Rene Hamel has spent most of his career fighting bad guys. But for the last ten years his greatest weapons have been his IT skills and his investigative mind.
Hamel is the senior manager of corporate investigation services (CIS) in the computer forensics and business intelligence tools department at the Royal Bank of Canada (RBC). His typical workday involves responding to requests from the CIS, his department’s main client, which handles external investigations on things like faulty mortgages and the fraudulent use of credit cards. Computer forensics is a sub-department of this division.
“There are three of us (in forensics) and we’re not just busy finding people doing something wrong (within the company). We’re also busy helping the investigators who are doing external investigating,” said Hamel, who joined RBC on May 5, 2003. “We collect electronic evidence – that’s why they have us.” The team he heads is also in the process of building a forensics lab, which he expects will be completed by September 2004.
Hamel didn’t arrive at RBC with only a background in IT. After training in 1982 for a policing career in Nicolet, Que., he set out to find a job, only to discover that most police departments in the province had a hiring freeze. While looking for employment, he enrolled in computer programming and systems analysis courses at the Herzing College in Montreal, where he acquired Visual Basic and Assembler programming skills.
Three years later, he got a call to join the RCMP. Because of his IT skills, Hamel said he eventually saw the opportunity unfold for a career in computer crime investigation. “I joined the commercial crime group in Vancouver – their technology division – where we did hacking investigations. I investigated any major crime where a computer was seized (for evidence).”
During his time as a police officer on the native reserves of northern B.C., Hamel also took some distance courses through the University of Victoria’s part-time computer-based information systems certificate program.
While he was still with the RCMP, Hamel had the chance to help accounting firm KPMG with forensics investigations revolving around a civil case on his own time. His contact with the firm opened up a career path in the private sector – the firm approached Hamel to join its forensics department in 2000.
Hamel said he liked the switch over to the private sector for a number of reasons. “What was neat was that . . . if a client’s system is compromised, they don’t tell you (the police) everything. They try to hold off on calling the police as long as they can because the company doesn’t want the publicity,” Hamel explained. On the other hand, a lot of people call firms like KPMG “because they know that the information will be kept private.”
Investigations in the private sector often move quicker when they involve civil litigation, he added. On the other hand, when the police are investigating a computer-related crime, it takes a long time to get to court – sometimes two or three years. “You try to get the people (from the IT department) to come in and testify, and in many cases they are long gone.”
Hamel also noted that private sector forensics investigations offer more variety. “With the RCMP I investigated a lot of child porn-related cases, but with KPMG, there was always something new” – situations ranging from disgruntled employees who steal documents to start their own companies, to sexual harassment on the job, all the way down to the fraudulent transfer of money within financial institutions and law firms.
“We follow the electronic trail and think about all the places to look (for evidence), and it’s not always on a computer,” he said. “If a disgruntled employee thinks electronically and wants to get certain files or client lists, they will try to figure out a way to move the information without being noticed. But often they forget about e-mails, video recordings and phone logs . . . . There is information coming in from everywhere, and at the end of the day, you have to tie that information to a person.”
Proper initial acquisition of the evidence – how one images, or copies, the hard drive – is paramount. Imaging a hard drive using regular copying utilities could corrupt a document’s system time/date stamp, which could itself be used as evidence, leading to questions about the validity of the evidence in a court case. “Lawyers will challenge you, asking, ‘Who says that e-mail wasn’t modified?’” he said, adding that using third-party “hashing” utilities that calculate the hash, or fingerprint, of the electronic evidence is the only way to ensure that the evidence is usable in a civil or criminal lawsuit.
Hamel said the average IT worker doesn’t necessarily need full-blown forensics training, but should at least know how to handle electronic evidence. “They should know when not to shut down a system . . . and they should wait for the investigative people to come in. That alone can save a case.”