Chris King, program director of the global networking strategies team at the Meta Group, warns, too, that CIOs should be aware of how network security decisions might affect an employee’s perception of privacy. Because plans such as Microsoft’s hinge on regularly imaging a company’s hard drives, employees often speak out against them, publicly invoking passages from the 1986 Electronic Communications Privacy Act and privately comparing employers to Big Brother. While concerns like these are legitimate, KPMG’s Talleur suggests that employees should be told that forensics is a matter of self-defense, and if they don’t like it, they can work somewhere else.

"Being able to retrieve digital evidence is more about catching employees stealing company secrets than it is about nabbing them abusing the Internet," he says. "If an employee is spending the day looking at [pornography], you can bet we’ll take note. In the scheme of things, though, that stuff is harmless compared with the crimes we’re really out to find."

A Little Help from Their Friends

Because not all companies have the resources to handle forensics endeavors on their own, their CIOs have turned to vendors and consultants who specialize in forensics solutions of every kind. Experts say this setup benefits everyone involved?vendors earn more charging for services by the hour than by selling a product, and clients achieve peace of mind knowing that their evidence is being processed by true pros. Some forensics, says King, is better than nothing at all.

Perhaps the best known of these forensics companies is NTI, where French and his colleagues foiled the former bank employee earlier this year. From its modest headquarters in Gresham, Ore., a staff of 20, including 10 computer forensics specialists, supports 25 proprietary products. On a recent winter morning, investigators (they call themselves "geeks") huddled around one of their own as he evaluated evidence for a $6 billion class-action lawsuit involving more than 20 laptops at a Fortune 100 company. Using a product called FileList, they strung together access dates in hidden files on each machine. "Of course we think our products are the best, but we don’t care if we use our products or the next guy’s," says Mike Anderson, the company’s founder and CEO. "We’ll do whatever we can to establish evidence that our clients can use in a court of law."

Others subscribe to the same philosophy. In Alexandria, Va., Riptech supplements an outsourced 24/7 information security monitoring and management offering with a computer emergency response team that performs general analyses and remediation efforts onsite. Provo, Utah-based AccessData recently released a Forensic Tool Kit to complement a previously limited consulting business that specializes in troubleshooting encryption crises of any kind. Then there’s WetStone Technologies, a company that offers products and services for helping companies address steganography, the process by which nefarious employees encrypt and embed data within ordinary e-mail attachments (see "Say What?" Page 118).