The scope of retail investigations can take a loss prevention team in many different directions, covering every area of the retail enterprise. This is especially true in the age of technology, where information and opportunity can be found, and exploited, at the tip of a finger.
Computer forensics is the study of evidence resulting from attacks on computer systems to learn what has occurred, the extent of the damage, and how we can prevent it from happening again. These techniques are frequently used to recover data in the event of a hardware or software failure, analyze computer systems (for example, following a break-in or security breach to determine how the perpetrator gained access and what they did), gather potential evidence in the event of an issue or breach, or collect information about how the computer system is working for the purpose of debugging, performance optimization, or other related tasks.
The goal is to explore and explain the current state of a computer system, storage media, electronic document (for example, an email message or JPEG image), or other information moving over a computer network. Depending on specific needs, objectives can be as straightforward as “what information is here?” or as detailed as “what is the sequence of events responsible for our present situation?”
Anyone conducting investigations involving computer forensics should be properly trained to perform the special kind of retail investigation at hand. Digital evidence can be collected from a variety of sources, including computers, cell phones, digital cameras, hard drives, CD-ROMs, USB memory devices, web pages, and other sources and equipment.
Handling of Evidence
Extreme care must be taken when handling computer evidence, as most digital information can be easily compromised. Once modified, it may be difficult or impossible to detect that a change has taken place (or to revert the data to its original state) unless other measures have been taken. Such mishaps can potentially destroy valuable evidence and decimate the entire investigation.
Traditionally, retail investigations involving computer forensics were performed on data “at rest” (for example, when examining the content on hard drives). Computer systems were shut down when they were impounded to avoid incidents that might cause data to be erased. However, today there is increasing emphasis on performing analysis on “live” systems, as many of the current attacks against a company’s computer systems will leave no trace on the computer’s hard drive, with the perpetrator only exploiting “live” information in the computer’s memory.
A typical forensic analysis might include reviewing media material, examining the Windows registry for suspect information, identifying and deciphering passwords, running keyword searches for topics related to criminal incidents or policy violations, extracting e-mail and images for review, and performing other specialized analysis based on specific needs and goals. Once the analysis is complete, a report is typically generated to review findings so that the necessary and appropriate decisions can be made.
Loss prevention must remain a proactive part of the business to best support the needs of the retail industry. There will always be a need to grow and adjust, which opens new doors for creative minds. Computer forensics continues to develop as an investigative tool in the retail setting, and is an area where significant opportunities will be realized as technology continues to evolve.