Tough on the causes of crime
- Article 29 of 77
- Information Age, February 2002
Tracking insider computer crime is hard enough. But proving guilt can be even harder.
Page 1 | Page 2 | Page 3 | All 3 Pages
With tools such as Vogon, the company's forensics specialist can examine the copy of the computer hard disk and uncover deleted files, secondary accounts, hidden files, encrypted files, files hidden in invisible partitions or alternate file streams, and uncover patterns in disguised files that give away their true natures. If the file is encrypted, it might not be possible to read it, but if the company has forbidden file-encryption in its policy document, the employee can still be dismissed.
However, proving that someone is responsible for the activities on his or her computer is a different matter from proving the computer was used for a crime. Police sergeant Gurpal Virdi was accused by the Metropolitan Police in 1998 of sending racist emails to himself and other officers.
While there were forensic blunders in the case that meant the wrong log was checked for evidence of his sending the emails, it was the physical evidence that proved his innocence – he was at another police station when they were sent.
“It's one of the hardest parts of forensics,” says May. “You can establish an email was sent from someone's email account, but you can't prove their fingerprints were on the keyboard at the time it was sent. I investigated a case where a machine had been implicated in sending pornography. The desk where it was situated had photographs of its owner's grandchildren on it – 60-year old women with grandchildren rarely distribute child pornography.”
May argues that companies need good authentication systems, strong password systems and a clause in the IT policy that makes it an offence for an employee to tell anyone their password. Physical security – in which people are restricted to areas to which they have access and nowhere else – needs to be enforced, even though there is “an English tendency” not to challenge people. He recalls a company where he found a complete stranger had walked in off the street and started using a terminal – without anyone challenging them.
Most cases of internal IT abuse rarely reach trial or even tribunal because of the costs and the difficulty of proving cases. Sometimes the investigation opens a “whole can of worms”, according to May, and individuals are implicated that management had not suspected. But without the tools, the policies and the methodology, a company can do little more than grin and bear it.
Page 1 | Page 2 | Page 3 | All 3 Pages