In our post The Biggest Threat to Your Company May be within Your Company, we discussed how the biggest threat to your company may be within your company in terms of employee misconduct and fraud. Employee misconduct and fraud investigations are conducted for several reasons, including: sexual harassment, creating a hostile work environment for other employees, employee sabotage and intellectual property (IP) theft. IP theft can include ideas, inventions, and creative articulations, such as trade secrets and exclusive products to parts of motion pictures, music videos/music, and software source code, among other IP.
“Don’t reissue the computer unless the drive is removed and stored somewhere safe with a proper label on it.”
Investigations Are About the Data
When a capital crime happens – such as robbery, kidnapping or murder – we all understand that preserving the crime scene is vitally important so that law enforcement can gather evidence such as fingerprints or DNA. Failure to preserve the crime scene can result in the inability for law enforcement to ever identify, pursue and convict suspects for the crime.
In the case of employee misconduct and fraud investigations, the sources of data associated with the investigation should be treated as a crime scene and must be preserved so that professionals can pursue the subject(s) of the investigation. With that in mind, it’s important to consider these best practices:
Employee Departures: Preserve data on every employee departure, especially if they are in certain positions of authority or have access to critical data within the organization. Examples include:
- They have access to data such as customer lists, project bidding information, HIPAA personal health information or other sensitive personal information, sensitive company information.
- They are in a position of authority where they are managing others.
- They are a “C-level” executive in the company.
Hard Drives are Cheap: Don’t reissue the computer unless the drive is removed and stored somewhere safe with a proper label on it. You may not realize for months after departure that a departed employee warrants investigation – by then, it may be too late if you’ve re-issued their computer with the same hard drive as important evidence may no longer be recoverable.
Don’t Have IT Look at the Data First: As noted above, you must treat it as a potential crime scene! An IT person untrained in forensics best practices could cause irreparable damage to the evidence on the machine, simply by turning it on and opening a few files! It’s better to unplug the computer and don’t turn on until you discuss the issues with an attorney (preferably one who understands the importance of preserving data evidence).
Keep Equipment On: If a computer with potential evidence is powered on, leave it on!Important evidence may be stored on the computer’s random-access memory (RAM) that only maintains data for as long as the computer is on. If the power is turned off, the RAM releases all that information and it may not be able to be recovered (if the computer has been placed into a hibernation state, some of the information may be recoverable in the “hyberfil.sys” file, but that’s not guaranteed).
Disconnect from the Network: Complete preservation of the evidence can’t be guaranteed unless the computer is not accessible remotely, so it’s important to disconnect it from the network to help ensure preservation.
Don’t Forget Mobile Devices: As we discussed in Mobile Device Forensic Discovery: Here’s a Case That Illustrates the Importance, mobile devices have a wealth of potential evidence. It’s important to have a sound Bring Your Own Device (BYOD) policy to preserve your rights to collect evidence from those as well for departing employees.
When you suspect potential employee misconduct or fraud, it is important to engage a digital forensics firm to perform an investigation to uncover pertinent evidence. Using specific and specialized software, the digital forensics firm can reveal digital evidence and a critical timeline through the various data sources to which the employee has (or had) access. Treat it as a crime scene and leave it to the professionals to process that crime scene effectively!
For more information about Forensic Discovery’s Computer Forensics services, click here.