IN YOUR HUMAN RESOURCE TOOLKIT

Executive Summary

Computers contain evidence useful in many human resource circumstances. Allegations of discrimination, sexual harassment, and unfair discharge are serious threats that are better understood by knowing what an employee did. Since computers are such a pervasive part of most employees' work lives, analysis of data stored on these computers helps address these issues. Human resource and/or legal department investigations are incomplete without computerized information.

Theft of trade secrets can also be combated with computer forensics. No business wants to allow a competitor to hire an employee, and in the process steal valuable confidential information. In most cases, the stolen information is stored on computers, with computers used to initiate the theft.

Computer forensics can trace the steps used by a misbehaving or dishonest employee to provide you the evidence needed for fair and resolute decisions. Most operating systems store massive amounts of information. Much of this evidence is difficult to eliminate.

The cost of properly collecting and analyzing this evidence is miniscule compared to what your company is already paying for such incidents. When done properly, computer forensics generate significant savings.

Why Your Information Technology Group Should Not Do this Work.

The emphasis of any computer forensic investigation must be on obtaining unquestioned evidence. Although technical knowledge is certainly required, legal processes, the integrity of evidence, and a clear and concise reporting by an independent expert witness should be the focus. To accomplish your objectives, specific procedures must be followed with specialized software.

Most information technology personnel focus on network administration and user support, rather than the specialized procedures and software that is required to preserve evidence. Even if your in-house personnel had the necessary tools and training, they (i) will be viewed as lacking independence, (ii) will not have the legal-related experience, and (iii) may not be qualified to serve as an expert in computer forensic investigations in court.

Electronic evidence is fragile, and can be easily altered or erased without proper handling. Finding the "smoking gun" will be of little value if you fail to establish that the data was not tampered with or otherwise corrupted. Unless a trained specialist performs the recovery and analysis, the information could be easily destroyed, discredited, or never found. This happens because:

• All files opened by your IT department show an access date/time that proves someone other than the subject employee had access to the critical files. In this situation, it is difficult to establish that the suspect employee was responsible for whatever you find.
• The mere act of turning on a computer, looking at directories and opening files will cause the operating system to write information on the hard drive, thus overwriting information that might otherwise be useful.
• Deleted, disguised, or hidden information is easily overlooked. Some of this information is stored in normally inaccessible areas of the hard drive.

In an attempt to avoid the use of specialized software, an in-house solution often involves copying the disk under investigation onto a newly formatted disk. This approach is incomplete. First, a copy made through Windows or DOS will include only those files that the system has been told to "remember". As a result, data on the disk from "deleted" information, and slack (the data remaining in the unused portion of each sector) will not be included. Second, a reformatted disk continues to house remnants of prior data because the reformatting process does not remove all information from the disk. As a result, data having nothing to do with the investigation will corrupt the results.

Most companies just want to know what the employee was doing. Because these companies do not plan to get into a dispute, they rationalize doing the investigation themselves. This is usually a mistake. The reality is that no one "plans" to have a dispute. Our courts are full of cases where the people involved would have preferred to resolve their dispute by dealing with a reasonable adversary. Unfortunately, adversaries often do not see the world the way that you do. The best way of protecting your interests and reaching a settlement is to have strong evidence that supports your position. The vast majority of our clients do not go to court - but that happens because the other side understands the strength of the evidence that they face. If your concerns are important enough to warrant an inspection, it is worth doing the inspection properly.

How Should One Deal with this Fragile Evidence?

Merely booting the subject computer in a Windows environment will alter critical date stamps, erase temporary data, and cause hundreds of writes to the drive. Each of these actions overwrites data that may be important to the investigation. Therefore, until you obtain expert assistance, if the computer is on, leave it on. If it is off, leave it off.

Specialized computer forensic software ensures that the subject's computer is not altered in any way during the evidence acquisition process. After initiation of a special boot procedure, the examiner uses software to create a "mirror" of the targeted storage. The examiner converts this created image to a read-only drive, as the only practical means of ensuring that data is not altered or lost in the course of the investigation.

A mirror image of a disk is a "bit level" copy. It includes all information on the disc regardless of whether the computer operating system recognizes the data as an existing file.

To prove that no data has been altered, computer forensic software employs an algorithm to generate an image hash value. The algorithm calculates a numerical value based on the exact contents of the drive that was imaged. If any data on the image changes, even something as little as the addition of a single keystroke or changing the case of a single character, the hash total changes. This provides irrefutable evidence that the data is not altered.

What Can I Do to Ensure Successful Use of this Information?

• Obtain an image of computer disks and other storage media used by a departing employee as part of your routine documentation for "difficult" employees. A difficult employee includes anyone (i) whose discharge is likely to be disputed, (ii) likely to raise claims of inappropriate employer conduct, and (iii) leaving to work for a competitor. If this is not done, by the time problems are better known, the former employee's computer will likely have been passed on to the next user. Through routine ongoing use, the integrity of the evidence from the former employee will be compromised.

  Preferably, computer data should be part of your proactive HR decisions. However, even if computer forensic data was not collected initially, it can still be useful later to corroborate decisions. Further, many claims from employees and thefts by employees are uncovered after the employee's departure. In all these cases, the computerized mirror image can be archived for later use.

• Ensure that your personnel policies communicate expectations regarding the lack of employee privacy when using company computers and electronic systems. Similarly, your policies should include a statement regarding a code of conduct or acceptable use policy with respect to the company's systems. Employees should confirm their knowledge of these policies, preferably in writing. Most companies already do this as part of their overall HR practices.

  Get the advice of legal counsel before performing a covert investigation. You should understand the employee's rights to privacy, if any.

• Do not confront the suspect until you have considered covert options. Once an employee is aware of your suspicions, significant electronic information can be deleted or altered by the suspect. Although "deleted" information may be recoverable, do not take that chance. By acting before the suspect makes attempted erasures, covert investigation provides a greater opportunity to collect irrefutable evidence, at an overall lower cost.

Where is all this Evidence?

Computers record massive amounts of information about user activities. Both applications and the operating system record this information, sometimes in more than one location. Deleting files, emptying the recycle bin, and clearing the memory of browsers or other applications does not remove information from all locations.

Because of this, important information can be obtained from rather obvious (if you know about them) usage logs and storage. A computer user that wishes to cover his tracks can clear some of this information, but some subjects are careless, unsophisticated, and/or surprised by your investigation. However, even crafty and sophisticated people will have trouble eliminating everything. Even the act of eliminating information will leave tracks.

When dealing with those crafty and determined people that think they can cover their tracks, the "magic" of computer forensics is well worth its cost. In most investigations, here is the type of information you will receive:

• Deleted files (or portions thereof) that remain on the disk because subsequent activity has not yet overwritten them.
• A listing of deleted file names, even if the files themselves cannot be recovered. This is useful in showing use of unauthorized programs, or files with suspicious names.
• Internet sites visited, regardless of the browser settings or deletion of the browser history. This information is stored in hidden system files, parts of the Windows registry, and as remnants of web addresses that remain in "unoccupied" file space.
• Information and graphics from internet sites visited (we often find images that are clearly against almost every company's policies).
• The existence of suspicious applications, or the fact that they were used. Examples of troubling applications are those used to transmit files, communicate with unauthorized remote computers, prevent data recovery, crack passwords, encrypt files, or perform computer hacking.
• Information remaining in swap files, page files and other temporary Windows files. These files generally show what the user was working on recently, even if not otherwise saved.
• Information contained in hidden and password protected files from just about any well-known file type.

Although perhaps obvious, an investigator can sort and search computerized text and numeric data using powerful software. This allows the investigator to find information rapidly, using key word searches. Similarly, the investigator can typically identify target file types, including files where the person being investigated attempts to hide something by changing a file extension.

Although the data may be easy to retrieve (e.g., files that remain intact, recycle bins, browser history and temporary files), you still need to be able to prove that the subject is the one responsible for the evidence. Even for the evidence that is obvious, procedures that prove the source of the data are still important.

What Will This Cost and What Reports Will I Receive?

Creation of the disk image is most cost effectively performed in our offices. In this case, our labor charges for creating a mirror image and performing an initial battery of recovery and processing tasks currently costs $800. We will also bill for storage media (currently around $100 for each hard drive being imaged, but this varies based upon the disk size).

Our flat fee includes an email report that shows (when such information is available):

• A list of all file names, sizes, extensions, date created, and date last modified for all current files on the disk
• An initial list of the names, sizes, extensions, date created, and date last modified for "deleted" files that perhaps can be recovered
• A list of recent files that were deleted on the system, even if the file cannot be recovered
• An initial list of troubling internet sites visited with this computer sorted by categories (e.g., pornography)
• A list of internet temporary files that remain on the computer
• An initial list of deleted graphic (picture) files that are on the disk, regardless of whether the file extension has been altered
• A listing of certain suspicious software that is not normally part of the software most companies provide to their employees
• Identification of the disk examined along with detailed evidence documentation

Performing the work in our office requires that the subject hard disk be unplugged from the computer and sent to us. Alternatively, we can bring our equipment to your offices and create an image there. Usually, this is part of a covert investigation without the employee being present. If done at your location, there are additional charges for travel and the time we are at your location. The copying time depends on the size and speed of the disk we are imaging. Generally, a 20GB disk will take several hours to image, and will cost about twice the amount (not including travel time) charged if we perform the work in our office. Larger drives are proportionately more time consuming.

If you have specific concerns, we can tailor our search and analysis to meet your specific needs. Our initial report will often highlight areas for potential additional work. You may want to do some inspections yourself, in which case we will send you the relevant files. If you authorize additional work, we bill for this at a competitive hourly rate.

95% of Investigations are Incomplete.

The recent eighth biennial study by Ernst & Young regarding fraud prevention, detection, and investigation included a shocking statistic. Ninety-five percent of formal investigations ignored computerized information and computerized tools. In light of the overwhelming prevalence of computers and the modest cost of gathering electronic evidence, this is inexcusable.

The companies in this survey that used outside consultants provided an amazing show of client satisfaction. Approximately 90% of the companies that used outside forensic auditors were satisfied with the investigation. The wealth of information available from computer forensics can easily determine the outcome of a dispute or potential dispute.

The Fulcrum Advantage

We are not just computer techies. Our firm includes forensic accountants that regularly conduct financial investigations. Our broader expertise allows us to (i) separate the important from the unimportant, and (ii) interpret the results from the overall perspective of your business and its records. By using a single service provider for these related tasks, our work is more complete, better coordinated, and costs less.

Our firm is quite experienced in civil litigation. Should your employee make a claim, or you have a claim of stolen proprietary information, we are well equipped to support your case. Because of this experience, we know how to convert our methodology and conclusions into persuasive information for a judge and jury.

We use updated and sophisticated forensic software. This is important because technology is constantly changing. Our work is of the highest caliber, yet we charge less than the larger firms. You get "big firm" results at a "small firm" price.

David Nolte is a principal at Fulcrum Financial Inquiry LLP with over 30 experience performing forensic accounting, auditing, business appraisals, and related financial consulting. He regularly serves as an expert witness.

See Fulcrum Financial's Profile on Experts.com.

©Copyright 2003 - All Rights Reserved

DO NOT REPRODUCE WITHOUT WRITTEN PERMISSION BY AUTHOR.