Employee-related investigations in a digital world.
Business and HR managers that must deal with employee-related matters should also remember that any adverse action, such as suspension or termination, could potentially lead to litigation. An internal investigation could also lead to criminal prosecution. Whether an inquiry involves a policy violation, theft of proprietary business information, embezzlement, or some other employee misconduct, it is likely that computers, cell phones, other digital devices, or cloud storage may have information that you need for your inquiry. It will be important for you to acquire and preserve any data of value for your case. However, your decisions on how to obtain the information from those sources could be costly if not done properly.
Consider for a moment that an employee’s company-owned computer may be a source of information for your inquiry. Your first thought may be to turn on the computer and look through files yourself to find information that could be helpful. You may also consider calling the IT department to look for particular documents, files, or programs and print anything that may be needed. While on the surface this seems like an easy venture, but it could be problematic in the future. Not everyone is well-versed with computer system operations and not all “IT staff” are the same.
While all attorneys go to law school, not all attorneys work or specialize in the same practice areas. When you need legal representation for a specific issue you look for an attorney who has knowledge and expertise in that area. For example, you would not hire an attorney who specializes in real estate to represent you on criminal charges.
Likewise, If you call a computer programmer, who spends every day writing code and creating software programs, and ask about the intricacies of transport control protocol/internet protocol or other in-depth networking matters, they will provide some basic information, but probably refer you to a network analyst who has experience in that area.
This same concept holds true for forensic computer examiners. While a person in your IT department may have basic knowledge about data recovery methods and some basic procedures, they may not have the same experience as a forensic computer examiner dealing with the types of matters discussed in this article on a daily basis. Further, they probably do not have the experience in producing reports tailored for a digital investigation or experience testifying in a legal proceeding.
The U.S. Cybersecurity and Infrastructure Security Agency writes, “We define computer forensics as the discipline that combines elements of law and computer science to collect and analyze data from computer systems, networks, wireless communications, and storage devices in a way that is admissible as evidence in a court of law”. It is this aspect that is so important when you as the business owner or HR manager make decisions about obtaining information from electronic devices.
Each step beginning with the acquisition of the device and data, to the analysis of any potentially material information, and the reporting of findings, needs to be performed in a manner that will be admissible in a potential future legal proceeding. Every time you turn on a computer or a smartphone, each time you access a file or application, or perform other operations, changes occur and affect important artifacts like the metadata. Can the person you asked to get the data also “validate” that what was obtained was not altered? Are tools that were used to obtain and analyze the data able to be validated? There must also be accurate and reliable reports generated. If a legal action is commenced, you will need the same person to be able to provide expert testimony through direct and cross-examination. Providing testimony alone is more than just being able to answer “yes or no” questions. The person must be able to explain in detail the steps that were taken and “why”. They will have to be knowledgeable in how to properly analyze data, understand how the operating system works, and many more complex issues.
When you need electronic devices examined for potential evidence, do not take chances, contact an experienced forensic examiner. When the details matter, we are here to help. Call us at 662-404-1000 or contact us by email at firstname.lastname@example.org.