Someone is stealing electronic data from you, right now. A person your firm or company has trusted for years is doing things that are making you suspect he or she is stealing. You don't know how or with whom, but you know something is wrong. What do you do? Where do you turn? How do you find out for sure?
While this may not actually be happening to you right now, it may happen in the future. There is no way to actually avoid it, but there are ways to detect and catch the person before he gets anything else.
The following three steps will help you to discover whether your suspicions are correct and gather enough evidence to have an open-and-shut case.
Step One: Profile
When profiling the person you suspect, it is important to look at all possible factors and keep some points in mind. Our experience has shown that when women steal, they tend to commit petty theft or steal things in increments too small to even notice. On the other hand, men usually go for the grand prize; something so enormous it is rather obvious.
A person's habits can also alert you that something strange is going on. For instance, lack of vacation time is traditionally a good sign because if the person is out of town, someone else has to handle his work and the person suspected of stealing won't want others on his computer and in his files.
Then you have to look at the triangle of illegal opportunity. The three points of this triangle are:
If all three of these areas are present, a person is very likely to commit an illegal act.
The Sarbanes-Oxley Act (“SOX”) was designed to help eliminate the opportunity point in the triangle. It sets up accounting and security controls designed to make it very difficult for a person to commit fraud (or other illegal activities, for that matter).
Step Two: Internal Investigation
After profiling the likelihood of the individual to commit an illegal activity, the next step is to conduct an internal investigation. The key to this step is to have as few people involved as possible. This will avoid including someone that may be involved in the illegal act or tipping off the actual person you are investigating.
The next step is to conduct a forensic investigation. Contact your external and internal legal counsel; they will likely have an external data forensic investigator that they work with. If they do not, look to a company that does information security as well as data forensics.
A forensic investigation can take many avenues, but some of the activities are a bit-for-bit clone of the hard drives, restoration and reconstruction of partitions and files, and hashing. Cloning the hard drives allows the forensic examiner to investigate the entire drive and even reconstruct data that has previously been deleted from the system. Examiners can sometimes go back and pull years of deleted information off the system for use in the investigation.
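The clone-and-hash step described above, as an added example (not the authors' tooling): the source is copied block by block while a SHA-256 digest is computed, the finished image is re-read to verify it, and a raw search locates a record that survives only in unallocated space. The sample drive, the marker string and all function names are constructed for illustration.

```python
import hashlib
import io

SECTOR = 512  # sector size of the constructed sample drive

def copy_and_hash(src, dst=None, block=4096):
    """Read src to the end in blocks, optionally writing each block to dst
    unchanged, and return the SHA-256 of the bytes read."""
    digest = hashlib.sha256()
    for chunk in iter(lambda: src.read(block), b""):
        digest.update(chunk)
        if dst is not None:
            dst.write(chunk)
    return digest.hexdigest()

def verify_clone(acquisition_hash, image):
    """Re-read the finished image from the start and compare digests."""
    image.seek(0)
    return copy_and_hash(image) == acquisition_hash

def find_remnants(image, marker):
    """Offsets of marker anywhere in the raw image, allocated or not."""
    image.seek(0)
    data, hits, pos = image.read(), [], 0
    while (pos := data.find(marker, pos)) != -1:
        hits.append(pos)
        pos += 1
    return hits

# Constructed sample: sector 0 holds a live file, sector 1 is empty, and
# sector 2 still holds a record that no directory entry points to any more.
MARKER = b"DELETED-RECORD"
SOURCE = (b"live file".ljust(SECTOR, b"\x00") + b"\x00" * SECTOR
          + (MARKER + b": constructed sample").ljust(SECTOR, b"\x00"))

def demo():
    """Return (clone verifies, altered copy verifies, remnant offsets)."""
    image = io.BytesIO()
    acquired = copy_and_hash(io.BytesIO(SOURCE), image)
    tampered = bytearray(image.getvalue())
    tampered[700] ^= 0x01  # flip a single bit in a copy of the image
    return (verify_clone(acquired, image),
            verify_clone(acquired, io.BytesIO(bytes(tampered))),
            find_remnants(image, MARKER))

if __name__ == "__main__":
    print(demo())
```

A file-by-file copy of the same drive would carry over only the live file, which is why the examiner works from the raw image.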
Investigators will also utilize different tools when performing the forensic analysis. There are many free tools on the Internet, including Sysinternals, Helix, dd and Autopsy, as well as commercial products such as EnCase and NTK.
Once you have settled on an investigator, there are three types of forensic investigation that can be conducted (all of which are legal and admissible in court): covert, live and dead.
Covert Forensics
Covert forensics is conducted during off hours when the person you suspect of illegal activity is not in the office. The investigator will acquire the suspected person's hard drive, image each file and replace the hard drive without being detected or damaging any of the files. During this operation, the investigator can also install devices in the computer that can be utilized during live forensics. These devices include keystroke loggers and backdoors into systems.
Live Forensics
Live forensics is conducted in real time. Utilizing some of the devices installed during the covert investigation, the investigators can monitor all traffic and activities taking place on that computer.
Dead Forensics
Dead forensics takes place once the hard drives are obtained. The investigator will analyze the information and files on the drives and be able to detect any suspicious activity. This activity can range from e-mail conversations to deleting files and banking transactions.
Step Three: Interrogate
After obtaining enough information to properly confirm suspicions, the next step is interrogation. It is very important that you have all the information you need so that your case is foolproof.
During interrogation efforts, the accused will typically go through five stages (identical to those of grief).
Case Study
We once worked with an organization that suspected its CFO of embezzlement, as well as other potentially fraudulent activities, including insider trading.
Our company was contacted by the organization's legal department to perform covert forensics analysis of the CFO's computer system. Our team went on site in the middle of the night, cloned the CFO's entire system, and left without being detected.
Upon returning to our office, we began performing our analysis of the cloned system. We identified and reconstructed deleted records of wire transfer information that totaled more than $2 million. The transfers were from the organization's bank account to the CFO's personal offshore bank account.
We also discovered deleted e-mails where the CFO identified that he was upset with upper management and felt that the money belonged to him. Upon completion of our investigation, the organization contacted the FBI and began its interrogation efforts, during which he admitted to his wrongdoings. The CFO was convicted and is currently serving an 11-year jail sentence.
Conclusion
Of course, most instances of employee theft are not as grandiose as this example, but the bottom line is that members of law firms and in-house legal departments have access to all kinds of essential electronic data. Having a pre-planned mechanism to protect this data is critical in the event that you suspect that it is being handled inappropriately. Simply firing an employee suspected of wrongdoing is not appropriate on a variety of levels; most significantly, you will likely not recover your data or your funds, and the opportunity to do so may be lost forever. For this reason, it is essential to prepare a tactical response plan in advance to address potential problems, instead of trying to play catch-up after the fact.