In even the most liberal of democracies
worldwide, there is an unpleasant aspect to tax law and enforcement:
You are guilty until proven innocent.
It must now be assumed the same is true for many business activities,
not only when there is an accusation or suspicion of wrong-doing,
but even in their absence. The tidal wave of scandal that's swept
across the American business-scape, beginning with Enron and continuing
today with the mutual fund industry, has also hit the shores of
the UK and the EU. In response, new legislative and regulatory requirements,
such as the Sarbanes Oxley Act in the US and similar regulatory
changes in the UK and Europe, with more to come in the EU Constitution,
all incorporate the requirement that businesses proactively demonstrate
their innocence in activities and reporting, even in the absence
of any evidence to the contrary.
Following closely on the heels of this new regulatory environment
will be a flood of lawsuits by shareholders whenever even the suspicion
of wrongdoing depresses an organisation's market value.
Businesses must come to terms with this critical change in the
relationship between themselves and their investors, the media,
legislative bodies, regulatory agencies, the law enforcement community
and the public at large. Most well-run organisations have a variety
of policies and systems to prevent, ferret out and prosecute unethical
and illegal activities. Yet, the domination of the headlines by
corporate misdeeds for the past two years, combined with the new
"guilty until proven innocent" regulatory strategy, clearly
requires organisations to do more: better methods of preventing
unethical and illegal activity; more sophisticated methods to discover
fraud and theft before significant harm is done; and greater proactivity
in ensuring their ability to defend themselves.
Radically different steps need to be taken to deal with a radically
different legal and regulatory environment.
Crooks Will Always be Crooks
Already, more than 100 corporate employees in the US are being
prosecuted with hundreds more to come - perhaps thousands - as greater
scrutiny is applied with the weight of new laws and a reinvigorated
enforcement community. Will these new laws and regulations prevent
future episodes of fraud, theft and scandal? Of course not. That
tiny (but very damaging) percentage of executives and employees
who are crooked will remain so. From the board room to the file
room, greed, power and revenge will continue to drive that small
minority to lie, cheat, steal and sabotage to the detriment of the
organisation, employees, owners and shareholders, and the executives
who are held accountable, even when not personally involved.
Rigorous vetting, training, oversight and internal enforcement
will remain key ingredients in the fight against employee malfeasance.
But, as today's headlines demonstrate, the techniques of the past
are no longer enough in our new "guilty until proven innocent"
world.
Case Study: A major Pan-European Call Centre operation suspected
former executives of altering and deleting employment contracts
on the company servers in an attempt to sue for severance pay of
up to 9 times the original contractual value. Data Recovery UK Limited
was hired to forensically image and analyse the server environment
for evidence of misuse. Working 24/7 over a weekend and for 5 days
straight, our forensic team restored deleted files and emails and
broke passwords into secure documents, bringing to light the tampering
that was going on. The suspected employees settled the disputes
out of court for the amounts stipulated in their original employment
contracts, saving the company tens of thousands of pounds in further
litigation and investigation costs and hundreds of thousands of
pounds in severance liability.
Technology vs. Technology
Technology has become the great enabler of criminal activity by
employees. LANs, WANs, inexpensive broadband access to the
internet, the easy availability of tremendous computing power and
broad access to concentrated data all contribute to an employee's
ability to plan, organize and execute illegal activities either
by themselves or in concert with others both within and outside
the organisation. Short of an old-fashioned "stick 'em up!"
scenario, it's hard to imagine corporate malfeasance taking place
without the use of the organisation's own technology.
How can businesses turn the table and use existing and proven technology
to increase prevention, discover criminal activity that has taken
place before great damage is done, and position themselves to vigorously
prosecute criminal behavior and defend themselves when faced with
enforcement action?
Using Proven and Accepted Technologies in New Ways:
Advanced Computer Forensics
Computer Forensics is the highly-specialised field of imaging,
analyzing and reporting on data from computers that have been used
in suspected illegal or unethical activities. Specialised hardware,
software and highly-trained technicians and engineers are required,
along with rigorously enforced procedural standards that protect
the chain-of-custody. When properly conducted, computer forensics
techniques are universally accepted by investigators, enforcement
agencies and the courts and are usually immune from legal challenge.
Historically, computer forensics experts and processes have been employed
after the fact - when suspicious activity has already been found
and the requirement is the discovery and documentation of the electronic
evidence trail.
These same techniques and expertise, however, can be employed in
new ways to help organisations reduce illegal activities, comply
with new regulatory imperatives and position themselves to proactively
defend themselves in the face of accusations from shareholders and
regulatory agencies.
Proactive vs. Reactive
The new approach to the use of Advanced Computer Forensics techniques
involves proactively applying them in a systematic, well-planned
process BEFORE discovery of suspicious activity of an unethical
or illegal nature.
The objective is to capture a "forensically correct"
snapshot of key data and computer usage by predetermined criteria
(employee, department, timing and the occurrence of a key event,
such as the resignation or dismissal of an employee or an acquisition
or merger), in order to accomplish one or more of the following:
1) Deter employees from engaging in unethical or illegal activity,
similar to the psychology of random drug testing;
2) Create accurate, contemporaneous and continuous records that
can be accessed should malfeasance be discovered at a future date;
3) Prevent the aging, fragmentation or loss of electronic evidence
of misuse that may go undiscovered for months or years;
4) Provide monitoring and analysis of activity by key employees
in highly-sensitive areas of the company, such as finance, research
and development, HR or purchasing;
5) Retain documented potential evidence, acceptable in a court of
law, as defense against future accusations or lawsuits or to limit
the liability to the level of the individual perpetrator rather
than to the organisation as a whole.
Advanced Computer Forensic techniques can be applied to any form
of electronic data storage device: hard drives, floppy drives and
optical drives in desktops and laptops, RAID configurations on the
organisation's servers, data tapes, flash memory, even the memory
in PDAs. With the proper planning, forensics technology and expertise,
the process can be conducted in a way that does not disrupt normal
business operations and be applied either covertly or overtly.
System Back Up Data
One question many companies ask is why they cannot use the data
from back-ups for the same purpose. There are several reasons why
this typically is not a good idea.
First and foremost, back-up procedures and software normally do
not capture deleted data or data in unallocated space, which is
often exactly the type of data where evidence resides. (Most
employees who use their computers for illegal activity, even unsophisticated
users, will attempt to cover their activities by deleting data,
reformatting their drives, defragmenting them or using other techniques.
These techniques don't work!)
Second, back up procedures and files are notoriously unreliable.
More than 50% of our customers who incur a data loss have attempted
to restore a back up to no avail. Either the procedure simply does
not succeed or they find that critical data is not backed up at
all.
Third, back-up files are rarely kept for a significant length of
time. Since backing up data is a repetitive process, if done properly,
back up files are rarely saved for more than a few weeks at a time,
if that.
Fourth, backing up data is an "internal" process whose
accuracy is likely to be challenged in court. It is not
subject to the strict chain of custody process that gives the legal
and court communities the confidence necessary to pursue vigorous
enforcement and, on the flip side, gives the company confidence that
the evidence will be accepted.
Finally, most organisations do not back up employees' desktop or
laptop computers. A smart perpetrator will conduct their illegal
activity on a laptop and make sure it's never available for system
back-ups!
The use of an independent
Computer Forensics firm is critical to protect the integrity of
the process and potential evidence.
Case Study: In early 2003 a senior manager
at a major business services company in London registered a new
company with an identical service portfolio to the firm he was working
for. For months the suspect and an associate operated the business
while he continued to work for our client. Our client’s resources
and customer database were used to market and sell the services
of the suspect’s new company. An advanced computer user, the
suspect encrypted files and used secure deletion techniques to hide
his activities from the company management. Data Recovery UK Limited
was called in to investigate and, undercover, his laptop was forensically
seized and analysed. In certain areas on the hard disk enough evidence
was discovered to secure a second laptop for investigation. The
evidence discovered was turned over to the company’s solicitors
for legal action against the employee and his associates.
Plan Carefully
As with any critical business process, particularly
one potentially subject to the strict demands of the regulatory
and court systems, detailed planning is essential to implement a
successful proactive computer forensics program.
An organisation contemplating this new and
valuable approach should partner with an outside Computer Forensics
firm to conduct the detailed planning required and have outside
counsel involved to ensure that other regulatory and statutory requirements
are met such as employment, data protection and privacy law.
Is It Worth It?
Consider the following. It is estimated
that each year, more than £80 Billion is lost in the UK alone
through employee theft, fraud and sabotage. This is the direct cost
only. Add to it billions more in investigation and litigation costs,
lost productivity, the future value of Intellectual Property lost... the
list goes on and on, as do the billions of pounds lost. Now, add
the cost of the publicity surrounding employee malfeasance: loss
of reputation, employee morale, a depressed stock price.
Finally, the new regulatory and litigation
environment we are now entering places a new, heightened level of
personal responsibility and liability on the backs of corporate
executives for the activities of their employees and organisations.
How many are willing to take that risk?
Businesses now operate in a radically new
environment, one that will only become more so as the legal and
regulatory process catches up with the ability of employees to create
havoc and loss. Radical new steps are required to combat both the
increasing sophistication of employee malfeasance and the growing
liability of organisations and executives to their shareholders
and the regulatory agencies.
Advanced Computer Forensics applied in a new,
proactive strategy can play a key role in businesses adapting to
this new world of "guilty until proven innocent".
Data Recovery UK Limited is a data recovery
and Advanced Computer Forensics services firm located in London
and is part of the Data Recovery Services Inc. global group of companies,
providing data recovery and computer forensics services for more
than 22 years. FailSafe™ is Data Recovery UK Limited's suite of
Proactive Advanced Computer Forensics Services. The author may be
contacted at Data Recovery at sjudge@dataemergecy.co.uk, or by phone
(0)20 7407 4002, fax (0)20 7407 4003.