By VICKI JAYNE
The chilled room and thin rubber gloves clutching what could be a surgical instrument hint at a more medical version of forensics. But the corpse being dissected in the air-conditioned forensics lab at financial intelligence specialists McCallum Petterson is a laptop - and its exposed innards are potentially a mine of damning evidence.
In our digital work environment, a company or employee indulging in illegal or immoral activity is likely to have left a few electronic footprints. And it's a trail not easily erased.
Deleting computer files only removes them from view, says company IT forensics specialist Daniel Ayers; it doesn't destroy them.
"If you analyse the hard disc, you can retrieve deleted files dating back years. Most people don't know that. They don't realise they are leaving tracks."
Computers, cellphones, global positioning systems or other electronic devices all have their stories to tell when interrogated by an IT forensics expert.
Ayers recently resuscitated a defunct hand-held computer to help track down the diverse financial holdings of a deceased estate. But much of his work involves financial fraud, often related to insolvency.
He and colleague Geniene Koningham, a forensic and insolvency accountant, work together on such investigations. He's the geek, she's the beanie, says Ayers.
While he can recover a heap of information from deleted files, Koningham has the nous to sift through retrieved documents for evidence of financial malpractice, if, for instance, a company was trading while insolvent.
Increasingly, they are also being asked to uncover evidence of intellectual property theft, corporate espionage, or the use of work computers to download pornography.
Much of the work comes through law firms, who have been called in after a specific incident arouses employer suspicion.
Whether the problem is pornography or straight-out financial fraud, denial is usually the first defence, says Ayers.
"Even confronted with evidence, people will still flat out deny any wrongdoing. In the case of pornography, they'll perhaps claim it was an accidental download, or say someone else must be to blame."
But if there is electronic evidence, as in one case, of regular visits from a particular employee's computer to a porn site during work hours that date back over three years, claims that it was accidental or "not me" start looking feeble.
As Ayers rather cynically notes, it is a little unusual to come across naked bodies while innocently going about work-related on-line activity.
For starters, porn sites generally wave big enter-at-your-own-risk warning flags, and can't be accessed without some deliberate action.
"From a management viewpoint, the service we provide is to find out exactly what has been happening on a company network," says Ayers. "It's best to look at computers before any allegations are made, so employers know what's been happening before they commit to a course of action."
In many cases, the evidence being sought doesn't lead to criminal action but does prove a breach of employer-employee trust.
"How can an employer trust someone who does things like that, then lies about it? What else might they do?" asks Ayers.
Much of his detection work is tied up in lengthy civil litigation - though one of Ayers' claims to fame is presenting New Zealand's first ever courtroom demo of computer hacking.
That was in August 2001 when he appeared as an expert witness in the trial of Aucklander Andrew Garrett, who earned 200 hours of community service for using software called Back Orifice to hack into other people's computers via the internet.
The fact that many company heads find IT a tad bewildering can make them easy victims of IT fraud, warns Ayers. One recent example is that of a company paying a lot of money to an opportunistic consultant for IT services that were neither needed nor fully delivered.
Intellectual property theft is also on the increase. Competitive markets provide incentive and untrustworthy or disgruntled personnel often provide the opportunity.
An example: Company A has built a customer-data resource that gives it a competitive edge but later finds evidence Company B, a competitor, is apparently using the very same data.
When confronted, Company B's story is that it's in the same game so inevitably has the same customers.
But that explanation is rather undermined when a forensic IT investigation not only reveals numerous incidents of the data use but recovers the delete command removing it from their network.
Such a discovery can prove pretty useful, says Ayers.
"If you're claiming something is not there, then you don't take deliberate action to delete it. Electronic analysis shows that yes, they have this stuff they shouldn't have; yes, they've been using it and yes, they definitely knew they had it."
Even when it seems the electronic trail of data theft has gone cold, all is not lost. In one case, Ayers pulled some useful information off the PC of a former employee although it had been wiped and used by someone else for nearly a year.
"People do tend to underestimate what it's possible to retrieve."
The lab in which he probes for evidence is in itself evidence of the increasing importance of forensic IT.
Set up last year, it is purpose-designed. Anti-static floor and benches ensure electronic information is not inadvertently destroyed; motion sensor alarms and an access security system independent of general office security mean entry is strictly limited.
That and rigorous chain-of-custody procedures are designed to forestall any challenges that the IT evidence they collect could have been tampered with.
With corporate fraud on the increase, Ayers, formerly an IT security consultant, reckons managers wanting to reduce risk need to focus on three areas: people, process, and technology.
"Make sure you have trustworthy people, structure processes to reduce the opportunity risk and technology-wise, develop good network security."
Computer sleuth - the inside job