Despite its name, the Deloitte & Touche computer forensics laboratory looks less like a cybercrime research facility than a clandestine Internet café. A single counter of perhaps two dozen PCs lines one wall of a narrow, windowless room. Two young men, casually dressed, stare at monitors and tap away at keyboards, occasionally exchanging a few words. Boxes of hard drives and miscellaneous equipment sit stacked against the opposite wall. A manager comes by and asks whether anyone wants coffee.
The similarities end there. None of the computers, neither the PCs nor the two refrigerator-size servers that sit in an adjoining room, are connected to the Internet. The hard drives are not replacement parts, but rather exact copies of the hard drives of employees that Deloitte clients suspect have committed financial fraud. (The copies are captured by a “night team” that arrives at an employee’s office after hours and is so careful to leave no trace of its presence that its members take a digital photo of the desktop, allowing them to perfectly reposition everything from the mouse pad to the ballpoint pen.) The two young men are not playing games, but running special software that can rifle through thousands of electronic documents, E-mail messages, and any other computer files that might constitute a paperless trail of wrongdoing. There are few secrets here: even when erased by their creators, those documents and messages almost always leave an image behind that can be found and captured by forensics experts.
The company operates 10 labs around the country. Business is booming, which is not good news. Accustomed to spending more on computer security year over year, usually with the aim of keeping data safe from outsiders, companies may be dismayed to realize how often the threat lurks from within. The 2002 Computer Security Institute/FBI joint survey on computer crime and security found that theft of proprietary information and financial fraud were the two most significant problems as measured by dollar loss. While hackers can and do engage in both types of abuse, in most cases employees are better positioned to do so.
And they do. Last November, two former accountants at Cisco Systems Inc. received 34-month jail terms for using their access privileges to Cisco’s computer systems to credit themselves with nearly $8 million in company stock. This past March, a former database administrator at Prudential Insurance Co. was charged with money laundering, credit card fraud, and identity theft amid allegations that he copied personal information on 60,000 employees and attempted to sell the data over the Internet.
At Deloitte & Touche, evidence uncovered by its forensics experts helped to convict a purchasing manager at the Giant Food supermarket company in Landover, Maryland, of taking more than $600,000 in kickbacks from suppliers. He awaits sentencing pending the completion of another trial involving a co-conspirator. John O’Connor, a partner at Deloitte & Touche whose law enforcement experience includes a stint at the U.S. Attorney’s Office in Boston, says such cases, known as “procurement fraud,” are becoming more common; in fact, Deloitte recently launched a specialized service to help companies prevent such abuse.