By the time René Hamel gets a phone call, it’s usually too late — the crime has already been committed.
When Hamel’s phone rings, it could mean that a company’s security systems have been breached and its property plundered, that an overly trusting firm has been defrauded or that a threat has
been made. But those responsible are no ordinary criminals. The route these thieves take to get to their goods are electronic circuits. The tools they use to break in are illicitly obtained passwords. And their spoils often consist of intellectual property.
Hamel, the vice-president of computer forensics services at investigations firm Inkster Group of Toronto, helps track down the bandits with the help of his colleagues. On a typical day, Hamel might get a phone call or two from companies seeking his help while he continues to collect evidence and track down the guilty party in ongoing cases. The companies that have been victimized go to organizations such as the Inkster Group because they want to, if at all possible, avoid the publicity that comes with going to the police. They don’t want their customers and partners to know that they hadn’t properly fortified their systems and that perhaps they can’t be trusted with sensitive consumer information.
Among the phone calls Hamel receives on what for him is an ordinary day — and what for the caller has often set alarm bells ringing — is a call from an organization that’s received a threatening e-mail and one from a company that suspects an individual has illegally obtained information it sells on a subscription basis. Subscribers pay the company to get a hold of the information and agree not to pass it onto anyone else. However, the vendor suspects that one of the employees of a subscriber company has been passing the information to an ex-employee who has gone into business for himself. It wants to prove that the information the individual is using to attract clients has been obtained illicitly so that if he doesn’t own up and agree to play fair, it can make an example of him.
Hamel’s task will be to prove the information the individual in question is using came from the subscriber company employee. He’ll probably start by exploring the possibility of either seizing or imaging the computer. To do this, he will need a civil search warrant.
With a criminal warrant, police can kick down doors and seize anything they want. With a civil warrant, police can be on hand to keep the peace, but if the person who’s premises are being searched doesn’t want to open the door, he or she doesn’t have to. However, if people served with civil warrants don’t comply with them, they can be found in contempt of court.
Once a computer has been seized, a bit stream image is taken of it, and it’s locked up so that it can be used in court later if needed.
“”Our group is trained to protect the integrity of electronic evidence,”” Hamel says. “”We take a picture in time of the electronic evidence. It’s like a crime scene. But instead of putting it in a bag, we put it in an electronic container so that it’s not tampered with before it gets to court.””
Locking down the evidence
The Inkster Group works off a backup while the original hard drive remains locked up.
All companies should have a secure locker where they can put computers in case an incident occurs, Hamel says.
“”You can freeze information and then argue with lawyers about what should be done.””
A case can be thrown out even if a smoking document is found and a person can be placed behind the keyboard if proper procedures aren’t followed.
Placing people at the keyboard at the time a computer was used to commit a crime means going through their records, phone calls and e-mail, looking at swipe card data and building camera footage. “”You put all that together and the judge (says) there’s enough circumstantial evidence to (indicate), ‘Yes, this person is involved.'””
Once the computer has been secured, Hamel and his colleagues look through hard drives for evidence. Even if documents are erased, they can still be discovered, or meta data can be found about who last modified a document. Hamel, an ex-RCMP officer with 16 years on the job, also interrogates suspects.
The Inkster Group uses the information obtained by talking to the suspect to help guide them in their search through the hard drive, says John Young, a computer forensics examiner with the company. The suspects often give up more information than they intended, he says.
Companies don’t take the proper measures to protect themselves, Hamel says. They often hand over their most sensitive information to the new guy without doing a background check, he says.
No one likes to do network back-ups, and so that job often falls on the newest addition to the IT department.
“”In Canada, we’re a trusting culture, and people are always surprised,”” Hamel says. He encourages companies to do background checks on employees.
The most interesting case he’s dealt with involved an individual who’d discovered a way to make purchases with Interac but have the transaction cancelled once he had the goods.
The individual got greedy and began making very large purchases with his card, so the bank flagged his file.
The process the individual used to cancel transactions was complicated enough that he needed to keep a checklist, which was found hidden on the slack space on his computer.