Advertisement
Advertisement

Investigations must play by the rules

Danyll Wills

The American television drama CSI (Crime Scene Investigation) has been one of the most popular programmes worldwide since first broadcast in 2000.

In some episodes the programme will deal with data on a computer which the team will extract for legal purposes. This is called forensic computing and it is a growing industry in America and other parts of the world.

Richard Kershaw is one of a handful of experts in Hong Kong with considerable experience in this area. He is vice-president and head of forensic technology at Hill & Associates, a company specialising in nearly all aspects of security.

Mr Kershaw likes to compare what he does with somebody discovering a piece of paper with a signature on it. If you write a confession on that paper just above the signature, will it be believed? Will it stand up in court?

'Private sector consultants such as myself are normally asked to assist a corporation conducting an internal investigation. This may eventually result in termination or a criminal complaint, so all computer forensic investigations must abide by the strict criminal procedure rules,' he said.

Kroll has been in this business for many years and recently set up a forensics laboratory in Hong Kong. Scott Warren, Kroll's managing director responsible for computer forensic, e-discovery and intellectual property protection practice groups in Asia, said this kind of activity went hand-in-hand with the digital world. 'As more companies go digital, our services become more important.'

Mr Kershaw said that the roots of computer forensics were in criminal law, but now that civil law was getting involved, certain things were changing.

'There are numerous differences between criminal and civil procedure. Criminal procedure talks of suspects and assumes there will be no co-operation. In civil procedure, the parties are - in theory at least - appealing to the court for arbitration.

'Everyone is supposed to play nicely together and no information is supposed to be withheld,' he said.

Of course, things do not work like that in reality. Nevertheless, computer forensics experts now talk about custodians of data rather than suspects because it is a far more neutral-sounding word and will not prejudice a case.

The real shift in this, however, is the move from paper to digital.

If, for example, an employer suspects an employee is stealing data, it is unwise to copy the employee's e-mail. The information should be obtained in a proper way.

'A scalpel in the hands of a thug is a knife. There is no such thing as a court-authorised computer forensic software tool. Many have been validated in court as part of a process, but that is not the same thing. The only forensic tool to pay attention to is the forensic examiner's brain. The use of ordinary software tools in a forensic manner will stand up in court, provided there is rationale and process,' Mr Kershaw said.

Mr Warren said that other factors made forensic computing important, especially in Hong Kong where people moved around a lot. 'The high turnover of employees [here] means that protecting IP is very important,' he said.

One service Kroll provides is taking a digital image of any notebook computer of an employee who is leaving or is fired. This is especially true and necessary if that employee is a member of senior management. It is vital, according to Mr Warren, because America and Europe have begun to create corporate governance laws and many companies in Asia are doing business with America and Europe.

Mr Kershaw said that the IT department need not be redesigned to prepare for e-discovery and that the e-discovery market was growing.

'This e-discovery is gaining a lot of attention and teams are being formed to address corporate litigation preparedness.

'This is, to my mind, reinventing the wheel. The information security function of the company will have gone through the process of identifying and classifying information so they can protect it appropriately. By default, they know what systems they are on and it is this systems information the forensics consultants need to plan for its preservation and collection,' he said.

This is a complex world and it is likely to get even more so as people try to work around the technology. So far, the forensic computer specialists seem capable enough. Time and a few law courts will decide if that is true.

Post