FRIDAY IN FOCUS
The Net Detectives
24-01-2003
by Andrew McLindon
As computer crime intensifies, businesses are turning to people with 'real world' investigative backgrounds to help them root out wrong-doing on their IT systems.
Dan Quealy investigated murders, drug dealing, Mafia activity and fraud during his 10 years in law enforcement in the US. Philip Curran* used to be a lieutenant in the French army and a Holocaust investigator, while John Finan is a computer programmer turned detective sergeant. What all three have in common is that they are using their considerable detection skills to combat the ever-growing menace of cyber-crime.
It may seem a long way from his previous career as an expert in blood-splatter patterns, but Dan Quealy says his role as head of Ernst & Young's security and information technology practice in Dublin also sees him engaged in forensic investigations.
Such investigations may not involve deducing how someone was killed, but do include traditional detective work such as trawling through documents and files, gathering hard-to-find evidence, matching people to places where the alleged crime was committed and delivering sufficient proof, if any is available, for a conviction.
More specifically, for Quealy and his team it can mean searching through computer files and documents, e-mails sent and received, and recovering deleted and over-written data held on a PC or disks. Basically, they are capable most of the time of dragging just about any information out of a computer, regardless of whether it has been erased or deeply buried.
Typically, the unit investigates incidents such as alleged on-line sexual harassment, the use of porn in the workplace, and computer fraud, all of which can be deeply damaging to a business if committed by employees.
For instance, a recent investigation involved a buy-out of a company under which the founder agreed to a no-compete clause. The buyers kept on the former owner's deputy, but soon became suspicious about the actions of this person. The Ernst & Young team discovered that the deputy had been recruited by the founder to help start up a new business in direct competition with the company, and that the deputy was feeding him commercially sensitive information about products and clients in order to assist him.
According to Quealy, the unit managed to expose this by digging incriminating information out of the deputy's computer. "Somebody had spent a long time clearing out this PC, it had been well-worked, but we managed to find relevant details such as files, logs, and e-mails that the person thought they had erased, and we were then able to successfully make our case," remarks Quealy, who also worked for 10 years looking after telecoms and computer security for a US defence contractor.
Ask Detective Sergeant John Finan what his job entails and he simply states that it is "the retrieval of evidence from computer systems and the Internet." But it involves much more than that.
A former computer programmer, Finan is sergeant in charge of the Garda computer crime investigation unit, which is responsible for the investigation of computer-related and computer-specific offences. The former can involve assisting other units in investigating all kinds of potential crimes where computers may have been used, such as murders and drug dealing, while the latter refers to offences like the downloading and sending of child pornography via the Internet, computer fraud and malicious hacking.
As with all members of the unit, Finan has an investigative background and was a member of the fraud bureau before joining the computer division in 1991.
And, as with Quealy, although he and his unit have technology at their disposal, it is often their detection skills that they rely upon to solve cases. "We use forensic software and utilities to investigate software, applications and operating systems, and while sometimes all that is needed are these tools, other times it comes down to the abilities and knowledge of the investigator to sift out and discover what is relevant to the investigation, and what is useful as evidence."
Philip Curran's work as an investigator for the anti-software piracy organisation, Business Software Alliance (BSA), also brings him into virtual contact with major criminals.
A law graduate who specialised in intellectual property rights, Curran was in the French army and also investigated occurrences during the Holocaust before starting his current career three years ago.
Curran says he was attracted to Internet piracy investigation by the challenge, and it certainly is one. Over a third of all software used in Western Europe is pirated, which translates into around EUR2.9 billion in annual losses to producers. Given the vast sums involved, it is no wonder that software piracy is becoming a major revenue generator for criminal gangs.
"Leading crime syndicates have realized that it is much easier to smuggle in one CD worth EUR1,000 than drugs of the same value," explains Curran. One of his recent investigations, for example, led the authorities to pirates based in Lithuania who in turn had links to the Russian Mafia.
In simple terms, Curran operates undercover on-line. He visits Web sites and on-line chatrooms where people release information on how to crack software and pirate it. He then adopts an alter ego and attempts to gain their confidence.
"I get in touch with them, maintain a dialogue and purchase their goods. Using the information gained, and by working with national and European law enforcement, it is possible to identify who they are and where they are based. It is just a matter of sticking to your character."
*Not his real name

