Fraud Bytes

To outsource or not? Deciding if you need a digital evidence forensic examiner

Date: May 1, 2006
Read Time: 8 mins

It's a common scenario. ABC Company's internal fraud examiner receives an anonymous complaint that John Doe in the sales department may be using his contacts and company relationships to cultivate his own business and undercut the firm. Supposedly, he intends to resign his position and take a portion of the firm's customers with him. It's a strong allegation. How do you proceed?  

If you've been paying attention to the ever-changing world of fraud examination, then you've no doubt considered acquiring the services of a digital evidence forensic examiner. You may have even thought of hiring an outside firm or bringing someone on staff to aid in ongoing internal examinations. Or perhaps you're still trying to decide if a digital evidence forensic examiner actually could add anything to your fraud examinations.

Let's start with terminology. A forensic expert in the field takes all precautions and uses best practices in handling all evidence - digital or otherwise - when preparing it for the courtroom. Also, the forensic expert has properly obtained and secured the evidence and has maintained a secure chain of custody. The digital evidence forensic examiner can also be called a computer forensic examiner, but the former title is now probably more appropriate because digital evidence is no longer confined just to desktop and laptop computers. It's contained in any electronic device that stores information: cell phones, pagers, cameras, PDAs, and other handheld devices. As companies move to a paperless culture, more evidence will be digital. Deleted documents, e-mail messages, visited Web sites, and evidence of installed software applications are just a sampling of the evidence that can be recovered by a digital evidence examiner. The registry (the internal database Windows uses to store information about installed hardware and software) in Microsoft's current offering, Windows XP, contains an incredible amount of additional information, such as Web site passwords and recently typed-in URLs for the Internet browser.

Digital evidence examiners are increasingly being used in litigation support and e-discovery requests. (Electronic or e-discovery is the process of requesting information in electronic form.) Electronic discovery represents a paradigm shift from traditional document discovery to this present age of digital information. Unlike paper documents that can go missing from a physical file, electronic versions of documents rarely can be destroyed completely in all their forms or from all the possible places they might be stored. You can use digital evidence forensic examiners to help craft the e-discovery request to find evidence as well as help in responding to such a request. Even though fraudsters may attempt to destroy digital evidence, a trained examiner knows where potential evidence might exist that the "wiping" software might have missed. Also, the digital evidence forensic examiner can report on the telltale signs that indicate fraudsters used a program designed to eliminate evidence.

The threat of identity theft and the need to protect consumer data mandate that an organization thoroughly investigate any security breach or theft of proprietary information. A digital evidence forensic examiner can play a key role by helping to determine the impact of a data security breach and how the breach occurred while protecting evidence for a possible future legal proceeding. Departing employees who have access to sensitive corporate data and later start their own competing firms might have stolen customer lists, financial records, sales presentations, etc. A digital evidence forensic examiner might be able to determine if that employee purposely removed, altered, or copied data that could be classified as trade secrets or intellectual property. Such evidence may lead to subsequent litigation to stop the former employee from violating a non-compete agreement or using the information for his new firm. A digital evidence forensic examiner with proper software tools could create an image over the network of a current employee's computer before any contact is made with the employee to validate a complaint of improper use. This examination might prevent the employee from attempting to delete potential evidence and preserves that evidence for possible future litigation. Such a resource for a business-to-business company could actually add to the value of its business relationships by helping assure that data shared will be protected.

You may now be saying, okay you've convinced me; I need to add the services of a digital evidence forensic examiner. But do I hire one, train someone already on my staff, or do I outsource? If I outsource, do I use a private investigating firm or an audit firm? Let's take a look at some of the pros and cons of these choices. (See chart below.) 

| In-house digital examiners: Pros | In-house digital examiners: Cons | Outsourced digital examiners: Pros | Outsourced digital examiners: Cons |
|---|---|---|---|
| They are there when you need them; you can deploy at any time or place in the company. | Examiner/s require regular training maintenance. | No ongoing overhead - the consultant arrives on engagement and departs at completion. | Learning curve to gain knowledge of systems. |
| They know the internal systems. | Upfront cost to acquire tools and software. | Broad experience with many systems and platforms. | Unknown personnel on site likely to arouse suspicion. |
| They know the corporate culture. | Upgrade and maintenance costs for equipment. | Brings situational experience and can aid in resolution. | Forensic engagements can run more than $1,000 a day and an unforeseen expense outside of budget. |
| Clear chain of command and good communication. | Experience limited to in-house systems. | Has no vested interest in maintaining employee friendships. | Examiner may not be immediately available due to other commitments. |
| Looking out for the company. | Acquaintance with other employees being investigated could create problems. | It's seen more as an impartial outside party. | Has limited knowledge of fraud schemes. |
| Fixed cost based on known salary and budget. | Risk that highly trained professional will be wooed away to another company if salary not competitive. | Should be experienced in expert witness testimony. | Doesn't know corporate culture. |
| May be cross-trained as internal investigator. | May have limited experience testifying in court if situation arises. | May acquire additional personnel as need arises to complete project. | Risks that communication isn't timely. |
| Can design chain of command to deter intentional scope limitations and/or intimidations by mid-level management. | Considerable time may be spent by examiner that could be classified as non-productive down time. | Should have all equipment available as needed to fulfill the mission of the engagement. | Engagement can be limited in scope by corrupt management and full investigation thwarted. |

If you're going to train someone already on your staff, purchasing needed software and hardware tools and training won't be cheap. You'll have to buy multiple software tools for cross-validation of results. You could buy hardware systems specially designed for computer forensic work or rely on those built by the examiner, which could be risky. The examiner will have to be trained to handle multiple operating systems, system configurations, and software tools plus possible certification. Most of the companies that provide products also provide training.

Because of the expenses of training an existing employee it may be more cost effective to hire an experienced examiner. But just remember that you'll have to also keep paying to train the hired examiner because of changing operating systems and fraudsters' techniques. So you'll have to consider if you're going to bring the skill set into the company or outsource it as needed. I can tell you from personal experience that no matter how little or great the need is today it will always increase exponentially as the company grows or lines of business change. Also, the examiner will be called upon more as the company, across all cost centers and departments, realizes the benefits that this skill set can provide.

The chart above is by no means an exhaustive list of pros and cons; you may be able to think of other factors in your own organization. It's important to remember that digital evidence gathering can also be used to exonerate an accused manager or employee, and that result shouldn't be discounted during an internal investigation. If you're still on the fence about the inclusion of computer forensics or digital evidence examination in your investigation process, it's probably time to make some decisions because sooner or later you'll be asked about digital evidence.

If you decide to outsource, contact several firms and evaluate which has the best program for your company as well as the type of fraud examination you need. This will help you decide whether an audit firm or private investigation firm is the right choice. Get references to learn how a firm helped in the resolution of an issue. Prepare a plan so your company is ready to respond before an incident takes place: know who you'll contact and what they'll do before it becomes an emergency situation that has you reaching for the first firm you can find.

If you decide to bring the examiner in-house, make sure you know what you're getting. Decide the level of experience you're looking for, what certifications he has, and if you intend on keeping him in-house. Compare salaries to reduce the possibility of losing the experience your examiner has gained.

Digital evidence allows fraud examiners to "fill in the blanks," analyze competing theories, substantiate a hypothesis, or take the investigation in another direction. Realizing that digital evidence forensic examiners can serve an important and vital role in a corporate investigation is the first step to improving the quality of the investigation and ensuring that vital evidence isn't overlooked or left out of the process.

Richard D. Cannon, CFE, CFCE, is the forensic technology director for the ACFE.

The Association of Certified Fraud Examiners assumes sole copyright of any article published on ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be e-mailed to: FraudMagazine@ACFE.com 
