"Data without the proper validation and documentation is just pure data," he says. "It’s one thing to have volumes of information in front of you. It’s another thing to be able to dig in there, give everything some context and put it together in a way that everyone in a courtroom can understand."

Do-It-Yourselfers

Companies that develop forensic capabilities in-house use money from the general IT security budget to develop divisions devoted to chasing down evidence after crimes. At Boeing, Motorola and others, for example, CIOs have hired squadrons of network security specialists to double as forensic investigators. Because these companies have so many security concerns, it’s actually cheaper for them to build forensics teams from scratch than to farm out services on a per-case basis.

Microsoft, for instance, has hired Howard Schmidt, former director of computer crime and information warfare at the Air Force Office of Special Investigations, as chief security officer and has groomed a team of 10 investigators to gather digital evidence. Late last year, EDS Corp. launched a Global Information Assurance program structured around a spanking new CyberForensics Lab at the company’s Herndon, Va., office.

Companies can also use forensic techniques to engineer some preemptive security checks. At EDS, for instance, forensic specialists occasionally monitor employee hard drives to make sure nobody’s stealing company secrets.

At Microsoft, Schmidt says his job hinges on much of the same. "With all of the top-secret stuff we have going on here, we need to make sure that none of our employees are taking classified information and sending it elsewhere," he says. "When we’re not tracking down evidence of wrongdoing, we’re proactively searching for it, scanning hard disks in the name of corporate security."

These projects can get expensive. While they declined to reveal actual figures, Schmidt says Microsoft spends "millions and millions" on forensics every year, and Daryl Eckard, director of operations for EDS’s Global Information Services Group division, says his company threw a "significant" amount behind the new lab. But financing is only the beginning, and even with the necessary funds, establishing an in-house computer forensics program on the corporate level can be tough. First is the issue of education. Investigators who have not received formal law enforcement training must endure rigorous knowledge transfer classes to learn the craft. Second is the issue of policy. McCreight and Schmidt suggest that before IT leaders even think about forensics, they should sit down with representatives from the legal and human resources departments to discuss procedural requirements and other expectations.