[Legal/E-Business]

Smart Business: Computer Forensic Specialists

Hed: Manage Electronic Risks Before Problems Arise

Deck: As computer use grows, so does the job of the computer forensic specialist.

Summary: Forensic experts are helping small companies manage their electronic risks, which means avoiding trouble and catching violators.

Pull quote: "Whatever you do, don't ever use your computer for anything that your grandmom wouldn't be proud of." -- Peter Constantine, CEO, Data Discovery

Just three months short of retirement, a 61-year-old executive of a small Texas farm equipment manufacturer -- we’ll call him James -- suddenly got the boot. James had worked long and hard to rise through the ranks. Was his layoff part of a company plan to boost profits, or just a coincidence? James found the latter idea farfetched, and filed a lawsuit for age discrimination.

To help his attorney make the best possible case, James hired Computer Forensics Inc. (CFI), a national firm that tracks computer evidence for companies and agencies. Sure enough, after scouring files, CFI found an incriminating computer trail.

Just 15 days before James received his pink slip, the company’s HR database had been searched for all employees born before a certain date. A match with records of other recent layoffs supported the case that James had been targeted because of his age. Embarrassed, the company settled out of court.

This is just one type of situation CFI and its competitors hear about all the time. The Microsoft trial was a much more visible case where computer forensics played a starring role. Whether data-hunting on behalf of employees, employers, or regulators, forensic specialists have the same goal: finding computer evidence most people never even suspect is there.

Who They Are, What They Do

CFI is one of five companies in the United States dedicated exclusively to computer-based discovery services (also known as electronic discovery) for businesses and agencies of all sizes.

"The federal government is our largest client," says Joan Feldman, CFI founding president. With 20 years' experience in forensics and litigation, she launched her company in Seattle in 1994 and opened a branch office in Washington, D.C., last year. The CFI team includes forensic specialists, attorneys, legal assistants, local area network engineers, and record management specialists.

Feldman's colleague and friendly competitor, Peter Constantine -- CEO of Data Discovery, based in Beaverton, Ore. -- is one of an additional 200 or more certified forensic examiners nationwide, usually with backgrounds in law enforcement, who work independently on cases large and small. Constantine went into business for himself after spending the last five years of his career with the federal Drug Enforcement Administration tracking computer evidence around the globe.

The types of cases they track are manifold. Could an employee have breached a confidentiality contract? Stolen a client list? Downloaded pornography? Sent a harassing e-mail to another employee? Or wasted hours of time browsing the Web? Could an employer have drafted incriminating memos or made reference to illegal activities? This is where electronic trackers step in.

Computer forensic specialists offer both remedial and preventive help. If you’re faced with litigation, as either defendant or plaintiff, electronic private eyes will know how to find buried evidence to help you win the case. (Contact them on the Internet or through referrals in the legal and law enforcement communities.)

Electronic trackers can also help business owners protect against future litigation. Specifically, forensic specialists can suggest policies governing how long to keep information, how to delete it, and how to permanently remove it from the system. Feldman recommends The ePolicy Handbook by Nancy Flynn, published last year by the American Management Association, as a useful guide. Flynn’s pointers can help readers identify risks, make sense of cyber laws, protect themselves with insurance, and train their employees in new policies.

Hidden in Plain Sight

"We're all used to tucking things away on our computers, sometimes consciously, sometimes not," Feldman says. "What's being tucked away for you by your computer? Thinking about that can keep you awake at night."

For instance, many people create journals or diaries on their computers. "They assume it's no one's business but their own," Constantine says, "but it often includes material that amounts to an admission of guilt. Also, the consensus among typical computer users is that once e-mail is sent or read, it's gone. Nothing could be farther from the truth. E-mail has done in more people than you could imagine."

These two examples suggest why reviewing computer files is standard procedure in court cases. And without clear policies for file storage, companies can find themselves having to review mailboxes or backup tapes of pack-rat employees who never throw anything away. For a business with a small workforce, such a task can be overwhelming -- yet the law requires compliance.

Throwing things away is a task in itself. Most people know by now that simply deleting a file won’t make it disappear. If you really want it gone for good, discovery experts advise using one of several good programs currently available (some downloadable as shareware) to obliterate the file just as several layers of paint will cover a mark on a wall.

"On a search, we can’t get the file back," Feldman says, "but we can tell that one of these shredding or wiping programs has been used by just one line on the hard drive showing date and time. We’ll take that information to court if we think deliberate tampering or destruction of evidence has occurred."

These experts often turn up evidence in places average computer users wouldn’t think to look -- sometimes right in the open. For instance, something as simple and forgettable as the "History" feature, adjacent to "Favorites" on Microsoft's Internet Explorer toolbar, can tell any passing stranger where in the world of the Internet you've been for the past three weeks.

Feldman recalls a woman who lost her job for not getting enough work done, then filed a complaint of sexual harassment against her former employer. "The company couldn't understand why she wasn't productive," Feldman says. "They asked us to look at the computer she'd been using -- something they would not have done if she hadn't filed suit. The History feature showed she'd been running her home products distributorship from her employer's computer six hours a day." End of lawsuit.

Digging Deeper

Most cases are harder to crack. Constantine explains that there's a difference between data recovery (after a hard drive crash or file deletion) and data discovery -- the application of forensic methods to look for evidence.

Using tools of their trade, electronic detectives can find file fragments scattered across a hard drive and piece them back together like a jigsaw puzzle. "The user may think he's gotten rid of a file," Constantine says, "but he doesn't know the system has created copies of that file -- 'son' and 'daughter' files -- in places he wouldn't suspect."

It takes anywhere from 20 minutes to several hours to make an evidentiary image copy of an entire hard drive, using products designed for that purpose. The copy is then restored on the forensic lab computer and examined in painstaking detail.

Making and restoring the copy costs about $2,000; reviewing the data about $300 to $400 an hour. That review can take from two to 16 hours or more, depending on how much information is needed and how specific it is. "It takes longer to search the hard drive when we’re looking for small pieces -- dates, names, specific words, fragments of contract language," Feldman says.

Forensic specialists usually copy their findings onto CD-ROMs so clients can see for themselves what the files contain. The evidentiary copy remains at the lab. "This ensures that it can't be tampered with, for the client's own protection," Feldman says. "This way, there's an audit trail. We function rather like an escrow agency."

Feldman and Constantine hesitate when asked to describe specific small business cases they've handled -- although some appear in disguise on the CFI Web site -- and they firmly decline to name their clients. As with any investigative agency, their service depends on fail-safe security and impeccable confidentiality.

"Even when clients are so angry that they want to tell their stories, their attorneys restrain them," Feldman says.

But forensic specialists aren’t shy about spreading their message. "I talk to a lot of groups," Constantine says, "and at the end of every presentation I always tell them the same thing: Whatever you do, don't ever use your computer for anything that your grandmom wouldn't be proud of."

SOURCES:

Nancy Flynn, executive director (and author of "The ePolicy Handbook")
The ePolicy Institute
2300 Wallhaven Court, Suite 200A
Columbus, OH 43220
Phone: 614-451-3200
Toll-free: 1-800-292-7332
Fax: 614-451-8726
Web site:
E-mail:

Joan Feldman, founder and president
Computer Forensics Inc.
1749 Dexter Ave. North
Seattle, WA 98101
Phone: 206-324-6232
Fax: 206-322-7318
E-mail:
Web site:

Peter Constantine, CEO
Data Discovery
6107 SW Murray Blvd., Suite 163
Beaverton, OR 97003
Phone: 503-520-9460
Toll-free: 1-800-299-0994
E-mail:
Web site:

Andy Johnson-Laird, president
Johnson-Laird, Inc. (32 years computer experience - preservation, production and analysis of computer-based evidence - "Techno-Archaeology")
Portland, OR
Phone: 503-274-0784
Web site:

International Association of Computer Investigative Specialists
Postal Address: P.O. Box 140, Donahue, Iowa 52746-0140
Phone/FAX: 503-557-1506
E-mail:
Web site: