High-Tech Snooping All in Day’s Work

Moving beyond merely monitoring employees’ Internet use, many of the nation’s largest companies are quietly assembling teams of computer investigators who specialize in covertly copying employees’ hard drives and combing them for evidence of workplace wrongdoing.

These high-tech investigators employ tools and techniques that originally were devised for law enforcement to catch criminals but that are now spreading rapidly in the private sector at Microsoft, Disney, Boeing, Motorola, Fluor, Caterpillar and dozens of other major companies.

The development, little known outside the narrow community of corporate security experts, is sure to raise tensions over workplace privacy in an age when the lives of millions of workers are inextricably tied to their office computers.


Employers say that their rush into the field known as “computer forensics” is a matter of self-defense, that being able to retrieve computer evidence is essential to their ability to catch employees engaged in everything from spending too much time surfing the Internet to stealing company secrets.

“People don’t always tell the truth about things,” said Howard Schmidt, head of corporate security for Microsoft. Their computers, he said, usually do.

But others question the need of corporations to target unsuspecting employees with the same forensic technology that police agencies use to investigate criminals. Employees subject to such searches face a level of scrutiny they may never have imagined. Investigators acknowledge that searches of computer hard drives routinely turn up embarrassing details about workers’ health problems, marital woes and financial difficulties.

“Pardon me for being a cynic,” said Lewis Maltby, president of the National Work Rights Institute in New Jersey, “but I don’t have total confidence in internal security teams to protect my privacy.”

Forensic work is a mix of daring and digital excavation. Investigators often sneak out late at night or use various ruses to obtain “mirror” copies of employees’ hard drives. Then they pore over the computers’ contents in excruciating detail, searching caches that few users even know about and resurrecting deleted files.

A recent search at one of Southern California’s largest assembly plants unfolded in typical fashion.


The investigator waited until midnight on a Sunday, when the plant was empty, its machinery motionless and thousands of computers had slipped into screen-saver slumber.

Stealing glances over his shoulder, he sat in front of the personal computer of a colleague who was likely home in bed. The detective spent half an hour making an exact copy of the hard drive, then retreated to an office lab. There, using an advanced new software program called Encase, he uncovered hundreds of pornographic images, more than enough to cost the worker his job.

“People don’t realize that the computer records everything,” said the company investigator, who spoke on condition of anonymity. “It’s better than an eyewitness.”

Surveillance Trend in Workplace

The rush into computer forensics is part of a broader surveillance trend in the American workplace. According to the American Management Assn., 45% of the nation’s large companies electronically monitor their workers, up from 35% two years ago. And under federal law, companies have an almost unfettered right to do so.

Because workplace computers are considered company property, employers are free to examine their contents without restriction. In fact, only in Connecticut are companies even required to inform employees if their computer use is monitored. California Gov. Gray Davis has twice vetoed legislation that would have set a similar standard.

For years, many companies have kept logs of employees’ Internet use and peeked into their e-mail. Now, corporate demand is rising for new types of surveillance software, from programs that record every keystroke to a new product from Raytheon called SilentRunner that spots suspicious clusters of activity on a company network.


Compared to other surveillance tools, forensics is more like a digital archeological dig. It involves sifting through a drive’s contents for evidence and handling it so carefully that not a single byte is altered.

Digital Evidence Is Turned Up

The Times interviewed more than a dozen corporate security specialists about the growing use of computer forensics by leading American companies. Citing concerns about the secrecy of their work, the investigators would describe specific cases only on the condition that their names and companies not be identified.

The investigators said their searches often turn up troves of digital evidence that lead to employee discipline or dismissal for violations such as stealing business plans, submitting phony expense reports and stockpiling pornographic pictures.

Often, they stumble into the unexpected. One investigator said he solved an embezzlement case at a publishing company after finding copies of e-mail confessions that a worker had sent to a Web site operated by a Catholic church.

The number of employees fired or disciplined for Internet-related crimes or company violations appears to be rising.

In July, Dow Chemical Corp. fired 50 employees and suspended about 150 others for swapping dirty jokes and photos via e-mail. That same month, Merck fired two workers and disciplined several dozen others for what the company called “inappropriate use of the Internet.” Last year, Xerox Corp. fired 40 workers and the New York Times terminated 23 employees at a data processing center for similar offenses.


As more and more companies crack down on computer-related misconduct, the demand for investigators trained in forensics has surged.

Microsoft Corp. had no forensic specialists three years ago, said Schmidt, former director of computer crime and information warfare for the Air Force Office of Special Investigations. Today, he oversees a team of five forensic investigators at Microsoft with a dedicated lab, handling about 60 incidents a month. Pornography downloads represent the bulk of the cases, he said.

Accounting firms, recognizing a new source of consulting revenue, are wooing some of the government’s top computer crime investigators. In 1998, Ernst & Young hired James Holley, also a former top official with the Air Force OSI. Since then, Holley has helped train and assemble a team that has grown to more than 120 forensic consultants.

Charging from $200 to $425 an hour, these consultants investigate everything from accounting irregularities to high-tech high jinks.

Holley said he recently was called in by a Canadian company to determine who had installed a camera that was transmitting pictures from under the desk of an unsuspecting female employee. Initially, the company asked a member of its own information technology team to investigate, but that worker claimed he couldn’t find any evidence.

“What the executive didn’t know was that the IT person was involved,” Holley said. After a follow-up search, Holley’s team recovered dozens of incriminating images from the culprit’s computer. “One was of that IT person sitting in the young lady’s chair, posing for the camera to make sure it was positioned right.”


Forensics isn’t magic. Once a piece of data is overwritten on a computer, it’s gone. But most computer users are unaware that merely deleting a file doesn’t erase it. So investigators depend in large part on the carelessness of users as well as the complexity of their machines. Computers tuck lots of information into crevices that most users can’t see or don’t understand how to clean out.

Microsoft Windows, the operating system used on 90% of the world’s computers, has been a boon to investigators. That’s because each succeeding version has generated a new thicket of caches and temporary folders that snag pieces of almost every file that appears on a user’s screen.

Until recently, extracting such evidence was almost the exclusive domain of law enforcement agencies that pioneered computer forensics.

Key Role in Solving Cases

Over the last decade, the FBI has gone from one computer forensic specialist to 30 in Washington and 140 others in field offices, handling 3,000 cases a year.

In Southern California, the budding science has played a key role in solving a number of high-profile cases, including the 1998 murder of a 7-year-old girl in a Nevada casino.

Police had physical evidence and surveillance video linking Jeremy Strohmeyer, a Long Beach high school student, to the crime. But when Strohmeyer entered a surprise guilty plea, it was largely because of evidence culled from his home personal computer, said Stewart Bell, the Nevada prosecutor in the case.


On Strohmeyer’s PC, police found hundreds of pornographic photos of children and text from a chat session in which he described fantasies about young girls 24 hours before molesting and strangling Sherrice Iverson. That evidence “helped cement him as the undoubted perpetrator,” Bell said.

Police used the Encase program to retrieve evidence from Strohmeyer’s machine.

Developed by Pasadena start-up Guidance Software Inc., Encase is part of a new breed of software that is doing for forensics what early Web browsers did for Internet navigation: turning a terribly arcane process into a simple point-and-click procedure.

Encase makes an exact copy of a drive without altering it, revives deleted files, scans for everything from pornography to bomb recipes, and spits out a report designed to pass muster with federal prosecutors. The software has reduced to hours work that once took days. And while previous forensic tools took months to master, investigators can become proficient with Encase after a weeklong training session.

Guidance got its first big contract, a $50,000 order from the Secret Service, in 1998. It has since been adopted by dozens of law enforcement agencies, from the Customs Service to the Los Angeles Police Department.

But over the last year, the company’s market has begun to shift heavily toward the private sector, said Sean McCreight, chief executive of Guidance. Its growing list of corporate clients includes Disney, Bank of America, Coca-Cola and Philip Morris.

Privacy advocates find the trend less than comforting, and they predict that companies will abuse the technology.


David Sobel, general counsel for the Electronic Privacy Information Center in Washington, said computer forensics is a perfect tool for inappropriate snooping on employees’ personal lives or smearing corporate whistle-blowers.

Officials for Boeing, Microsoft and other companies said they don’t launch forensics investigations unless there is evidence of wrongdoing from other sources. But others said that more mundane matters, such as the fear that a key employee might be considering leaving, could trigger an investigation.

And a growing army of forensic consultants is urging corporate clients to take such spying even further.

Mike Anderson, chief executive of New Technologies Inc., a Portland, Ore., company that provides forensics software and training, encourages his clients to copy the hard drive of any employee who leaves.

“We jokingly refer to [forensics] as truth serum,” he said.

There are new tools to thwart forensic searches. A program recently released on the Web called Evidence Eliminator claims to defeat Encase by wiping the areas where that program often finds evidence.

“If you do not use Evidence Eliminator,” the product’s Web site says, “you are a sitting duck.”


But usually, employees learn of forensic searches only after they’ve already been cornered. And experts said forensic technology is improving so rapidly that there is only one reliable way to cover your tracks.

“You want to know the best way to erase a hard drive?” asked Nick Barone, former head of the PricewaterhouseCoopers forensic lab. “Go to your local hardware store and get a hammer.”