Companies routinely find themselves in court these days for everything from trademark disputes to wrongful termination suits. And as more information goes digital, so does more courtroom evidence. PricewaterhouseCoopers partner Larry Kanter says that so-called electronic discovery is now commonplace. But it is often a problem for companies because critical information has been deleted or improperly archived. The process of ferreting out such data, known as "forensic computing," can fall to high-priced experts. But new technologies allow companies to handle much of this themselves.
If your CIO isn't inquiring about it, chances are your lawyers will. Browning Marean, a partner in the San Diego offices of law firm Gray Cary Ware & Freidenrich, says, "I can't imagine [lawyers] not expending considerable effort in electronic discovery, because that's where the good stuff is."
Computer-based evidence has been introduced in nearly every case he's worked on in the past 10 years. E-mail is the richest source of information, but other documents that synthesize facts, such as PowerPoint presentations or enterprise software programs, can be revealing as well. For example, Marean was able to prove that a construction company was lying to a lending bank by showing the discrepancies between project management reports submitted for cash draw-downs and records used for internal management decisions.
Even when files are deleted, data rarely disappears unless the drive on which it resides has been overwritten multiple times, experts say. In fact, in most cases it shouldn't disappear at all — unless companies mandate that it do so. Having a formal data-destruction policy in place is vital in legal proceedings, they say. That way, you're more likely to hang on to information you need, and to avoid arousing suspicion when information the other side may need is no longer available.
Companies that augment such policies with the latest forensic technologies are tight-lipped about exactly what they do, but clearly such technologies are in vogue. Research firm IDC Corp. says the forensic services market will reach $69 million in 2004, up from $24 million last year.
AccessData Corp., which recently expanded its product line from an encryption-cracking tool to a full forensics tool kit, says demand for the $595 tool kit and nationwide training courses has doubled. Private-sector demand for Guidance Software Inc.'s EnCase, widely used by law enforcement agents, has tripled over the past year. For about $4,000 per person, the company provides the software and training to enable an IT professional to duplicate a cybercrime scene and analyze the evidence.
Niksun Inc., which also says sales have tripled, makes the equivalent of a surveillance camera for network activity. The hardware device allows computer activity to be recreated down to the keystroke, and costs from $30,000 to $70,000. Meanwhile, so many companies have asked high-tech investigators at Kroll Associates to train their staff members in forensic computing techniques that Kroll is now formalizing a vendor-neutral training program, says managing director Jason Paroff.
Bringing such sleuthing capacities in-house not only helps shave litigation fees, but also may forestall court appearances altogether. "You can fend off lawsuits and get better cooperation when you have the evidence in hand," says Dora Furlong, a computer forensics expert who has spent the past 18 months as a full-time staffer for a Fortune 500 telecommunications company.
Furlong uses tools like EnCase for such jobs as determining the true origin of harassing E-mails and justifying employee terminations. So far, she hasn't had to visit a courtroom on the company's behalf.
Investing in the latest tools is only part of the equation. William Spernow, research director at Gartner and former head of the cyberinvestigations group as chief security consultant for Fidelity Investments, goes so far as to argue that a staff person trained in forensic computer analysis — ideally someone with a law enforcement background — is also a must. Deciding which tool to buy is confusing, he says, since there are currently few comprehensive and user-friendly packages. And there's always the danger that electronic evidence will be overlooked or mishandled, reducing its usefulness in a court case.
But as the tools — and wrongdoers — get more sophisticated, forensic computing may become a more mainstream skill, if only out of necessity. According to Thomas Talleur, managing director of forensic and litigation services for KPMG LLP, "The reality is that companies are losing far more data across networks than they know, but I can't prove it to them, because only about 10 percent have the tools in place to detect it."
Modern-Day Magnifying Glasses
Basic tools for data detective work.
|Network sniffer (hardware)|
Allows user to "recreate" the crime by keeping a record of packet sessions across networks.
|Portable disk duplicator and/or duplication software|
Preserves the original crime scene by allowing investigators to copy hard drives in the field and the lab for later analysis.
|Chain-of-custody documentation hardware|
Videotapes every mouse click of the investigative process to make court testimony more credible.
|Case management software||Helps link seemingly unrelated pieces of evidence.|