The Digital Trail of the Maltese Falcon: Private Investigations in the Information Age

What's the impact of IT on private investigations? Richard Power grills Ed Stroz about the field and what it means for CSOs, government and business.

These first two decades of the Information Age, i.e., the 1990s and the 2000s, have transformed almost all aspects of human endeavor, from bookselling to physics, from astrology to economics, and from pornography to politics; and the many ways in which the field of investigation has been impacted by information technology (IT) are of particular interest to me.

For example, in 1998, in my role as Editorial Director of Computer Security Institute (CSI), I interviewed the legendary private investigator Terry Lenzner. (He had solved the murder of three Civil Rights workers in Mississippi, and served as Assistant Chief Counsel on the U.S. Senate Watergate Committee and as President Bill Clinton's personal sleuth.) In the piece, we explored some of the evolving problems in the realm of on-line stock trading, etc. "The volume of on-line trades and the velocity at which they can be consummated has opened the door to all kinds of scams and frauds," Lenzner remarked, "including misappropriation by employees on trading desks who exceed their trading limits, the transmittal of information on the Internet in investor chat rooms being used anonymously by broker dealers to promote stocks or for shorting stocks. They are spreading false information about stocks going down." (World-Class Private Eyes Sharpen the Focus on Cyberspace, Computer Security Alert, 11/98).

Of course every human endeavor operates partly in light and partly in shadow; and, especially, in those fields that delve deeply into shadow, some succumb to temptation.

Secrets Stolen/Fortunes Lost also included a "Virtual Roundtable" featuring several thought leaders in thwarting intellectual property theft and economic espionage, including Ed Stroz of Stroz Friedberg.

Stroz had served for 16 distinguished years in the US Federal Bureau of Investigation (FBI), during which he established the New York City FBI computer crime squad, one of the first two in the country, and directed several significant FBI investigations, including the high-profile international case of Vladimir Levin, a Russian hacker who broke into Citibank. In 2000, Stroz founded a private investigation (PI) firm, and has assisted his corporate clients in responding to Internet extortions, denial-of-service (DoS) attacks, hacks and unauthorized access, and theft of trade secrets. He has also pioneered the concept of incorporating behavioral science into the methodology for addressing computer crime and abuse.

I consider him a valued colleague, and I was delighted to catch up with him recently to get an update on the evolution of corporate investigations in cyberspace.

Here are the seven questions I put to Stroz, and his insightful responses.

Richard Power: The ways in which the shift from the Industrial Age to the Information Age has revolutionized different fields of expertise and endeavors related to risk, security, privacy, etc. are of great interest to us all; and few are as fascinating as what the Information Age has meant to the field of private investigations, both for the corporation and the individual. It is something that I have been tracking for almost two decades, and that you and I have been discussing throughout. So for our CSO readers, give us your overview of where the field of private investigations was, technically and professionally, when you went into it after your years with the FBI, and where it is today, technically and professionally?

Ed Stroz: Private investigations are more important than ever, both for their private party clients, and for the government. Investigative skill is needed to address areas where suspicions or allegations have been made, but they also are being used for additional due diligence and assurance in the wake of financial scandals like that of Bernard Madoff. But today, private investigation requires updated skills.

As recently as the early 1990s, expertise in computerized technology was viewed as a tactical skill set within private investigative services. Today computer expertise is part of the necessary knowledge base in crafting an investigative strategy. For example, if a client thinks they are being "bugged" at home or work you would be remiss if all you did was "sweep" the office for listening devices. Today's investigator should have an understanding of spyware and sniffer technologies to even decide how to approach that type of engagement.

Another major change is brought about by the legal and practical limitations on government investigations. While the government has tremendous technological resources and expertise, those resources cannot be brought to bear in every investigation. And, putting technological prowess aside, the government is often restricted in what it is allowed to possess or view.

For example, a recent court case in the Ninth Circuit limited the government's ability to examine a single computer device seized under search warrant because of the intermingled information contained within that device. In other words, the government agents may have had legitimate rights to see some of the contents in a given device, but maybe not all of it. In those situations, a safe way to proceed and honor the valid interests of government and the valid interests of private parties is to have a carefully structured procedural protocol executed by competent private investigators, complete with an audit trail. Those services will increasingly be provided by the private sector in my opinion.

How has cyber changed private investigations, for good and bad? And how has the field risen to the challenges and opportunities?

Stroz: Cyber has brought more information onto the radar screen of private investigations. More information is generally a good thing, but you have to realize that not all information is factually correct. There is much more information to check and verify.

Just because it is on the Internet, or appears through a search engine query, does not mean it is accurate. However, even if the information is wrong, someone may have relied on it or used it in some way, and that fact could make it relevant to your client. Therefore a private investigation has to be able to consider all of these possibilities and bring experienced judgment about how to proceed.

I know that you and your team have developed several patented technologies, etc. to advance the work of private investigations in the 21st Century. Could you tell us a little bit about them, e.g., what they are, what they do, what problems they overcome, etc.?

Stroz: We have several patents under which we have developed proprietary software that performs "psycholinguistic analysis" of the language people use in their emails, letters, transcripts, and other sources.

Psycholinguistics uses insights from the field of psychology to help gain a better understanding about the intent and state-of-mind of people through their communications. This is important because much of the law is focused on whether or not there was "intent" associated with the actions of individuals. Intent is a critical element that must be established in most litigation.

In other instances, we use psycholinguistic analysis to study threat language or anonymous correspondence. Our software, which we call "WarmTouch," provides a better understanding of people and their communications with others because so much conversation is now in text form.

If you were to advise a C-level executive or a board of directors member on organizational structure, resourcing, capacity building, etc., within the space of cyber risk, security and privacy; how would you recommend they plan for their investigative needs? What does your relationship with clients who have a robust cyber risk and security program look like? What is the optimal way to involve a private investigations firm? What works? What doesn't? Of course, it is never good to be calling you *after* a situation has gotten out of hand, so what is the best way to be proactive?

Stroz: We advise executives on these issues now. Sixteen years in the FBI, and ten years in private sector consulting, provided convincing experiences for hiring a quality firm that is expert and experienced in investigations and incident response, and to meet with that firm quarterly. What doesn't work is relegating security responsibility too low on the corporate org chart and not having an executive-level champion. Partnering with a smart and experienced firm in advance allows the consultants to learn your company and its IT infrastructure and file storage systems. This knowledge is crucial in fast-breaking incidents where the difference between success and failure can be measured in hours.

An investigative firm should be cooperating and collaborating with general counsel, IT, and security. Each of those corporate functions has essential knowledge. An investigative firm should bring experience and insight from other incidents, and from dealing with the governmental authorities. Regular meetings provide the client with important briefings and discussions. It's important to have a firm with a strong legal orientation to ensure that the evidence gathered during an incident will be admissible in court.

Of course you can't talk about specific clients or cases, but what kind of mix of types of investigations are you handling? What kinds of investigations are common? Do these cases typically involve criminal and civil issues or likely one or the other? Can you give us a couple of sanitized examples?

Stroz: Most of our engagements involve actual or expected litigation. Our clients are usually in a civil litigation, regulatory inquiry, or criminal investigation. The specific types of problems our clients face are regulatory inquiries; data breaches resulting in compromised trade secrets, personal identified information, secret insertion of sophisticated spyware onto their computers, evidence of fraud that could only be uncovered with digital forensic skills, extortions, and threats delivered via email.

What does the field look like now professionally? What kinds of roles and responsibilities have evolved in a practice like yours? What are the professional opportunities for technologists and for law enforcement professionals looking for a future in private investigations in the 21st Century?

Stroz: Private investigations are usually conducted by licensed professionals in this field. Traditionally, the expertise required to conduct private investigations was obtained from working in an experienced firm, or from law enforcement experience. As I stated earlier, having expertise with computerized systems and data was viewed as a tactical specialty called in when needed, much like having a technician perform a "sweep" to check for listening devices ("bugs").

Now, having some level of expertise with computerized systems and data is a strategic requirement in many cases. Just look at the presence of email in investigations. A competent investigative strategy requires expertise with computerized data in almost every investigation, including forensic accounting.

Let's close by talking about where we are now versus where we are going in the field of private investigations. What are the challenges that are yet to be overcome? What are the opportunities that have yet to be taken advantage of? What new challenges lie ahead? What new opportunities do you see?

Stroz: Private investigations are going to be more important and in greater demand than ever for many reasons. Let's start with recent developments evolving under the law. A recent Ninth Circuit Appeals court ruling in the Balco investigation found problems with the way government agencies were able to seize a computer and investigate its content. While a computer is a single piece of hardware that can be seized legally, it contains large quantities of intermingled data, some of which may be legally protected from being viewed by government agents, or just irrelevant to the evidence sought by the court order. How do the government's legitimate law enforcement access rights get executed, while ensuring that legally privileged and confidential information is shielded from view?
