Private labs help fight computer crime in secret

The Associated Press
Sunday March 25, 2001



SAN FRANCISCO — Kris Haworth pounds away at her keyboard into the wee hours of the night, navigating a labyrinth of computer data, searching for evidence, a smoking gun. 

FBI and CIA baseball caps – gifts from friends – are propped on top of her computer monitor, and though Haworth doesn’t carry a badge, her abilities rival the best sleuths in either agency. 

Haworth, who runs Deloitte & Touche’s computer forensics lab in San Francisco, is one of a growing number of cyber avengers in the private sector, helping companies fight computer crimes that the government is ill-equipped to prosecute or that companies would rather not report in the first place. 

Companies are turning to these specialists for all kinds of private detective work: pinpointing internal sources of misstated earnings or trade secret theft; gathering evidence for hacking cases; disputing legal claims of wrongful termination or sexual harassment; or uncovering improper Internet usage by employees. 

The flourishing crop of gumshoes is armed with powerful tracking and data-mining software previously used only by authorities. Deloitte & Touche, for instance, recently added to its arsenal SilentRunner, a program first created by Raytheon Corp. for U.S. intelligence agencies. The computer surveillance tool can invisibly capture and analyze, from storage or in real time, all activity on a company’s computer network.

“We could find or recover anything on a hard drive,” Haworth said. “Somewhere in that system, your electronic fingerprints remain. Short of taking your hard drive and having it run over by a Mack truck, you can’t ever be sure that anything is truly deleted from your computer.” 

Some of the forensic handiwork becomes the basis of companies’ reports to federal agencies. 

A recent example: The board of directors for a $5 billion company suspected revenues were being inflated, and Haworth fished out and pieced together incriminating e-mails thought to have been deleted. Criminal indictments against several company executives followed. 

But a large portion of the work from Haworth and her corporate colleagues – many of them ex-federal agents or prosecutors – never reaches law enforcement logs or the public eye. 

“The reality is that business organizations don’t want to share information with the government and when they experience a problem from an external or internal threat, they frequently want to handle it themselves,” said Harris Miller, president of the Information Technology Association of America. Companies don’t want to divulge their vulnerabilities or computer security tactics to their competitors or stockholders, and sometimes not even their own employees. 

Added Howard Schmidt, Microsoft Corp.’s chief security officer and a veteran military investigator: “All the law enforcement agencies out there don’t have the people trained to do this kind of work and to handle all the potential victims that may be out there.” 

Financial losses from computer crimes increased to $378 million in 2000 from $265 million in 1999, and 85 percent of businesses and government agencies detected computer security breaches in the year 2000, according to an annual survey by San Francisco’s Computer Security Institute and the FBI. Yet only a little more than a third of 345 respondents said they reported the computer attacks to law enforcement. 

Many times only lawyers or corporate officers know about the data electronically gleaned from these private cyber spooks and use it to either quash or spur civil litigation. 

Another case in point: A construction equipment supplier hired Deloitte & Touche when it threatened to file a trade secret lawsuit against a former high-ranking sales employee, alleging he had taken a multimillion-dollar client with him when he joined a competitor. Haworth traced the former worker’s company e-mails to his outside Yahoo! e-mail account. The unauthorized e-mails contained internal copies of non-flattering company documents. The case settled out of court.

“In my world, we find the smoking gun and give it to the attorneys,” Haworth said. 

Reliable statistics measuring the overall growth of the private computer forensic industry are hard to find, but there’s plenty of anecdotal evidence. 

New Technologies Inc. of Gresham, Ore., known as NTI, was one of the nation’s first private companies to specialize in computer forensics when founded in 1996 by a group of ex-feds who were pioneers in the field, including Michael Anderson, a 25-year IRS criminal investigator who has trained thousands of law enforcement and military workers on computer-tracking techniques. 

Today, NTI trains and assists not only government agents but also hundreds from the private sector, specifically specialists at the Big Five accounting and consulting firms and Fortune 500 companies. Not a day passes without NTI rejecting a training request from other civilian workers, hoping to somehow cash in on the lucrative profession, said Scott Stevens, the company’s vice president of marketing. 

Deloitte & Touche, which charges $250 an hour and pegs the average price of a basic forensic job at $25,000, more than doubled its nationwide forensics staff from 40 in 1998 to 100 today. It opened its first computer forensics lab in Dallas in 1999; opened its second in San Francisco last month; and will open another shortly in Chicago. Still more are planned to provide the space needed to house the equipment used to gather, store, and analyze massive amounts of data taken from computer hard drives.

Ernst & Young started with one lab in 1998 and now has six in the United States, one in Canada and one in London. 

“We saw a growing need in the marketplace,” said Kristopher Sharrar, a former Air Force investigator and now Ernst & Young’s national leader of computer forensic services. “Businesses were getting hacker intrusions and network viruses, and our clients are now looking at us to provide litigation advisory services, and almost every time, they say we believe electronic discovery will be part of the process.” 

Computer forensics in the private sector will only grow as society increasingly communicates and carries out business on digital devices. In addition, a federal court rule adopted in December requires litigants to turn over discovery whether it’s in paper or digital format. In the past, lawyers had to hassle with getting a judge’s approval before pursuing their opponents’ digital documents such as e-mail or computer memos. 

“These developing forensic technologies are as important to discovery as the Xerox machine,” said Emmett Stanton of Fenwick & West, a Palo Alto-based law firm that represents high-tech companies. “It’s not a question of ‘Will e-mail or electronic evidence be important?’ It’s a question of ‘How important will it be?’”