Sherlock Holmes and a whole pack of sniffer dogs would be little use in the fight against 'cyber-crime'. But fortunately, computer forensics is beginning to come into its own. DeeDee Doke reports
Tim Allen, a businessman from Ashford in Kent, suspected that the business competitors next-door to his engineering company were up to no good. Frustrated at his lack of rock-solid evidence to prove it, he took a daring chance. "I went dumpster-diving," he says. And he found just what he was looking for.
"When I went through their dustbins, I found some engineering drawings which I recognised. I recognised them as being of the style and presentation that we had produced in our own factory," he says.
But simply having drawings wasn't enough. The company name on the computer-produced drawings had been altered to reflect the name of the business next door. How could a connection be made between the drawings that Allen had found and his company's intellectual property? To make that missing link, Allen's solicitors stepped in and hired investigators with a special blend of expertise that's growing in demand: computer forensics.
From intellectual property (IP) theft to downloading child pornography from the internet, cyber-crime is on the rise in the UK - and UK businesses are increasingly finding themselves either facing court orders so that police can scrutinise their computers, or wondering whether their own computers are party to some form of wrongdoing.
Consider these statistics:
- Nearly 70 per cent of UK business professionals have stolen some form of corporate IP from their employers when leaving a job, according to Ibas, an international specialist in computer forensics. It says the most common way to steal IP is by sending copies of documents and files to personal e-mail accounts.
- A police survey of 201 of the UK's largest companies revealed that 83 per cent had experienced some form of cyber-crime in 2003, costing more than £195m in business downtime, lost productivity and perceived damage to their brand or share price.
- There have been more than 1,200 arrests and 655 convictions on child pornography charges in the UK alone following an international investigation into the use of a paedophile internet site run by a computer consultant in Texas.
Police investigating Lincolnshire-based accounts clerk Andrew Tatam on related child pornography offences seized 13 computers - including some from his workplace - during their inquiry. They subsequently found 495,524 images of child pornography, part of a 20 million-image pornographic database. He was convicted and sentenced to five years in prison.
The ugly truth
For business, these figures paint an ugly picture - and police and consultants alike agree that HR must be at the forefront of protecting companies' interests as modern cyber-battles ensue, especially when employees are involved.
"HR is really a key area whenever such an incident happens - it's based around a member of staff using equipment," says Chris Watson, operations director at Evidex, a Surrey-based computer forensics training firm. "HR is almost always going to be the department that deals with and controls any particular incident."
HR stands at the core of all the issues surrounding potential wrongdoing with computers in the workplace. Disciplinary matters, human rights issues, data protection and workplace privacy, employment contracts and more, all come under HR's jurisdiction.
And not only is HR going to play a crucial role if and when an incident giving cause for concern takes place: perhaps even more importantly, HR must take the initiative to either prevent such incidents in the first place, or to give the company legal recourse should a computer-related offence occur (see box on page 21).
The enemy within
Take Allen's case. His company, the MJ Allen Group, has no HR department. As group managing director, Allen handles all the HR issues, and a major contributor to his problems with his troublesome neighbours stemmed from a basic HR issue - a lack of contracts with his staff.
The MJ Allen Group bought the Tamworth-based British Midland Tool (BMT) out of receivership in 1989. Allen kept the company's previous original owners "on a nice old fashioned basis; we all shook hands" - only to have them turn on the new owner a decade later. One of BMT's senior leaders 'retired' from the company in 2000 only to set up shop as a direct competitor next door to the BMT facility, hiring about two dozen of BMT's staff and luring away most of its customers. While the MJ Allen Group's solicitors agreed with their clients that the situation did not seem fair, it appeared that nothing could be done.
When Allen found the drawings, however, the game changed. A court order to study the computers of both BMT and the competitors was obtained. At the request of Allen's solicitors, Cripps and Shone in Buckinghamshire, computer forensics specialists Vogon International took the computers away for months of scrutiny. Before that time, Allen only had a vague idea of what computer forensics was about.
"I didn't have any real knowledge of it," Allen recalls. "I knew there were people who were able to reconstruct information and such, but I didn't have anything more than a sort of James Bond image of it."
The HR lessons have been learned the hard way at MJ Allen. With the help of its solicitors, new contracts with restrictive covenants have been created for new senior employees to sign when they join. "And so far as existing employees are concerned, we now have formal contracts between us," Allen says.
Thanks to what Vogon investigators found on the two computers through forensic investigation, Allen ultimately won his court case, which was finally settled in January in an out-of-court settlement. However, his victory was somewhat bittersweet - BMT's company name still exists, but it is no longer a trading entity.
Allen's company was only able to recoup its legal costs, but he still believes the tens of thousands of pounds his company shelled out on the computer forensics portion of the case was money well spent.
"Without that, it would have been pretty difficult to have won," he says. "I think that without being able to show they stole these drawings from our computer, proving that we'd been done wrong would have been much more difficult."
The computers involved in Allen's case were scrutinised roughly a year after the upstart competitors left MJ Allen. What happens when you suspect something amiss is going on right here, right now?
Clearly, HR must work closely with IT to create an environment where effective computer forensics investigations can take place. "It is extremely important that IT and HR departments work together when dealing with disciplinary cases involving cyber-crime to uphold the policy and ensure mistakes aren't made in the investigative process," says David Roberts, chief executive of the Corporate IT Forum - an independent organisation representing the corporate IT end-user community.
Roberts recommends the use of outside experts to investigate suspected cyber-crimes. "Sometimes in serious cases, it is better just to leave the computer completely undisturbed and call in the experts, as the slightest change can erase crucial evidence - which could damage the case if it goes to court," he says.
Evidex's Chris Watson, a former City of London policeman who helped create that department's computer crime unit, takes the recommendation a step further. "The first rule is, do not be tempted to have a look yourself," he says. "If the machine is on when you get to it, either take a photograph or sketch what's on the screen, because that could be pertinent evidence. Then pull the plug on that machine - I mean literally. Pull the plug out from the wall. Don't shut it down, or close down the programs."
Then, Watson suggests, start a continuity file that includes the current time, date, computer serial and model number, your name and what action you took. The computer should then be sealed, even if it is just in an ordinary black bin liner. "Seal it with sellotape and put a label on it," Watson says. "Then lock it up somewhere. Once you've secured it, you can sleep easily over the weekend."
Keep in mind that virtually every type of electronic device may be used in committing a cyber-crime, from PCs and laptops to mobile phones and personal digital assistants. And while a thorough investigation into possible cyber-crimes can be expensive in terms of time and money, HR's investment of time and expertise may well turn out to be an insurance policy of the best kind.
Top 10 computer forensics tips for HR professionals
- It is vital to have a comprehensive company policy in place covering the (mis)use of computers. This should form part of the employee manual.
- Define precisely what you mean by terms such as 'acceptable' or 'misuse'. The more detail you provide, the less room there is for interpretation and legal argument if a case goes to court.
- Make sure new joiners are taken through the computer usage policy, and sign a form acknowledging that they have read and understood the document. Should an incident occur, you will need to be able to show that an employee was fully aware of the policy and the consequences for breaching the policy.
- Make sure you understand your role and responsibilities as part of an incident management team. Incident handling needs to be highly co-ordinated and controlled to be effective - every minute counts.
- Make sure investigations are kept completely confidential until they are complete. The premature leak of information may lead to people jumping to the wrong conclusions, and could seriously impede the successful conclusion of the investigation.
- Make sure an audit trail is kept at all times. If a case goes to court, you will need to be able to back up your version of events.
Call in the experts
- Evidex: 020 8335 1753