Page last updated on Thursday, December 1 2005 at 1649 UK

Handling a Scandal

by TKMs Director of Computer Forensics, Thomas Moore

How often do you open the business section of a broadsheet newspaper and find a headline covering the latest corporate scandal? In the past few years, we've seen Worldcom, Tyco, Enron and many more companies demonstrating just how accessible they are to fraudsters.

These three companies all have one thing in common: they were attacked from the inside. It's tough to combat illicit behaviour when it's driven from the top of the corporate pyramid, but the least any company can do is put in place a mechanism to deal with the problem as soon as it comes to light.

These days, most corporate scandals involve accounting irregularities, data security leaks and potentially damaging statements made in e-mail messages. It's easy to see, therefore, why there's plenty of work for computer forensics specialists like me, who spend most of their time using sophisticated software to rummage through terabytes of data recovered from computer systems and storage media. The goal is always the same: find the smoking gun.

I've never drawn a blank, but the process of sorting through huge volumes of data and recovering lost and destroyed files is time consuming and that means a hefty invoice for the company in trouble. I'm not trying to deprive myself of work here, but most companies could save a lot of time and money by putting in place a good incident response plan before disaster strikes.

Chief information officers (CIOs) need to take the lead in this by making sure that potential evidence is preserved automatically and in a way which makes it useable if the worst happens. Simple things like turning on automatic network and e-mail logging will cost nothing but provides a detailed audit trail. Since e-mail communications are often an excellent source of information, make sure that central e-mail stores aren't set to purge too soon; the longer the better when it comes to reconstructing deleted messages.

The first few hours of any investigation are golden. Mistakes made at the outset can be very difficult to put right, so develop an incident response procedure and practise it. Make sure it specifies a 'neutral' person who will take responsibility for chain of evidence. As CIO, don't be tempted to destroy or hide evidence in the hope of protecting the company or fellow executives - gaps are easily visible in an investigation and the digging doesn't stop until they're filled.

Above all, remember that the foundation of an investigation is reliable evidence. If in doubt, don't touch anything. Safely isolate equipment and storage media, physically disconnect networked systems and call in some expert help.

With proper planning, an internal debacle need not turn into a public scandal and that can only be to the good of the company, its employees and officers.

Thomas Moore is Director of Computer Forensics for TKM Technologies Ltd. He consults for a number of other companies and regularly helps to salvage evidence and reputation from corporate wreckage. You can contact him by e-mail to thomas@tkmtechnologies.com

Print page Print this article