For high-tech forensics labs, a growing role in corporate crime-fighting

<br>SAN FRANCISCO (AP) _ Kris Haworth pounded away at her keyboard, navigating a labyrinth of computer data in her search for evidence. <br><br>The board of directors for a $5 billion company suspected

Saturday, April 7th 2001, 12:00 am

By: News On 6

SAN FRANCISCO (AP) _ Kris Haworth pounded away at her keyboard, navigating a labyrinth of computer data in her search for evidence.

The board of directors for a $5 billion company suspected revenues were being inflated. It was up to Haworth to fish out incriminating e-mail thought to have been deleted.

Using data-mining and tracking software so powerful that they once qualified as government secrets, she found what the directors were looking for. The Securities and Exchange Commission was notified and criminal indictments against several executives followed.

Haworth, who runs Deloitte & Touche's computer forensics lab in San Francisco, is one of a growing number of private-sector cyber avengers, fighting computer crimes that the government is ill-equipped to investigate or that companies would rather not report.

Haworth won't identify her clients. Few companies are willing to reveal their vulnerabilities to stockholders, competitors or potential litigants; some don't even want their own employees to know.

These sleuths can pinpoint internal sources of misstated earnings, nab thieves of trade secrets, track down hackers, help dispute claims of wrongful termination or sexual harassment, and uncover improper Internet usage by employees.

At Deloitte & Touche, their tools include SilentRunner _ a program created by Raytheon Corp. for U.S. intelligence agencies that captures and analyzes in real time all the activity on a computer network.

``We could find or recover anything on a hard drive,'' Haworth said. ``Somewhere in that system, your electronic fingerprints remain. Short of taking your hard drive and having it run over by a Mack truck, you can't ever be sure that anything is truly deleted from your computer.''

Some of the handiwork of these cyber investigators _ many of them ex-federal agents or prosecutors _ is reported to federal agencies, but much of it never reaches the public eye.

Also, there's often little the government can do to help, said Howard Schmidt, Microsoft Corp.'s chief security officer and a veteran military investigator.

``All the law enforcement agencies out there don't have the people trained to do this kind of work and to handle all the potential victims that may be out there,'' Schmidt said.

Financial losses from computer crimes grew 43 percent from $265 million to $378 million last year, and 85 percent of businesses and government agencies detected security breaches, according to an annual survey by San Francisco's Computer Security Institute and the FBI.

Yet only a third of 345 respondents said they reported the attacks.

Many times, only lawyers or corporate officers know what their private cyberspooks glean electronically _ and they use the secret information to quash or spur civil litigation.

Another case in point: A construction equipment supplier hired Deloitte & Touche when threatening to file a trade-secret lawsuit against a former high-ranking sales employee. The ex-worker had allegedly taken a multimillion-dollar client with him when he joined a competitor.

Haworth traced the former worker's company e-mail to his outside Yahoo! e-mail account. The unauthorized e-mail contained internal copies of non-flattering company documents. The case settled out of court.

``In my world, we find the smoking gun and give it to the attorneys,'' Haworth said.

New Technologies Inc. of Gresham, Ore., was one of the first companies to specialize in computer forensics. NTI was founded in 1996 by a group of ex-feds who pioneered the field, among them Michael Anderson, a 25-year IRS criminal investigator who has trained thousands of law enforcement and military workers on computer-tracking techniques.

The boom in private labs hasn't gone unnoticed by law enforcement agencies already struggling to keep up with computer-related crimes on limited budgets.

``A lot of times they're sucking the good guys from the government and paying them double,'' said David Green, deputy chief of the Computer Crimes and Intellectual Property Section of the FBI.

Today, NTI trains and assists government agents and specialists at the Big Five accounting and consulting firms and Fortune 500 companies. It is a lucrative profession.

Deloitte & Touche charges $250 an hour and pegs the average price of a basic computer forensic job at $25,000. The company has more than doubled its nationwide forensics staff from 40 in 1998 to 100 today.

It opened its first lab in Dallas in 1999, its second in San Francisco this year and will open another shortly in Chicago. Still more are planned to provide space for all the equipment used to gather, store, and analyze huge amounts of data taken from computer hard-drives.

Ernst & Young started with one lab in 1998 and now has six in the United States, one in Canada and one in London.

The trend will only grow as more business gets done on digital devices, said Kristopher Sharrar, a former Air Force investigator and now Ernst & Young's national leader of computer forensic services.

``Businesses were getting hacker intrusions and network viruses, and our clients are now looking at us to provide litigation advisory services,'' Sharrar said.

Electronic discovery is even more important now that the federal courts in December began requiring litigants to turn over evidence in digital as well as paper format. Before, a judge had to approve demands for e-mail or computer memos.

``These developing forensic technologies are as important to discovery as the Xerox machine,'' said Emmett Stanton of Fenwick & West, a Palo Alto-based law firm. ``It's not a question of 'Will e-mail or electronic evidence be important?' It's a question of 'How important will it be?'''