Sniffing out the evidence

Holmes and a whole pack of sniffer dogs would be little use in the fight
against ‘cyber-crime’. But fortunately, computer forensics is beginning to come
into its own. DeeDee Doke reports

Tim Allen, a businessman from Ashford in Kent, suspected that the business
competitors next-door to his engineering company were up to no good. Frustrated
at his lack of rock-solid evidence to prove it, he took a daring chance.
"I went dumpster-diving," he says. And he found just what he was
looking for.

"When I went through their dustbins, I found some engineering drawings
which I recognised. I recognised them as being of the style and presentation
that we had produced in our own factory," he says.

But simply having drawings wasn’t enough. The company name on the
computer-produced drawings had been altered to reflect the name of the business
next door. How could a connection be made between the drawings that Allen had
found and his company’s intellectual property? To make that missing link,
Allen’s solicitors stepped in and hired investigators with a special blend of
expertise that’s growing in demand: computer forensics.

From intellectual property (IP) theft to downloading child pornography from
the internet, cyber-crime is on the rise in the UK – and UK businesses are
increasingly finding themselves either facing court orders so that police can
scrutinise their computers, or wondering whether their own computers are party
to some form of wrongdoing.

Consider these statistics:

– Nearly 70 per cent of UK business professionals have stolen some form of
corporate IP from their employers when leaving a job, according to Ibas, an
international specialist in computer forensics. It says the most common way to
steal IP is by sending copies of documents and files to personal e-mail

– A police survey of 201 of the UK’s largest companies revealed that 83 per
cent had experienced some form of cyber-crime in 2003, costing more than £195m
in business downtime, lost productivity and perceived damage to their brand or share

– There have been more than 1,200 arrests and 655 convictions on child
pornography charges in the UK alone following an international investigation
into the use of a paedophile internet site run by a computer consultant in

Police investigating Lincolnshire-based accounts clerk Andrew Tatam on
related child pornography offences seized 13 computers – including some from
his workplace – during their inquiry. They subsequently found 495,524 images of
child pornography, part of a 20 million-image pornographic database. He was
convicted and sentenced to five years in prison.

The ugly truth

For business, these figures paint an ugly picture – and police and
consultants alike agree that HR must be at the forefront of protecting
companies’ interests as modern cyber-battles ensue, especially when employees
are involved.

"HR is really a key area whenever such an incident happens – it’s based
around a member of staff using equipment," says Chris Watson, operations
director at Evidex, a Surrey-based computer forensics training firm. "HR
is almost always going to be the department that deals with and controls any
particular incident."

HR stands at the core of all the issues surrounding potential wrongdoing
with computers in the workplace. Disciplinary matters, human rights issues,
data protection and workplace privacy, employment contracts and more, all come
under HR’s jurisdiction.

And not only is HR going to play a crucial role if and when an incident
giving cause for concern takes place: perhaps even more importantly, HR must
take the initiative to either prevent such incidents in the first place, or to
give the company legal recourse should a computer-related offence occur (see
box on page 21).

The enemy within

Take Allen’s case. His company, the MJ Allen Group, has no HR department. As
group managing director, Allen handles all the HR issues, and a major
contributor to his problems with his troublesome neighbours stemmed from a
basic HR issue – a lack of contracts with his staff.

The MJ Allen Group bought the Tamworth-based British Midland Tool (BMT) out
of receivership in 1989. Allen kept the company’s previous original owners
"on a nice old fashioned basis; we all shook hands" – only to have
them turn on the new owner a decade later. One of BMT’s senior leaders
‘retired’ from the company in 2000 only to set up shop as a direct competitor
next door to the BMT facility, hiring about two dozen of BMT’s staff and luring
away most of its customers. While the MJ Allen Group’s solicitors agreed with their
clients that the situation did not seem fair, it appeared that nothing could be

When Allen found the drawings, however, the game changed. A court order to
study the computers of both BMT and the competitors was obtained. At the
request of Allen’s solicitors, Cripps and Shone in Buckinghamshire, computer
forensics specialists Vogon International took the computers away for months of
scrutiny. Before that time, Allen only had a vague idea of what computer
forensics was about.

"I didn’t have any real knowledge of it," Allen recalls. "I
knew there were people who were able to reconstruct information and such, but I
didn’t have anything more than a sort of James Bond image of it."

The HR lessons have been learned the hard way at MJ Allen. With the help of
its solicitors, new contracts with restrictive covenants have been created for
new senior employees to sign when they join. "And so far as existing
employees are concerned, we now have formal contracts between us," Allen

Thanks to what Vogon investigators found on the two computers through
forensic investigation, Allen ultimately won his court case, which was finally
settled in January in an out-of-court settlement. However, his victory was
somewhat bittersweet – BMT’s company name still exists, but it is no longer a
trading entity.

Allen’s company was only able to recoup its legal costs, but he still
believes the tens of thousands of pounds his company shelled out on the
computer forensics portion of the case was money well spent.

"Without that, it would have been pretty difficult to have won,"
he says. "I think that without being able to show they stole these
drawings from our computer, proving that we’d been done wrong would have been
much more difficult."

The computers involved in Allen’s case were scrutinised roughly a year after
the upstart competitors left MJ Allen. What happens when you suspect something
amiss is going on right here, right now?

Clearly, HR must work closely with IT to create an environment where
effective computer forensics investigations can take place. "It is
extremely important that IT and HR departments work together when dealing with
disciplinary cases involving cyber-crime to uphold the policy and ensure
mistakes aren’t made in the investigative process," says David Roberts,
chief executive of the Corporate IT Forum – an independent organisation
representing the corporate IT end-user community.

Roberts recommends the use of outside experts to investigate suspected
cyber-crimes. "Sometimes in serious cases, it is better just to leave the
computer completely undisturbed and call in the experts, as the slightest
change can erase crucial evidence – which could damage the case if it goes to
court," he says.

Evidex’s Chris Watson, a former City of London policeman who helped create
that department’s computer crime unit, takes the recommendation a step further.
"The first rule is, do not be tempted to have a look yourself," he
says. "If the machine is on when you get to it, either take a photograph
or sketch what’s on the screen, because that could be pertinent evidence. Then
pull the plug on that machine -I mean literally. Pull the plug out from the
wall. Don’t shut it down, or close down the programs."

Then, Watson suggests, start a continuity file that includes the current
time, date, computer serial and model number, your name and what action you
took. The computer should then be sealed, even if it is just in an ordinary
black bin liner. "Seal it with sellotape and put a label on it,"
Watson says. "Then lock it up somewhere. Once you’ve secured it, you can
sleep easily over the weekend."

Keep in mind that virtually every type of electronic device may be used in
committing a cyber-crime, from PCs and laptops to mobile phones and personal
digital assistants. And while a thorough investigation into possible
cyber-crimes can be expensive in terms of time and money, HR’s investment of
time and expertise may well turn out to be an insurance policy of the best

Top 10 computer forensics tips for HR professionals

Legislation and regulation

Make sure you have read and understood the Data Protection Act
and European Convention on Human Rights (especially Article 8). These have an
important bearing on the way in which incidents can be investigated. James
Davies, joint head of Lewis Silkin’s employment group and the chairman of the
UK Employment Lawyers’ Association on workplace privacy, says: "What you
cannot be doing is accessing people’s computers when they haven’t got an
expectation that it might happen, and how and why it might happen. If you let
them know through a policy that something’s liable to happen, they don’t have
an expectation of privacy, and it’s much more difficult for them to complain –
provided you’ve got a legitimate purpose."


It is vital to have a comprehensive company policy in place covering the
(mis)use of computers. This should form part of the employee manual.


Define precisely what you mean by terms such as ‘acceptable’ or ‘misuse’.
The more detail you provide, the less room there is for interpretation and
legal argument if a case goes to court.


Make sure new joiners are taken through the computer usage policy, and sign
a form acknowledging that they have read and understood the document. Should an
incident occur, you will need to be able to show that an employee was fully
aware of the policy and the consequences for breaching the policy.

Exit interview

It is good practice to take leavers through a ‘check-out’ list
during an exit interview, making sure they have returned all company property
including electronic files and documents (or at least deleted copies from their
private PC or laptop).

Incident management

Make sure you understand your role and responsibilities as part of an
incident management team. Incident handling needs to be highly co-ordinated and
controlled to be effective – every minute counts.

Incident scenarios

Make sure you have an appropriate response pre-planned to
different scenarios. It’s vital that things are handled correctly from the
start – a case of suspected fraud, for example, will need to be dealt with in a
different way to finding pornographic material on adesktop PC.


Make sure investigations are kept completely confidential until they are
complete. The premature leak of information may lead to people jumping to the
wrong conclusions, and could seriously impede the successful conclusion on the


Make sure an audit trail is kept at all times. If a case goes to court, you
will need to be able to back up your version of events.

Call in the experts

The earlier computer forensics experts can be brought in, the
better. Computers are a ‘crime scene’ like any other, and only expert
investigators should be allowed to gather evidence.

What is computer forensics?

One expert puts it this way:
"Computer forensics is simply the application of computer investigation
and analysis technology in the interests of determining potential legal
evidence." As any dictionary will point out, the term ‘forensics’ means
‘pertaining to the law’. And in terms of computer forensics, the science is
simply developing a bank of computer-based evidence.

The actual technological procedures involve ‘imaging’ a
computer’s hard drive, and using certain software tools to unearth data that
may be stored throughout, including files that the user deleted. The data may
be stored in fragments, so a computer forensics team will usually consist of
technicians and analysts who can ‘connect the dots’, so to speak, to put the
information into an understandable form.

"The great principle of forensics investigation is that
every contact leaves a trace," says Chris Watson of Evidex. "That is
exactly the same for a computer – it’s knowing where to look and how to
interpret what you find."

More information

– The UK National High-Tech Crime
Unit: 0870 241 0549 or

– Evidex: 020 8335 1753

– Vogon International:

Comments are closed.