IT professionals who inadvertently remove evidence and in some cases take the matter into their own hands pose a serious threat to cybercrime investigations, a former federal police agent and computer crime investigator told Computerworld last week.
Graham Henley, head of PricewaterhouseCoopers' Australian computer forensic division, said IT managers tend to take matters into their own hands when computer-related crime is identified in an organisation.
"This is a huge problem for investigators because the IT manager will see the discrepancy first so it will never see the light of day," Henley explained.
"The last thing they want to do is go to the police because [as a result of publicity] the company share price could drop $10 overnight."
This is where the PricewaterhouseCoopers dispute analysis and investigation division steps in, as most organisations want to avoid unfavourable publicity.
However, when they get to the scene of the crime, investigators often find the IT manager has accidentally wiped out or overwritten data, Henley said.
"Just turning the computer on or off alters dates, times and other relevant information," Henley said.
"We go straight into the workplace and take a forensic image of a suspect's computer so obviously we don't want the alleged crime scene tainted at all.
"Organisations prefer to use our services because if they go to the police they lose control of the investigation and the information is usually commercially sensitive."
Henley said the division provides a brief of evidence that can then be forwarded to police for a conviction.
He said Internet crime has skyrocketed 600 per cent since 1998 and the global bill for cyber software theft has reached $250 billion.
"In the past 12 months we have examined more than 1000 cases of piracy; cybercrime in Australia is estimated to be in the range of $4 billion to $14 billion but these figures are notoriously inaccurate because it is mostly unreported," Henley said.