As a member of your company's HR team, there may come a time when you are called upon to assist in investigating the actions of an employee within the company. Many internal investigations (such as harassment claims, fraud, misuse of company assets, etc.) involve the use of digital devices and may require a forensic analysis of those devices to find evidence of an employee's actions. Here are 4 questions that we often ask our clients (or that you may be asked by your internal forensic staff) prior to starting any digital investigation.
1. What’s the story?
What's the background to the situation? We want to be efficient, and understanding the bigger picture usually allows experienced investigators to provide some guidance and suggestions. Our goal is to meet your objectives as soon as realistically possible, so we'll probably ask you specific questions and guide you through the aspects of the situation that are most relevant to us.
You should remember that digital forensic examinations can only be done on systems, devices and data that you have authorized access to. If you don't, then there must be a legitimate legal reason (such as a court order) that would allow for its examination. For example, while we appreciate that you might want to know who is behind an anonymous email account, the majority of the time it will take a court order to get that information.
2. What are you trying to find out?
Everything listed here is important, but this is really the key question. What is being investigated and what do you need to know? Did person 'X' access certain folders and files? Why was a breach attempt successful? Who took the data from your company and shared it with a competitor? These are just some common examples of what we get asked.
Your needs are varied and most examiners are used to dealing with an array of requests. Give this some thought and, ideally, work with your legal counsel: typically they are the ones who will ultimately use our findings, so it's best to involve them directly.
3. What have we got to work with?
All of the scenarios that require our services have common elements, namely that digital evidence exists and needs to be reviewed. Sometimes data recovery has to occur before anything can be examined, but all cases need a starting point; usually that's a system, a device (like a computer, phone or tablet), or a data set. We understand you may not have all the facts to start with, but here's some guidance as to what we would ideally want to know:
a. The potential sources of information
Mobile device? Computer system? Large set of data? Knowing the make, model, operating system (and version) and what type of data and access rights users had on/to it dictates broadly what’s possible.
b. The amount of data in scope
The size of the physical storage media (typically a 'hard' or 'solid state' drive) dictates how long it will take to make an exact 'image' of everything. An image is an exact copy of the original media, taken in a way that preserves its structure and content. Typically there is a need to create identical 'images' of the physical media, so that lost data or deleted artifacts can be recovered prior to any examination. If data sets from, say, a network storage facility are being reviewed, then telling us the overall amount of data involved (usually measured in gigabytes or terabytes) is ideal.
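To make the 'exact image' idea concrete, here is an added example (not from the original post, and not a description of any particular examiner's tooling) that images a small constructed stand-in for a drive with dd and then checks that the copy is bit-for-bit identical by comparing SHA-256 hashes of source and image. The sample file, the working directory and the block size are assumptions for the demonstration; in a real acquisition the source would be the physical device behind a write blocker, and the recorded hash is what later lets anyone confirm the image was never altered.

```shell
#!/bin/sh
# Added example, not the original post's code. Shows what an 'exact image'
# means: a bit-for-bit copy whose hash matches the source media's hash.
set -eu

WORKDIR="$(mktemp -d)"
trap 'rm -rf "$WORKDIR"' EXIT
SRC="$WORKDIR/sample_media.bin"   # constructed stand-in for a physical drive
IMG="$WORKDIR/evidence.dd"        # the forensic image we produce

# Build a constructed 1 MiB 'drive': zero-filled, with a recognisable
# document header written at offset 0 (assumed sample content).
make_sample_media() {
    dd if=/dev/zero of="$SRC" bs=4096 count=256 2>/dev/null
    printf 'Quarterly report - CONFIDENTIAL\n' | dd of="$SRC" conv=notrunc 2>/dev/null
}

# Acquire the image. conv=noerror,sync keeps going past unreadable sectors
# and pads them so every byte of the image sits at its original offset.
acquire_image() {
    dd if="$SRC" of="$IMG" bs=4096 conv=noerror,sync 2>/dev/null
}

# Print the SHA-256 digest of a file (this is what gets recorded in the
# chain-of-custody notes alongside the image).
sha256_of() {
    sha256sum "$1" | awk '{print $1}'
}

# Succeeds only when the source and the image hash identically.
verify_image() {
    [ "$(sha256_of "$1")" = "$(sha256_of "$2")" ]
}

make_sample_media
acquire_image
if verify_image "$SRC" "$IMG"; then
    echo "image verified, sha256=$(sha256_of "$IMG")"
else
    echo "image does NOT match source" >&2
    exit 1
fi
```

Any later change to the image file, even a single appended byte, makes verify_image fail, which is exactly why the hash is recorded at acquisition time.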
c. Who’s involved?
There are two sides to any digital activity: the source and the target. For example, if you need to identify who accessed certain data, then both the location that stored it and the system or device that accessed it would normally have traces of the activity.
Would there be an opportunity to examine both? How many people or applications had authorized access through common channels, and how many were, e.g., administrators who may have been able to circumvent normal protocols as part of their role? The goal is to simplify the approach and take the most direct investigative route, but sometimes the obvious systems and devices may not be available, so it's best to consider all options.
4. What is the time frame of the investigation?
There are two points to consider when trying to estimate timelines. Firstly, when did the event or incident take place? Can the investigation be focused down to a point in time such as an hour, day, week or month? A narrower timeline normally results in more focused investigative work, which in turn means more efficient and timely results for you.
Secondly, when do you need this? Is there a court date set? Do you need something in place before a compliance deadline? If we know how urgent the matter is, we can prioritize the investigative activities and let you set everyone's expectations on your side. We know that sometimes when you call us, it may be extremely urgent.
Every investigation is different, and the background, data, infrastructure, systems and device purposes and types are diverse. If you keep the above elements in mind before you start your quest for digital forensic support, it should result in a more efficient overall experience.
- Conducting an internal investigation? Here are 4 things to consider - October 30, 2017