White hat hackers hunt white collar crooks
1 April 2005
Pat Moran, who is director of Ernst & Young’s Risk Advisory Financial Services Group, heads up a team of 20 people who specialise in IT risk assessment, information security and computer forensics services. In the past 18 months, his team has been involved in the investigation of 78 cases in Ireland where their forensic know-how has been used to gather evidence of computer misuse. By contrast, he says, Ernst & Young’s office in Chicago has handled only 45 cases in the same period.
‘Many of the cases here involve intellectual property theft,’ he said.
A typical example would be an employee of a software development company who might be accused of taking a copy of the development code before leaving to join a competitor. In other examples, former employees have been accused of making copies of sensitive company data such as client details before leaving to set up in competition.
In such cases, Moran’s team has been called in to uncover evidence hidden in IT equipment that would prove or refute such claims. ‘If somebody had been using a company laptop to acquire or transmit such data, we can analyse the data on it and build up a picture of how it was used,’ he said. ‘Our procedures have been vetted by the Gardaí so that they can be used in court.’
Moran said that members of his team have been to court to give evidence in three cases already. ‘Legal action is still pending in about 20 to 30 per cent of the cases,’ he said, ‘and the rest have been settled out of court or at HR (human resources) tribunals’.
Moran’s team makes use of forensics software called EnCase, which can examine a disk drive for evidence of how the computer was used. Also used by the Garda fraud squad, it can recover deleted files and link activity on a computer to particular user IDs and passwords.
Moran says that using tools like EnCase makes it difficult for people to hide their tracks, even in cases where they have been careful and have defragmented their disks or flushed their Web browser caches to conceal evidence of files they have deleted or Web sites they should not have visited.
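The recovery Moran describes rests on a simple property of most filesystems: deleting a file releases its directory entry but leaves the data blocks in place until something overwrites them, so a signature-based scan of the raw bytes finds content the directory no longer lists. The Python below is an added illustration, not code from the article or from EnCase. It builds a toy disk image with a constructed directory table (the `ToyDisk` class, the sample PDF and PNG blobs and the `SIGNATURES` table are all made up for this example), marks one file deleted, and then carves the raw image by header and trailer signature.

```python
"""Toy illustration of why 'deleted' files stay recoverable.

Added example, not from the article or from EnCase. It models a minimal
filesystem as a flat byte array plus a directory table of
(name, offset, length, in_use) entries. Deleting a file only clears the
directory entry; the bytes remain in the data region until overwritten,
which is exactly what signature-based carving relies on.
"""

# Real PNG magic number and IEND trailer; the PDF markers are likewise the
# real ones. Everything else below is constructed sample data.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_TRAILER = b"IEND\xaeB`\x82"

# Signature table used by the carver: type -> (header, footer).
SIGNATURES = {
    "png": (PNG_MAGIC, PNG_TRAILER),
    "pdf": (b"%PDF-", b"%%EOF"),
}


class ToyDisk:
    """Flat byte array with a directory table; delete is an unlink, not a wipe."""

    def __init__(self, size=4096):
        self.data = bytearray(size)
        self.entries = []  # dicts: name, offset, length, in_use
        self._next_free = 0  # simple bump allocator for the data region

    def write(self, name, content):
        offset = self._next_free
        self.data[offset:offset + len(content)] = content
        self._next_free += len(content)
        self.entries.append(
            {"name": name, "offset": offset, "length": len(content), "in_use": True}
        )

    def delete(self, name):
        """Release the directory entry only; the data bytes are left untouched."""
        for entry in self.entries:
            if entry["name"] == name and entry["in_use"]:
                entry["in_use"] = False
                return True
        return False

    def listing(self):
        """What an ordinary directory view shows: live entries only."""
        return [e["name"] for e in self.entries if e["in_use"]]


def carve(image, signatures=SIGNATURES):
    """Scan raw bytes for header..footer pairs, ignoring the directory entirely.

    Returns a list of dicts (type, offset, data) ordered by offset. A header
    without a matching footer is skipped rather than guessed at.
    """
    found = []
    for kind, (header, footer) in signatures.items():
        start = 0
        while True:
            h = image.find(header, start)
            if h == -1:
                break
            f = image.find(footer, h + len(header))
            if f == -1:
                break
            end = f + len(footer)
            found.append({"type": kind, "offset": h, "data": bytes(image[h:end])})
            start = end
    return sorted(found, key=lambda rec: rec["offset"])


def demo():
    """Write two constructed files, delete one, and carve the raw image.

    Returns (directory listing after deletion, carved records).
    """
    disk = ToyDisk()
    # Constructed samples: a minimal PNG-shaped blob and a PDF-shaped blob.
    png_blob = PNG_MAGIC + b"\x00\x00\x00\rIHDR" + b"\x00" * 13 + PNG_TRAILER
    pdf_blob = b"%PDF-1.4\n% constructed sample\n%%EOF"
    disk.write("client_list.pdf", pdf_blob)
    disk.write("logo.png", png_blob)
    disk.delete("client_list.pdf")  # gone from the listing, not from the disk
    return disk.listing(), carve(disk.data)


if __name__ == "__main__":
    listing, recovered = demo()
    print("directory shows:", listing)
    for rec in recovered:
        print(f"carved {rec['type']} at offset {rec['offset']}: {rec['data'][:12]!r}...")
```

The carver never consults the directory table, so the PDF that was "deleted" is recovered from offset 0 alongside the still-listed PNG. The same idea, applied to a real disk image with a much larger signature set and proper handling of fragmentation, is what lets an examiner reconstruct files and browser cache contents a user believed were gone.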
He claims that because there are so many things you have to remember to do to disguise your actions, the chances of overlooking one or two of them are high. ‘There are software tools out there that can help you hide your tracks,’ he said, ‘but finding one of them on somebody’s hard disk would be a major red flag. They would have to explain what it was doing there in the first place.’
Moran offers a few possible reasons why misuse of computer resources is so high in Ireland. ‘We have a skilled workforce that is familiar with technology and knows how to use it,’ he said. ‘We have a lot of people who work in the IT industry, but there has also been a downturn in the economy and a lot of companies and jobs have disappeared. In those circumstances, the risk of intellectual property theft is quite high.’
He also agrees that the indifference of management in this country to IT security, compared with other countries, has made it easier than it should be for people to misuse computers. ‘We think of security and control as an afterthought, rather than something that should be built into our processes from the start,’ he said. ‘Many companies in this country have been burned because of that.’
He also points out that a very real danger to companies is the damage that can be wrought by a rogue employee, as opposed to the threat posed by an external source. By way of analogy, he says: ‘People are locking the doors and windows very well, but once somebody gets into a house, they are able to go anywhere they please. Most fraud historically has been perpetrated by current or former employees, so internal security needs to be improved.’
A trend that is becoming apparent in the forensics world is the shift from examining activity on a single PC to uncovering transactions between several machines on a network or even multiple networks. In the case of money laundering, computer forensics experts might be called upon to give evidence of transfers from one network to another around the world.