Just how important is computer-based evidence in today's commercial world? We take SMT's readers through some of the major reasons why security managers must take heed of the 'data thieves'.
Ivan Barc – of Barc & Co Accountants – was recently jailed for two-and-a-half years after computer evidence was used to show that he had concocted fictitious company accounts. The prosecution proved that Barc was supplying the accounts to a gang which then used them to fraudulently claim credit finance to buy fleets of expensive cars. The forensic investigation recovered deleted copies of accounts from Barc's computers, which matched the fraudulent accounts supplied to finance companies.

This is but one small example of how computer forensics is playing a vital role in investigations. Never before has information been so vital to companies – and the impact from its loss so great.

Is such information subject to misuse and/or being stolen? The answer is yes! According to criminal law, you cannot steal 'information', but that's probably just as well because company security managers are much more likely to catch an information thief and recover data, etc., through civil proceedings.

Worryingly, the DTI reports that only 10% of companies have drafted detailed guidelines on how to deal with evidence and investigations. It's not uncommon for companies to address these issues for the first time immediately after they've become a victim: a reactive approach as opposed to a proactive one.

Monitoring e-mail traffic
The law allows for covert investigative measures that might include monitoring the suspect's e-mails, and checking for any data on their computer which shouldn't be there. Having identified where the stolen information may be located, the evidence is then presented to the Court without the knowledge of the suspect. Civil Courts are issuing more and more search orders these days, allowing investigators to enter the premises and seize a suspect's computer(s).

In turn, this can lead to an interesting series of events – such as the time when the computer in question was "formatted" as the Court officials entered the building. Unfortunately for the suspects, forensic analysis recovers data after formatting. Not only was the data recovered, but the person using the computer at the time the formatting took place was also identified, providing hugely valuable evidence for the complainant.

Having seized computers from the suspect, forensic analysis will show whether the information does in fact belong to the complainant and, if this is proved, the evidence will be used in legal proceedings where damages can be pursued.

As the scope of insurance cover reduces and basic internal misuse by employees remains prevalent, it's understandable that companies are increasingly likely to undertake internal investigations using their own staff. It's therefore vital that Boards of Directors and their in-house security specialists use staff who have the appropriate experience and training.

Forensic principles should apply to any internal investigation. A disciplinary process and indeed dismissal can always be contested, and companies might find themselves needing to defend their actions in court.

  • This article was first published in the Autumn 2002 Newsletter produced by UK Chapter 208 of ASIS International