Forensic Technology in Employment Investigations
Over the last 12 months, we have seen an increasing number of cases involving employees stealing intellectual property. In this month’s bulletin, we provide an overview of how best to manage your forensic investigation.
Firstly, there are a number of complicating factors that need to be considered, such as the security on devices, particularly when they are owned by the employee but used for work purposes. Secondly, it is important to act quickly and preserve volatile evidence such as audit log data. Thirdly, all of the actions taken need to comply with the relevant laws so that the evidence can withstand legal proceedings.
A forensic technology expert can assist in securing electronic data and maintaining its evidential value throughout the investigation. The forensic expert will uncover the “who, what, when, where and how” relating to the evidence at issue. This work must be underpinned by robust methodologies, evidentially sound processes and a suite of forensic tools that are fit for purpose and have been accepted by the courts.
The following is a list of considerations when engaging a forensic expert to assist you with an employment investigation:
- brief the expert appropriately on the background and purpose of the case
- be satisfied your expert has the necessary resources including a well-equipped laboratory
- provide the expert with the terms of reference, which set out objectives, timeframes and limitations
- confirm what data is required to be collected and examined
- confirm whether the investigation needs to be covert and that your expert can work within these requirements.
We recommend that all physical devices be preserved for potential forensic examination at the outset of your investigation. This includes copying the hard drive from a laptop, the contents of a mobile device, cloud data, and any other removable devices such as USB keys.
In particular, if you are seeking to examine deleted data, there are a number of considerations that may impact on the success or otherwise of recovering this information, including:
- how long ago the files were deleted
- where the files were deleted from (such as a USB device or a laptop)
- whether a record of deleted files is available, particularly for cloud storage accounts
- what the format of the deleted file is (documents are easier to recover than emails).
As internet users post their personal details online, social media has become a potential goldmine of evidence for employment investigations. Evidence from social media activities can be collected either directly from the cloud provider or extracted from the device which was used by the employee to post the content, including content which has long since been deleted from the cloud version.
Mobile devices contain a rich source of evidence including “to-do” lists, photos and GPS coordinates. They store a considerable amount of data and the technology employed on such devices is rapidly evolving. Success factors for examining mobile devices depend on the make and model, the software version installed on that device, and the nature of the data being sought. Always remember that data transmitted from a mobile device may also exist in the cloud. However, you may not be permitted to access the cloud data from your work-owned device. Check with a lawyer first.
Finally, it is important to note the difficulties associated with cloud computing. Over recent years organisations have moved a significant amount of data into the cloud, with varying degrees of traceability in relation to employee activity. If you suspect your employee has taken your confidential information, you should immediately instruct your IT providers to preserve as much data as possible that is in the cloud. Your success in recovering relevant data will depend on the cloud system's licensing, audit retention policies, and whether it records files that have been copied or deleted.
Please do talk to us if you have a requirement to conduct a forensic technology investigation.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
