Our internal investigations have come a long way since the nervous nights of skulking around offices. Some years back, the place I worked went through significant changes that caused great upheaval and stress throughout the workforce. Most people accepted the changes and dealt with them professionally. A few people didn’t have the necessary coping skills, and they acted out. One way of acting out came in the form of anonymous letters sent to the board of directors, executive management and a few senior people in some of our sales offices. The letters were not complimentary of the corporate leadership, and a disruptive buzz began around the company.

Management wanted to locate the source and choke it off, and that was where I came in. I was asked to do some sleuthing and figure out who was behind the letters.

Because the letters were apparently typed on a computer and then laser printed, it seemed logical to look for trace evidence on people’s PCs. With hundreds of PCs as potential crime scenes, we tried to narrow the field by assembling a list of possibly disgruntled employees. The list included about two dozen people who all worked on the top floor of the building. I did some initial reconnaissance and figured out where all the offices were. Because this event occurred before the days of sophisticated forensics tools, I also prepared some diskettes with homegrown search routines.

To avoid tipping my hand and generating a lot of commotion in the work area, I planned to come into work at night after people had left for the day. Armed with a floor plan marked with the suspect device locations and my programmatic burglary tools, I rode the elevator to the top floor and began my search. With so many devices to search, I had to move quickly and methodically. I found a workstation, booted it up, write-locked it and started running my tools. I had four tool diskettes so that I could simultaneously search four devices.

The work areas were vacant. The cleaning people had come and gone, and the lights were off. I felt every bit the Watergate burglar as I quietly went from desk to desk, office to office in my search. I was surprised that my padding about the workplace at night invited not one visit from the building’s security guards. (Those were the days, too, before 9/11 and increased physical security.) I felt sneaky and creepy as I violated the sanctity of each personal work space. Although the offices were company property and nobody had a legal expectation of privacy, it still felt wrong to be poking around other people’s stuff. As I moved aside knickknacks, family pictures and other personal items, I used as much care and respect as I could.

After hours of scanning for certain keywords that appeared in the anonymous hate mail and more hours analyzing the logs my programs had generated, I ultimately came up empty. If the letters were typed on a computer and printed on a laser printer, it wasn’t on one of the machines I searched.

In the end, it wasn’t my high-tech snooping that solved the case. The case was solved through handwriting comparisons done on the envelopes. Sure enough, the culprit was one of the two dozen “persons of interest” on the list.

That Was Then

Since that time, our computer forensics activities have grown much more sophisticated. We work in teams of two now. One person serves as the scribe and keeper of the checklist that helps ensure all important steps are taken. The other person disassembles the PCs, pulls the hard drives and restores the workstation to the previously unaltered state. We alert the building security people, partly as a professional courtesy and mostly to minimize the risk of being confronted by the targets of our investigations. During one nocturnal investigation, I was at the workstation of an employee when she suddenly appeared! Like the Grinch nimbly providing an excuse to little Cindy Lou Who, I came up with a reason for having her PC apart.
“This PC appears to be infected by a virus that’s attempting to propagate across our network,” I said. “I need to take it over to our lab to remove the virus. I should have it back in a few hours.” And off I went.

Today, the building security people disallow access for the “people of interest” that we’re investigating by disabling their ID badges. We also take along radios that operate on the channel that the building security folks use. The radios allow the two areas to share information about the movement of people, the location of offices and anything else that might come up.

Our burglar tools also have grown in sophistication. Computer forensics software available today automatically searches, sorts and analyzes files. We also know enough to bring hand tools, Mylar antistatic bags, a digital camera and self-adhesive labels for tagging evidence.

In the interest of speeding evidence acquisition, our investigators practice disassembling PCs in the lab. Different PC cases are screwed and latched together in different ways. When the clock is ticking, there’s no time to fumble around looking for unlatching mechanisms. It’s better to rehearse so that, come show time, they don’t lose precious minutes.

When investigators are seeking evidence from the devices of people who are still employed by the company, they use guile and stealth to keep the investigation secret. Innocent people must be shielded from unwarranted suspicions, and of course the investigators don’t want to tip their hands to those who may actually be guilty. Investigators usually perform searches after hours when people aren’t around. If the device involved is a laptop that the user takes home at night, they may use deception to obtain the device during regular work hours. On one occasion the investigators caused a message to appear on an employee’s PC indicating that a virus had been detected. The message instructed the employee to call and report the problem, which he dutifully did. The investigator answered the call and offered to send someone right away to collect and repair the PC. The caller was pleased with the excellent service, and the investigators got the evidence they were seeking.

The best investigators I’ve worked with are not only careful and methodical but also creative. During one investigation many years ago, we needed to figure out who was inappropriately using a particular PC. There weren’t any surveillance cameras in the work area back then, so the investigators had to improvise. They removed some of the guts of an older PC and installed a Web camera in the void that was created. The camera peered out through the diskette drive slot, and the “floppy cam” was born. The investigators captured the nefarious activity in irrefutable detail.

The Paper Trail

Since the nervous early days of using simple hexadecimal editors as computer forensics tools, skulking around in offices at night and figuring things out for ourselves, our investigations have settled into a careful, deliberate rhythm. Today we assume that every investigation might lead to litigation. It’s one thing to capture evidence for your own purposes, and another when the courts get involved. We expect attorneys to challenge our evidence-gathering procedures, so we take extra care to ensure those procedures are sound. We use the same software as most law enforcement agencies and follow industry-accepted procedures. We use digital cameras to photograph the work areas we target and use checklists to document every step. Our goal is to provide solid evidence to our lawyers so that their cases hold up in court.

Documenting your work is the least exciting part of most investigations, but it may be the most important part. When it comes time to go to court, an investigator’s best friend may be her case log book and associated documentation. Without carefully gathered evidence, most cases will fall apart under attack by knowledgeable attorneys.
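The keyword sweep from the first investigation and the documentation point above, as an added example that is not from the article or its author. It does in Python what the homegrown diskette tools did: scan a drive image for keywords taken from the letters, record each hit with its byte offset, and tie the hits to a SHA-256 of the image so the log can later be checked against the evidence. The image bytes, the case ID and the examiner name are constructed placeholders.

```python
"""Keyword sweep of a drive image with an evidence log.

Added illustration, not code from the article. SAMPLE_IMAGE is a
constructed stand-in for a raw image read from a write-blocked drive;
case_id and examiner are placeholder values.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample: ASCII text, a UTF-16LE fragment (how Windows word
# processors often store text) and filler bytes.
SAMPLE_IMAGE = (
    b"\x00" * 64
    + b"Dear Board of Directors, the leadership has lost its way..."
    + b"\x00" * 32
    + "The executive team must resign".encode("utf-16-le")
    + b"\xff" * 40
)

ENCODINGS = ("ascii", "utf-16-le")


def build_patterns(keywords):
    """One case-insensitive byte regex per keyword and encoding."""
    patterns = []
    for kw in keywords:
        for enc in ENCODINGS:
            pat = re.compile(re.escape(kw.encode(enc)), re.IGNORECASE)
            patterns.append((kw, enc, pat))
    return patterns


def sweep(image, keywords, context=16):
    """Return every keyword hit in the image, sorted by byte offset."""
    hits = []
    for kw, enc, pat in build_patterns(keywords):
        for m in pat.finditer(image):
            start, end = m.span()
            window = image[max(0, start - context):end + context]
            hits.append({
                "keyword": kw,
                "encoding": enc,
                "offset": start,
                "match": m.group(0).decode(enc, errors="replace"),
                "window_hex": window.hex(),   # raw bytes around the hit
            })
    hits.sort(key=lambda h: (h["offset"], h["encoding"]))
    return hits


def evidence_log(image, keywords, case_id, examiner):
    """Bundle the hits with what a case log needs: who, when, hash, size."""
    return {
        "case_id": case_id,
        "examiner": examiner,
        "scanned_utc": datetime.now(timezone.utc).isoformat(),
        "image_sha256": hashlib.sha256(image).hexdigest(),
        "image_size": len(image),
        "keywords": list(keywords),
        "hits": sweep(image, keywords),
    }


def verify_log(log, image):
    """Re-hash the image and confirm the log still describes it."""
    return (log["image_sha256"] == hashlib.sha256(image).hexdigest()
            and log["image_size"] == len(image))


if __name__ == "__main__":
    log = evidence_log(SAMPLE_IMAGE, ["leadership", "resign", "Director"],
                       case_id="CASE-0001", examiner="examiner-placeholder")
    print(json.dumps(log, indent=2))
```

On a real case the bytes would come from an image file acquired through a write blocker, and the hash in the log is what lets an attorney confirm that the image examined is the one that was collected; the UTF-16LE patterns matter because text typed in a Windows word processor frequently sits on disk in that form rather than as plain ASCII.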
Furthermore, a poorly run investigation may not even serve the purposes of the internal organization. Management should err on the side of ensuring that the reputations of innocent people aren’t tarnished by bungling investigators. There should be checks and balances in place to ensure that rogue investigators aren’t poking into people’s business without proper cause. Requests for investigatory activities should be made in writing. Not only does this level of formality help guard against inappropriate snooping but it also helps protect the investigators from accusations of the same. Similar to law enforcement investigators who must apply for a warrant before conducting searches, corporate security personnel should loop in legal or HR representatives to corroborate the need for the investigation. Companies have few restrictions placed on them when it comes to searching the systems they own. Although employees may not have a reasonable expectation of privacy, they should be treated with respect.

Investigative work can be intriguing, but it’s also serious business. People’s lives can be significantly affected by the outcome of investigations. I always keep that thought in mind as we plan and conduct our investigations, and try above all else to treat others the way I too would want to be treated.