Former FBI special agent Gary Rittenberry sits before a computer monitor, tracking a white-collar criminal. With a few clicks of his mouse, Rittenberry, a high-tech sleuth for the accounting firm Deloitte and Touche in Dallas, follows digital footprints through an enormous maze of data—names, addresses, phone numbers, Social Security numbers, check numbers, and information taken from invoices. A software program takes the mass of data and converts it into a graphic image that looks like a multispoked, multicolored wheel made up of tiny lines. Each line connects pieces of information that are potentially the red flags of fraud. It might be an address for a dummy corporation set up by employees hoping to skim money by using fake invoices, or a suspicious-looking message from an employee to an outside company. “You see a situation that the data says is there,” Rittenberry says, pointing to the screen. “Then you have to say, ‘All right, if I were a crook, how would I do it?'”
As anyone who works in an office knows, it is now almost impossible to embezzle money, steal trade secrets, run calling card scams, and commit Medicare or securities fraud or a host of other white-collar crimes without using a computer. That, in turn, has spawned a new breed of crime fighter: former FBI agents, ex-cops, and ex-prosecutors who, like Rittenberry, have found new careers in the private sector as “computer forensics” investigators. Instead of collecting physical evidence such as fingerprints, hair, and fibers, they look for digital electronic information in data files. Then they recover, analyze, and protect the pertinent data. “We’re kind of like a Sherlock Holmes on a hard drive,” says David Wilson, a forensics and electronic-discovery specialist who works in Deloitte and Touche’s new computer lab in a windowless office in downtown Dallas.
Deloitte and Touche’s business is booming too. That’s because many companies refuse to go to the police. They simply don’t want to admit publicly that their computer systems have been successfully breached. The cops are also less effective: Public agencies have been hamstrung by a lack of money and expertise, and there is a tremendous backlog of computer-related cases in the justice system in Texas and elsewhere. As a result, Deloitte and Touche and most of the other big accounting and consulting firms have launched themselves into the computer forensics business in the past few years. Many have recruited former law enforcement officials to run their practices, which mostly involve going after financial fraud or theft of trade secrets. Deloitte and Touche hired Peter McLaughlin, a former senior member of the Royal Canadian Mounted Police, as the director of their forensic accounting services. Arthur Andersen hired J. Roger Schermerhorn, a former senior engineer for information-system security at NASA’s Johnson Space Center, to set up a global electronic-security team in Houston. What they offer companies is the ability to conduct a discreet internal investigation.
They have found a remarkably fertile field. Not only are most financial transactions posted on computers these days, so are government secrets, proprietary business information, and personal health records. (Even drug dealers put their records and inventories on computers.) And technology has created entirely new crimes, like hacking and the planting of computer viruses. Witness the computer crime spree earlier this year when hackers shut down major Web sites like Yahoo, eBay, and Amazon.com, and the ILOVEYOU virus infected computers via e-mail. And Texas is rife with it: The state ranks near the top nationally in computer crime because of its size, huge high-tech industry base, and concentration of workers skilled in computers.
It’s almost impossible to tell just how much computer fraud is costing companies and public agencies, since less than half of the companies in a recent survey by the Computer Security Institute would put a dollar value on it. But 90 percent—primarily large corporations and government agencies—detected computer-security-breaches during the past twelve months. Seventy-one percent said there had been serious breaches involving theft of proprietary information, financial fraud, system penetration by outsiders, and sabotage of data or networks. The Association of Certified Fraud Examiners, which is based in Austin, estimates total fraud and abuse losses to U.S. companies at $400 billion.
“There’s no way to measure empirically the real amount of fraud that goes on because so much of it is not reported and so much of it is not recovered,” says Joseph Wells, a former FBI special agent and the chairman of the Association of Certified Fraud Examiners. It’s also much easier to hide, remove, manipulate, or destroy information with a computer. “It used to be that if I were to break into your safe and steal the $1 billion that your company had there, you would notice it was missing,” Arthur Andersen’s Schermerhorn says. “Today, if I intelligently come into your virtual safe and steal your intellectual property, you don’t know that I’ve taken it, nor do you know what I’m going to do with it and how it’s being used until you begin to see symptoms.”
Finding out how or whether a computer crime was committed and repairing the damage is where the private eyes come in. They are trained specifically in how to recover and reconstruct “erased” files. In one case the Deloitte and Touche team investigated, employees of a Fortune 500 company stole trade secrets and sold them to a foreign competitor. The employees were engineers and were quite adept at covering their tracks, even “scrubbing” deleted files so they couldn’t be easily traced. Though the employees denied the existence of the files, Deloitte and Touche’s investigators were able to retrieve them. “They said they would never talk to anyone in this foreign country, that they didn’t know any of these people,” says Eric Schwarz, one of the Deloitte and Touche team’s key investigators and the head of its national computer lab. “And yet proprietary documents for the stolen technology, converted to the language of the foreign competitor, were found. We also found the head of the foreign company—his name, phone number, address, and everything—left in a remnant of a ‘delete’ entry on a Palm Pilot.” Deloitte and Touche’s work allowed the company to confront its employees with specific knowledge of what they had done. (The case is ongoing.)
In other situations the computer criminal’s intent may not be greed but malice. Schermerhorn recalls a case involving a disgruntled employee who left a company to work for a competitor. He wanted to make his new employer look good, so he broke into his former employer’s computers and electronically changed the software that managed the production of the company’s main product so that it wasn’t up to the normal quality-control and -assurance standards. When consumers bought the product, it didn’t work. “The whole company was predicated on the accuracy of this data,” Schermerhorn says. Arthur Andersen’s team identified the problem and its source, corrected the data, and put in protective measures so the breach wouldn’t happen again.
Gathering and preserving electronic evidence is a lot different from the old days, when boxes of file folders would be seized and manually examined without disturbing the information. It turns out to be one of the most sensitive, difficult parts of the computer forensics business. That’s because even the simplest of acts can alter such evidence. “As soon as someone turns on that computer, the files are changed,” Schwarz says. “Just like booting it up. Dates and times are changed.” Federal rules of evidence dictate that for something to be admissible in court, it has to be deemed an exact duplicate. So if Schwarz has to retrieve evidence from a hard drive, for example, he’ll make a duplicate copy and examine that. “The original is never touched,” he says. “It sits pristine.” Law enforcement officials themselves sometimes inadvertently mess up electronic evidence. “In the O. J. Simpson trial, it was alleged that physical evidence had not been handled properly,” says Mike Morris, an FBI special agent in Dallas who handles computer crimes. “The problem with digital evidence is that a lot of the time, federal agents or state and local officers don’t consider this box as evidence. They think they know how to use a Mac or Windows, so they fire up the computer and click through it. It’s equivalent to walking through the crime scene.”
Because of their expertise in handling evidence, private computer experts often are brought in by courts to conduct electronic discovery in lawsuits. It is one of the most important things they do. “Attorneys don’t just subpoena print documents anymore,” Deloitte and Touche’s Wilson says. “They’re looking for every e-mail and file that exists on computers.” And the courts increasingly are seeking neutral computer experts in legal proceedings. In those cases, the court hires an independent expert paid for by all parties. The expert’s job is to make sure that each side gets the electronic evidence it’s entitled to, that the data requested are relevant and responsive, and that no privileged data are released. Often, Deloitte and Touche’s Schwarz says, opposing attorneys will subpoena huge amounts of electronic data that are irrelevant to the suit. “We’re seeing a growing trend where some plaintiffs attorneys are using electronic discovery, due to its cost and complexity, as a hammer in pretrial negotiations, trying to force a settlement,” Schwarz says. The expert-witness business now accounts for about 30 percent of Deloitte and Touche’s forensics and electronic-discovery practice.
Though the private forensics experts have all sorts of new software and tools to speed the process of tracking down computer criminals, they say technology can never replace old-fashioned detective work. “It’s not about being computer literate; it’s about investigative skills and being able to think like a crook,” Rittenberry says. “There isn’t a black box that finds fraud.” Says Arthur Andersen’s Schermerhorn: “You’re matching wits.”
The reason Schermerhorn and Rittenberry and other private sleuths get so much business is that the cops are often overmatched, especially outside the major cities. Police officers in Allen, a high-tech bedroom community north of Dallas, find themselves tracking a raft of ingenious computer crimes, even though they have no formal training. Charles Cook, a criminal investigator with the Allen Police Department, has worked on cases involving e-mail threats made against the high school, fraud cases involving eBay, credit card thefts in which thieves used stolen numbers to access pornographic Web sites, a high-tech thief who decided to steal his former employer’s star software program, and members of a group called the Allen Prankstaz who set portable toilets on fire and bragged about their antics on their Web site. Cook has some background with computers, but like many others in law enforcement, he says he finds technology changing at such a dizzying rate and computer crime growing so fast that he needs help keeping up.
This fall he’ll get that help. As part of a major effort by public law enforcement to catch up with private computer-crime investigators, Cook is one of the first students at a high-tech crime lab that will open this fall in Dallas. The lab, a collaboration between the FBI’s Dallas division and U.S. Attorney Paul Coggins’ office, will train investigators from police departments in North Texas and from various federal agencies in methods of handling electronic evidence. When it opens in Dallas’ West End, it will be only the second such lab in the country (the first one opened last year in San Diego). Within a year the FBI expects to have sixteen field examiners trained and actively working on cases. Though it is a major sacrifice for a small police department like Allen’s to commit an investigator full-time to the lab, Allen police chief Bill Rushing says he thinks it’s worth it. “What we’re trying to do is to stay ahead of these crimes,” he says. “We’ve got to be progressive.” As progressive, at the very least, as the crooks who are using computers to commit their crimes.