So You Want to Be a Digital Detective?

Hardly a case goes to court these days without the help of electronic gumshoes.

The man was careful to cover his tracks, erasing e-mail messages and other incriminating documents. He sent especially sensitive messages to his prospective employer via a Web-based e-mail service, not the corporate e-mail system of his current employer. And with good reason: The man had landed his new position by promising he’d bring trade secrets from his former job.

Unfortunately, the former employer didn’t suspect anything until months after the rogue employee had left. By then, his PC had been erased and given to another employee. The prospects of finding evidence of suspected wrongdoing seemed bleak.

But forensic investigators at Huron Consulting Services LLC in Chicago had a few tricks up their sleeves. Using special tools, they found e-mails still on the former employee’s hard drive — messages that he had deleted but that had not yet been written over. Investigators even found some e-mail sent via the Web-based service, because Web pages containing the messages had been automatically cached to the PC’s disk.

“The nature of those messages was such that it was clear that he knew — and his new employer knew — that he was going to bring documents and ideas to help start a new business,” says James Zinn, managing director of Huron’s digital evidence practice. “The case settled in favor of our client because of that evidence.”

A combination of forces — including changes in the legal and regulatory climate, an increase in the amount of electronic information that is stored and communicated, and the general litigiousness of society — has pushed computer forensics from the back rooms of law enforcement agencies into mainstream corporate America. “There’s been an explosion in the use of computer forensics for traditional investigations, but also now in more routine civil litigation,” Zinn says.

In December, the government updated its Federal Rules of Civil Procedure to require companies appearing in district courts to be much better prepared with electronic evidence. “They have to know what electronic information they have, essentially at the beginning of the case, and if they don’t, they can be sanctioned,” Zinn says. “That has increased the need for people who understand corporate IT systems and what data exists and how to retrieve it quickly and in a forensically sound manner.”

So who are these digital detectives? People with various combinations of IT, audit, legal and law enforcement skills are well positioned for careers in computer forensics, says William L. Farwell, director of forensic and dispute services at Deloitte Financial Advisory Services LLP in Boston and a former investigator of Medicaid fraud. “We look for people with law enforcement and government backgrounds, but we also balance that with people with computer science and computer engineering backgrounds, because we can teach the skills back and forth across the two groups,” he says.

Farwell says that his investigations are often done jointly with a client’s IT department, but sometimes the IT department itself is the target. “We’ve had cases where they were running multiple businesses within the company — their own pornography Web sites, anything you can imagine.”

Decoding Crime

Staying a step ahead of those who would hide digital evidence requires use of the latest technology, Farwell says. For example, Deloitte recently built an “advanced decryption center” in Boston that uses a variety of techniques for breaking password protections and unscrambling coded messages and documents. Farwell says a typical case today might involve examining 4,000 encrypted files created by 40 users.

Nick Robertson, vice president of technical services at Forensicon Inc. in Chicago, specializes in electronic discovery, the phase of civil litigation in which opponents gather electronic evidence that they hope will support their cases. He has an MIS degree.

“Having a solid IT background — not only in software but hardware as well — is crucial for this work,” Robertson says. “In order to properly preserve evidence, you need to go out and properly handle large servers, desktops, laptops. You need to remove hard drives, make images of them and properly document everything you do.”

But technical skills alone aren’t sufficient, Robertson says. Computer forensic detectives must be able to write clearly and argue their conclusions persuasively and with confidence — often in court, facing hostile attorneys. And you have to be ready for anything. For example, he says, “you have all these great facts and details. Then you go to court and the judge asks, ‘How does a computer work?’ That seems an easy question, but it’s not.”

The pressure can be great and the deadlines punishing, Robertson adds. “You may need to go in at night when no one is around and pop a hard drive out of a machine and pretty quickly dig up some information. It’s not for the faint of heart,” he says.

And there’s a lot of last-minute travel, says Zinn, “so it’s not a very predictable schedule.”

But the unpredictability is just what Dyan Decker likes about the computer forensics work that she does. “It’s the constant changing nature of what we do, and part of that is the changing technology, both hardware and software,” says Decker, a partner at PricewaterhouseCoopers. “I’m not the sort of person who can sit still, so this is an exciting role.”

Decker says that nowadays, the smoking gun in a litigation case is most likely to be found by computer forensics. In fact, she says, the day is coming when what is now often called “electronic discovery” will be just “discovery,” because very little evidence exists solely on paper anymore.
